Scans showed that 91,000 devices are exposed and at risk for unauthorized access and TV set takeover.

Source: Askar Karimullin via Alamy Stock Photo

Researchers at Bitdefender have discovered four vulnerabilities in LG webOS, the operating system for multiple models of its smart television line.

According to the researchers, even though the now vulnerable LG webOS service is supposed to be used in local area networks, scans show that there are reportedly roughly 91,000 exposed devices that are vulnerable to the bugs.

The bugs are a mix of command injection, privilege escalation, and bypass vulnerabilities and are tracked as CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, and CVE-2023-6320. For instance, CVE-2023-6317 can allow an attacker to add an extra user to the TV set, and CVE-2023-6318 can allow a user to use the access "gained in the first step to root and fully take over the device."

They impact webOS 4.9.7-5.30.40 running on LG43UM7000PLA, webOS 5.5.0-04.50.51 running on OLED55CXPUA, webOS 6.3.3-442 (kisscurl-kinglake)-03.36.50 running on OLED48C1PUB, and webOS 7.3.1-43 (mullet-mebin)-03.33.85 running on OLED55A23LA.

The researchers reported their findings to LG in November 2023, but it was only last month that the vendor released security updates. Affected users who have not been alerted to the vulnerabilities or the updates to fix them should go to the TV "Settings," then "Support," and "Software Update," and then click on "Check for Update."

**About the Author(s)**

LG Smart TVs at Risk of Attacks, Thanks to 4 OS Vulnerabilities

As more electric vehicles are sold, the risk to compromised charging stations looms large alongside the potential for major cybersecurity exploits.

Source: Rosemary Roberts via Alamy Stock Photo

The increasing popularity of electric vehicles (EVs) isn't just a favorite for gas-conscious consumers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks. This is because every charging point, whether inside a private garage or on a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

"As EV charging becomes more widespread, they will become appealing targets to more sophisticated hacking groups," says Hooman Shahidi, the CEO of EVPassport, a charging network provider. "Providers need to think of their products as critical infrastructure and a critical component of our national security." There are 2.5 million electric vehicles operating in the US, and more than half of them require plug-in chargers. Acknowledging their popularity, back in 2022, the UK mandated charging stations be built in all new residential construction.

Charging stations face significant cybersecurity risks. "Issues include unprotected Internet connectivity, insufficient authentication and encryption, absence of network segmentation, unmanaged energy assets, and more," wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could damage the power grid, for example, or result in stolen customer data. “Chargers have personal and payment information and run a variety of protocols that aren't typically recognized by traditional firewalls," says Check Point Software's Aaron Rose, who works in the office of the CTO.

The early stages of cyberattacks on charging stations began a few years ago, when one Russian station was attacked in February 2022 in response to the Ukraine war and three more were compromised in the United Kingdom in April 2022. Both situations were more cyber pranks that displayed rude messages on the screens of the units. Shell patched a vulnerability last year in one database that could have exposed millions of charging logs from across its EV charging network.

New vulnerabilities continue to plague charging stations. Two of them could lead to remote code execution and potential data theft, discovered by SaiFlow earlier this year. The exploits take advantage of weak authentication routines among the various software modules that are used in the stations, according to their research. Charging station vendor Enel X Way lists a variety of other data compromises involving vehicle ID numbers, as well as exploits that could gain remote access to the vehicle controls.

Elias Bou-Harb is a computer scientist with the Louisiana State University who has long studied charging station security. He has found almost every charging product has major vulnerabilities, including well-known attack methods such as SQL injection and cross-site scripting. "What is particularly alarming is that some well-known protective measures haven't been implemented by most of the vendors, and that few of them have taken steps to improve their security even after we identified these weaknesses."

**IoT Devices Remain Attractive Targets**

Certainly, threats from charging stations aren't the only IoT devices that are targets of opportunity for cyberattackers. And the stations are just one of a multitude of IoT devices where exploits continue to increase. The combination of numerous smaller vendors with poor security design and practice and numerous automated tools such as botnets to locate and compromise various devices makes all IoT devices easy targets for hackers. Data from the US Federal Communications Commission (FCC) increased since then.

But the charging stations do represent a complex — and therefore very rich and potentially exploitable — combination of elements that can go beyond smart TVs and smart speakers. For example, Check Point's Rose says that "chargers have similar risk profiles but present a different attack surface to other smart devices."

What this means is that the chargers run management software tools "in between the EV user and the car and between the charging station and the power grid and coordinate billing, authentication, and supplied power," Bou-Harb says. "And adding to this complexity, all of this is also deployed by the charging vendors in the cloud." His research has found that some of the software run by these stations has been exploited for years, "and that vendors haven't yet realized they have been compromised, let alone fixed the problems."

Enel X Way's blog post lists a comprehensive eight-point framework for charging stations that covers identity access, risk management, emergency response, and other factors. 

**In Regulators' Crosshairs**

Both the US and Europe are making regulatory steps to try to rein in charging stations, both public and private. The UK has had an anti-tampering law in effect since 2022 relevant to the home-based charging stations. This resulted in security improvements from several vendors, as recently reported. Wallbox, a charging station vendor, added extra security safeguards to its equipment to comply with these regulations, while other vendors have dropped out of European markets rather than improve their products. 

The EU has proposed new cybersecurity safeguards for electric grid operators and IoT vendors in its NIS2 directive last year that will take effect in October. It includes stricter breach reporting requirements and levies higher fines, among other items. 

Another proposal is to have the charging station industry self-certify their devices, like what Underwriters Laboratories does for various electronics. European automotive safety vendor Dekra proposed a public charging station certification program that it claims is an industry first. It offers three different levels that range from providing basic security services to penetration testing of the equipment. 

The US is lagging in these efforts. Last summer, the Biden administration proposed a cybersecurity labeling program for smart home devices. Dubbed the Cyber Trust Mark, it would be administered by the FCC, based on work developed by the National Institute of Standards and Technology. "The Cyber Trust Mark is a great idea," Check Point's Rose says. "But execution is going to be key. The mark must be updated and based on doing continuous testing of devices."

Last year, the National Institute of Standards and Technology (NIST) also proposed a series of recommendations for public charging stations to improve their cybersecurity. However, one key element of the NIST, Cyber Trust, and Dekra initiatives is that they are all voluntary. "The charging stations' guidelines are a positive development," Ravi Lingarkar, vice president of product management at Akitra, wrote on LinkedIn. "Without uniform cybersecurity standards, EV charging stations can become easy targets for hackers. It's like enabling anyone to bring their own device to the grid. Given the rapid expansion of the EV charging infrastructure, cybersecurity is at the forefront of many potential problems." 

Still, these efforts are early and incomplete. "The government regulations have come too late," Bou-Harb says. "The market is already saturated with various charging products. These vendors don't really care about the security of their devices, which is often more of an afterthought. It's time for the charging vendors to come together, admit there is a problem, and start working on solutions and sharing threat data."

One potential roadblock is that EV chargers are under the purview of multiple regulatory agencies, such as the departments of Transportation, Energy, and Homeland Security. Getting them all to work cooperatively isn't going to be easy. "No one is taking leadership," Bou-Harb says. 

"A simple step that the government could take now would be to require SOC2 pending for EV charging providers. We need to raise the bar," EVPassport's Shahidi says. The SOC2 standard focuses on security controls and privacy, among other items.  

**About the Author(s)**

Contributing Writer

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 35 years. He was the editor-in-chief of Network Computing print, Digital Landing.com, and Tom's Hardware.com. He has written two computer networking books and appeared on a number of TV and radio shows explaining technology concepts and trends. He regularly blogs at https://blog.strom.com, and is president of David Strom Inc.

EV Charging Stations Still Riddled With Cybersecurity Vulnerabilities

Distributed denial-of-service attacks still plague the enterprise, but adding preventive measures can reduce their impact.

Source: Aleksey Funtap via Alamy Stock Photo

In the security profession, controls are one of the main tools we use to reduce risk. In doing so, we leverage a mix of preventive and detective controls. As the name suggests, preventive controls are designed to reduce the potential that a given threat will negatively affect a given environment.

Of course, preventive controls don't always work as designed, and some threats will always get through them. To supplement this protection, detective controls are also used. Detective controls identify security issues soon after they occur, so that they can be remediated before too much damage has occurred.

Using preventive and detective controls in tandem is a routine practice that is applied across many areas in the security space, including network security, application security, endpoint protection, identity and access management, and cloud security.

That is by no means an exhaustive list — this practice is applied in myriad areas within the security space. You can imagine my surprise, then, that one area is noticeably lacking the powerful combination of preventive and detective controls: distributed denial-of-service (DDoS) protection.

**Why DDoS Is Still a Problem**

DDoS is a significant problem for most businesses. According to MazeBolt, a DDoS security company, 60% of businesses lose at least $120,000 due to DDoS attacks, while 15% of businesses lose at least $1 million. Even with the best DDoS protections in place, businesses still suffer from 30% to 75% exposure of their online services to DDoS, MazeBolt says. This means that DDoS is a serious problem confronting the industry — and one that is not getting the preventive controls it needs.

Perhaps that will surprise you, too. When it comes to DDoS, organizations focus mainly on detection and mitigation. They purchase DDoS mitigation solutions, but they don't give much thought to protecting the organization from attack in the first place. We as a profession don't seem to focus much on DDoS preventive controls, despite the fact that the US Cybersecurity and Infrastructure Security Agency (CISA) recommends doing so in its latest DDoS mitigation guidance.

It may seem odd, but historically, there are reasons for this, such as the difficulty in checking for vulnerabilities and susceptibility to DDoS in a nondisruptive manner.

**5 Steps to Round Out DDoS Protection**

So once an organization decides to take a more well-rounded approach to DDoS, what are some steps it should follow to ensure it is adequately protected? I've offered a few thoughts here.

1\. Check for vulnerabilities. Organizations should ensure that they check for vulnerabilities and susceptibility to DDoS at layers 3, 4, and 7 of the OSI model. This is easier said than done, of course. This requires being nondisruptive in identifying vulnerabilities. Taking down the infrastructure in the name of DDoS security would not be a good thing.

2\. Stay nondisruptive. No one needs their DDoS risk reduced at the cost of disrupting business operations and impacting revenue, uptime, and customer satisfaction. There is a better way — namely, new nondisruptive, nonintrusive methods to identify and enumerate infrastructure vulnerabilities that expose an organization to additional DDoS risk.

3\. Understand the environment. The best way to ensure that no infrastructure vulnerabilities are missed is to know the environment well. This is the case regardless of how complex the environment is, and even if that environment involves hybrid and multicloud environments. Understanding the environment is the best way to eliminate blind spots. That, in turn, makes the vulnerability identification and remediation process far more thorough and effective.

4\. Establish and follow a process. Organizations should have a process to document and prioritize vulnerabilities for remediation. This ensures that things do not fall through the cracks and reduces the potential for oversight and human error. Even with the best process, organizations will still need determination and follow-through to remediate the vulnerabilities they have identified. DDoS security is a marathon, not a sprint.

5\. Iterate your security steps. DDoS security, like many areas within the security field, is not a one-time activity. Organizations need to continually test for new or persistent vulnerabilities within the infrastructure. They need to ensure that they are continually aware of changes to the environment so that they can retain the requisite level of understanding and knowledge of the environment. Organizations will also need to continually stick to and follow their process to ensure that vulnerabilities are remediated in a timely manner. Simply put, DDoS security is an effort that requires continuous attention.

Like many areas in the security space, DDoS security leverages both preventive and detective controls — or at least it should. For a variety of reasons, our historical focus around DDoS has been primarily on detection and mitigation of DDoS attacks. We as a field are long overdue for leveraging preventive controls in the DDoS security area.

**About the Author(s)**

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Proper DDoS Protection Requires Both Detective and Preventive Controls

We are potentially encroaching on a water supply crisis if data center operators, utilities, and the government don't implement preventative measures now.

Mark Trump, IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

April 9, 2024

5 Min Read

Source: stockphoto-graf via Alamy Stock Photo

COMMENTARY

In our digitally driven world, data has become an invaluable asset to companies across sectors. Data enables intelligent products, services, and operations. Data is also the unsung hero in today's "age of AI." By 2030, the AI market will be worth more than $1.3 billion in revenue — growing 36.8% from 2023's market size of $150.2 billion, and data is arguably the catalyzer driving this immense growth.

**The Current State of Data Centers**

Data is not just an intangible asset that's stored in the virtual ether of "the cloud." In reality, data, and data storage, is very much tied to the physical world. With the increasing introduction of artificial intelligence models, more data will be needed, and therefore stored in data centers.

These centers allow for data to be kept secure, accurate, available, and, for all practical purposes, "alive." Using switches, storage systems, servers, routers, and other equipment, data centers can store essential data sets around the clock. However, the extreme warmth produced by the energy used to process and store data causes overheating concerns. Data centers therefore require energy-intensive cooling systems to ensure the equipment does not fail. Such failures can lead to data losses, and vital workload and service outages — which occurred at a major tech company's Australian-based data center when a regional utility's power outage shut down the center's cooling mechanism. 

Unfortunately, cooling comes at a steep price, accounting for nearly 40% of an average data center's electricity usage. Many operators recognize the strain traditional air-based cooling methods put on its finances and net-zero pledges, which is why some are opting for liquid cooling systems. Although liquid cooling is technically more energy efficient than air cooling, it can still negatively impact the environment — and opens other door for potential outages. 

**Data's Dependence on Water**

When we say "liquid" cooling systems, we're actually referring to water in most cases. Just like living beings, data needs water to survive — and, therefore, so do AI models, software, and countless other technologies that rely on data.

Most data centers in the United States use freshwater supplied by utilities — the same water supply that humans rely on. The average data center uses 1 million to 5 million gallons of water a day (paywalled article), and considering that 30% of the world's data centers are located in America, that means Americans are losing access to a significant amount of safe drinking water. 

The US is already experiencing alarming water shortages as a result of low precipitation fueled by climate change and increased demand from a growing population. Now, add the increased demand from data centers as operators try to cool facilities overrun with AI-associated data, and America could experience a water crisis.

To make matters worse, the American water supply is facing an additional threat: cybersecurity attacks. Bad actors are increasingly targeting US water infrastructure. The main concern is the health and safety of Americans, but these attacks also threaten data centers — and the technology that depend on data. Hackers have historically targeted cooling systems, and they will undoubtedly continue to do so by finding weak points in data centers' water infrastructure, as well as security gaps in the regional water utilities that serve data centers across the US.

**Two-Pronged Approach: Sustainability and Security**

So, how can data center operators effectively store data that is essential to the booming AI market and virtually every aspect of the digital world while limiting their water consumption and protecting their water infrastructure? 

From an environmental standpoint, it will mean utilizing other water sources beyond freshwater provided by American utilities. Some operators are exploring the use of wastewater, industrial water, and seawater to lessen their strain on the United States' depleting freshwater supply. Improving liquid cooling system monitoring tools to track water consumption is also key. And companies are wisely utilizing federal funds to explore efficient cooling options and should continue partnering with the public sector moving forward.

What's more, operators should consider introducing new liquid cooling systems entirely, as there are now more advanced designs that use less water. And as new data centers become necessary — which we know they will — companies should consider building these facilities in cooler climates as well as in areas with water basins that are not overstrained. 

From a cybersecurity standpoint, many operators will have to prioritize defensive measures that specifically protect water infrastructure — which arguably has not been a key security prerogative in previous years. This will require a strategic reset in which leaders identify water, energy, and other external dependencies and extend risk assessments to environmental and other resources beyond the "logistics-based supply chain" that could interrupt business or operations. If enterprises have not done so already, then they should also apply zero-trust principles to all water-based infrastructure that they are dependent upon. 

Organizations must prepare themselves for a variety of scenarios: What would happen if the data centers you rely on for business viability had a water shortage that forced a shut down? Does your crisis plan consider catastrophic loss of water, and therefore data? If water resources and infrastructure sit outside of your security programs, then chances are you could very well face these scenarios. 

To avoid such potential threats, keep in mind this simple mantra: Define. Protect. Defend. Assess your risk so you can mitigate it, and monitor and maintain your defenses.

That said, water utilities must also do their part to help prevent attacks that could severely impact critical data centers and compromise water supply. Experts point to a renewed focus on cyber resiliency through public-private partnerships, improved centralized patch management systems, risk assessments, and temporary controls to address immediate vulnerabilities in critical systems and legacy infrastructure.

**Change Is Needed Now **

Data center operators are faced with a considerable challenge. They must meet the demands of storing an astonishingly increasing quantity of data while utilizing a decreasing supply of water to cool their facilities. Business, technology, and sustainability leaders must work together to formulate strategies that not only protect the environment, but also protect their data.

There's no future for humans or the life-changing technology we've come to rely on without water. And make no mistake, we are potentially encroaching on a water supply crisis if data center operators, utilities, and the American government do not implement preventative measures now.

**About the Author(s)**

IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

Mark Trump is a physical security knowledge leader and defense adviser. He has more than 35 years’ experience with advanced technologies, cybersecurity and application of best defensive practices across industrial, commercial, governmental and defense industries specializing in cybersecurity modernizations for critical infrastructure and operational technologies OT/IoT and other infrastructure critical to business and safety.

Why Liquid Cooling Systems Threaten Data Center Security &amp; Our Water Supply

The company is asking users to retire several network-attached storage (NAS) models to avoid compromise through a publicly available exploit that results in backdooring.

Source: Tiny Ivan via Alamy Stock Photo

A critical flaw in several end-of-life (EOL) models of D-Link network-attached storage (NAS) devices can allow attackers to backdoor the device and gain access to sensitive information, among other nefarious activities.

More than 92,000 devices currently connected to the Internet are affected by a flaw tracked as CVE-2024-3273 in D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, according to D-Link. As a result, the company is asking customers to sunset any and all affected devices, which will remain vulnerable as the devices no longer receive updates or support from the vendor.

A researcher who goes by the online name "netsecfish" identified the flaw and detailed it on GitHub and subsequently informed D-Link about it, which released its own advisory. The researcher also released an exploit for the flaw, in which attackers already are showing interest, according to a post on X (formerly Twitter) by Shadowserver.

"We have started to see scans/exploits from multiple IPs for CVE-2024-3273," according to the post. "This involves chaining of a backdoor and command injection to achieve RCE."

Flaws in NAS devices are serious business, as exploiting them has great potential to affect not only the device itself but myriad devices that connect to it, posing a dangerous threat that can expose enterprise networks to risk.

**Data Theft, Denial of Service & More**

The vulnerability exists in the nas\_sharing.cgi CGI script, leading to backdooring through username and password exposure as well as command injection through the system parameter, explained netsecfish.

"Affected is an unknown function of the file /cgi-bin/nas\_sharing.cgi of the component HTTP GET Request Handler," according to the listing for the flaw in the National Institute of Standards and Technology's (NIST's) National Vulnerability Database. "The manipulation of the argument system leads to command injection."

To get more granular, in terms of username and password exposure, the problem lies in the request, which "includes parameters for a username (user=messagebus) and an empty password field (passwd=)," according to netsecfish. "This indicates a backdoor allowing unauthorized access without proper authentication."

For command injection, attackers can exploit the "system" parameter within the request, "which carries a base64 encoded value that, when decoded, appears to be a command," according to netsecfish.

Attackers can chain the two issues together to obtain arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service.

Netsecfish's exploit entails crafting malicious HTTP requests by preparing an HTTP GET request–GET /cgi-bin/nas\_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64\_ENCODED\_COMMAND\_TO\_BE\_EXECUTED>–targeting the /cgi-bin/nas\_sharing.cgi endpoint.

**Replace & Retire Vulnerable D-Link Devices**

A report published last year found that companies in every industry continue to leave backup and storage platforms unsecured, making it crucial for them to ensure cybercriminals can't exploit vulnerable ones to enter corporate networks.

With no forthcoming patch for CVE-2024-3273, the only true remedy is not to use affected devices at all, so anyone with one still connected to a network should retire and replace the product immediately, according to D-Link. A complete list of devices can be found in D-Link's advisory.

Indeed, the company remained adamant that it has no plans to support or update the affected products as per its typical device EOL strategy. "Regardless of product type or sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," according to D-Link.

If consumers in the US continue to use the device against the company's recommendation, they should "please make sure the device has the last know firmware," which can be located on a Legacy Website links included in the advisory, according to D-Link.

Anyone who wants to continue using the device also should ensure frequent updating of the device's unique password to access its Web configuration, as well enable Wi-Fi encryption with a unique password.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

92K D-Link NAS Devices Open to Critical Command-Injection Bug

We need more than "do-it-yourself" approaches to threats that clearly rise to the level of national security issues.

Jon Miller, CEO & Co-Founder, Halcyon

April 9, 2024

4 Min Read

Source: Christophe Coat via Alamy Stock Photo

COMMENTARY

The US government is ramping up efforts to stem the increasingly disruptive scourge of ransomware attacks. For example, the State Department recently offered up to $15 million for information on LockBit, and $10 million for information on the BlackCat/ALPHV or Hive ransomware gangs. 

Where these bounties might be most effective is in enticing operators to "out" rival threat actors, or disgruntled affiliates to exact some revenge if they are cheated out of their cut of a ransom. However, the conditions that need to be met in order to collect these bounties are rigorous, and the payouts represent a tiny fraction of the revenue ransomware operators and their partners are realizing, leaving little incentive to cooperate with authorities.

So, is the government doing enough? Is a criminal law enforcement approach to this threat really going to make a dent in attacks? Are adversarial nations taking advantage of this big gray area that is the nexus of cybercriminal and nation-state operations? 

**Ransomware Operators as Nation-State Proxies**

We know rogue nations like Russia support ransomware operations, and they provide a safe harbor for attackers. A recent report by Chainalysis assessed that 74% of all the illicit revenue generated by ransomware attacks during 2021 went to Russia-linked attackers, the lion's share of ransomware proceeds. 

We cannot discount the potential dual nature of many of today's ransomware attacks. There is plenty of overlap between cybercriminal activity and nation-state operations, as evidenced by shared tooling and attack infrastructure. Using ransomware gangs as proxies provides plausible deniability for nations like Russia, while leveraging them in a larger geopolitical strategy. 

Nations like Russia have zero interest in relinquishing such valuable assets to Western authorities. Don't let the faux "takedowns" the Russian government has touted fool you — they are purely a publicity stunt, and no more.

**Designating Some Ransomware Attacks as Terrorism**

Ransomware attacks targeting critical infrastructure providers like healthcare organizations have crossed the line from cybercriminal activity to a serious national security threat. It's no longer just speculation as to whether ransomware attacks are threatening lives. 

When remote attackers disrupt systems critical to care and hold dozens of healthcare providers and their patients to ransom, we simply call it an IT security event and the government response is to offer more guidelines and frameworks. But if hundreds of gunmen coordinating with an adversarial nation entered dozens of hospitals and held the staff and patients hostage, preventing the administration of care for days on end, would offering the hospital guidelines on how to detect gunmen be an acceptable government response?

A recent report by Ponemon found a direct link between ransomware attacks and negative patient outcomes: 68% of survey respondents said ransomware attacks disrupted patient care; 46% noted increased mortality rates; 38% noted more complications in medical procedures. Other research found that between 2016 and 2021, ransomware attacks contributed to between 42 and 67 patient deaths, as well a staggering 33% increase in death rates per month for hospitalized Medicare patients. There is definitely a case to be made to designate some of these attacks as acts of state-supported terrorism. 

Some might argue that the lack of a clearly stated political motive behind ransomware operations means that, while an attack on a hospital that disrupts patient care and leads to negative outcomes could be described as inflicting terror, it would not necessarily meet the definition of terrorism.

However, executive order 13224, issued by the George W. Bush administration in September 2001, does not support that conclusion, and seems to be clearly applicable to some ransomware attacks, such as those against healthcare providers:

"For the purpose of the Order, 'terrorism' is defined to be an activity that (1) involves a violent act or an act dangerous to human life, property, or infrastructure; and (2) appears to be intended to intimidate or coerce a civilian population; to influence the policy of a government by intimidation or coercion."

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict, and prosecute when possible. So far this has only resulted in a few arrests, mostly of low-priority suspects. But if we designate these attacks as threats to national security, there are different rules of engagement that would go far beyond mere indictments, and can include offensive actions deemed appropriate and proportional, both cyber and kinetic. 

**The Hard Truth: Guidelines and Frameworks Are Not Enough**

Organizations that are the victims and potential victims of these attacks have largely been left to fight this battle on their own while getting little to no protection from the government. Unless and until the US and allied governments make this determination, there are few real consequences for these threat actors while targeted organizations are still left to fend for themselves. While guidelines and frameworks are useful, they are still "do-it-yourself" approaches to a threat that clearly rises to the level of a national security issue. 

We need more than vanilla government public relations programs to combat ransomware attacks. It is imperative that the US government and allied nations that are the targets of these attacks differentiate at least a portion of them by reclassifying them as terrorist acts so we can leverage some new tools in this fight. Otherwise, it will be a long, hard, lonely road ahead for ransomware victims.

**About the Author(s)**

CEO & Co-Founder, Halcyon

Jon Miller is the CEO & Co-founder of Halcyon with 25+ years working in the cybersecurity industry. Prior to Halcyon, Jon was the CEO & Co-founder of Boldend, a next-generation defense contractor focused on building offensive tools for the US Government. Previous to Boldend, Jon held the title of Chief Research Officer of Cylance (now Blackberry) where he focused on malware and product efficacy. Prior to Cylance, Jon was employee number 70 at Accuvant (now Optiv) where with a group of others he helped build and lead the largest technical consultancy at the time Accuvant LABS, working with over 95% of the Fortune 500 as an offensive security expert. Before Accuvant, Jon was a ten year veteran penetration tester, serving as one of the first in the industry working for the Internet Security Systems (now IBM) X-Force.

Frameworks, Guidelines &amp; Bounties Alone Won't Defeat Ransomware

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Source: Sueddeutsche Zeitung Photo via Alamy Stock Photo

When David Mayne first started looking for a job in cybersecurity, the recruiter at his first-choice company told him no. With only one eye, how could Mayne spend all day looking at a computer screen?

But he didn't let that stop him. Mayne had already overcome tremendous hardship, losing his eye and his leg following a severe car accident, then finding a way to raise his four children on his own. He had earned a degree that qualified him for cybersecurity work, and he was not going to take no for an answer.

Mayne landed at Novacoast, a cybersecurity company specializing in IT services and software development. After the company moved from Santa Barbara, Calif., to Wichita, Kansas, Mayne reached out to state and city organizations to recruit for Novacoast's training program. That's how he met the team at Envision, a local organization that helps people who are blind or visually impaired (BVI) through employment, outreach, rehabilitation, education, and research.

"In meeting with them, light was shed on the employment situation for people who are blind or visually impaired," Mayne says. "I had no clue how bad that actually was."

According to Envision, 70% of people who experience low vision are unemployed. Mayne saw an opportunity.

**Curriculum Adapts to the Tools**

With the right tools — such as a computer with a screen reader and a Braille keyboard — BVI individuals can work in cybersecurity and IT roles, such as a SOC analyst, help-desk engineer, or network administration, Mayne realized. And organizations needed to broaden their search to address a national shortage in trained cybersecurity workers. So with the support of Novacoast CEO Paul Anderson, Mayne led the development of the Apex Program, an online, on-demand course to prepare VBI students for cybersecurity certification exams.

About 25 students have enrolled in the program since its inception in May 2023, and Mayne says he hopes to register 100 this year. While the course is designed to last 10 weeks, students can work at their own pace. Apex supports students through the course and exam processes, then helps them find work.

"We will stay with them until they get to the end," Mayne says.

The program is free, its $7,500 cost covered by state grants. So far, 16 states have partnered with the Apex Program, with Florida and Texas expected to join the fold this year, Mayne says.

The training materials are delivered in several different ways to accommodate student needs: audio-only, text-only, and PowerPoint and Word document versions that auto advance or advance manually (which is preferred by JAWS, or Job Access with Speech, a common screen-reader program that renders text as speech or in Braille). Content contains both text and video, and students participate in hands-on labs and quizzes.

Creating a curriculum that was accessible and still tackled the challenging topics completely was challenging, Mayne says.

"There's binary math in the class and subnetting, and it took me over a month to figure out how to teach that without using a blackboard," he says.

Mayne is currently updating the materials, as the exams will be updated in July. The course prepares students for CompTIA's Network+ or Security+ certification exam. Students can request accommodations for the exam, such as screen readers, extra time, or even human readers.

"All of our exams are computer-based, and we have gone through the effort with multiple versions to ensure 100% compatibility with JAWS," says Carl Bowman, senior vice president of exam services at CompTIA.

Because tests are taken in a locked-down browser, the software has to be configured to allow the screen readers to run. But Bowman says it's important to make sure that BVI individuals who want to take the exams have equal access.

"Fairness is one of the underlying themes across the board when you look at our entire operation," Bowman says.

**Training Pays Off for Students and Employers**

So far, four students have completed the Apex Program course. One of the first graduates, Curtis Jackson, recently joined Novacoast as a SOC 1 Analyst, the company's first direct hire from the program.

Finding the Apex Program through a Facebook ad was a game-changer for Jackson, who was born blind due to congenital glaucoma. The father of two, who had worked as a telemarketer for nearly two decades, dreamed of working in tech but felt locked out due to his disability.

Now, however, he not only has a new job, he has a career.

"I definitely have more earning potential," Jackson says. "But the real opportunities will come when accessibility comes and I have a chance to advance and move up in the company, just like everybody else."

For Mayne, bringing Jackson on board was important for both the company and the success of the Apex Program.

"We drink our own Kool-Aid," he says. "We don't want to be out there telling everyone they need to hire BVI employees but we do not."

Once graduates successfully pass the CompTIA exams, their resumes are given to Novacoast's staff augmentation arm, which helps companies hire tech professionals. So far, about 70 organizations have said they are willing to interview the program's graduates. They're from a variety of industries, including local businesses, federal agencies, vehicle manufacturers, and software firms. Graduates can work anywhere that "has an IT department," Mayne says.

**Cybersecurity Is a Career, Not Just a Job**

Mayne has been working with the White House's Office of the National Cyber Director to spread the word about the program, which also was featured in a recent short film from WorkingNation, a nonprofit media organization that explores the future of work in the US.

WorkingNation's Melissa Panzer, the short film's director, says that she hopes the film inspires business leaders to look to unlikely talent pools and expand who they consider for opportunities.

"I tell a lot of stories about people who are marginalized, and I always come back to the same thing: I believe that people who are marginalized, their work ethic is strong, their dedication is strong," she says. "They just want a chance."

The Apex Program plans to expand beyond its focus on BVI individuals to veterans and disabled veterans, which could open the program up to 500 to 800 students a year, Mayne says.

"We're bringing people to careers, not just to jobs. And we want them to be financially secure as well as have a career that they enjoy," Mayne says. "We're bringing students that are excited to get into this field, that are go-getters. We would like the people in the IT world to give these people a shot. That's what doesn't exist today."

**About the Author(s)**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Ambitious Training Initiative Taps Talents of Blind and Visually Impaired

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

Source: incamerastock via Alamy Stock Photo

A newcomer cybercrime group linked to Vietnam has targeted individuals and organizations in Asia, attempting to steal social media account information and user data.

CoralRaider, which first appeared in late 2023, relies heavily on social engineering and legitimate services for data exfiltration, and it develops custom tools for loading malware onto victim systems. Yet the group has also made some rookie mistakes, such as inadvertently infecting their own systems, which exposed their activities, threat researchers with Cisco's Talos threat intelligence group stated in a new analysis on CoralRaider.

While Vietnam has become increasingly active in cyber operations, this group does not appear to be working with the government, says Chetan Raghuprasad, security research technical leader for Cisco's Talos group.

"The main priority is financial gain, and the actor is attempting to hijack the victim’s social media business and advertis\[ing\] accounts," he says. "The potential exposure for follow-on attacks, including delivering other malware, is also possible. Our research has not seen any examples of other payloads being delivered."

Vietnam threat actors frequently focus on social media. The infamous OceanLotus group — also known as APT32 — has attacked other governments, dissidents, and journalists in Southeast Asian countries, including in Vietnam. A military-associated group, Force 47 — linked to the Vietnamese army's official television station — regularly attempts to influence social media groups.

CoralRaider, however, appears to be connected to profit motives rather than nationalist agendas.

"At this moment, we do not have any evidence or information on signs of CoralRaider working with the Vietnamese government," Raghuprasad says.

**Multistage Infection Chain**

A CoralRaider campaign typically starts with a Windows shortcut (.LNK) file, often using a .PDF extension in an attempt to fool the victim into opening the files, according to the Cisco analysis. Following that, the attackers move through a series of stages in their attack:

1.  Windows shortcut downloads and executes an HTML application (HTA) file from an attacker-controlled server
    
2.  HTA file executes an embedded Visual Basic script
    
3.  VB script executes a PowerShell script, which then runs three more PowerShell scripts, including a series of anti-analysis checks to detect if the tool is running in a virtual machine, a bypass for the system's User Access Controls, and code that disables any notifications to the user
    
4.  Final script runs RotBot, a loader that performs detection evasion, conducts reconnaissance on the system, and downloads a configuration file
    
5.  RotBot then typically downloads XClient, which collects a variety of user data from the system, including social media account credentials
    

In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. And lastly, XClient takes a screenshot of the victim's desktop and uploads it.

Meanwhile, the researchers say there are indications that the attackers had targeted individuals in Vietnam as well.

"The \[XClient\] stealer function maps the stolen victim's information to hardcoded Vietnamese words and writes them to a text file on the victim machine's temporary folder before exfiltration," the analysis stated. "One example function we observed is used to steal the victim's Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created."

**Shooting Themselves in the Foot**

The CoralRaider group used an automated bot on the Telegram service as a command-and-control channel and as well as to exfiltrate data from victims' systems. However, the cybercriminal group appears to have infected one of their own machines, because the Cisco researchers discovered screenshots of the information posted to the channel.

"Analyzing the images of the actor's Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named 'Kiém tien tử Facebook, 'Mua Bán Scan MINI,' and 'Mua Bán Scan Meta,'" Cisco Talos stated in the analysis. "Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded."

CoralRaider's arrival on the cyber threat scene is not surprising: Vietnam is currently facing an increase in threats from account-stealing malware, says Sakshi Grover, research manager in IDC's Cybersecurity Services group for the Asia/Pacific region.

"While historically less associated with cybercrime compared to other Asian nations, Vietnam's rapid adoption of digital technologies has made it more susceptible to cyber threats," she says. "Advanced persistent threats (APTs) are increasingly targeting government entities, critical infrastructure, and businesses, utilizing sophisticated techniques like custom malware and social engineering to infiltrate systems and steal sensitive data."

Because economic conditions vary across Vietnam — with some areas experiencing limited job opportunities, resulting in low wages for highly skilled roles — individuals can be incentivized to engage in cybercrime to make money, Grover says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Industry experts share how to implement comprehensive security strategies necessary to secure the software supply chain in Dark Reading's latest Tech Insights report.

Software supply chain attacks are relatively easy to conduct and have a significant payoff for attackers, so it's little wonder why they're top-of-mind for CISOs.

"This is especially the case if the vulnerable hardware or software has a high adoption across enterprise organizations," says ReliaQuest CISO Jeff Music.

While some software supply chain attacks, such as the ones involving MOVEit and SolarWinds, garner considerable attention, there are many software supply chain attacks occurring every day that don't get their moment in the spotlight. And no one beyond their victims ever hear about what happened.

But whether well-known or obscure, they create considerable risk for organizations.

For Dark Reading's latest Tech Insights report, "How Supply Chain Attacks Work and How to Secure Them," we interviewed experts who shared how to implement the comprehensive security strategies necessary to defend against these attacks. They include managing vendor risk, implementing security frameworks, conducting software composition analysis, and ensuring adequate DevSecOps practices are in place.

**Can't Blindly Trust Software**

In software supply chain attacks, malicious code or components are inserted into legitimate software applications or dependencies. The malicious software then enables attackers to infiltrate organizations that use those compromised systems.

Unfortunately, enterprises can't blindly trust their technology environments — from their end-user endpoints to third-party suppliers or the open-source components they rely on. These software supply chain attacks are insidious and have the power to compromise vast amounts of enterprise data and disrupt essential services across all business sectors.

In the case of MOVEit, for example, the attacks compromised the personal data of millions of people and affected more than 1,050 organizations, including those in the federal government, healthcare, education, finance, and insurance.

The stakes are high, and CISOs and security teams are grappling with these risks. Download a copy of our new report to learn from industry experts about how to implement the comprehensive security strategies necessary to defend against supply chain attacks.

**About the Author(s)**

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Tips for Securing the Software Supply Chain

SaaS vendor to blame for exposing employee data that was ultimately leaked on Dark Web forum, according to the home improvement retailer.

Source: Ian Dagnall via Alamy Stock Photo

A hacking forum leak has led Home Depot to confirm that its employee data was compromised via a third-party software vendor.

Home Depot did not identify the breached software-as-a-service (SaaS) vendor but said an error exposed the names, corporate IDs, and email addresses of a "small sample" of its employees, according to reports. Now up for sale on the Dark Web, this is the type of data that could be used to fuel targeted phishing cyberattacks.

The incident highlights how selecting SaaS vendors with strong cybersecurity protections is critical for enterprises, according to Tamir Passi, director of product with DoControl.

**Software Supply Chain Cyber Risk**

Passi recommends testing a third-party supplier's workflow before providing them access to your data.

"Ideally, real employee data should not be used to test a new vendor's workflow," Passi explained in a statement. "In general, system testing and validation should be done with non-production data sets unless all the necessary and same security and privacy protocols are in place for production as for testing."

Passi cautioned that once data is handed over to a partner, it's too late to do anything about its security.

In addition to due diligence and vetting prior to selecting a SaaS vendor, Mika Alto, co-founder and CEO of Hoxhunt, recommends regular audits.

"The threat landscape is always changing, so continuous training on security best practices are vital," Alto said in a statement. "Employees and security professionals at all levels should be equipped to recognize and respond to potential threats, including those that may arise from third-party sources."

A decade ago Home Depot experienced a much larger data breach where customer credit card data related to purchases at stores across the US and Canada was compromised.

Source

DARKReading