As part of its Secure by Design initiative, CISA urged companies to redouble efforts to quash SQL injection vulnerabilities. Here's how.

Source: Casimiro PT via Shutterstock

For more than a decade, injection vulnerabilities have literally topped the charts of critically dangerous software flaws, deemed more serious than all other types of vulnerabilities in the 2010, 2013, and 2017 Top 10 lists maintained by the Open Web Application Security Project (OWASP).

Still, the warnings have failed to weed out the issues. Last year, the Cl0p group stole data from companies using a previously unknown SQL injection (SQLi) vulnerability in MOVEit's file-transfer application. In late March, the Cybersecurity and Infrastructure Security Agency (CISA) called for companies to redouble their efforts to eliminate the security issue, which application security experts consider one of 13 different "unforgivable" classes of vulnerabilities that programmers should catch during development.

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the agency stated in its March 25 advisory. "Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007."

The root of injection vulnerabilities is a lack of input sanitization; when the application receives variable input, there's always the risk of that input being tainted, says Randall Degges, head of developer relations at application security firm Snyk.

"Although this has been an issue since programming existed, the reason it’s still in the top 10 vulnerabilities after all this time is because there are an infinite number of ways to use input, and often time sanitizing input is tricky," he says.

For software developers looking to nix this particular issue, here's how.

**1\. Educate Yourself and Others**

The first step is always education. OWASP offers cheat sheets on SQLi, how to detect the vulnerability, and ways of creating safe code. Some Web application frameworks aim to educate developers while they are programming, using application programming interface (API) names to make the risk of some functions clear, such as React's "dangerouslySetInnerHTML" function, says James Kettle, director of research at PortSwigger, an application security testing firm.

In addition, developers should not necessarily trust the makers of open source software — especially components that have not been well vetted — to use safe code, and online tutorials are often unsafe as well, he says.

"I think the core issue is that there's a lot of unsafe APIs, where anyone using the API is vulnerable by default," Kettle says. "Even when there are more modern secure APIs available, fresh code is written using the unsafe versions, thanks to old unsafe examples in StackOverflow."

**2\. Harden the DevOps Pipeline Using Automated Tools**

Developers should implement unit tests to check code for SQLi flaws — and other common security issues — during development, add static application security testing (SAST) both prior to and after commits, and include scans for SQLi as part of dynamic application security testing (DAST).

Unit tests can be added using frameworks such as tSQLt for testing Microsoft SQL Server, pgTAP for testing applications that use PostgreSQL, and Pytest and SQLAlchemy for unit testing in Python programs. A variety of SQL unit testing best practices should be followed to make the tests more useful, such as isolating the SQL tests from dependencies and avoiding descriptive naming of the tests.

In addition to automated tests in the development pipeline, developers should make sure to use SQL frameworks, such as SQLAlchemy, because many security improvements are already baked in, says Snyk's Degges.

"Pretty much all modern SQL frameworks and tools provide convenience methods to help with this nowadays, so your best bet is to thoroughly read through the relevant framework documentation to ensure you're using it correctly when building queries," he says.

**3\. Play Around With SQLMap**

The open source program SQLMap is a great tool for penetration testers to experiment with SQLi, exploit any potential vulnerabilities, and dump a database to prove that the vulnerability can be exploited. The tool can also educate application developers to the true dangers of SQLi and how vulnerable code can be exploited.

However, the tool is not necessarily the best way to scan for potential vulnerabilities, says PortSwigger's Kettle.

"In my experience, the detection capabilities are slow, heavyweight, and prone to false positives," Kettle says. "Also, it can't explore websites to find the attack surface, which is one of the biggest challenges for finding these vulnerabilities automatically."

**4\. Consider a DAST Service**

Automating SQL injection scanning using DAST as part of the quality assurance stage — and even earlier in the DevOps pipeline, if possible — can help catch any overlooked vulnerabilities. In addition, DAST scanning is a good way to find SQLi in legacy code.

While Web application firewalls (WAFs) can prevent SQLi attacks from reaching an application, they should be used only as part of a defense-in-depth strategy, Kettle says.

"Personally, I've seen runtime protection like WAFs bypassed so many times that I don't have much confidence in them," he says. "I would recommend a bug-bounty program as an effective way to surface undetected vulnerabilities instead, and use WAFs as a last resort for systems that are in such a bad state that known vulnerabilities can't be patched."

**5\. Expand Beyond SQL**

Finally, companies should also look for other types of injection vulnerabilities and make sure their developers recognize risky patterns, since SQLi is only one class of injection vulnerabilities.

OWASP broadened the definition of an injection vulnerability to be any software flaw where user-supplied data is not validated or sanitized by an application and then sent to an interpreter. Cross-site scripting, SQL, operating system scripting, and parsing the Lightweight Directory Access Protocol (LDAP) are all areas that can be vulnerable to injection.

With the advent of artificial intelligence models, for instance, prompt injection is the latest form of an injection attack.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

How to Tame SQL Injection

Guests affected by the companywide disruption vented their frustrations on social media.

Source: Andrew Shurtleff via Alamy Stock Photo

UPDATE

This story was updated at 3:30 ET on April 4 to reflect new information about the cause of the outage.

Omni Hotels & Resorts last week experienced a cyberattack that led to an outage, bringing down the company's IT systems.

In a notice on the Omni Hotel website, the company explained that after learning of the cyberattack, it shut down its systems to protect its data.

This cyberattack impacted operations and hotel functions such as reservations, hotel room door locks, and point-of-sale (POS) systems, but it is unclear what data, if any, was impacted.

The Omni's website went down Friday as well but was back in service by the weekend, with a notification to customers reading, "Dear valued guest, we are currently experiencing technical difficulties, please try back at a later time."

Customers shared their experiences on social media sites like X (formerly known as Twitter) and Reddit.

On a "r/hotels" Reddit thread, a user posted about the hotel outage, alerting that the computer systems were down. Another user responded saying "It's pretty bad. They have it so you have to text them to come let you into your room, and it usually takes 30+ minutes for an employee to get there and unlock it for you," referencing the inoperable digital locks on hotel rooms.

Omni hasn't disclosed what caused this cyberattack, ransomware or otherwise, though Elise Carmichael, CTO of Lakeside Software, said that identifying the causes of these kinds of outage can be "like finding a needle in a haystack" for some companies.

"Organizations will go into a war room either literally or virtually — pulling a dozen people at all hours to find this needle. Unfortunately, today, finding this needle is exceedingly difficult as nearly every organization is reactionary," Carmichael said in an emailed statement to Dark Reading. 

Carmichael recommended that organizations and businesses collect the kind of data they need to solve these kinds of issues prior to an event like an outage or cyber incident actually happening. 

"With this kind of visibility, they can predict problems before they disrupt the business at wide scale, preventing most of these war room situations," Carmichael added.

Omni has launched an ongoing investigation into the attack and is working to restore whatever systems are not yet fully operational. The hotels will remain open and are accepting new guests and reservations on its website.

Omni Hotel IT Outage Disrupts Reservations, Digital Key Systems

Security teams often confuse tool purchasing with program management. They should focus on what a security program means to them, and what they are trying to accomplish.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

I've had the pleasure of speaking to hundreds of security teams, and the biggest mistake I've seen is that they often mistake tool purchasing with program management, meaning they often think of the tool driving the program, rather the tool being a part of the program. Instead of focusing on the tool, security teams should focus on what a security program means to them, and what they are trying to accomplish. Below, I share insights that can improve your cybersecurity strategy.

**The Misconceptions and Limitations of Cybersecurity Tools**

Not planning a program end to end can lead to failure. Being able to detect something, but doing nothing about it, isn't useful. Too often, security teams fall for the misconception that a security tool is a comprehensive security program. But can we fault them?

Cybersecurity tools are packaged to be appealing: sleek dashboards, integrations, APIs, multiple language support, the promise to find everything. These features give the illusion of a sure bet for security. Security teams buy these tools expecting, then hoping, finally pleading, that their bet will pay off. 

**The Known-Bug Breach**

Organizations routinely need weeks to months to fix a software vulnerability. Even more startling, in a third of security breaches, the pending security fix was known before it was exploited. Why? This often stems from security tickets falling in priority because of the inability to drive a meaningful vulnerability management program and getting stakeholder buy-in. 

**Best Practices for Building Effective Cybersecurity Programs**

The National Institute of Standards and Technology (NIST) defines a security program "as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." A security program answers: why this, what to do about it, when, how, and who. It simplifies those answers by forming them into policies and instructions for everyone to follow.

"In my org," a former chief information security officer (CISO) told me, "we didn't greenlight any tool purchasing until a remediation plan was established for the tool." This ex-CISO understands that managing security well is managing the security program, which, in turn, is managing, maintaining, and building a security culture. To be effective, you have to embed the security program in every layer of the business.  

My advice: Before you buy a tool like SAST, lay the groundwork for a security program.

There are so many threat models and definitions out there that it can be overwhelming. Instead, keep it simple to start. Use this tried-and-true formula:

program = tool + people + processes + goals

If you do this, you will avoid the misconception that a tool is a program. These best practices bolster more effective cybersecurity programs that are resilient, adaptable, and capable of remediating bugs. 

In the following two sections, I want to call out two important and often overlooked pieces of this equation that might be misunderstood.

**Stakeholder Engagement in Security Programs**

Stakeholder engagement is crucial to a security program. The vast majority of a security team's success is based on the relationships and buy-in they achieve with key stakeholders, like engineering teams. Forgetting stakeholder buy-in and commitment will fail the vast majority of purchases.

Stakeholder engagement ensures that everyone understands the importance of cybersecurity and eliminates ambiguity. The security program helps every individual understand their role in security and importance in fulfilling that role. In the case of implementing a SAST tool, not having buy-in from your engineering team means you're going to rack up a vulnerability count because you can't act on it. 

**Vulnerability Management **

Vulnerability management is a core component of a strong security program, and generally applicable to most security tools. We've found only the largest of enterprises will hire a dedicated vulnerability manager, and often most organizations don't have someone owning and driving those vulnerabilities.

Vulnerability management involves identifying, assessing, prioritizing, and then addressing vulnerabilities in the system. This is a continuous process that requires regular monitoring and updating. 

For example, in fixing code vulnerabilities from a SAST tool, essential to vulnerability management is remediation and, later, prevention. There is plenty of information about proactive efforts. The big addition I can add here is using cutting-edge tools to achieve rapid maturation for your vulnerability management program — namely, auto-remediation. The recent developments in AI have enabled teams to behave like their counterparts. For example, product managers can now do data science tasks. Additionally, AI is enabling teams to automatically fix vulnerable source code. Security teams can't scale their efforts alone. They need to invest in actions and systems that help them drive programs. 

**Conclusion**

Cybersecurity tools are no replacement for a robust security program. No one buys construction tools and starts building willy-nilly. Without a plan, they'd end up with a chaotic assembly of screwed-in screws, hammered nails, and sawed boards. That isn't productivity. It's busywork. Sadly, a tool without a robust plan behind it can go the same way. A security program assures that security tools are effective and deliver value for your organization — and, ultimately, increase the security of your organization.

**About the Author(s)**

Founder & CEO, Corgea

Ahmad Sadeddin is the founder and CEO of Corgea. A three-time startup founder and product leader, he's worked on building and scaling software products for over 15 years. Securing software products was always a challenge, so Corgea was born from his frustration at the manual and inefficient processes to remediate security issues. Corgea automatically fixes insecure code.

The Biggest Mistake Security Teams Make When Buying Tools

A federal review board demanded that the tech giant prioritize its "inadequate" security posture, putting the blame solely on the company for last year's Microsoft 365 breach that allowed China's Storm-0558 to hack the email accounts of key government officials.

Source: Wachirawit Lemlerkchai via Alamy Stock Photo

A federal review board has called on Microsoft to prioritize its approach to cloud security and stop pushing the burden of it onto customers in the wake of a July 2023 cyberattack that let Chinese threat actors breach Microsoft 365 accounts to spy on key US government officials.

A report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft's security culture, putting the blame squarely on the company and a "cascade of security failures" for the cyber espionage attack by China-based threat group Storm-0558, which "never should have happened."

The board — which was investigating the breach at the behest of President Joe Biden — demanded that the technology giant put cybersecurity at the top of its agenda. It also should be held to strict account to make significant revisions to its cloud-security position, even prioritizing these changes ahead of new product features and development.

"To drive the rapid cultural change that is needed within Microsoft, the board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products," officials said in the report.

**Put Security Before Product Innovation**

As part of its review, the board made a series of recommendations to this end, including that top executives not only develop this plan but also hold leaders at all levels across the company accountable for implementing it.

Microsoft leadership also should consider directing internal Microsoft teams to "deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made," instead assessing and addressing security before deploying any new features, the board concluded.

Given the dependence on the security of Microsoft's cloud-based services and infrastructure, the software giant and other CSPs also need to take more accountability overall for the security outcomes of their customers. An action item at the top of this list is to halt the practice of making customers pay for security-related logging, making it "a core element" of cloud offerings instead of an add-on service for an extra fee.

Microsoft already relented and dropped fees associated with expanded logging access for all levels of 365 license holders shortly after the breach following complaints that it was effectively levying a logging tax on customers.

**This One Is on Microsoft**

The overall finding of the board is that the blame for the breach — which allowed Storm-0558 to gain access to email accounts across 25 government agencies in Western Europe and the US — is solely with Microsoft, and was directly due to a series of security failings on the part of the company.

As the fallout from the breach intensified in the weeks after its initial detection, Microsoft eventually in September 2023 owned up to a series of mistakes that led to Storm-0558 using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens for accessing enterprise email accounts. MSA consumer keys are typically used to cryptographically sign into a Microsoft consumer application or service such as Outlook.com, OneDrive, and Xbox Live.

The company said at the time that a race condition resulted in the signing key being present either in a crash dump or a snapshot of the crashed system. The key eventually ended up with the debugging team on Microsoft's Internet-connected corporate network, where threat actors likely picked it off.

However, government officials held executives feet to the fire over the company's failure to detect the compromise of its "cryptographic crown jewels on its own," as it was a customer — a human rights organization who did not have access to advanced cloud security logging — that first alerted the company to a potential issue.

Moreover, Microsoft has never proven that the key used by attackers ended up in any crash dump or snapshot, and failed to correct statements claiming this as the root cause "in a timely manner." Indeed, Microsoft did not roll back its story on how the key got into the hands of Storm-0558 until last month, when it amended its blog post and acknowledged it never located a crash dump containing the key.

Finally, Microsoft is generally lax in comparison to other cloud service providers (CSPs) when it comes to cloud security, failing to keep security controls to a similar standard, the board found. The company must level up immediately given that its ubiquitously used products "underpin essential services that support national security, the foundations of our economy, and public health and safety," which in turn, requires Microsoft "to demonstrate the highest standards of security, accountability, and transparency," officials concluded.

A Microsoft spokesperson said that the company appreciates the work of the board to investigate the attack, and that in its aftermath the company has recognized a"a need to adopt a new culture of engineering security in our own networks."

To that end, Microsoft unveiled what it's calling a Secure Future Initiative, to mobilize its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.

"Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries," the spokesperson said, adding that Microsoft will also take into consideration any additional recommendations by the board.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds to Microsoft: Clean Up Your Cloud Security Act Now

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

Source: Anatolyi Deryenko via Alamy Stock Phot

It's clear from the comments by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, and from documents leaked from a Chinese hacker-for-hire ring, that there's a growing threat from and demand for a market for cyber vulnerabilities. Even more alarming, however, was Easterly's assessment that "we've made it easy on" attackers through poor software design. To secure our systems and prevent a whole-of-society or whole-of-economy attack like the one that Easterly and her peers descripted to Congress, it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

Cybersecurity statistics from 2023 paint an even clearer picture of how easy it is for hackers: In Chromium, the engine that powers Chrome and Edge, eight previously unknown vulnerabilities (zero-days) were identified. Even software designed to keep users and networks secure was not immune from compromise. CISA opened 2024 with an emergency directive for federal departments and agencies to patch a series of vulnerabilities in VPN software designed for securing employee connections to federal networks. In the coming months, it's also likely that the creation of a market for hacks and hacked data by the likes of iSoon, as well as the growing offensive threat posed by AI, will make cyber defense even more challenging.

As CISA articulated in its Secure by Design initiative, vendors are the first step to creating technologies that are both secure and usable. Taking security into account along with performance and features from day one of a product's development will not only help build a secure technology stack but will also ensure that products truly balance security and performance instead of creating hurdles to good user experience masquerading as security features. But even CISA's ambitions to bring Secure by Design to life as a regulatory framework is insufficient to drive the sea change that's needed to turn the tide against emboldened and AI-empowered hackers — without support from the market, even the most well-intentioned and well-informed regulations will devolve into a box-checking enterprise.

**Cyber-Risk Is Business Risk**

To secure our economy and privately operated infrastructure, businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. By increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes. In doing so, cybersecurity will become less of a last-minute hurdle to business effectiveness and more of an enabler to build a technology ecosystem and operations model that are both successful and secure.

As executives prioritize cybersecurity as a factor in their strategic decisions, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. IT professionals must realize that shortcuts to bypass security controls in favor of user experience or network efficiency incur unnecessary risk for their companies; in return, cybersecurity professionals must proactively look for technology that provides users a good experience while isolating them from technical risks. Both groups need to collaborate to create education for their workforces that are based on a real-time understanding of the risks they face and empowering good decisions about those risks rather than annual, quarterly, or monthly training that too often runs in the background while employees do their "real jobs."

The final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens. While CISA and the US government writ large have put much of the burden for secure development and secure decisions on companies, citizens must realize that the cybersecurity stakes go far beyond individual credit cards and bank accounts. The doomsday scenario of a simultaneous power, water, and communications disruption brings these stakes into focus, and day-to-day citizens must be willing to increase their cyber literacy and compliance to stop this scenario from unfolding. Just as we accept and comply with the incessant tones that remind us to buckle our seatbelts when driving, we must accept minor cybersecurity "nudges" like multifactor authentication of sensitive work and personal.

It's easy to catastrophize the consequences a Chinese cyberattack could bring — and it's certainly worth talking about response, resiliency, and recovery policies. It's hard to look in the mirror and realize that, in the rush to develop, purchase, and consume feature-rich technology, we've made it "easy" for our adversaries. But this doesn't have to be the case. If we work together and integrate cybersecurity as part of our corporate and individual thinking, we can make life harder for the hackers and safer for ourselves.

**About the Author(s)**

Field CTO, Garrison Technology

Adam Maruyama is a cybersecurity and national security professional and the current Field CTO for Garrison Technology. He served more than 15 years in the Intelligence Community supporting cyber and counterterrorism operations, including numerous warzone tours and co-leading the drafting of the 2018 National Strategy for Counterterrorism. During his time in industry, Adam has served commercial and government customers at McKinsey & Company and Palo Alto Networks.

Why Cybersecurity Is a Whole-of-Society Issue

What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

Shamla Naidoo, Head of Cloud Strategy & Innovation, Netskope

April 3, 2024

5 Min Read

Source: Feng Yu via Alamy Stock Photo

COMMENTARY

In recent global election cycles, the Internet and social media have facilitated the widespread dissemination of false news, misleading memes, and deepfake content, overwhelming voters. Given that it is difficult to directly compromise election systems used to vote and count votes, adversaries turn to the age-old psychological manipulation technique to get the desired outcomes: no hacking needed. With the emergence of generative artificial intelligence (AI) tools, the impact of disinformation campaigns is expected to escalate further. This has led to increased uncertainty and ambiguity regarding reality, with personal biases often shaping perceptions of truth.

In a sense, disinformation is like a cyber threat: As security leaders, we realize that malware, phishing attempts, and other attacks are a given. But we put controls in place to minimize the impact, if not prevent it entirely. We develop defense strategies based on decades of historical knowledge and data to gain the best advantage.

Today's disinformation campaigns, however, are essentially a product of the last decade, and we have not yet designed a mature series of controls to counter it. But we need to. With 83 national elections in 78 countries taking place in 2024 — a volume not expected to be matched until 2048 — the stakes have never been higher. A recent wave of troubling incidents and developments illustrate the many ways that adversaries are attempting to deceive the hearts and minds of the world's voters:

*   In Europe, the French Foreign Minister accused Russia of setting up a network of more than 190 websites intended to spread disinformation to "destroy Europe's unity" and "make our democracies exhausted" in seeking to discourage support for Ukraine. The network, codenamed "Portal Kombat," has also sought to confuse voters, discredit certain candidates, and disrupt large sporting events like the Paris Olympics.
    
*   In Pakistan, voters have been exposed to false Covid-19 and anti-vaccination propaganda, online hate speech against religious groups, and attacks on women's movements.
    
*   The World Economic Forum ranks foreign and domestic entities' or individuals' use of misinformation and disinformation as the "most severe global risk" for the next two years — over extreme weather events, cyberattacks, armed conflicts, and economic downturns.
    

Let's be clear here about the difference between disinformation and misinformation: The latter is information that is wrong, but not intended for mass distribution. The "fake news" distributor may not even be aware of its inaccuracies.

Disinformation, on the other hand, occurs when an entity (such as an adversarial nation-state) knowingly leverages misinformation with the intent of viral distribution.

The psychological manipulation jeopardizes the stability of democratic institutions. Think of disinformation farms as a large office floor with hundreds or even thousands of people doing nothing but making up authentic-looking blogs, articles, and videos to target candidates and positions that contradict their agendas. Once unleashed on social media, these falsehoods spread rapidly, reaching millions and masquerading as real events.

How can citizens best protect themselves from these campaigns to maintain a firm grasp on what's real and what isn't? How can cybersecurity leaders help?

Here are four best practices.

**DYOV: Do Your Own Vetting**

A meme or GIF doesn't stand alone as a credible source of information. Not all professional-looking publications are credible or accurate. Not every statement from a trusted source may be their own. It’s too easy to create fake videos using AI-generated images. There are few arbiters of truth on the Internet, so buyer beware. Moreover, we can't depend on social media platforms to monitor and eliminate disinformation — regardless of whether we agree or embrace it. Section 230 has established immunity for online companies serving as publication resources for third-party content.

It's critical to look at different platforms and reconcile those with what government websites, real news outlets, and respected organizations such as the National Conference of State Legislatures (NCSL) are reporting. Inconsistencies should serve as a warning sign. Also, when seeking out biases from the information source, always ask, "Why should I believe this? Who is the author? What is their interest in this position?"

**2\. Avoid Becoming Part of the Problem**

Social media makes it too easy to run with a post or video that presents a version of "truth" that is anything but. Architects of disinformation campaigns depend upon individual users to spread their messages, i.e., "It came from my sibling/boss/neighbor, so it must be true." Again, DYOV before passing anything along. Be judicious about clicking on "forward" and "like" buttons to avoid being an engine of these campaigns.

**3\. Follow Watchdogs**

Organizations like the Netherlands-based Defend Democracy, the University of Pennsylvania-based FactCheck.org and Santa Monica, Calif.-based RAND Corp. offer resources to better help distinguish fact from fiction. In the academic community, San Diego State University's University Library and Stetson University's duPont-Ball Library maintain a list of watchdog groups, databases, and other resources.

**4\. Take a Leadership Stand**

As cybersecurity professionals, we recognize that threats like brand impersonation and phishing occur beyond our controlled technology environments. We cannot block every email, and our controls won't block or even detect impersonations on technology that we don't control. Instead, we must actively promote cyber education and awareness so employees can learn about the latest phishing attempts and the dangers of clicking on unfamiliar links.

We should take a similar, education-focused approach with disinformation campaigns. We can create employee awareness programs so they understand what to look for, even when the attempts do not involve our technology. We can even promote this knowledge through various platforms — internal company communications, public-facing blogs, articles — where we have a prominent voice. Offer credible and contextual resources against which they can vet information.

Unfortunately, disinformation — especially during political seasons — cannot be avoided, forcing us to field all relevant "facts" through appropriate vetting. However, tools enable everyone to do this while educating employees and the public as cybersecurity leaders. If they do so, 2024 may be remembered as the year when the global community decided that the truth matters.

**About the Author(s)**

Head of Cloud Strategy & Innovation, Netskope

Currently the head of cloud strategy & innovation at Netskope, Shamla Naidoo is a technology industry veteran with experience helping businesses across diverse sectors and cultures use technology more effectively. She has successfully embraced and led digital strategy in executive leadership roles such as Global CISO, CIO, VP, and Managing Partner, at companies like IBM, Anthem (Wellpoint), Marriott (Starwood), and Northern Trust.

Shamla has helped organizations in over 20 countries recognize the impact of digital transformation globally and advise their stakeholders on predicting and navigating the necessary changes in laws and regulations. In addition, she has worked with intelligence communities to use digital and cyber within their organizations to protect businesses and society from technology misuse.

Shamla remains actively engaged in the industry, with organizations like the Security Advisor Alliance, the Shared Security Assessments Group, Institute for Applied Network Security (IANS), Executive Women’s Forum (EWF), HMG Strategy Group, and the Round Table Network. In addition, she is an influential member of the legal community, creating and teaching courses on law, technology, and privacy for the University of Illinois Chicago School of Law. She frequently speaks at the American Bar Association and formerly served as the Committee Chair on Legal Technology for the Illinois State Bar Association. As a practitioner, teacher and coach, she enjoys the opportunity to help seasoned professionals to take their careers to the next level.

'Unfaking' News: How to Counter Disinformation Campaigns in Global Elections

An economic success story in Asia, Vietnam is seeing more manufacturing and more business investment. But with that comes a significant uptick in cybercrime as well.

Source: Jose Vilchez via Alamy Stock Photo

For one week last month, Vietnamese brokerage VNDirect Cyber Systems shut down its securities trading systems and disconnected from the country's two stock exchanges after a ransomware attack encrypted critical data. VNDirect was offline recovering until eight days later when the Ho Chi Minh and Hanoi stock exchanges allowed it to restart trading on April 1.

VNDirect Cyber Systems is just the latest Vietnamese company whose operations have been severely disrupted by a cyberattack.

In 2023, nearly 14,000 organizations across Vietnam suffered a cyberattack, an increase of 10% from the prior year, according to the country's National Cyber Security Centre (NCSC). While estimated damages caused by malicious software declined for the second year in a row to 17.3 trillion VND, or about US $690 million, a variety of other cybersecurity metrics continue to worsen, according to regional experts.

Overall, the country's economic picture is in flux. And that has led to a rise in cybercrime, says Ngoc Bui, a cybersecurity expert at Menlo Security, a provider of secure enterprise browser technology.

"Economic conditions, particularly in regions with limited job opportunities and low wages for high-skilled roles, can drive individuals to turn to cybercrime," he says. "This trend, fueled by the allure of cybercrime's rewards and digital anonymity, emphasizes the need for creating legitimate tech sector jobs to stimulate economic growth and counter cybercrime."

Vietnam is one of the fastest-growing economies in Asia, making the most of its connections to both China and the United States. The country's digital economy is expected to top US $43 billion by 2025, in part because of its focus on technology including initiatives in e-government, smart cities, and artificial intelligence, according to consulting giant PricewaterhouseCoopers. As a result, in mid-March, a delegation of nearly 60 US companies — including giants such as Meta and Boeing — visited the country to seek out investment opportunities.

**Cracked Software, Junk Bank Accounts**

The success has brought rapid technology adoption and significant cybercrime.

Nearly 750,000 systems were attacked by credential-stealing malware in 2023, an increase of 40% compared to the previous year, according to regional cybersecurity firm Bkav Technology Group. Online financial fraud has taken off due to a problem specific to the country: Bank account owners selling access to unused accounts. These so-called "junk accounts" make it difficult to track cybercriminals by following the money, says Nguyen Van Cuong, director in charge of cybersecurity at Bkav.

"Many people simply think that selling accounts they don't use won't be a problem," he said in a statement. "But in reality, bad guys have taken advantage of these bank accounts to carry out illegal transactions, hiding their origin, causing difficulties for investigation agencies."

Pirated or cracked software is another major issue. Fifty-three percent of computers are thought to be using pirated software, according to Bkav.

While the government has issued decrees to increase cybersecurity awareness, citizens continue to participate in these risky digital behavior, such as junk bank accounts and the use of cracked software, says Sarah Jones, a cyber threat intelligence research analyst at Critical Start.

"Vietnam's rapid digital growth creates a larger target for cybercriminals, and a lack of cybersecurity awareness among users makes them more susceptible," she says. "The widespread use of cracked software further exposes individuals and organizations to malware and exploitable weaknesses."

**Countering Cybercrime**

Vietnam's ruling Communist Party has strived to keep pace with cybercrime, issuing a number of directives to strengthen laws around the prevention and investigation of cybercrimes in 2021, and in 2020 launched efforts to raise public awareness of cybersecurity. Another directive, passed in 2019, required public sector organizations to spend at least 10% of their IT budget on cybersecurity. The sustained efforts has boosted Vietnam's ranking in the Global Cybersecurity Index to 25th out of 194 countries in the 2020 report (the latest available), up from 100th in 2017.

The country is already working with the United Nations Office on Drugs and Crime (UNODC) to strengthen the technical skills of law enforcement to tackle money laundering and other crimes.

Yet, divisions within the country are also driving the creation of dark platforms to escape increasing surveillance and Internet censorship by the government. A military group consisting of thousands of service members, known as Force 47, monitors communications and manages censorship in accordance with the government mandates, but also has resulted in the creation of several anonymity-as-a-service groups.

Such efforts will likely result in stronger Dark markets and platforms such as VietCredCare and DarkGate, both created by home-grown APT groups like Ocean Lotus and Lotus Bane, says Ken Dunham, cyber threat director at Qualys's threat research group.

"The threatscape in Vietnam is complicated with APT groups targeting companies for the benefit of the country, \[as well as\] Internet censorship, monitoring, and blocking of content by the Force 47 group," he says.

The next two years will be uncertain for Vietnam in many ways.

The leadership of the Community Party is expected to change by 2026, and economists wonder if the country can continue to deliver strong economic gains. Both uncertainties could breed more cybercrime in the future there.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

UNAPIMON works by meticulously disabling hooks in Windows APIs for detecting malicious processes.

Source: Panchenko Vladimir via Shutterstock

Researchers have spotted Earth Freybug, a China-linked threat actor, using a new malware tool to bypass mechanisms organizations might have put in place to monitor Windows application programming interfaces (APIs) for malicious activity.

The malware, which researchers at Trend Micro discovered and named UNAPIMON, works by disabling hooks in Windows APIs for inspecting and analyzing API-related processes for security issues.

**Unhooking APIs**

The goal is to prevent any processes that the malware spawns from being detected or inspected by antivirus tools, sandboxing products, and other threat detection mechanisms.

"Looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process," Trend Micro said in a report this week.

"For environments that implement API monitoring through hooking, such as sandboxing systems, UNAPIMON will prevent child processes from being monitored," the security vendor said. This allows malicious programs to run without being detected.

Trend Micro assessed Earth Freybug as being a subset of APT41, a collective of Chinese threat groups variously referred to as Winnti, Wicked Panda, Barium, and Suckfly. The group is known for using a collection of custom tools and so-called living-off-the-land binaries (LOLbins) that manipulate legitimate system binaries such as PowerShell and Windows Management Instrumentation (WMI).

APT41 itself has been active since at least 2012 and is linked to numerous cyber espionage campaigns, supply chain attacks, and financially motivated cybercrime. In 2022, researchers at Cybereason identified the threat actor as stealing large volumes of trade secrets and intellectual property from companies in the US and Asia for years. Its victims have included manufacturing and IT organizations, governments, and critical infrastructure targets in the US, East Asia, and Europe. In 2020, the US government charged five members believed to be associated with the group for their role in attacks against more than 100 organizations globally.

**Attack Chain**

In the recent incident that Trend Micro observed, Earth Freybug actors used a multistaged approach to delivering UNAPIMON on target systems. In the first stage, the attackers injected malicious code of unknown origin into vmstools.exe, a process associated with a set of utilities for facilitating communications between a guest virtual machine and the underlying host machine. The malicious code created a scheduled task on the host machine to run a batch script file (cc.bat) on the host system.

The batch file's task is to collect a range of system information and initiate a second scheduled task to run a cc.bat file on the infected host. The second batch script file leverages SessionEnv, a Windows service for managing remote desktop services, to side-load a malicious dynamic link library (DLL) on the infected host. "The second cc.bat is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is SessionEnv," Trend Micro said.

The malicious DLL then drops UNAPIMON on the Windows service for defense evasion purposes and also on a cmd.exe process that quietly executes commands. "UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string," Trend Micro said. What makes it "peculiar" is its defense evasion technique of unhooking APIs so that the malware's malicious processes remain invisible to threat detection tools. "In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case," Trend Micro said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China-Linked Threat Actor Taps 'Peculiar' Malware to Evade Detection

Fortanix is working on technologies to build a security wall around AI search.

The inner functioning of AI-powered search is more complex than plain-text search via Google when it comes to extracting answers from websites and databases. Fortanix is trying to build a security wall to protect the search query and the extraction of data from artificial intelligence (AI) systems.

Generative AI technologies will ultimately provide fine-grained responses based on associativity of information and retrieve information from sources users may not be aware of, says Richard Searle, vice president of confidential computing at Fortanix.

"What we're finding ... is that there is a deeper focus happening in the AI domain around privacy, consent, and permissioning of information," Searle says. "These are obviously the core cases."

Essentially, Fortanix is building a security wall around the way AI search queries are handled. More specifically, it is building security around prompts, where users provide AI search queries. The security wall extends to data retrieval from large language models, which are delivered to customers.

"We think there's a significant market there," Searle says. "The partners that we're working with within the AI space are talking about search to their customers already today."

Fortanix's private AI search is pinned on confidential computing, which creates secure vaults that are accessible to authorized parties only via keys. The data is processed inside, without leaving the vault.

"Data is going to be subject to not only the data protection regulations that we have today, but also these emerging AI regulations," Searle says.

Fortanix's technology is a component in the emerging field of confidential AI. Confidential AI is extended to AI scenarios typically associated with GPUs and accelerators, said Mark Russinovich, chief technology officer for Microsoft Azure, during a panel discussion at the Open Confidential Computing Conference in March.

**Protecting Vector Databases**

Private search with AI relies on data extraction from knowledge graphs or vector databases, which could draw information from a wide range of sources, including static conventional databases.

At Nvidia's GPU Technology Conference, also in March, the company's CEO, Jensen Huang, defined vector databases as a new style of database that takes structured data or unstructured data that can be reindexed by encoding the meaning of data.

"Now this becomes an AI database, and that AI database in the future, once you create it, you can talk to it," Huang said.

Fortanix's goal is to initiate privacy for the search initiator — a human or machine user — and protect the privacy and integrity of the information that might be within the vector embeddings.

"Confidential computing, I think, has a very important role to play," Fortanix’s Searle says.

**Private Search Differs From Conventional Search**

Confidential AI prevents the leak of AI information, which helps meet regulatory requirements. The layer also anonymizes the information so a user's intent or identity is protected. That is the opposite of conventional search, where user information and motives drive Google Ads and analytics.

A higher level of AI privacy is a cornerstone for industries such as healthcare and banking, which are tied to regulatory issues.

"Imagine that you want to do search in a scientific domain — you might want to be able to use data from a different institution to the one you're working in that has some specific expertise in a particular field. Showing the privacy of that data and the accuracy of this research is important," Searle says.

**State of Confidential AI**

Confidential AI is an emerging concept, and search fits into that profile. Intel and AMD have chips with hooks for secure enclaves. Microsoft, Google, and Amazon are providing confidential computing virtual machines in their cloud services.

Companies can bring data sets together to train a foundational model effectively, and these data sets are becoming high-value assets for top corporations, said Ian Buck, vice president and general manager of Nvidia's hyperscale and high-performance computing division, during the panel discussion.

The IT industry is rapidly approaching the deployment of confidential computing in data centers, edge computing, and PCs, but there's a lot more to do with confidential AI, said Greg Lavender, Intel's chief technology officer, during the panel.

"Privacy and safety and responsible AI are going to be big forcing functions for this as the government adopts AI technologies from the industry," he said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Fortanix Builds Private Search for AI

The National Vulnerability Database can't keep up, and the agency is calling for a public-private partnership to manage it going forward.

Source: GK Images via Alamy Stock Photo

After warning it can't keep up with the exploding number of bugs being submitted to the National Vulnerability Database (NVD), the National Institute of Science and Technology (NIST) has asked for additional resources from the US government and the private sector.

The agency said in February it was experiencing delays updating the NVD. This week, it admitted the delays have ballooned into a bona fide backlog. NIST said it is working to address the highest priority vulnerabilities first.

"This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support," NIST said in a statement regarding its NVD backlog.

Staff at NIST are being shuffled around to triage the vulnerability analysis delays, but longer-term solutions are required, the agency explained. One specific suggestion NIST highlighted was the creation of a public-private consortium to support the NVD, made up of "industry, government, and other stakeholder organizations that can collaborate on research."

**NIST Needs a New Approach**

NIST's NVD is foundational to security operations, according to Jason Soroko, senior vice president of product at Sectigo. And getting additional analysts working through the backlog is critical, he added.

"The problem is scale," Soroko says. "NIST is going to open up the program to a consortia of vetted organizations from the industry in order to deal with the backlog of vulnerabilities that need to be analyzed and understood before being put into the NVD database. The move is a good one."

NIST needs a new approach if the agency is going to be able to keep up with the explosion in CVEs, explains Saumitra Das, vice president of engineering at Qualys.

"NIST NVD has been a cornerstone of vulnerability management for a long time," Das says. "However, the exponential growth in CVE issuance has created pressure which will necessitate a different and prioritized approach as mentioned in this statement. Budget cuts happening for the first time in a decade are possibly part of this issue as well, apart from the sheer volume."

Because NIST and the NVD have been so important to cybersecurity in the past, John Bambenek, president at Bambenek Consulting, says he's hopeful that with an assist from the cybersecurity industry, NVD can get back on track.

"The NVD is a major success story for NIST and cybersecurity, and hopefully a pivot to a private-public sector partnership can be reached quickly to scale up the program," Bambenek says. "This announcement illustrates that the explosion in vulnerability possibilities has grown so large that not even the US government can adequately keep their hands around the problem."

Source

DARKReading