The nation of Jordan begins work on a national cybersecurity framework to align with international practices and better mitigate threats.

The National Cybersecurity Center of Jordan has issued a proposed draft for a national cybersecurity framework.

With the consultation period open, center spokesperson Bassam Maharmeh said the draft encompasses a collection of procedures, controls, mechanisms, and standards that institutions must adopt and implement.

The framework's intention is to keep pace with international practices to develop the defense system for cybersecurity at a national level for all public and private institutions. It will also act as a guide to confront cyber threats efficiently and effectively, and mitigate the impact "resulting from the realization of various cyber risks through the development of technical, human and administrative capabilities in institutions."

Its objective is to enhance the security of Jordan's cyber systems and elevate the level of information protection, according to Jordan News. While the framework will enforce mandatory standards, Maharmeh stated that the cybersecurity center actively participates in drafting legislation, controls, and regulatory frameworks to mitigate cyberattacks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Jordanian Cyber Leaders Kick Off Cybersecurity Framework Development

The ransomware landscape is energized with the emergence of smaller groups and new tactics, while established gangs like LockBit see fewer victims.

There was a rise in the number of ransomware victims in May compared to the previous month, although LockBit, the leading ransomware group, saw a 30% decrease in observed victims (110 to 77) from April to May.

Ransomware heavyweight AlphV also experienced a decline in posted victims, with 38 observed victims in May compared to 51 in April.

That drying up was offset by several new branded groups entering the scene, contributing to an overall increase in observed ransomware victims, according to GuidePoint Security's latest GRIT report.

The May GRIT report highlighted a diverse slate of active threat groups, with 28 observed groups claiming victims. There was a 13.57% increase in publicly posted ransomware victims from April to May, and 410 incidents total, led by victims in the United States — far and away the most targeted country.

The report noted that the fledgling Akira ransomware group has gained particular prominence just since April (the name a potential nod to the 1988 Japanese anime cult classic in which a biker is turned into a rampaging psychopath). The gang is primarily known for a unique data-leak site designed as an interactive command prompt using jQuery.

Educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims. The group follows the "double extortion" approach: stealing data from victims and threatening to leak it if the ransom is not paid.

While there isn't enough data to make a definitive hypothesis, GuidePoint Security threat intelligence consultant Nic Finn notes he has observed some of the new groups significantly lowering their initial ransomware demand.

"If this trend continues, it could indicate that ransomware groups are attempting to shorten the time between victimization and ransomware payment," he says.

Overall, though, the GRIT findings echoed the 2023 Verizon Data Breach Investigations Report in noting escalating ransomware costs.

**Emergence of New Ransomware Groups**

GRIT has also identified other fresh-faced ransomware groups on the scene, such as 8Base, Malas, Rancoz, and BlackSuit, each with its own distinct characteristics and targets.

8Base, which claimed 67 victims in the past year, has primarily targeted the banking and finance industry and is focused primarily on the US and Brazil, while the extortion group Malas was observed performing mass exploitation of business email and collaboration software Zimbra.

There is little known about Rancoz, which has posted just two victims so far — one in the tech sector and one in manufacturing — while BlackSuit was flagged for the maturity of its operations despite only one observed victim.

These emerging threat groups have deployed a combination of established and innovative tactics, aiming to blend in and profit amid the crowded ransomware landscape, explains Finn.

He notes one method that's been observed lately is a shift toward single extortion, focused around exfiltrated data — no encryption necessary.

"This is much more sustainable for ransomware groups because it involves less troubleshooting with victims when the decryptors fail," he says.

Finn explains the recent behavior of ransomware groups suggests they are following whatever tactics they believe to be more novel and successful.

"The trend back toward single extortion through the threat of data publication could be the result of perceived success by other groups, or it could be a determination they are making based on their interactions with victims," he says.

For example, if a good portion of their victims are asking to lower the ransom demand in exchange for just proof of deletion and guarantees not to attack them again, this may lead ransomware groups to assume that a good portion of their victims have backups in place, making it the effort of encrypting a victim network seem superfluous.

"Organizations following data backup best practices should remain diligent about developing detections and monitoring activity for any potential data exfiltration efforts, as this single extortion trend will definitely continue and likely grow throughout 2023," Finn says.

**Education Sector in the Sights**

As evidenced by Akira and older groups like Vice Society, ransomware groups are increasingly targeting educational institutions, from daycare centers to major universities. In total, ransomware groups posted 35 unique victims in the education industry in May.

"A recent influx in vulnerabilities affecting software commonly used in schools, such as the PaperCut MF/NG vulnerability," the report noted.

"It seems like the education sector is seeing heavy targeting because there is so much personally identifiable (PII) and sensitive student data available in the resulting data," Finn says. "Additionally, the number of individuals impacted is exponential to the size of the victim organization."

For example, a school system with just a thousand or so active students could still house records and data on thousands more former students, plus information relating to parents of the students who have data at risk.

"Another big factor is media attention," he adds. "Ransomware actors follow the trends that get them media coverage. The cyberattack against the LA Unified School District brought about a lot of media attention, so it's likely that more groups are matching that trend to replicate the coverage."

**MOVEit and Mass Exploitation**

Another factor in the recent growth of successful ransomware attacks is the phenomenon of ransomware groups are exploiting zero-day vulnerabilities _en masse_, the report noted, conducting exfiltration, and expecting victims to reach out to them to coordinate for ransoms.

The ongoing Cl0p attacks exploiting the MOVEit vulnerability against hundreds of organizations are emblematic of the trend, which is also seen with the DeadBolt ransomware variant and another recently exploited by a threat actor to deploy Nokoyawa ransomware.

"It appears that Cl0p has a team of highly technical hackers working on mass exploitation, especially of file transfer software," Finn adds.

Recent reporting indicates that the group began working on the MOVEit exploitation as far back as 2021, and even delayed the mass exploitation of the vulnerability until it completed a different mass exploitation campaign against the GoAnywhere MFT service earlier this year.

"This indicates a significant strategic planning capability, even down to the decision to begin exploitation of this MOVEit vulnerability over the Memorial Day weekend, when less staff is available to respond right away," he says.

While there has been a noted slowdown in ransomware activity over the summer for the past two years, which Finn adds may still occur this year, there's also "a good chance" that other ransomware groups attempt to mimic the behavior of groups like Cl0p and attempt mass exploitation, which could offset declines in activity elsewhere.

Fresh Ransomware Gangs Emerge as Market Leaders Decline

A severe security vulnerability allows credentials for the power meters to continuously transmit in cleartext, allowing device takeover.

INFOSEC23 – London – A security vulnerability in the Schneider Electric ION and PowerLogic power meters has been disclosed: They transmit a user ID and password in plaintext with every message.

Given a CVSS vulnerability-severity rating of 8.8 out of 10, the bug would allow an attacker with passive interception capabilities to obtain these credentials, authenticate to the ION/TCP engineering interface (as well as SSH and HTTP interfaces), and change configuration settings or potentially modify firmware.

"It's obviously not acceptable anymore for an operational technology (OT) product to transmit credentials in in cleartext because anybody that has access to the network and can sniff the traffic will be able to get them, and then do almost whatever they want with the device," says Daniel dos Santos, head of security research at Forescout. This could include controlling smart meter switches to cause load oscillations that could trigger shutdowns, with the demand (or load) then being passed on to other parts of the grid network. In a worst-case scenario, a domino effect could theoretically lead to a blackout.

Disclosed as part of the Forescout's Icefall OT research, this vulnerability is one of three announced today at Infosecurity Europe, the other two being denial-of-service (DoS) vulnerabilities in WAGO 740 controllers. Both of the DoS issues are given a severity rating of 4.9.

Schneider said in its advisory that the ION Protocol was created over 30 years ago to bring sophisticated data exchange to digital power meters, and as cybersecurity became a concern, the protocol was enhanced with support for authentication. 

But that doesn't mean there aren't still security holes, as there often are with legacy code. In fact, dos Santos says the Schneider vulnerability was originally due to be released as part of a bundle of 56 OT flaws in June 2022 but was held up due to patching processes.

"It's one of those examples of things that were designed at an earlier time, and Schneider definitely recognizes that \[this is a vulnerability\] and we worked with them to bring it up to the present, by finding the issue and fixing it," he says.

He adds, “Now this is a secure version of this protocol that has encryption where the credentials are not transmitted in plaintext anymore. So it's definitely a relevant enough issue that made them reevaluate the need for a secure version of the protocol for a product line that is older but still used a lot."

**Cybersecurity by Design is Still Missing for OT**

The Forescout research noted that this showcases that there's still a lack of fundamental understanding of security-by-design by OT vendors, with recurring design issues that demonstrate a lack of understanding of basic security control design, such as plaintext and/or hardcoded credentials, client-side authentication, stateful control on stateless protocols, missing critical steps in authentication, broken algorithms, and faulty implementations.

As dos Santos says: "Everybody knows that OT has almost no security built by design, right? That's a fact, but what we always wanted to stress around the fact was the fact that you need to measure how insecure it is. You cannot just say 'your whole OT is insecure'; you need to say there is insecure engineering, protocols, insecure firmware updates, and so on.”

Forescout used the release of these new vulnerabilities to call on vendors to improve their security testing procedures, and it said products and protocols must remain backward compatible with legacy designs.

Dos Santos says some vendors still have issues with backward compatibility, as legacy products have hardcoded credentials with insecure methods of delivery. "The main reason why things were designed insecurely at the time is because security wasn't a big concern, but now it's the need for for backward compatibility and the need for maintaining some product lines that are still used: but there are people still using those because the lifespan is 20 to 30 years."

Schneider Power Meter Vulnerability Opens Door to Power Outages

A criminal crowd-sourcing campaign has led to swift adoption of the stealer, which can pilfer key computer data, credentials from browsers and chat apps, and cryptocurrency from multiple wallets.

A stealthy stealer that can lift credentials from scores of Web browsers and extensions, and steal cryptocurrency, has quickly become a favorite of cybercriminals since it first appeared on underground marketplaces in April.

The Mystic Stealer has established a strong foothold in the threat landscape in only its first several months of existence thanks to a combination of advanced capabilities, pricing, and the crowdsourcing of recommendations that have led to ongoing updates and improvements. That's according to two simultaneously released reports, one by Cyfirma and the other a collaboration between Inquest and Zscaler.

The stealer — which typically goes for a subscription fee of $150 per month, or $390 for a three-month subscription — has similar capabilities to pilfer data from a victim's computer to other forms of this type of malware, paired with obfuscation techniques that make it, by design, capable of advanced evasion, the researchers said.

"It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion," Zscaler researchers wrote in their post.

Mystic Stealer can steal a wide array of information, ranging from computer data such as the system hostname, username, and GUID, to credentials from nearly 40 Web browsers and more than 70 browser extensions, they said. Additionally, it targets Bitcoin, DashCore, Exodus, or any other popular cryptocurrencies, and can steal Telegram and Steam credentials.

So far, the regions where researchers have found the most instances of attackers wielding Mystic Stealer are the US, Germany, Finland, France, and Russia, in that order.

**Commitment to Evasion & Malware Improvement**

Unique to Mystic Stealer compared to similar forms of malware is its inventors' vested interested in making it difficult to detect or analyze, as well as a commitment to continuously advancing its capabilities by appealing to its user base for feedback, the researchers said.

In terms of evasion, Mystic Stealer's code is heavily obfuscated, with its creators using polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants, as well as a custom binary protocol that is encrypted with RC4, according to InQuest and Zscaler.

But perhaps the key reason the malware has caught on so fast — with the researchers already discovering more than 50 actively operational command and control (C2) servers in only about two months — is that its creators did something unique soon after its release. That is, they made the stealer available for testing to underground forum veterans to verify its effectiveness and make suggestions for enhancement, which were incorporated into new versions of the stealer, noted Cyfirma researchers.

"The threat actor demonstrates an understanding of the significance of receiving validation from established members within the underground forum regarding the product," Cyfirma researchers wrote in their post. "Furthermore, the author of the product openly invites suggestions for additional improvements in the stealer, as is evident in the updated releases, which signifies an ongoing effort to enhance the product."

**Mystic Stealer De-Mystified: Technical Details**

On the technical side of things, Mystic Stealer is implemented in C for the client and Python for the control panel and is purported to target all Windows versions from XP to Windows 11, with support for both x86 and x64 architectures, according to Cyfirma.

It can evade detection by most AV products, operating in memory and using system calls for compromising targets, the researchers said. This ensures that no trace is left on the hard disk during the data exfiltration process.

"Once target data is identified, the malware compresses, encrypts, and transmits it," the Cyfirma researchers wrote. "Client authentication is not required; data is transmitted as it is received.

Moreover, its developers created the malware without reliance on third-party libraries for decrypting or in decoding target credentials, both reports noted, which is unique to stealer malware.

"Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system," the InQuest and Zscaler researchers wrote.

Instead, of doing this, Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the C2 server that handles parsing, they said.

"This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers," the researchers wrote.

**Defending Against Infostealers**

With the quick spread of the particularly evasive Mystic Stealer — and the prevalence of stealer malware in general — the Cyfirma team recommends that organizations implement robust security measures to avoid compromise in the advent of an attack, the researchers said.

"Mystic Stealer poses substantial risks and potential impacts from the perspective of external threat landscape management," they wrote.

This should include a best-practices layered defense strategy that combines threat prevention technologies, up-to-date antivirus software, firewalls, intrusion detection systems, and regular security patching, which can significantly reduce the risk of Mystic Stealer infiltration, the researchers said.

Organizations should also put into place continuous monitoring of threat-intelligence sources by sharing threat information within security communities and leveraging threat-intelligence feeds so they can stay updated on the latest indicators of compromise associated with Mystic Stealer, the researchers said. "This allows for early detection, response, and mitigation efforts," they wrote.

Educating employees on security best practices, how to recognize phishing attempts — which may attempt to spread the stealer — and maintaining an overall culture of security awareness is also crucial to helping organizations avoid compromise, the researchers said.

Finally, every organization should have a strong incident-response plan in case of attack that includes communication protocols, forensics investigation processes, and backup and recovery strategies, they added.

Mysterious Mystic Stealer Spreads Like Wildfire in Mere Months

It's still important to use other security measures, such as strong passwords and two-factor authentication, to protect your data.

Google has introduced new blue verified check marks for Gmail addresses. According to Google, the new feature helps protect inboxes against malicious and unwanted emails and increases confidence that those emails are from legitimate sources. Gmail users who added Google's Brand Indicators for Message Identification (BIMI) feature will now see a check mark icon instead of the verified brand logo.

Creating a verification process makes sense — until hackers and spammers decide to make it their mission to find flaws in the capability. Bypassing blue check marks will be another chapter in the long history of business email compromise schemes designed to propagate malicious code. By sending out emails with impersonated blue check marks, legacy security protection layers will likely pass the message to the suspecting victims.

**Another Layer of Protection or Just Another Layer?**

Hackers can create fake email accounts that look like they have been verified by Google. They can create a new account and then use a tool to generate a fake verification badge. Once the account has been created, the hacker can then send phishing emails or other malicious messages that appear to come from a legitimate source.

Hackers can use social engineering to trick users into revealing their passwords. They can send emails that appear to be from a legitimate source, such as a bank, government agency, or customer service representative. Or they may create a message that offers a free gift or discount. The email typically will contain a link that takes the user to a fake website that looks like the real thing. Once the user enters their login credentials, the hacker can then use them to access the user's Gmail account.

Hackers can use malware to steal login credentials. This can be done by sending emails that contain attachments infected with malware. Once the user opens the attachment, the malware will be installed on their computer. The malware can then be used to steal the user's login credentials for Gmail and other online accounts.

Also, don't be surprised when hackers send phishing emails with an artificial Gmail verification process to potential victims, fooling them into thinking they're helping them earn their blue check marks and stealing their credentials instead.

Creating accounts impersonating a domain and a user isn't something new. Email impersonation, especially with recently established email-sending domains, continues to create havoc with organizations trying to avoid email phishing attacks. Hackers have made these accounts and placed a fake verified badge to fool the receiving email user.

**Integrating Security Layers Continue to Be a Proven Strategy**

To contend with this new attack vector, organizations must invest in security solutions, including DMARC, SPF, and DKIM for domain authentication, sandboxing all attachments, and leveraging threat intelligence to help stop malware.

Using passwords with multifactor authentication, leveraging one-time passwords, biometrics, and even challenge and reply tokens could help businesses protect its data while standardizing a universal authentication strategy across the company.

The continuous investment in security as a platform instead of bolting on a new control layer is a wise move. With every innovative way to stop hackers from impersonating, stealing data, and spreading malware, there will be an element of exploitation the hackers will soon discover.

Security platforms using agile and DevOps rapid deployment can quickly add additional protection layers without the everyday user experience. Through the rapid deployment of features, security providers can respond quickly to changing threat landscape without causing service outages or exposing organizations to other attack vectors.

Google's new verified blue check mark feature is just one layer of security. It is important to use other security measures, such as strong passwords and multifactor authentication, to protect your Gmail account. And companies must continue to invest in end-user education and security awareness training to make sure those verified emails actually come from authentic people.

Hackers Will Be Quick to Bypass Gmail's Blue Check Verification System

Learn how the latest ransomware variant has heightened attack execution speed and what that means for cybersecurity operations.

There has always been a competition in the ransomware world, with attackers trying to improve the speed of campaign execution and organizations continuously innovating to get ahead of those attacks. Speed is so decisive that ransomware-as-a-service (RaaS) platforms even advertise the speed of execution for prospective ransomware affiliates. LockBit, one of the most successful ransomware groups, has publicly listed its encryption speed versus its competitors' speed to demonstrate its advantage. In short, speed is critical on both sides of the ransomware battle.

Rorschach, one of the newest ransomware variants, has officially taken the "encryption speed king" title from LockBit 3.0. The Rorschach variant was first detected in April 2023 and is a customized strain of the Babuk ransomware code. Rorschach brings speed into the spotlight and warrants a closer look at how ransomware creators increase speed across multiple dimensions of their victims' environment.

**Malware Propagation Speed**

One important speed component is the ability to quickly spread malware as far and wide as possible. In the past, ransomware groups have leveraged many techniques for fast propagation, including supply chain attacks and using existing IT and security tools to propagate their malware.

However, Rorschach has built and demonstrated an interesting self-propagating and autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPO). This enables the malware to rapidly propagate across the network and execute ransomware on every endpoint at blistering speeds. Because of this, the Rorschach variant has pushed the needle further than ever with these interesting innovations for self-propagation.

To counter this innovation, organizations must adopt tools that combat self-propagation, such as active defense technology, which deals with ransomware in real time and detects attackers as soon as possible.

**Data Encryption Speed for Extortion**

On Windows endpoints, Rorschach's creators have carefully chosen to use HC-128, a stream cipher that encrypts large streams of file data with impressive performance. Rorschach ransomware uses the asymmetric key exchange method, which is based on Curve25519. It's efficient in both computational performance and memory consumption while simultaneously retaining strong security.

Like many other ransomware strains, including LockBit and Babuk, Rorschach encrypts only parts of a file instead of the entire file's contents. This tactic is known as intermittent encryption, which has become popular in the last couple of years for its efficiency and speed. Encrypting only parts of the file dramatically reduces the time required to complete the data encryption. By shortening the encryption phase of an attack, ransomware operators give security tools less opportunity to detect them. Data encryption is the visible part of an attack, and attackers are shortening that window to better their odds in the race against defenders.

Like LockBit and other well-known ransomware, Rorschach also leverages parallelism and multithreading for high-performance speedy encryption. Because Rorschach ransomware implementation is customized for each operating system type, it leverages specific Windows capabilities known as I/O completion ports for efficient multithreaded encryption. This technique is borrowed from LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide.

While the data encryption speed rankings among ransomware gangs is interesting, it is important to note that virtually all modern ransomware variants already perform data encryption very quickly. Unfortunately, all are much faster than what most security teams or tools are equipped to deal with.

However, while Rorschach does outpace competitors in speed in some realms, it currently does not appear to exfiltrate data for double extortion. This is in comparison to other ransomware gangs, including LockBit, that first exfiltrate enterprise data. While data encryption is the visible part of a ransomware attack, data exfiltration is the invisible race against defenders. Ransomware actors typically exfiltrate large amounts of data for double extortion before beginning data encryption.

**Staying Under the Radar of Defenders**

One of Rorschach's particularly innovative moves is its ability to stay under the radar by using deception technology — a double-edged sword that is useful for attackers and defenders. Rorschach's advanced security evasion capabilities leverage deception techniques and concepts for malicious purposes, including using obfuscation techniques, valid domain user and service accounts, and argument spoofing techniques to hide the true capabilities of the ransomware.

This kind of defense evasion is new to ransomware threats, but it's not new in the cybersecurity world. To combat Rorschach's technique for self-propagation using AD GPOs and high-speed campaigns, defenders need solutions that can detect and respond to real-time, novel, and autonomous ransomware capabilities.

Rorschach ransomware has borrowed innovations from previously successful ransomware groups including LockBit, Babuk, and REvil and built on their success by adding lightning-fast innovations. The Rorschach variant demonstrates the importance of continuous defender innovation, as well as the need to counter attacker movement in real time.

Rorschach Ransomware: What You Need to Know

To adequately address privacy, manufacturers need to think differently about data.

The pandemic altered the way many B2B2C manufacturers interact with customers. While the retail outlets that would typically distribute their products were closed, many manufacturing brands in consumer packaged goods (CPG), fashion, equipment, etc., realized the value of adopting a direct-to-consumer strategy.

These brands traditionally had limited interaction with the end consumer, as their model was to sell their product to a reseller. However, with resellers closed or operating at limited capacities, many manufacturers wisely built digital experiences to interface with, sell to, and collect data from their customers directly.

Data that was collected and owned by resellers or intermediaries suddenly became available directly to the manufacturers to learn from and capitalize on — opening new revenue streams by charging other entities for their data, using the information to cross- or upsell products or create a more frictionless experience for customers.

For example, a carmaker recently approached Thoughtworks with the question, "What tools can we arm salespeople with to provide the sales experience of the future?" In partnership, we built a platform that leveraged the carmaker's data to provide quicker access to information and sales tools, meaning greater customer satisfaction.

**Risks of Data Collection**

However, there are inherent risks in collecting consumer data — not only of hacking, malware, and data theft but also misusing the collected data that may damage one's brand or even create legal exposure.

While many think of malware and hacking as the greatest threat to organizations, a new "Looking Glass" trends report from Thoughtworks suggests organizations should be giving equal attention to avoid shooting themselves in the foot by incorrectly using consumer or employee data.

It finds that handling data and information in accordance with evolving regulations and changing expectations will be critical to having a competitive advantage and fostering customer loyalty. In fact, we believe the mishandling of consumer data could yield damages equal to or even greater than a hack.

Rather than reactive measures, enterprises should proactively create ethical frameworks to guide technology and data use. These frameworks establish a baseline of respect and security for customers, minimizing consumer harm. Customer privacy doesn't compromise business goals.

I encourage manufacturers to consider the following to keep data compliant, secure, ethical, and productive, while still working toward objectives:

*   **When it comes to data, what you don't do is as important as what you do.** Since the big-data trend, firms often collect and store data without considering its necessity. Today's machine-learning algorithms also encourage a degree of data hoarding. But data must be recognized as a liability and an asset. Hackers can't steal what you don't collect, and a security snafu can't leak customer information that's not in your database. Think selectively about the data you need and the possible fallout if it is stolen or leaked. Managing less data is easier.
*   **Adopt decentralized security.** As cyber threats evolve, previous methods are ineffective. There's no safe boundary or perimeter anymore. System design should enable risk management and security enforcement across the entire architecture, employing security-in-depth practices such as encrypted communications, segmented regions, granular authentication and authorization, and intelligent intrusion detection systems.
*   **Analyze the AI in security.** AI capabilities are increasingly important in software applications. Organizations should leverage this to help security professionals identify and react to threats and predict attack vectors. While automation isn't a replacement for trained professionals, it can automate basic defenses, allowing focus on critical threats.
*   **Anticipate increased regulation.** While we've flagged some of the most recent regulations to emerge in the privacy space, organizations should be prepared for more. Worldwide, there are a significant number of data protection laws already on the books, with more to come. Challenges will emerge as compliance grows more complex, especially for firms operating in multiple jurisdictions. When GDPR came into effect, many US-based news sites blocked Europeans from accessing their websites because of concerns about falling foul of a law they didn't understand.
*   **Build products with robust security and privacy practices.** This requires commitment and strong leadership; security and privacy should be ingrained in the organization's culture. Teams shouldn't consider these aspects nice-to-have, optional, or postponable for cost-saving purposes. Leaders must set the tone that security is a priority for everyone. Data breaches often result from employees not changing passwords or ignoring alerts.

To adequately address privacy, I urge manufacturers to think differently about data. Specifically, they should prioritize well-thought-out governance measures that enable informed decision-making regarding data collection, access and usage. By appointing data owners, manufacturers could ensure data is handled responsibly and ethically. Having a strong governance framework holds a particular value for organizations in protecting privacy and user data.

Consumer Data: The Risk and Reward for Manufacturing Companies

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Have a few minutes to spare? Come up with a clever cybersecurity-related caption for the cartoon above. If it strikes our fancy, you could win a $25 Amazon gift card!

Here are four convenient ways to submit your ideas before the July 12, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading June Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Dark Reading reader David is having a great month! He already won The Edge's "Spring Chickens" May cartoon caption contest, and now he's done it again with the main site's "One by One" May contest. Congratulations, David, and a big thanks to all who played.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Time to Spare?

Pressure mounts on the NSO Group's business viability as Khashoggi widow joins group of plaintiffs suing the Israeli firm for Pegasus spyware abuse.

NSO Group is facing a number of existential crises at the moment, and it appears there's a group of enterprising investors — including, reportedly, a Wrigley chewing gum magnate — ready to take advantage, lassoing control of arguably the most destructive and powerful spyware tool known to-date, i.e., Pegasus.

The Israeli firm was blacklisted by the US government in November 2021 for creating and selling its powerful zero-click spyware tool Pegasus, which has been used by its customers to target and track government officials, human rights workers, journalists, activists, academics, embassy workers, and businesspeople across the world. 

The designation placed severe restrictions on the firm's ability to operate by banning any transfer of US technology to NSO Group. Then, in December 2021 NSO Group's spyware was found on the phones of at least nine US State Department employees, which didn't help thaw the firm's relationship with Biden administration either.

There's also the problem of the mounting number of lawsuits.

**NSO Group's Lawsuit Docket Grows**

A new lawsuit filed by Hanan Elatr, widow of murdered Washington Post journalist Jamal Khashoggi, accuses NSO Group's Pegasus spyware of violating US hacking laws to track the couple leading up to the 2018 killing of the vocal Saudi dissident.

Elatr says in the lawsuit that the Pegasus spyware "caused her immense harm, both through the tragic loss of her husband and through her own loss of safety, privacy, and autonomy, as well as the loss of her financial stability and career."

In addition to Elatr, there are other, far more deep-pocketed legal foes for NSO Group to worry about. Apple filed suit in November 2021 against the organization for targeting its users with Pegasus spyware (attacks that are ongoing). And in January, the US Supreme Court denied a petition to block a suit to proceed against NSO Group filed by Meta-owned WhatsApp for spyware damages.

**Juicy Fruit Heir, Sandler Movie Producer Float NSO Purchase**

Despite the legal, business, and brand challenges, NSO Group reportedly continued to hone and improve Pegasus spyware. A recent report from research organization Citizen Lab, which has been at the forefront of working to expose Pegasus abuse, said it discovered at least three new exploit chains against human rights activists as recently as 2022.

Perhaps because of that, investors have begun to sniff out a potential opportunity. Reportedly, a motley gang of investors including Robert Simonds, a US investor whose background includes producing Adam Sandler movies, and his buddy, cannabis industry investor and chewing-gum fortune heir William "Beau" Wrigley, are looking at buying up NSO Group's assets, according to new reporting from The Guardian.

The report adds a spokesperson for Wrigley denied he is in discussions to buy NSO Group assets, while a source close to Simonds said he was "deep" in talks about a sale but aware it would be a steep climb to get the deal done. 

"Placing such powerful surveillance technology in the hands of individuals who may not have deep expertise in the cyber industry or a history of involvement in the sector raises questions about the potential ramifications," Callie Guenther, cyber threat research manager with Critical Start tells Dark Reading about the potential NSO sell-off. "It is essential to ensure that any potential acquirer of NSO's assets possesses the necessary expertise to handle the technology responsibly, maintain appropriate safeguards, and prevent potential misuse."

It should be noted that other attempts at buying control of Pegasus haven't worked out. Last year L3Harris, an American company and US defense contractor was looking into a possible purchase of NSO Group's technology, but the White House objected over "serious counter-intelligence and security concerns," the Guardian added.

Then there is the Israeli government, which closely regulates NSO Group and could potentially intervene in any sell off of its technology, the Guardian points out.

"NSO operates under close regulation by Israel's Ministry of Defense, and any potential sale of its assets would likely face scrutiny from Israeli authorities," Guenther says. "It remains to be seen how such a transaction could proceed and whether it would comply with relevant regulatory requirements and national security considerations."

Perhaps there's a pot-sweetener here though: The Guardian added a juicy rumor to its reporting that Simonds has privately pledged to hand over the surveillance technology to the so called "Five Eyes" alliance between the intelligence agencies of Australia, Canada, New Zealand, the UK, and the US.

Even so, a pledge is not a guarantee. Guenther outlines a number of potential problems with NSO Group's assets falling into the wrong hands, including giving the new owners the power to improve upon its existing capabilities for exploitation, targeting, as well as slow down future potential vulnerability disclosures.

"The acquisition could impact the overall cyber threat landscape. If NSO's spyware technology becomes more accessible or proliferates in unauthorized hands, it could lead to an increase in targeted attacks, surveillance activities, and potential abuse," Guenther warns. "This would necessitate heightened vigilance and strengthened defensive measures from organizations, governments, and cybersecurity communities to mitigate the associated risks."

**Has Pegasus Already Peaked?**

Many may question the power a tool like Pegasus could have when flying on behalf of someone rich enough to buy it, but the true value of NSO Group, and its dominance in the spyware space, might have already peaked.

JT Keating, senior vice president of mobile security firm Zimperium, explained to Dark Reading that the trend is decidedly moving toward open source spyware, making the surveillance tools available to almost anyone and driving down the value of NSOs proprietary Pegasus product.

"Spyware is now mainstream, including the shift from sole reliance on the Dark Web for distribution to seeing the same kits and tools being found on online repositories like GitHub or online communities like Reddit," Keating says. "Regardless of what happens to organizations like NSO, mobile spyware will only continue to proliferate."

Meanwhile though, the squeeze on NSO Group's business continues.

US Investors Sniffing Around Blacklisted NSO Group Assets

The threat organizations face with GenAI is not new, but it could speed how quickly private data reaches a wider audience.

Generative artificial intelligence (GenAI) and large language models (LLMs) are the disruptive technologies _du jour_, redefining how enterprises do business and spurring the debate on just how much AI will change the way civilization interacts with computers in the future. The hyperbole is reaching epic proportions as social scientists and pundits debate the End Times facing civilization due to smarter and potentially proactive computing. Perhaps some perspective is in order.

A recent report from Israeli venture firm Team8, "Generative AI and ChatGPT Enterprise Risk," addresses some of the realistic technical, compliance, and legal risks GenAI and LLMs place on corporate boards, C-suites, and cybersecurity personnel. The report underscored the potential operational and regulatory vulnerabilities of GenAI, but cautioned that some concerns might be premature. One concern — that exposing private data submitted to a GenAI application such as ChatGPT might make that data available to others in near real time — is discredited in the report.

"As of this writing, Large Language Models (LLMs) cannot update themselves in real-time and therefore cannot return one's inputs to another's response, effectively debunking this concern," the report states. "However, this is not necessarily true for the training of future versions of these models."

The report identifies several potential threats by risk category. Among the high risks are:

*   Data privacy and confidentiality of nonpublic enterprise and private data.
*   Enterprise, software-as-a-service (SaaS), and third-party security of nonpublic and enterprise data.
*   AI behavioral vulnerabilities, such as prompt interjection, of enterprise data.
*   Legal and regulatory compliance.

Among the threats that fall into the medium risk category are:

*   Threat actor evolution for attacks, such as phishing, fraud, and social engineering.
*   Copyright and ownership vulnerabilities leading to an organization's legal exposure.
*   Insecure code generation.
*   Bias and discrimination.
*   Trust and corporate reputation.

"The CISO is in a position to have the technical knowledge to support processes not necessarily under their umbrella, which might affect their role," says Gadi Evron, CISO-in-residence at Team8 and one of the report's authors. "Some interpretations of upcoming European Union regulation may push the CISO into a position of responsibility when it comes to AI. This may elevate the CISO to a position of responsibility where they are 'ambassadors of trust,' and this is a positive thing for the CISO role."

Chris Hetner, cybersecurity advisor at Nasdaq and chair of Panzura's Customer Security Advisory Council, says an initial risk assessment would identify potential issues with who has access, what can be done, and how the technology will interact with existing applications and data stores.

"You need to determine who has access to the platform, what level of data and code are they going to introduce, \[and does\] that data and code introduce any proprietary exposure to the enterprise," he notes. "Once those decisions are made, there's a process to proceed forward."

The threat organizations face with GenAI is not new, but it could speed how quickly private data reaches a wider audience.

"When it comes to security, it is clear that most companies are in much worse condition to mitigate the risks of their corporate and customer being stolen or leaked than they were just six months ago," opines Richard Bird, chief security officer at Traceable AI. "If we're being intellectually and historically honest with ourselves, the vast majority of companies were already struggling to keep that same data safe before the rise of generative AI.

"The ease of use and access that employees are already taking advantage of with AI technologies with little to no security controls is already showing the increased risk to companies."

**The Human Element**

Bird takes a pragmatic approach to GenAI, adding that companies are going to move fast and not wait on compliance demands to protect their data, customers, supply chains, and technologies. Users have shown "a complete lack of restraint combined with no awareness of the unintended security consequences of using AI," he notes. "This toxic combination is what companies must work quickly to address. AI isn't the key threat here. Human behavior is."

One issue that has yet to be fully analyzed is how users interact with GenAI based on their existing habits and experience. Andrew Obadiaru, CISO for Cobalt Labs, notes that iPhone users, for example, already have native experience with AI through Siri and thus will adapt quicker than users who do not have that experience. Like Bird, Obadiaru thinks those habits might make those users more susceptible to misusing the applications by inputting data that should not get out of an organization's direct control.

"The concerns are, 'What are the additional risks?' Everyone has the ability to tap into \[GenAI technology\] without necessarily going through a security review," he says. "And you can just do that on their personal device."

If employees use personal devices outside of the IT department's control to conduct business, or if employees use GenAI as they use Siri or similar applications, this could pose a security risk, Obadiaru adds. Using GenAI like a personal digital assistant potentially could put confidential data at risk.

**Network Risks**

Sagar Samtani, assistant professor in the Data Science and Artificial Intelligence Lab at the Indiana University Kelley School of Business, cautions that AI models are extensively shared via the open source software landscape. These models contain significant quantities of vulnerabilities within them, some of which CISOs need to be aware of.

"These vulnerabilities place an impetus on organizations to understand what models they are using that are open source, what vulnerabilities they contain, and how their software development workflows should be updated to reflect these vulnerabilities," Samtani says.

Asset management is a critical aspect to any strong cybersecurity program, he adds.

"\[It's\] not the exciting answer, but an essential ingredient," Samtani says. "Automated tools for detecting and categorizing data and assets can play a pivotal role in mapping out corporate networks. ... Generative AI could help provide layouts of corporate networks for possible asset management and vulnerability management tasks. Creating inventory lists, priority lists, vulnerability management strategies, \[and\] incident response plans can all be more \[easily\] done with LLMs in particular."

Source

DARKReading