Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

The enemies are always getting closer, using the same advanced technologies as security pros are employing to protect their networks. So perhaps it's time for a back-to-basics approach? Come up with a clever cybersecurity-related caption to describe the scene above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the May 13, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Great Dark Reading readers' minds think alike! Several captions submitted for last month's contest, "Bridge the Gap," played on the same theme of air gapping. They all made us chuckle, but in the end only one could win. So a round of applause, please, for Bill Cote, a cybersecurity engineer at Leidos. And big thanks to all who submitted an idea!

**About the Author(s)**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Last Line of Defense

Recent analysis shows that enterprises need to think about the impact on security budgets and resources as they adopt new AI-based applications.

Source: Absolute Security Cyber Resilience Risk Index 2024

Enterprises assessing their readiness for artificial intelligence (AI) transformation have to ensure they have devices capable of running AI-enabled applications. A recent analysis by Absolute Security found that the majority of organizations need to update or replace their systems to be AI-ready. Deployments of this size can have significant implications on their cybersecurity risk and resiliency, Absolute Security states.

"Absolute Security Cyber Resilience Risk Index 2024" assesses the state of cyber resilience for global enterprises. The index is based on telemetry from millions of mobile and hybrid PCs running Absolute Security's firmware-based agents. To determine AI-readiness, Absolute Security analyzed over 4 million devices running Windows 10 or 11 to determine how many of them had a minimum of 32 GB of RAM. According to the index, 92% didn't meet the basic requirements needed to efficiently handle modern AI applications.

Absolute Security based the assessment on whether enterprise PCs are capable of supporting AI applications on the recommendation that PCs should be equipped with a minimum of 32 GB of RAM and have either a stand-alone graphics processing unit (GPU) or an integrated neural processing unit (NPU).

"Huge investments in AI-capable endpoint fleets have the potential to divert budget and human resources away from critical IT and security priorities that can leave gaps in security and risk policies," Absolute Security says.

The concern isn't just about diverting resources; Absolute Security notes that new devices being added to the environment can also add complexity. Organizations are already struggling to keep up with patching and making sure the right security controls are in place. New devices could mean defining new controls or adjusting workflows to make sure they are being patched.

While there is a marked improvement between 2023 and 2024, Absolute Security found that organizations are still lagging behind with patches. Most industries continue to run weeks or months behind in complying with their own patching policies, although Windows 11 devices seem to be faring better than Windows 10, the company said.

**About the Author(s)**

Enterprise Endpoints Aren't Ready for AI

Many teams think they're ready for a cyberattack, but events have shown that many don't have an adequate incident response plan.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

April 16, 2024

5 Min Read

Source: Yee Xin Tan via Alamy Stock Photo

COMMENTARY

The new Securities and Exchange Commission (SEC) rules on cybersecurity risk management, strategy, governance, and incident disclosure recently went into effect, and organizational approaches to cybersecurity incident response are top of mind for stakeholders at both public and private companies. While most executive leadership teams and corporate board members assume their organizations are ready for a potential cyberattack, recent events have shown that many are ill-prepared to handle what will be their worst day on the job.

A company's response to a crisis is a direct reflection of its preparedness. Rather than focus solely on what happens during and after a cyber incident, executives and leadership teams must first understand that the period preceding an event is most critical. Organizational remediation efforts can and should be developed, tested, and implemented before an attack happens. It is imperative for those at the top to use this time to evaluate how well their teams will respond when thrust into a dire situation and take the necessary steps to ensure cyber readiness.

**Develop and Implement an Incident Response Plan**

Far too many organizations find themselves in the middle of a cyber crisis without a formal response plan in place. Companies make critical errors that can compound the financial and reputational damage associated with a cyber incident due to the simple fact they do not have established roles or responsibilities or a documented chain of command to handle this sort of situation. Within the first hour of the crisis, we see the most instances of job bias emerge and lead to a significant number of mistakes. During that "golden hour," people are unsure of what to do, but they inject themselves into the crisis because they believe it is their job to do something. This lack of understanding ultimately slows down the recovery and remediation process.

There isn't a single blueprint on what an incident response plan should look like, because each crisis is different. However, executives, board members, security teams, and others involved must know who takes the lead in responding, what each person's responsibilities are, and what steps should be taken to communicate internally and externally. The formal incident response plan should include an identified incident commander who works across lines of business and divisions within an organization to ensure each person and department understands the situation and handles their duties as assigned. The incident response commander will also be charged with contacting the company's third-party experts, such as legal, incident response firms, ransom negotiators, and public relations, to ensure they are aware of what has transpired. The cyber incident response protocol should be incorporated into the broader organizational crisis response plan, frequently reviewed and updated as necessary.

**Stress Test the Response Plan in an Active Simulation**

Planned actions can easily be lost in the chaos during a real cyberattack because of the natural psychological response employees have to a crisis. Leaders must understand that those involved in the attack will experience a rush of cortisol, the stress hormone that creates a "fog of war" during turbulent times, and it can lead to additional issues. The most common problem is the inability to validate and verify information. A person's interpretation of what has happened or what has been shared with them can differ significantly from the facts of the incident. The result can escalate a single piece of information about a potential event and turn it into a full-blown crisis.

The best way to evaluate how teams will react to a cyberattack is to put the formal incident response plan to the test. Tabletop and wargame exercises are immersive experiences, conducted in a controlled environment, that prepare enterprises to face and mitigate a potential attack. This gives every person within the organization the opportunity to feel, act, and behave as if they are in the midst of an attack situation. These training exercises allow teams to experience that rush of cortisol, learn how to handle and manage it, and develop the necessary discipline to execute the response plan. This also provides leadership with visibility into how an individual's response impacts the holistic approach to remediation.

**Evaluate the Plan's Efficacy and Improve it **

Once the organization and its cyber incident response plan have been put to the test, the next step is to evaluate the efficacy of the plan and identify opportunities for improvement. It is important to note where the fundamental breakdowns occurred and what can be done to address them. For example, if the communication cadence faltered, why was the team unable to contact the appropriate stakeholders? Was it procedural or did the incident commander not fulfill his or her duties? Leadership should know if it is a matter of committing additional resources to enhance security posture or if they need to incorporate different organizational leaders to spearhead response efforts.

Executives and board members must consider how prepared their team is before the attack happens and how it behaves during the crisis, and understand that the challenges from the wargame exercise are going present themselves when a real attack occurs. It is imperative for leadership to be involved in the evaluation process, as the final decisions will have a widespread impact on key stakeholders. The ability to comprehend how each choice impacts and improves security posture and coverage will boost employee engagement, which is paramount to successfully defending an organization.

Cybersecurity has become a board-level issue in recent years, and it must remain a priority moving forward. It is incumbent on executive leadership to be well-informed about their organization's security response plan and how people respond before, during, and after a cyber crisis. By proactively evaluating their response protocol before an attack begins, board members and executives can shore up their defenses against emerging risks and ensure cyber readiness.

**About the Author(s)**

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online of ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for the IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.

3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Kaspersky researchers discovered the new variant after responding to a critical incident targeting an organization in West Africa.

Source: Zoonar Gmbh via Alamy Stock Photo

The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.

Kaspersky researchers discovered the latest variant at the end of March 2024 after responding to the incident in West Africa, describing it at the time as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, and Trojan-Ransom.Win32.Generic. Particularly concerning about this variant is that it can generate custom, self-propagating ransomware that is difficult to defend against.

During the attack, threat actors impersonating an administrator infected multiple hosts with malware, aiming to spread it deeply into the victim's network. According to Kaspersky, the customized ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs to avoid discovery of its actions. 

The researchers discovered that the variant can also direct attacks on select systems and infect specific .docx or .xlsx files. "The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim's infrastructure, as well as covering their tracks," says Cristian Souza, an incident response specialist at Kaspersky. 

The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky's Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. "However, we detected other incidents that used the leaked builder in other regions," he says. 

**The Appeal of LockBit 3.0 to Attackers**

Since it was leaked in 2022, attackers have continued actively using LockBit 3.0 builder to create customized versions and variants. "This opens up numerous possibilities for malicious actors to make their attacks more effective since it is possible to configure network spread options and defense-killing functionality," according to a research brief on the attack and a detailed description of the variant posted by Kaspersky. "It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure."

According to a recent Trend Micro report, the LockBit group was responsible for at least 25% of all ransomware attacks in 2023 and has hit thousands of victims since 2020. The LockBit 3.0 builder is a popular tool among threat actors because it doesn't require advanced programming skills.

In February 2024, the Cronos Group, an international law-enforcement group, claimed that it had taken down the group's infrastructure, but less than a week later, LockBit responded that it had recovered and was back in business.

**Protecting Against LockBit Attacks**

As the debate continues over whether LockBit will remain the pervasive force in waging ransomware attacks, Kaspersky advises that organizations take the same steps they would undertake to prevent an attack from any group. Those steps include using properly configured antimalware and endpoint detection software, implementing a managed detection and response solution, conducting vulnerability assessments and penetration tests, and performing and testing backups of critical data.

Further, Sousa recommends network administrators employ network segmentation, enforce multifactor authentication (MFA), whitelist permitted applications, "and have a well-defined incident response plan."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

LockBit 3.0 Variant Generates Custom, Self-Propagating Malware

The scam is spreading across the US and impersonates the specific toll-collection services of each state in malicious SMS messages.

Source: Mira via Alamy Stock Photo

The FBI is warning people about widespread SMS phishing (smishing) campaign spreading "state to state" that's luring people with messages informing them that they have unpaid tolls to resolve. The scam is aimed at stealing their credentials and defrauding them.

There also is evidence that that the campaign — which has been reported by people in three states so far, according to a public service announcement by the FBI Internet Crime Complaint Center (IC3)—affected other parts of the world before it reached US shores.

The campaign, active in the US since at least early March and reported by more than 2,000 people, sends users a text message that appears to come from the road-toll collection service of their specific states, claiming they owe money for unpaid highway tolls.

"We've noticed an outstanding toll amount of $12.51 on your record," the text of one such message reads. "To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance."

**Old Social Engineering Trick Remains Effective**

While smishing scams are by no means new, they continue to be used by attackers because they still have the potential to fool users into giving up the valuable credentials that allow for cybercriminals to profit. The FBI's warning alone is a sign that the unpaid-toll campaign is likely to escalate, and is worrying enough to warrant vigilance from potential victims.

The texts "contain almost identical language" and use similar amounts for so-called outstanding tolls. What changes from state to state is that the malicious link provided within the text is created to impersonate the state's toll service name, "and phone numbers appear to change between states," according to the IC3.

The link takes users to what looks very much like the toll services' legitimate websites, asking them to enter information on the pretense of paying the toll. Instead the attackers collect the victim's payment credentials and other sensitive data that potentially could be shared with other cybercriminals and/or used in future social engineering attacks.

**Toll Scam Spreads Across US**

The FBI didn't specify which states are currently being affected by the wave of toll-related attacks, but a quick perusal of social-media platform X, formerly Twitter, found evidence that the scam has at least affected users in Pennsylvania.

The Pennsylvania Turnpike (@PA\_Turnpike), the toll road, and related services that spans the state, posted a warning on social platform X to let users know about the campaign, and encouraged them to report any scam messages to the IC3.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike’s toll services," according to the post. "If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text."

The scam may be related to a similar one that previously swept across Australia, as people in states in both the eastern and western parts of the country in 2022 and 2023, respectively, also reported on X that they received driving toll-related smishing messages.

Back in August 2022, X user Anthony Campisini posted about a toll scam associated with City Link, a toll freeway service in the southeastern Aussie city of Melbourne, that also tried to lure users in the region with a message about unpaid tolls. Less than a year later, another X user in the state of Western Australia (WA) observed in March 2023 that he had been receiving "a lot of scam" SMS messages informing him that he owes money on road tolls.

"How do I know they are scams?" the user, @EMacskasy, who goes by the X name of "Evan Stop the Killing," posted. "Over here in WA = we do not have tolls on our roads."

**Stay Vigilant**

EMacskasy's observation is a good example of how people being targeted by the scam can avoid being compromised by it — by taking a moment to rationalize if it's even possible that they owe money on tolls before having a knee-jerk reaction and immediately engaging with the message.

The IC3 is advising people to file a complaint with the IC3 on the agency's website if they receive one of the messages and include the following information: the phone number from where the text originated and the website listed within the text.

People also should check any toll-service account that they have by going separately and directly to the service's legitimate website, to ensure that their accounts are in order, and/or contact the legitimate service's customer service phone number to check the account and let them know of the scam. As previously mentioned, people also should delete the texts.

In case someone has already engaged with the link or given information, they should make an effort to secure their personal information and financial accounts, and dispute any unfamiliar charges that may show evidence of cybercriminal activity.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI: Smishing Campaign Lures Victims With Unpaid-Toll Notices

Cyberattacks tripled over the past year in Israel, making it the most targeted nation in 2023, as cyber operations become a standard part of military conflicts and global protests.

Source: Ruma Aktar via Alamy Stock Photo

As tensions in the Middle East continue to escalate, cyberattacks and operations have become a standard part of the fabric of the geopolitical conflict.

Last week, the head of Israel's National Cyber Directorate blamed Iran and Hezbollah for "around the clock" cyberattacks against the country's networks, government agencies, and businesses, tripling in intensity as Israel's military operations continued against Hamas in Gaza. Following Quds Day — Iran's commemoration of its pro-Palestinian Jerusalem Day on April 5 — dozens of denial-of-service attacks disrupted Israeli targets, according to data from cybersecurity firm Radware.

While the volume of cyberattacks are running at a lower level so far this year, renewed tensions between Israel, Iran, and Lebanon could easily lead to more cyber activity, says Pascal Geenens, director of threat research for Tel Aviv-based Radware, a maker of cloud security solutions.

"There are two planes that we need to consider here," Geenens says. "One is more nation-state aligned, meaning purposely doing attacks against another nation, while the other is all the hacktivist activity — they just want to share their message \[and\] show that they're not happy with the situation."

Overall, Israel should be ready for more destructive cyberattacks, as Iran and other regional cyber groups have shown little restraint in such attacks, Google conclude in its "Tool of First Resort: Israel-Hamas War in Cyber" report, published in February. As Iran and Hezbollah appear ready to use destructive cyberattacks against both Israel and the United States, Israeli-linked groups likely will continue to target Iran, and hacktivists will likely target any organization they deem associated with their perceived enemies, the report stated.

"We assess with high confidence that Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, which may include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen," the company stated in the report.

**Not Your Father's Cyber Conflict**

When Russia invaded Ukraine, the Russian military used cyberattacks to target Ukraine prior to the invasion and during the invasion, and widely attacked the US and Ukraine's allies in Europe in the two years since the start of the war.

A significant spike in cyberattacks came prior to and after Oct. 7, while much more modest levels of activity targeted Israel this year. Source: Radware

For the Middle East, the cyber conflict has a different character. On one hand, the participants in the conflict have different strengths and limitations, which are affecting their options and making the cyber conflict more asymmetrical. Where the Russian government has a unity of purpose, Iran and Hamas are more opportunistic adversaries. Where Russia and Ukraine have similar cyber capabilities, Israel's military operations have limited Hamas' ability to respond, and the country has the most sophisticated cyber-offensive capabilities in the region, says Ben Read, head of cyber espionage analysis for Google Cloud's Mandiant incident-response group.

"Iran is very opposed to Israel, but aren't a direct party to the conflict, so their goals aren't necessarily about supporting the seizure of territory in the same sort of way as Russia," he says. "Because conventional weapons are not \[currently\] an outcome acceptable to Iran, they are using cyber to do some destructive \[operations\]. ... Cyber can be an easier tool to reach for there."

Iran is not the only anti-Israeli actor in the region. Google has observed cyber operations by groups linked to Hezbollah, a Lebanese Islamist political party and militant group aligned with Iran.

Iran has also been the target of disruptive cyber operations in the context of the conflict, says Kirsten Dennesen, reporting analyst with Google's Threat Analysis Group (TAG). Several disruptive attacks on the nation's infrastructure have been attributed to Predatory Sparrow, which reappeared in October and attacked Iranian gas stations in December, and which some analysts have linked to Israel.

"Telegraphing intent and demonstrating involvement in the conflict without escalating or directly taking part in on-the-ground confrontation ... limits potential blowback while also giving regional players the opportunity to project power through the cyber domain," she says. "Moreover, cyber capabilities can be quickly deployed at minimal cost by actors who may wish to avoid armed conflict."

**Resurgence in Hacktivism**

Nation-states are not the only actors involved in the conflict. In the past year, hacktivism has taken off as technologically savvy protesters react to the Russia-Ukraine war and the conflict between Israel and Hamas. Much of the increase in attack activity in Israel is due to hacktivism, as is demonstrated by sharp upticks in denial-of-service attacks, says Radware's Geenens.

"It's not like it did not exist before, but before they were much less organized, and now they have like this ability to gather on Telegram," he says. "They all started to communicate with each other through hashtags. They find each other much more easy, so they come together and create alliances to perform attacks."

In the past, the groups banded together under the Anonymous name, claiming the monicker for their own and attempting to get other groups to sign up. Today, they use operation-specific hashtags on Telegram to gain like-minded collaborators, a much more efficient method of operation, Geenens says.

Hacktivism likely will continue to fuel attacks against not only Israel, but other countries as well, he says. Attacks are more likely to ramp up quickly as nation-states develop standard techniques and hacktivists are able to collaborate more efficiently.

"Anything that happens in the future," Geenens says, "whether it be a military operation or an outcome of an election that they don't like or somebody says something that that they don't like — they will be there and there will be a wave of DDoS attacks."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cyber Operations Intensify in Middle East, With Israel the Main Target

PRESS RELEASE

WEST LAFAYETTE, Ind. — Hiccups and failures of consumer cyber-physical systems like smart gadgets and appliances are inconvenient and annoying. But in mission-critical applications for the Department of Defense, any system weakness or flaw could have serious consequences, such as disruption, damage or even loss of life.

To help mitigate the problem, a group of Purdue University researchers has launched a multidisciplinary project to model, simulate and analyze cyber-physical systems (CPS), with the goal of rendering such systems more robust and making analysis of the systems more scalable and effective. Code named FIREFLY, the multiphase $6.5 million project is sponsored by the Defense Advanced Research Projects Agency under its FIRE program (Faithful Integrated Reverse-engineering and Exploitation). 

A technically intriguing aspect of the research is that, for a CPS with multiple cyber and physical components, the individual components may not appear faulty or vulnerable. But when the components start to interact, weaknesses or vulnerabilities may occur in unexpected ways: “When it comes to the security of system components and of the overall system, one-plus-one may be less than two. And we are particularly interested in exposing and analyzing such system-of-systems weaknesses,” says Dongyan Xu, the Samuel Conte Professor of Computer Science and the principal investigator of the FIREFLY project. 

Read more about the research at the Purdue Office of Research website.

Defense Award Launches Purdue Project to Strengthen Cyber-Physical Systems

A third-party telephony service provider for Cisco Duo falls prey to social engineering, and the company advises customer vigilance against subsequent phishing attacks.

Source: olga Yastremska via Alamy Stock Photo

A third-party provider that handles telephony for Cisco's Duo multifactor authentication (MFA) service has been compromised by a social engineering cyberattack. Now Cisco Duo customers have been warned to be on alert for follow-on phishing schemes.

Customers were sent a notice explaining that the company handling SMS and VOIP multifactor authentication messaging traffic for Cisco Duo was breached on April 1. The threat actors reportedly used compromised employee credentials. Once inside the service provider's systems, the unauthorized user downloaded SMS logs for specific users within a certain timeframe, the company said.

Cisco Duo did not identify the compromised telephony provider in its advisory.

"More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024," Cisco said in its customer advisory. "The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.)."

Cisco advised impacted users to notify anyone whose information was exposed, and to remain vigilant against additional phishing attacks using the stolen data.

This breach follows two specific trends, according to Jeff Margolies, chief product and strategy officer at Saviynt — social engineering cyberattack success, and a focus on identity security providers.

“There have been a number of public attacks on identity security providers, such as Okta and Microsoft, over the past few years," Margolies says. "You can also go back as far as the RSA SecurID Token attack back in 2011 to see how far back these sorts of attacks go."

In addition to the critical need for identity security providers to do more to secure their systems, Margolies adds enterprise teams need to assess what a breach of these services could mean to their own cybersecurity posture.

"It is also important for companies to understand the reliance they have on third-party identity security companies, how an attack on those companies would impact them, and what mitigating controls are in place to detect and respond to events with their Identity security providers," he explains.

Cisco Duo's Multifactor Authentication Service Breached

Roku assures customers that no financial information was stolen and that any purchases made through user accounts have been reimbursed.

Source: Marvin Tolentino via Alamy Stock Photo

Roku is now making two-factor authentication (2FA) mandatory for its users after two separate incidents in which customer accounts were compromised.

Roughly 591,000 customers were affected earlier this year — the first instance, limited to 15,363 accounts, prompted Roku to keep a closer watch on customer account activity, which led to discovery of another incident affecting around 576,000 accounts. 

For around 400 customers, their accounts were reportedly used to purchase streaming subscriptions and Roku hardware using financial credentials stored in their accounts. These customers have been reimbursed for these charges, according to Roku, and the threat actors were not able to glean any sensitive financial information such as full credit card numbers. Social Security numbers, dates of birth, and other information also were not accessed, according to the data breach notice letter sent out. 

Roku stated in its blog post that it believes the attack occurred through the use of credential stuffing and said it has reset the passwords for affected accounts, in addition to mandating 2FA for all its users. 

According to Roku's blog post, "The next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account."

**About the Author(s)**

Roku Mandates 2FA for Customers After Credential-Stuffing Compromise

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Source: Tada Images via Shutterstock

Palo Alto Networks (PAN) on April 14 released hotfixes to address a maximum severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a novel Python backdoor on affected firewalls.

The flaw — tracked as CVE-2024-3400 — is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect Gateway and device telemetry features are both enabled. PAN disclosed the flaw April 12 after researchers at Volexity found the bug when investigating suspicious activity on a customer's firewall.  

**Limited Attack**

PAN described the attacks targeting the flaw as limited in volume and attributed the attack activity to a single threat cluster that the company is tracking as "Operation Midnight Eclipse." However, the vendor did not rule out the potential for other attackers to exploit the flaw as well.   

When PAN disclosed the flaw last week, it recommended temporary measures that customers could take to mitigate the threat — including disabling device telemetry. On April 14, the company made available hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.

Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Agency (CISA) last week to quickly add CVE-2024-3400 to its catalog of known exploited vulnerabilities. All civilian federal agencies have until April 19 to address the flaw. CISA has previously warned organizations on multiple occasions about high threat-actor interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN because of the privileged access these devices provide to enterprise networks and data.

**Max Severity Command Injection Flaw**

In a blog post last week, Volexity described the flaw it discovered as a command injection vulnerability in PAN-OS GlobalProtect that gave unauthenticated remote attackers a way to execute arbitrary code on affected systems. The security vendor said it had observed an attacker — which it's tracking as UTA0218 — leveraging the flaw to create a reverse shell and download additional malware on compromised systems.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," Volexity said.

One of the additional tools that the threat actor deployed on compromised systems was a novel Python backdoor that Volexity has named Upstyle. The security vendor said it found the threat actor using the Upstyle backdoor to execute a variety of additional commands including those for lateral movement within a target network and to steal credentials and other sensitive data from it.

"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," Volexity warned. Volexity said it was not able to determine the exact scale of the exploit activity but surmised it was likely limited and targeted. The company said it had found evidence of UTA0218 attempting to exploit the vulnerability at multiple organizations on March 26 and March 27.

PAN said its analysis showed the threat actor using the backdoor to run a handful of commands on vulnerable firewalls. The commands included one for copying configuration files and exfiltrating them via HTTP requests and another that set up the firewall to receive even more commands, this time from a different URL. "Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs," PAN said.

**Complete Control**

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. "This could allow the attacker a foothold to pivot further into the organization," he says. "It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections."

Sigler says the vulnerability exploit in this case works by getting an affected device to log OS commands in an error log. These commands are then processed and executed with root-level permissions, he says. "Disabling device telemetry disables the log file, short-circuiting the attack," Sigler notes. "The main risk in doing so is that network admins often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for abnormal network behavior may be evidence of an ongoing attack. Disabling telemetry may hinder those efforts."

Palo Alto itself has recommended that organizations that are unable to immediately update their software for any reason should disable device telemetry till they are able to update. According to the company, "Once upgraded, device telemetry should be re-enabled on the device."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading