Authorities across 19 African countries also dismantled their infrastructure and networks, thanks to cooperation between global law enforcement and private firms.

Source: Golden Dayz via Shutterstock

A combined effort among Interpol, Afripol, cybersecurity firms, and authorities in 19 different African nations resulted in the arrest of more than 1,000 suspects who allegedly took part in ransomware schemes, business email compromise (BEC), and other cybercrimes and digital fraud.

The collection of law enforcement investigations, dubbed Operation Serengeti, resulted in the arrest of 1,006 suspects linked to more than $192 million in financial losses and affecting at least 35,000 victims.

The African nations that took part in the joint law enforcement collaboration include Algeria, Angola, Benin, Cameroon, Côte d'Ivoire, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Mauritius, Mozambique, Nigeria, Rwanda, Senegal, South Africa, Tanzania, Tunisia, Zambia, and Zimbabwe.

The investigators worked with private-sector companies, including cybersecurity firms and Internet service providers, to share intelligence and take action to disrupt cybercriminals' infrastructure, Interpol's Secretary General Valdecy Urquiza said in a statement.

"Operation Serengeti shows what we can achieve by working together, and these arrests alone will save countless potential future victims from real personal and financial pain," Urquiza said. "We know that this is just the tip of the iceberg, which is why we will continue targeting these criminal groups worldwide."

Cybercriminal organizations have expanded in Africa, attracted by the growing economy and relative lack of cybersecurity maturity. While Russia, Ukraine, China, and the US top the lists of cybercrime producers, Nigeria took the No. 5 spot in the World Cybercrime Index, an academic effort to identify the most significant exporters of cybercrime. The African nation has struggled against the stereotype of rampant fraud caused by the once-common Nigerian Prince email scam. Other nations — such as Egypt, Kenya, and South Africa — have also struggled with rising cybercrime.

Along with seven private-sector partners, Interpol and Afripol arrested more than 1,000 suspected cybercriminals in October and September. Source: Interpol

Yet global organizations are increasingly taking part in cross-border investigations, leading to arrests and increased pressure on cybercriminals, according to the World Economic Forum's Cybercrime Atlas, which collaborated with Interpol and Afripol on Operation Serengeti.

"As long as profits are high and risks are perceived to be low, organized criminals will continue to focus on cybercrime," the Cybercrime Atlas group stated in a November analysis. "But 2024 has shown that better collaboration between law enforcement, industry, and cybercrime experts gets results. It is supporting arrests, the disruption of criminals' online infrastructure and the seizure of criminal profits."

**Card Fraud in Kenya, Cyber Trafficking in Cameroon**

Two schemes described by Interpol in its release underscore the varied nature of cybercrime across the African continent.

A criminal group in Cameroon, for example, ran a multi-level marketing scam with a trafficking twist. By promising employment opportunities and training, the group attracted victims, who then paid a fee, but rather than meeting with instructors, were held captive until they brought other victims into the group. The scheme made the group at least $150,000, according to authorities.

In another scam, cybercriminals ran funds-stealing scripts on bank websites, which piggybacked on account holders' sessions to withdraw and redistribute funds to companies in China, Nigeria, and the United Arab Emirates, Interpol stated. Losses from the scheme exceeded $8.6 million. So far, nearly two dozen people suspected of taking part in the scheme have been arrested.

Other cybercriminal schemes include an investment scam run out of Nigeria, a $6 million Ponzi scheme in Senegal, and a virtual casino operated from Angola. Business email compromise continues to be among the most prominent threats affecting African organizations, says Derek Manky, global vice president of threat intelligence for Fortinet, a network-security firm that aided Interpol with technical and intelligence support.

"Users should be aware of this type of attack and always verify the identity of any source giving instructions, especially for payment and even within your organization," he says, adding, "Threat sharing is important to enable quick mobilization of protections for customers across many vendors and to help break down technical barriers to enabling protections."

**A Hard-Won, but Short, Respite**

Despite the large number of arrests, the operation will likely result only in a brief reduction in cybercriminal activity, as disrupted groups will quickly pivot and recreate their infrastructure, says Stephen Hilt, a senior threat researcher with cybersecurity firm Trend Micro, which also collaborated with authorities on the global intelligence support.

"While impactful, these efforts need to be part of a broader strategy," he says. "For long-term reductions in cybercrime, developing nations must strengthen their legal frameworks to increase the cost of cybercriminal activities. ... Without these measures, the underlying socioeconomic factors that drive cybercrime will persist."

African nations — and organizations worldwide — need to invest in cybersecurity education to bolster awareness of the current threats and safe behavior online, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

African Law Enforcement Nabs 1,000+ Cybercrime Suspects

PRESS RELEASE

BOSTON, MA -- December 4, 2024 – Onapsis, the global leader in SAP cybersecurity and compliance, today announced the expansion of its Control product line to include a new bundle that enhances application security testing capabilities for SAP Business Technology Platform (BTP). The new offering supports both new and existing customers by enabling seamless, automated code scanning in SAP’s most commonly used integrated development environments (IDEs) and Git repositories.  This helps teams accelerate development, automate manual effort, enhance security and mitigate risks in their RISE with SAP and SAP BTP projects.

As SAP continues to drive cloud adoption for its SAP S/4HANA ecosystem, organizations are increasingly turning to SAP BTP for custom application development. However, as these projects scale, ensuring the security and integrity of the code is more important than ever. The expanded capabilities of the Control for BTP bundle address this challenge by providing development and quality assurance teams with comprehensive application security testing support, embedded directly into their development workflows.

Key features of the new offering include:

*   Code Scanning Across SAP Recommended IDEs for BTP: Control now supports SAP’s most frequently used IDEs, including SAP Business Application Studio (SAP BAS), Visual Studio Code and Eclipse with ABAP Development Tools. This capability ensures that developers working in RISE with SAP or SAP BTP environments can scan their code for issues and vulnerabilities within the IDEs they already use on a day to day basis.
    

*   Inline Security “Spell Check” for Developers: To help developers accelerate and de-risk projects, Control for BTP offers real-time, inline security scanning while code is being written. Just like a spell checker in a word processor, the product identifies code issues as they occur, providing developers with immediate feedback and actionable fixes to address security risks during the development process. 
    

*   Centralized Git Repository Scanning: As SAP development increasingly moves toward Git-based workflows, Control for BTP allows developers to centrally manage code security scans. Whether performing individual scans or bulk scans across multiple Gits, developers can quickly and efficiently scan entire code projects by simply pointing the product to the relevant Git repositories, saving time and reducing manual efforts.
    

“We’re excited to be the first to market with this comprehensive application security solution for SAP BTP,” said Sadik Al-Abdulla, Chief Product Officer of Onapsis. “SAP’s fiscal Q3 cloud revenue is up 25%, demonstrating growing adoption of its cloud services for SAP S/4HANA as companies look to update and modernize their legacy SAP ECC landscapes. As such, securing code throughout the software development lifecycle has never been more critical. With our expanded code security testing capabilities for BTP, we’re empowering developers to proactively find and fix vulnerabilities, ensuring faster, safer and more successful RISE with SAP projects.”

Onapsis is the only application security and compliance vendor endorsed by SAP. With the extension of BTP support to Control, Onapsis now offers customers comprehensive security and compliance coverage for SAP BTP across all of its key product lines - Assess, Defend and Control.

SAP BTP is a cornerstone of SAP’s CleanCore approach, designed to minimize customizations and simplify system upgrades. Onapsis’ new offering provides peace of mind by ensuring that code developed for SAP BTP is free from vulnerabilities that could lead to compliance issues, production failures, unplanned downtime or project delays.

Onapsis has been recognized in the Gartner® Magic Quadrant™ for Application Security Testing for three consecutive years.

Availability

The expanded SAP BTP security offering is generally available in Q4 2024, with pricing and further details available through Onapsis sales representatives or authorized systems integrators. For more information, please visit: https://onapsis.com/platform/btp/.   

Gartner, Magic Quadrant for Application Security Testing, by Mark Horvath, Dale Gardner, Manjunath Bhat, Ravisha Chugh, Angela Zhao, 30 April 2024 

Gartner is a registered trademark and service mark, and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Onapsis

Onapsis is the global leader in SAP cybersecurity and compliance, trusted by the world’s leading organizations to securely accelerate their SAP cloud digital transformations with confidence. As the SAP-endorsed and most widely used solution to protect SAP, the Onapsis Platform empowers Cybersecurity and SAP teams with automated compliance, vulnerability management, threat detection, and secure development for their RISE with SAP, S/4HANA Cloud and hybrid SAP applications. Powered by threat insights from the Onapsis Research Labs, the world’s leading SAP cybersecurity experts, Onapsis provides unparalleled protection, ease of use, and rapid time to value, empowering SAP customers to innovate faster and securely. Connect with Onapsis on LinkedIn, X, or visit https://www.onapsis.com.

Onapsis Expands Code Security Capabilities to Accelerate and De-Risk SAP BTP Development Projects

PRESS RELEASE

Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., and Senator Eric Schmitt, R-Mo., called for the Defense Department’s top watchdog to investigate the Pentagon’s failure to secure its communications from foreign spies, following the devastating “Salt Typhoon” hack of major telecom companies by Chinese government hackers.  

In a letter to Department of Defense Inspector General Robert Storch, Wyden and Schmitt highlighted the DOD’s failure to secure its communications from foreign spies. The senators revealed that DOD informed Congress that it signed a major contract this year, worth up to $2.7 billion, for wireless phone services for U.S. military personnel, even though DOD knew that the phone companies’ networks were vulnerable to foreign surveillance. 

Last month, the FBI and the Cybersecurity and Infrastructure Security Agency confirmed hackers working for the Chinese government breached multiple telecommunications companies and targeted call information for President-elect Trump, Vice President-elect Vance and Senate Majority Leader Schumer, among other high-profile targets.

“DOD’s failure to secure its unclassified voice, video, and text communications with end-to-end encryption technology has left it needlessly vulnerable to foreign espionage. Moreover, although DOD is among the largest buyers of wireless telephone service in the United States, it has failed to use its purchasing power to require cyber defenses and accountability from wireless carriers,” Wyden and Schmitt wrote. “We urge you to investigate DOD’s failure to secure its communications, and to recommend the changes in policy necessary to protect DOD communications from foreign adversaries.”

Wyden and Schmitt revealed multiple concerning new details about DOD’s inability and unwillingness to protect soldiers and civilian employees who rely on wireless phone networks, in their letter today: 

*   DOD has requested copies of independent, third-party cybersecurity audits phone carriers commissioned for their networks, but the carriers refused to produce those audits, citing attorney-client privilege, according to DOD.
    
*   DOD is still evaluating whether it has authority conduct its own cybersecurity audits of carriers that serve the Pentagon.
    
*   In August, DOD claimed that unencrypted phone lines did not pose an unnecessary risk and declined to adopt a policy banning use of unencrypted phone lines by DOD personnel. 
    

Read the full letter here.

You May Also Like

Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

Individuals concerned about the privacy of their communications should consider using encrypted messaging apps and encrypted voice communications, CISA and FBI officials say.

Source: Weitwinkel via Shtterstock

Concerns over the extent of China-backed Salt Typhoon's intrusions into US telecom networks have prompted the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI to issue guidance to the sector on addressing the threat.

The detailed recommendations come as officials from the authoring agencies this week described victims of the attack — which include Verizon, AT&T, and Lumen — as still working to eradicate the threat actor from their networks.

**Still Working to Evict**

"We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing," Jeff Greene, executive assistant director for cybersecurity at CISA, said in a media call this week.

"I have confidence that we are on top of it in terms of tracking them down and seeing what's going on, but we cannot, with confidence, say that we know everything," Greene said, according to a transcript of the media call that CISA made available to Dark Reading. Given where most victims are in their investigations, it is "impossible" to predict a timeframe for when they will complete fully evicting the threat actor, he said.

Several security experts consider Salt Typhoon's attacks on US telecom infrastructure as one of the most egregious cyber espionage campaigns ever in size and scope. It's unknown how many companies the threat actor has compromised as part of the campaign so far, but known victims include some of the biggest telecom providers in the country, including AT&T and Verizon.

The attacks enabled multiple activities, including theft of a large number of call detail records — such as a caller's and receiver's phone numbers, call duration, call type, and cell tower location — of telecom customers. In a smaller number of instances, Salt Typhoon used its presence on telecom provider networks to intercept calls and messages of targeted individuals, which include government officials and politicians. Separately, the threat actor also collected information on an unknown number of individuals who were the subjects of legal national security and law enforcement intercepts.

"The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber-espionage campaign," an FBI official said on background during this week's media call. "We have identified that PRC-affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities.

**Detailed Recommendations**

The new guidance for addressing the threat includes recommendations for quickly detecting Salt Typhoon activity, improving visibility, reducing existing vulnerabilities, eliminating common misconfigurations, and limiting the attack surface. The guidelines include a section devoted to hardening Cisco network gear, which the authoring agencies described as a popular target for the attacker in the ongoing campaign.

"Right now, the hardening guidance that we put out specifically would make the activities that we've seen across the victims much harder to continue," Greene said. "In some cases, it might result in limiting their access." He described Salt Typhoon actors as employing a variety of tactics to breach victim networks, so response and mitigation approaches will differ on a case by case basis. "These are not cookie-cutter compromises in terms of how deeply compromised a victim might be, or what the actor has been able to do."

**Use Encrypted Messaging Apps and Services**

Green and the FBI official on the media call recommended that individuals concerned about the privacy of their mobile device communications should consider using encrypted messaging apps — examples of which would include WhatsApp and Signal — and encrypted voice communications. "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing resistant MFA for email, social media, and collaboration tools," the FBI official said.

Trey Ford, chief information security officer (CISO) at Bugcrowd pointed to phishing-resistant multifactor authentication in the new guidance as something that organizations should consider prioritizing. "Everything we can do to raise the cost and work factor for malicious actors and nation state communities helps," he notes. He also recommends that organizations add encryption to all traffic crossing third-party communications infrastructure and leverage apps like WhatsApp and Signal where it makes sense. "Also, I would recommend adding a second factor of authentication, something stronger than SMS, such as Yubikeys, Apple's Secure Element, or pseudo-random code generators like Google Authenticator, Authy, \[and\] Duo, to all of your online accounts."

Chris Pierson, CEO and founder of Blackcloak, perceives the new hardening advice as useful in helping companies in the telecom sector prioritize their controls, remediation, and ongoing assessment activity. The advice to individual consumers and business executives to protect against Salt Typhoon is useful as well, he notes: "From tips on using security messaging as opposed to text/SMS, reducing the likelihood of SIM swapping by using a SIM PIN, and implementing dual factor authentication on key accounts, the guidance makes it easier for key executives and highly targeted persons to protect themselves."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat

Parasitic advanced persistent threat Secret Blizzard accesses another APT's infrastructure and steals what it has stolen from South Asian government and military targets.

Source: ArcadeImages via Alamy Stock Photo

Hackers operating on behalf of Russian state intelligence have breached hackers operating out of Pakistan, latching onto their espionage campaigns to steal information from government, military, and defense targets in Afghanistan and India.

In December 2022, Secret Blizzard (aka Turla) — which the Cybersecurity and Infrastructure Security Agency (CISA) has tied to Russia's Federal Security Service (FSB) — gained access to a server run by another advanced persistent threat (APT), Storm-0156 (aka Transparent Tribe, SideCopy, APT36). It soon expanded into 33 separate command-and-control (C2) nodes operated by Storm-0156 and, in April 2023, breached individual workstations owned by its fellow hackers.

Since then, researchers from Microsoft and Black Lotus Labs say, Secret Blizzard has been able to leech off of Storm-0156's cyberattacks, accessing sensitive information from various Afghani government agencies and Indian military and defense targets.

**Spy vs. Spy**

Ironically, threat actors — even those working for nation-states — might make easy pickings for other threat actors. As Ryan English, researcher at Black Lotus Labs explains, they don't often work hard at defending their own infrastructure. "If you spend a lot of time making your network a fortress, you're spending less time doing offensive stuff. At the end of the day, it's a time and a cost issue," he says.

Even if cyberattackers wanted to improve their cybersecurity, they'd face unique challenges in doing so. This much was demonstrated just recently, when a threat actor tried experimenting with Palo Alto's Cortex extended detection and response (XDR). By installing Cortex, they inadvertently allowed Palo Alto researchers a window into their operations.

It isn't clear how Secret Blizzard gained initial access into that first Storm-0156 server, but "our thinking is that they were identifying \[Storm-0156\] C2 nodes from public reporting. So their offensive team was working almost as a threat researcher would — spending time looking at public reports, looking for the possibility that they could get into somebody else's stuff," English says.

However, he adds, "They just weren't satisfied with what was available publicly. They probably did some reconnaissance. We think that they used some remote desktop pivoting to leverage their way into the target's other \[infrastructure\]. That's not an easy task."

**What Secret Blizzard Stole From Storm-0156**

With its C2 nodes and workstations in hand, Secret Blizzard had extensive visibility into — and control over — Storm-0156's tooling, its tactics, techniques, and procedures (TTPs), and the data it had already stolen from its victims. It used all of this to powerful and creative effect.

In some cases, the Russians used Storm-0156's servers to drop backdoors onto systems belonging to its existing victims. This allowed them to steal sensitive information from a variety of Afghan government agencies, including its Ministry of Foreign Affairs, General Directorate of Intelligence (GDI), and foreign consulates.

Against targets from India, though, Secret Blizzard took a different tack. In only one instance did it deploy its backdoor, "TwoDash," against an entity within India. Instead, it deployed a backdoor against Storm-0156 itself, siphoning off the sensitive records the Pakistanis had already stolen from targets in India's military and defense. Microsoft speculated that "the difference in Secret Blizzard’s approach in Afghanistan and India could reflect political considerations within the Russian leadership, differing geographical areas of responsibility within the FSB, or a collection gap on Microsoft Threat Intelligence's part."

**Unprecedented Security Through Obscurity**

Threat actors collaborate frequently, but researchers haven't identified any other groups that have hacked one another for the sake of sharing access to targets in the way Secret Blizzard has.

It's not the first time Secret Blizzard has done it, either. First in 2017, the group accessed tools and infrastructure belonging to Iran's APT 34 (aka Hazel Sandstorm, OilRig, Crambus). In an upcoming blog post, Microsoft will disclose details of another Secret Blizzard campaign in Ukraine, during which it used bots and a backdoor belonging to two other threat actors.

And then there was the case which broke last year. In January, Mandiant reported on a campaign it tied to Secret Blizzard. In April, Kaspersky alleged that the activity was, instead, carried out by the Kazakhstan-based APT Tomiris (aka Storm-0473). It appears now that Mandiant's guess was correct: Secret Blizzard was behind it, but confused researchers by using Tomiris' backdoor. Dark Reading has reached out to Kaspersky following this latest development.

That Tomiris smokescreen speaks to the benefits of Secret Blizzard's approach. By hacking just one APT, of course, it can access infrastructure and sensitive data belonging to all of that APT's victims. But beyond efficiency, it can also use that access to mask its activity, passing it off as if it originated from another threat actor.

English recalls how, last month, "I was at CyberWarCon, and a couple of people there were having a conversation, saying: 'You know, we haven't heard from Turla lately.' And I started laughing."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Russian FSB Hackers Breach Pakistan's APT Storm-0156

The vulnerability affects certain versions of the Veeam Service Provider Console that can only be fixed by updating with the latest patch.

Source: Postmodern Studio via Alamy Stock Photo

NEWS BRIEF

Data protection vendor Veeam released an update to address a critical vulnerability affecting the Veeam Service Provider Console (VSPC) that, if exploited, could lead to remote code execution (RCE).

Tracked as CVE-2024-42448 with a CVSS score of 9.9, the vulnerability was discovered by Veeam during internal testing. 

Veeam found another vulnerability in the process, CVE-2024-42449, with a high CVSS score of 7.1, which could leak an NTLM hash of the VSPC server service account and delete files off the machine.

Both of the vulnerabilities affect VSPC 8.1.0.21377 and all earlier versions of 7 and 8 builds.

"These service providers often trust their third-party vendor tools to manage client data and ensure business continuity," Elad Luz, head of research as Oasis Security, wrote in an emailed statement to Dark Reading. "When these vendors, like Veeam, have vulnerabilities that allow remote code execution, it exposes critical backup infrastructure to potential exploitation. In industries where data security is paramount, such as finance, healthcare, and legal services, the risk is amplified as these sectors hold sensitive data that is attractive to cybercriminals."

As there are no mitigations available for these vulnerabilities, Veeam recommends users of the supported versions of VSPC update to the latest cumulative patch.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Veeam Urges Updates After Discovering Critical Vulnerability

The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 3,500 mobile phones.

Source: Coredesign via Shutterstock

Researchers have discovered seven new Pegasus spyware infections targeting journalists, government officials, and corporate executives that started several years ago and span both iPhone and Android devices, demonstrating that the range of the notorious spyware may be even greater than once thought.

Researchers from iVerify discovered multiple devices compromised by Israeli company NSO Group's spyware via attacks initiated between 2021 and 2023 that affect Apple iPhone iOS versions 14, 15, and 16.6, as well as Android, they revealed in a blog post published on Dec. 4. The infections were discovered in May during a threat-hunting scan of 3,500 devices from iVerify users who opted in to the checks.

Specifically, the investigation uncovered multiple Pegasus variants in five unique malware types across iOS and Android. The researchers detected forensic artifacts in diagnostic data, shutdown logs, and crash logs found on the devices.

"Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports," Matthias Frielingsdorf, Verify co-founder and iOS security researcher, wrote in the post. Each of the infections "represented a device that could have been silently monitored, its data compromised without the owner's knowledge," he wrote.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

"The discovery supported our thesis about the prevalence of spyware on mobile devices — it was hiding in plain sight, undetected by traditional endpoint security measures."

**Pegasus Spyware Reach Underestimated?**

The findings also demonstrate that security researchers, in general, may have underestimated the reach of mobile spyware, particularly Pegasus, Rocky Cole, co-founder and COO of iVerify, tells Dark Reading.

Pegasus, developed by NSO Group — an adversary that iVerify tracks as "Rainbow Ronin" — is a particularly nasty piece of spyware that allows the controller to exploit OS vulnerabilities and leverage zero-click attacks to access and extract whatever they want from an exploited mobile device. Attackers can intercept and transmit messages, emails, media files, passwords, and detailed location information without a user's knowledge or interaction.

Pegasus gained initial notoriety in 2021 when security researchers found that it was being used by state-sponsored actors in illegal surveillance against journalists, politicians, human rights advocates, and other persons of interest to government intelligence agencies. Since then, numerous other infections have surfaced that show how governments have wielded the spyware, with journalists in particular in the crosshairs.

Related:Name That Edge Toon: Shackled!

Now iVerify's discovery suggests that state-sponsored actors not only are using mobile spyware in a narrow way to surveil the most high-profile of targets, but also could be spying on people within typically targeted populations who wouldn’t seem likely to be on their radar, Cole says.

"Previously considered a rare and highly targeted threat, Pegasus was found to be more prevalent and capable of infecting a wider range of devices, not just those belonging to high-risk users," he says.

Moreover, as iVerify’s investigation uncovered multiple Pegasus infections across several iOS versions, some dating back years, it's clear that traditional security measures often fail to detect such threats. This suggests that mobile device users themselves must be included in the detection of malware so they have "the power to understand and defend against threats that were previously invisible," Frielingsdorf wrote.

**Hunt Your Own Device Threats**

Cole says that best practices for preventing spyware infections before they occur include regularly updating devices to the latest OS as soon as possible, as spyware often exploits unpatched vulnerabilities. And though EDR may not pick up every infection, it can be a useful tool for organizations to use alongside more proactive device-specific threat-hunting to "help detect and respond to threats in real time," he says.

Related:Microsoft Boosts Device Security With Windows Resiliency Initiative

Organizations also should educate employees, Cole adds, especially those in high-risk roles, about the risks and best practices for mobile security as an essential protection against spyware infections.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The evolving regulatory environment presents both challenges and opportunities for businesses.

Michael McLaughlin, Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

December 4, 2024

4 Min Read

Source: filmfoto via Alamy Stock Photo

COMMENTARY

In 2024, the cybersecurity regulatory landscape underwent significant changes, as major economies worldwide introduced new rules to combat increasingly sophisticated cyber threats, such as advanced ransomware and AI-driven attacks. For businesses, navigating this evolving landscape is not merely a compliance issue but a strategic imperative that demands careful attention and adaptation.

**Understanding the Current Regulatory Landscape**

In the United States, the cybersecurity regulatory framework has evolved to address the growing complexity of cyber threats. This framework consists of a combination of federal laws, agency regulations, and state-specific requirements, each targeting different aspects of cybersecurity and data protection. At the federal level, the National Cybersecurity Strategy outlines a comprehensive approach, emphasizing the redistribution of cybersecurity responsibilities from individuals and small businesses to larger organizations with more resources. 

Several key regulations shape the landscape. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that critical infrastructure entities report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery, enhancing the federal government's ability to respond to these threats. The Securities and Exchange Commission (SEC) has implemented rules requiring publicly traded companies to disclose material cybersecurity risks and incidents promptly, ensuring investors receive timely information. The Health Infrastructure Security and Accountability Act (HISAA) proposes mandatory cybersecurity standards for healthcare organizations, focusing on electronic protected health information (e-PHI) and system resilience. State breach notification laws further add complexity, requiring organizations to notify affected individuals and state authorities following a data breach, with varying requirements across states.

**Increasing Cybersecurity Budgets and Strategies**

In response to heightened regulatory demands and sophisticated cyber threats, organizations are significantly increasing their cybersecurity budgets. While awareness of cyber-risks is widespread, many companies still face gaps in implementation and preparedness. The rise of ransomware-as-a-service and other complex attack vectors has prompted businesses to invest in robust cybersecurity infrastructure, including advanced threat detection systems, multifactor authentication, enhanced incident response capabilities, and zero-trust architectures. By integrating cybersecurity as a core business function, organizations can better protect their digital assets and maintain operational resilience.

Furthermore, businesses are recognizing the importance of C-suite collaboration in cybersecurity initiatives. Chief information security officers (CISOs) are increasingly involved in strategic planning and board reporting, ensuring that cybersecurity considerations are integrated into broader business strategies. This alignment is crucial for developing comprehensive cybersecurity strategies that are informed by regulatory requirements and industry best practices.

**Expectations for the Legal Landscape in Cybersecurity**

The legal landscape for cybersecurity is poised for continued evolution, with increasing emphasis on transparency, accountability, and compliance. The Supreme Court's overturning of the Chevron deference in Loper Bright Enterprises v. Raimondo grants courts greater authority to interpret laws, potentially leading to more challenges against agency regulations, including cybersecurity rules. This landmark decision is likely to result in more prescriptive language in federal legislation regarding agency authorities.

This shift underscores the need for businesses to stay informed about legal developments and adapt their compliance strategies accordingly. Organizations must be prepared to navigate a more dynamic regulatory environment, where judicial scrutiny may alter the consistency and scope of regulatory guidance. Legal frameworks will increasingly focus on ensuring that businesses not only comply with existing regulations but also demonstrate proactive measures to mitigate cyber-risks, including adopting best practices for data protection, incident reporting, and risk management.

**Insights From Government and Federal Roles**

In the United States, public-private partnerships play a crucial role in securing the digital ecosystem and enhancing cybersecurity. Timely dissemination of threat intelligence by the government enables organizations to quickly update security protocols and deploy countermeasures, thereby protecting sensitive data and infrastructure from breaches. In the military context, such intelligence is vital for both defensive and offensive operations, ensuring the protection of networks and supporting strategic cyber operations against adversaries.

Intelligence sharing also underpins effective legal and diplomatic responses to cyber threats. It provides law enforcement agencies with the evidence needed to indict cybercriminals, serving as a deterrent to future attacks. By presenting clear evidence of malicious activities, nations can engage in diplomatic negotiations to resolve cyber conflicts. Economic sanctions, informed by shared intelligence, can target entities or individuals involved in cyberattacks, applying economic pressure to curtail state-sponsored cyber behavior.

**Preparing for a Cyber-Secure Future**

To effectively navigate the cybersecurity regulatory landscape, businesses must prioritize cybersecurity as a strategic business function. This involves aligning cybersecurity initiatives with business objectives, understanding regulatory and statutory requirements, and demonstrating the return on investment in cybersecurity measures.

Organizations should leverage industry benchmarks to assess their cybersecurity posture and identify areas for improvement. Moreover, businesses must remain vigilant to the evolving threat landscape and continuously update their cybersecurity strategies to address emerging risks. This includes investing in advanced technologies, conducting regular risk assessments, and fostering a culture of cybersecurity awareness across the organization.

**Conclusion**

The evolving regulatory environment presents both challenges and opportunities for businesses. By investing in robust cybersecurity measures and aligning them with business objectives, ensuring effective incident response plans are in place and regularly exercised, and continuously keeping pace with industry-specific threats, organizations can build a resilient digital future that is prepared to withstand the challenges of an ever-changing cyber landscape.

**About the Author**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the Cybersecurity and Data Privacy Practice Group co-leader at Buchanan, Ingersoll & Rooney, a leading national law firm, where he helps clients navigate the complexities of cybersecurity, data privacy, and the related regulatory landscape. Previously, Michael served in the United States Navy as a Naval Intelligence Officer, and has held multiple postings worldwide, including senior counterintelligence adviser for United States Cyber Command and chief of counterintelligence and human intelligence for the Cyber National Mission Force, where he directed all counterintelligence, human intelligence, and law enforcement operations, investigations, and support to the Department of Defense's global cyberspace operations.

Navigating the Changing Landscape of Cybersecurity Regulations

Proposals from Google and Apple drastically reduce the life cycle of certificates, which should mean more oversight — and hopefully better control.

Source: ArtemisDiana via Alamy Stock Photo

Shortening the life cycle of Transport Layer Security (TLS) certificates can significantly reduce the vulnerability of websites and hardware devices that require these certificates. TLS certificates are exchanged between Web server and Web client (or server to server) to establish a secure connection and safeguard sensitive data. The majority of today's digital certificates have a time-to-live of 398 days — that's a 365-day certificate with a 33-day grace period, equaling 398 actual days before the certificate expires. If the proposals from Google and Apple are approved, however, that life cycle could drop to 100 days (90 days plus a grace period) or even 47 days (30 days plus a grace period).

It is not unusual to find certificates as short as 10 days or less in DevOps environments, says Jason Soroko, a senior fellow and CTO at Sectigo. Shorter lives are set because the number of days a certificate is live increases the possibility that data will be lost if the certificate is compromised. An expired certificate can lead to denying a browser connection, effectively interrupting the breach and stopping data exfiltration.

**Automated Updates Make Change Easier**

Despite the marked change in how often digital certificates will renew, not much will change operationally for organizations that currently rely on security information and event management (SIEM); security orchestration, automation, and response (SOAR); or some other method for automating the renewal of such certificates, a common setup. In fact, Soroko says, certificate life cycle management (CLM) logs feed into the organization's SIEM and SOAR systems to ensure that the certificates are updated before they expire, which creates business continuity.

Many small to midsize businesses (SMBs) that employ a service provider to manage their networks and network security might already be getting automated certificate updates through CLM services. Organizations using managed service providers or managed security service providers should ask them whether such updates are in place. CLM manages contracts from initiation through renewal. Using CLM software to automate processes can help limit organizational liability and improve compliance with legal requirements.

The only groups that could be significantly affected operationally are those that still manually update certificates. Each time a certificate needs manual updating, errors could be introduced, Soroko says. Instead of the annual updates done today, a 30-day certificate (plus its proposed 17-day grace period) would require 12 updates annually, a multiplier of 12 in introducing errors and increasing risk.

"For smaller companies that don't have unlimited resources to manage their infrastructure, it's going to be quite a wake-up call," says Arvid Vermote, GlobalSign's worldwide CIO and CISO, a Brussels-based certificate and identification authority. "In the past, \[certificate authorities\] have been advocating automation. They have been providing the tools. But why change if it's not needed?"

As the certificates' time to live gradually shrinks, companies doing a manual process will soon realize that automation is not only a quicker way but also a more reliable way to renew certificates.

Updating certificates manually is not easy, Soroko notes.

"It's a very technical task, and it's not difficult to fat-finger it and make an error that takes a website down," he says, adding that most larger enterprises could not afford to have downtime on their Web assets, so they started to deploy CLM rather than manual updates years ago.

Regardless of the size of the company, Soroko says, the organization should automate updates. The technology is "ideally suited for everyone, and not just handing you a cert, but handing you visibility, automation, and discovery of \[digital\] certificates you don't even know you have," he says.

**CLM Casts Light on Shadow IT**

The frequent rotation of certificates means the CLM system will be scanning your environment often for certificates to update — possibly even finding digital certificates the IT department did not have on record, Soroko adds. This happens sometimes when enterprise department heads with signing authority to purchase services acquire software-as-a-service applications and Web services to address operational needs but do not report these services to the IT team.

With rogue applications running on virtual machines, Web servers, load balancers, and other hardware, it can be difficult to identify all elements of shadow IT. However, having the CLM systems constantly monitoring certificates can help identify new hardware, virtual servers, and cloud instances requiring digital certificates that might have been overlooked in the past. A certificate on an unknown device or virtual machine might be identified as an unauthorized connection or breach in progress.

The change in certificate life cycles likely will affect SMBs the most, Vermote says. In fact, this could be a good time for the CISO to go to the board and request funding for automation if they do not already have it.

"\[The\] CISO only gets money from the board if there is an incident," Vermote notes. "CIOs only get money from the board when systems are unavailable. In this case, it's both, because if the board doesn't give them the funding to properly automate and inventories of certificates expire, websites \[and\] legitimate services provided to customers, internal or external, will become unavailable."

Justin Lam, an analyst with 451 Research, says enterprises need to look at digital certificates from a proactive risk management perspective rather than a reactive compliance perspective. While certificates with a longer life always could be revoked in the case of a breach or incident, shorter life cycles mean there is more oversight — and hopefully better control — of certificates that IT might not have been made aware of.

"Many security professionals do not actually own the environments where these things are protected," Lam says.

And while managing all of the tools for cloud security posture management, zero trust, cloud-native application protection, and other security tools falls under the auspices of the CISO, many CISOs do not know when cloud sessions that require digital certificates are spun up. They have the responsibility to defend their networks but not necessarily the visibility into those networks — or the funding to protect everything.

**About the Author**

Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

Digital Certificates With Shorter Lifespans Reduce Security Vulnerabilities

BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

Source: Andrey Suslov via Alamy Stock Photo

NEWS BRIEF

In an effort to convince consumers that it's safe to answer their phones, root of trust provider SecureG has partnered with CTIA, a trade association that represents the wireless communications industry, on an initiative intended to deliver a secure branded call experience for businesses.

Branded Calling ID (BCID) is an industry-led, standards-based Rich Call Data project to create a secure, interoperable ecosystem in which businesses can embed information like their logos and reason for calling when they reach out to consumers by phone. BCID digital signatures are secured by SecureG's public key infrastructure (PKI) solutions. 

"No one wants to answer their phone because of all the spam and scams, and it is only getting worse now that AI-generated voices can impersonate people and businesses," said Todd Warble, CTO of SecureG, in a statement. BCID has a secure-by-design foundation that enables consumers to trust the authenticity of the brands and intentions of the caller, Warble said.

To secure the caller's brand identity, SecureG provides high-assurance operations of the CTIA Secure Telephone Identity Certification Authority (CTIA STI-CA), Intermediate Certification Authority, and the Certificate Repository. The SecureG trust anchors, secured in hardened concrete bunkers, give BDIC the ability to authenticate participants to sign calls. The BCID system is designed to work across networks and mobile phones, and enterprise customers pay only for branded calls that are confirmed delivered. 

BCID allows businesses to brand their calls while preventing scammers and spammers from gaining access to NCID signing certificate. BCID is designed to work seamlessly across networks and mobile phones, so enterprise businesses can deliver trusted, branded calls to their consumers.

The initiative is aimed at reducing the risk of fraud and spam calls from bad actors who impersonate real businesses. A recent survey found that three-quarters of respondents would answer a call if the caller was authenticated by a name, logo, or reason for the call, the company said in a statement. BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Source

DARKReading