A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.

Source: Kim Kuperkova via Shutterstock

Attackers are targeting Magento e-commerce websites with a new card-skimming malware that can dynamically lift payment details from checkout pages of online transactions. The attack, discovered by a researcher from Web security firm Surcuri, comes as online retailers and shoppers are priming for this week's historically busy Black Friday online shopping day.

Sucuri security analyst Weston Henry discovered the attack in the form of a malicious JavaScript injection, which has multiple variants and target sites built on the popular e-commerce platform in two different ways, according to a blog post published on Nov. 26.

One way is by creating a fake credit card form to steal card details, the other is by extracting the data directly from the payment fields. "Its dynamic approach and encryption mechanisms make it challenging to detect," Sucuri security analyst Puja Srivastava explained in the post. The data is then encrypted and exfiltrated to a remote server controlled by the attacker.

Magento-based websites are a frequent target for cybercriminals due to their widespread usage for e-commerce and the valuable customer data they handle, including payment card or bank account details. And card-skimming — typically by a group of cybercriminals collectively known as Magecart — is a popular attack vector to steal such data from these sites.

Related:News Desk 2024: Can GenAI Write Secure Code?

**Cyber Victims Targeted During Shopper Checkout**

Henry discovered the malicious script during a routine inspection of a Magento-based site with Sucuri's SiteCheck. "The tool identified a resource originating from the blacklisted domain dynamicopenfonts.app," explained Sucuri security analyst Puja Srivastava in the post. Eventually, the resource was found in two locations on the site.  

One of the locations where it was found was within the <referenceContainer> directive of the XML file, which is designed to load a JavaScript resource just before the closing <body> tag.

Attackers obfuscated the contents of the external script to avoid detection, "making it challenging to identify at first glance," Srivastava noted.

Once executed, the script activates only on pages containing the word "checkout" but excluding the word "cart" in the URL, with the aim of extracting sensitive credit card information from specific fields on the checkout page.

After it's completed this malicious task, the malware collects additional user data through Magento’s APIs, including the user's name, address, email, phone number, and other billing information. "This data is retrieved via Magento's customer-data and quote models," Srivastava explained.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Magento Malware's Strong Anti-Detection Game**

Attackers behind the malware have taken care to use multiple anti-detection techniques to hide their malicious activity, the researchers found. While the malware is collecting the data, it first encodes it as JSON and then XOR-encrypts it with the key "script" to add an extra layer of obfuscation, the researchers found.

The encrypted data also is Base64-encoded before being sent via a beaconing technique to a remote server at staticfonts.com. Beaconing is a method whereby a script or program sends data silently from the client to a remote server without alerting the user or interrupting their activity.

While legitimate applications such as analysis tools also use beaconing, malicious actors favor the technology because it's a stealthy and hard-to-detect way to transmit stolen data, the researchers noted.

**How to Secure E-Commerce Sites From Cyberattack**

To protect e-commerce sites from stealthy card-skimmers — particularly on busy shopping days like Black Friday, which are a goldmine for cybercriminals — Sucuri recommends administrators conduct regular security audits, monitor unusual activity, and deploy a robust Web application firewall (WAF) to protect sites.

Related:'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

They also should ensure that sites are consistently updated with the latest security patches, as "outdated software is a primary target for attackers who exploit vulnerabilities in old plug-ins and themes," Srivastava wrote.

Administrators also should ensure they use strong, unique passwords on e-commerce sites to bolster security and avoid having them easily cracked by attackers. Finally, implementing file integrity monitoring to detect any unauthorized changes to website files also can serve as an early warning system.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

The lessons I've learned soaring through the skies have extended far beyond the runway.

Source: Stanislav Duben via Alamy Stock Photo

COMMENTARY

As a child, airplanes fascinated me — I was taken by their gravity-defying magic, their technical wonders, their sleek designs, and the adventures they unlocked. I dreamed of flying one myself.

Although I pursued a career in cybersecurity, flying always inspired me — so I chased my lifelong dream of becoming a licensed pilot. I continue to fly light aircraft in the little spare time I get alongside my role as the CEO of a leading cyber-risk management company. 

**Always Have Backup**

A recent experience prompted me to think more closely about the interplay between my two passions. 

Not long ago, I completed an advanced course for pilots of two-engine planes. Previously, I had only flown planes with one engine, which is a risk: If the engine malfunctions, you're in big trouble. 

In the final training session, we practiced different responses in the event of an engine breaking down. As our instructor walked us through different tactics, one thought went through my mind: the critical need for a "defense in depth" approach to security. Just as the smooth functioning of an airplane relies on multiple mechanisms supporting one another, a modern cybersecurity platform also leverages numerous defensive techniques, so that if a threat slips through one layer, it will be caught by another. 

That was when I realized: While aviation and cybersecurity may appear as far apart as the heavens and earth, the skills I've learned from flying have profoundly influenced my career.  

**Know Your Environment**

Even at the beginning of my career, as a junior systems analyst and IT team manager, I understood that an organization's cybersecurity posture is much broader than any single tool or platform. Effective cybersecurity requires a thorough understanding of the operating environment and all the tools therein. Before an organization can identify vulnerabilities and secure itself against attacks, it needs a complete understanding of its internal and external assets, digital surfaces, devices, brand assets, and more. 

Likewise, becoming a pilot not only required me to master the practical skills of navigating an aircraft through various conditions but also necessitated a deep understanding of the equipment on board. Flying without a confident grasp of my instruments or expected flight environment is like playing Russian roulette: potentially fine … or lethal. 

In cybersecurity, just as in aviation, one can never be passive. Full visibility into a technology environment is required to be able to manage risks, quickly adjust course, identify and communicate issues, and fix those issues under pressure. 

**Continuous Learning and Testing**

In the modern cybersecurity landscape, threats are always evolving, and hackers are constantly honing their skills. That’s why I ensure my company continuously tests its defenses and my employees constantly learn new skills to keep pace with the rapidly changing threat landscape. 

During a recent performance review with one of my direct reports, the employee suggested that some of our threat simulations and training sessions were so time-consuming that they prevented his team from carrying out other deliverables. I acknowledged that learning and testing take up a lot of time, but doubled down on the importance of learning from past incidents to understand future threats and tactics. A cybersecurity company that prioritizes this will serve its customers better in the long run, even if it means a routine report or product update will be slightly delayed. 

**Muscle Memory and Task Execution**

A little-known insight into a pilot's mindset: When landing my aircraft, I barely think about what I am doing. That's because I have practiced and repeated the same maneuver hundreds of times, making complex tasks feel like second nature. 

It's just as vital to develop this sort of muscle memory among security professionals. Security teams should regularly practice routine protocols for any scenario. Conducting tabletop exercises and attack simulation drills allows teams to react quickly and effectively when a real threat emerges. 

By promoting constant preparedness, I aim to ensure that my teams can execute the best course of action without hesitation, even in high-pressure situations.

**Small Issues Become Big Ones**

After flying for a few years, I felt like I'd finally memorized the dozens of separate tasks that form part of a pre-flight checklist. In reality, I'd started to prioritize — I knew that I'd always have to check whether there was enough fuel in the tank to complete the journey, but making sure each seatbelt on the plane was fastened correctly seemed secondary. 

One time, I experienced a particularly bumpy landing. I asked a fellow pilot why that might have occurred, and he suggested checking the air pressure in the tires. I took a look and realized that I'd completely forgotten to check the tires before the flight. A tire low on air won't cause the plane to fall from the sky, but landing on a flat tire can be extremely dangerous. If a flat tire hits the runway, it could burst and send the plane swerving. Incidents like this can easily be avoided — by running through the correct procedures to identify any small issue before it becomes a big one. 

In cybersecurity, small vulnerabilities in a system can easily be overlooked and are therefore ripe for exploitation. In short, cybersecurity is not just about responding to attacks — it's about mitigating risks before they can cause damage. By implementing best practices and checklist procedures, security teams can do just that.  

**The Sky's the Limit**

The lessons I've learned soaring through the skies have extended far beyond the runway. 

Learning from my mistakes and internalizing the discipline it takes to be a pilot have allowed me not only to lead my company with clarity and resilience; it also has provided me with a new perspective on the ever-evolving landscape of cybersecurity. Incorporating these lessons into the flight plan of my professional life has helped foster a culture of continuous improvement at our workplace, which ultimately has helped our customers. 

**About the Author**

CEO, Cyberint

Yochai Corem is the CEO of Cyberint, a leading external cyber-risk management provider that supports hundreds of organizations around the globe in understanding and managing their threat exposure. 

Yochai is a seasoned executive and strategic cybersecurity leader and innovator, with more than 25 years of experience in driving business success for cyber security companies. 

Prior to Cyberint, Yochai held multiple executive positions at CYE, Cyberbit, 3i-Mind, and Verint in the areas of sales, product strategy and services. 

Yochai has registered multiple patents in the area of cybersecurity, which have been applied in commercial products, and is often invited to share insights on the Israeli cyber security innovation and leadership landscape. 

Yochai is a former officer of the Israeli Intelligence Unit 8200 and holds an MBA from the Reichman University (IDC) in Herzliya and a BSc in electrical engineering cum laude from Tel Aviv University.

How Learning to Fly Made Me a Better Cybersecurity CEO

Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.

Source: Kundra via Shutterstock

A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.

In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption.

**Matrix Unleashed**

The attacker, whom researchers at Aqua Nautilus are tracking as "Matrix" after spotting the campaign recently, has established a store of sorts on Telegram, where customers can buy different DDoS plans and services. These include plans ranging from "Basic" to "Enterprise" that allow purchasers to unleash DDoS attacks of different durations at the transport and applications layers of targets of their choice.

"Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software," said Assaf Morag, lead data analyst at Aqua in a blog post this week. "The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

DDoS attacks have been a standard item in attacker playbooks for a long time. Though organizations have generally gotten better at dealing with them over the years, DDoS attacks remain hard to protect against entirely. Threat actors have continuously increased the volume and duration of DDoS attacks while developing techniques to target different layers of the network to maximize their disruptive impact. A Gcore study released earlier this year showed a 46% increase in DDoS attacks in the first half of 2024 compared with the same period last year. Some attacks peaked in excess of multiple terabits of attack traffic per second.

Matrix's campaign appears to have launched in November 2023 with the creation of a GitHub account. The attacker has been using the account primarily as a repository for various publicly available malware tools downloaded from different sources and which, in some cases, Matrix then modified for use in the DDoS campaign.

**Off-the-Shelf Attack Tools**

Aqua's analysis of Matrix's GitHub account showed a collection of commonly available DDoS botnet tools, including perennial favorite Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. Most of these tools are publicly available and open source; what distinguishes Matrix is how it's been able to integrate and use these tools effectively in assembling a DDoS botnet. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Morag said.

Matrix has been using the tools to scan the Internet for IoT devices with known vulnerabilities in them that the owners have left unpatched. Many of the vulnerabilities that the threat actor's attack scripts scan for are older flaws, including one from 2014 (CVE-2014-8361) a remote code execution (RCE) vulnerability in Realtek Software Development Kit.

Aqua listed vulnerabilities the attacker is targeting, including three from 2017 (CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106); another three targeted vulnerabilities are from 2018 (CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995). The vulnerabilities affect a range of Internet-connected devices including network routers, DVRs, cameras, and telecom equipment.

And in something of a departure from typical DDoS campaigns, the threat actor is scanning the IP ranges of several cloud service providers for vulnerabilities and misconfigurations in telnet, SSH, Hadoop YARN, and other enterprise servers. One of the vulnerabilities that Matrix has targeted is CVE-2024-27348, a critical RCE vulnerability in Apache HugeGraph servers. Nearly half (48%) the scanning activity that Aqua observed targeted servers in AWS environments, 34% were in Microsoft Azure, and 16% on Google's cloud platform. For the moment at least, Matrix's primary focus appears to be China and Japan, likely due to the high density of IoT devices in those countries, Morag said.

**Brute-Force Attacks**

As is common in most such campaigns, Matrix has also been taking advantage of default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers and making them part of the DDoS botnet. Aqua found Matrix using a brute-force script against 167 username and password pairs that organizations had used to secure access to their IoT and server environments. A startling 134 of the pairs granted root or admin level access on affected devices.

Aqua's analysis showed there are 35 million systems running the software that the attacker appears to be targeting. Not all of them are vulnerable. But if even if just 1% are exploitable, that would give the attacker a botnet of around 350,000 devices.

In comments to Dark Reading, Morag says only content delivery networks and organizations with visibility into Internet traffic logs can really say what the actual size of the botnet that Matrix has assembled. But indications are that it is large. "We have hundreds of honeypots, and we usually see an attack/campaign on one or two types of honeypots. But in this case, we saw attacks on our SSH, Telnet, Jupytar Lab, Jupytar Notebook, Hadoop, HugeGraph, and a few simulators of IoT devices," which is unusual, he says. "In addition, the attacker utilized some of our honeypots to attack Telnet and SSH, with a 95% success rate."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Script Kiddie Assembles Massive DDoS Botnet

Enterprise cybersecurity teams tell Omdia's Maxine Holt that they want to dig out from underneath mounting tech and pivot to a simpler platform model — but they are finding that tricky to pull off.

Omdia's survey of cybersecurity leaders demonstrated that they're currently in a conundrum — drowning in security products they want to pare down but instead having to add layers to cope with the exploding threat landscape.

It's a challenge they are looking at cybersecurity platforms to solve, but it's going to take time.

Maxine Holt, who leads the Omdia cybersecurity research group, joined the Dark Reading News Desk at Black Hat USA 2024 fresh off the Omdia Summit, where her team of analysts presented the detailed results of their 2024 survey of cybersecurity decision-makers. They found the typical organization is running somewhere between 21 to 50 separate cybersecurity tools. And while three-quarters of organizations indicated they were interested in cutting that number down to a more manageable number, 87% of respondents had nonetheless added tools to their systems over the past year.

"They're struggling with the threat landscape," Holt said. "It's not as easy as unplugging one thing and plugging in something else."

These organizations will have the opportunity to migrate over to a cybersecurity platform over the next three to five years, as their contracts sunset, according to the survey.

Major players in the cybersecurity platform space, including CrowdStrike, Palo Alto Networks, Fortinet, and Check Point, stand to gain market share in the next few years as the shift occurs, but Holt stressed the need for a healthy ecosystem of vendors.

"We have to support the thousands of vendors in the space so they can innovate," Holt said.

News Desk 2024: The Rise of Cybersecurity Platforms

GenAI's 30%-50% coding productivity boost comes with a downside — it's also generating vulnerabilities. Veracode's Chris Wysopal talks about what he finds out in this News Desk interview during Black Hat USA.

It's faster, for sure, but generative artificial intelligence (GenAI) is learning how to code just like a human developer would — and that means picking up mistakes along the way.

GenAI and large language models (LLMs) learn how to code based off of open source models, which themselves are flawed, explained Chris Wysopal, CTO and co-founder of Veracode, at this year's Dark Reading News Desk at Black Hat USA 2024.

"\[GenAI\] can write a lot more code a lot faster," he said. "So what you end up with is more code and more vulnerabilities per unit of time."

The trick then becomes finding and fixing vulnerabilities at the same pace.

In his research presented at the conference, "From HAL to HALT: Thwarting Skynet's Siblings in the GenAI Coding Era" (a titled itself written by an LLM), Wysopal proposes the best way forward is using AI to find and fix the vulnerabilities in AI-generated software code. But we're not there yet.

According to research, the current model that can write code the best is an LLM called StarCoder. That's not to say it writes code completely free of vulnerabilities, but it's the best thing going. ChatGPT 4.0 and ChatGPT 2.5 were also found to be fairy adept at writing secure code.

"A general purpose LLM can fix some security bugs, but it turns out it's not great at it," Wysopal says. "And so we're seeing specialized LLMs that are trained just to secure code."

Wysopal and his team at Veracode are working on that, as well as other companies, he adds.

News Desk 2024: Can GenAI Write Secure Code?

The preview version now includes multiple security-focused additions Microsoft had promised to add, such as SecureBoot, BitLocker, and Windows Hello.

Source: Mundissima via Shutterstock

Six months after announcing (and modifying and delaying) Windows Recall, Microsoft has released a first-look preview of a reworked version for Windows Insiders via its Dev Channel. 

The preview is available only to Windows Insiders with Qualcomm Snapdragon X Elite and Plus Copilot+ PCs. The build of Windows that includes Recall (preview) with Click to Do (Preview) is Windows 11 Insider Preview Build 26120.2415 (KB5046723), Microsoft said. Support for Intel- and AMD-powered Copilot+ PCs will be available at a later date.

Recall takes "snapshots" of a user's PC that can be searched at anytime, thus allowing users to "recall" any application action, website visited, or image or document previously accessed on the system. Recall uses optical character recognition (OCR) to extract the text in screenshots and saves both of the images and text into a searchable database. When users describe what they are looking for, Recall searches the database to help them find it. The built-in neural processing unit is capable of running artificial intelligence (AI) and machine learning workloads locally and does not store anything in the cloud. This means Microsoft doesn't have access to any Recall snapshots, and none of the snapshots will be used to train Microsoft's AI models.

Recall was initially scheduled to be released last summer, but Microsoft had repeatedly delayed it to address privacy concerns. In September, the company explained how it was working to secure Recall snapshots.

Several of the new security-focused additions are available in the preview. Those who download the preview must opt in to saving snapshots, which is a change from the original plan to make it an opt-out feature. Recall now requires BitLocker disk encryption and Secure Boot to be enabled. Users must also be enrolled in Windows Hello because they must reauthenticate with Hello each time they access Recall's database. Users have the ability to delete any snapshot they want, and the system can detect sensitive personal data, like credit card numbers, passwords, and PINs, and won’t save them.

Users can also opt out of using Recall on specific apps and websites or just uninstall it altogether. For enterprise and education users, Recall will be managed by IT administrators. Administrators can also completely uninstall Recall if they are concerned about data exposure. 

The purpose of the Windows Insider preview is to give users the ability to try out the feature in real-world scenarios and help Microsoft identify issues that need to be addressed. Users can submit their feedback of the preview versions of Recall and Click to Do (recognize text and images in Recall snapshots and then copy the text or save images out of the snapshots) via the Feedback Hub. Insiders are asked to provide feedback on Recall's "updated security and privacy architecture" through the Windows Insider Preview Bug Bounty Program. 

Microsoft did not say how long it plans to keep Recall in preview before it would be considered ready for general release.

Microsoft Finally Releases Recall as Part of Windows Insider Preview

With a focus on creating technologies for other markets, Israel continues to be a valued destination for venture capital in cybersecurity outside the US and Europe.

Source: thinkhubstudio via Shutterstock

Though funding for cybersecurity startups began slowing globally in late 2022, Israeli startups continue to win significant cybersecurity investments, even with the nation's ongoing military operation in Gaza and escalating regional tensions.

The continued investment shows that Israel continues to be one of the strongest hubs for tech innovation in the US outside of Silicon Valley, says Or Shoshani, CEO and co-founder of Tel Aviv-based Stream.Security. His company, a cloud detection and response firm, garnered its first round of funding — a $26 million Series A — in March 2022 at the tail end of the boom. Earlier this month, the company was awarded a Series B round for $30 million.

"I've been traveling more than I've been doing in the last four years. Why? Just to show that we are here to support our customers, and we have built a business that is truly resilient, regardless of where we are and regardless of the state \[of affairs\] Israel is experiencing."

Following a two-year drought, cybersecurity startup companies are seeing an uptick in investment internationally, with the value of deals expected to grow by 45% in 2024 — a reversal of fortunes compared to the 40% decrease in 2022 and 49% drop in 2023, according to data from cybersecurity investment-advisory firm Altitude Cyber.

Related:Microsoft VS Code Undermined in Asian Spy Attack

Following a peak in Q4 2021, investment in cybersecurity firms tapered off for two years. It's starting to return. Top: Number of deals. Bottom: Value of deals in billions of US$. Source: Altitude Cyber

The investment focus of Altitude Cyber's clients, for example, remains the US, Israel, and Europe, followed by the rest of the world, says Dino Boukouris, founder and managing partner at the firm.

"We don't anticipate that trend will change any time soon," he says. "Even with the geopolitical climate we're in, Israel has continued to deliver, the US cyber market remains as strong as ever, and Europe \[and the\] UK continue to innovate and produce really great cyber companies."

**Cybersecurity Springs Back**

Israel's research and development centers took off during the US regulatory assault on encryption in the 1990s and the migration of chip design to many of the technology parks around Tel Aviv and Haifa during the past two decades. On the cybersecurity side, the nation has developed "outsized" capabilities, according to a recent history of Israel's evolution in cybersecurity.

Similar to Silicon Valley, going out for a cup of coffee often means running into two or three entrepreneurs that are going to tell you about their latest idea, says Jacques Benkoski, general partner at US Venture Partners, an investor in Stream.Security.

With the country's focus on cybersecurity and the density of talent and education available in a small area, innovation naturally follows, he says. 

Related:Under-Resourced Maintainers Pose Risk to Africa's Open Source Push

"When you look at the history of venture capital, you have nodes of innovation that are characterized by a catalytic density of talent — you look at places like Silicon Valley, you look at places like Tel Aviv, and you just have a lot of people that are focused on the same thing," he says. "And from the acceleration through dialogues and the collisions \[of ideas\] between those people comes more innovation" than other parts of the world.

Yet, one aspect of Israel's venture-capital scene is that investors do not want to fund companies solving local problems. Instead, the focus is on creating technologies and businesses that address issues in the US, Europe, and worldwide, Benkoski say.

"We typically invest in companies that see the US as their primary market — it's actually an investment condition," he says. Second rounds of venture capital for companies like Stream.Security are often to develop a stronger presence in their primary market, he adds.

**Broadening Out Cybersecurity Investment**

While the country's cybersecurity ecosystem certainly has its adherents, other investors see a focus on local ecosystems to be desirable. Ukraine has historically had a strong cybersecurity community — albeit mixed with its share of cybercriminal groups — and that could see a resurgence if Russia ends its war, says Ron Gula, president of Gula Tech Adventures, an investment firm.

Related:Software Productivity Tools Hijacked to Deliver Infostealers

"I'm hopeful that the Ukraine war will end soon, and believe the tech ecosystem there will emerge as a rival to the Israeli ecosystem," he says.

Other areas of the world also offer substantial benefits for investment. In addition to expanding its investment into Israel, Forgepoint Capital plans to focus on Latin America and the Asia-Pacific regions, where the mobile-first ecosystem requires a tailored approach to cybersecurity, managing director J. Alberto Yépez says.

"Other geographies have more of a built-in enterprise industry infrastructure to support local innovation, with established institutions taking an active role to drive collaboration and better anticipate and address their customers' needs," he says, adding that the firm has partnered with global financial institutions to help innovate. "We aim to address a critical gap in growth funding for startups in Europe while expanding our purview into Latin America and Israel," he says.

One overhyped technology for investors? AI. While artificial intelligence has technology giants spending heavily — and nearly every cybersecurity firm boasts of AI features — the impact of AI startups on cybersecurity remains modest, says Altitude's Boukouris. But there have been some significant financing deals for AI-cybersecurity companies in past few years, including Protect AI ($60 million in Series B funding, HiddenLayer ($50 million, Series A), Witness AI ($28 million, Series A), and Cranium ($25 million, Series A), he says.

"Vendors specifically focused on security for AI/ML are still primarily in the early stages in terms of funding," he says. "We've only seen one significant M&A event so far, with Robust Intelligence being acquired by Cisco for around $300 million, which indicates that we are still in the early stages of security for AI."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Israel Defies VC Downturn With More Cybersecurity Investments

Neurodivergent talent can add so much to a cybersecurity team. How can companies ensure they have the right hiring and onboarding practices in place to help these employees succeed?

Source: Jess Rodriguez via Alamy Stock Photo

Hiring and retaining neurodivergent talent is a crucial step toward fostering a more inclusive and innovative cybersecurity workforce. But traditional hiring processes and standardized training programs can often create barriers for these individuals and lead companies to lose out on talent.

Here are eight tips for ensuring that your hiring and training processes are more inclusive and that neurodivergent candidates can succeed and thrive within your organization once they are on the job.

**1\. Embrace Performance-Based Interviews**

Traditional interviews may not showcase a neurodivergent candidate's full potential. Instead, use performance-based interviews where candidates can demonstrate their skills in a comfortable, simulated work environment. This provides better insight into their capabilities and reduces stress related to social interactions.

"Sitting in a room answering questions, especially when you're seeking a job that is going to have less social interaction, is not the way to do it," says Megan Roddie-Fonseca, a senior security engineer at Datadog and a neurodivergent person with autism and ADHD. "When it comes to showing my skill set, I'm going to be doing that on a computer, in an environment I'm comfortable with."

**2\. Communicate Clear Expectations**

Clarity is key when working with neurodivergent candidates. During interviews and onboarding, provide clear instructions and explain expectations thoroughly. Avoid using metaphors or vague language, which can create confusion for some candidates.

"Due to my auditory processing disorder, I often rely on written communication to fully process information," says Meghan Maneval, senior director of product marketing at LogicGate.

**3\. Use Flexible Interview Formats**

Allowing candidates to complete tasks at their own pace and in familiar environments can help them showcase their strengths without the added pressure of time constraints or sensory distractions.

"Many neurodivergent employees I have spoken with tell me they are at their best when they have time and mental space to solve a problem on their own, in their own way, and then bring it back to the team," says Jodi Asbell-Clarke, a senior researcher in neurodiversity in STEM education at the nonprofit TERC and author of Reaching and Teaching Neurodivergent Learners in STEM.

**4\. Develop Individualized Training Plans**

Neurodivergent employees often benefit from tailored training programs. Rather than a one-size-fits-all approach, offer flexible training options, such as self-paced modules, to accommodate different learning styles.

"Giving neurodivergent employees space for autonomy of thought during training can be beneficial," Asbell-Clarke says.

**5\. Build a Culture of Inclusion**

Foster open dialogue about neurodiversity and encourage conversations about the needs of neurodivergent employees. Create employee resource groups (ERGs) to provide a platform for neurodivergent voices and make sure they feel heard.

“It's a culture shift because a lot of people are afraid to bring up those things because people think they're silly or they'll feel like, you know, they're going to get fired or not be a candidate for hire because they made a request like this," Roddie-Fonseca says.

**6\. Implement Universal Design Principles**

Adopt universal design practices that benefit everyone in the workplace, whether or not they disclose a neurodivergent condition. Simple accommodations, such as allowing flexible workspaces, reducing sensory distractions, and providing access to tools, can help everyone thrive.

"Neurodivergence is already present in about 20% of the workforce, but not everyone will disclose it. So it's important to have support systems in place that everyone can access," says Liz Green, an occupational therapist and business consultant specializing in neurodiversity and inclusive design, who often works with cybersecurity clients.

**7\. Regularly Check in With Employees**

Create a culture of regular check-ins, where managers and employees can discuss accommodations, work environment preferences, and overall well-being. This ensures neurodivergent employees feel supported and understood. But do it in different ways so that the check-ins are not intrusive. This can be done with short check-in surveys, for example.

"Quick checks are very helpful," Green says. "Regular check-ins allow managers to understand how employees are doing and if any accommodations need adjustment."

**8\. Be Open to Learning and Adapting**

Creating an inclusive environment for neurodivergent employees requires a willingness to learn and adapt. Encourage managers to engage in ongoing training and education on neurodiversity and foster a workplace culture that supports continuous learning and improvement. Make sure that neurodivergent employees are included in all conversations and initiatives that are centered on inclusion.

"The most important thing is bringing forth the voices of the population," Green says. "It's about making an effort to listen and then act on what neurodivergent employees are saying."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

8 Tips for Hiring and Training Neurodivergent Talent

The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.

Source: Collection Chrisophel via Alamy Stock Photo

For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone in the world using Firefox or Tor.

On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.

Luckily, both issues were remediated quickly. "The attackers only had a really small window to try to compromise computers," explains Romain Dumont, malware researcher with ESET. "Yes, there was a zero-day vulnerability. But, still, it was patched really fast."

Dark Reading has reached out to Mozilla for comment on this story.

**A Zero-Day in Firefox & Tor**

The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free opportunity in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary command execution earned it a "critical" 9.8 rating from the Common Vulnerability Scoring System (CVSS). 

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla's open source email client "Thunderbird" is also impacted, as is the ultrasecretive Tor browser, which is built from a modified version of Firefox's Extended Support Release (ESR) browser.

In October, RomCom deployed specially crafted websites that would instantly trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.

These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.

Related:News Desk 2024: Can GenAI Write Secure Code?

It's unclear by what means of social engineering RomCom might have spread these malicious sites.

**What We Know of RomCom's Campaign**

Not content with only running code in a victim's browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure calls (RPC) endpoint unintentionally accessible to low level users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim's machine at large.

The damage that might've been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What's clear at this point is that the overwhelming majority of targets were located in North America and Europe — particularly the Czech Republic, France, Germany, Poland, Spain, Italy, and the US — plus scattered victims in New Zealand and French Guiana.

Also, notably, none of the victims tracked by ESET were compromised via Tor. "Tor has some predefined settings that differ from Firefox, so maybe it would not have worked," Damien Schaeffer, senior malware researcher at ESET speculates. He notes, too, that RomCom's primary targets appeared to be corporations, which rarely use Tor.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Both CVE-2024-9680 and CVE-2024-49039 have since been patched — the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.

"By now, I hope, the problem is more or less done," Schaeffer says. Still, for any given organization, "It'll depend on their policies. If you have good patch management, this would have been fixed in one day or so. But it's up to people to fix their stuff."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

New York state regulators punish insurers after cybercriminals illegally access customer info they then used to file scam unemployment claims during the COVID-19 pandemic.

Source: Phanie - Sipa Press via Alamy Stock Photo

Two auto insurance companies will pay a hefty penalty for what the State of New York says was inadequate security that allowed hackers to compromise personal data of more than 12,000 state residents.

New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris said the $11.3 million fines against Government Employees Insurance Co. (GEICO) and the Travelers Indemnity Co. follows what the state deemed "poor data security" practices that allowed cybercriminals to steal driver license numbers. Worse, at the height of the COVID-19 crisis, they used that info to file fraudulent unemployment claims. Specifically, the insurers were found to have violated a state regulation to "implement policies, procedures, and controls designed to protect consumer data as well as the financial institutions themselves," their statement said.

GEICO has been ordered to pay $9.75 million, and Travelers will pay $1.55 million.

“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers' personal information,” James said. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”

GEICO experienced a November 2020 compromise of its auto insurance quoting tool, allowing threat actors to steal driver license numbers from the company's public-facing website, New York regulators said.

"Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver's license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks," the statement continued.

Following that breach, hackers pivoted to exploit a vulnerability in GEICO's quoting tool for insurance agents on a separate platform.

Both cyberattacks against GEICO exposed the personal information of about 116,000 New York residents, most of those leaked in the second compromise, the statement added.

Travelers too was breached through a similar cyberattack against its auto insurance quoting tool, this time a calculator used by independent agents. Despite receiving multiple alerts that threat actors were conducting these types of campaigns, in April 2021, hackers were able to use compromised credentials to generate reports with license numbers in plain text, exposing the data of 4,000 New Yorkers, the statement said.

Besides the penalties, these insurers have agreed to improve their cybersecurity practices including improving protections for private information, conducting a comprehensive data inventory, requiring authentication to access private data, implementing logging and monitoring, and enhancing threat response planning and procedures.

GEICO also agreed to conduct remedial measures, including comprehensive risk assessment and penetration testing, plus developing an action plan to address any resulting issues. Travelers agreed to review its systems, assess its own access controls, and improve protections against unauthorized access to nonpublic personal information, according to the regulators' statement.

Source

DARKReading