Given increased tensions with China over tariffs, companies could see a shift in attacks, but also fewer regulations and a run at a business-friendly federal privacy law.

Source: Anna Moneymaker via Shutterstock

President-elect Donald Trump's return and his promised shift to a more insular foreign policy will likely result in a new set of cyber threats, fewer regulations for most industrial sectors, and possible business-friendly federal privacy legislation, cybersecurity and legal experts say.

The president-elect is moving quickly with nominations for cabinet officials and other high-level appointees. While he named South Dakota Gov. Kristi Noem to lead the Department of Homeland Security, Trump has not yet named a candidate for director of the Cybersecurity and Infrastructure Security Agency (CISA), which leads government cybersecurity efforts.

Overall, however, companies should expect far less emphasis on regulations and more focus on protecting critical infrastructure and technology companies, says Michael Bahar, co-lead of global cybersecurity and data privacy at Eversheds Sutherland, a global legal advisory firm.

"We are going to see — at the federal level — a deprioritization of cybersecurity regulations and cybersecurity enforcement," he says. "One really important exception is where cybersecurity intersects with trade policy and national security and technology. That's actually where you're going to see an increase of enforcement and at least a continuation of the regulatory environment."

Threats will likely shift depending on the changes in foreign policy initiated by the incoming Trump administration. Already, China has become a major concern for its cyber operations in the Asia Pacific, opposing US support for Taiwanese democracy and international opposition to China's claims to large areas of the South China Sea. Trump's stated support for Israeli settlers and for Russia's annexation of parts of Ukraine will also likely drive increasing cyber threats.

With the departure from the policy of the Biden administration, the incoming US government will spur different rivalries, says Lou Steinberg, founder and managing partner of CTM Insights

"As a new administration comes in — and there's a perception that maybe there's more support for Israel over Palestine, or more support for a deal with Russia, and maybe more toe-to-toe \[tensions\] with China — those will result in a different set of motivations, and so a different kind of response," Steinberg says. "We need to realign to the new kinds of threats that come from a new political landscape."

**Administration — and Threats — to Focus on Critical Infrastructure**

The GOP platform hosted on the Trump for President site already prioritizes the safety of critical infrastructure and the industrial base against cyber threats. But that remains the only mention of cyber in the entire document.

The president-elect's support for cybersecurity efforts shifted during his first term. In 2018, he signed the Cybersecurity and Infrastructure Security Agency Act, establishing the agency of the same name to lead efforts to protect critical infrastructure from cyberattack. Yet following his loss in the 2020 election, then President Trump criticized CISA's statement validating the security of the elections and fired then-Director Chris Krebs.

Still, the threat landscape has evolved since then, and in ways that align with the incoming Trump administration's priorities. Both China and Iran are considered larger threats, with a variety of officials pointing to China's effort to establish a network of digital beachheads for a future possible conflict as particularly dangerous.

President-elect Trump's pledge to set high tariffs on Chinese goods will likely increase tensions, and potentially lead to more significant attacks, causing China to shift its covert efforts to overt disruption, says Steinberg.

"If China thinks we're going to engage directly, their response could completely change," he says. "We're likely to see a sustained attack against critical infrastructure — so yes power, yes water, yes communications. We usually think of \[distributed denial-of-service\] attacks as last\[ing\] a couple of days, not months, but the point will be to degrade our ability to respond."

Meanwhile, Iran will likely ramp up efforts against US and Israeli targets, following the president-elect's deep support for Israel. Russia and Iran will likely continue to use disinformation against the US administration, but the approach may change, as both countries are focused on sowing discord, rather than supporting the agenda of one party over another.

**Easing Regulations, but Will It Matter?**

The deprioritization of cybersecurity regulations — and promised efforts to shrink the federal government — will likely lead to less enforcement of cyber regulations against businesses. Yet data-protection and privacy regulations will likely see a shake-up, as states look to bolster privacy and give their attorneys general the ability to pursue violators.

As a result, the US could see federal privacy legislation, says Bahar, who also co-leads Eversheds Sutherland's Congressional Investigations group.

"I think, at the state level, you're going to see an uptick — if that's even possible — of regulatory activity, in large part because there might be a perception that they need to step in to ... 'fill the void,'" he says. "It's actually likely you're going to get a federal privacy law —  a very business-friendly federal privacy law — so that \[companies do not have to deal with\] that patchwork effect of state laws."

In the end, however, easing regulations may not result in less corporate focus on cybersecurity, because the latest cybercriminal attacks often threaten business operations, Steinberg says.

"We've seen more and more companies — even less regulated companies — start to worry about cyberattacks like ransomware," he says. "So do I think a decrease in the regulatory environment might lead to a decrease in cybersecurity investment? Yeah, a little, but probably not in the defense industry, probably not in financial services, and maybe not in healthcare."

With increasing global tensions come increasing dangers, Steinberg says, and most companies will likely not be able to justify cutting budgets in the face of an uncertain threat landscape.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats

The proposed rules codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber risk management plans.

The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking to establish cyber risk management and reporting practices for pipeline, railroad, bus and other public transportation systems. The proposed rules extends existing cybersecurity framework developed by the National Institute of Standards and Technology as well as the cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).

 The proposed rules, as laid out in the Federal Register on Thursday, would affect "certain pipeline and rail owner/operators," and impose lesser requirements on some types of bus operators. These organizations would be required to establish and maintain comprehensive cyber risk management programs, to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and to designate a physical security coordinator and report significant physical security concerns to TSA. The cyber risk management plans will need to include annual cybersecurity evaluations; assessment plans that identify unaddressed vulnerabilities; and a cybersecurity operational implementation plan describing officials in charge of cyber, critical cyber systems and how they are protected, measures in place to detect cyberattacks, and what will be done to address and recover from cyber incidents.

If approved, the new rules would impact just under 300 surface transportation owners/operators regulated by the TSA across freight railroad, passenger railroad, rail transit and pipeline sectors, and would also require the aviation sector to comply. Specifically, the rules would impact 73 of the approximately 620 freight railroads currently operating in the U.S., 34 of the approximately 92 public transportation agencies and passenger railroads, 71 over-the-road bus owners and operators, and 115 of the more than 2,000 pipeline facilities and systems.

"TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure," said TSA Administrator David Pekoske in a statement. "The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation."

This is one of the Biden administration’s last efforts to shore up the cybersecurity of critical infrastructure in the wake of the ransomware attack that crippled Colonial Pipeline back in 2021. The proposed rule is open for public comment until February 2, 2025.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

TSA Proposes Cyber Risk Mandates for Pipelines, Transportation Systems

Frenos offers a zero-impact, continuous security assessment platform for operational technology environments.

Source: Zoonar GmbH via Alamy Stock Photo

Continuous security assessment platform newcomer Frenos narrowly edged out the competition to win this year's DataTribe Challenge, held by seed-stage venture capital firm DataTribe.

Four finalists were chosen from hundreds of pre-seed and seed stage cybersecurity and data science startups, and each got to present their case during Wednesday's Challenge Finalists Event. In addition to splitting part of a $25,000 prize, finalists were given the opportunity to present their business to a panel of judges, investors and industry leaders. Finalists also received one-on-one messaging and strategy coaching from DataTribe.

When evaluating the finalists, whether the company has the right team in place — and if they're truly experts in their field — plays a big part, says DataTribe's chief innovation officer Leo Scott. The judges also evaluate the addressable market for each company’s offering and how well they meet that need. 

Frenos, based in Charlotte, N.C., has both.

The startup created a zero-impact, continuous security assessment platform for operational technology environments, giving OT organizations the ability to perform attack simulations and penetration testing. 

"They are truly leading experts in the OT environment," Scott says. "And if you look into the geopolitical landscape, it is a pretty important space, from broad national security to literally keeping the lights on."

The list of finalists include Austin, Tex.-based DataMonstr, New Jersey-based Force Field, and San Francisco-based Validia.

*   DataMonstr provides protection to the developer environment, both at developer endpoints and at the source code repository level. 
    
*   Force Field offers a system to verify the authenticity of photos, videos and audio to reduce fraud in areas like insurance claims. 
    
*   Validia provides real-time identify verification to combat deepfakes and impersonation in remote work environments. 
    

For Brian Proctor, founder and CEO of Frenos, participating in the competition has helped the company on its road to landing seed funding. 

"One of the great things about it, which we really liked, is that every finalist is assigned an advisor from DataTribe. So they really work hand in hand with you to refine the pitch, get feedback on your presentation," says Proctor. "We had an excellent advisor, David, who was part of our team. Honestly, without David, I'm not sure what the outcome would have been. He was a huge help."

DataTribe has invested in eight of the finalists of its six previous competitions, and more than 20 companies have received funding after participating in the competition, Scott says.

Check out what DataTribe's Leo Scott had to say regarding the DataTribe Challenge in this Dark Reading News Desk segment from Black Hat USA 2024.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Frenos Takes Home the Prize at 2024 DataTribe Challenge

Several versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.

Source: tofino via Alamy Stock Photo

Researchers at Varonis discovered a vulnerability within Postgres language extension PL/Perl, allowing a user to set arbitrary environment variables in PostgreSQL session processes.

The vulnerability was given a CVSS 8.8 score for severity and could lead to severe security issues, depending on the scenario where it's exploited.

Tracked as CVE-2024-10979, the flaw allows a threat actor to modify a sensitive environment, ultimately allowing them to execute arbitrary code without accessing a user of the operating system.

The vulnerability also allows a threat actor to run additional queries to gather information on the machine and its contents.

Versions preceding PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected by this vulnerability and can be mitigated by upgrading to PostgreSQL, "to the latest minor version at a minimum," according to the researchers, as well as restricting allowed extensions.

Postgres customers should also examine ddl logs for creation of functions they do not recognize or did not create themselves to assess if they have been impacted.

**About the Author**

Varonis Warns of Bug Discovered in PostgreSQL PL/Perl

In addition to his prison sentence, he will have to pay more than $1 million in restitution to his victims.

Source: Gregg Vignal via Alamy Stock Photo

Robert Purbeck, 45, received a 10-year prison sentence for hacking into 19 computer servers across the US, stealing the personally identifiable information (PII) of 132,000 people, attempting to extort an orthodontist in exchange for Bitcoin, and threatening to make public the patient records he stole.

In 2017, Purbeck purchased access to a medical clinic's computer server on a cybercriminal marketplace. Using these stolen credentials, he accessed the clinic's computers and downloaded records for more than 43,000 individuals that included names, addresses, birthdates, and Social Security numbers.

Nearly a year later, Purbeck purchased credentials on the Dark Web for a police department server in Newnan, Ga., stealing documents, police reports, and sensitive information of over 14,000 people.

And in July 2018, Purbeck threatened an orthodontist he'd stolen data from, demanding a ransom in Bitcoin. He also threatened to sell the PII of the orthodontist's child, harassing the orthodontist and his patients with threatening emails and messages.

The FBI ultimately executed a federal search warrant at Purbeck's home in 2019, seizing his computers and devices. Earlier this year, he pleaded guilty to two counts of "intentionally accessing and obtaining information from a protected computer without authorization."

Alongside his prison sentence, Purbeck was ordered to serve three years of supervised release as well as pay $1,048,702 in restitution to his victims.

Idaho Man Turns to RaaS to Extort Orthodontist

As alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up.

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

For most of my cybersecurity career, I worked on the vendor side, in presales capacity, helping businesses identify and address security pain points. Now, as an information security engineer, I am on the other side, engaging with security vendors. A typical sales engagement includes pre-sales, proof of concept (PoC), onboarding, and support. While PoCs are useful, the real complexity of a product is understood only when the customer is fully onboarding. 

Although customers are responsible for accurate implementation of systems, vendors must realize they play a key role in guiding them through settings to ensure optimal performance and reduced alert fatigue. 

Achieving 100% efficiency will always be an ongoing challenge, but alert fatigue remains a significant issue. Modern security systems involve multiple components, each generating alerts that require teams to collaborate. And as alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up. 

**The Reality of Alert Fatigue**

Alert fatigue is not new, but the problem becomes bigger as organizations adopt more complex security solutions. These tools detect every potential anomaly, generating a flood of alerts, many of which are low-priority or false positives, obscuring critical signals. 

When faced with hundreds of alerts daily, analysts can become numb, ignoring or delaying important alerts, which leads to security breaches. Vendors currently address only part of the challenge by delivering systems that detect every possible attack are only doing half their job. However, these products alone fall short in helping companies effectively manage the alert flood, often times requiring a managed security service provider (MSSP) to bridge the gap. But they must do a better job helping companies manage the resulting flood of information. 

**Why Vendors Must Take Ownership**

It may be tempting for vendors to shift alert management to customers, but vendors create the underlying logic that generates these alerts, and therefore, they must ensure their tools enable users to respond effectively rather than overwhelming them. 

Here's how vendors need to take lead: 

1.  Smart filtering and prioritization: Vendors should design tools that prioritize high-risk alerts while suppressing noise using machine learning and contextual analytics. This reduces irrelevant notifications. 
    
2.  Automation to reduce manual work: The volume of alerts makes manual intervention impractical. Vendors should offer built-in automation for routine alerts, allowing security engineers to focus on critical ones, such as sinkholing, rate-limiting, blocking malicious IPs, or isolating suspicious files. 
    
3.  Actionable alerts with context: Vendors need to provide meaningful data with each alert, contextualizing it for the customer's environment and offering clear next steps, enabling quicker, more effective responses. 
    
4.  Continuous engagement and customization: Vendors must stay engaged with customers beyond the initial setup, helping tailor systems to meet specific needs. Regular optimization reduces unnecessary alerts and ensures critical threats are identified. 
    
5.  Feedback-based adaptive learning: Vendors should provide solutions that evolve with feedback loops, learning from customer input. False positives or low-priority alert floods should lead to system adjustments, improving accuracy over time. 
    

**The Cost of Ignoring Alert Fatigue**

If vendors fail to address alert fatigue, security teams may miss critical threats, leading to breaches. Overwhelmed staff may burn out, increasing turnover. For vendors, poor alert management can erode customer trust, leading to dissatisfaction and potential churn. 

**Needed: A Partnership for Success**

Alert fatigue is a shared problem, but vendors play the key role in solving it. By offering smarter, more responsive systems, ongoing optimization, and automation with context, vendors help customers focus on what matters the most. 

This isn't just about efficiency — it's about creating a partnership between vendors and customers. Together, they must be able to cut through the noise and be able to provide clarity in the fight against modern cyber threats. Vendors must ensure their solutions don't just alert but empower users to make the best decisions. 

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Security Engineer

Supradeep Bokkasam is a Brisbane-based information security engineer with nearly 20 years of IT experience. He has worked extensively in the content delivery network (CDN) space, focusing on network and application security, identity and access management (IAM), and zero-trust network access (ZTNA). He has worked with organizations across various sectors to identify and safeguard critical assets against cyber threats.

The Vendor's Role in Combating Alert Fatigue

Cloud service providers are getting better at protecting data, pushing adversaries to develop new cloud ransomware scripts to target PHP applications, a new report says.

Instead of solely leaning on leaky buckets and cloud service provider (CSP) vulnerabilities to exfiltrate sensitive data, a fresh crop of cloud-targeting ransomware is aimed instead at exploiting unprotected Web applications to drop encryptors and lock up victims' data.

The pivot to focusing on PHP applications demonstrates the success that CSPs have had in shoring up their environments with policies like AWS's Key Management Service, according to a new report from SentinelOne on the state of cloud ransomware landscape in 2024. CSPs can now ensure that almost no data is really lost, thanks to policies that require a waiting period and confirmation before data can be deleted. There are some fairly exotic malicious workarounds for some of these protections, but attacks can easily be blocked by implementing service control policies, the report said.

**Cloud Ransomware's New Look at Web Applications**

Cloud ransomware operators have started to mine Web applications for opportunities in increasing volumes, according to SentinelOne.

"Web applications are often run via cloud services," SentinelOne's report explained. "Their more minimal nature makes cloud environments a natural hosting point where the applications are easier to manage and require less configuration and upkeep than running on a full operating system. However, Web applications themselves are vulnerable to extortion attacks."

Related:5 Ways to Save Your Organization From Cloud Security Threats

Analysis uncovered new ransomware scripts specifically developed to attack PHP applications — such as a Python script named "Pandora," and another attributed to Indonesian-based threat actor IndoSec group.

"The Pandora script uses AES encryption to target several types of systems, including PHP servers, Android, and Linux," the report added. "The PHP ransom functions encrypt files using AES via the OpenSSL library. The Pandora Python script runs on the Web server, writing the PHP code output to the path pandora/Ransomware with a file name provided as an argument at runtime and appended with the php extension."

The ransom script targeting PHP applications developed by IndoSec uses a PHP backdoor to manage and delete files, according to the report. It searches through directories, reads, and then encodes the file contents using a Web service's API.

"This is an interesting approach because the encryption is provided through a remote service, rather than using native functionality like many other tools," the report noted.

**Using Legitimate Cloud-Native Functions to Steal Data**

Aside from trying to breach them, adversaries have also figured out how to use these cloud services themselves to exfiltrate stolen data, the report explained. SentinelOne offers the example of September Rhysdia and BianLian cloud ransomware attacks that abandoned their historical exfiltration tools like MEGAsync and rclone, and instead used Azure Storage Explorer to download the data. The following month, the LockBit ransomware group was discovered using Amazon's S3 storage to exfiltrate data from Windows and macOS systems, SentinelOne added.

Related:Google AI Platform Bugs Leak Proprietary Enterprise LLMs

In keeping with the trend, the SentinelOne research identified a new Python script on VirusTotal it named "RansomES." This code is designed to infiltrate a Windows system, look for files with extensions that indicate the file contains data, including .doc, .xls, .jpg, .png, or .txt. Once those files have been identified, the RansomES code allows the ransomware attacker to exfiltrate those files to an S3 storage bucket or an FTP site, and encrypt the local versions.

"RansomES is a simple script, and we do not believe it has been used in the wild," the report noted. "The author included an Internet connectivity check to the WannaCry killswitch domain, which may suggest the script was developed by a researcher or someone with an interest in threat intelligence."

Related:2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

The key to protecting data against Web application cloud ransomware attacks is to assess the overall cloud environment to protect against misconfigurations and overly permissive storage buckets, the report concluded.

"Additionally, always enforce good identity management practices such as requiring MFA on all admin accounts, and deploy runtime protection against all cloud workloads and resources," according to SentinelOne.

Cloud Ransomware Flexes Fresh Scripts Against Web Apps

If the government truly wants to protect the US's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

November 14, 2024

6 Min Read

Source: Sergey Borisov via Alamy Stock Photo

COMMENTARY

The recent revelations about the Salt Typhoon cyber-espionage group breaching major US telecommunications companies, including Verizon, AT&T, and Lumen Technologies, lay bare a systemic vulnerability in America's approach to cybersecurity. This incident is not just an isolated attack; it's an indictment of the US government's inadequate response to the increasing cyber threats posed by state-backed entities like China. Despite years of warnings and multiple high-profile breaches, the government's cybersecurity posture remains reactionary, fragmented, and underwhelming.  

**The Critical Failures in US Cybersecurity Strategy**

Salt Typhoon's targeting of systems used for government intelligence collection, including those integral to surveillance and wiretapping capabilities, is a brazen assault on America's most sensitive digital infrastructure. It exposes a critical flaw: the lack of robust, proactive measures to secure such vital systems. How did a foreign state-backed group infiltrate and potentially remain undetected in these systems for months? The answer lies in insufficient federal oversight, underinvestment in cutting-edge defenses, and an overreliance on private companies to self-police. 

US telecom giants have historically enjoyed light regulatory oversight, often lobbying for fewer obligations and responsibilities. The government, in turn, has adopted a laissez-faire approach, trusting these corporations to manage their cybersecurity. This model is fundamentally flawed. When private entities prioritize profits over robust security measures, it opens the door for adversaries like Salt Typhoon to exploit weak points. The compromised systems at Verizon, AT&T, and Lumen Technologies illustrate the risks of letting corporations with such immense national security implications operate without stringent and enforceable cybersecurity standards. 

**Lawmakers' Outrage: Too Little, Too Late**

In the wake of the Salt Typhoon breach, US lawmakers have begun demanding answers from the affected companies, calling for greater accountability and urging federal regulators to impose stricter standards. While this post-breach outrage may seem like a strong response, it's another chapter in the reactive cycle that defines American cybersecurity policy. Rather than addressing systemic vulnerabilities before they are exploited, federal agencies and lawmakers are again playing catch-up. 

The reality is that sophisticated state-backed actors like Salt Typhoon have likely been probing and compromising critical US infrastructure for years, undetected and unchallenged. The question is not just why this breach happened but why the US government consistently finds itself responding after the fact. The issue goes beyond the individual companies breached — this pattern reflects a more significant failure in Washington to develop a proactive, cohesive, well-resourced cybersecurity strategy.

**The Illusion of Federal Oversight**

Federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), are reportedly investigating the extent of these breaches. However, these investigations often lack the teeth and reach necessary to effect real change. Despite the resources and expertise within agencies like CISA, they are limited in their power to enforce compliance or impose significant penalties on corporations that fail to meet cybersecurity benchmarks. This hands-off approach only emboldens adversaries who know that American companies are not adequately protected and that the government's response mechanisms are limited. 

Further, the fragmented nature of federal oversight complicates a comprehensive defense strategy. With multiple agencies sharing responsibility — yet lacking a unified and coordinated approach — gaps in response capabilities are inevitable. The breaches at Verizon, AT&T, and Lumen Technologies should serve as a wake-up call: The current oversight model is failing to keep pace with the sophistication of state-backed cyber threats. 

**The Need for a Paradigm Shift**

The US must abandon its outdated and ineffective approach to cybersecurity regulation to address these vulnerabilities. Here are key steps the government should take: 

*   Mandatory federal standards and penalties: Telecom companies are critical to national security. They must be held to federal standards that are not just recommendations but legal obligations, with meaningful penalties for non-compliance. The government cannot leave the protection of such vital infrastructure to the discretion of profit-driven entities. 
    
*   A unified cyber defense agency: The United States must streamline its response by creating a centralized agency with the power and authority to coordinate and enforce cybersecurity measures across the public and private sectors. The current patchwork of agencies is insufficient in an era where cyber threats know no borders or jurisdictions. 
    
*   Investment in advanced detection and response capabilities: The government must invest heavily in advanced technologies that provide real-time monitoring and automated response capabilities. Relying on companies to detect and report breaches months after they occur is unacceptable when adversaries can inflict catastrophic damage in seconds. 
    
*   Active cyber deterrence: The US must adopt a more aggressive cyber-deterrence strategy. The current approach of merely investigating breaches after the fact does not dissuade adversaries. It's time for the government to develop and deploy offensive cyber capabilities that signal a clear and present cost for any attempt to infiltrate US systems. 
    

**The Cost of Complacency**

The Salt Typhoon breach is just the latest chapter in a series of cyber-espionage incidents that have exposed the inadequacies of the US cybersecurity framework. If this pattern of complacency and reactionary policy continues, it won't be long before another attack not only compromises intelligence-gathering capabilities but potentially cripples critical infrastructure. The stakes are too high for lawmakers and federal agencies to continue operating with the exact amount of inertia and neglect. 

If Washington truly wants to protect the nation's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures. Otherwise, the US will continue to react to — rather than prevent — attacks that undermine its national security and global standing. 

Don't miss the free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

Washington's Cybersecurity Storm of Complacency

Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.

Source: IB Photography via Alamy Stock Photo

Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.

Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.

Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.

The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.

**Misconfigured Power Pages**

Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.

First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.

The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.

The most granular of Power Pages access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is "masking," where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.

The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, accessing the data on their sites is "very, very trivial," Costello says. "Once you understand \[what's going on\], it's just a matter of going to these URLs."

"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.

Some sites grant even anonymous users "global access" to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.

Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.

One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.

**An Industrywide Issue**

As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."

When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places, Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."

Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.

"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.

Dark Reading has reached out to Microsoft for comment on this story.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Power Pages Leak Millions of Private Records

APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

Source: Christophe Coat via Alamy Stock Photo

A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

**Wirte's Spying and Wiping Attacks**

Wirte attacks are not particularly unique or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.

To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework "Havoc." Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.

In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called "SameCoin."

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Still image from a political video spread in the SameCoin campaign; Source: @NicoleFishi19 on X

**What Wirte Wants**

Wirte spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be from Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this has remained consistent in its half-dozen-year history.

Wirte has evolved somewhat is in its approach to Israel. And in this way, it has also mirrored other Palestinian threat actors.

"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.

"Now, it has become more and more about making \[breaches\] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading