Windows 11 machines remain open to downgrade attacks, where attackers can abuse the Windows Update process to revive a patched driver signature enforcement (DSE) bypass.

Source: willi Lumintang via Shutterstock

Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.

The assault involves a Windows OS downgrade attack technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker, with admin-level access to a system, could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.

**Windows OS Downgrade Attack**

As part of the demo, the researcher showed how the attack would work even in situations where an organization might have enabled virtualization-based security (VBS) to protect critical OS components. As part of the demo, Leviev downgraded VBS features like Secure Kernel and Credential Guard’s Isolated User Mode Process to expose privilege escalation vulnerabilities in them that Microsoft had previously already addressed.

"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev wrote in August.

Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability for an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.

**Not a Security Vulnerability?**

The issue has to do with Microsoft refusing to consider the ability for an admin-level user to gain kernel code execution as crossing a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed."

To show why that remains a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, where he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.

"The 'ItsNotASecurityBoundary' DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable."

Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.  

"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23h2 machine," Leviev wrote on Oct. 26. The researcher added he was able to exploit the issue even when VBS was enabled, with and without UEFI lock for securing the boot process and firmware configuration. "To fully mitigate the attack, VBS needs to be enabled with UEFI lock and the 'Mandatory' flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw," he noted.

In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. This enables "attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he explained. "If the attacker is able to downgrade Windows Defender, especially in regards to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught."

**Microsoft Is Now Working on a Fix**

A Microsoft spokesman noted in an email that the company is "actively developing mitigations to protect against these risks," without specifying what measures it might be taking or when they would be available. The company is thoroughly investigating update development and compatibility development, he wrote.

"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he wrote. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions."

Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or relevant risk reduction guidance as they become available.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Windows 'Downdate' Attack Reverts Patched PCs to a Vulnerable State

The nation leads in the number of capture-the-flag tournaments sponsored by government and industry — a strategy from which Western nations could learn.

Source: KB-photodesign via Shutterstock

Over the last decade, the Chinese government has established an efficient pipeline of capture-the-flag (CTF) tournaments both as a way to attract cyber-savvy citizens to cybersecurity, and as part of its cybersecurity curriculum and training regimen.

The efforts have paid off.

Today, the nation has more than 50 annual competitions used as part of the training of tens of thousands — and possibly, hundreds of thousands — of cybersecurity specialists, while creating stronger connections to government and industry, according to a research report published by the Atlantic Council on Oct. 18. Moreover, sector-specific contests — targeting mobile, autonomous vehicles, and smart cities, for example — help deepen the technical expertise of participants and address the specific needs of each industry.

Overall, the Chinese government has successfully marshaled the nation toward solving its cybersecurity shortages and the goal of becoming a cyber superpower, says Eugenio Benincasa, senior cyber defense researcher at the Center of Security Studies at ETH Zurich and a co-author of the report.

"China, like the West, has a scarcity of talents, and addressing that scarcity through a system that can help you to evaluate talent is definitely a better way of addressing the problem," he says. "If you look at the entire ecosystem, there are many ways in which hacking contests can bring better allocation of resources, both in the short and also in the long term."

In 2014, Chinese President Xi Jinping called for the country to become a "cyber great power," aiming to strengthen its technology industry, while at the same time, embarking on a domestic effort to restrict its reliance on foreign technology. Cybersecurity has become a key element of that effort: The Chinese government has successfully created a pipeline for training future cybersecurity specialists, restricted the dissemination of vulnerability information, and established its own cybersecurity providers. These include hacking firms and cyber-range operators — such as Beijing Integrity Tech and Cyber Peace — which act both as hosts for legitimate infrastructure and for some nation-state actors, such as Flax Typhoon.

**Critical Curriculum for Cybersecurity Studies**

Hacking contests are a key component of the nation's efforts. At least 129 unique cybersecurity events, including 54 annual contests, were identified by the report's authors, Benincasa and Dakota Cary, a strategic advisory consultant at Sentinel One.

China's Ministry of Education accounts for the most competitions — a total of 22 — identified by the researchers, compared with 14 associated with the Cyberspace Administration of China, and 13 sponsored by the Ministry of Public Security, according to the report. About two-thirds of universities considered hacking contests to be an important part of the curriculum for cybersecurity specialists, with more than three-quarters of students (77%) participating in at least one event by the end of their sophomore year.

Since the early 2010s, China's CTF competitions have taken off. Source: "Capture the (red) flag" report, Atlantic Council

Among other benefits, the competitions allow the Chinese government to gain important information on new strategies and techniques, as well as collecting exploit techniques used by participants, which the government mandated since 2018. Hacking contests can also attract younger participants, such as high schoolers, into the field of cybersecurity, and help professionals keep up their skills.

Compared to China's comprehensive approach, Western nations continue to fall short, Benincasa says.

"There are contests that are organized by the private companies or universities, but they do not go into the detail or scale that we see in China, nor they are part of university degrees," he says. "They do not count as part of the evaluation to your grades, and so that practical-skill, direct-confrontation component is absent compared to the Chinese ecosystem."

**China's Reversal of Cyber Fortunes**

The effort is a reversal of the situation before 2015, when Chinese CTF teams struggled in international contests and met with social condemnation domestically for profiting from vulnerability awards. China's CTF ecosystems — especially the intercollegiate competitions, which bring together hundreds of teams — are now the best in the world, according to the researchers. Major contests include the Information Security Ironman Triathlon, Qiang Wang Cup, Wangding Cup, and National University Cyber Security League.

The events all have government support, with the Ministry of Public Security, the People's Liberation Army, the Ministry of State Security, and the Ministry of Education all sponsoring at least one of the university-based events each.

Western governments could learn from the approach, Benincasa says. Currently, the US and Europe face a scarcity of cyber talent because of a lack of a pipeline for funneling technically minded students into cybersecurity roles.

"We are behind when it comes to, specifically, the hacking-contest ecosystem," he says. "We need to integrate CTF contests into academic curricula, so we can have a better, more direct correlation between hacking classes and the graduation of talent."

China was able to turnaround its cybersecurity picture, and the lesson is, focusing on practical experience through hacking contests and CTF tournaments — as well as creating deeper pipelines between universities, the government, and industry — could go a long way toward solving the problems.

"This was very much a bottom-up, organically driven process that at some point the state recognized and encouraged," he says. "They started seeing these successes abroad and recognizing — because of geopolitical events like Stuxnet and \[Edward\] Snowden — recognizing how important \[cybersecurity\] is and that contributed to the breaking of taboos and ... a big change in the culture."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China's Elite Cyber Corps Hone Skills on Virtual Battlefields

Delta argues that it lost hundreds of million of dollars in downtime and other costs in the aftermath of the incident, while CrowdStrike says it isn't liable for more than $10 million.

Source: Francis Vachon via Alamy Stock Photo

UPDATE

Delta Air Lines is suing CrowdStrike to recover the $500 million in revenue it lost due to the CrowdStrike outage earlier this year, which led to an assortment of issues and disrupted businesses, airlines, healthcare providers, and more.

The cause of the infamous outage that occurred in July was a defective threat intelligence update for the CrowdStrike Falcon Sensor, a cloud-based endpoint detection and prevention software. After investigating the issue, CrowdStrike reported that its engineering team had discovered a bug in the memory scanning prevention policy, a flaw that was not identified during testing stages. That ultimately led to Microsoft servers displaying the "blue screen of death" across the world, and collective disarray in response.

At the time of the outage, Delta reported that it had to cancel thousands of flights — about 7,000 between July 19 and July 24 — affecting 1.3 million customers and prompting multiple class-action lawsuits.

In its Securities and Exchange Commission (SEC) filing, the airline estimated that recovery from the outage would cost around $170 million.

Now, the airline is seeking legal recourse to regain its lost funds, plus punitive damages for the outage.

**A Multimillion-Dollar Lawsuit Tests Cyber Liability**

Last week, Delta launched a formal complaint against CrowdStrike in a Georgia state court, arguing that the cybersecurity company failed to properly test the Falcon sensor update before deploying, leading to widespread disruption.

"CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," Delta said in the lawsuit, which was filed in Fulton County Superior Court in Georgia.

CrowdStrike, however, argues that Delta is operating with "misinformation" and is trying to shift blame for its notably slow recovery from the outage. 

"While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path," a CrowdStrike spokesperson tells Dark Reading. "Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."

Indeed, the US Department of Transportation is investigating why Delta took longer to recover from the outage compared with other air carriers. Pete Buttigieg, US transportation secretary, said he also would look into complaints regarding Delta's less-than-stellar customer service during the outage, which resulted in long waits for assistance and unaccompanied minors stranded at airports.

A CrowdStrike spokesperson told the Associated Press that CrowdStrike attempted to settle these disputes with Delta earlier this year; however, there are disagreements as to how much lost revenue CrowdStrike is liable for, with the security firm arguing that it is less than $10 million.

"We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims and they repeatedly refused assistance from both CrowdStrike and Microsoft," the CrowdStrike spokesperson adds. "Any claims of gross negligence and willful misconduct have no basis in fact."

This story was updated at 5:40 p.m. ET on Oct. 28 to reflect comments from CrowdStrike.

Delta Launches $500M Lawsuit Against CrowdStrike

Posing as an application used to locate Ukrainian military recruiters, a Kremlin-backed hacking initiative delivers malware, along with disinformation designed to undermine sign-ups for soldiers in the war against Russia.

Bumble Dee Via Alamy Stock Photo

Ukrainian efforts to recruit new soldiers to serve in its military in the country's war against Russia is under a two-pronged cyberattack by Kremlin-backed threat actors.

Researchers at Google's Threat Intelligence Group (TAG) and Mandiant have tracked down an active campaign that uses a spoofed version of the legitimate Ukrainian-language tool "Civil Defense," a crowdsourced mapping tool used to locate military recruiters. Attackers are using the fake version to perform dual malicious actions — dropping malware and delivering misinformation.

The hybrid op, which researchers named UNC5812, uses a Telegram channel to lure perspective recruits to a download the malicious version of "Civil Defense" from a spoofed site, outside of the confines of Google Play. Once downloaded, the application drops Windows and Android malware.

**Russian Opp Uses Malware With a Side of Social Engineering**

Windows users who make their way to the fake "Civil Defense" site to download the tool will be delivered the Pronsis Loader, which then starts a chain to deliver a malicious mapping application called Sunspinner, as well as an infostealer called Purestealer.

Android users, on the other hand, get a common user backdoor called Craxsrat, in addition to Sunspinner.

"Notably, the Civil Defense website also contains an unconventional form of social engineering designed to preempt user suspicions about APK delivery outside of the App Store and justify the extensive permissions required for the Craxsrat installation," the report noted. "The website's FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to 'protect the anonymity and security' of its users, and directing them to a set of accompanying video instructions."

The video also provides instructions on how to disable Google Play Protect.

"While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis," the report said.

Sunspinner, a decoy graphical user interface (GUI) application written using the Flutter framework, offers functionality aimed to convince victims that the application is legitimate.

"Consistent with the functionality advertised on the \[legitimate\] Civil Defense website, Sunspinner is capable of displaying crowdsourced markers with the locations of the Ukrainian military recruiters, with an option for users to add their own markers," according to the Google TAG analysis. But the fake map offers only fake locations: "However, despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present \[were pulled from the attacker's C2 and\] were added on the same day by the same user."

**Parallel Anti-Mobilization Effort Against Ukrainian Military**

In tandem with the espionage effort, the other goal of the Russian fake Civil Defense campaign is to deliver disinformation aimed at suppressing Ukraine's military mobilization effort for the war. The malicious versions of Civil Defense's site and Telegram have pushed out videos with incendiary, anti-Ukrainian-military titles like, "Unfair Actions From Territorial Recruitment Centers," the TAG Mandiant report added.

Users who click on the button provided by the Russian hacker-operated site to "Send Material," ostensibly to discredit recruitment efforts, are automatically fed an attacker-controlled chat thread," the report said. "Anti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced from wider pro-Russian social media ecosystems. In at least one instance, a video shared by UNC5812 was shared a day later by the Russian Embassy in South Africa's X account."

Russia has consistently used cyberattacks as part of its war strategy against Ukraine, as well as against other governments, including a recent distributed denial-of-service (DDoS) cyberattack campaign against shipping ports in Japan. Russian hackers have also been working feverishly to distribute disinformation ahead of the US 2024 election. The threat group currently understood to be most actively, and directly, supporting Russian military activities in Ukraine is Sandworm, but, as this newly uncovered "Civilian Defense" campaign highlights, that's just one of many hacker groups doing the Kremlin's dirty work in cyberspace.

Russia Kneecaps Ukraine Army Recruitment With Spoofed 'Civil Defense' App

LLMs tend to miss the forest for the trees, understanding specific instructions but not their broader context. Bad actors can take advantage of this myopia to get them to do malicious things, with a new prompt-injection technique.

Source: Igor Stevanovic via Alamy Stock Photo

A new prompt-injection technique could allow anyone to bypass the safety guardrails in OpenAI's most advanced language learning model (LLM).

GPT-4o, released May 13, is faster, more efficient, and more multifunctional than any of the previous models underpinning ChatGPT. It can process multiple different forms of input data in dozens of languages, then spit out a response in milliseconds. It can engage in real-time conversations, analyze live camera feeds, and maintain an understanding of context over extended conversations with users. When it comes to user-generated content management, however, GPT-4o is in some ways still archaic.

Marco Figueroa, generative AI (GenAI) bug-bounty programs manager at Mozilla, demonstrated in a new report how bad actors can leverage the power of GPT-4o while skipping over its guardrails. The key is to essentially distract the model by encoding malicious instructions in an unorthodox format, and spread them out in distinct steps.

**Tricking ChatGPT Into Writing Exploit Code**

To prevent malicious abuse, GPT-4o analyzes user inputs for any signs of bad language, instructions with ill intent, etc.

But at the end of the day, Figueroa says, "It's just word filters. That's what I've seen through experience, and we know exactly how to bypass these filters."

For example, he says, "We can modify how something's spelled out — break it up in certain ways — and the LLM interprets it." GPT-4o might not reject a malicious instruction if it's presented with a spelling or phrasing that doesn't accord with typical natural language.

Figuring out the exact right way to present information in order to dupe state-of-the-art AI, though, requires lots of creative brain power. It turns out that there's a much simpler method for bypassing GPT-4o's content filtering: encoding instructions in a format other than natural language.

To demonstrate, Figueroa arranged an experiment with the goal of getting ChatGPT to do something it otherwise shouldn't: write exploit code for a software vulnerability. He picked CVE-2024-41110, a bypass for authorization plug-ins in Docker that earned a "critical" 9.9 out of 10 rating in the Common Vulnerability Scoring System (CVSS) this summer.

To trick the model, he encoded his malicious input in hexadecimal format, and provided a set of instructions for decoding it. GPT-4o took that input — a long series of digits and letters A through F — and followed those instructions, ultimately decoding the message as an instruction to research CVE-2024-41110 and write a Python exploit for it. To make it less likely that the program would make a fuss over that instruction, he used some leet speak, asking for an "3xploit," instead of an "exploit."

Source: Mozilla

In a minute flat, ChatGPT generated a working exploit similar to, but not exactly like, another PoC already published to GitHub. Then, as a bonus, it attempted to execute the code against itself. "There wasn't any instruction that specifically said to execute it. I just wanted to print it out. I didn't even know why it went ahead and did that," Figueroa says.

**What's Missing in GPT-4o?**

It's not just that GPT-4o is getting distracted by decoding, according to Figueroa, but that it's in some sense missing the forest for the trees — a phenomenon that has been documented in other prompt-injection techniques lately.

"The language model is designed to follow instructions step-by-step, but lacks deep context awareness to evaluate the safety of each individual step in the broader context of its ultimate goal," he wrote in the report. The model analyzes each input — which, on its own, doesn't immediately read as harmful — but not what the inputs produce in sum. Rather than stop and think about how instruction one bears on instruction two, it just charges ahead.

"This compartmentalized execution of tasks allows attackers to exploit the model's efficiency at following instructions without deeper analysis of the overall outcome," according to Figueroa.

If this is the case, ChatGPT will not only need to improve how it handles encoded information but also develop a kind of broader context around instructions split into distinct steps.

To Figueroa, though, OpenAI appears to have been valuing innovation at the cost of security when developing its programs. "To me, they don't care. It just feels like that," he says. By contrast, he's had much more trouble trying the same jailbreaking tactics against models by Anthropic, another prominent AI company founded by former OpenAI employees. "Anthropic has the strongest security because they have built both a prompt firewall \[for analyzing inputs\] and response filter \[for analyzing outputs\], so this becomes 10 times more difficult," he explains.

Dark Reading is awaiting comment from OpenAI on this story.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Mozilla: ChatGPT Can Be Manipulated Using Hex Code

Relying on EOL software leaves critical systems exposed — making it a problem no business can afford to ignore.

Jason Meller, Vice President of Product, 1Password

October 28, 2024

5 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

When you've bought a haunted house, the worst thing you can do is decide to just live with it. Yet in every horror movie, there's always that one person — usually the father — who doesn't want to leave. Plates are flying off the shelves, blood is erupting from the sink, and Dad is ignoring all of it while pruning the ficus in the living room. 

Dad doesn't last long in those movies, and it's because he's ignoring one universal truth: Denying that a threat is real won't protect you from it. 

You'd think security-minded organizations would have learned that lesson by now. Unfortunately, many are just like Dad, resigned to an IT infrastructure that's lousy with ghosts. 

Here's one ghost we can vanquish right now: obsolete software. End-of-life (EOL) software is surprisingly common; nearly two-thirds of companies still rely on applications that no longer receive security updates from their vendors. This leaves critical systems exposed, making it a problem no business can afford to ignore. 

**The Terrors of EOL**

So, if EOL software is so scary, why is it so pervasive? Before we start berating companies — like a horror movie audience yelling at the characters onscreen to make better choices — let's try and understand what makes obsolete software so challenging to manage.  

**Cost**

Budget is undoubtedly the biggest reason companies use unsupported legacy applications. Sometimes, this is understandable — for instance, plenty of healthcare providers simply can't afford to replace their very expensive and specialized legacy tools. 

But let's be honest: A lot of companies just don't want to pony up the cash needed to maintain their tech stack properly. Updating or replacing software can be costly and disruptive. Who wants to take on that challenge, especially when the danger of inaction seems hypothetical?  

But this logic is (fatally) flawed. Any money you save by clinging to EOL software will be swallowed by the inevitable cost of a data breach. And that cost is likely to be higher if you're running outdated software, with no support to get your compromised systems back online.  

**Shadow IT**

EOL software has such a long afterlife that admins frequently aren't aware of it.  

Occasionally, vendors fail to adequately communicate when software is no longer supported ("Why … that program's been dead for over 40 years."). And sometimes, EOL software takes the form of shadow IT.  

Our 2023 study showed that 47% of companies allow employees to access resources from unmanaged devices. That means any individual user could have EOL (or simply unpatched) software on their device, and admins would have no way of knowing.  

**Put EOL Software to Rest**

Hopefully, by now, you're convinced that EOL software is a problem and you're sharpening stakes and smelting silver bullets.  

But while it's straightforward enough to update the legacy systems you know about, what are you supposed to do about all the EOL software you don't know about? How do you fight what you can't see? 

**Monitor EOL Status**

Start with a complete audit of all the work-related software in your organization. That includes not just the company-wide, big-ticket items but every end user's device (even BYOD). If you find a user still running, say, Big Sur, stop them from accessing company resources until they update to a supported version.  

Manually, keeping up with EOL dates is a tall order. But there are tools, like this API from endoflife.date, that can alert you when software becomes obsolete. A purpose-built agent like osquery can help discover the presence of installed EOL software across your fleet. 

From there, you need to establish ownership of EOL remediation so it's not just a game of whack-a-mole for the security team. Instead, make it a part of your existing patch management and compliance strategy and check in regularly. 

**Banish EOL Software From Your Systems**

Anyone dreading the approach of Windows 10 EOL in 2025 knows that these transitions require a lot of care and planning, and you can expect resistance from leadership and end users alike.  

The only way to overcome the fears around EOL software is to face them through clear communication. That starts by getting leadership buy-in and extends to communicating with end users when you find EOL shadow IT. Once you've set a policy, use a device trust solution to block devices running EOL software. But use blocking as a chance to explain the dangers of this software. Then, instruct users on how to fix the problem themselves. 

Everyone knows that in horror movies "Let's split up, gang!" is a recipe for disaster. When you're fighting to clear up a companywide problem, you need collaboration at a companywide level. So when you start diving into the scary world of EOL software, my advice is: Don't go it alone. 

**About the Author**

Vice President of Product, 1Password

Jason Meller is a Vice President of Product at 1Password and the founder of Kolide. He is the author of "honest.security" and has spent his career building tools and products that turn everyday people into the greatest resource available to security teams to solve the industry's most nuanced problems. Jason began his security and product career at GE's elite computer incident response team defending the organization from state-sponsored targeted attacks. From there, he moved to Mandiant, quickly working his way up from an entry-level analyst position to becoming the Chief Security Strategist in 2015. He later founded and served as the CEO of Kolide, a successful VC-backed authentication security company, until its acquisition by 1Password in 2024.

Put End-of-Life Software to Rest

The networking company found liable for illegally gathering user data for targeted advertising by the Irish Data Protection Commission.

Source: Iain Masterton via Alamy Stock Photo

LinkedIn earned itself a €310 million ($335 million) fine by European Union regulators on Oct. 24 for its violations of the General Data Protection Regulation (GDPR) data privacy rules.

Ireland's Data Protection Commission (DPC) cited concerns regarding the lawfulness, fairness, and transparency of personal data processing for the professional networking site's advertising purposes.

As LinkedIn's lead privacy regulator, the DPC reported that it carried out an investigation and found that LinkedIn did not have lawful basis to be compiling data to target its users with ads, ultimately breaching GDPR. This investigation was launched following a complaint initially made by the French Data Protection Authority.

"The inquiry examined LinkedIn's processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members)," according to a DPC press release. "The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million."

LinkedIn asserts that it believes it has been in compliance with the rules but acknowledges that it will work to ensure its ad practices meet the requirements.

**About the Author**

LinkedIn Hit With $335M Fine for Data Privacy Violations

Kremlin intelligence carried out a wide-scale phishing campaign in contrast to its usual, more targeted operations.

Source: Design Pics Inc via Alamy Stock Photo

Russia's premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it's best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft's codebase and political targets across Europe, Africa, and beyond.

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" says Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."

Along these same lines, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from government, military, and private sector targets in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was actually spread across "a wide geography."

That APT29 would go after sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, though he adds that "the one thing that does kind of stray from the path would be its broad targeting, versus \[its typical more\] narrowly focused attacks."

**AWS and Microsoft**

The campaign, which dates back to August, was carried out using malicious domain names designed to seem like they were associated with Amazon Web Services (AWS). The emails sent from these domains pretended to advise recipients on how to integrate AWS with Microsoft services, and how to implement zero trust architecture.

Despite the masquerade, AWS itself reported that the attackers weren't after Amazon, or its customers' AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool that legitimate users and hackers alike use to operate computers remotely.

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection \[upfront\],'" Narang says.

Launching one of these malicious attachments would have immediately triggered an outgoing RDP connection to an APT29 server. But that wasn't all: The files also contained a number of other malicious parameters, such that when a connection was made, the attacker was given access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, with the added ability to run custom malicious scripts.

**Block RDP**

APT29 may not have used any legitimate AWS domains, but Amazon still managed to interrupt the campaign by seizing the group's malicious copycats.

For potential victims, CERT-UA recommends strict precautions: not just monitoring network logs for connections to IP addresses tied to APT29 but also analyzing all outgoing connections to all IP addresses on the wider Web through the end of the month.

And for organizations at risk in the future, Narang offers simpler advice. "First and foremost, don't allow RDP files to be received. You can block them at your email gateway. That's going to kneecap this whole thing," he says.

AWS declined to provide further comment for this story. Dark Reading has also reached out to Microsoft for its perspective.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Russia's APT29 Mimics AWS Domains to Steal Windows Credentials

Four companies — Avaya, Check Point, Mimecast, and Unisys — have been charged by the SEC for misleading disclosures in the aftermath of the 2020 SolarWinds compromise.

Source: Ascannio via Alamy Stock Photo

The initial attack might be years old, but regulators at the Securities and Exchange Commission (SEC) are still sifting through the details of the 2020 SolarWinds breach. This week, the SEC announced it has charged four companies for what the agency determined was an intentional effort to minimize the impact of the hack to their systems.

Unisys was dealt the largest civil penalty — $4 million — for its disclosure practices, as well as for controls violations.

"The SEC's order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data," the SEC announcement of the fines read. "The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls."

Unisys has not responded to Dark Reading's request for comment.

Avaya Holdings Corp. agreed to pay $1 million for its statements that admitted a threat actor has accessed what the company characterized at the time as a "limited number" of company email messages, but failed to mention the company was also aware that 145 files in its cloud environment were also compromised, according to the SEC.

Avaya, similarly to the other fined companies, said in its statement the company is glad to put this issue to rest.

"We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls," according to a statement from Avaya provided to Dark Reading. "Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."

Check Point was intentionally vague in its disclosures, according to the SEC, which fined the software company $995,000. Check Point's statement maintains the company acted earnestly but is glad to move on.

"The SEC's announcement concerns the same issue that we discussed in a 6-K from December 2023, regarding our settlement discussions on the 2020 SolarWinds Orion cyber vulnerability and the question of whether this should have been reported in Check Point's 2021 20-F Annual Report filing," the Check Point statement read. "As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world."

The SEC dealt the lightest penalty to Mimecast, which will pay $990,000, for "failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed," the SEC said.

Mimecast said in a statement that the company acted transparently, adding that it is no longer a publicly traded company under SEC jurisdiction, but nonetheless will continue to comply with the SEC enforcement.

"In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected," the Mimecast statement read. "We believed that we complied with our disclosure obligations based on the regulatory requirements at that time. As we responded to the incident, Mimecast took the opportunity to enhance our resilience. While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers."

**SEC Trying to Deter Vague Data Breach Disclosures**

The intention of the charges and subsequent fines is to deter other companies from taking the same "half-truth" communications approach following a breach, the SEC explained.

"Downplaying the extent of a material cybersecurity breach is a bad strategy," Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit said in a statement. "In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized."

The lesson companies should take from this SEC enforcement action is that regulators are looking for technically precise disclosures, according to cybersecurity attorney Beth Burgin Waller.

"Companies can no longer rely on generalizations or hypotheticals," she adds. "The challenge for many companies will be thinking of post-ligation risk from all angles including later data breach class actions or customer lawsuits."

This new enterprise cybersecurity terrain will require chief information security officers to work more closely legal teams, Burgin Waller says.

"The SEC is creating tension for many companies post-incident by forcing disclosure of details very early on in an incident investigation that will be cited back to the business in future litigation," she adds. "CISOs need to be prepared to work closely with in-house and outside counsel on SEC cyber-incident materiality determinations, especially in light of the technical precision required of companies in these enforcement announcements."

SEC Fines Companies Millions for Downplaying SolarWinds Breach

Eight months after the breach occurred, Change Healthcare has finally sent out millions of notices of compromised data to affected individuals.

Source: Jim West via Alamy Stock Photo

For the first time since being breached, United Healthcare has admitted to the number of individuals affected by the Change Healthcare ransomware attack — a staggering 100 million people.

The incident occurred in February, yet Change Healthcare didn't send out a notification warning to those impacted until June. In May, Andrew Witty, CEO of UnitedHealth, hinted at the massive scale of the breach, estimating that it was possible a third of all American health data had been compromised in the ransomware attack.

The breach has caused wave after wave of issues and prompted numerous calls for action regarding the state of cybersecurity in the healthcare sector. The ransomware attack was perpetrated at the hands of BlackCat/ALPHV, which Change Healthcare ultimately decided to pay off in order to get its systems back up and running. 

But the breaches didn't stop there. The company faced yet another attack, this time at the hands of RansomHub, which demanded a payment for the 4TB of data it stole, most of it medical records and financial data belonging to US military personnel. RansomHub has threatened to sell the sensitive information to the highest bidder.

After testifying in Congress in May, Change Healthcare revealed it had paid $22 million in ransom to the attackers who compromised its systems in February. It also revealed that the attackers were able to use previously compromised credentials to get into Change Healthcare’s system, which was not protected with multifactor authentication (MFA). Overall, the revelations in the hearing pointed to a lack of security maturity, leading to easy access for the attackers and a breach that caused delays in healthcare services.

"UnitedHealth is a very large, very complex entity from a systems point of view, and the regulatory framework is equally large and complex — considering all the variables and processes involved — the time frame for confirmation seems within reason," Dan Ortega, security strategist at Anomali, wrote in an emailed statement. "However, this doesn't mean that it's acceptable from an operational efficiency or public safety standpoint."

For the 100 million Americans affected by this breach who have received notice of their compromised data, their information that was stolen includes health insurance data; health information such as medical records, prescriptions, test results, images, diagnoses, and more; billing, claims, and financial and banking information; and Social Security numbers, driver's license information, and passport numbers.

Source

DARKReading