Challenges with cybercrime prosecution are making it easier for attackers to act with impunity. Law enforcement needs to catch up.

Source: Tero Vesalainen via Alamy Stock Photo

COMMENTARY

Historically, cybercriminals have always had an edge over law enforcement. It may take a few hours to steal thousands of credit cards after exploiting a SQL injection flaw, but the subsequent investigation and prosecution of the cybercriminals can take years — and still fail.

Europol described the challenges in investigating and prosecuting cybercrime — the collection and preservation of digital evidence, difficulty tracing and identifying attackers, and legal and judicial hurdles associated with cross-border investigations — back in 2019. These challenges remain relevant in 2024.

**Challenges That Law Enforcement Faces**

While many countries have one or more specialized law enforcement agencies (LEAs) or police units capable of investigating cybercrime, the general trend is to commingle computer-enabled crimes (cybercrimes) with cyberattacks and send them all to a single agency.

Cybercrimes, which include online dating scams and other types of digital fraud that rely on social engineering, cause damages ranging from 100 to several thousand dollars. Compare that with cyberattacks — which require fairly advanced tech skills and resources from cyber gangs — such as ransomware attacks on critical national infrastructure and advanced persistent threats aimed at stealthily stealing valuable trade secrets from large companies or classified information from governmental agencies. When a single agency is tasked with handling all types of digital crimes, it is unsurprising that just the initial triage of incoming cases can consume virtually all agency resources.

In contrast to overwhelmed LEAs dealing with all kinds of tasks simultaneously using extremely modest resources, modern cyber gangs usually have narrow specializations, such as vulnerability research and exploit development, where they truly excel technically and financially. Cyber mercenaries may use breached LEAs as proxies to attack other systems and slow down investigations, while state-backed groups may exploit backdoored LEAs for perfidious attacks trying to frame their political enemies. On the Dark Web, the number of announcements selling access to backdoored LEA systems or networks is steadily growing.

Despite national security being a hot topic for lawmakers on both sides of the Atlantic — and the increased funding that attention brings — specialized LEAs or units dedicated to tackling cybercrime still remain underfunded compared to their highly sophisticated, extraordinarily well-prepared, and well-funded adversaries.

Insufficient funding makes it harder to attract talented individuals to work on defense. In Western countries, state agencies struggle to compete with the deep-pocketed private sector for talented cybersecurity professionals, who can be swayed by perks unavailable to most government employees, such as higher salaries, longer leaves, and working from home. The situation is even worse in other countries: Young graduates with good technical skills can earn their annual salaries in a couple of weeks working for cybercrime conglomerates that actively prospect and recruit new members. In January 2024, FBI director Christopher Wray estimated that the number of hackers in China outnumbers all available FBI cyber personnel by at least 50 to 1.

Likewise, forensic tools and special equipment designed to bypass encryption on mobile devices or acquire digital evidence from a multicloud environment are also quite expensive, oftentimes being affordable only to leading national agencies or central forensic labs that serve thousands of requests from an entire country. As a result, a backlog of cybercrime investigations is building relentlessly, undermining people's trust in their government's capacity to protect their privacy and property on the Internet.

**Advantages for the Cyber Gangs**

International collaboration and judicial assistance in cybercrime investigation has never been simple. The Budapest Convention of 2001 is probably the most important international treaty designed to combat cross-border cybercrime. But even after the enactment of the Second Additional Protocol, the convention has fallen short of its original goals for political and organizational reasons. The recently proposed UN Treaty on Cybercrime is unlikely to do much better amid the unfolding geopolitical crises and the weakening force of international law.

The problem is that some countries, even after ratifying a treaty, are very selective when complying with the underlying duties and obligations owed to other signatories. They frequently ignore or simply delay required actions to the extent that, by the time they're finally performed, they are worthless — for instance, seizing volatile digital evidence several years after receiving a mutual legal assistance (MLAT) request from another sovereign state.

Indeed, some countries are considered safe harbors for cyber gangs that cooperate with, or work for, the government. These barons enjoy a luxurious lifestyle, safe in the knowledge that they will never be prosecuted domestically, let alone extradited, for cybercrimes that do not conflict with state public policy. Such cybercrime havens create a strong feeling of impunity among perpetrators, who believe — usually accurately — that they are above the law. Even if they are apprehended, cybercriminals usually get lenient punishments for the financial damage caused, compared to the decades-long and even life sentences for leaders of drug cartels or masterminds of Ponzi schemes.

Alarmingly, as the World Economic Forum reports, cybercrime has started to merge with organized and violent crime — for example, exploiting forced labor to staff large-scale online fraud and extortion campaigns.

**How Law Enforcement Can Make Up Ground**

To win against the seemingly invincible cybercrime hydra, governments should better organize their national cybercrime LEAs. Here's what they need to do:

*   Create specialization and internal segmentation.
    
*   Allocate additional funding to these agencies.
    
*   Form more public-private partnerships to jointly trace and dismantle cyber gangs.
    
*   Revise national legislation, including sentencing guidelines, for cybercrimes to boost the deterrence effect.
    

Otherwise, in a few years, the Internet may become an uncontrollable zone of lawlessness and chaos, co-managed by rival cyber gangs.

For a longer version of this article, please contact the author.

**About the Author**

Partner, Platt Law

Dr. Ilia Kolochenko is a Swiss expert in cybersecurity, cybercrime investigation, and cyber law. He is also a lawyer admitted to the DC Bar in Washington, DC. His legal practice is mainly focused on data protection, privacy, and cybersecurity law. Dr. Ilia Kolochenko currently serves as a Chief Architect and CEO at ImmuniWeb, a global application security company headquartered in Geneva, Switzerland. He is also a Partner & Cybersecurity Practice Lead at a US law firm with offices in New York and Washington. As part of his academic activities, Dr. Kolochenko is an Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University in Maryland, and a Faculty Member at the DC Bar Continuous Legal Education (CLE) Program, where he teaches a cybersecurity and privacy course for lawyers and other legal and judicial professionals.

Dr. Ilia Kolochenko has an LL.M. (Master of Laws) degree in Information Technology Law from the University of Edinburgh Law School, an M.Sc. in Criminal Justice (Cybercrime Investigations & Cybersecurity) from Boston University, and a Ph.D. in Computer Science from Capitol Technology University. He currently completes an advanced LL.M. in Cyber, Information and National Security (CINS) at George Mason University, Antonin Scalia Law School.

He is a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) at the International Association of Privacy Professionals (IAPP), two most advanced credentials in privacy practice and privacy law by the IAPP, respectively, while also holding AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, and CIPT privacy certifications. Additionally, he earned numerous offensive and defensive security certifications by the Global Information Assurance Certification (GIAC) after ongoing training in advanced cloud security, cyber operations, and investigations at SANS Institute.

Dr. Ilia Kolochenko currently serves a Vice-Chair of the Information Security Committee at the American Bar Association (ABA), also being a Fellow at the European Law Institute (ELI) and a Member of the Cybercrime Investigation & Cybersecurity (CIC) Center at Boston University. Additionally, Dr. Kolochenko is part of the Europol's Data Protection Experts Network (EDEN), INTERPOL's Digital Forensics Expert Group (DFEG), National Association of Criminal Defense Lawyers (NACDL), SANS CISO Network, and the EU CyberNet.

Dr. Ilia Kolochenko has authored over 75 articles on cybersecurity, computer crime investigations, cyber law, and artificial intelligence. His interviews and expert comments have been published in over 250 media across Europe and the US; he is also a frequent lecturer at cybersecurity, law enforcement, and legal conferences around the globe.

Cyber Gangs Aren't Afraid of Prosecution

As in golf, security requires collaboration across the entire organization, from individual contributors in each department to the executive level and the board.

Source: SunFlowerStudio via Alamy Stock Photo

COMMENTARY

I was talking with some friends about the recent 2024 Presidents Cup matchups, and how Mackenzie Hughes — a fellow Canadian — was going to play a pivotal role on the International Team. As we dug into game strategy, I had one of those lightbulb moments: There is a lot in common between golf and cybersecurity.  

Now, comparing a quiet game on a manicured golf course with a high-intensity, never-ending battle to secure critical data and digital assets might seem like a stretch. But stay with me — there is a real overlap between the challenges security leaders face and the sport that's been surging in popularity.  

Here are five takeaways that stand out to me. 

**Teamwork Is Critical **

Golf is often seen as an individual sport, but tournaments like the Presidents Cup remind us of the importance of teamwork. For those unfamiliar: At the Presidents Cup, 12 US golfers compete against a team of golfers from the rest of the world. Even as traditionally played, golf requires close collaboration. Golf Digest magazine recently declared that "professional golf is no longer an individual sport," as players now rely not only on their trusted caddies but also on statisticians, short game coaches, trainers, sports psychologists — you name it.  

It's the same with cybersecurity. There's a common misperception that it's IT's problem, but it's everyone's job to protect the company. In fact, recent research shows that nearly one in three employees think security isn't their problem — which likely explains why 54% of employees admit they don't always follow their company's security policies.  

Just like golf, security requires collaboration across the entire organization, from individual contributors in each department to the executive level and the board. Without a team effort, you're not going to get far.

**Fundamentals Matter **

In golf, it's tempting to think the latest gear will magically fix your game, but even with the most advanced clubs, you won't perform well if your grip, swing, and stance are off. In cybersecurity, it's the same. It's easy to get caught up in the buzz around new AI tools or fancy software, but if your fundamentals are weak, no shiny new tech is going to save you. 

At its core, security is about getting the basics right: things like multifactor authentication (MFA), keeping software updated, and maintaining strong password practices. Once those fundamentals are locked in, you can build from there. But skipping them? That's like trying to tee off without knowing how to hold the club properly.

**You Need a Full Bag of Clubs**

Every golfer knows that one club won't get you through a full round. You need a driver, irons, wedges, and a putter to handle different situations. The same goes for cybersecurity. There is no "silver bullet" solution that can handle all your security needs.  

A hybrid workforce, with employees using their personal devices across different locations, adds layers of complexity. You need a suite of tools that complement each other, working in harmony with human behavior. The best security tools don't focus only on protection — they also prioritize ease of use and help employees be productive while staying safe. 

**Shooting Par Is Hard**

To a non-golfer, shooting par might sound like an average accomplishment. But anyone who's tried it knows it's really hard, and keeping your organization safe is no different. Achieving a solid baseline of security is tough, especially when cybercriminals are constantly upping their game. 

More than one in three businesses (36%) have suffered cyberattacks costing more than $1 million in the past year, up from 27% the previous yearup from 27% the previous year. With generative AI (GenAI), attackers are creating more sophisticated, hard-to-detect threats, with deepfakes alone projected to cost $40 billion in 2027. 

As long as there's money to be made, criminals will continue to innovate fast. Staying the course and ahead of the competition will require security professionals and golfers alike to seize every edge, from technology to training.  

**The Best Make It Look Easy**

Watching a pro golfer hit a perfect shot can make the game look simple, but anyone who's tried knows better. In cybersecurity, the best solutions are often the easiest, most seamless, and least disruptive for employees to use. The easier it is for employees to follow security protocols without interrupting their flow, the more secure your organization will be.  

**About the Author**

CEO, 1Password

Jeff Shiner is the CEO of 1Password, a leading identity security company. Since joining in 2012, Jeff has grown the company from 20 people to a more than 1,000-employee global organization with a $6.8 billion valuation. Trusted by more than 150,000 businesses and millions of individuals, 1Password has expanded into a multiproduct identity security company that can secure every sign-in to every app from every device — even the unmanaged apps and devices that can’t easily be secured today in hybrid work environments. The company has been recognized on the Forbes Cloud 100 list, Fortune’s Cyber 60, Redpoint’s Infrared 100, and Quartz’s Best Companies for Remote Workers.

What Cybersecurity Leaders Can Learn From the Game of Golf

The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.

Source: Papilio via Alamy Stock Photo

The elusive, India-based advanced persistent threat (APT) group SideWinder has unleashed a new flurry of attacks against high-profile entities and strategic infrastructure targets that span numerous countries in Asia, the Middle East, Africa, and even Europe, signaling an expansion of its geographic reach. The attacks also show the group is using an advanced post-exploitation toolkit dubbed "StealerBot" to further its cyber-espionage activity, researchers have found.

The state-sponsored group — active since 2012, publicly outed in 2018, and mainly known for attacking rivals in Pakistan, Afghanistan, China, and Nepal — has demonstrated a widening of its geographic scope in the last six months. The latest attacks, observed by researchers at Kaspersky and outlined in a post on the SecureList blog, for the first time revealed some of SideWinder's post-compromise activities, which have remained largely unknown despite years of study by researchers.

Specifically, SideWinder has lately targeted entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the United Arab Emirates in the attacks. Affected sectors are varied, and include: government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies. Attackers also targeted diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.

As for StealerBot, the researchers described the malware — which they believe is the main post-exploitation tool used by SideWinder — as "an advanced modular implant designed specifically for espionage activities."

**SideWinder's Typical Cyberattack Chain**

Though geography and post-exploit tactics vary, SideWinder used its typical attack chain in the latest spate of attacks. The group started with a spear-phishing email with an attachment, which is usually a Microsoft OOXML document — ie, .docx or .xlsx — or a .zip archive, which in turn contains a malicious .lnk file. This file triggers a multistage infection chain with various JavaScript and .NET downloaders, which ultimately ends with the installation of the StealerBot espionage tool for further activity.

The documents used in the spear-phishing part of the campaign often contain information obtained from public websites, "which is used to lure the victim into opening the file and believing it to be legitimate," Kaspersky lead security researchers Giampaolo Dedola and Vasily Berdnikov wrote in the post. In this case, some of the email lures included public photos, images, and references to diplomatic and other activity that might be of interest to the intended target.

All the documents in the attacks use the remote template injection technique to download an .rtf file that is stored on a remote server controlled by the attackers. These files are specifically crafted to exploit CVE-2017-11882, a 7-year-old memory corruption vulnerability in Microsoft Office software, to download further shellcode and malware that uses various tricks to avoid sandboxes and complicate analysis, the researchers said. The ultimate purpose of the malware is to extricate data from infected systems and conduct cyberespionage.

**New StealerBot Modular Malware**

StealerBot, so-named by the attacker, is a modular implant developed with .NET to perform espionage activities. Rather than loading the malware's components on the filesystem of the infected machine, as is typical, the attack chain observed by the researchers loads them into memory by one of the numerous modules of the malware, which in this case acts as a backdoor loader that attackers dubbed "ModuleInstaller."

That module is a downloader that deploys the Trojan that SideWinder uses to maintain a foothold on compromised machines. It's a tool previously wielded by the group and observed by Kaspersky, but not unveiled publicly until now, the researchers noted.

The attackers designed ModuleInstaller to drop at least four files: a legitimate and signed application used to sideload a malicious library; a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules; a malicious library; and an encrypted payload. "We observed various combinations of the dropped files," the researchers noted.

Another module, called the "Orchestrator," is the main component of the malware that communicates with SideWinder command-and-control (C2) and executes and manages the other malware plugins. All told, StealerBot includes various modules for: installing additional malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, stealing files, phishing Windows credentials, and escalating privileges by bypassing user account control (UAC), among other activities.

**Largely Underestimated Attackers**

SideWinder long has been perceived as a low-skilled threat group due to its use of public exploits and remote access Trojans (RATs), as well as malicious .lnk files and scripts as infection vectors, according to Kaspersky. However, they should not be underestimated by defenders, as "their true capabilities only become apparent when you carefully examine the details of their operations," the researchers wrote.

As the new wave of attacks shows "a significant expansion of the group’s activities," those who may be targeted should be on alert and aware of the threat posed by the group, they said.

To help defenders recognize the presence of SideWinder and its tool StealerBot on their networks, the researchers included a comprehensive list of indicators of compromise (IoCs) for various stages of the attack in their post.

The IoCs include references to malicious documents, and .rtf and .lnk files, as well as specific IoCs to various modules of StealerBot. A long list of malicious domains and IPs associated with the attacks also is included in the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sidewinder Casts Wide Geographic Net in Latest Attack Spree

The thieves modify transaction messages to initiate unauthorized withdrawals, even when there are insufficient funds.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean threat actors are using a Linux variant from a malware family known as "FASTCash" to conduct a financially motivated cyber campaign.

FASTCash is a payment switch malware, first documented by the US government in October 2018 when it was being used by North Korean adversaries in an ATM scheme targeting banks in Africa and Asia.

Since that time, there have been two significant developments within the campaign. The first is its capability to conduct the scheme against banks hosting their switch application on Windows Server, and the second is its expansion of the campaign to target interbank payment processors.

Prior versions of the malware targeted systems running Microsoft Windows and IBM AIX, though the latest findings of the malware now indicate that it is designed to infiltrated Linux systems.

The malware modifies ISO 8583 transaction messages used in debit and credit card transactions to initiate unauthorized withdrawals, even managing to manipulate declined transactions due to insufficient funds, then approve them to withdraw money in Turkish currency ranging from 12,000 to 30,000 lira ($350 to $875).

"The process injection technique employed to intercept the transaction messages should be flagged by any commercial \[endpoint detection and response\] or opensource Linux agent with the appropriate configuration to detect usage of the ptrace system call," noted the researchers in the report.

The researchers also highlight Cybersecurity and Infrastructure Security Agency (CISA) recommendations of implementing chip and PIN requirements for debit cards, requiring and verifying message authentication codes on issue financial request response messages, and performing authorization response cryptogram validation for chip and PIN transactions to prevent exploitation attempts.

**About the Author**

North Korea Hackers Get Cash Fast in Linux Cyber Heists

The FHE Technical Consortium for Hardware (FHETCH) brings together developers, hardware manufacturers and cloud providers to collaborate on technical standards necessary to develop commercial fully homomorphic encryption solutions and lower adoption barriers.

Source: vchalup via Adobe Stock Photo

Quantum-resilient cryptography took a step forward this week with the launch of the FHE Technical Consortium for Hardware (FHETCH), a group focused on interoperability between fully homomorphic encryption (FHE) hardware and software for real-world applications. The new alliance will bring together FHE developers, hardware manufacturers, and cloud providers to accelerate the development of commercial FHE products.

Fully homomorphic encryption is a quantum-resilient cryptography method that allows encrypted data to be processed without first decrypting it. This method maintains data privacy and allows organizations to securely share data across industries, even in untrusted environments. Potential applications include medical data analysis, financial transactions, private cloud computing, machine learning and other types of confidential transactions or communications. 

Niobium, one of the three founding members, noted in a company blog post that FHE needs "more practical standardization." Optalysys and Chain Reaction are the other two founding members.

"Without common technical standards, implementing FHE has been costly and complex for enterprises," Niobium said.

There is currently a performance gap between existing FHE solutions and what organizations need to make FHE deployment practical. FHETCH will focus on creating FHE hardware acceleration technologies, creating open technical standards to ensure resulting products align with global regulatory frameworks, and integrating with existing data center formats and software libraries.

The consortium's initial focus will be on developing an API abstraction layer to enable any FHE hardware accelerator to interface with any FHE library. This will increase the flexibility of FHE deployments, simplify application development, and accelerate the development of new hardware and software solutions, the consortium said in a statement.

"FHETCH will give the industry a shared foundation, enabling the rapid development of badly needed FHE solutions that will mathematically guarantee privacy and compliance long-term," Jorge Myszne, CPO of Niobium's CPO, said in a statement.  

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

FHE Consortium Pushes for Quantum-Resilient Cryptography Standards

Organizations should be on high alert until next month's US presidential election to ensure the integrity of the voting process, researchers warn.

Source: Jon Helgason via Alamy Stock Photo

Cyber-threat actors have ramped up their targeting of the 2024 US elections with a flood of malicious activity expected to peak over the next month, aimed at causing disruption to voters and the election process and requiring increased vigilance on the part of stakeholders.

Specifically, attackers have bolstered election-related threat activity since the beginning of the year with an increase in the sale of phishing kits targeting US voters and campaign donors; the registration of more than 1,000 domains aimed at exploiting election-related content for malicious purposes; and increased ransomware activity targeting government entities, according to research from FortiGuard Labs Threat Research released today.

Since the inception of Internet-related threats, cyber-threat actors have typically increased malicious activity ahead of elections, notes Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet. However, they aim to be especially disruptive during the current election cycle, requiring that all stakeholders be prepared to fend off malicious actors in the upcoming weeks to protect election outcomes.

"As the 2024 US presidential election approaches, it's critical to recognize and understand the cyber threats that may impact the integrity and trustworthiness of the election process and the welfare of the participating citizens," he says.

Indeed, separate research has found that adversaries from Russia, China, and Iran in particular have been using cyber operations to stoke discord and influence election outcomes rather than make direct attacks on voting machines or other voter infrastructure. These more insidious tactics require a different type of vigilance on the part of defenders, the researchers noted.

**Specific Threats to Watch For**

FortiGuard Labs' latest election-threat research is the result of analysis of threats gathered from January 2024 to August 2024 that may affect US-based entities and the electoral process. The researchers discovered several key areas of threat activity that have been on the rise.

One is a significant increase in the availability of affordable phishing kits on the Dark Web designed to target voters and donors by impersonating the presidential candidates and their campaigns. Specifically, the researchers found kits for $1,260 created to impersonate US presidential candidates and to harvest personal information, including names, addresses, and credit card details.

Part of the phishing activity around the current election cycle also includes an increase of highly convincing mobile scams that use phone calls, voicemails, or messaging services that leverage deepfake technology to spread misinformation, which can affect voter outcomes, notes Alex Quilici, CEO at YouMail.

"AI can now create highly convincing voice attacks that make it sound like a trusted figure, such as a candidate, urging you not to vote or spreading false information," he says. "This kind of deception can seriously undermine public trust and disrupt the electoral process."

Attackers also have registered more than 1,000 new potentially malicious domains since the beginning of 2024 that incorporate election-related content and candidates to lure unsuspecting targets and potentially conduct nefarious activities, the researchers noted. The two most-used hosting providers for these election-themed websites are AMAZON-02 and CLOUDFLARENET, demonstrating that attackers are leveraging known, reputable services to bolster the legitimacy of malicious domains.

Another way cyberattackers can spread misinformation and disrupt the democratic process is through the use of people's personal information to directly target them, the researchers noted. Fortinet found that there currently is an abundance of this type of material on the Dark Web, with more than 1.3 billion rows of combo lists — which include usernames, email addresses, and passwords — of US citizens for sale for nefarious use.

The availability of this data poses a considerable risk for credential-stuffing attacks that allow cybercriminals to gain unauthorized access to people's accounts. Overall, the availability of so much personal data of various election stakeholders creates potential indirect disruption in the voting process, notes Casey Ellis, founder and chief strategy officer at Bugcrowd.

"While it may be difficult to use these records to commit the kind of fraud or attacks that would directly modify the outcome of an election, it's certainly a cheap and simple exercise to simply highlight the possibility of their use as a way to instill distrust in the democratic process, and to potential affect and manipulate voter turnout," he says.

FortiGuard Labs researchers also noted a 28% increase in ransomware attacks against the US government year-over-year based on observed leak sites. This type of activity also can threaten the integrity of the election process by undermining citizens' trust in the ability of the government to protect the personal data they collect from them.

**Protect Election Integrity**

To ensure the US presidential election process runs smoothly for all that wish to participate, Fortinet offered some recommendations to prevent and mitigate attacks between now and election day. The researchers advised that individuals and organizations alike always remain vigilant for suspicious behavior or activity leading up to major election-related events and prioritize good cyber hygiene in general to reduce potential threats.

Organizations, especially those related to the election or government agencies, should prioritize employee training and awareness about the cyber threats that exist that aim to disrupt the election process. Enforcing multifactor authentication and a strong password policy across both individuals' and organizations' online accounts also can protect against intrusion.

Finally, any organization with a stake in the election also should install endpoint protection solutions, patch operating systems and Web servers, and update software regularly to ensure systems are as secure as possible, Fortinet recommended.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Unleash Flood of Potentially Disruptive Election-Related Activity

The inherent intelligence of large language models gives them unprecedented capabilities like no other enterprise tool before.

Shaked Reiner, Principal Security Researcher, CyberArk Labs

October 15, 2024

5 Min Read

Source: Krot\_Studio via Alamy Stock Photo

Today, security teams are treating large language models (LLMs) as a vital and trusted business tool that can automate tasks, free up employees to do more strategic functions, and give their company a competitive edge. However, the inherent intelligence of LLMs gives them unprecedented capabilities like no other enterprise tool before. The models are inherently susceptible to manipulation, so they behave in ways they aren't supposed to, and adding more capabilities makes the impact of that risk even more severe.

This is particularly risky if the LLM is integrated with another system, such as a database containing sensitive financial information. It's similar to an enterprise giving a random contractor access to sensitive systems, telling them to follow all orders given to them by anyone, and trusting them not to be susceptible to coercion.

Because LLMs lack critical thinking capabilities and are designed to just respond to queries with guardrails of limited degrees of strength, they need to be treated as potential adversaries, and security architectures should be designed following a new "assume breach" paradigm. Security teams must operate under the assumption that the LLM can and will act in the best interest of an attacker and build protections around it.

**LLM Security Threats to the Enterprise**

There are a number of security risks LLMs pose to enterprises. One common risk is that they can be jailbroken and forced to operate in a way they were not intended for. This can be accomplished by inputting a prompt in a manner that breaks the model's safety alignment. For example, many LLMs are designed to not provide detailed instructions when prompted for how to make a bomb. They respond that they can't answer that prompt. But there are certain techniques that can be used to get around the guardrails. An LLM that has access to internal corporate user and HR data could conceivably be tricked into providing details and analysis about employee working hours, history, and the org chart to reveal information that could be used for phishing and other cyberattacks.

A second, bigger threat to organizations is that LLMs can contribute to remote code execution (RCE) vulnerabilities in systems or environments. Threat researchers presented a paper at Black Hat Asia this spring that found that 31% of the targeted code bases — mostly GitHub repositories of frameworks and tools that companies deploy in their networks — had remote execution vulnerabilities caused by LLMs.

When LLMs are integrated with other systems within the organization, the potential attack surface expands. For example, if an LLM is integrated with a core business operation like finance or auditing, a jailbreak can be used to trigger a particular action within that other system. This capability could lead to lateral movement to other applications, theft of sensitive data, and even making changes to data within financial documents that might be shared externally, impacting share price or otherwise causing harm to the business.

**Fixing the Root Cause Is More Than a Patch Away**

These are not theoretical risks. A year ago, a vulnerability was discovered in the popular LangChain framework for developing LLM-integrated apps, and other iterations of it have been reported recently. The vulnerability could be used by an attacker to make the LLM execute code, say a reverse shell, which would give access to the server running the system.

Currently, there aren't sufficient security measures in place to address these issues. There are content filtering systems, designed to identify and block malicious or harmful content, possibly based on static analysis or filtering and block lists. And Meta offers Llama Guard, which is an LLM trained to identify jailbreaks and malicious attempts at manipulating other LLMs. But that is more of a holistic approach to treating the problem externally, rather than addressing the root cause.

It's not an easy problem to fix, because it's difficult to detect the root cause. With traditional vulnerabilities, you can patch the specific line of code that is problematic. But LLMs are more obscure, and we don't have visibility into the black box that we need to do specific code fixes like that. The big LLM vendors are working on security, but it's not a top priority; they're all competing for market share, so they're focused on features.

Despite these limitations, there are things enterprises can do to protect themselves. Here are five recommendations to help mitigate the insider threat that LLMs can become:

1.  Enforce the privilege of least privilege: Provide the bare minimum privilege needed to perform a task. Ask yourself: How does providing least privilege materially affect the functionality and reliability of the LLM?
    
2.  Don't use an LLM as a security perimeter: Only give it the abilities you intend it to use, and don't rely on a system prompt or alignment to enforce security.
    
3.  Limit the LLM's scope of action: Restrict its capabilities by making it impersonate the end user.
    
4.  Sanitize the training data and LLM output and the training data: Before using any LLM, make sure there is no sensitive data going into the system, and validate all output. For example, remove XSS payloads that are in the form of markdown syntax or HTML tags.
    
5.  Use a sandbox: In the event you want to use the LLM to run code, you will want to keep the LLM in a protected area.
    

The OWASP Top 10 list for LLMs has additional information and recommendations, but the industry is in the early stages of research in this field. The pace of development and adoption has happened so quickly that threat intel and risk mitigation haven't been able to keep up. Until then, enterprises need to use the insider threat paradigm to protect against LLM threats.

**About the Author**

Principal Security Researcher, CyberArk Labs

Shaked Reiner is a principal security researcher at CyberArk Labs with over a decade of experience in reverse engineering and vulnerability research. His expertise spans malware, low-level systems, operating systems, blockchain, and AI. Shaked has a passion for researching peculiar machines and enjoys explaining complex ideas in an accessible way, whether in cybersecurity or philosophy.

LLMs Are a New Type of Insider Adversary

WordPress moves could have security implications for sites using Advanced Custom Fields plug-in.

Source: Primakov via Shutterstock

Organizations using WordPress plug-in Advanced Custom Fields (ACF) are in the middle of an ugly and very public dispute between WP Engine (WPE), the maker of the plug-in, and Matt Mullenweg, the founder of the open source content management system.

At stake is how users of the plug-in receive security fixes and other updates going forward after Mullenweg announced his decision over the weekend to fork ACF into a new version called Secure Content Fields (SCF). He also cut off WPE's access to WordPress.org's update servers.

**Forced Changes**

Following the fork, sites that use free versions of ACF and also have auto-updates from WordPress.org enabled will automatically get switched to SCF and receive future updates for the plug-in through WordPress.org. Sites owners that want to remain on ACF and receive updates via WPE need to install an alternate update mechanism that the vendor has released.

Meanwhile, customers of the paid ACF version will continue to receive updates directly from WPE and need to do nothing differently.

Mullenweg is the founder of WordPress and CEO of Automattic, the owner of WordPress.com, which hosts a commercial version of the content management system, just like WP Engine does.  In recent weeks, Mullenweg has launched a series of scathing attacks on WP Engine, a company he has described as profiting enormously off the open source software model while returning very little back to the community.

**Bitter and Escalating Battle**

"What WP Engine gives you is not WordPress, it's something that they’ve chopped up, hacked, butchered to look like WordPress, but actually they’re giving you a cheap knock-off and charging you more for it," Mullenweg asserted in a September blog post. "This is one of the many reasons they are a cancer to WordPress, and it’s important to remember that unchecked, cancer will spread." Mullenweg described his decision to fork ACF into a new plug-in as a move to "remove commercial upsells and fix a security problem" that WP Engine allegedly has failed to fix.

Mullenweg recently claimed that WPE needed a trademark license to continue selling services under the WordPress name and demanded 8% of the company's revenue on a monthly basis for the right to use the name. In September, he banned WPE from accessing WordPress.org resources, citing the need for the company to have a trademark license.

WPE's ACF team, for its part, characterized Mullenweg's decision as violating open source guidelines and setting a troubling precedent. The company has dismissed Mullenweg's claims about the plug-in's security. "A plugin under active development has never been unilaterally and forcibly taken away from its creator without content in the 21 year history of WordPress," the ACF team posted on social media site X.

In a blog post, Ian Poulson, product manager for ACF, pointed to over 15 releases and significant new functionality the ACF team has made to the free version of the plug-in over the past two years, in addition to improvements to the paid version. Mullenweg's decision to fork ACF is "inconsistent with open source values and principles," he noted.

"The change made by Mullenweg is maliciously being used to update millions of existing installations of ACF with code that is unapproved and untrusted by the Advanced Custom Fields team," Poulson wrote. Organizations using a free version of ACF must download version 6.3.8 from Advanced Custom Fields if they wish to continue receiving ACF-approved updates, he noted.

Earlier this month, WPE filed a lawsuit citing "abuse of power, extortion, and greed" against Automattic and Mullenweg. WPE has also sent a cease-and-desist letter to Automattic over the same issue.

**User Confusion?**

Stephen Kowski, field chief technology officer for SlashNext Email Security, says the dispute between WordPress and WP Engine over the Advanced Custom Fields plug-in reveals tensions in open source software management that could signal the start of a messier ongoing conflict.

"This conflict could result in user confusion and potential migration work, as automatic updates may lead to unknowing transitions to the new Secure Custom Fields plug-in," he notes. "Users may ultimately need to do further due diligence taking into account security and migration resources if needed, in order to choose between WP Engine's original ACF plug-in and WordPress' forked version, Secure Custom Fields."

Kowski perceives Mullenweg's decision as having a twofold impact. The newly forked Secure Custom Fields plug-in addresses a security issue that WP Engine has already patched and therefore is unlikely to be of any benefit for users. "On the other hand, the update process may introduce new risks if users are not aware of the changes or do not properly transition to the new plug-in," he says. "Users should exercise caution and carefully evaluate the plug-ins they use to ensure they are getting updates from trusted sources."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WP Engine Accuses WordPress of 'Forcibly' Taking Over Its Plug-in

A heated regulatory landscape, uncertainty over AI use, and how it all ties back to cybersecurity means CISOs have to add privacy to their portfolios.

Source: Leo Wolfert via Alamy Stock Photo

Years ago, when Mark Eggleston was tasked with building a privacy program for a national healthcare provider, he saw firsthand the importance of cross-functional collaboration.

"I needed legal experts to debate the HIPAA Privacy, NPRM \[Notice of Proposed Rulemaking\], final rule, and guidance and convert those requirements into internal policies," Eggleston recalls. "CISOs can bring efficiency and reliance to these procedures by implementing technical controls."

Eggleston, who is currently the chief information security officer (CISO) at CSC, a provider of business administration and compliance solutions, now recognizes how this collaboration underscores a larger trend occurring: CISOs are increasingly taking responsibility for privacy within organizations. According to research from IANS, CISO ownership of privacy has surged from 35% to 47% over the past five years. This growing role comes as privacy management and cybersecurity become more intertwined, fueled by regulatory pressures; evolving questions and concerns about certain technologies, like artificial intelligence (AI); and the always present desire to avoid becoming a victim of a data breach.

Traditionally, privacy and security were considered separate domains within an organization. Privacy was the responsibility of legal or compliance teams, while CISOs focused on protecting the organization from cyber threats. However, the line between these two areas is blurring, and more CISOs are being asked to handle privacy functions.

"When a CISO conducts a risk assessment or looks at data flow, they're already thinking about how to protect that information," says Rebecca Herold, CEO of The Privacy Professor and an IANS faculty member. Adding privacy to the role simply formalizes what they're already doing in many cases, she says.

Yunique Demann, senior director and data protection officer at NTT Data Americas, began her career in a security role and then moved into a privacy position, giving her a view into both disciplines.

"With the rise in data breaches, regulations, and regulatory scrutiny outside your legal, risk, or compliance functions, CISOs are becoming a natural fit to oversee privacy controls," she says. "Privacy is one of many areas that have impacted a CISO's role."

**Why CISOs Are Taking on Privacy Roles**

Another driver behind the shift in responsibility is the ever-changing regulatory landscape. Privacy laws, like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US, are placing greater demands on organizations to protect personal data. These regulations require organizations to have robust privacy controls, and, in many cases, the CISO is seen as integral to helping to oversee those efforts. CSC's Eggleston, who has held both CISO and chief privacy officer (CPO) roles, says the shift has been afoot for years, as CISOs have had to work with other departments where privacy is also essential.

"Most CISOs are already working strongly with human resources and legal teams, and the focus on privacy makes it paramount to continue to do so, as both HR and legal have core interest in privacy matters," he says. "Even the NIST Cybersecurity Framework is now integrating privacy into its guidelines."

With CISOs taking on more privacy duties comes a growing need to balance these responsibilities with their traditional focus on cybersecurity. There is also the potential for a conflict of interest, Demann says.

"But this is handled when operational privacy responsibilities are given to a DPO \[data protection officer\], while keeping the reporting line into security," she says.

In addition to regulatory pressures, advances in technology, such as the widespread adoption of AI, are contributing to CISOs' expanded role in privacy management. A recent survey from the International Association of Privacy Professionals (IAPP) found that 69% of chief privacy officers now have additional responsibility for AI governance, and 37% for cybersecurity regulatory compliance. And for good reason, says Demann, because many areas around AI require more scrutiny from both a privacy and security perspective.

"Privacy risks occur when the use of AI conflicts with these fundamentals and lacks transparency and incorporates bias in the process," she says. "Just because your LLM \[large language model\] can utilize huge amounts of data points, it doesn't mean it should, especially without consent of the individuals whose data you are using. Consent should be clear and explicit. Unfortunately, we are finding too many situations where consent is hidden."

**Reskilling to Handle Privacy**

The skills required for privacy management are also evolving, and CISOs must be prepared to adapt.

"Privacy is fundamentally about protecting individuals' rights and ensuring the processing of personal data is performed in accordance with applicable laws," Demann says. "This requires a deeper understanding of legal, ethical, and regulatory frameworks and a focus on data governance, consent management, and transparency."

She encourages CISOs to engage with privacy communities, collaborate with privacy leads, and actively seek opportunities to expand their knowledge of privacy issues.

For CISOs, collaboration with CPOs and legal departments is also key to ensuring both security and privacy compliance within their organizations. Demann recommends regular communication and joint initiatives, such as combined tabletop exercises and industry presentations, to create a unified approach to privacy and security.

"The more privacy and security leads can show up together, the easier it is for the organization to have a strategic approach," she says.

Eggleston stresses the importance of staying informed through think tank digests, privacy updates from legal firms, and ongoing discussions with jurisdictional staff.

"Many EMEA countries have much more detailed and stronger requirements for privacy," he notes, citing Luxembourg's Professional Secrecy obligation as an example.

Looking ahead, CISOs need to be prepared to navigate emerging privacy trends, whether or not privacy is in their purview. As the role expands, they will need to continue building their knowledge of privacy laws and collaborating across departments to protect both company data and individuals' rights.

"Security is about confidentiality, and privacy is fundamentally about confidentiality," Eggleston concludes. "Privacy and security are stronger together."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

CISOs' Privacy Responsibilities Keep Growing

Use SSO, don't use SSO. Have MFA, don't have MFA. An analysis of a snapshot of organizations using Push Security's platform finds that 99% of accounts susceptible to phishing attacks.

With organizations adopting cloud services, mobile devices, and other digital technologies to meet customer needs and to support an increasingly remote workforce, identity is the security perimeter. Identity is where organizations authenticate, authorize, and manage users, applications, and devices. This requires organizations to invest in identity technologies such as single sign-on, multifactor authentication, continuous monitoring, and identity access management.

Currently, there are a lot of gaps that leave organizations vulnerable to identity-based attacks such as credential stuffing, brute-force, and phishing.

In an analysis of 300,000 accounts and associated login methods, Push Security’s research team calculated the average employee in an average organization has 15 identities. A little over a third (37%) of identities used password-based logins with no MFA enabled, according to Push Security data.

According to the analysis, 61% of accounts relied only on single sign-on, and 29% had only passwords, and 10% of identities allowed both single sign-on and a password. Almost two-thirds (63%) of accounts — regardless of whether single sign-on was available or not — used some form of MFA. Almost all of them relied on what Push Security deemed “phishable MFA,” which refers to methods vulnerable to bypass attacks such as MFA fatigue or advanced attacker-in-the-middle phishing toolkits. Less than 1% of accounts using single sign-on methods used “phishing-resistant MFA,” according to Push Security.

For accounts that had only a password, 80% did not have MFA enabled, while 40% of accounts that had both SSO login and a password lacked MFA.

The problem with accounts having both SSO and passwords is that it opens the door to ghost logins, or situations where an account has multiple login methods. In this case, despite having single sign-on, these accounts could potentially be compromised if the attacker figures out the password via credential stuffing or brute-force attacks.

Even in cases where SSO is used, there is a password login to the identity provider at the beginning of the flow. A look at the identity provider account shows that 17% does not have MFA enabled, and 10% reused passwords. If this password is somehow compromised — perhaps by credential stuffing or phishing — the accounts with SSO logins are also compromised.

Another thing about MFA: identity provider accounts are among the “most critical accounts that a user can have,” Push Security noted, but 20% are missing MFA.

What was also worrying that 9% of identities had a breached, weak, or reused password and had no MFA enabled, making these identities susceptible to attack. “Accounts that are missing MFA are vulnerable to credential stuffing attacks targeting stolen, weak, or reused passwords, and even the most basic phishing toolkits,” Push Security said.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Source

DARKReading