Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.

Source: QubixStudio via Shutterstock

Malicious browser extensions are bypassing Google's latest security and privacy standard for Chrome extensions, and they are finding their way into the Chrome Web Store — putting organizations and individuals at considerable risk.

That's according to researchers at Singapore-based SquareX, who recently demonstrated how bad actors could sneak harmful browser add-ons past the protections in Google's latest Manifest V3 update for Chrome extensions.

**Malicious Chrome Extensions Are a Continuing Problem**

In a presentation at DefCon 32, the researchers showed how such extensions could steal live video feeds from platforms like Google Meet and Zoom without requiring any special permissions. They then demonstrated how attackers could use extensions based on the Manifest V3 standard to redirect users to credential-stealing pages, add collaborators to private GitHub repos, and steal site cookies, browsing history, and other user data relatively easily.

Google introduced Manifest V3 in 2018 to address issues in the previous Manifest V2 standard, which more easily allowed bad actors to craft Chrome extensions with a range of malicious capabilities. A study by researchers at Stanford University concluded that there were a staggering 280 million installs of such malicious Chrome extensions between July 2020 and February 2023.

Related:Dark Reading Confidential: The CISO and the SEC

As Google explains it, Manifest V3 is part of a broader effort by the company to "improve the privacy, security, and performance of extensions." Improvements in Manifest V3 include a stricter content security policy, updated and more secure APIs, more granular permission control for users, and changes to how extensions can make cross-origin requests. Some of the updates, like one that changes how Chrome handles content-blocking extensions, have been controversial. Privacy advocates and makers of ad-blocking extensions have described the feature as drastically curtailing the ability for Chrome users to block ads and tracking mechanisms. But overall, the goal with Manifest V3 is improved security and privacy controls around Chrome extensions.

The ground reality is somewhat different, says Vivek Ramachandran, CEO and founder of SquareX. "\[Manifest V3's\] permission model remains too broad, allowing malicious actors to exploit minimal permissions to steal data," he says.

**Overly Broad Permissions for Manifest V3?**

A key example is host permissions that allow an extension to modify or read any Web content on visited pages. "SquareX demonstrated a Google Meet stream-stealing extension that only required host permission," Ramachandran says. "This type of permission is very common in the extension store. In fact, many extensions, like grammar checkers, rely on it."

Related:Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Ramachandran estimates there are already hundreds if not thousands of malicious browser extensions based on Manifest V3 that are already in the Chrome Web Store. He expects that number to increase dramatically as more extensions cut over to Manifest V3.

"Google needs to enforce stricter security controls in MV3," Ramachandran says. "They should collaborate with the Web and security community to develop a more robust permission model that is less broad. Additionally, Google should improve the vetting process for extensions and introduce tools to monitor real-time behavior."

Google did not immediately respond to a Dark Reading request for comment on SquareX's research. But the Internet giant previously has conceded that with more than 250,000 browser extensions in Chrome Web Store, there are chances some extensions could pose risks to users and sometimes request permissions that might violate a company's policies.  

"As with any software, extensions can also introduce risk," Google said in a blog post shortly after the Stanford researchers released their paper on risky extensions in the Chrome Web Store.

Related:Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

**Boosting Chrome Ecosystem Security**

In that blog post and in previous updates, like this one in April 2023, Google has highlighted its efforts to bolster security around Chrome extensions. These include browser extension management capabilities that security teams can use to view and set policies for all installed extensions in their environment, and the ability to review extensions before users can install them.

Chrome security features also include one that alerts admins when a user might install a new browser extension, to make tracking and management easier. And last year, Google introduced two risk assessment tools — CRXcavator and Spin.AI Risk Assessment — that give enterprise admins a way to assess and score extensions for risk.

Google also points to its Chrome extensions page (chrome://extensions/) as a resource that individuals can use to see if their installed extensions pose a security risk; a warning panel appears on the page if Google detects any installed extensions as being suspicious. That definition includes: browsers suspected of containing malware; browsers that violate Chrome Web Store polices; unpublished — and therefore no longer supported extensions; and extensions that are not explicit about their privacy and data-collection practices.

Google had set a deadline of this past June for browser extension makers to migrate to Manifest V3 and has noted that it would also begin disabling Manifest V2 extensions in its pre-stable versions of Chrome at that time. The company has given enterprise organizations until June 2025 to migrate Manifest V2 extensions to the new version. As of Oct. 4, 60.4% of all Chrome browser extension have migrated to Manifest V3.

Ramachandran says enterprises should audit installed extensions and limit their permissions. His advice is that organizations also enable better visibility and control over extensions in the environment. Think of browsers like Chrome as complex platforms, much like operating systems, he suggests.

"Extensions run as internal applications, but endpoint security tools only have visibility at the process level," Ramachandran says. "They cannot assess or control what browser extensions are doing internally."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malicious Chrome Extensions Skate Past Google's Updated Security

Creating a new office of cyber-regulation strategy is the government's best opportunity to improve security and to protect Americans in an increasingly dangerous world.

Jason Healey, Senior Research Scholar, Columbia University School of International and Public Affairs

October 7, 2024

5 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

Regulation is the most complex and politically sensitive cybersecurity measure ever undertaken by the US government.  

The most important step the White House can take is starting a cyber-regulation strategy and creating a new office within the Office of the National Cyber Director (ONCD) to drive smart regulation and harmonization. 

**Regulating Cybersecurity: Strategy Needed**

Government mandates, especially ones to regulate an area tied to speech, touch at the heart of the role of government in a free society. They are far more inherently political than most other cybersecurity initiatives, such as building the cyber workforce, a topic for which ONCD has already created a dedicated strategy. 

Cyber regulation is also exceedingly complex. To improve cybersecurity, the government might impose minimum baseline cybersecurity controls for critical infrastructures (for everything from rail to customer information held by banks), charge companies for fraud under the False Claims Act, use securities laws to criminally charge corporate security executives, impose labeling requirements for smart devices, or regulate cybersecurity for broadband Internet access. 

The US government is defaulting to doing all of these, plus many more, all at once. 

Some of these initiatives are more in line with the president's strategy and priorities than others; some are best done first, others later; some might be challenged in court, post-Chevron; and some will impose larger costs, for fewer gains, than others seeking the same end. 

All will create winners and losers. Unlike efforts to fix the cyber workforce, some might even affect the outcome of elections. 

ONCD must accordingly develop a new strategy (or at least a less-formal road map) for regulating cyberspace, laying out the major options and trade-offs, timelines, and measures of success. The final deciders must be the nation's political leadership in the National Security Council and National Economic Council. 

**New White House Office Also Needed**

To ensure the success of the cyber-workforce strategy, ONCD created a dedicated team, led by an assistant national cyber director. ONCD must create another such special office to focus on the far more politically sensitive and complex topic of regulation. 

ONCD's office would work to not just "create a coherent regulatory system and harmonize cybersecurity requirements," as recommended by the American Chamber of Commerce, or oversee a Harmonization Committee, per a recent Senate bill. It would draft the strategy, develop an implementation plan and track completion, develop frameworks to harmonize regulations, champion mutual recognition, and help oversee if regulations are working and at reasonable cost. 

This office would work with other departments and agencies — especially the Cybersecurity Forum for Independent and Executive Branch Regulators and the Cybersecurity and Infrastructure Security Agency, recently tasked to harmonize critical infrastructure regulations.  

And there are a lot regulations needing coordination. Just in the past few months, there is not only the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), but also: 

1\. Cybersecurity in the Marine Transportation System, "establishing minimum cybersecurity requirements for U.S. flagged vessels" (from the Coast Guard)  

2\. Data Breach Reporting Requirements for telecommunications providers (the Federal Communications Commission) 

3\. Cybersecurity Labeling for Internet of Things (IoT) (FCC) 

4\. Cybersecurity Maturity Model Certification for contractors (Department of Defense) 

5\. Significant Cybersecurity Incident Reporting Requirements for federally approved mortgage lenders (Department of Housing and Urban Development) 

6\. New requirements for US infrastructure-as-a-service (IaaS) providers (Department of Commerce) 

Meanwhile, the Environmental Protection Agency is "increasing inspections and enforcement" of community water systems and "the Centers for Medicare and Medicaid Services (CMS) will be drafting new rules" for hospitals. 

ONCD's harmonization efforts have been solid, led by Nick Leiserson, Brian Scott, and Elizabeth Irwin, among others. But this team is also working on a wide range of other policies and programs, such as including cyber in federal grants to states. Regulation, complex, and politically fraught, deserves a dedicated team and leadership. 

**But It's Close to an Election!**

The next presidential administration may be less eager to regulate than this one, but it will still need a regulatory plan of some sort to coordinate and harmonize between independent agencies and engage with states and the European Union.  

ONCD is staffed not just by political appointees and detailed civil servants — as is the National Security Council, the traditional heart of White House cyber policymaking — but also permanent staff. Starting the work on such a document now can help the smartest policies to survive between administrations and improve predictability for regulated companies. 

This is the White House's best opportunity for perhaps a generation to get this right, to improve security, to protect Americans in an increasingly dangerous world, and to decrease the cost and improve predictability for companies building our digitized economy. 

If the White House doesn't solve other important cyber issues, future administrations will have other chances. The critics fighting regulation will not be so forgiving. 

**About the Author**

Senior Research Scholar, Columbia University School of International and Public Affairs

Jason Healey is a senior research scholar at Columbia University’s School for International and Public Affairs, specializing in cyber-risk and conflict.  Jason was a founding member of both the Office of the National Cyber Director at the White House (2022) and the first cyber command in the world, the Joint Task Force for Computer Network Defense, in 1998. He created Goldman Sachs’ first capabilities for cyber-incident response and threat intelligence and later oversaw the bank’s crisis management and business continuity in Asia. He served as the vice chair of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and is a certified board director (NACD.DC) and information systems security professional (CISSP).

What the White House Should Do Next for Cyber Regulation

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

CISOs and their staff are under more pressure than ever to work their cybersecurity magic. Know the feeling? Send us a cybersecurity-related caption to explain the scene, above, and our favorite will win its creator a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the October 30, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to our friend Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia. Paul's caption for last month's "Bug Off" cartoon captured first place and appears below. A big thank you to all who participated.

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: And For My Next Trick ...

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

The collaboration with industry partners will improve collective AI defenses. Trusted contributors receive protected and anonymized data on real-world AI incidents.

Source: Myron Standret via Alamy Stock Photo

MITRE’s Center for Threat-Informed Defense announced the launch of the AI Incident Sharing initiative this week, a collaboration with more than 15 companies to increase community knowledge of threats and defenses for AI-enabled systems. 

The incident sharing initiative falls under the purview of the center’s Secure AI project, and aims to enable quick and secure collaboration on threats, attacks and accidents involving AI-enabled systems. It expands the reach of the MITRE ATLAS community knowledge base, which has been collecting and characterizing data on anonymized incidents for two years. Under this initiative, a community of collaborators will receive protected and anonymized data on real-world AI incidents. 

Incidents can be submitted via web (at https://ai-incidents.mitre.org/) by anyone. Submitting organizations will be considered for membership with the goal of enabling data-driven risk intelligence and analysis at scale. 

Secure AI also extended the ATLAS threat framework to incorporate information on the generative AI-enabled system threat landscape, adding several new generative AI-focused case studies and attack techniques, as well as new methods to mitigate attacks on these systems. In November 2023, in collaboration with Microsoft, MITRE released updates to the ATLAS knowledge base focused on generative AI. 

"Standardized and rapid information sharing about incidents will allow the entire community to improve the collective defense of such systems and mitigate external harms," said Douglas Robbins, vice president, MITRE Labs, in a statement.

MITRE operates a similar information-sharing public private partnership with the Aviation Safety Information Analysis and Sharing database for sharing data and safety information to identify and prevent hazards in aviation.

Collaborators on Secure AI span industries, with representatives from financial services, technology, and healthcare. The list includes AttackIQ, BlueRock, booz Allen Hamilton, CATO Networks, Citigroup, Cloud Security Alliance, CrowdStrike, FS-ISAC, Fujitsu, HCA Healthcare, HiddenLayer, Intel, JPMorgan Chase Bank, Microsoft, Standard Chartered, and Verizon Business.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

MITRE Launches AI Incident Sharing Initiative

CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.

Source: Aleksey Boldin via Alamy Stock Photo

Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.

The first — an issue with Apple's VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.

New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.

As Michael Covington, vice president of portfolio strategy for Jamf points out, "The good news is that neither of these highlighted issues involve remote exploits. They are, in fact, issues that will arise with use of the device, and it's user privacy that is ultimately at risk."

Still, he says that "for businesses that use mobile in any capacity for work, I recommend they pay close attention to both of the security issues and take appropriate action to update devices as soon as possible."

**Bug #1: Reading Passwords Aloud**

The first issue involves VoiceOver, the accessibility feature that provides visually impaired users with audible descriptions of the various elements on their screens — text, buttons, images, etc. VoiceOver also allows users to navigate their devices using voice commands and gestures.

Perhaps not everything on a device should be read aloud, though, like passwords. Last month, as part of iOS and iPadOS 18, Apple released a brand new app, "Passwords," allowing users to easily store and manage logins on their devices. CVE-2024-44204 is a logic issue that could have allowed VoiceOver to read out such a user's passwords. It affected essentially every model of iPhone and iPad released since 2018.

VoiceOver is off by default, meaning that only select iPhone users were potentially affected.

Covington notes, "This is not the first time we've seen accessibility features misused. Previous instances include screen reader technology being used by misbehaving apps to capture on-screen details and exfiltrate data from the device. Fortunately, most accessibility features go through extensive security and privacy testing, so these scenarios do not tend to arise often."

**Bug #2: Beginning Audio Messages Too Early**

If iPhone users are on the go, have a lot to say, or maybe just have tired thumbs, they might choose to record an audio message in iMessage, instead of a regular text. After they hit that plus sign on the left side of the message box and choose "Audio," the device will indicate that it has started recording with a red-highlighted sound wave in place of the message box, and a little orange dot in the pill-sized Dynamic Island at the top of the screen.

A security researcher recently discovered though that audio messages could have captured a few seconds of audio before users were made aware that their microphone was hot. The issue has been labeled CVE-2024-44207, and affects all models of the new iPhone 16.

Though it might seem — and, in most cases, would be — a relatively minor issue, Covington points out, "this disconnect between device function and the associated visual indicators is something that Jamf’s own threat research team has connected to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it can be misused is a big win for Apple."

Neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS) yet, nor are any further details public at this time.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

iPhone 'VoiceOver' Feature Could Read Passwords Aloud

A growing number of organizations are taking longer to get back on their feet after an attack, and they're paying high price tags to do so — up to $2M or more.

Source: Panther Media GmbH via Alamy Stock Photo

Organizations are seeing staggering increases in cyberattacks that stem from insider threats, with price tags for remediation reaching eyewatering heights of up to $2 million per incident.

According to research from Gurucul — which surveyed more than 400 IT and cybersecurity professionals — organizations are seeing a rising tide when it comes to insider threats. In 2023, 60% of organizations reported insider attacks, but in 2024 this number jumped to 83%. And in a dramatic shift, the number of organizations experiencing six to 10 attacks in the year doubled from 13% to 25%. Overall, almost half of organizations in the Gurucul study said that the occurrence of inside attacks has become more frequent over the past 12 months.

"Cybersecurity professionals define insider threats as risks originating from individuals within an organization who have authorized access to systems and data but misuse that access, either maliciously or unintentionally," Jason Soroko, senior fellow at Sectigo, wrote in an emailed statement to Dark Reading. "This definition encompasses employees, contractors, or partners who, due to complex IT environments, hybrid work models, or the adoption of advanced tools like GenAI, might exploit vulnerabilities."

This could mean a situation in which an employee steals sensitive data, accidentally leaking data after falling for a phishing scam, or ignoring security updates and protocols, ultimately leading to a security breach, he added.

Related:Dark Reading News Desk Live From Black Hat USA 2024

The Gurucul researchers found that the biggest driver of insider attacks are the growing IT complexities that organizations are faced with, which create visibility gaps that are hard to close. Technology is becoming more complex, and more employees are accessing system networks, extending the attack surface and making it more difficult to cybersecurity staff to safeguard. Not just this, but the adoption of new technologies like Internet of Things (IoT), artificial intelligence (AI), cloud services, and software-as-a-service (SaaS) applications play a role as well in the rapid growth rate that is difficult for organizations to keep pace with. 

With the implementation of new technology, these added "layers of complexity" create challenges for existing staff to combat threats, causing IT staff to become overworked and burned out. Nearly 30% of respondents noted that there is insufficient staff to implement and maintain tools and, if there are enough employees to go around, many lack the training and expertise to effectively manage the tools to safeguard networks. The researchers recommended that organizations that struggle with this cut their losses and transition to more intuitive tools that "reduce alert triage and false positives by providing a complete case of evidence with context and advanced behavior analytics."

Related:MITRE Launches AI Incident Sharing Initiative

Gurucul also pointed out that gaps in insider risk management are also to blame. "Weak enforcement policies, including a lack of consequences for employees and insufficient monitoring, were identified by 31% as contributing factors," according to the report. A fifth (20%) of respondents also cited executive management and policy issues as being one of the major obstacles to combating insider threats and implementing effective management tools and strategies.

Ultimately, it's a story that many in the cybersecurity industry have heard before: Executives need to give cyber threats the attention they deserve and support policy frameworks to help combat it; enforcing this mentality on a companywide level is also essential to strengthen mitigation.

**From Insider Attacks to Financial Spiral**

Insider attacks don't just compromise an organization's safety and information — they come with a high price tag, too. 

According to the study, after dealing with an attack of this kind, the cost of remediation for many organizations (32%) ranges from $100,000 to $499,000. And for others, it’s even more costly: 27% of organizations estimate the cost of remediation to range between $500,000 to $1 million, while 21% say that the costs range from $1 million to $2 million.

Related:Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

And that's just the financial impact for each individual insider attack an enterprise faces. With many experiencing roughly six to 10 attacks a year, these numbers multiply to a price that is likely just too costly to cough up. 

Those high price tags usually add up due to a variety of activities, such as system restoration, data recovery, legal fees, regulatory fines, and reputational damage control. 

And even if organizations can put money into remediation, their recovery is still slow. Roughly 45% of organizations take a week or longer to get back on their feet after an insider attack. The lengthy recovery time is usually due to the technical challenges that cybersecurity teams face when trying to restore intricate systems, a lack of unified visibility, and siloed security tools. Limited resources, regulatory compliances, and ongoing investigations also play a role in dragging out remediation efforts, keeping companies down while they’re most vulnerable. 

"It's essential for organizations to leverage advanced incident-response solutions that go beyond basic automation," according to the Gurucul researchers. "These solutions integrate dynamic risk-based prioritization, machine learning, and comprehensive contextual analysis to ensure that security teams can focus on the most critical threats, thereby reducing recovery times."

But in the end, prevention is better than reaction: That means educating existing employees (who complain of technical challenges, limited resources, compliance and privacy concerns, among other issues as leading to inadvertent mistakes), while also bringing in new cybersecurity talent so that security teams can effectively do their jobs and safeguard and mitigate against threats.

"Investing in ongoing training and development for cybersecurity teams to build the necessary expertise is crucial to address this challenge," the researchers wrote. "Managed security services can supplement internal capabilities, ensuring that tools are effectively implemented and maintained without overburdening existing staff."

Insider Threat Damage Balloons as Visibility Gaps Widen

The successful disruption of notorious Russian hacker group Star Blizzard's operations arrives one month out from the US presidential election — one of the APT's prime targets.

Source: Enik via Alamy Stock Photo

Microsoft and the US Department of Justice joined forces this week to take down more than 100 domains linked to a Russian-sponsored hacker group known as Star Blizzard.

The advanced persistent threat (APT), active since 2017, has targeted journalists, non-governmental organizations (NGOs), and Russia experts, particularly those supporting Ukraine.

The operation, which dismantled the group’s server infrastructure in the West, is expected to delay the cyberattackers' ability to regroup and operate.

"Today's seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action — using all tools to disrupt and deter malicious, state-sponsored cyber actors," Deputy Attorney General Lisa Monaco said in a statement issued by the DoJ.

Star Blizzard, also referred to as "Cold River" and "Callisto," uses primarily phishing emails to steal login credentials from its targets, and had recently developed its first custom backdoor.

In a partially unsealed indictment, the DoJ also revealed that two FSB officers, Ruslan Peretyatko and Andrey Korinets, were charged last December for their involvement in Star Blizzard espionage campaigns, which have extended to the UK, NATO countries, and Ukraine. The government's affidavit reveals that in the US, the group targeted military contractors, intelligence community personnel, and government agencies, among others.

The Kremlin-sponsored APT is known for its sophisticated evasion techniques, although Microsoft has been following it, and disrupted the group's activities in 2022 and again last year.

"Rebuilding infrastructure takes time, absorbs resources, and costs money," Microsoft noted in a blog post on the most recent takedown. "Today's action is an example of the impact we can have against cybercrime when we work together."

**A Step in Protection as US Election Nears**

The disruption comes at a crucial time, as US officials are on high alert for foreign interference ahead of the upcoming presidential election. With Star Blizzard's status as a tool for advancing Russian interests, including election disruption, Microsoft emphasized that the takedown action directly impacts efforts to protect the US democratic process from external threats.

"Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations — journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive — by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern."

**Russian Threat Likely to Persist**

Sean McNee, head of threat research at DomainTools, says he anticipates a dramatic increase in nation-state backed groups turning toward purchasing domains to carry out cyberespionage, and to seed misinformation and disinformation around the US election as well — so the combined DoJ/Microsoft action might just be a drop in the ocean.

"\[The Star Blizzard takedown is a\] huge step in protecting the Internet," he says, but adds it is likely only "scratching the surface" when it comes to FSB or other groups who have purchased domains to seed malignant websites.

"We have found that some domain hosting services sell domain registrations indiscriminately and are not always responsive when notified about malicious content or coordinated misinformation," he explains.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, warns Russia has "ratcheted up the cyber insurgency" in American cyberspace.

"Russia is cognizant that the soft underbelly of the US is our dependence on technology," he says, pointing out that the Star Blizzard revelations show that "the GRU and a few cybercrime cartels are collaborating in widespread campaigns of infiltration."

He says he is concerned that the resultant backdoors will be used to deploy destructive malware in the coming days, adding threat hunting must be expanded and runtime security must be activated to blunt the Russian campaign.

"Something wicked this way comes," Kellerman says. "The private sector must take this warning seriously."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness.

Akhil Mittal, Senior Manager, Synopsys Software Integrity Group

October 4, 2024

5 Min Read

Source: M-SUR via Alamy Stock Photo

COMMENTARY

In the high-pressure world of cybersecurity, daily headlines about breaches, ransomware, and phishing threats create a sense of urgency and tension. But what if one of the most effective tools for defense wasn't just technology, but humor? While it may seem unexpected, humor is emerging as a powerful asset in security training and culture-building. It boosts employee engagement, improves retention of key security concepts, and fosters a resilient security culture — ultimately strengthening an organization's defenses. 

However, humor isn't just about laughs — it's about combating challenges like security fatigue and ineffective training. As cyber threats evolve, the human element remains one of the weakest links. Humor can address that, but it must be carefully navigated. 

**Why Humor Works in Security Training**

According to a study from CompTIA, the human element accounts for the root cause of 52% of data breaches. Despite this, traditional cybersecurity training often fails to engage employees, resulting in low retention and inconsistent application of critical security behaviors. Dry, repetitive sessions packed with jargon cause employees to tune out — this is where humor comes in. 

According to TrainSmart, humor in training can boost retention and create a more relaxed learning environment. Research by Edutopia supports this, showing humor activates dopamine pathways, essential for motivation and memory retention. 

Imagine a monotonous security session versus a phishing simulation email from "IT Support" asking for your password to "upgrade the Internet." Humor transforms routine tasks into memorable learning experiences. 

**Real-World Examples**

Financial institutions and organizations are increasingly turning to gamification to enhance cybersecurity awareness. For example, some organizations have launched superhero-themed phishing campaigns where employees help fictional heroes identify threats, making training more interactive and fun. According to the Gamification at Work Survey by Talent LMS, 83% of participants reported feeling more motivated with gamified training, while 87% saw improvements in productivity and engagement. Additionally, 82% mentioned they felt happier at work due to these engaging methods. Similarly, some organizations use "bad password hall of fame" competitions, where employees guess the worst passwords ever used. These humorous contests make lessons about password strength more memorable, reinforcing security practices. Notably, 80% of organizations that implemented awareness training reported a reduction in phishing susceptibility, showcasing the effectiveness of these innovative approaches. 

**Reducing Security Fatigue**

Security fatigue is a growing issue in corporate environments. Employees face constant alerts, password updates, and phishing warnings, which can lead to negligence. 

Injecting humor into routine security tasks — like humorous phishing emails or lighthearted reminders — provides much-needed relief, keeping employees engaged without overwhelming them.

**Humor as a Solution for Remote Work**

The shift to remote work has highlighted the importance of engaging employees in security practices. Isolated from their IT teams, remote workers have become both the first and last lines of defense. However, 60% of remote employees feel disconnected from their company's cybersecurity efforts, according to Ponemon. In this environment, humor helps combat burnout, while reinforcing critical cybersecurity behaviors. 

**Risks and Challenges**

While humor can be effective, it also carries risks. If not implemented carefully, humor may trivialize serious threats, leading employees to view cybersecurity risks as less critical. Balance is key — humor should engage without undermining the importance of vigilance. 

Moreover, not all humor works in every context, particularly across diverse cultures. A cartoon-style phishing simulation may succeed in one region but be inappropriate elsewhere. To avoid alienating employees, it's crucial to test humor-based campaigns with different cultural groups before deployment. 

It's also critical to measure the effectiveness of humor in security training. Organizations should track phishing reporting rates, training completion, and quiz scores to assess engagement and overall security posture. 

**Learning From Mistakes **

Not all humor-based campaigns are successful. For instance, one company used sarcastic dark humor in its training sessions, which led to complaints from employees who felt the tone was dismissive of real security risks. The lesson? Humor that fails to take security seriously can do more harm than good. 

**Actionable Takeaways**

For organizations looking to enhance cybersecurity training with humor, here are some practical steps: 

*   Incorporate humor in training: Introduce humor into phishing simulations and training exercises to boost engagement and retention. 
    

*   Gamify security awareness: Create competitions or leaderboards where employees race to spot phishing attempts, using humor to reduce monotony. 
    

*   Test for cultural sensitivity: Ensure humor resonates globally by testing content with various employee groups before rolling it out. 
    

*   Track key metrics: Monitor phishing reporting rates, training completion, and engagement metrics to assess the effectiveness of humor in cybersecurity efforts.
    

**Conclusion**

Cybersecurity is serious, but it doesn't have to be boring. Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness. By balancing humor and seriousness, organizations can strengthen their defenses while keeping employees alert and engaged. Now is the time to inject levity into cybersecurity efforts — without losing sight of vigilance. 

**About the Author**

Senior Manager, Synopsys Software Integrity Group

Akhil Mittal is a recognized cybersecurity leader with more than two decades of experience in application security, cloud security, and DevSecOps. As a Gartner Cybersecurity ambassador and senior manager at Synopsys, he leads key security initiatives, helping global organizations strengthen their defenses against advanced cyber threats. Akhil has worked closely with chief information security officers (CISOs) and executive leadership to align security strategies with business goals, ensuring robust protection across industries. He also contributes his expertise through leading cybersecurity publications and serves as a judge for top industry awards and hackathons. Certified in CISSP and CCSP, his work continues to shape the future of cybersecurity, driving innovation and resilience worldwide.

Cybersecurity Is Serious — but It Doesn't Have to Be Boring

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals.

Source: Skorzewiak via Alamy Stock Photo

The industry consensus about ransomware is that it's not going away anytime soon, evidenced by the consistent growth of ransomware attacks over the past decade. We've seen some of the biggest ransomware attacks in history — including the JBS, Colonial Pipeline, and Equifax breaches — over the past five years. What's more, between 2023 and 2024, there was an 81% year-on-year jump in the number of recorded ransomware attacks, according to cybersecurity research firm Black Kite.

And according to a report earlier this year by cybersecurity research firm Performanta, ransomware gangs have a new strategy: Ransomware-as-a-service (RaaS) organizations are focusing on African nations as initial targets for nation-state attacks before launching malicious campaigns in more developed climes.

But what makes Africa a choice destination for these so-called "RaaS gangs," and what does this mean for the burgeoning economies on the continent?

**Why Africa?**

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals. Performanta's report, which shows that Africa is increasingly becoming a testing ground for ransomware attacks, raises serious concerns for the continent's future and underscores the urgent need for collaboration among African states, corporations, and the West.

One draw for the cybergangs is the continent's overall low levels of cybersecurity strategy at the national level. In the 2024 edition of the International Telecommunication Union's Global Cybersecurity Index, only nine out of 44 countries in Africa qualified for the first or second tier of cybersecurity maturity. While this is an improvement over the previous report's rankings, that still leaves swathes of the continent less prepared.

Funsho Richard, a senior cybersecurity analyst and consultant, agrees with Performanta's findings.

"Africa's potential for profitable attacks amidst its digital growth is a magnet for cybercriminals," he says. Ransomware gangs and nation-state actors are exploiting the continent's weaker cybersecurity defenses to refine their methods in a "lower-risk environment" before launching attacks on better-secured developed nations.

This approach makes perfect sense from the attackers' perspective, as Gal Nakash, co-founder and CPO at identity-based SaaS security company Reco, explains.

"Building a sophisticated testing environment for a campaign is challenging," Nakash says. "Leveraging less interesting or poorly secured victims is more effective and increases the likelihood of remaining undetected by security tools."

In June, South Africa's National Health Laboratory Service (NHLS) confirmed it was dealing with a ransomware attack that significantly affected the dissemination of lab results as the country was responding to an outbreak of mpox (previously known as monkeypox). The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country's nine provinces. The spokesperson declined to say which ransomware group was behind the incident or whether a ransom was paid.

**Signs and Guardrails**

So how can African businesses identify these potential "ransomware testing" campaigns? Richard points out that, unlike traditional ransomware attacks that target specific industries like finance or energy, these campaigns might target a wider range of businesses.

Traditionally, ransomware gangs have a well-defined appetite: high-value sectors like finance, manufacturing, and energy. A recent surge in attacks targeting a wider range of businesses across various industries in Africa could be a red flag, indicating a testing campaign in progress.

Performanta's research also validates this concern. The report reveals a "large increase in financial/banking trojans with a 59% increase in Kenya and a 32% increase in Nigeria across a single quarter," suggesting gangs are casting a wider net.

Performanta's report suggests African organizations may not be fully prepared for this shift in attack tactics. While Nakash expresses confidence in the capabilities of modern cybersecurity solutions like extended detection and response/endpoint detection and response (XDR/EDR), he acknowledges a lack of widespread adoption. But he says that businesses that regularly update their cybersecurity controls and policies can stop attackers dead in their tracks.

"This includes maintaining visibility into their entire network environment, encompassing cloud, SaaS \[software-as-a-service\], on-premises infrastructure, and all the applications they use daily," Nakash says. "Critical applications should be mapped, and robust policies and alert notifications should be set up to identify and address any violations or misconfigurations that could create potential security vulnerabilities."

However, to spot the wider trend of test campaigns requires national coordination and strategy, as well as regional cooperation. The Africa Center for Strategic Studies cites several regional initiatives, such as Afripol, but warns that only 17 countries on the continent even have a national cybersecurity strategy.

**Building a Strong Defense**

What businesses on the continent need to stay cybersafe is a foundational approach — doing the basic things the right way. Ensuring that all configurations adhere to best security practices and setting up alert notifications for any suspicious activity are essential steps to prevent potential threats.

"Organizations need thorough visibility into their entire network environment, including cloud and on-premises infrastructure," Nakash says.

The fight against cybercrime requires a united front, says Guy Golan, executive chairman and CEO at Performanta.

"The West and Africa must implement long-term collaborative efforts to build a strong defense against this threat," he says. By sharing knowledge, resources, and best practices, both continents can work together to create a more secure digital landscape for all.

Building resilience against these attacks isn't just about protecting individual businesses; it's about safeguarding the future of Africa's booming digital economy.

"The solution lies in long-term collaborative efforts. Only then can we effectively combat this growing threat," says Richard.

**About the Author**

Contributing Writer

Kolawole Samuel Adebayo is a Harvard-trained tech entrepreneur, tech enthusiast, tech writer/journalist, and an executive ghostwriter. He has 10+ years of experience covering various tech news stories, writing thought leadership blogs, reports, datasheets, and case studies. His areas of expertise include cybersecurity, AI, ML, DevOps, blockchain, metaverse, and big data for C-level executive audiences. He has written for several publications, including VentureBeat, RSI Security, NWTechs, WATI Security, Draft.dev, Codecov, Teleport, Doppler, HotCars, and many more. He is also an award-winning poet, with works published in several journals around the world.

Source

DARKReading