An environment that values creativity, continuous learning, and calculated risk-taking can prevent boredom while building a resilient, adaptable team ready to tackle whatever challenges come their way.

Source: ronstik via Alamy Stock Photo

COMMENTARY

We're so fixated on external threats that we usually fail to look within. Boredom in IT teams often led by technical debt is a real problem, and it's costing companies more than they realize. Cyber threats are evolving, and our approach to combating these threats needs to evolve alongside it. Security is now a problem we need to tackle at all levels, but essentially, it requires a team of reactive developers that can tackle these threats at the start of the development life cycle. The engagement level of your IT team should really be a security concern.

**The Ripple Effect of Boredom**

Think about the last time you were genuinely excited about a project. It's likely it involved building innovative solutions or solving complex problems. That's no coincidence. The best software engineers thrive on creativity, continuous learning, and curiosity. 

When IT teams get stuck maintaining legacy systems or performing repetitive tasks, that fuel starts to run dry. The result is a team that's not just bored but actively falling behind in an industry that never stops moving forward.

How do you spot boredom? I've seen it plenty of times in my own career. Typical warning signs include:

*   Technical debt accumulates: Small issues can easily compound into major headaches and, if not solved immediately, create tedious work in the future. As one of our clients experienced, what began as a "we'll fix it later" API workaround ended up costing months of refactoring when they needed to scale.
    
*   Innovation stagnates: Boredom kills creativity. Consider how a simple idea like containerization revolutionized deployment practices. These innovations don't come from teams going through the motions, they emerge when curious minds are given room to explore.
    
*   Skills atrophy: The tech world moves fast. If your team isn't learning, they're falling behind. I've seen teams struggling with cloud migrations because their skills were anchored in on-premises solutions. The cost isn't solely in retraining but in the missed opportunities and the inability to leverage new technologies effectively.
    
*   Talent exodus: The best engineers won't stick around if they're not challenged. Expect increased turnover.
    
*   Security vulnerabilities increase: Engaged teams are your first line of defense against cyber threats. When developers are invested in their work, they're more likely to spot potential security issues early. Bored teams, on the other hand, might miss critical vulnerabilities hidden in seemingly routine code. 
    
*   Product quality suffers: Passionate developers think about edge cases, user experience, and long-term maintainability. When motivation is eroded, so is attention to detail. This could manifest as buggy releases, poor user experiences, or systems that become increasingly difficult to maintain over time.
    

**How to Keep Things Interesting **

Even cutting-edge teams can fall into ruts if they're not careful. The key factor isn't necessarily the age of the technology, but the approach to working with it. Are you just keeping the lights on, or are you constantly looking for ways to improve and evolve your systems?

So, how do we fix this? Installing ping-pong tables or providing free snacks isn't quite what you should be after. The first priority is creating an environment where creativity and innovation can thrive, and where security is more than a boring checklist. 

Here are some concrete steps to take to wake up and engage your IT team:

*   Allow space for creativity and exploration: Set aside dedicated time for your team to exercise their creativity and curiosity. For example, implement a "10% time" policy where developers can work on self-directed projects one afternoon a week. This could lead to innovations like a new internal tool that streamlines your deployment process, or a creative solution to a long-standing bug.
    
*   Modernize and automate the boring stuff: Actively look for opportunities to introduce new tech — and do that by listening to the devs themselves and what tech they want to work with daily. Aggressively reduce false positives and noise in your workflows. Implement tools that automate repetitive tasks and filter out low-impact alerts. This frees up your team to focus on challenging, high-value problems. 
    
*   Give developers ownership of security: Instead of treating security as a separate, boring checklist, integrate it into the development process. Make security accessible to developers by giving them the tools and knowledge to "shift left" — addressing security early in the development cycle. This turns security from a chore into an engaging part of the creative process.
    
*   Implement a "get back to building" mindset: Focus on letting developers do what they love — building. Structure workflows to minimize interruptions and context-switching. For example, set up "no-meeting Wednesdays" or four-hour blocks of uninterrupted development time. This allows for deep work and the satisfaction of seeing projects progress.
    
*   Encourage continuous learning with practical applications: Provide context-rich, actionable information in your training efforts. Instead of generic training sessions, tie learning directly to ongoing projects. For instance, when introducing a new security tool, frame it as a workshop where the team applies it to a current development challenge.
    
*   Simplify and streamline processes: Look for ways to simplify your development and security processes. Could your code review process be streamlined? Is your deployment pipeline overly complex? Engage your team in finding elegant solutions to these challenges. The process of simplification itself can be a motivating and creative exercise.
    
*   Implement "security as code": Treat security configurations and policies as code. This not only improves consistency and version control but also makes security work feel more like a core development task rather than an external obligation.
    

The goal isn't to implement every new idea or chase every trend. It's about creating a culture where ideas flow freely, challenges are framed as learning opportunities, and your team feels encouraged to be creative. If you create an environment that values creativity, continuous learning, and calculated risk-taking, you can not only fight boredom, you can also build a resilient, adaptable team ready to tackle whatever challenges come their way.

Take a look at your team. Are they just going through the motions, or are they genuinely engaged? If it's the former, it's time to shake things up.

**About the Author**

Security Researcher & Advocate, Aikido

As a security researcher and advocate at Aikido, Mackenzie spends his days translating security jargon into human speak and convincing developers that they can care about security without sacrificing their will to live. He loves creating and advocating for security tools that easily integrate into the development process, focusing on reducing alert fatigue and improving the overall developer experience in security implementations.

Before joining Aikido, Mackenzie served as a developer advocate at GitGuardian for more than four years and co-founded and acted as chief technology officer (CTO) for Conpago, a technology company focused on combating social isolation among the elderly through innovative communication devices. Mackenzie is the host ofThe Security Repopodcast, where he explores emerging tech topics in cybersecurity and interviews other experts. In his personal time he brings cybersecurity stories to life in The Red Team Chronicles comic series. Mackenzie also regularly speaks at tech conferences like DevOxx, DefCon, NDC and BlackAlps.

Boredom Is the Silent Killer in Your IT Systems

Researchers have uncovered one of the first examples of threat actors using artificial intelligence chatbots for malware creation, in a phishing attack spreading the open source remote access Trojan.

Source: Irene R via Shutterstock

Threat actors have used generative artificial intelligence (GenAI) to write malicious code in the wild to spread an open source remote access Trojan (RAT). It's one of the first observed examples of attackers weaponizing the chatbot technology for this purpose.

Researchers from HP Wolf Security have found evidence of the campaign, in which the attackers used GenAI to help them write VBScript and JavaScript code that was then used to distribute the AsyncRAT, an easily accessible, commercial malware that can be used for controlling a victim's computer.

The researchers first noticed the behavior when investigating a suspicious email in June. It had "an unusual French email attachment" posing as an invoice, HP Wolf Security revealed in its "Threat Insights Report" (PDF) for this month. The researchers ultimately discovered a campaign that was using both scripting types — code that was not, as it usually is, obfuscated — to spread AsyncRAT.

"The scripts' structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," according to the report.

It's widely believed that attackers already have used GenAI to help them write more convincing phishing emails, but so far there has been little evidence of the use of the technology to write malicious code, largely because legitimate chatbot tools have guardrails that prevent malicious use. However, security experts have known since the advent of the technology that it was only a matter of time before threat actors would find a way around those gates, and malicious chatbot development is a phenomenon on the Dark Web.

Related:Dark Reading Confidential: The CISO and the SEC

The campaign demonstrates that attackers are quickly leveling up in their use of GenAI in a way that should put defenders on alert, the researchers noted. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints or malicious files before they even reach someone's inbox," according to the report.

**Investigating a Malicious Email Campaign**

Once the researchers discovered the disguised invoice, they dug deeper to find that the attachment was simply an HTML file which, when opened in the browser, asks for a password. At first they believed the threat to be an HTML-smuggling attack; however, it didn't behave the way other threats do in that the payload stored inside the HTML file was not encrypted inside an archive.

Instead, the file was encrypted within the JavaScript code itself, using the Advanced Encryption Standard (AES) and implementing it without making any mistakes. This meant that for researchers to decrypt the file, they needed the correct password.

Related:How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Eventually, the research team brute-forced the correct password to the file and found that the decrypted archive contained a VBScript file that, when run, starts an infection chain that ultimately deploys the AsyncRAT. "The VBScript writes various variables to the Windows Registry, which are reused later in the chain," according to the report.

Part of that infection chain is the drop of a JavaScript file into the user directory that then reads a PowerShell script from the registry and injects it into a newly started PowerShell process. The PowerShell script then makes use of the other registry variables, and runs two more executables, which start the malware payload after injecting it into a legitimate process.

**Unpacking GenAI-Generated Scripts**

It was through a deeper analysis of both the VBScript and the JavaScript used in the infection chain that the researchers noticed that the code was not obfuscated, which seemed odd because code obfuscation is something attackers typically use to cover their tracks.

"In fact, the attacker had left comments throughout the code, describing what each line does — even for simple functions," according to the report. "Genuine code comments in malware are rare because attackers want to their make malware as difficult to understand as possible."

Related:Cybersecurity Success Hinges on Full Organizational Support, New CompTIA Report Asserts

This behavior and the scripts' structure, consistent comments for each function, and the choice of function names and variables, made it reasonably clear that the attacker used GenAI to develop the scripts, according to HP Wolf Security.

Now that threat actors are starting to harness GenAI in their attack strategies, defenders also should integrate the technology into their security posture to fight fire with fire. Organizations can use GenAI to recognize patterns of threats to identify unauthorized access or malicious intent before attackers have a chance to infiltrate an environment. Indeed, the same efficiencies that GenAI create in an attack flow for malicious actors also can be leveraged by defenders to make their jobs easier, the security researchers said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

GenAI Writes Malicious Code to Spread AsyncRAT

Who needs advanced malware when you can take advantage of a bunch of OSS tools and free cloud services to compromise your target?

Source: National Picture Library via Alamy Stock Photo

A threat actor is leveraging Cloudflare Worker cloud services and other tools to perform espionage against government and law enforcement targets in and around the Indian subcontinent.

"SloppyLemming" is an advanced persistent threat (APT) that Crowdstrike (tracking it as Outrider Tiger) has previously linked to India. That attribution rings consistent with the group's latest effort to steal valuable intelligence from a wide range of sensitive organizations in countries hugging India's borders.

Among its victims: government agencies — legislative bodies, foreign affairs, defense — IT and telecommunications providers, construction companies, and Pakistan's sole nuclear power facility. Pakistani police departments and other law enforcement came under particular fire, but SloppyLemming's attacks also spread to the Bangladeshi and Sri Lankan militaries and governments, as well as organizations in China's energy and academic sectors, and there have been hints of potential targeting in or around Australia's capital, Canberra.

The campaign, described in a new blog post from Cloudflare, employs Discord, Dropbox, GitHub, and most notably Cloudflare's own "Workers" platform together in phishing attack chains that end in credential harvesting and email compromise.

**Hackers Using Cloudflare Workers**

SloppyLemming attacks generally begin with a spear-phishing email — say, a fake maintenance alert from a police station's IT department. It distinguishes itself more in step two when it abuses Cloudflare's Workers service.

Cloudflare Workers are a serverless computing platform for running scripts that operate on Web traffic flowing through Cloudflare's global servers. They're essentially chunks of JavaScript that intercept requests made to a user's website in transit — before they reach the user's origin server and apply some sort of function to them, for example, redirecting links or adding security headers.

Like other flexible, multifunctional legitimate services, Cloudflare Workers can also be abused for malicious ends. In 2020, Korean hackers used Workers to perform SEO spam, and a backdoor called "BlackWater" used it to interface with its command-and-control (C2) server; the following year, attackers used it to facilitate a cryptocurrency scam.

SloppyLemming uses a custom-built tool called "CloudPhish" to handle credential logging logic and exfiltration. CloudPhish users first define their targets, and their intended channel for exfiltration. Then the program scrapes the HTML content associated with the target's webmail login page, and creates a malicious copycat with it. When the target enters their login information, it's stolen via a Discord webhook.

**Abusing Cloud Services**

SloppyLemming has other tricks up its sleeve, too. In limited cases, it used a malicious Worker to collect Google OAuth tokens.

Another Worker was used to redirect to a Dropbox URL, where lay a RAR file designed to exploit CVE-2023-38831, a "high" severity, 7.8 out of 10 CVSS-rated issue in WinRAR versions prior to 6.23. The same vulnerability was recently used by a Russian threat group against Ukrainian citizens. At the end of this Dropbox-heavy exploit chain was a remote access tool (RAT) that engaged several more Workers.

"They use at least three, or four, or five different cloud tools," notes Blake Darché, head of Cloudforce One at Cloudflare. "Threat actors generally are trying to take advantage of companies by using different services from different companies, so \[victims\] can't coordinate what they're doing."

To make sense of attack chains that spread across so many platforms, he says, "You've got to have good control of your network, and implement zero-trust architectures so you understand what's going in and out of your network, through all the different peripheries: DNS traffic, email traffic, Web traffic, understanding it in totality. I think a lot of organizations really struggle in this area."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

The latest draft version of NIST's password guidelines simplifies password management best practices and eliminates those that did not promote stronger security.

Source: Vitalii Vodolazskyi via Shutterstock

The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.

NIST's second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types or characters or mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs were instructed to stop using knowledge-based authentication or security questions when selecting passwords.

Other recommendations include:

*   CSPs shall require passwords to be minimum of eight characters in length and should require passwords to be a minimum of 15 characters in length.
    
*   CSPs should allow passwords of a maximum of at least 64 characters.
    
*   CSPs should allow ASCII and Unicode characters to be included in passwords.
    

When NIST first introduced its password recommendations (NIST 800-63B) in 2017, it recommended complexity: passwords comprising a mix of uppercase and lowercase letters, numbers, and special characters. However, complex passwords are not always strong (i.e., "Password123!" or "q1@We3$Rt5"). And complexity meant users were making their passwords predictable and easy to guess, writing them down in easy-to-find places, or reusing them across accounts. In recent years, NIST has shifted its focus to password length, since longer passwords are harder to crack with brute-force attacks and can be easier for users to remember without being predictable.

NIST also is now recommending password resets in the case of a credential breach only. Making people change passwords frequently has resulted in people choosing weaker passwords. When passwords are sufficiently long and random, and there's no evidence of a breach, making users change it could potentially lead to weaker security.

The difference with this draft is the shift in language. Previous versions used the words "should not" while this draft says "shall not," which means the rule has moved from a suggestion to an actual requirement.

*   Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
    
*   Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
    

Public comment on this draft (via email \[email protected\]) is open until 11:59 pm Eastern Time on Oct. 7.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

NIST Drops Password Complexity, Mandatory Reset Rules

The company said the rogue update that caused disruptions on a global scale resulted from a "perfect storm" of issues.

Source: wisely via Shutterstock

A contrite CrowdStrike executive this week described the company's faulty July 19 content configuration update that crashed 8.5 million Windows systems worldwide as resulting from a "perfect storm" of issues that have since been addressed.

Testifying before members of the House Committee on Homeland Security on Sept. 24, CrowdStrike's senior vice president, Adam Meyers, apologized for the incident and reassured the committee of steps the company has implemented since then to prevent a similar failure.

The House Committee called for the hearing in July after a CrowdStrike content configuration update for the company's Falcon Sensor caused millions of Windows systems to crash, triggering widespread and lengthy service disruptions for businesses, government agencies, and critical infrastructure organizations worldwide. Some have pegged losses to affected organizations from the incident to be in the billions of dollars.

**Chess Game Gone Awry**

When asked to explain the root cause for the incident, Meyers told the House Committee that the problem stemmed from a mismatch between what the Falcon sensor expected and what the content configuration update actually contained.

Essentially, the update caused Falcon Sensor to try and follow a threat detection configuration for which there were no corresponding rules on what to do. "If you think about a chessboard \[and\] trying to move a chess piece to someplace where's there's no square," Meyers said. "That's effectively what happened inside the sensor. This was kind of a perfect storm of issues."

CrowdStrike's validation and testing processes for content configuration updates did not catch the issue because this specific scenario had not occurred before, Meyers explained.

Rep. Morgan Luttrell of Texas characterized CrowdStrike's failure to spot the buggy update as a "very large miss," especially for a company with a large presence in government and critical infrastructure sectors. "You mentioned North Korea, China, and Iran \[and other\] outside actors are trying to get us every day," Luttrell said during the hearing. "We shot ourselves in the foot inside of the house," with the faulty update. Luttrell demanded to know what preventive measures CrowdStrike has implemented since July.

In his written testimony and responses to questions from committee members, Meyers listed several changes that CrowdStrike has implemented to prevent against a similar lapse. The measures include new validation and testing processes, more control for customers over how and when they receive updates, and a phased rollout process that enables CrowdStrike to quickly reverse an update if problems surface. Following the incident, CrowdStrike has also begun treating all content updates as code, meaning they receive the same level of scrutiny and testing as code updates.

**Multiple Changes**

"Since July 19, 2024, we have implemented multiple enhancements to our deployment processes to make them more robust and help prevent recurrence of such an incident — without compromising our ability to protect customers against rapidly-evolving cyber threats," Meyers said in written testimony.

Meyers defended the need for companies like CrowdStrike to be able to continue making updates at the kernel level of the operating system when committee members probed him about the potential risks associated with the practice. "I would suggest that while things can be conducted in user mode, from a security perspective, kernel visibility is certainly critical," he stated. In its root cause analysis of the incident, CrowdStrike noted that considerable work still needs to happen within the Windows ecosystem for security vendors to be able to issue updates directly to user space instead of the Windows kernel.

**Missing the Bigger Picture?**

But some viewed the hearing as not going far enough to identify and focus on some of the more significant takeaways from the incident. "To think of the July 19 outage as a CrowdStrike failure is simply wrong," says Jim Taylor, chief product and technology officer at RSA. "More than 8 million devices failed, and it's not CrowdStrike's fault that those didn't have backups built to withstand an outage, or that the Microsoft systems they were running couldn't default to on-premises backups," he notes.

The global outage was the result of organizations for years abdicating responsibility for building resilient systems and instead relying on a limited number of cloud vendors to carry out critical business functions. "Focusing on one company misses the forest for the trees," Meyers says. "I wish the hearing had done more to ask what organizations are doing to build resilient systems capable of withstanding an outage."

Grant Leonard, chief information security officer (CISO) of Lumifi, says one shortcoming of the hearing was overemphasis on the root cause of the outage and relatively less focus on lessons learned. "Questions about CrowdStrike's decision-making process during the crisis, their communication strategies with affected clients, and their plans for preventing similar incidents in the future would have provided more actionable insights for the industry," Leonard says. "Exploring these areas could help other companies improve their incident response protocols and quality assurance processes."

Leonard expects the hearing will result in a renewed emphasis on quality assurance processes across the cybersecurity industry. "We will likely see an uptick in solid reviews and trial runs of business continuity and disaster recovery plans," he says. The incident could also lead to a more cautious approach to auto-updates and patching across the industry, with companies implementing more rigorous testing protocols. "Additionally, it could prompt a reevaluation of liability and indemnity clauses in cybersecurity service contracts, potentially shifting the balance of responsibility between vendors and clients."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CrowdStrike Offers Mea Culpa to House Committee

There will be four major categories in the 2025 retread of the hacking competition, with prizes ranging for each challenge, from $20,000 to half a million.

Source: Zoonar GmbH via Alamy Stock Photo

The Pwn20wn Automotive contest will be returning to Tokyo in 2025 for its second year, offering a new set of challenges and winnings of more than $1 million in cash and prizes.

A random drawing will determine the schedule of attempts the day before the contest begins, focusing on four categories: Tesla, in-vehicle infotainment (IVI), electric vehicle chargers, and operating systems.

Each of these categories have individual targets and vary in prize amounts. In the Tesla category, the highest prize is half a million dollars for the Autopilot target in the "full remote with unconfined root" subcategory. The other three categories have fewer targets and smaller prize offerings, ranging from $20,000 to $60,000. Points are accumulated for each successful attempt on each target, and the participant with the most points by the end of the competition will earn the Master of Pwn crown and instant Platinum status in 2026.

The rules of the contest can be found on the Zero Day Initiative (ZDI) website, and can change without notice, so participants should regularly update themselves on the guidelines. Registration closes on Jan. 16, 2025, at 5 p.m. Japanese Standard Time.

**About the Author**

Pwn2Own Auto Offers $500K for Tesla Hacks

The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.

Source: BSIP SA via Alamy Stock Photo

A freshly discovered advanced persistent threat (APT) dubbed "Salt Typhoon" has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

Citing "people familiar with the matter," the Wall Street Journal broke the news on Sept. 25 that the Chinese-sponsored state hackers have successfully targeted "a handful" of cable and broadband service providers during the campaign.

Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.

**A Sprinkle of Espionage, A Dash of Pre-Positioning**

For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies. 

"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISP's users, where they live and billing information, and what kind of access or usage they have, \[who they call, and\] text messages."

But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.

"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from \[the Cybersecurity and Infrastructure Security Agency\] and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from 'blinking the lights' to dissuade US intervention to actively delaying or crippling a US response to Chinese activities."

There's precedent for that assessment. Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure — all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.

**China's Recipe: Targeting Telecom, ISPs, Critical Infrastructure**

The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.

For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.

There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda) that recently attacked Taiwanese government agencies, Filipino and Japanese military, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.  

On top of that, other China-linked groups have made a name for themselves in specifically targeting communications service providers, such as Mustang Panda, especially in Taiwan and other countries of interest.

"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create 'persistence' in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."

He adds that lurking and listening is a specialty: "While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered."

**Communications Service Provider Defenses Need Seasoning**

The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.

Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that firmware and supply chain attacks using core network gear could both be attack avenues against ISPs.

"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited, if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."

In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.

Still, "as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs

Though the critical vulnerability was patched in August, Ivanti is reminding customers to update as soon as possible as attacks from unauthenticated threat actors start circulating.

Source: Kristoffer Tripplaar via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) has added a third Ivanti vulnerability to the agency's Known Exploited Vulnerabilities (KEV) Catalog in as many weeks.

CVE-2024-7593 is a virtual traffic manager authentication bypass vulnerability that could be exploited by a remote unauthenticated attacker to bypass the admin panel and create their own admin accounts. The vulnerability stems from incorrect implementation of an authentication algorithm in older versions of Ivanti vTM.

The bug was given a high-severity core of 9.8 and was patched with the release of vTM versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, and 22.7R2 in August. 

At the time, Ivanti noted that a proof-of-concept was available and that customers should upgrade to the latest patched version of vTM as soon as possible. However, it's unclear whether the vulnerability is being exploited in the wild and, if so, who might be behind it.

As noted, this wouldn't be the first Ivanti vulnerability to come under active exploitation in recently; two flaws affecting the vendor's Cloud Service Appliance — CVE-2024-8963 and CVE-2024-8190 — have also been exploited by malicious actors.

**About the Author**

Third Ivanti Bug Comes Under Active Exploit, CISA Warns

While these threats remain a valid concern, US government agencies have doubled down on their assurances to the American public that election infrastructure is secure.

Source: Tetra Images via Alamy Stock Photo

COMMENTARY

Adversaries of the United States have been hard at work in advance of the 2024 presidential election. Rather than direct attacks against infrastructure such as voting machines, these nation-state actors — primarily from Russia, China, and Iran — are using cyber operations to stoke discord and influence election outcomes.

The good news is, US leaders have been preparing for these threats for years — and adversaries' efforts have largely been ineffective, despite significant resources invested. Even new artificial intelligence-powered tactics have resulted only in "incremental" productivity and content-generation gains, according to Meta.

Nevertheless, nation-state attacks are a concern. Covert influence campaigns are underway, attempting to: exploit university protests related to the Israel-Hamas conflict in order to erode Americans' trust in US institutions; reduce domestic support for providing military and financial aid to US allies like Ukraine; support and/or undermine political candidates based on whether their policies are perceived as favorable; and more.

**Russia Continues to Dominate Disruption**

Employing a whole-of-government strategy, the Russian government has been the most prolific adversary attempting to disrupt and influence US elections. Operations have increased since 2022, with Russia remaining the top source of disinformation networks disrupted on Facebook and Instagram. Russia recently attempted to impersonate US citizens and media organizations, and Meta has removed more than 5,000 accounts and pages linked to Russian propaganda network Doppelgänger since May 2024. Generative AI (GenAI) is also boosting Russia's capabilities, scaling campaigns via content creation, translation capabilities, and image creation.

Russian operatives have stood up several inauthentic news portals, taking advantage of the increasing trend among Americans to seek news from alternative sources. Fake news websites now outnumber legitimate local news sites, in large part thanks to Russia.

The war in Ukraine has not slowed these efforts, though the Kremlin has outsourced some cyber operations to private contractors.

Russia likely will promote candidates who oppose aid to Ukraine, attack those who support Ukraine, and undermine popular support for Ukraine in swing states.

Due to increased government and researcher scrutiny — such as the Department of Justice's criminal investigation into Americans who have collaborated with Russia's state television networks — Russia-backed campaigns have responded by significantly changing their tactics. Meta reported "notable shifts" in Doppelgänger's operational tactics in response to "aggressive enforcement." But these efforts are unlikely to impact Russia's long-term operations, given its deep pockets and near-unlimited resources. 

**Iran Rises in Prominence**

The government of Iran has emerged as a more significant threat this year than in previous election cycles. The US-Iranian relationship remains tense, and Iran's cyber activities are likely to continue as a tool of statecraft. Like Moscow, Tehran undoubtedly views the election as consequential for its own interests and will attempt to shape the outcome.

Iran's objective is to undermine confidence in democratic institutions and carry out aggressive cyber activities on multiple fronts to gather intelligence. Iranian cyberattacks recently attempted to access sensitive US election information. Other recent attacks targeted the Trump and Biden-Harris presidential campaigns, and breached the email of Roger Stone, a longtime Trump ally and political adviser.

Separate reporting indicates Iranian actors have also spent recent months creating fake news sites and impersonating activists, laying the groundwork to stoke division and potentially sway American voters this fall, especially in swing states.

**China Works to Divide Voters**

The Chinese government continues to amplify polarizing domestic issues ahead of the US elections, increasingly targeting specific candidates and parties. However, China's interference likely will remain limited compared with Russia and Iran, in order to avoid risking its diplomatic relations with the US government.

Nevertheless, Chinese influence campaigns have grown more sophisticated, including Spamouflage Dragon. China has also increased its use of AI-generated content. Chinese operatives use fake social media accounts to poll voters to identify and better understand the most divisive issues in American society. The number of these sock-puppet accounts, likely run by the Chinese Communist Party (CCP), have continued to steadily grow since their emergence in 2023. These operations have achieved very little organic engagement, despite thousands of assets being deployed. Still, there appears to be a clear effort to improve China's understanding of the American political landscape and become more effective at future interference.

**The US Retaliates With Disruption**

Disruption is the name of the game when it comes to defending against these threats. US government agencies continue to name and shame these activities, taking some wind out of adversaries' sails.

In the private sector, some companies are taking a more active approach to identifying influence operations, countering bogus accounts, and taking down infrastructure. Some of these efforts seem effective, with adversaries scrambling to stay operational.

However, tech layoffs have hampered teams responsible for trust and safety, and some social media platforms are retreating from the misinformation fight. The most dramatic pullback has been from social platform X, where misinformation now proliferates under the banner of free speech. The impact on US elections remains to be seen. 

Russia, China, Iran, and other adversaries will continue to target US elections because they know that a united, strong America is not in their own national interest. Thankfully, while these threats remain a valid concern, US government agencies have doubled down on their assurances to the American public that election infrastructure is more secure than ever.

**About the Author**

Cyber Threat Intelligence Analyst, LastPass

Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how geopolitical trends influence current threats. In her current role as cyber threat intelligence analyst at LastPass, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as vice president, cyber threat intelligence nation-state lead at Bank of America, where she specialized in defending against nation-state and criminal cyber threats. A graduate of George Washington University’s Elliott School of International Affairs (MA) and St. Edward’s University (BA), Stephanie currently lives in Washington, DC.

How Russia, China &amp; Iran Are Targeting US Elections

The advanced Python-based PysSilon malware can steal data, record keystrokes, and execute remote commands. The attackers behind it are promising to leak details of deleted X posts related to accused rapper and music producer Sean Combs.

Source: Photo 12 via Alamy Stock Photo

Threat actors are using the public's interest in a current scandal surrounding celebrity rapper Sean "Diddy" Combs to spread spyware, via files promising to reveal details of deleted posts related to Combs from the X social media platform.

Researchers have uncovered a version of the open source PySilon RAT, a remote access Trojan called "PdiddySploit" hiding in files posted online and then submitted to VirusTotal, according to analysis from Veriti Research published Sept. 24.

PySilon RAT is an advanced Python-based malware that can steal sensitive information, record keystrokes, capture screen activity, and execute remote commands, posing "serious threats to personal and organizational security," according to the post by Veriti.

Combs (aka P. Diddy), a rapper, record producer, and entrepreneur who has been in the public eye since the 1990s, is facing multiple charges of sexual assault and misconduct in New York, which has thrust him into the recent media spotlight. One area of acute public interest are controversial posts related to Combs and alleged illicit activity on X by fellow celebrities and musicians, such as Usher and Pink, as well as Combs himself that have since been deleted, according to Veriti.

"One of the most concerning aspects of this trend is the use of files related to Combs' social media activity, particularly from X.com," according to the post.

Related:Security Concerns Plague Emerging Chip Architecture

Specifically, the researchers uncovered files containing posts and replies from Combs' now-deleted account on VirusTotal, where they were uploaded by a user named @lamps\_apple. "These files are part of an automated process of 'collecting posts and replies,' but they pose a high risk because they can be easily armed with malicious payloads," according to Veriti.

**Taking Advantage of Current Events**

The activity demonstrates how attackers are quick to take advantage of current events or media stories of interest to the public to spread malware by weaponizing content related to them. One clear example of this activity was during the COVID-19 pandemic, when multiple phishing and other malicious campaigns leveraged public interest in the virus and other health-related topics to spread malware.

"Given the intense media coverage surrounding P. Diddy and other public figures, attackers are using these files to lure curious users into downloading them, only to be infected with malware," according to Veriti. "The fact that P. Diddy and others have deleted their social media content adds an additional layer of intrigue, tempting users to open these files to see what was deleted."

Related:How to Establish & Enhance Endpoint Security

PsySilon RAT — discovered in 2022 — also has seen a surge in recent use by multiple threat actors, with more than 300 samples reported on VirusTotal since June 2023, according to Cyble Research and Intelligence Labs (CRIL). Attackers use the malware to infiltrate systems, steal information, and even control devices remotely, according to Veriti.

PsySilon RAT is currently in version 3.6 and has been detected in numerous samples that imitate software, tools, and cracks, which likely originate from phishing websites, free software-downloading websites, and the like, according to Cyble.

Given the discovery of the RAT lurking behind the cover of PdiddySploit, it's likely that as the related scandal continues to attract attention, even more attackers will "leverage this malware to exploit public interest," according to Veriti.

**Don't Let Curiosity Cloud Safe Judgment**

It's perfectly natural for people to take an interest in trending topics and celebrity scandals, the researchers noted. However, that doesn't mean people should throw caution to the wind when interacting with any related files or content online.

"Curiosity can be dangerous," Veriti researchers warned, especially as attackers are well-versed in social engineering and "are always looking for ways to exploit human nature."

Related:RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary

To avoid falling prey to attackers aiming to capitalize on this and other news of public interest, Veriti advised that people avoid downloading suspicious files, especially if they encounter files claiming to contain deleted posts or exclusive content related to a celebrity scandal. They should always verify the source of these or any files before downloading something from the Internet, the researchers noted.

People also should be wary of email attachments because phishing emails remain a primary way that attackers spread malware. "If you receive an email with attachments related to the P. Diddy scandal, think twice before opening it," according to Veriti. Using up-to-date antivirus software and other protections to secure email accounts also effectively can delete malware or malicious files before they even reach someone's inbox.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading