To maintain AI leadership, Congress and regulatory agencies must recognize that our foreign competitors are working to surpass us.

Haiman Wong, Fellow, Cybersecurity & Emerging Threats, R Street Institute

September 25, 2024

3 Min Read

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

As a global leader in artificial intelligence (AI) innovation, the United States currently enjoys a significant competitive advantage economically, militarily, and technologically. To maintain this leadership, Congress and federal regulatory agencies must avoid complacency and recognize that our foreign competitors are diligently working to surpass us.

According to a recent report by the United Nations World Intellectual Property Organization, China filed more than 38,000 generative AI patents between 2014 and 2023, demonstrating its aggressive push to dominate AI advancement. This surge in patent activity underscores the critical need for the United States to accelerate its ongoing research and development efforts to maintain our global AI leadership.

To meet the demands of this moment, the US federal government must focus on three strategic AI research and development priorities that enhance our cyber resilience and national defense:

**1\. Clarifying the Definitions of Key AI-Related Terms**

Ambiguity and inconsistency in AI terminology continue to pose significant risks and challenges. Without precise and consistent definitions for key AI-related terms like "open source AI," "AI security," and "trustworthy AI," our country faces challenges in ensuring the responsible use of AI. Focused research and development efforts toward closing this gap can help create a more comprehensive and nuanced taxonomy, mapping out potential varying definitions and detailing parameters. For example, standardizing the term "AI security" could not only help promote secure development practices but also address emerging challenges like prompt injections and ensuring visibility into AI usage across organizations to prevent data leaks.

By systematically analyzing and standardizing terminology through collaborative efforts across academia, industry, and government stakeholders, the United States can lay a foundation for developing robust strategies that protect our national security and promote cyber resilience.

**2\. Developing a Scientific Understanding of AI**

A comprehensive scientific understanding of AI's limitations and capabilities is vital for assessing its impact and countering adversarial threats. The recent Private and Civil Liberties Oversight Board (PCLOB) AI Forum emphasized the importance of continuous research to measure AI's safety and reliability throughout its life cycle. To address this need, focused and strategically aligned research and development efforts are essential.

By developing ways to measure, test, audit, and evaluate AI capabilities, we can establish reliable methods to quantify AI's performance. These methods are critical for conducting accurate risk assessments and for our ability to continually improve AI systems and uses. Building a scientific understanding of AI, led by agencies like the National Institute of Standards and Technology (NIST) in collaboration with industry, academia, and other federal partners, will bolster our national and cybersecurity defenses by ensuring that AI systems are safe, reliable, and effective under various conditions and adversarial scenarios.

**3\. Developing AI Standards Adhering to US Mission and Values**

Establishing AI standards that reflect our mission and values, such as transparency and accountability, is crucial for maintaining national security. The PCLOB AI Forum also highlighted the importance of developing clear standards that guide acceptable and non-acceptable uses of AI, particularly in the intelligence community.

Research and development can support this effort by identifying best practices and creating robust frameworks that ensure AI technologies are deployed ethically and securely. By focusing on these priorities, we can ensure that AI advancements align with American values and strengthen our national security and cybersecurity. This makes the development of AI standards an urgent and essential aspect of AI research and development.

Recognizing AI's pivotal role in national security, policymakers have already made significant investments in its advancement. To ensure these efforts remain focused and strategically aligned, Congress must consider targeted legislative measures while empowering federal agencies to facilitate coordination, promote public-private partnerships, and set actionable research and development priorities that encourage innovation within these established guidelines.

By prioritizing the clarification of key AI-related terms, building a scientific understanding of AI, and establishing AI standards that adhere to our mission and values, the United States can maintain the momentum of our advancements in AI and meet our cyber resilience and national defense imperatives.

**About the Author**

Fellow, Cybersecurity & Emerging Threats, R Street Institute

Haiman Wong is a fellow for the R Street Institute’s Cybersecurity and Emerging Threats team. Outside of R Street, she serves as a co-chair in the AI Safety, Cybersecurity, and Inclusion Through Advanced Text Analytics minitrack at the Hawaii International Conference on System Sciences (HICSS). 

Before joining R Street, Haiman was a cyber threat intelligence associate and data scientist at Northern Trust, where she used NLP techniques to analyze more than a million cybersecurity logs. She also advised executive leadership on emerging cyber threat activities to shape the firm’s global cyber defense strategy. 

Haiman is a doctoral candidate at Purdue University, exploring the intersection of technology leadership in innovation and the influence of emerging technologies on the democratic exchange of digital information. She holds a master’s degree in data science with a cybersecurity concentration, and a bachelor’s degree in interdisciplinary studies (communications, legal institutions, economics, and government) from American University.

US May Be Losing the Race for Global AI Leadership

Crafty bad actors can infect all of an organization's virtual machines at once, rendering tier-one applications useless.

Morey Haber, Chief Security Officer, BeyondTrust

September 25, 2024

5 Min Read

Source: Panther Media via Alamy Stock Photo

COMMENTARY

For at least the past 20 years, virtual machines and enterprise-ready hypervisors were marketed, sold, and adopted as the future of server-based computing. Dedicated power-hungry servers sitting in racks on a raised floor were replaced by systems architected to host multiple virtual servers simultaneously and to optimize resources based on load. The time of idle RAM, underutilized networks, and free hard disk storage was transformed by load-balancing technology, shared resources, and CPU prioritization to minimize costs, energy, and footprint. The goals were achieved, and the technology worked.

When organizations began shifting their tier-one mission-critical servers to virtual machines, the need to provide redundancy and high availability to meet uptime service-level agreements became paramount. Virtual machine hypervisors introduced redundancy technology, mirroring, real-time backups, cold spares, and myriad other solutions to mitigate the risks of an outage both in hardware and software. This technology even included mitigations for the hypervisor itself, just in case it became fully unavailable.

However, what happens if all of your hypervisors become unavailable — in essence, if all of your virtual data centers went offline, including all redundancy? This risk was not a consideration in the past, based on the maturity of virtualization, but today it poses a real threat and is why tier-one applications should no longer be virtualized. Why? Read on.

**Hypervisor Attacks on the Rise**

In the past few years, hypervisors have been targeted in high-profile malware and ransomware attacks. Instead of just attacking the data on a server, or a server or workstation operating system, threat actors have become brazen in attacking hypervisors and encrypting all the virtual machines hosted by the system. And if the attack vector is crafty enough, it can infect all virtual machines and hypervisors, regardless of their geolocation and backup status, simultaneously. This essentially renders all technology hosted as a virtual machine — including your tier-one applications — useless and unable to complete their mission.

So how did this change come about? Vulnerabilities, exploits, poor identity security, malware, social engineering, and, of course, ransomware. To understand this risk, let us look at some exploits that affected VMware, a leading enterprise virtualization technology, and some of its key components.

According to CVE Details, since Jan. 1, 2020, there have been 334 reported vulnerabilities for all VMware solutions. Of those, 19% were critical and, if exploited, could lead to a compromise of the affected VMware solution.

However, at least two are especially important to this discussion, despite their age: CVE-2021-21974 and CVE-2020-3992. Each could lead to a full hypervisor outage if exploited. The obvious answer from many security professionals is to patch. However, when patching these vulnerabilities, the entire hypervisor generally needs to be taken offline and all virtual machines paused or stopped to complete the upgrade. If the environment is large, potentially dozens or even hundreds of virtual machines may need to come offline. That type of outage is typically lengthy and unacceptable for tier-one applications.

**Migrate to a More Fitting Solution**

Most organizations will avoid patching due to the downtime alone, instead using other mitigations to avoid exploitation. This, however, does not solve the problem. If the hypervisor or any of its components are exposed to the Internet, these vulnerabilities are ticking time bombs. Not patching critical vulnerabilities will lead to exploitation at some point. The rise in hypervisor-based vulnerabilities is increasing and will continue to escalate, as shown by CVE Details data.

Therefore, organizations have four potential solutions:

1.  Continue to include tier-one applications as virtual machines but ensure maintenance is up to date, accept downtime, and continue running as originally designed.
    
2.  Do not include tier-one applications in virtual environments. Deploy them as physical hardware and plan to patch them regularly as physical implementations to remediate the risks.
    
3.  Stop hosting tier-one applications in virtual environments and using dedicated hardware on-premises altogether. Move them to the cloud and let the provider maintain the application and hypervisor, as well as manage back-end risks like upgrades, for you.
    
4.  Modernize your ecosystem and migrate the tier-one application to a software-as-a-service (SaaS) solution.
    

Choosing your path requires some analysis and decisions before taking down your unpatched virtualized tier-one applications. First, categorize all applications by mission criticality. Is it a tier-one application, where any outage is unacceptable to the business, or a tier-two application, where downtime is acceptable (if it's minimal) for hypervisor patching? Next, which tier-one applications can be cloud-washed — that is, directly moved to a hypervisor in the cloud and maintained by the provider — or replaced by a modern SaaS solution? Most organizations prefer a SaaS solution because it does not need virtual machine maintenance like their on-premises counterparts. That is one of the biggest benefits of SaaS.

Once you have made these decisions, your organization needs to separate tier-one applications from on-premises hypervisors. Like any other technology migration, document all planning, testing, requirements, service-level agreements, and so forth so that you can measure success. In the end, however, the risk mitigation is priceless, since the business no longer has to accept the risk of unpatched hypervisors and the potential for mass exploitation of ransomware.

In my opinion, tier-one applications should not depend on hypervisors to ensure availability. Points of failure for such applications should be minimized. In recent years, attacks against hypervisors have proved that the risks are real and may no longer be acceptable to a business. This is why I believe tier-one applications should no longer be implemented using on-premises virtual machines.

**About the Author**

Chief Security Officer, BeyondTrust

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing intelligent identity and access security solutions, as well as BeyondTrust's own internal information security strategies.

Keep Tier-One Applications Out of Virtual Environments

Leaders in professional athletics lament the realities and risks of growth in connected stadium environments, social networks, and legalized gambling.

Source: Robert Landau via Alamy Stock Photo

Professional sporting events have long been prime targets for violent attacks and terrorism, given their vast audiences. In recent years, these events have become targets of cyberattacks as adversaries exploit venue operations to disrupt events, abuse payment systems for fraud, breach networks to steal data, and take advantage of how athletes interact with fans.

While game time is pivotal, there are many other vulnerabilities to which sports franchise operators and event organizers must apply resources, including a growing and increasingly fragmented ecosystem of stakeholders like broadcast and streaming partners, ticket distributors, and legalized gambling platforms.

"We've done pretty well so far," said Betsy Cooper, director of the Aspen Institute tech policy hub, during a panel at the 2024 Aspen Cyber Summit in Washington, DC. Despite the expanded threat, operators of major franchises, leagues, and international events (such as the Olympic games in Paris) believe their proactiveness has prevented devastating events that other industries have faced.

**1\. Athletes Need More Training**

Athletes are increasingly relying on social media and technology platforms to engage with fans and develop their brand. "I represent a lot of athletes, and a lot of them depend heavily on social media to build their brand and build their audience," Jaia Thomas — founder of Diverse Representation, a group of African American agents, attorneys, managers, PR reps, and financial advisors for athletes and entertainers — said during the panel discussion. "A lot of mistakes happen along the way, and they're not always the most tech-savvy people."

These athletes are also quite young and may be unaware that using these platforms exposes them to potential ransomware attacks or increased risks of being doxxed. "You're talking about kids, for the most part, that make up these teams, and the education piece needs to be strengthened," Eric Tysarczyk, senior vice president of the National Hockey League, said on the panel.

**2\. Event Attendees Are Vulnerable**

Now that most events only accept e-tickets, almost all attendees have phones with them. The NHL says fans need to take precautions with their mobile devices.

"Imagine if everyone that was in that arena is walking around with all their personal data taped to their back on a piece of paper, and how attractive that arena would be to a malicious actor to get in and just start cultivating all that data," Tysarczyk said.

**3\. Partnerships Are Critical for Major Events**

Reynold Hoover, the CEO of Los Angeles 2028 Olympic & Paralympic Games, told panel attendees that one of the reasons there were no disruptive cyberattacks during the Summer Olympics in Paris was due to information sharing across law enforcement and partners. The most notable activity leading up to the games was influence campaigns waged by Russian threat actors. "The Russians were very active in Paris, trying to disrupt," said Hoover, a former Army and National Guard lieutenant general with a background in military intelligence.

The Los Angeles Olympic Games in 2028 is expected to draw as many as 15 million visitors, 15,000 athletes, and 25,000 broadcasters across 800 different sporting events. Hoover said the committee is preparing for threat actors ranging from "goobers in their basements trying to do something stupid, all the way to nation-state actors."

The Los Angeles 2028 committee has partnered with the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the Federal Communications Commission, among other US agencies.

"We cannot do it alone," Hoover said. "It requires a public-private partnership and open and honest information sharing."

**4\. New Streaming Models Create New Challenges**

As all the major leagues expand their broadcast distribution rights to streaming providers, they can reach new audiences and gain new revenues. However, an attack that even briefly interrupts a broadcast could be costly in terms of lost advertising revenue, Tysarczyk said. "We're putting a lot of faith in those third-party operating techniques and what their cyber protections are," he said.

**5\. Legal Sports Betting Puts Premium on Inside Data**

Further, now that sports gambling is now legal in 38 US states, including Washington, DC, and Puerto Rico, stealing data is more lucrative for threat actors than ever. Non-public information, including health records and other proprietary statistics, is especially valuable. "\[It's\] the data that people use to develop trends and see where the wagers go and things like that," Tysarczyk said.

**6\. Expanded Partnerships Require Advanced Data Protection**

A broader ecosystem that shares increasing amounts of data needs to ensure that information is air-gapped, which was the focus in Paris this summer, Hoover said. "It really requires a partnership effort, and it was an all-hands-on-deck effort in Paris to defend the networks," he said. "It's a closed network, and so we are very concerned about the integrity of the sport, the safety of our athletes, and the safety of our fans that attend, and making sure that we can protect the data and keep that inbound and the right people are getting the right data."

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

6 Cybersecurity Headaches Sports Organizations Have to Worry About

The RISC-V chip architecture is gaining popularity worldwide, but the fact that it is easy to modify the processor design means it is also easy to introduce hard-to-patch vulnerabilities in the chips.

Source: Science Photo Library via Alamy Stock Photo

An emerging chip architecture gaining traction in smartphones, automotive technologies, and other electronics may find adoption stymied by security concerns.

Using x86 and ARM processors for hardware development can get expensive because of royalties that have to be paid to the owners (Intel and Arm). RISC-V is an instruction set on which customers can personalize silicon chips to meet their needs, much like how Lego blocks are put together. RISC-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

RISC-V is drawing interest among companies in the auto, critical infrastructure, and industrial sectors. For example, NASA is creating chips based on RISC-V that it intends to use in its space programs. Omdia estimates RISC-V shipments could tally 17 billion processors in 2030, improving 50% every year starting in 2024.

"46% of those processors are expected to be found in industrial applications, although the biggest growth over the forecast period will come in the automotive segment," Omdia said.

**Vulnerabilities in Designs**

RISC-V's open-source ethos is its biggest advantage, but also a liability: bad actors could introduce backdoors in the chip designs. Vulnerabilities in RISC-V chips used in automotive technology or critical infrastructure could be disastrous.

At Black Hat USA in August, researchers disclosed Ghostwrite, which allows users to bypass memory protection and access privileged memory in a RISC-V chip design called Xuantie C910. The Xuantie C910, designed by T-Head, a subsidiary of China-based Alibaba Group, received a lot of publicity when it was launched three years ago. It was one of the earliest RISC-V processors with a vector extension, which helps CPUs run demanding applications that include AI.

The vulnerability is particularly concerning because it affects the chip's proprietary vector extension, which wasn't properly implemented, says Fabian Thomas, a researcher in the group at CISPA Helmholtz Center for Information Security that discovered GhostWrite. Chip makers can patch the C910 by disabling the vector extension, but it will still be difficult to implement.

"People bought it and built 64-core machines because of that, and now we have to tell them to disable it," Thomas says.

**Shared Designs, Hard to Patch**

The issue is not in the RISC-V architecture itself, but in a faulty silicon implementation. Chip designers are enthusiastic about sharing RISC-V designs, but this means that designs with vulnerabilities may potentially be replicated and used in various areas. Resulting devices could be vulnerable to attack, and may be difficult to patch with microcode updates.

"The digital transformation happening in these sectors means they're all connected now, creating potential to exploit across all these very safety-critical systems," says Margaret Schmitt, a hardware security consultant.

It's already difficult to fix hardware vulnerabilities with firmware updates. The open nature of this chip architecture means it will be difficult to fix them in the field. "The silicon vulnerability is worse because you can't really fix them in the field in many cases... if it connects to critical infrastructure, this could be seen forever," says Alex Matrosov, CEO at Binarly.io.

There are hundreds of RISC-V designs available on GitHub to pick up, but security teams need to consider the risks of winding up with malicious chip designs with backdoors. "This is similar to open-source software projects where people \[make\] changes, saying 'I'm making it better,' but it's actually a backdoor or malware," Schmitt says.

The concern is especially heightened as the RISC-V architecture has become a priority for Russia and China, which are investing heavily in the technology to build homegrown chips. China and Russia ramped up RISC-V adoption after the U.S. banned the export of advanced chips to these countries amid trade and political hostilities.

The U.S. government has already talked about limiting RISC-V access to China, though that may be hard to do as the architecture is open source.

"You're seeing a potential basis for China to use this, a potential for unintended or intentionally added weaknesses to be a serious concern," says Schmitt.

**Working With Security Partners**

Organizations working with RISC-V chips on a shoestring budget may make the decision to sacrifice security, says Mike Eftimakis, vice president of strategy and ecosystem at Codasip, a software company.

"To be able to find a bug, you have to have the infrastructure behind you. It's very expensive and requires specialized knowledge, so it naturally shrinks the base of people who could potentially help with the verification of these devices," Eftimakis says.

Hardware security experts recommended going to established RISC-V companies with solid security processes, a strong customer base, and a good track record of designing chips. One example is Santa Clara, Calif.-based SiFive, which handles security analysis and rigorous compliance testing in its cores. The company has a large customer base that includes Google and NASA, a spokesman said in an email.

Another RISC-V company, Cupertino, Calif-based Ventana Micro Systems, uses the Caliptra specification to put security features directly in computing chips. Caliptra was developed by the Open Compute Project, a coalition which includes Google, Microsoft, AMD, and Nvidia.

Ventana Micro leaders have extensive experience working with x86 and ARM architectures, and are using that experience to secure RISC-V chips. "We applied these learnings during our ground-up development and have many patented features targeted at making our microarchitecture resilient to attacks," a company spokesperson said in an email.

**About the Author**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Security Concerns Plague Emerging Chip Architecture

A water treatment facility in a small city took serious precautions to prevent any bad outcomes from a hazy cyber incident.

Source: Dmitry Kaminsky via Alamy Stock Photo

The water treatment facility for a small city in Kansas experienced a "cybersecurity incident" on the morning of Sept. 22.

Arkansas City — population 12,000, a two-hour drive north of Oklahoma City — sits at the junction of the Walnut and Arkansas Rivers, the latter of which supplies the town's drinking water. A notice from the city's Environmental Services Administration revealed that on Sept. 22, its treatment facility experienced a "cybersecurity incident." Authorities were contacted and precautionary measures taken. Most notably, the facility moved to fully manual operations — a temporary decision made "out of caution," according to city manager Randy Frazer in the notice.

"Despite the incident, the water supply remains completely safe, and there has been no disruption to service," Frazer wrote. "Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period."

The administration added that "Cybersecurity experts and government authorities are working to resolve the situation and return the facility to normal operations. Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents."

Dark Reading has reached out to Arkansas City for more information about the incident. In lieu of details, Shawn Waldman, CEO and founder of Secure Cyber, points out that a switch to manual operations could indicate some degree of seriousness.

"In a breach that we investigated last November, we actually never went to manual mode," he recalls. "We were able to isolate the human-machine interfaces (HMIs) and keep the Russian malware contained, and we let the plant operate as normal. There's a lot of strain on employees when you put a plant in manual mode. That's the last case scenario — you don't want to go into manual mode unless you have to."

**The Problem With State-of-the-Art Systems**

Industrial control systems have long struggled to match old, legacy equipment to the demands of modern day cybersecurity.

Less often spoken of is the opposite problem: newer facilities designed with greater connectivity in mind, which introduce attack surfaces that the dinosaur, often analog machines, didn't have.

The new 5.4 million-gallon-per-day water treatment facility in Arkansas City opened in February 2018. It cost $22 million to build, and sports "advanced technology" estimated to save the city up to 20% on operational and maintenance costs. The exact nature of its cybersecurity posture is unknown. 

"Just because a city comes out and says: 'We just upgraded everything, and it's all new, and we should be good' — well, that's great, but what about cybersecurity?" asks Waldman. "Some cities are not making a proper investment into securing their critical infrastructure.

"My city did that exact thing: I know for a fact that they did not upgrade cybersecurity, but they spent around $14 million or more to upgrade all the infrastructure."

To ensure that cities don't leave security out of their budgets, Waldman says, "The EPA and Congress need to step up and get that new EPA standard for cybersecurity passed. They tried to do it before, and then they got sued. And what did we give up? Weeks after that, Iran launched a bunch of attacks on the water systems in the United States. Because, big surprise, Iran reads the US news."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Kansas Water Plant Pivots to Analog After Cyber Event

The encrypted messaging service said it will share users' IP addresses and phone numbers with authorities when requested.

Source: Geoff Smith via Alamy Stock Photo

Telegram will hand over user information, such as phone numbers and IP addresses, to authorities in order to limit the criminal activity that occurs on the platform, the company said in an update to its privacy policies.

"If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities," said Telegram in its user privacy policy.

This recent change in policy comes after Telegram CEO Pavel Durov was arrested and indicted in France after being held liable for the behavior of users on the platform.

This set off speculation of whether this would change the way Telegram has become a harbor for threat actors to communicate with one another, sell stolen data, and distribute malware, among other things. Initial signs pointed to things remaining the same, however, this update indicates a new era for the messaging app.

Telegram will also update its search feature to remove problematic content from its search results. And it will implement a system to allow users to report illegal search terms through an @SearchReport bot that will be reviewed by human moderators.

**About the Author**

Telegram to Share User Info With Law Enforcement in Policy Shift

The security vulnerabilities could lead to everything from gas spills to operations data disclosure, affecting gas stations, airports, military bases, and other hypersensitive locations.

Source: Bax Walker via Alamy Stock Photo

Multiple critical security vulnerabilities in automatic tank gauge (ATG) systems, some unpatched, threaten critical infrastructure facilities with disruption and physical damage, researchers are warning.

ATGs are sensor systems that monitor and manage fuel storage tanks to ensure that fill levels aren't too low or too high, to see that leaks are detected in real-time, and to manage inventory. ATGs can be found where you'd expect them to be, like at gas stations and airports, but also in less obvious installations.

"In the US, for example, we were told that you are required by law to have an ATG system installed in any fuel tank of a certain size," Pedro Umbelino, principal research scientist at Bitsight's TRACE unit, explains to Dark Reading. "Gas stations are the largest and most obvious use case, but the second largest use case for ATGs are critical facilities that require large backup generators — you often see these in facilities like hospitals, military installations and airports."

Worryingly, most of the newly discovered vulnerabilities allow for an attacker to have full control of an ATG as an administrator. And according to Umbelino, the 11 bugs across six ATG systems from five different vendors can thus open the door to a gamut of nefarious activities, ranging from making fueling unavailable to wreaking environmental havoc.

Related:Kansas Water Plant Pivots to Analog After Cyber Event

"What's even more concerning is that, besides multiple warnings in the past, thousands of ATGs are still currently online and directly accessible over the Internet, making them prime targets for cyberattacks, especially in sabotage or cyberwarfare scenarios," Umbelino said in an analysis released on Sept. 24.

The bugs were discovered six months ago, with Bitsight, the US Cybersecurity and Infrastructure Security Agency (CISA), and the affected vendors working in tandem to mitigate the problems. As a result of those efforts, "Maglink and Franklin have released patches," Umbelino says. "The affected OPW product has been EOL'd \[end of life\] and is no longer being supported by the vendor, so they will not be releasing a patch. Proteus and Alisonic have not engaged with us or with CISA as part of the disclosure process, so it's unclear to us if they’ve released or are working on a mitigation plan."

Patching isn't where the remediation needs stop, though.

"Even for devices that have had patches issued, my top recommendation is to disconnect these devices from the public Internet," Umbelino says. "Most of them were never designed to be connected in the way they are today, so they weren't built with the level of security that is required for Internet-connected devices. They're being used in ways that vendors hadn't initially intended, and that's what is at the core of these vulnerabilities. Taking them off the public Internet is the only true solution."

Related:Concerns Over Supply Chain Attacks on US Seaports Grow

**Major Cyber-Risk From ATG Tampering**

ATGs not only automatically measure and record the level, volume, and temperature of products in storage tanks, but they're usually connected to sirens, emergency shutoff valves, ventilation systems, and peripherals like fuel dispensers.

"Part of what makes these devices attractive to security researchers, or a malicious actor for that matter, is the potential ability to control physical processes that could lead to disastrous consequences if they are abused in unintended ways," Umbelino noted.

As Umbelino explained, "We found vanilla reflected cross-site scripting (XSS). The authentication bypasses were direct path access. The command injections lacked filtering. There were hardcoded administrator credentials. The arbitrary file read was a direct path traversal access, yielding admin credentials. The SQL injection could be exploited aided by full SQL error logs."

The vulnerabilities are as follows:

Related:Name That Toon: Tug of War

Source: Bitsight TRACE.

As an example of those consequences, attackers could exploit the bugs to change the amount of liquid a tank is capable of taking on, while also tampering with overflow alarms. The result could be an undetected tank overflow, which could cause gas spills and environmental chaos.

And as Umbelino explained in the post, "The most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it. In our research, we've shown that an attacker can gain access to a device and drive the relays at very fast speeds, causing permanent damage to them."

Other bad outcomes include making the systems inaccessible via denial of service (DoS), exposing competitive operations data (delivery dates, pricing, inventory intel, types of alarms, etc.), or the loss of compliance data leading to potential regulatory fines. In a DoS scenario for instance, an attack could "lead to downtime and would usually require human intervention," Umbelino explained in the posting. "In fact, these types of attacks are currently ongoing, with claims of exploitation of at least one brand of devices for which we published a vulnerability on just two weeks ago."

**Critical Infrastructure Under Increasing Cyber Threat**

The critical infrastructure threat landscape continues to be a thorny problem for security practitioners, starting with the fact that ICS systems and the operational technology (OT) that controls them are designed to prioritize reliability and efficiency, not security.

"As a result, they often lack modern protections," Umbelino noted. "In addition ... vendors recently started to integrate them with newer technology to improve efficiency and remote access and this significantly changes their threat model. Of course, there is also a lack of cybersecurity experts that are familiar with ICS systems. It is hard to find vulnerabilities if no one is looking for them."

Threat actors have taken notice: Chinese APTs like Volt Typhoon and others are looking to gain a foothold within physical infrastructure, for operational espionage as well as cultivating the potential for disruptive attacks. Ransomware gangs have their own reasons for targeting ICS, as seen in the infamous Colonial Pipeline cyberattack.

"While not related to the vulnerabilities we found, there is a group consistently claiming ICT/OT disruption in the Ukraine-Russia war, including ATG systems," Umbelino says. "In this tweet, we can see an OPW ATG system being targeted, but they claim to have affected many other ICT/OT devices too, indicating that attackers do see these elements within critical infrastructure as a target."

CISA itself has flagged increased threats to water supply organizations, power plants, manufacturing, telecom carriers, military footprints, and more — attacks that are largely being spearheaded by APTs backed by China, Russia, and Iran.

So far, defenders have headed off catastrophic attacks at the pass, and there's no reason to expect mass gas spills anytime soon, given the complexity and sophistication required to exploit the bugs, but it's important to stay ahead of the risk.

"It’s not just about fixing vulnerabilities, it’s about adopting security practices that make them difficult to exist in the first place," Umbelino explained in the analysis. "And it is not just about the vulnerabilities themselves, it's about their exposure. Organizations need to understand they should not expose these types of critical systems to the public Internet. They need to effectively assess their exposure, understand their current risk and start addressing such issues, regardless of vendors ability to update their systems in a timely fashion."

Security researchers also have an important role to play, he adds, noting that stakeholders should be expanding their ICS focus.

"We should start paying more close attention to these types of systems that control very important parts of our society and that, if abused, can have a physical effect on the world, sometimes catastrophic," Umbelino says. "We need to systematically discover, classify and mitigate the risk of them being openly exposed to the Internet faster than the attackers, and be able to communicate that risk to all affected parties. It is not an easy task."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Critical Automated Tank Gauge Bugs Threaten Critical Infrastructure

The money-transfer company is going on day four of its services being suspended.

Source: Alistair Laming via Alamy Stock Photo

MoneyGram's systems and payment services are down due to a "cybersecurity issue," with no clear timeline as to when it will be back up and running once more.

The money-wiring service's in-person and online payment systems have been down since Friday, Sept. 20. The next day, MoneyGram posted on social media platform X, noting that it was experiencing a network outage that was affecting connectivity to its systems. 

"We are working diligently to better understand the nature and scope of the issue," the post said. "We recognize the importance and urgency of this matter to our customers."

On Sept. 23, MoneyGram posted an update to X, informing the public that it has launched an investigation into a cybersecurity issue and confirming that it took its systems offline. It also reported that it was working with third-party cybersecurity experts and coordinating with law enforcement, potentially indicating that the money-transfer company may have been victim to a data breach, though only time will tell.

Either way, as a financial services company, MoneyGram has access to a host of sensitive data, particularly bank accounts and credit card numbers, as well as names, addresses, and usernames and passwords. All of this makes MoneyGram and those it services a potential target for malicious actors and financial fraud or identity theft.

**About the Author**

MoneyGram Goes Offline After Vague Cyber Woes

A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Business risks encompass many overlapping categories, from operational and strategic risks to financial, legal, and compliance risks. Yet every category is affected by cyber-risks in some way. Operational problems such as equipment failures and supply chain disruptions should include the risks of a cyberattack disrupting IT networks. Similarly, the CFO's office manages credit risks, investment losses, and cash-flow issues. But the finance team should also recognize the ongoing threats of financial losses from ransomware attacks, or the reputational harm when private customer data gets leaked on the Internet.

Market research has repeatedly shown cybersecurity to be a key indicator of financial performance. In fact, companies with advanced cybersecurity performance create a 372% higher shareholder return compared with their peers that have basic cybersecurity performance. That's according to a recent report from Bitsight and Diligent that analyzed more than 4,000 mid- to large-cap companies in public indexes globally.

Nearly all chief information security officers (CISOs) and security leaders are adopting artificial intelligence as part of their strategy to defend against advanced cyberattacks. More than three-fourths of CISOs (78%) are already using AI to help their security teams, while 20% are waiting for more powerful models and better AI security tools before adopting, according to Bugcrowd's "Inside the Mind of a CISO 2024" report.

The global survey found that 91% of CISOs believe AI already outperforms security professionals, or will in the future, while 76% believe the AI threat landscape is evolving too quickly to adequately secure. However, the CISOs expressed mixed feelings about the risks of AI. More than half said the risks of AI are greater than the benefits (58%), while 42% indicated that there still is not yet a consensus on this issue.

Of course, cyber-risk is more than a technology problem to be solved solely through technical protections. The solution also requires people and policies to anticipate and prevent unforeseen events through advance preparations. Cyber-risks can have damaging impacts on important business decisions for mergers and acquisitions, supply chain partnerships, and third-party vendor transactions. That's why it's so important for leaders to raise awareness about cyber-risk management among their colleagues in less technical roles such as finance, sales, marketing, and human resources.

**Cyber Secure Practices Deliver Better Business Performance**

It's time for businesses to elevate cyber-risk management to an essential protocol that's managed as part of their overall risk management framework — all of which requires translating complex technical threats into clear financial contingency plans that will motivate the C-suite and board members to invest in security.

The impulse to improve cyber-awareness training and increase security is most prevalent among highly regulated industries such as healthcare and financial services. For these industries, noncompliance can lead to heavy fines, penalties, lawsuits, and damage brand reputation.

Faced with strict rules, these industries typically adopt cyber programs and best practices more quickly than other sectors, because they are familiar with, and better at, managing their risk. Their internal culture demands that they ensure compliance with specific regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) data privacy rules for healthcare providers. For such firms, accounting for cyber-risk is just one more compliance requirement to check off the list.

Similarly, companies that hold regular audit committee meetings have a culture that is more conducive to managing cyber-risks as a compliance issue. They use their regular reporting cadence and infrastructure to incorporate cyber into the larger discussion of regulatory compliance and business risk topics. Regulated industries have the highest cybersecurity ratings, and companies with either a specialized risk committee or audit committee achieve better cybersecurity performance compared with those with neither, according to the Bitsight report.

**It Pays to Support Smart Cyber-Risk Management**

Cyber incidents can have lasting impacts on business operations, workforce productivity, customer satisfaction, and brand reputation. For all these reasons, security should be the responsibility of the entire organization, not just the CISO or security operations center (SOC) team. Everyone must share a commitment to protect the organization's information and IT infrastructure, because that is what their customers and partners expect.

To do so, business leaders need to recognize and manage these cyber-risks just as they would manage any other business risk. Direct costs from cyberattacks can include data recovery and remediation to recover lost data and repair compromised systems. Making the decision to invest in preventative measures has proven to be much more cost-effective than addressing the fallout from a successful cyberattack after it happens.

As business leaders, we're asked to prioritize resources on a daily basis — for budgets, people, and facilities — based on the returns they provide to our business. Investing in cyber programs and best practices should be seen as a business enabler and force multiplier. After all, these investments can help drive revenue growth in the company by building and maintaining customer trust, in addition to protecting the business. In today's risk environment, the CISO should be elevated to be the peer to the rest of the C-suite and a direct report of the CEO — indicative of the strategic business importance of the role.

A sound cyber-risk management strategy is based on carefully analyzing all the business impacts that may stem from a potential attack and estimating the related costs of mitigation versus the costs of not taking action. In the end, as with all risk management, this process comes down to a basic dollars-and-cents financial decision.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

Managing Cyber-Risk Is No Different Than Managing Any Business Risk

The latest version of the evolving threat is a multistage attack demonstrating a move away from ransomware to purely espionage activities, typically targeting Ukraine and its supporters.

Source: Peter Treanor via Alamy Stock Photo

The RomCom cyber-espionage malware that rampaged through the Ukraine military and its supporters last year has resurfaced with a new variant. It leverages valid code-signing certificates to fly under the radar, allowing attackers to execute commands and download additional malicious files onto a victim's system in a multistage attack.

The variant, called SnipBot by researchers at Palo Alto's Unit 42, appears to have been spreading since December, picking up where the last version of RomCom left off, they revealed in analysis published this week. The malware is based on RomCom 3.0., but it also shares techniques already seen in RomCom 4.0, making it version 5.0 of the original RomCom remote access Trojan (RAT) family.

Earlier attacks of the actor behind RomCom — which also targeted supporters of Ukraine — often included ransomware payloads in addition to cyber-espionage activities. However, Unit 42 now believes that the attackers behind the malware have pivoted away from financial gain to exclusively focusing on intelligence-gathering, according to the post.

Even so, "the attacker's intentions are difficult to discern given the variety of targeted victims, which include organizations in sectors such as IT services, legal, and agriculture," Unit 42's Yaron Samuel and Dominik Reichel wrote in the analysis.

Related:Dark Reading News Desk Live From Black Hat USA 2024

**Email Kicks Off Initial RomCom Attack**

SnipBot first appears in either an executable downloadable file masquerading as a PDF, or as an actual PDF file sent to a victim in a phishing email that leads to an executable. The malware includes "a basic set of features that allows the attacker to run commands on a victim's system and download additional modules," the researchers wrote.

The PDF file shows distorted text that states a font is missing that's needed to show it correctly.

"If the victim clicks on the contained link that’s purported to download and install the font package, they will instead download the SnipBot downloader," the researchers wrote.

The malware itself is composed of several stages, with the executable file followed by remaining payloads that are either further executables or DLL files. Moreover, the downloader for the malware is always signed with a legitimate and valid code-signing certificate, the researchers noted.

"We don’t know how the threat actors obtain these certificates, but it's likely they steal them or gain them by fraud," they observed, adding that subsequent modules of the initial SnipBot malware were not signed.

**SnipBot's Infection Vector**

Related:Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

As mentioned, the downloader that delivers SnipBot is signed with a presumably stolen or spoofed certificate and also is obfuscated with a window message-based control-flow obfuscation algorithm; the malware's code is split up into multiple unordered blocks that are triggered by custom window messages.

The downloader also uses "two simple yet effective" anti-sandbox tricks, the researchers wrote. "The first one checks for the original file name by comparing the hashed process name against a hard-coded value," while the second one checks whether there are at least 100 entries in a particular Microsoft Windows registry, "which is usually the case on a regular user’s system but less likely to be the case in a sandbox system," they wrote.

Upon execution, the downloader contacts various command-and-control (C2) domains to retrieve a PDF file, and then subsequent payloads to the infected machine, the first of which provides spyware capability. Ultimately, the main module of SnipBot provides the attacker with command-line, uploading, and downloading capabilities on a victim’s system, as well as the ability download and execute additional payloads from C2.

Unit 42 also witnessed post-infection activity aiming to gather information about the company's internal network as well as attempts to exfiltrate a list of different files from the victim’s documents, downloads, and OneDrive folders to an external, attacker-controlled server.

Related:Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

**RomCom Remains an Active Threat**

The threat actor wielding RomCom has been active since at least 2022, and engages in various nefarious activities, including ransomware, extortion, and targeted credential gathering, likely to support intelligence-gathering operations. As mentioned, the threat actor seems to now be moving away from its previous financially motivated activities to engage exclusively in cyber espionage.

As SnipBot demonstrates an evolution in threat capabilities with novel obfuscation methods as well as post-exploitation activity, Unit 42 stressed "the need for organizations to remain vigilant and adopt advanced security measures to protect their systems and data from evolving cyberthreats," the researchers noted in their analysis.

Given the RomCom threat actor's interest in cyber espionage against Ukraine and its supporters, the Computer Emergency Response Team of Ukraine (CERT-UA) also has published information about the threat group and how it operates.

"This group is actively attacking employees of defense enterprises and the Defense Forces of Ukraine, constantly updating its malware arsenal, but their malicious activities are not limited to Ukraine," the agency warned.

CERT-UA advised organizations that may be targeted to remain vigilant about emails from unknown senders, even if they present themselves as a government employee, and to refrain from downloading or opening suspicious files.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading