As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, “Your First 100 Days as a vCISO – 5 Steps to Success”, which covers all the phases entailed in launching a successful vCISO engagement, along with recommended

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success", which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.

Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.

This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

The workshop was delivered in partnership with Jesse Miller, co-author of the First 100 Days playbook, and founder of PowerPSA Consulting and the PowerGRYD. Jesse is a long-time CISO/vCISO and infosec strategist who has made it his mission to help service providers crack the code for premium vCISO profits. You can watch the entire webinar, with more details and real-world examples here.

**The Hidden Value in Reporting**

According to Miller, "It's one thing to do a great job, it's quite another for your client to see it that way." This is where reporting should focus. A tight reporting process is the cherry on top of a connected journey for the client in a successful vCISO program.

However, as Miller reveals, reporting is not primarily for the purpose of demonstrating the activities the vCISO performs for the client, which is a common misconception. Rather, the real value lies in making the client the hero of their security journey. Therefore, vCISO reports should focus on the client and their organization's goals, not the vCISO's activities. The ultimate goal of any report is to enable a business strategy discussion that revolves around security.

**vCISO Reporting Benefits**

Drilling down into the aforementioned purpose, vCISO reporting provides multiple benefits for both the vCISO and the client:

For the vCISO -

*   Ensuring the vCISO is aligned with client expectations
*   Ensuring the client understands their security and compliance posture
*   Creating a shared vision between the vCISO and the client
*   Build consensus on an improvement path (rather than solely pushing recommendations one-sidedly)
*   Anchoring initiatives into business outcomes
*   Driving retention and sales

For the client -

*   Controlling their security destiny
*   Designing their security journey based on business outcomes and allowing them to own the risk associated with their decisions and actions
*   Simplified decision-making
*   Noise reduction
*   Bandwidth and scale
*   Getting easy buttons and resources for tactical execution
*   Ensuring they perceive the high ROI being provided for their vCISO investment

**4 Essential Sections of a vCISO Report**

To uncover all the benefits listed above, it is recommended to create a report that covers four sections:

*   **Section 1: General Recap -** The summary, top-level metrics and any "hot stove" items.
*   **Section 2: Tactical Review -** How controls perform, data "stories" and setting the stage for the recommendations and initiatives to come in the following sections.
*   **Section 3: Strategic Review -** A roadmap review, holding a business-led discussion, recommendations and mapping the RCT (Resource, Commitment, Time) for the next steps.
*   **Section 4: Future Initiatives -** Current work in progress, protecting from risk and building up the sales funnel.

Now let's dive into each one.

**Section 1: General Recap**

The first section of the report provides an overview and summary, teasers for the rest of the report and high-level metrics. It is also where "hot-stove" items can be addressed. For example, informing about an attacker foothold and answering any open questions.

By providing a brief initial section focused on the outcomes, vCISOs can concisely share the story they are telling. It also allows Executives and Business Leaders to join the first part of the report for an overview, leaving the practitioners to dig into the granular details later on.

For example, in this sample report by Cynomi, we can see the first part of the general recap, showing the posture score, together with a brief explanation about what it means and alluding to the risk.

**Section 2: Tactical Review**

The second section allows telling stories with the data. Since there's a wide range of data that can be pulled into the reports, it's important to ensure the right data is used. This will allow the creating of the right story.

Remember, the idea is to make the client the hero, showing them how they get what they want for the business from their security program.

For example, a highly technical audience can get into the granular details of the security programs. However, a high level decision maker will not be able to understand the story from the same data. Therefore, it's recommended to automate the gathering of data, and then collate and prune the data for the type of client that's being presented to.

This section can also show progress and recommendations tailored for various decision makers, security incidents and how to address them, recommended actions to support business processes (like M&As), and more.

For example, in this section from a sample report by Cynomi, the vCISO can drill down into the status of the various policies and domains that need to be better secured. Later on, the report also shows the scan results that are the evidence for this analysis.

**Section 3: Strategic Review**

The strategic review section is intended to create a prioritized security journey. To build this story, it's important to link the risk assessment, the security roadmap and the recommendations. This means creating a system where the high-level risk assessment finds delinquencies in security controls, like vulnerability management, malware control, or incident response. Then, the recommendation report should clearly state which solutions need to be deployed and the roadmap should list priorities, i.e. creating a journey.

Pro tips:

*   Don't spread FUD. Rather, go with a "compliment sandwich" approach, starting and ending with positive feedback.
*   Before asking clients to spend money, show them how recommendations and actions save them money and support the business.
*   Use the RCT (Resources, Cost, Time) mapping to help clients make a decision.

For example, in this Cynomi report, the vCISO can show the state of meeting compliance and leverage this for the recommendations and roadmap.

**Section 4: Future Initiatives**

In the end, it's time to discuss future initiatives. Since clients do not have endless resources, this section helps queue up work and prioritize it based on a business-led consensus.

This section also helps protect both the client and vCISO from risk. For example, showing progress month over month helps show auditors and regulatory bodies the client is performing due care. This protects both the vCISO and the client.

Finally, this section creates accountability among customers. With the vCISO clearly showing the business outcomes of accepting proposed recommendations, the client can make a business decision, and own the risk for that decision.

**What's Next?**

Reporting is part of a holistic vCISO approach that creates trust with the client. Making the client the hero shows them you have their best interests at heart. When this is verifed through reporting, it drives vCISO scale and growth, making your business successful.

For more explanations and examples, watch the entire workshop here.

For more pro tips and proven practices for vCISO, read the guide "Your First 100 Days as a vCISO – 5 Steps to Success".

For daily insights on how to supercharge your vCISO profits, follow Jesse Miller on LinkedIn or join the PowerGRYD community.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MSPs & MSSPs: How to Increase Engagement with Your Cybersecurity Clients Through vCISO Reporting

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.
BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.

BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale distributed high-throughput computing" using participating home computers on which the app is installed.

"It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week.

These malicious installations are designed to connect to an actor-controlled domain ("rosettahome\[.\]cn" or "rosettahome\[.\]top"), essentially acting as a command-and-control (C2) server to collect host data, transmit payloads, and push further commands. As of July 15, 10,032 clients are connected to the two domains.

The cybersecurity firm said while it hasn't observed any follow-on activity or tasks being executed by the infected hosts, it hypothesized that the "host connections could be sold off as initial access vectors to be used by other actors and potentially used to execute ransomware."

SocGholish attack sequences typically begin when users land on compromised websites, where they are prompted to download a fake browser update that, upon execution, triggers the retrieval of additional payloads to the infiltrated machines.

The JavaScript downloader, in this case, activates two disjointed chains, one that leads to the deployment of a fileless variant of AsyncRAT and the other resulting in the BOINC installation.

The BOINC app, which is renamed as "SecurityHealthService.exe" or "trustedinstaller.exe" to evade detection, sets persistence using a scheduled task by means of a PowerShell script.

The misuse of BOINC for malicious purposes hasn't gone unnoticed by the project maintainers, who are currently investigating the problem and finding a way to "defeat this malware." Evidence of the abuse dates back to at least June 26, 2024.

"The motivation and intent of the threat actor by loading this software onto infected hosts isn't clear at this point," the researchers said.

"Infected clients actively connecting to malicious BOINC servers present a fairly high risk, as there's potential for a motivated threat actor to misuse this connection and execute any number of malicious commands or software on the host to further escalate privileges or move laterally through a network and compromise an entire domain."

The development comes as Check Point said it's been tracking the use of compiled V8 JavaScript by malware authors to sidestep static detections and conceal remote access trojans, stealers, loaders, cryptocurrency miners, wipers, and ransomware.

"In the ongoing battle between security experts and threat actors, malware developers keep coming up with new tricks to hide their attacks," security researcher Moshe Marelus said. "It's not surprising that they've started using V8, as this technology is commonly used to create software as it is very widespread and extremely hard to analyze."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

Plus: The FBI unlocks the Trump shooter’s phone, a security researcher gets legal threats for exposing hackable traffic lights, and more.

The week was particularly chock-full of dramatic security news. On Friday, a flawed update to CrowdStrike’s Falcon platform caused massive global service outages and disruptions around the world. The issue, which only impacted Windows computers, crashed PCs and servers, disrupting air travel, hospitals, banks, universities, and more.

Earlier in the week, WIRED had reported that following a massive data breach, AT&T paid $370,000 to get hackers to delete the stolen data. And, though it’s always possible that attackers saved a copy of the trove, a security researcher with knowledge of the transaction told WIRED he believes the only copy has been wiped. In a separate incident, hackers claimed last week to have stolen and leaked more than a terabyte of data comprising Disney’s complete Slack archive.

A WIRED analysis of Republican vice presidential nominee J.D. Vance’s Venmo account sheds some light on the Senator’s network and connections, including some of the architects of Project 2025 and enemies of Vance’s running mate, Donald Trump.

Federal prosecutors indicted a 20-year-old man on Tuesday for allegedly leading the violent and White supremacist Eastern European gang known as “Maniac Murder Cult,” or MKY. The group has been implicated in a number of assaults and attacks abroad, including at least one murder.

The US Supreme Court’s recent decision in _Loper Bright Enterprises v. Raimondo_ to overturn what’s known as the Chevron deference will have major implications for US cybersecurity defense, because federal agencies are now limited in their ability to regulate. And US senator Mark Warner of Virginia is working to pass new limits on government wiretaps, but at least two senators are quietly trying to stop him.

And there’s more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Russian Hacktivists Who Attacked US Water Utilities Named and Sanctioned**

Sometimes “Julia,” the shadowy, pseudonymous Russian hacker telling you her grand plans to sabotage the West, really is just Julia. Or Yuliya.

On Friday, the Treasury Department announced that it is imposing sanctions on two alleged Russian cybercriminals for their alleged involvement in the hacktivist group Cyber Army of Russia Reborn, or CARR, which rose to prominence this year due to its reckless and somewhat sloppy attacks on Western critical infrastructure, as well as its apparent ties to Russia’s GRU military intelligence agency. Those two sanctioned hackers are identified in Treasury’s statement for the first time as Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko.

In May, WIRED interviewed a CARR spokesperson who called herself Julia about the group’s attacks, which included one that caused tens of thousands of gallons of water to be spilled from a water utility in the small town of Muleshoe, Texas. That spokesperson now appears to have likely been Pankratova, who is identified by Treasury as CARR’s spokesperson, while Degtyarenko is described as its “primary hacker.”

Treasury also notes that “instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication,” a line that, for any hacker, may hurt even worse than sanctions.

**FBI Gains Access to Trump Shooter’s Locked Phone**

For anyone who thought the locked phone of would-be Trump assassin Thomas Crooks was about to lead to another standoff between the FBI and the tech industry’s privacy advocates—standoff over. Immediately following the assassination attempt, which ended when Crooks was shot and killed by police, Crooks’ locked Android phone was unlocked by the FBI, the Bureau announced last weekend. Though the FBI didn’t reveal how it was able to crack the phone, Bloomberg reported later this week that law enforcement used “unreleased technology” from the phone-hacking software company Cellebrite.

**Security Researcher Shows Traffic Lights Are Hackable—and Gets a Legal Threat**

Hacking traffic lights has long been one of Hollywood’s favorite ideas of cyber mayhem, from the _Italian Job_ to _Live Free or Die Hard_. If only cyber defenders had known all along that they could prevent all that traffic hacking with a strongly worded letter from their lawyer.

This week, Andrew Lemon, a researcher for security firm Red Threat, published a pair of blog posts that outline how it would be possible to hack traffic light systems sold by the company Econolite due to a lack of authentication in their web interface. While the software had safeguards in place that would have prevented tampering with the lights to cause collisions, a hacker could nonetheless have messed with their configuration to cause traffic jams, Lemon found. When Lemon reported the issues to Econolite, however, its parent company, Q-Free, responded in a letter that not only didn’t suggest it would fix the issue—it said it no longer sells the systems—but also threatened Lemon by pointing out his hacking research was potentially illegal. A company spokesperson told TechCrunch, which broke the story, that municipalities that use the vulnerable system should not leave the traffic light software exposed online and should buy newer systems to replace them.

**North Korean Hackers Steal $230 Million in Crypto From WazirX Exchange**

Another week, another nine-figure injection of digital funds into the world’s most authoritarian country. WazirX, India’s largest cryptocurrency exchange, was hacked this week and robbed of nearly a quarter-billion dollars in crypto, largely in the form of SHIB, a Shiba Inu-themed cryptocurrency. Crypto-tracing firm Elliptic quickly tied the attack to North Korean hackers. That absurd and disturbing crime adds significantly to the $1.4 billion that hackers have stolen in crypto so far this year, which was already on pace to double last year’s total cryptocurrency thefts.

The Feds Say These Are the Russian Hackers Who Attacked US Water Utilities

### Impact
`API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks.

### References
[ISSUE](https://github.com/ARPSyndicate/puncia/issues/8)
[PATCH](https://github.com/ARPSyndicate/puncia/commit/033f3b68126eabbb2040ce16e2c3a2ce17437fbd#diff-3ec6c2de51e702726b23c452e3f4a899f6f4253af9fbf5be7254a5c1407ab526)


**\[PUNCIA\] \[CWE-319\] Cleartext Transmission of Sensitive Information via HTTP urls in \`API\_URLS\`**

Low severity GitHub Reviewed Published Jul 19, 2024 in ARPSyndicate/puncia • Updated Jul 19, 2024

GHSA-rwcj-7jjp-4w38: [PUNCIA] [CWE-319] Cleartext Transmission of Sensitive Information via HTTP urls in `API_URLS`

The Identity Theft Resource Center has published a report showing a 1,170% increase in compromised data victims compared to the same quarter last year.

Nope, that headline’s not a typo. Over one thousand percent.

The Identity Theft Resource Center (ITRC) tracked 1,041,312,601 data breach victims in Q2 2024, an increase of 1,170% over Q2 2023 (81,958,874 victims).

The ITRC is a national non-profit organization set up with the goal of minimizing the risk and mitigating the impact of identity compromise. Through public and private support, it provides no-cost victim assistance and consumer education.

The vast majority of that rise in numbers in due to a few very large compromises. The ITRC mentions Prudential (2.5 million people) and Infosys McCamish Systems (6 million people) as main contributors.

Because both of these breaches were announced/updated in the second quarter of 2024 they have a huge impact on the numbers. When we compare the number of data breach victims in the first half of 2024 (H1 2024) then we see an increase of 490 percent compared to the first half of 2023. Which is still significant and worrying.

The ITRC broke down some of the numbers to show them in an infographic.

Infographic by ITRC

Some notable statistics we can derive from the infographic:

*   Almost 90% of the compromises in H1 2024 are due to data breaches.
*   Financial services had the most breaches, followed by healthcare.
*   The largest data breaches in number of victims are Ticketmaster, Advance Auto Parts, and Dell.
*   80 supply chain attacks accounted for 446 affected entities and over 10 million victims.

Another trend the ITRC highlights is the increase in stolen driver’s license information. Mostly caused by a post pandemic trend to use driver’s license information for identity confirmation. This has increased both the chances of this information being included in a breach, and increased the value of that information to thieves.

The number of data breaches where driver’s license data was stolen totaled 198 instances in pre-pandemic, full-year 2019 compared to 636 in full-year 2023 and 308 through June 30, 2024.

Most of the data breaches are not the result of negligence but of targeted cyberattacks. This explains the rising demand for data deletion services. Not only does it play a significant role in safeguarding privacy rights on the business side, it also helps avoid or lessen the legal consequences of a breach.

ITRC president and CEO Eva Velasquez summarized the report like this:

> “The takeaway from this report is simple. Every person, business, institution and government agency must view data and identity protection with a greater sense of urgency.”

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your exposure**

Looking at the numbers in the ITRC report, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan, and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 Number of data breach victims goes up 1,000% 

The Coalition for Secure AI is a consortium of influential AI companies aiming to develop tools to secure AI applications and set up an ecosystem for sharing best practices.

Source: ElenaBS via Alamy Stock Photo

The largest and most influential artificial intelligence (AI) companies are joining forces to map out a security-first approach to the development and use of generative AI.

The Coalition for Secure AI, also called CoSAI, aims to provide the tools to mitigate the risks involved in AI. The goal is to create standardized guardrails, security technologies, and tools for the secure development of models.

"Our initial workstreams include AI and software supply chain security and preparing defenders for a changing cyber landscape," CoSAI said in a statement.

The initial efforts include creating a secure bubble and systems of checks and balances around the access and use of AI, and creating a framework to protect AI models from cyberattacks, according to Google, one of the coalition's founding members. Google, OpenAI, and Anthropic own the most widely used large language models (LLMs). Other members include infrastructure providers Microsoft, IBM, Intel, Nvidia, and PayPal.

"AI developers need — and end users deserve — a framework for AI security that meets the moment and responsibly captures the opportunity in front of us. CoSAI is the next step in that journey, and we can expect more updates in the coming months," wrote Google's vice president of security engineering, Heather Adkins, and Google Cloud's chief information security officer, Phil Venables.

**AI Safety as a Priority**

AI safety has raised a host of cybersecurity concerns since the launch of ChatGPT in 2022. Those include misuse for social engineering to penetrate systems and the creation of deepfake videos to spread misinformation. At the same time, security firms, such as Trend Micro and CrowdStrike, are now turning to AI to help companies root out threats.

AI safety, trust, and transparency are important as results could steer organizations into faulty — and sometimes harmful — actions and decisions, says Gartner analyst Avivah Litan.

"AI cannot run on its own without guardrails to rein it in — errors and exceptions need to be highlighted and investigated," Litan says.

AI security issues could multiply with technologies such as AI agents, which are add-ons that generate more accurate answers from custom data.

"The right tools need to be in place to automatically remediate all but the most opaque exceptions," Litan says.

US President Joe Biden has challenged the private sector to prioritize AI safety and ethics. His concern was around AI's potential to propagate inequity and to compromise national security.

In July 2023, President Biden issued an executive order that required commitments from major companies that are now part of CoSAI to develop safety standards, share safety test results, and prevent AI's misuse for biological materials and fraud and deception.

CoSAI will work with other organizations, including the Frontier Model Forum, Partnership on AI, OpenSSF, and MLCommons, to develop common standards and best practices.

MLCommons this week told Dark Reading that in fall this year it will release an AI safety benchmarking suite that will rate LLMs on responses related to hate speech, exploitation, child abuse, and sex crimes.

CoSAI will be managed by OASIS Open, which, like the Linux Foundation, manages open source development projects. OASIS is best known for its work around the XML standard and for the ODF file format, which is an alternative to Microsoft Word's .doc file format.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Tech Giants Agree to Standardize AI Security

After an extended period underground, the Chinese hackers have added a more sophisticated infection chain and additional EDR evasion techniques.

Source: Rokas Tenys via Alamy Stock Photo

The mysterious and covert Chinese hacking group GhostEmperor has resurfaced after a two-year hiatus with even more advanced capabilities and evasion techniques.

Initially discovered by Kaspersky Lab in 2021, GhostEmperor was notorious for targeting telecommunications and government entities in Southeast Asia through sophisticated supply chain attacks.

The group's recent activities were uncovered by cybersecurity firm Sygnia, which detailed the group's evolved attack methods in a report released this week. 

A recent investigation by the security firm into a compromised network of an unidentified client revealed that GhostEmperor was behind the breach.

The attackers used the compromised network as a launchpad to infiltrate another victim's systems, an incident which marks the first confirmed activity from GhostEmperor since 2021.

Sygnia's investigation found GhostEmperor had updated its well-known Demodex rootkit, a kernel-level tool that grants the highest level of access to the victim's operating system while evading endpoint detection and response (EDR) software.

The updated variant includes a reflective loader to execute the Core-Implant and employs new obfuscation techniques, such as different file names and registry keys. Additionally, the variant analyzed appears to have been compiled in July 2021, indicating it might be a newer version than what Kaspersky originally documented.

**Infection Chain, Evasion Techniques**

The analysis also noted significant alterations in GhostEmperor's infection chain.

Traditionally, the group gained initial access by exploiting vulnerabilities such as ProxyLogon. A batch file was executed to initiate the infection, deploying various tools that communicated with a set of command-and-control (C2) servers.

In the most recent breach, GhostEmperor employed the WMIExec tool from the Impacket Toolkit to execute commands remotely via Windows Management Instrumentation (WMI), initiating the infection chain on the compromised machine.

The report noted the new infection chain is more sophisticated and stealthier, incorporating additional EDR evasion techniques.

“We are seeing, again and again — especially in this scenario, when we went into the customer's domain — that people are not aware of their environment,” Azeem Aleem, Sygnia's managing director, told The Record, cybersecurity firm Recorded Future's news site. 

**GhostEmperor Left a Global Trail**

When GhostEmperor was first identified in September 2021, Kaspersky described the group as a highly skilled and sophisticated threat actor, primarily targeting high-profile entities in Southeast Asia, including Malaysia, Thailand, Vietnam, and Indonesia. 

Additional victims included entities in Egypt, Ethiopia, and Afghanistan, indicating a broad and ambitious scope of operations.

The initial discovery by Kaspersky highlighted GhostEmperor's use of multistage malware designed for stealth and persistence, leveraging rootkits and other advanced tools to maintain a foothold in compromised networks.

The group's ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools.

**Chinese Threat Actors Multiply **

This month alone Chinese threat actors have been discovered targeting Internet cafes in China that allow attackers to execute malicious code with the highest privileges. 

The Chinese state-sponsored actor APT40 was discovered exploiting newly discovered software vulnerabilities within hours targeting organizations globally, including repeated attacks on Australian networks. At the start of the month China-backed threat group Velvet Ant was discovered using targeted malware to exploit a vulnerability in Cisco's NX-OS software for managing a variety of switches.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Notorious Chinese Hacker Gang GhostEmperor Re-Emerges After 2 Years

A defective CrowdStrike kernel driver sent computers around the globe into a reboot death spiral, taking down air travel, hospitals, banks, and more with it. Here’s how that’s possible.

Only a handful of times in history has a single piece of code managed to instantly wreck computer systems worldwide. The Slammer worm of 2003. Russia’s Ukraine-targeted NotPetya cyberattack. North Korea’s self-spreading ransomware WannaCry. But the ongoing digital catastrophe that rocked the internet and IT infrastructure around the globe over the past 12 hours appears to have been triggered not by malicious code released by hackers, but by the software designed to stop them.

A software update from cybersecurity company CrowdStrike appears to have inadvertently disrupted IT systems globally.

Two internet infrastructure disasters collided on Friday to produce disruptions around the world in airports, train systems, banks, health care organizations, hotels, television stations, and more. On Thursday night, Microsoft’s cloud platform Azure experienced a widespread outage. By Friday morning, the situation turned into a perfect storm when the security firm CrowdStrike released a flawed software update that sent Windows computers into a catastrophic reboot spiral. A Microsoft spokesperson tells WIRED that the two IT failures are unrelated.

The cause of one of those two disasters, at least, has become clear: buggy code pushed out as an update to CrowdStrike’s Falcon monitoring product, essentially an antivirus platform that runs with deep system access on “endpoints” like laptops, servers, and routers to detect malware and suspicious activity that could indicate compromise. Falcon requires permission to update itself automatically and regularly, since CrowdStrike is constantly adding detections to the system to defend against new and evolving threats. The downside of this arrangement, though, is the risk that this system, which is meant to enhance security and stability, could end up undermining it instead.

“It's the biggest case in history. We’ve never had a worldwide workstation outage like this,” says Mikko Hyppönen, the chief research officer at cybersecurity company WithSecure. Around a decade ago, Hyppönen says, widespread outages were more common due to the spread of worms or trojans. More recently, global outages have happened on the “server side” of systems, meaning outages often stem from cloud providers such as Amazon’s Web Services, internet cable cuts, or authentication and DNS issues.

CrowdStrike CEO George Kurtz said on Friday that the issues were caused by a “defect” in code the company released for Windows. Mac and Linux systems were not affected. “The issue has been identified, isolated and a fix has been deployed,” Kurtz said in a statement, adding the problems were not the result of a cyberattack. In an interview with NBC, Kurtz apologized for the disruption and said it may take some time for things to be back to normal.

The widespread Windows outages have been linked to a software update from cybersecurity giant ​​CrowdStrike. It is believed the issues are not linked to a malicious cyberattack, cybersecurity officials say, but rather stem from a misconfigured/corrupted update that CrowdStrike pushed out to its customers.

Security and IT analysts searching for the root cause of the gargantuan outage say that it appears to be related to a “kernel driver” update to CrowdStrike’s Falcon software. Kernel drivers are the software components that allow applications to interact with Windows at its deepest level, the core of the operating system known as its kernel. That highly sensitive level of access is necessary for security software, so that it can run prior to any malicious software installed on the system and access any part of the system where hackers might seek to plant their code. As malware has improved and evolved, it has pushed defense software to require constant connection and more extensive control.

That deeper access also introduces a far higher possibility that security software—and updates to that software—will crash the whole system, says Matthieu Suiche, head of detection engineering at the security firm Magnet Forensics. He compares running malicious code detection software at the kernel level of an operating system to “open-heart surgery.”

Yet it’s nonetheless surprising that a kernel driver update would be able to cause such a massive global computer crash, says Costin Raiu, who worked at Russian security software firm Kaspersky for 23 years and led its threat intelligence team before leaving the company last year. During his years at Kaspersky, he says, driver updates for Windows software were closely scrutinized and tested for weeks before they were pushed out.

More importantly, they require that Microsoft also vet the code and cryptographically sign it, suggesting that Microsoft, too, may well have missed whatever bug in CrowdStrike’s Falcon driver triggered this outage. “It’s surprising that with the extreme attention paid to driver updates, this still happened,” says Raiu. “One simple driver can bring down everything. Which is what we saw here.”

A Microsoft spokesperson told WIRED that the “CrowdStrike update was responsible for bringing down a number of IT systems globally,” and added that “Microsoft does not have oversight into updates that CrowdStrike makes in its systems,” without further explanation of whether Microsoft does in fact inspect and sign kernel driver updates.

Raiu adds that even so, CrowdStrike is far from the only security firm to trigger Windows crashes with a driver update. Updates to Kaspersky and even Windows’ own built-in antivirus software Windows Defender have caused similar Blue Screen of Death crashes in years past, he notes. “Every security solution on the planet has had their CrowdStrike moments,” Raiu says. “This is nothing new but the scale of the event.”

Cybersecurity authorities around the world have issued alerts about the disruption, but have similarly been quick to rule out any nefarious activity by hackers. “The NCSC assesses that these have not been caused by malicious cyber attacks,” Felicity Oswald, CEO of the UK’s National Cyber Security Center, said. Officials in Australia have come to the same conclusion.

Nevertheless, the impact has been sweeping and dramatic. Around the world, the outages have been spiraling as companies, public bodies, and IT teams race to fix bricked machines, which involves manually taking machines through a series of corrective steps, including rebooting. In the UK, Israel, and Germany, health care services and hospitals saw systems that they use to communicate with patients disrupted, and canceled some appointments. Emergency services in the US using 911 have reportedly had problems with their lines too. In the earliest hours of the outages, some TV stations, including Sky News in the UK, stopped live news broadcasts.

Global air travel has been one of the most impacted sectors so far. Huge lines formed at airports around the world, with one airport in India using handwritten boarding passes. In the US, Delta, United, and American Airlines grounded all flights at least temporarily, with a dramatic graphic showing air traffic plummeting above the US.

The catastrophic situation reflects the fragility and deep interconnectedness of the internet. Numerous security practitioners told WIRED that they anticipated or even worked with clients to attempt to protect against a scenario where defense software itself caused cascading failures as a result of malicious exploitation or human error, as is the case with CrowdStrike. “This is an incredibly powerful illustration of our global digital vulnerabilities and the fragility of core internet infrastructure,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Center.

The ability of one update to trigger such massive disruption still puzzles Raiu. According to Gartner, a market research firm, CrowdStrike accounts for 14 percent of the security software market by revenue, meaning its software is on a wide array of systems. Raiu suggests that the Falcon update must have triggered crashes in other parts of web infrastructure, which could have multiplied the disaster. “CrowdStrike is big, but it can’t be this big,” Raiu says. “Airports, critical infrastructure, hospitals. It cannot be just CrowdStrike everywhere. I suspect we’re seeing a combination of factors, a cascading effect, a chain reaction.”

Hyppönen, from WithSecure, says his “guess” is that the issues may have happened due to “human error” in the update process. “An engineer at CrowdStrike is having a really bad day,” he says. Hyppönen suggests that CrowdStrike could have shipped software different to what they had been testing or mixed up files, or there could’ve been a combination of different factors. “Software like this has to go through extensive testing,” Hyppönen says. “That's what we do. That's what CrowdStrike, of course, does. You have to be really careful about what you ship, which is tough to do because security software is updated very frequently.”

While many of the impacts of the outage are ongoing and still unraveling, the nature of the problem means that individually impacted machines may need to be rebooted manually rather than through an automated process. “It could be some time for some systems that just automatically won’t recover,” CrowdStrike CEO Kurtz told NBC.

The company’s initial “workaround” guidance for dealing with the incident says Windows machines should be booted in a safe mode, a specific file should be deleted, and then rebooted. “The fixes we’ve seen so far mean that you have to physically go to every machine, which will take days, because it’s millions of machines around the world which are having the problem right now,” says Hyppönen from WithSecure.

As system administrators race to contain the fallout, the larger existential question of how to prevent another, similar crisis looms large.

“People may now demand changes in this operating model,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy. “For better or worse, CrowdStrike has just shown why pushing updates without IT intervention is unsustainable.”

_Update 7/19/2024, 11am ET: Added comment from Microsoft saying that the Azure outage and the CrowdStrike kernel driver issue are unrelated._

_Update 7/19/2024, 12:30pm ET: Added further comment from Microsoft about its lack of oversight of CrowdStrike's updates._

_Update 7/19/2024, 3:45pm ET: Updated to clarify that Amazon Web Services was not impacted by the CrowdStrike update, according to the company._

How One Bad CrowdStrike Update Crashed the World’s Computers

Private sector organizations are "hesitant" to seek guidance from the Coast Guard, which isn't sufficiently equipped to help them yet.

Source: Rick Pisio/RWP Photography via Alamy Stock Photo

The Coast Guard is struggling to secure the US maritime supply chain thanks to inadequate staffing, training, authority, and cyber expertise.

A new report from the Department of Homeland Security's Office of Inspector General paints a picture of an industry reluctant to seek cybersecurity support, and a military unable to adequately provide it.

Coast Guard "Cyber Protection Teams" (CPTs) have offered free cybersecurity help to organizations in the Maritime Transportation System (MTS) since 2021, yet only 36% of qualifying organizations have taken them up on it. The private sector is "hesitant," the report says, despite the many security vulnerabilities CPT assessments typically uncover.

Part of the blame lies with the Coast Guard itself. The DHS Inspector General's Office's found that CPT inspections of marine facilities and vessels don't always account for "the full scope of potential cybersecurity threats. This occurred because Coast Guard does not have the authority or training to enforce private industry compliance with standard cybersecurity practices."

Plus, the service branch lacks staff with cyber expertise, according to the DHS IG.

**Coast Guard Role in Private Sector Cybersecurity**

Earlier this year, the Biden administration issued an executive order that, among other things, empowered the Coast Guard to take an even greater role in private sector security.

The military branch now has the authority to quarterback response efforts after any facilities, harbors, ports, or individual vessels are impacted by cyber incidents, including by inspecting or even controlling the movement of vessels which might otherwise threaten US infrastructure. It was also assigned the task of creating a set of minimum cybersecurity requirements for the industry.

"You don't see the Air Force directly taking on transportation \[security\], but it makes sense here in this case due to their \[the Coast Guard's\] sector expertise," says Itay Glick, operational technology expert and vice president of products at Opswat. "They already have relationships with the different groups — ships, ports, etc. — because of their day- to-day work, and adding that layer of cybersecurity actually makes sense."

In some ways, the Coast Guard has been quite productive so far. Cyber incidents reported to, and reviewed by, the Coast Guard have risen 111% in the past few years. Its vulnerability assessments have uncovered hundreds of incidents involving dozens of vulnerabilities, more than half of "critical" or "high" severity, meaning they could cause complete network, application, or system compromise.

In other ways, though, the service branch has not seemed up to the task. The DHS observed some CPT inspectors ignoring cybersecurity entirely, and found that they "expressed a limited understanding of how to address cybersecurity" thanks to little to no cybersecurity training. And even when vulnerabilities were found, the branch had insufficient means to force companies to comply with its recommendations for remediation.

**Threats to Maritime**

If it wasn't obvious enough in years prior, the world learned just how valuable and sensitive the MTS is from COVID and the Ever Given incident in the Suez Canal. Hackers learned it, too, and now cyber threats to the system are far greater than they ever were before.

A report from the Coast Guard Cyber Command last year found an 80% rise in reported ransomware incidents, with ransom demands tripling on average. Cyber disruptions to marine industries can come in many other forms as well, and cyber espionage — particularly from capable nation-state adversaries — is a persistent risk.

A failure to account for the kinds of vulnerabilities uncovered by plenty of CPT assessments already could, in the worst-case scenarios, lead to physical danger for crew members or marine life, and major disruptions to the global supply chain.

"Years ago, you saw \[how\] you couldn't bring new supplies into countries across the world. This is something that can happen again," Glick Warns, "and this is what we need to fear. If you don't have produce coming in, that might terribly impact the commercial industry here in the US."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DHS Inspector General: Coast Guard Shortcomings Hinder US Maritime Security

As threat actors get smarter about how they target employees, the onus is on organizations to create a strong line of defense — and the human element is a critical component.

Masha Sedova, VP, Human Risk Strategy, Mimecast

July 19, 2024

4 Min Read

Source: Yuliya Volkovska via Alamy Stock Vector

COMMENTARY

As the stakes of cyberattacks continue to rise, organizations are throwing more and more money at innovative new services and equipment to thwart them. But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element. There's little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for robbers into the building.

Year after year, the human element consistently ranks among the greatest risk factors in cybersecurity — it is projected to play a central role in 68% to 90% of breaches in 2024 — and the standard practice of mandated security awareness trainings isn't driving improvement, as stolen credentials, data leaks, and targeted phishing emails remain prevalent. To address this critical vulnerability, chief information security officers (CISOs) must take a more data-driven, tailored approach to mitigating human risk that goes beyond just training — one that requires human-by-design cybersecurity.

**Quantifying Risk**

Security awareness training helps, but it doesn't complete the job, as it treats every employee the same. In reality, some users are highly adept at sniffing out threats, while others require additional support. Some subsets of users are targeted with great regularity, while others receive very few phishing attempts. As such, a human-centric security approach must begin with a detailed understanding of the organization's distribution of risk.

The first step is pinning down those at the company who are most at risk. Studies have found that just 8% of employees cause 80% of incidents, and many in this subset typically are repeat offenders. Certain individuals are also targeted more frequently, due to their prominence: Managers receive 2.5 times more phishing emails on average than non-managers, and the rate of attempts goes up for all employees the longer they remain at a company, nearly doubling every three years.

These figures can vary widely between organizations, so it's key for businesses to perform their own analysis. This can be done by analyzing data that's often overlooked — like the logs generated by security endpoints when they prevent employees from executing malware — and gathering patterns from it. In the ideal framework, security administrators should be able to pull data from all manner of security tools to understand what good or risky security decisions users make on an ongoing basis and build a profile on users' individual security risk.

**Managing Risk**

Much like financial institutions with credit scores or insurance companies with premiums, organizations can then begin leveraging these risk scores to create a personalized, adaptive approach to security, beginning with tailored training.

Rather than making all employees complete the same generic security awareness modules (which, let's be honest, most people will just blow through with little attention paid), individuals who have proven themselves a low risk can instead be served a light slate of policy reminders and checklists. Those on the opposite end of the spectrum, who are either frequently targeted or will be, can be mandated to take more rigorous training with a focus on the topics related to the risks they face.

With detailed insights into behavior patterns, organizations can also reward good security practices with recognition. They can then take steps to stem bad habits with interventions like adaptive nudges — personalized messages sent out at the right time, or context to prevent users from falling victim to attacks — or strategies like tighter email security filtering, stricter browsing permissions, or reducing the time that multifactor authentication tokens are valid on at-risk users' machines.

It's important that these practices are carried out with transparency so employees know how the security team plans on using this collected data. When security teams take a constructive stance — for example, by sending out report cards that affirm positive behavior and suggest areas to improve — employees almost universally respond with openness and appreciation. For the small percentage of users in the high-risk group, extra care should be taken to explain how the additional training and adaptive measures are designed to help them get better.

**Tracking Improvement**

Collecting and analyzing security events also allows administrators to take a more data-driven approach to measuring results and, ideally, improvement. By gauging their baseline, security teams can then track the number of risky behaviors occurring on the network over time and dial in the best methods of "bubble wrapping" subsets of the user base to reduce future occurrences.

This measurability stands in stark contrast to conventional human risk mitigation practices (i.e., simple awareness training), which can often take the form of a black hole in terms of understanding impact and, in turn, return on investment (ROI). With an objective, outcomes-first approach, CISOs can both deliver security improvement and clearly demonstrate the success of the investment to the rest of the C-suite.

As threat actors get smarter about how they target employees, the onus is on organizations and their cybersecurity partners to create a strong line of defense — and the human element is a critical component. Companies that take a more intelligent, personalized approach to curbing risky behavior will stand the best chance of safeguarding their organizations against cyberattacks, all while making more efficient use of their security budgets.

**About the Author(s)**

VP, Human Risk Strategy, Mimecast

Masha Sedova, co-founder of Elevate Security, has made her mark in cybersecurity through her practical and human-centered approach to the field. Under her leadership, Elevate Security's innovative platform significantly reduced user-related risks for enterprises. This led to its acquisition by Mimecast in 2024 where she now serves as VP of human risk strategy.

Tag

#auth