Until CEOs and boards prioritize learning more about mitigating threats, organizations are leaving themselves and their businesses open to the potential for disaster.

Erik Gaston, CIO & Vice President of Global Executive Engagement, Tanium

October 24, 2024

6 Min Read

Source: Stephen Barnes/Business via Alamy Stock Photo

COMMENTARY

With the mounting, competitive pressure to leverage generative artificial intelligence (GenAI), now is the time for CEOs to better understand the technology themselves.  

Cybersecurity deserves this same level of attention — and so does the discrepancy between C-level enthusiasm and skill level. Leveraging AI tools, cybercriminals and their attacks have become more sophisticated, and with this technology comes a swath of security concerns when used in a company environment. As GenAI use grows within organizations, so does tension across executive teams and in the boardroom, especially as the chief information security officer (CISO) role shifts in remit. We're also seeing significant spikes in data breaches. All of this coalesces to signal the need for more cybersecurity acumen across the C-suite in order to provide leadership and guidance to firms.  

Why? Because enduring companies understand how to navigate one of the most common and consequential risks in business.  

**Improved Strategic Decision-Making, Resource Allocation, and Collaboration**

Cybersecurity acumen at the top of the org chart can significantly impact the company's overall security posture and ability to manage risk. This, in turn, translates into several additional benefits for the company.  

For starters, companies can now integrate security into decision-making processes and strategic direction. This should never be an afterthought. Cyber-risk lurks everywhere and crops up in more decisions than people realize. It's not just in overly simple passwords or opening phishing emails; software-as-a-service (SaaS) tools can serve as an easy entry point for man-in-the-middle attacks that threaten businesses. 

Leaders in 2024 must recognize the need for security. While businesses have access to incredible levels of technology that can help a company thrive, so do malicious actors. Understanding the variety of sources a threat can stem from better equips a leader to make strategic choices that bolster the protection of data and intellectual property, rather than put it at further risk.  

That said, security is not always cheap, and finding qualified resources in an already scarce security and AI market is challenging at best. Resource allocation is critical in the decision-making process to balance both attention to threats and business costs. In today's economic climate, budgets are being heavily scrutinized for technology and business leaders. Those with a broader and deeper understanding of the risks that come with deprioritizing security are better prepared to make smart decisions about where to allocate investments.  

Furthermore, attaining that kind of security knowledge intrinsically improves leadership's ability to collaborate with all of the different internal teams. These conversations drive quicker, better decisions, especially during a crisis, while increasing the respect between the office of the chief information officer (CIO) and the chief security officer (CSO). Enabling that sort of alignment will also bring better, more articulate conversations with the board that protect businesses against risk.  

Attack surfaces continue to grow for businesses in every industry, which only makes transparency and collaboration more necessary. Regulators are rising to the challenge of finding ways to deal with this new cyber reality, and the pressure is mounting. You can see this in new rules and directives from the Securities and Exchange Commission, and in regulations like the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA), just to name a few. Noncompliance is costly both financially and in terms of losing an opportunity to defend against attackers. But compliance requires departments and leaders to communicate in order to create and execute new strategies and policies.  

However, the burden of proof still falls to top leadership to make this happen. It's in the C-suite's best interest and within its responsibilities to protect data and assets as best it can for customers and the firm. Financial and reputational impacts due to cyberattacks are a consideration that must be recognized in all major decisions at the board level. The rising threat landscape creates a perfect storm that, if left unchecked, leaves businesses vulnerable to major loss.  

**Credibility Allows Senior Leaders to Perform Better on the Job**

Cybersecurity is a critical topic on every board's agenda as we continue to see stories about threats sneaking through technological infrastructure and impacting the customer experience on at scale. Leaders need the kind of "street cred" to effectively lead a dynamic, smart organization of technologists and operations professionals. Few have the kind of pointed knowledge to recommend, lead, or drive change toward a more secure work culture — only making it that much more critical.  

Those who can think technically while still demonstrating a business mindset will be best positioned to help their organizations succeed. Some of the strongest leaders and executives I have encountered are those who not only know what they're talking about, but also have a keen ability to explain the "why" of what they're talking about in terms that resonate with those who are unfamiliar with the subject matter.  It is time for experts to direct the action instead of "actors."  

In the words of one of my mentors: "Leaders have followers. Managers just tell people what to do in a hierarchy." It's not enough to just know your stuff; you need to be able to equip others with that knowledge as well. That's what makes you indispensable as a leader. And with the average tenure of most cyber leaders at less than a year and a half, those of us in these positions can't afford to ignore that kind of reality. Commanding the space rather than putting yourself in a situation where you're forced to react isn't just good for the business but good for the leader, too.  

**Leaders Can't Afford to Ignore the Need for This Kind of Knowledge**

Cybersecurity acumen is no longer specialized or reserved for only the educated few. This was reflected in a recent decision by the Securities and Exchange Commission requiring companies to report a material breach within four days of occurrence. While it did not specifically call for cybersecurity expertise in the boardroom for public companies, it has long been highlighted that only a small percentage of publicly traded companies have such expertise. Although the mandate ultimately didn't pass, this is a proof point of how seriously agencies and regulatory bodies are taking cybersecurity, and it is only a matter of time before this becomes the official guidance.  

Prioritizing risk management and assessment must come from the top down. Until CEOs and boards have prioritized learning more about these threats and how to mitigate them, organizations are leaving themselves and their businesses open to the potential for disaster. But the leaders who spend the time and effort to study the game, the players, and the playbook toward better threat protection will see the dividends for years to come. 

**About the Author**

CIO & Vice President of Global Executive Engagement, Tanium

Erik Gaston is a chief information officer (CIO), vice president of global executive engagement at Tanium. He hass spent most of his career as a CIO/CTO (chief technology officer), leading large global organizations on Wall Street and in the tech and software-as-a-service (SaaS) space.

Why Cybersecurity Acumen Matters in the C-Suite

Pinterest is facing a complaint because it failed to comply with GDPR rules about using personal data for personalized advertising.

Pinterest has received a complaint from privacy watchdog noyb (None of your business) over the unsolicited tracking of its users.

Pinterest allows you to pin images to virtual pinboards; useful for interior design, recipe ideas, party inspiration, and much more. It started as a virtual replacement for paper catalogs to share recipes, but has since grown into a visual search and e-commerce platform.

With the growth came the advertisers, and what their goals with the platform were. And as we are all undoubtedly aware, targeted and especially personalized advertising is much more effective than regular advertising.

So, like many other social media platforms before it, Pinterest claimed to have a legitimate interest in using personal data without asking for consent.

The “legitimate interest” argument comes from one of the six lawful bases granted in the European Union’s (EU’s) General Data Protection Regulation (GDPR) which states that processing of personal data is allowed if it is:

> “…necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

Social media platforms have a habit of claiming to need that ability for economic reasons, to improve their service, or to safeguard security of both users and the platform. But in every case I know of, the Court of Justice of the European Union (CJEU) has ruled against platforms using personal data without consent.

Pinterest users are not made aware of the fact that they can turn off “ads personalisation” under the “privacy and data” settings, according to the complaint. This setting is turned on by default, allowing Pinterest to use information from visited websites and from other third parties to show users personalized ads.

When a complainant filed an access request to find out what data Pinterest had about her, she received a copy of her data on the same day, but quickly realized that it didn’t include any information about the recipients of her data.

Two additional requests made her none the wiser about the categories of data that were shared with third parties, which means that Pinterest failed to adequately respond to the access request under Article 15(1)(c) of the GDPR.

Based on this, noyb has filed a complaint with the French data protection authority (CNIL). The grounds of that complaint are that Pinterest violated Article 6(1) GDPR by processing the complainant’s personal data for personalized advertising on the basis of legitimate interest, and violated Article 15(1)(c) GDPR by failing to provide access to the categories of data shared with third parties.

To turn off personalized ads on Pinterest:

*   Log in to your Pinterest account
*   Click the chevron-down icon at the top-right corner to open your menu
*   Click **Settings**
*   Select **Privacy and data**
*   Adjust your personalization settings
*   Click **Save**.

Pinterest reminds users that this setting does not apply to information about purchases you initiate on Pinterest. More information about this setting is available in Pinterest’s Help Center.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Pinterest tracks users without consent, alleges complaint 

Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances.
"The impact of this issue could, in certain scenarios, allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover," Aqua said in a report shared

Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances.

"The impact of this issue could, in certain scenarios, allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover," Aqua said in a report shared with The Hacker News.

Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July.

AWS CDK is an open-source software development framework for defining cloud application resources using Python, TypeScript, or JavaScript and provisioning them via CloudFormation.

The problem identified by Aqua builds upon prior findings from the cloud security firm about shadow resources in AWS, and how predefined naming conventions for AWS Simple Storage Service (S3) buckets could be weaponized to orchestrate Bucket Monopoly attacks and gain access to sensitive data.

Preparing an AWS environment for usage with the AWS Cloud Development Kit (AWS CDK) is accomplished by a process called bootstrapping, wherein certain AWS resources are provisioned to the environment. This includes an AWS S3 bucket, Amazon Elastic Container Registry (Amazon ECR) repository, and AWS Identity and Access Management (IAM) roles.

"Resources and their configuration that are used by the CDK are defined in an AWS CloudFormation template," according to AWS documentation.

"To bootstrap an environment, you use the AWS CDK Command Line Interface (AWS CDK CLI) cdk bootstrap command. The CDK CLI retrieves the template and deploys it to AWS CloudFormation as a stack, known as the bootstrap stack. By default, the stack name is CDKToolkit."

Some of the IAM roles created as part of the bootstrapping process grant permission to upload and delete assets from the associated S3 bucket, as well as perform stack deployments with administrator access.

Aqua said the naming pattern of the IAM roles created by AWS CDK follows the structure "cdk-{Qualifier}-{Description}-{Account-ID}-{Region}," where each of the fields are explained below -

*   Qualifier, a unique, nine-character string value that defaults to "hnb659fds" although it can be customized during the bootstrapping phase
*   Description, resource description (e.g., cfn-exec-role)
*   Account-ID, AWS account ID of the environment
*   Region, AWS region of the environment

In a similar vein, the S3 bucket created during bootstrapping follows the naming pattern "cdk-{Qualifier}-assets-{Account-ID}-{Region}."

"Since many users run the cdk bootstrap command without customizing the qualifier, the S3 bucket naming pattern of the staging bucket becomes predictable," Aqua said. "This is because the default value for the bucket name qualifier is set to 'hnb659fds,' making it easier to anticipate the bucket's name."

With thousands of instances discovered on GitHub where the default qualifier is used, this also means that guessing the bucket's name is as simple as finding the AWS Account ID and the region to which the CDK is deployed.

Combining this aspect with the fact that S3 bucket names are globally unique across all AWS accounts, the loophole opens the door for what's called S3 Bucket Namesquatting (or Bucket Sniping), allowing an attacker to claim another user's CDK bucket if it doesn't exist already.

This could then pave the way for a partial denial-of-service (DoS) when a user attempts to bootstrap the CDK with the same account ID and region, a scenario that could be resolved by specifying a custom qualifier during bootstrapping.

A more serious consequence could occur if the victim's CDK has permission to both read and write data from and to the attacker-controlled S3 bucket, thereby making it possible to tamper with CloudFormation templates and execute malicious actions within the victim's AWS account.

"The deploy role of the CloudFormation service, which is the role CloudFormationExecutionRole in CDK, has administrative privileges within the account by default," Aqua pointed out.

"This means that any CloudFormation template written to the attacker's S3 bucket by the victim's CDK would be deployed later with administrative privileges in the victim's account. This would allow the attacker to create privileged resources."

In a hypothetical attack, should a user have initiated the CDK bootstrap process in the past and subsequently deleted the S3 bucket due to quota limits, an adversary could take advantage of the situation to create a bucket with the same name.

This could then cause the CDK to implicitly trust the rogue bucket and read/write CloudFormation templates to it, making them susceptible to exploitation. However, for this to succeed, the attacker is expected to fulfil the below prerequisites -

Claim the bucket with the predictable name and allow public access

Create a Lambda function that will inject a malicious admin role or backdoor into a given CloudFormation template file whenever it's uploaded to the bucket

In the final stage, when the user deploys the CDK using "cdk deploy," not only does the process send the template to the replica bucket, but also inject an admin role that the attacker can assume to ultimately gain control of the victim's account.

Put differently, the attack chain facilitates the creation of an admin role in a target AWS account when a CDK S3 bucket set up during the bootstrap process is deleted and the CDK is used again. AWS has since confirmed that approximately 1% of CDK users were vulnerable to the attack vector.

The fix put in place by AWS ensures that assets are only uploaded to buckets within the user's account so as to prevent the CDK from pushing data to buckets not owned by the account that launched the bootstrapping. It has also urged customers to use a bespoke qualifier instead of the default "hnb659fds."

That said, user action is required if bootstrapping was carried out using CDK version v2.148.1 or earlier, necessitating that they update the CDK to the latest version and re-run the bootstrap command. Alternatively, users have the option of applying an IAM policy condition to the FilePublishingRole CDK role.

The findings once again call for keeping AWS account IDs a secret, defining a scoped IAM policy, and avoiding giving predictable names to S3 buckets.

"Instead, generate unique hashes or random identifiers per region and account, and incorporate them into your S3 bucket names," Aqua concluded. "This strategy helps protect against attackers preemptively claiming your bucket."

The disclosure comes as Broadcom-owned Symantec found several Android and iOS apps that hard-coded and unencrypted cloud service credentials for AWS and Microsoft Azure Blob Storage, putting user data at risk.

Some of the offending apps include Pic Stitch: Collage Maker, Crumbl, Eureka: Earn Money for Surveys, Videoshop - Video Editor, Meru Cabs, Sulekha Business, and ReSound Tinnitus Relief.

"This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches," security researchers Yuanjing Guo and Tommy Dong said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks

The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices.
Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor.
This entails triggering the

The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices.

Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor.

This entails triggering the zero-day exploit simply upon visiting a fake game website ("detankzone\[.\]com") that was aimed at the individuals in the cryptocurrency sector. The campaign is estimated to have commenced in February 2024.

"On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version," Kaspersky researchers Boris Larin and Vasily Berdnikov said.

"But that was just a disguise. Under the hood, this website had a hidden script that ran in the user's Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim's PC."

The vulnerability in question is CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine that Google patched in mid-May 2024.

The use of a malicious tank game (DeTankWar, DeFiTankWar, DeTankZone, or TankWarsZone) as a conduit to deliver malware is a tactic that Microsoft has attributed to another North Korean threat activity cluster dubbed Moonstone Sleet.

These attacks are carried out by approaching prospective targets through email or messaging platforms, tricking them into installing the game by posing as a blockchain company or a game developer seeking investment opportunities.

Kaspersky's latest findings add another piece to the attack puzzle, highlighting the role played by the zero-day browser exploit in the campaign.

Specifically, the exploit contains code for two vulnerabilities: the first is used to give attackers read and write access to the entire address space of the Chrome process from the JavaScript (CVE-2024-4947), and the second is abused to get around the V8 sandbox.

"The \[second\] vulnerability is that the virtual machine has a fixed number of registers and a dedicated array for storing them, but the register indexes are decoded from the instruction bodies and are not checked," the researchers explained. "This allows attackers to access the memory outside the bounds of the register array."

The V8 sandbox bypass was patched by Google in March 2024 following a bug report that was submitted on March 20, 2024. That said, it's currently not known if the attackers discovered it earlier and weaponized it as a zero-day, or if it was exploited as an N-day vulnerability.

Successful exploitation is followed by the threat actor running a validator that takes the form of a shellcode responsible for gathering system information, which is then used to determine if the machine is valuable enough to conduct further post-exploitation actions. The exact payload delivered after this stage is currently unknown.

"What never ceases to impress us is how much effort Lazarus APT puts into their social engineering campaigns," the Russian company said, pointing out the threat actor's pattern of contacting influential figures in the cryptocurrency space to help them promote their malicious website.

"For several months, the attackers were building their social media presence, regularly making posts on X (formerly Twitter) from multiple accounts and promoting their game with content produced by generative AI and graphic designers."

The attacker's activity has been observed across X and LinkedIn, not to mention the specially-crafted websites and email messages sent to targets of interest.

The website is also designed to lure visitors into downloading a ZIP archive ("detankzone.zip") that, once launched, is a fully functional downloadable game that requires player registration, but also harbors code to launch a custom loader codenamed YouieLoad, as previously detailed by Microsoft.

What's more, it's believed that the Lazarus Group stole the source code for the game from a legitimate blockchain play-to-earn (P2E) game named DeFiTankLand (DFTL), which suffered a hack of its own in March 2024, leading to the theft of $20,000 worth of DFTL2 coins.

Although the project developers blamed an insider for the breach, Kaspersky suspects that the Lazarus Group was behind it, and that they stole the game's source code alongside the DFTL2 coins and repurposed it to advance their goals.

"Lazarus is one of the most active and sophisticated APT actors, and financial gain remains one of their top motivations," the researchers said.

"The attackers' tactics are evolving and they're constantly coming up with new, complex social engineering schemes. Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no…

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no financial details were exposed, users are advised to change passwords and stay alert for phishing attacks.

The hacker, known as “Shooked,” leaked the personal details of over 180,000 Esport North Africa (ESNA) users just one day before the tournament is set to begin in Morocco. The 3 GB data dump, which Shooked claims is the “full database,” was released on **Breach Forums** on the morning of Wednesday, October 23, 2024. The ESNA tournament is scheduled to start on Thursday, October 24th.

Screenshot from the targeted site

For context, Esport North Africa (ESNA – Electronic Sports North Africa) is a platform designed to promote competitive gaming and esports development across the North African region. It organizes tournaments in popular games such as FC25, Free Fire, Street Fighter 6, and other competitive titles, providing opportunities for gamers to showcase their skills.

The leaked data was analyzed by the Hackread.com research team and contains over 9 million lines. However, after the removal of duplicate entries, the total number of unique user records stands at 180,000. This data includes the following information:

*   **User ID**
*   **Country**
*   **Usernames**
*   **IP addresses**
*   **Timestamp**
*   **Session ID**
*   **WordPress URLs**
*   **Email addresses (179,224)**

and other details…

Hacker on Breach Forum and sample data (Screenshot: Hackread.com)

While the leaked data does not include passwords or financial details, the breach appears legitimate. However, final confirmation is pending a response from the organization, which Hackread.com has reached out to for comment.

Cyberattacks on gaming companies and gamers are not new, as they are often lucrative targets for criminals. Last year, Akamai’s research revealed how hackers used **the Dark Frost Botnet** to target gaming companies and players, compromising devices to execute DDoS attacks.

If you have an account on ESNA (ESNA.GG), it’s recommended to change your password as a precaution. Additionally, be cautious of potential phishing emails from cybercriminals posing as Esport North Africa representatives, attempting to **exploit the breach**.

**RELATED ARTICLES**

1.  **Online gaming and protection against cyber attacks**
2.  **RapperBot malware hits gaming servers with DDoS attacks**
3.  **Gaming Giant Activision Employees Hit by SMS Phishing Attack**
4.  **Gaming controllers manufacturer exposed 1.1M customer records**
5.  **How data collected in gaming can be used to breach user privacy**

Hackers Leak 180,000 Esport North Africa User Records a Day Before Tournament Begins

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

Source: MAHATHIR MOHD YASIN via Shutterstock

North Korea's infamous Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other tricks to try and steal from cryptocurrency users worldwide.

The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space to promote their malware-infected crypto game site.

**Elaborate Campaign**

"Over the years, we have uncovered many \[Lazarus\] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away," said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. "Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it," the security vendor noted.

The state-sponsored Lazarus group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the height of the pandemic.

Analysts believe that many of the group's financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are really attempts to generate revenue for the money-strapped North Korean government's missile program.

In the latest campaign the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.

**A Chrome Zero-Day and a Second Bug**

Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome's V8 browser engine. It gave the attackers a way to execute arbitrary code inside a browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.

The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit is that it does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor called Manuscrypt.

What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible," Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They used multiple fake accounts to promote their site via X and LinkedIn along AI-generated content and images to create an illusion of authenticity around their fake game site.

"The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly," Larin and Berdnikov wrote.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

The software development kit will simplify building and testing of CHERI-enabled RISC-V applications.

Source: Mentor58 via Alamy Stock Photo

German processor design company Codasip has donated its latest RISC-V software development kit to chip security consortium CHERI Alliance to help developers add memory safety to chips.

RISC-V is an instruction set architecture (ISA) that allows developers and manufacturers to personalize silicon chips with capabilities to meet their needs, such as for use in smartphones, space technologies, industrial applications, and automotive technologies, to name a few. RISV-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

CHERI (Capability Hardware Enhanced RISC Instructions) extends ISA to manage memory access control to prevent common vulnerabilities, such as buffer overflows and memory corruption. The method involves isolating the hardware and software so that adversaries cannot inject attack code into memory. The CHERI Alliance is an industry consortium focused on promoting the development and adoption of security technologies that protect data stored in hardware memory.

Developers need access to tools and packages that are available for CHERI — this is what the SDK that Codasip built and donated to the CHERI Alliance offers. The compiler is capable of generating the modified instructions. Anyone implementing CHERI on RISC-V chips can access the SDK, which is freely available on GitHub.

The SDK includes:

*   C/C++ compiler and toolchain based on LLVM17
    

*   QEMU open source emulator
    
*   OpenSBI implementation of the RISC-V Supervisor Binary Interface
    

*   Yocto build system for Linux
    
*   Basic user space environment based on Busybox
    

"As more organizations and governments discover the potential of the CHERI technology to protect us, we need to speed up the pace of making the technology available in real systems," Codasip CEO Ron Black said in a statement. "We have made a massive effort to implement a full Linux-capable SDK that we are now opening for everyone to use."

**About the Author**

Codasip Donates Tools to Develop Memory-Safe Chips

Operation Overload pushes dressed up Russian state propaganda with the aim of flooding the US with election disinformation.

Source: Jozef Polc via Alamy Stock Photo

In the final days of the 2024 US election season, Russian state-backed actors are pushing enormous amounts of fake news disguised as information from reputable news outlets with the intention of flooding the American news ecosphere with enough garbage to influence who eventually wins the White House.

The Kremlin's full-scale propaganda push, named Operation Overload by researchers at Recorded Future who uncovered the effort, is pretty basic: influence the outcome of the US election by overwhelming already thread-bare newsroom resources. If the handful of journalists and trusted news sources left standing in the US are endlessly deploying scarce investigative resources to chase down fake news, there are fewer journalists left to debunk the junk.

It's an effective tactic that has been used by Operation Overload before. The Russian state-backed group honed its fake news skills with similar campaigns in France recently, Recorded Future pointed out in its report.

"Previously attempting to undermine the 2024 French elections and the Paris Olympics, the operation is now shifting its focus to the 2024 US presidential election," the report warned. "It involves creating fake news sites, false fact-checking resources, and AI-generated audio that mimics legitimate media outlets."

The group also adds branding and logos that make the disinformation look like it's from a trusted US news organization, making it difficult for consumers to know what's real and what isn't.

**Taking Aim at Tim Walz**

Most recently, the Russian fake news farm has been pushing disinformation against vice presidential candidate Tim Walz.

"Based on newly available intelligence, for example, the IC assesses that Russian influence actors manufactured and amplified inauthentic content claiming illegal activity committed by the Democratic vice-presidential candidate during his earlier career," an alert from the office of the director of national intelligence warned on Tuesday.

Besides fake news doctored up to look like legitimate reports, AI-generated content, and flooding media with propaganda to fact check, the effort relies heavily on automated social media posts to continuously pump out bad information, Recorded Future said.

It's on Elon Musk's X platform where many of the Operation Overload disinformation gets a lot of traction. Three separate false narratives being pushed by the Russian troll farm against Walz in recent days were traced back to X accounts by CBS News.

In the days to come, Recorded Future warned Operation Overload will continue to push three distinct varieties of disinformation aimed at influencing the outcome of the US election: stoking political violence, targeting candidates, and vilifying Ukrainians as well as the LGBTQIA+ community.

"The operation seeks to directly inject influence content into mainstream discussion of contentious political issues, eroding public trust in the democratic process, provoking US domestic concerns of political violence and 'civil war,' and exploiting existing social divisions," the report explained.

Russian Trolls Pose as Reputable Media to Sow US Election Chaos

The risk of exploitation is heightened, thanks to a proof-of-concept that's been made publicly available.

Source: Ascannio via Alamy Stock Photo

A high-severity flaw in Microsoft SharePoint, tracked as CVE-2024-38094, is under active exploit.

The bug is a deserialization vulnerability, which is often used as attack vectors by malicious cyber actors and poses a serious threat to federal enterprises. If successfully exploited, it could give threat actors remote code execution capabilities. The vulnerability has earned a CVSS score of 7.2 out of 10.

"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft reported in an alert. 

Patches for the flaw were released in July as part of a series of Patch Tuesday updates, and it has since been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

The risk of potential continued exploitation of the vulnerability is further heightened due to the fact that a proof-of-concept is now available on GitHub for public viewing.

No additional details about how the vulnerability is being actively exploited have been shared, but due to these developments, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by Nov. 12.

**About the Author**

Microsoft SharePoint Vuln Is Under Active Exploit

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation.
"Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation.

"Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure," Kaspersky said in an analysis published Tuesday.

Some of the other freshly incorporated tricks include the use of a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking. Also observed are "lighter, local versions" that are specifically focused on targeting banking customers in Mexico.

Grandoreiro, active since 2016, has consistently evolved over time, taking efforts to stay undetected, while also widening its geographic scope to Latin America and Europe. It's capable of stealing credentials for 1,700 financial institutions, located in 45 countries and territories.

It's said to operate under the malware-as-a-service (MaaS) model, although evidence points to it being only offered to select cybercriminals and trusted partners.

One of the most significant developments this year concerning Grandoreiro is the arrests of some of the group's members, an event that has led to the fragmentation of the malware's Delphi codebase.

"This discovery is supported by the existence of two distinct codebases in simultaneous campaigns: newer samples featuring updated code, and older samples which rely on the legacy codebase, now targeting only users in Mexico — customers of around 30 banks," Kaspersky said.

Grandoreiro is primarily distributed by means of a phishing email, and to a lesser extent, through malicious ads served on Google. The first stage is a ZIP file, which, in turn, contains a legitimate file and an MSI loader that's responsible for downloading and launching the malware.

Campaigns observed in 2023 have been found to leverage extremely large portable executables with a file size of 390 MB by masquerading as AMD External Data SSD drivers to bypass sandboxes and fly under the radar.

The banking malware comes equipped with features to gather host information and IP address location data. It also extracts the username and checks if it contains the strings "John" or "WORK," and if so, halts its execution.

"Grandoreiro searches for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike," the company said. "It also looks for banking security software, such as Topaz OFD and Trusteer."

Another notable function of the malware is to check for the presence of certain web browsers, email clients, VPN, and cloud storage applications on the system and monitor user activity across those apps. Furthermore, it can act as a clipper to reroute cryptocurrency transactions to wallets under the threat actor's control.

Newer attack chains detected in the aftermath of the arrests this year include a CAPTCHA barrier prior to the execution of the main payload as a way to get around automatic analysis.

The latest version of Grandoreiro has also received significant updates, including the ability to self-update, log keystrokes, select the country for listing victims, detect banking security solutions, use Outlook to send spam emails and monitor Outlook emails for specific keywords.

It's also equipped to capture mouse movements, signaling an attempt to mimic user behavior and trick anti-fraud systems into identifying the activity as legitimate.

"This discovery highlights the continuous evolution of malware like Grandoreiro, where attackers are increasingly incorporating tactics designed to counter modern security solutions that rely on behavioral biometrics and machine learning," the researchers said.

Once the credentials are obtained, the threat actors cash out the funds to accounts belonging to local money mules by means of transfer apps, cryptocurrency, or gift cards, or an ATM. The mules are identified using Telegram channels, paying them $200 to $500 per day.

Remote access to the victim machine is facilitated using a Delphi-based tool named Operator that displays a list of victims whenever they begin browsing a targeted financial institution website.

"The threat actors behind the Grandoreiro banking malware are continuously evolving their tactics and malware to successfully carry out attacks against their targets and evade security solutions," Kaspersky said.

"Brazilian banking trojans are already an international threat; they're filling the gaps left by Eastern European gangs who have migrated into ransomware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git