A new report from the Open Software Supply Chain Attack Reference (OSC&R) team provides a framework to reduce how much vulnerable software reaches production.

Neatsun Ziv, CEO & Co-Founder, Ox Security

November 15, 2024

5 Min Read

Source: Andrey Kryuchkov via Alamy Stock Photo

COMMENTARY

The complexity of today's software development — a mix of open source and third-party components, as well as internally developed code — has resulted in an abundance of vulnerabilities for attackers to exploit throughout the software supply chain.

We've seen the direct effects of software supply chain attacks in incidents like the MOVEit and SolarWinds breaches, revealing that no industry sector, size of company, or stage of software development is immune. According to a survey from Enterprise Strategy Group (ESG), 91% of organizations experienced at least one software supply chain security incident in 2023, and 2024 hasn't seemed any better.

Security teams are overwhelmed by the task of sorting through, assessing, and prioritizing the mitigation of tens of thousands of alerts to discern those that pose real risk from those that are benign. In 2023, a group of AppSec experts addressed this problem by launching the Open Software Supply Chain Attack Reference (OSC&R), a freely available, MITRE ATT&CK-like framework to help organizations gain a deeper understanding of their software supply chain vulnerabilities.

The OSC&R community's inaugural report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures," offers a comprehensive analysis of the severity of vulnerabilities across the software supply kill chain. Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, it examines the risk to software supply chains and probes the alignment between the vulnerabilities found in the wild and the focus of AppSec teams today.

The research offers some eye-opening statistics, including that 95% of organizations have at least one high, critical, or apocalyptic risk in their software supply chain, with the average organization having nine such issues. What's more, the OSC&R data shows that many of the most common software supply chain vulnerabilities are tied to fundamental security controls, such as authentication, encryption, publicly available information in logs, and the principle of least privilege. Following are some of the most important takeaways from the report.

**1\. Watch for Run-Time Exposure**

One in five applications was found to contain high, critical, or apocalyptic runtime vulnerabilities during the execution phase of an attack. This makes them prime targets for attackers. Because the most significant software vulnerabilities tend to surface in later attack stages, it's crucial to catch issues early in the software development life cycle.

As such, AppSec and DevOps teams should aim to strengthen application runtime security. This can be accomplished by integrating continuous monitoring and real-time protection mechanisms that focus on the later stages of an attack, when the damage potential is greatest.

**2\. It's Worth Fixing Older Vulnerabilities**

While newer vulnerabilities may grab headlines, older vulnerabilities remain the most common attack vectors when it comes to supply chain security. Techniques like command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications) — as well as slow-burn vulnerabilities like CVE-2024-3094, which targeted the compression utility XZ Utils in major Linux distributions — still wreak havoc in unpatched systems. Attackers continue to successfully use historical tactics and techniques, showing that "old school" vulnerabilities present significant and persistent risks.

To counter these tactics and techniques and drive down the opportunity for attack, organizations should regularly review and update legacy systems and codebases to patch known vulnerabilities. Further, implementing a robust vulnerability management program that includes continuous scanning for both old and emerging threats will harden software to known risks.

**3\. Vulnerabilities That Span Multiple Attack Stages Amplify Damage**

In the OSC&R report data analysis, 36% of applications were found to be vulnerable to exploits in the initial access attack stage, with many overlapping across multiple stages of attack. Indeed, vulnerabilities in initial access stages often open the door for more severe threats, such as persistence and execution exploits.

The data underscores the need for AppSec and DevOps team to bolster defenses across all stages of the attack life cycle, not just in initial phases. Organizations should adopt multilayered security solutions that can detect and neutralize threats at various stages of the kill chain to prevent attackers from moving laterally within systems and causing widespread cyber and business damage.

**Next Steps for AppSec Teams**

One of the questions the inaugural OSC&R report sought to answer was whether what AppSec and DevOps teams focus on matched the vulnerabilities found in the wild. The data reveals that this is not yet the case. Progress is being made, but the high volume of vulnerabilities passing through the supply chain into live applications, and the large percentage of organizations that report supply chain security incidents, indicate that greater focus on proactive software security measures is needed.

In addition, organizations need to do a better job of looking systemically at both their software development processes and the attack lifecycle to identify the places most likely to be at risk. But historical data alone is not the answer. Organizations must implement the tools and processes that give them holistic visibility of their supply chain — from the build stage all the way through runtime, and including the development and testing environments, which are occasionally overlooked.

Further, it's clear that focusing on one or two stages of software development or one stage of the attack lifecycle isn't enough. Businesses must adopt a multilayered, full-lifecycle AppSec strategy — accompanied by tools that can unify all stages — to reduce the probability of attack.

Development and security teams now have a reference they can use to map their programs to known attack vectors and tactics. OSC&R, in effect, sets the foundation for operating a streamlined software security program that reduces the number of vulnerabilities that reach production, enhancing the resiliency of the organization as a whole and easing the fears of breach due to software flaws.

**About the Author**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

Lessons From OSC&amp;R on Protecting the Software Supply Chain

In recent years, artificial intelligence (AI) has begun revolutionizing Identity Access Management (IAM), reshaping how cybersecurity is approached in this crucial field. Leveraging AI in IAM is about tapping into its analytical capabilities to monitor access patterns and identify anomalies that could signal a potential security breach. The focus has expanded beyond merely managing human

How AI Is Transforming IAM and Identity Security

A data broker has confirmed a business contact information database containing 132.8 million records has been leaked online.

A data broker has confirmed a business contact information database containing 132.8 million records has been leaked online.

In February, 2024, a cybercriminal offered the records for sale on a data breach forum claiming the information came from pureincubation\[.\]com.

Cybercriminal offering to sell Pure Incubation data

Pure Incubation was founded in 2012, and the company later rebranded to DemandScience. DemandScience describes itself as “a leading global B2B demand generation company accelerating global growth for clients.”

DemandScience says it specializes in lead generation, content marketing, and software development offering data intelligence and marketing solutions for B2B organizations. That’s a mouthful to describe a data broker that specializes in selling aggregated public data that other companies can use in their marketing campaigns.

When contacted by BleepingComputer about the leak, DemandScience responded by email:

> “Regarding the matter referenced in your email, we have conducted a thorough internal investigation and conclude that none of our current operational systems were exploited. We also conclude that the leaked data originated from a system that has been decommissioned for approximately two years.”

It might not be a current system, but a third-party count of the data still showed around 122 million unique business email addresses. Although at some point when we all have switched jobs, it will become worthless. Maybe that’s why the cybercriminals offered to sell for $6,000.

That the company left a decommissioned system online for a criminal to find and plunder should be grounds for a hefty fine.

Despite DemandScience playing it down, the data is valuable. How else is it making money by gathering it from public records?

**What can you do?**

Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.

This is good news, because it offers Californians a sort of opt-out opportunity, by filling out this form: https://demandscience.com/privacy-policy-ccpa/

You can check whether your email address was included in this data breach by using Malwarebytes’ free Digital Footprint scan. Fill in the email address you’re curious about and we’ll give you a free report.

This leak also shows how important it can be to have your data removed from data brokers sites like these. To help you, Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.

 122 million people&#8217;s business contact info leaked by data broker 

As alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up.

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

For most of my cybersecurity career, I worked on the vendor side, in presales capacity, helping businesses identify and address security pain points. Now, as an information security engineer, I am on the other side, engaging with security vendors. A typical sales engagement includes pre-sales, proof of concept (PoC), onboarding, and support. While PoCs are useful, the real complexity of a product is understood only when the customer is fully onboarding. 

Although customers are responsible for accurate implementation of systems, vendors must realize they play a key role in guiding them through settings to ensure optimal performance and reduced alert fatigue. 

Achieving 100% efficiency will always be an ongoing challenge, but alert fatigue remains a significant issue. Modern security systems involve multiple components, each generating alerts that require teams to collaborate. And as alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up. 

**The Reality of Alert Fatigue**

Alert fatigue is not new, but the problem becomes bigger as organizations adopt more complex security solutions. These tools detect every potential anomaly, generating a flood of alerts, many of which are low-priority or false positives, obscuring critical signals. 

When faced with hundreds of alerts daily, analysts can become numb, ignoring or delaying important alerts, which leads to security breaches. Vendors currently address only part of the challenge by delivering systems that detect every possible attack are only doing half their job. However, these products alone fall short in helping companies effectively manage the alert flood, often times requiring a managed security service provider (MSSP) to bridge the gap. But they must do a better job helping companies manage the resulting flood of information. 

**Why Vendors Must Take Ownership**

It may be tempting for vendors to shift alert management to customers, but vendors create the underlying logic that generates these alerts, and therefore, they must ensure their tools enable users to respond effectively rather than overwhelming them. 

Here's how vendors need to take lead: 

1.  Smart filtering and prioritization: Vendors should design tools that prioritize high-risk alerts while suppressing noise using machine learning and contextual analytics. This reduces irrelevant notifications. 
    
2.  Automation to reduce manual work: The volume of alerts makes manual intervention impractical. Vendors should offer built-in automation for routine alerts, allowing security engineers to focus on critical ones, such as sinkholing, rate-limiting, blocking malicious IPs, or isolating suspicious files. 
    
3.  Actionable alerts with context: Vendors need to provide meaningful data with each alert, contextualizing it for the customer's environment and offering clear next steps, enabling quicker, more effective responses. 
    
4.  Continuous engagement and customization: Vendors must stay engaged with customers beyond the initial setup, helping tailor systems to meet specific needs. Regular optimization reduces unnecessary alerts and ensures critical threats are identified. 
    
5.  Feedback-based adaptive learning: Vendors should provide solutions that evolve with feedback loops, learning from customer input. False positives or low-priority alert floods should lead to system adjustments, improving accuracy over time. 
    

**The Cost of Ignoring Alert Fatigue**

If vendors fail to address alert fatigue, security teams may miss critical threats, leading to breaches. Overwhelmed staff may burn out, increasing turnover. For vendors, poor alert management can erode customer trust, leading to dissatisfaction and potential churn. 

**Needed: A Partnership for Success**

Alert fatigue is a shared problem, but vendors play the key role in solving it. By offering smarter, more responsive systems, ongoing optimization, and automation with context, vendors help customers focus on what matters the most. 

This isn't just about efficiency — it's about creating a partnership between vendors and customers. Together, they must be able to cut through the noise and be able to provide clarity in the fight against modern cyber threats. Vendors must ensure their solutions don't just alert but empower users to make the best decisions. 

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Security Engineer

Supradeep Bokkasam is a Brisbane-based information security engineer with nearly 20 years of IT experience. He has worked extensively in the content delivery network (CDN) space, focusing on network and application security, identity and access management (IAM), and zero-trust network access (ZTNA). He has worked with organizations across various sectors to identify and safeguard critical assets against cyber threats.

The Vendor's Role in Combating Alert Fatigue

Cloud service providers are getting better at protecting data, pushing adversaries to develop new cloud ransomware scripts to target PHP applications, a new report says.

Instead of solely leaning on leaky buckets and cloud service provider (CSP) vulnerabilities to exfiltrate sensitive data, a fresh crop of cloud-targeting ransomware is aimed instead at exploiting unprotected Web applications to drop encryptors and lock up victims' data.

The pivot to focusing on PHP applications demonstrates the success that CSPs have had in shoring up their environments with policies like AWS's Key Management Service, according to a new report from SentinelOne on the state of cloud ransomware landscape in 2024. CSPs can now ensure that almost no data is really lost, thanks to policies that require a waiting period and confirmation before data can be deleted. There are some fairly exotic malicious workarounds for some of these protections, but attacks can easily be blocked by implementing service control policies, the report said.

**Cloud Ransomware's New Look at Web Applications**

Cloud ransomware operators have started to mine Web applications for opportunities in increasing volumes, according to SentinelOne.

"Web applications are often run via cloud services," SentinelOne's report explained. "Their more minimal nature makes cloud environments a natural hosting point where the applications are easier to manage and require less configuration and upkeep than running on a full operating system. However, Web applications themselves are vulnerable to extortion attacks."

Related:5 Ways to Save Your Organization From Cloud Security Threats

Analysis uncovered new ransomware scripts specifically developed to attack PHP applications — such as a Python script named "Pandora," and another attributed to Indonesian-based threat actor IndoSec group.

"The Pandora script uses AES encryption to target several types of systems, including PHP servers, Android, and Linux," the report added. "The PHP ransom functions encrypt files using AES via the OpenSSL library. The Pandora Python script runs on the Web server, writing the PHP code output to the path pandora/Ransomware with a file name provided as an argument at runtime and appended with the php extension."

The ransom script targeting PHP applications developed by IndoSec uses a PHP backdoor to manage and delete files, according to the report. It searches through directories, reads, and then encodes the file contents using a Web service's API.

"This is an interesting approach because the encryption is provided through a remote service, rather than using native functionality like many other tools," the report noted.

**Using Legitimate Cloud-Native Functions to Steal Data**

Aside from trying to breach them, adversaries have also figured out how to use these cloud services themselves to exfiltrate stolen data, the report explained. SentinelOne offers the example of September Rhysdia and BianLian cloud ransomware attacks that abandoned their historical exfiltration tools like MEGAsync and rclone, and instead used Azure Storage Explorer to download the data. The following month, the LockBit ransomware group was discovered using Amazon's S3 storage to exfiltrate data from Windows and macOS systems, SentinelOne added.

Related:Google AI Platform Bugs Leak Proprietary Enterprise LLMs

In keeping with the trend, the SentinelOne research identified a new Python script on VirusTotal it named "RansomES." This code is designed to infiltrate a Windows system, look for files with extensions that indicate the file contains data, including .doc, .xls, .jpg, .png, or .txt. Once those files have been identified, the RansomES code allows the ransomware attacker to exfiltrate those files to an S3 storage bucket or an FTP site, and encrypt the local versions.

"RansomES is a simple script, and we do not believe it has been used in the wild," the report noted. "The author included an Internet connectivity check to the WannaCry killswitch domain, which may suggest the script was developed by a researcher or someone with an interest in threat intelligence."

Related:2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

The key to protecting data against Web application cloud ransomware attacks is to assess the overall cloud environment to protect against misconfigurations and overly permissive storage buckets, the report concluded.

"Additionally, always enforce good identity management practices such as requiring MFA on all admin accounts, and deploy runtime protection against all cloud workloads and resources," according to SentinelOne.

Cloud Ransomware Flexes Fresh Scripts Against Web Apps

The CISA and FBI have issued an advisory detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that…

The CISA and FBI have issued an advisory detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that has successfully infiltrated US telecommunications networks.

The US government has exposed a large-scale cyberespionage campaign launched by Chinese state-sponsored hackers. This campaign is mainly targeting critical telecommunications infrastructure in the United States and has resulted in the theft of sensitive data, including call records and private communications of individuals involved in government and political activities.

It is worth noting that this security advisory follows just a month after China’s Salt Typhoon group was accused of hacking AT&T and Verizon, allegedly accessing sensitive wiretap data.

According to the advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), Chinese state-sponsored actors have successfully compromised the networks of multiple telecommunications providers.

> _“Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”_
> 
> CISA – FBI

One of the most concerning aspects is the possible impact of this attack on US national security. By targeting telecommunications providers, hackers can gain a trove of sensitive information, including communications between government officials, military personnel, and other high-value targets. The compromised data could be used for intelligence gathering, blackmail, or other malicious purposes.  

The advisory states that the US government has taken steps to mitigate the threat posed by this cyberespionage campaign. CISA and the FBI are working closely with affected telecommunications providers to identify and address vulnerabilities. Additionally, the US government is urging individuals and organizations to take steps to protect themselves from cyber threats. 

****The China Threat****

While the United States is known for targeting Chinese infrastructure, China has also emerged as a persistent threat to US critical infrastructure, with state-sponsored hacking groups repeatedly targeting key sectors.

Last month, Chinese hacking group Salt Typhoon (aka GhostEmperor, FamousSparrow, and Earth Estries) breached the systems of major US telecom companies AT&T, Verizon, and Lumen Technologies, potentially compromising wiretap systems used in criminal investigations. 

Another Chinese state-sponsored threat actor Volt Typhoon hacked Singapore-based Singtel a few days back, probably in preparation for attacks against US wireless carriers, Bloomberg reported. 

Considering the extensive implications of such persistent threats, telecommunications providers must invest in advanced security technologies and train their employees to recognize/respond to cyber threats. Additionally, international cooperation is essential to combat cybercrime and hold cybercriminals accountable.

1.  **United Airlines Hacked by Chinese Group Behind The OPM Breach**
2.  **Chinese SMS Phishing Group Hits iPhone Users in India Post Scam**
3.  **China Hacked Federal Deposit Insurance Corporation with Malware**
4.  **Five Eyes Accuses Chinese APT40 for Hacking Government Networks**
5.  **Critical Vulnerabilities Expose Nearly 1 Million DrayTek Routers Globally**

CISA and FBI: Chinese Hackers Compromised US Telecom Networks

If the government truly wants to protect the US's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

November 14, 2024

6 Min Read

Source: Sergey Borisov via Alamy Stock Photo

COMMENTARY

The recent revelations about the Salt Typhoon cyber-espionage group breaching major US telecommunications companies, including Verizon, AT&T, and Lumen Technologies, lay bare a systemic vulnerability in America's approach to cybersecurity. This incident is not just an isolated attack; it's an indictment of the US government's inadequate response to the increasing cyber threats posed by state-backed entities like China. Despite years of warnings and multiple high-profile breaches, the government's cybersecurity posture remains reactionary, fragmented, and underwhelming.  

**The Critical Failures in US Cybersecurity Strategy**

Salt Typhoon's targeting of systems used for government intelligence collection, including those integral to surveillance and wiretapping capabilities, is a brazen assault on America's most sensitive digital infrastructure. It exposes a critical flaw: the lack of robust, proactive measures to secure such vital systems. How did a foreign state-backed group infiltrate and potentially remain undetected in these systems for months? The answer lies in insufficient federal oversight, underinvestment in cutting-edge defenses, and an overreliance on private companies to self-police. 

US telecom giants have historically enjoyed light regulatory oversight, often lobbying for fewer obligations and responsibilities. The government, in turn, has adopted a laissez-faire approach, trusting these corporations to manage their cybersecurity. This model is fundamentally flawed. When private entities prioritize profits over robust security measures, it opens the door for adversaries like Salt Typhoon to exploit weak points. The compromised systems at Verizon, AT&T, and Lumen Technologies illustrate the risks of letting corporations with such immense national security implications operate without stringent and enforceable cybersecurity standards. 

**Lawmakers' Outrage: Too Little, Too Late**

In the wake of the Salt Typhoon breach, US lawmakers have begun demanding answers from the affected companies, calling for greater accountability and urging federal regulators to impose stricter standards. While this post-breach outrage may seem like a strong response, it's another chapter in the reactive cycle that defines American cybersecurity policy. Rather than addressing systemic vulnerabilities before they are exploited, federal agencies and lawmakers are again playing catch-up. 

The reality is that sophisticated state-backed actors like Salt Typhoon have likely been probing and compromising critical US infrastructure for years, undetected and unchallenged. The question is not just why this breach happened but why the US government consistently finds itself responding after the fact. The issue goes beyond the individual companies breached — this pattern reflects a more significant failure in Washington to develop a proactive, cohesive, well-resourced cybersecurity strategy.

**The Illusion of Federal Oversight**

Federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), are reportedly investigating the extent of these breaches. However, these investigations often lack the teeth and reach necessary to effect real change. Despite the resources and expertise within agencies like CISA, they are limited in their power to enforce compliance or impose significant penalties on corporations that fail to meet cybersecurity benchmarks. This hands-off approach only emboldens adversaries who know that American companies are not adequately protected and that the government's response mechanisms are limited. 

Further, the fragmented nature of federal oversight complicates a comprehensive defense strategy. With multiple agencies sharing responsibility — yet lacking a unified and coordinated approach — gaps in response capabilities are inevitable. The breaches at Verizon, AT&T, and Lumen Technologies should serve as a wake-up call: The current oversight model is failing to keep pace with the sophistication of state-backed cyber threats. 

**The Need for a Paradigm Shift**

The US must abandon its outdated and ineffective approach to cybersecurity regulation to address these vulnerabilities. Here are key steps the government should take: 

*   Mandatory federal standards and penalties: Telecom companies are critical to national security. They must be held to federal standards that are not just recommendations but legal obligations, with meaningful penalties for non-compliance. The government cannot leave the protection of such vital infrastructure to the discretion of profit-driven entities. 
    
*   A unified cyber defense agency: The United States must streamline its response by creating a centralized agency with the power and authority to coordinate and enforce cybersecurity measures across the public and private sectors. The current patchwork of agencies is insufficient in an era where cyber threats know no borders or jurisdictions. 
    
*   Investment in advanced detection and response capabilities: The government must invest heavily in advanced technologies that provide real-time monitoring and automated response capabilities. Relying on companies to detect and report breaches months after they occur is unacceptable when adversaries can inflict catastrophic damage in seconds. 
    
*   Active cyber deterrence: The US must adopt a more aggressive cyber-deterrence strategy. The current approach of merely investigating breaches after the fact does not dissuade adversaries. It's time for the government to develop and deploy offensive cyber capabilities that signal a clear and present cost for any attempt to infiltrate US systems. 
    

**The Cost of Complacency**

The Salt Typhoon breach is just the latest chapter in a series of cyber-espionage incidents that have exposed the inadequacies of the US cybersecurity framework. If this pattern of complacency and reactionary policy continues, it won't be long before another attack not only compromises intelligence-gathering capabilities but potentially cripples critical infrastructure. The stakes are too high for lawmakers and federal agencies to continue operating with the exact amount of inertia and neglect. 

If Washington truly wants to protect the nation's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures. Otherwise, the US will continue to react to — rather than prevent — attacks that undermine its national security and global standing. 

Don't miss the free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

Washington's Cybersecurity Storm of Complacency

Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on…

Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS. Learn how this advanced persistent threat (APT) is evading detection and the steps you can take to protect yourself.   

Cybersecurity researchers at Group-IB report that the North Korean state-backed **APT Lazarus group**, is now deploying a new macOS trojan called “RustyAttr.” This malware, along with a new evasion technique, lets Lazarus carry out its operations while remaining undetected.

Since May 2024, the Lazarus Group has been employing a technique that hides malicious code within the extended attributes (EAs) of files on macOS systems, utilizing the RustyAttr trojan. Extended attributes are hidden data containers attached to files, enabling the storage of additional information beyond standard attributes such as size or creation date.

This method is particularly tricky because these attributes are invisible by default in applications like Finder or Terminal. However, using the .xattr command, attackers can easily access and exploit this hidden data.

In 2020, **Bundlore adware** used a similar technique to hide its payload in resource forks which stored structured data on older macOS systems, researchers noted in the **blog post** shared with Hackread.com.

The possible attack scenario involves a legitimate-looking malicious application, built using the Tauri framework. It displays **fake PDF files** related to job opportunities or cryptocurrency, a theme consistent with Lazarus. 

For your information, the Tauri framework is a web-based tool for creating lightweight desktop applications, enabling developers to use HTML, CSS, JavaScript, and Rust for front and backend, respectively, to execute malicious scripts.

The shell scripts reveal two types of decoys: one fetches a PDF file from a file hosting service, containing questions related to game project development and funding, and the other displays a dialogue stating that the app does not support the specified version, while a web request to the staging server processes in the background. The malicious script is hidden within a custom extended attribute named “test”. 

The application leverages a JavaScript file named “preload.js” to interact with the hidden script. This JavaScript code, using **Tauri’s functionalities**, retrieves the script from the extended attribute and executes it. 

Example of one of the malicious PDF files pushing a fake job advert (Via Group-IB)

“Interestingly, the next behaviour is as follows – if the attribute exists, no user interface will be shown whereas, if the attribute is absent, the fake webpage will be shown,” the researchers revealed.

The malicious components are hidden within the extended attributes, making them invisible to antivirus scanners. The applications were initially signed with a leaked certificate (revoked by Apple now) but remained unnotarized, bypassing another layer of possible detection.

While the researchers haven’t identified any confirmed victims yet, they believe Lazarus might be experimenting with this technique for future attacks. This discovery is important because it’s a completely new tactic, not yet documented in the MITRE ATT&CK framework, a standard reference for attack techniques.

The Lazarus group’s sophistication and continuous expansion of tactics show their efforts to evade detection and compromise systems. To stay safe, verify the source and legitimacy of files before downloading or executing them, and avoid downloading harmless content like PDFs without checking even if it appears legitimate.

Keep **macOS Gatekeeper** on as it prevents the execution of untrusted applications. Lastly, utilize advanced threat intelligence solutions to remain aware of emerging threats and develop effective protection strategies.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs

Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.

Source: IB Photography via Alamy Stock Photo

Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.

Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.

Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.

The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.

**Misconfigured Power Pages**

Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.

First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.

The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.

The most granular of Power Pages access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is "masking," where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.

The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, accessing the data on their sites is "very, very trivial," Costello says. "Once you understand \[what's going on\], it's just a matter of going to these URLs."

"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.

Some sites grant even anonymous users "global access" to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.

Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.

One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.

**An Industrywide Issue**

As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."

When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places, Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."

Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.

"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.

Dark Reading has reached out to Microsoft for comment on this story.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Power Pages Leak Millions of Private Records

Experts expect Donald Trump’s next administration to relax cybersecurity rules on businesses, abandon concerns around human rights, and take an aggressive stance against the cyber armies of US adversaries.

For American companies grousing about new cybersecurity rules, spyware firms eager to expand their global business, and hackers trying to break AI systems, Donald Trump’s second term as president will be a breath of fresh air.

For nearly four years, president Joe Biden’s administration has tried to make powerful US tech firms and infrastructure operators more responsible for the nation’s cybersecurity posture, as well as restrict the spread of spyware, apply guardrails to AI, and combat online misinformation. But when Trump takes office in January, he will almost certainly eliminate or significantly curtail those programs in favor of cyber strategies that benefit business interests, downplay human-rights concerns, and emphasize aggressive offense against the cyber armies of Russia, China, Iran, and North Korea.

“There will be a national security focus, with a strong emphasis on protecting critical infrastructure, government networks, and key industries from cyber threats,” says Brian Harrell, who served as the Cybersecurity and Infrastructure Security Agency’s assistant director for infrastructure security during Trump’s first term.

From projects whose days are numbered to areas where Trump will go further than Biden, here is what a second Trump administration will likely mean for US cybersecurity policy.

**Full Reversal**

The incoming Trump administration is likely to scrap Biden’s ambitious effort to impose cyber regulations on sectors of US infrastructure that currently lack meaningful digital-security safeguards. That effort has borne fruit with railroads, pipelines, and aviation but has hit hurdles in sectors like water and health care.

Despite mounting cyberattacks targeting vital systems—and despite this year’s Republican Party platform promising to “raise the security standards for our critical systems and networks”—conservatives are unlikely to support new regulatory mandates on infrastructure operators.

There will be “no more regulation without explicit congressional authorization,” says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.

Harrell says “more regulation will be dismantled than introduced.” Biden’s presidency was “riddled with new cyber regulation” that sometimes confused and overburdened industry, he adds. “The new White House will be looking to reduce regulatory burdens while streamlining smart compliance.”

This approach may not last, according to a US cyber official who requested anonymity to discuss politically sensitive issues. “I think they’ll eventually recognize that the efforts focused on regulation in cyber are needed to ensure the security of our critical infrastructure.”

“Regulation is the only tool that works,” Lewis says.

Some Biden cyber rules might be overturned in court, now that the Supreme Court has eliminated the deference that judges previously gave to agencies in disputes over their regulations. John Miller, senior vice president of policy at the Information Technology Industry Council, a major tech trade group, says it’s also possible that Trump officials “might not wait for the courts” to void those rules.

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, predicts that the Trump administration will emphasize cooperation and incentives in its efforts to protect vulnerable industries. He points to a House GOP plan for water cybersecurity standards as an example.

Trump’s election also likely spells doom for CISA’s work to counter mis- and disinformation, especially around elections. After Trump lost the 2020 election, he fired CISA’s first director for debunking right-wing election conspiracy theories, and the conservative backlash to anti-misinformation work has only grown since then.

In 2022, Trump outlined a “free speech policy initiative” to “break up the entire toxic censorship industry that has arisen under the false guise of tackling so-called ‘mis-’ and ‘dis-information.’” Elon Musk, the billionaire owner of Tesla, SpaceX, and X whom Trump has tapped to colead a “government efficiency” initiative, enthusiastically shared the plan last week.

CISA has already dramatically scaled back its efforts to combat online falsehoods following a right-wing pressure campaign, but Trump appointees are almost certain to smother what remains of that mission. “Disinformation efforts will be eliminated,” Montgomery predicts.

Harrell agrees that Trump would “refocus” CISA on core cyber initiatives, saying the agency’s “priorities have mistakenly bordered on social issues lately.”

Also likely on the chopping block: elements of Biden’s artificial intelligence safety agenda that focus on AI’s social harms, like bias and discrimination, as well as Biden’s requirement for large AI developers to report to the government about their model training.

“I expect the repeal of Biden’s executive order on AI, specifically because of its references to AI regulation,” says Nick Reese, a director of emerging technology policy at the Department of Homeland Security under Trump and Biden. “We should expect a change in direction toward less regulation, which would mean less compulsory AI safety measures.”

Trump is also unlikely to continue the Biden administration’s campaign to limit the proliferation of commercial spyware technologies, which authoritarian governments have used to harass journalists, civil-rights protesters, and opposition politicians. Trump and his allies maintain close political and financial ties with two of the most prolific users of commercial spyware tools, Saudi Arabia and the United Arab Emirates, and he showed little concern about those governments’ human-rights abuses in his first term.

“There’s a high probability that we see big rollbacks on spyware policy,” says Steven Feldstein, a senior fellow in the Carnegie Endowment for International Peace’s Democracy, Conflict, and Governance Program. Trump officials are likely to care more about spyware makers’ counterterrorism arguments than about digital-rights advocates’ criticisms of those tools.

Spyware companies “will undoubtedly receive a more favorable audience under Trump,” Feldstein says—especially market leader NSO Group, which is closely affiliated with the Trump-aligned Israeli government.

**Dubious Prospects**

Other Biden cyber initiatives are also in jeopardy, even if their fates are not as clear.

Biden’s National Cybersecurity Strategy emphasized the need for greater corporate responsibility, arguing that well-resourced tech firms must do more to prevent hackers from abusing their products in devastating cyberattacks. Over the past few years, CISA launched a messaging campaign to encourage companies to make their products “secure by design,” the Justice Department created a Civil Cyber-Fraud Initiative to prosecute contractors that mislead the government about their security practices, and White House officials began considering proposals to make software vendors liable for damaging vulnerabilities.

That corporate-accountability push is unlikely to receive strong support from the incoming Trump administration, which is almost certain to be stocked with former business leaders hostile to government pressure.

Henry Young, senior director of policy at the software trade group BSA, predicts that the secure-by-design campaign will “evolve to more realistically balance the responsibilities of governments, businesses, and customers, and hopefully eschew finger pointing in favor of collaborative efforts to continue to improve security and resilience.”

A Democratic administration might have used the secure-by-design push as a springboard to new corporate regulations. Under Trump, secure-by-design will remain at most a rhetorical slogan. “Turning it into something more tangible will be the challenge,” the US cyber official says.

**Chipping Away at the Edges**

One landmark cyber program can’t easily be scrapped under a second Trump administration but could still be dramatically transformed.

In 2022, Congress passed a law requiring CISA to create cyber incident reporting regulations for critical infrastructure operators. CISA released the text of the proposed regulations in April, sparking an immediate backlash from industry groups that said it went too far. Corporate America warned that CISA was asking too many companies for too much information about too many incidents.

Trump’s election could throw a wrench in CISA’s ambitious incident-reporting plans. New appointees at the White House, DHS, and CISA itself could force agency staff to rewrite the rules to be more industry-friendly, exempting entire swaths of critical infrastructure or eliminating requirements for companies to report certain data. Trump’s team has months to revise the final rule before its required publication in late 2025.

BSA’s Young expects Trump’s team to scale back the regulations, which he says “take a very broad view of the authority CISA believes Congress granted it.”

The current rule is “particularly vulnerable to a court challenge” because it exceeds Congress’s intent, ITI’s Miller warns, and Trump’s team “may direct CISA to scale it back” if the agency doesn’t “proceed cautiously” on its own.

**New Urgency**

One area where Trump might pick up the baton from the Biden administration is the government’s use of military hacking operations and its response to foreign adversaries’ cyberattacks.

Under Biden, the military’s US Cyber Command has scaled up its overseas hacker-hunting engagements with allies. But Republicans have pressed Biden to respond more muscularly to Chinese, Russian, and Iranian hacks, and Trump is likely to embrace that approach—particularly after picking representative Mike Waltz, an advocate for cyberattacks on Russia, North Korea, and Mexican cartels, as his national security adviser.

“A much more aggressive stance will be taken against China, which is sorely needed,” Harrell says, predicting that Chinese hackers penetrating US critical infrastructure “will be held to account.”

Montgomery agrees that Trump may “adopt a more aggressive approach” to national cyber defense, including giving the National Guard “a more significant role” in protecting domestic infrastructure.

Montgomery also says he expects more frequent and more muscular offensive operations by Cyber Command, which Trump elevated to a full combatant command during his first term. He predicts the Trump administration will “look more favorably” on creating a separate military cyber service, which the Biden administration opposed, and “take a more skeptical view” of the joint leadership of Cyber Command and the National Security Agency, which the Biden administration supported.

Trump could also harness other tools to constrain China, including authorities he created during his first term to block the use of risky technology in the US. “The Trump administration will look at the full set of policy levers when deciding how to push back on China in cyberspace,” says Kevin Allison, a consultant on geopolitics and technology.

Tag

#intel