As Superman has kryptonite, software has weaknesses — with misconfigurations leading the pack.

Mark Troester, Vice President of Strategy, Progress

September 27, 2024

4 Min Read

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

The convergence of rising cyber threats, advanced artificial intelligence (AI), remote work, and hybrid infrastructures presents significant cybersecurity challenges in today's IT landscape. As a result, it's necessary to make your endpoints, cloud infrastructure, and remote access channels more secure. As cyber adversaries adopt new tactics, organizations worldwide respond by expanding the use of continuous threat exposure management (CTEM) systems, investing in robust security solutions, and leveraging cross-functional collaboration to mitigate risks and safeguard digital assets effectively.

But like Superman has kryptonite, even the best software has weaknesses, with misconfigurations leading the pack.

Consider this: Microsoft research indicates that a staggering 80% of ransomware attacks can be attributed to common configuration errors in software and devices. 

Misconfigurations now hold an unenviable fifth place on the Open Worldwide Application Security Project Top 10 — a crucial vulnerability reference for the cybersecurity community. OWASP found 208,000 occurrences of common weakness enumeration (CWE) within 90% of applications tested for misconfiguration, highlighting the widespread nature of this vulnerability.

OWASP says, "Without a concerted, repeatable application security configuration process, systems are at a higher risk."

With this evidence, it's no wonder that organizations are paying more attention to "misconfigurations."

**Picture This ... **

You're sitting down with your morning cuppa and stories of a data leak hit the headlines. The company affected is a leading insurance firm, and the personal information of thousands of customers has been made available on the Internet for months. With a little research, you learn that the firm left several customer records unprotected on one of its clouds, making it easy for anyone to access this information through a simple SQL command. While digging through the tabloids you stumble upon the cause of such a tremendously ironic turn of events. Turns out, it was a simple misconfiguration error: The system administrator left the cloud open to the public since they missed updating the privacy settings and permissions for the cloud storage in question.

We learn that human errors, despite stringent protocols, are difficult to control and, consequentially, remove. The increasing complexity of distributed and component-based systems and common misunderstandings of system requirements and design will likely lead to more problems. While humans play a critical role in decision-making and monitoring systems, manual updates are no longer viable.

**So, What Can You Do About It?**

With all that's happening in cybersecurity, can you confidently say you have all your endpoints covered? And by all, I mean all — including the data on third-party systems. If your answer to this is yes, congratulations! You're doing better than most organizations in the world! But if your answer is no, I would like you to consider the following measures to improve the security of your systems: 

1.  Employ automation that extends DevOps from application delivery to IT operations to DevSecOps. Automation is the remedy that will help organizations avoid manual errors. It will allow employees to use their precious time for more important tasks while confirming that initial and ongoing configurations are error-free. By automating audits on configurations, you can create a repeatable system hardening process that will potentially save you a lot of time and money in the future. Automation will enable you to reduce human error, improve reliability, maintain consistency, and support collaboration across teams. It will also give all stakeholders visibility over the security posture of your IT estate.
    
2.  Use a policy-as-code approach to help frame your security and compliance policies or rules. Organizations can configure systems by encoding security rules in human-readable and machine-enforceable policies and continuously checking for and remediating drift. In fact, policy-as-code brings both configuration and compliance management into a single step. This removes the security silo and brings all stakeholders into a shared pipeline and framework, enabling collaboration among team members and allowing for security to be shifted left in the development process. The policy-as-code approach can help detect misconfigurations, increase efficiency and speed, and reduce the risk of production errors.
    

While there is a technical aspect to DevSecOps, there is also a human aspect that involves collaboration and planning. A multiprong approach that starts with collaboration across IT operations and security and compliance teams, while discussing the appropriate external and internal compliance requirements, is a critical starting point.

After understanding the configuration and policies, you can start with pre-packaged policies that align with standards such as the Center for Internet Security (CIS) Benchmarks and the Department of Defense Systems Agency-Security Technical Implementation Guides (DISA-STIG). Consider using an automated system to verify if your configurations are continuously accurate. This, in turn, will allow your organization to address complex and heterogeneous environments, including cloud-native public cloud services, Kubernetes configurations, and any on-premises or hybrid cloud workload.

**About the Author**

Vice President of Strategy, Progress

Mark Troester is the vice president of strategy at Progress. He helped guide the strategic go-to-market efforts for Progress before transitioning into a leadership role for the Progress Infrastructure Management division, which includes DevOps/DevSecOps, network management, network detection and response, and application delivery control offerings. Previously, he worked with both upstarts and stalwarts like Sonatype, SAS, and Progress DataDirect. Before these positions, Mark worked as a developer and developer manager for startups and enterprises alike. Mark has extensive speaking experience on topics at the intersection of business and technology, including industry events hosted by Gartner, Forrester, TDWI, and more.

Could Security Misconfigurations Become No. 1 in OWASP Top 10?

As security technology and threat awareness among organizations improves so do the adversaries who are adopting and relying on new techniques to maximize speed and impact while evading detection.
Ransomware and malware continue to be the method of choice by big game hunting (BGH) cyber criminals, and the increased use of hands-on or “interactive intrusion” techniques is especially alarming.

How to Plan and Prepare for Penetration Testing

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.
The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.

The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, Microsoft said.

"Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations," according to the tech giant's threat intelligence team.

Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.

A notable aspect of Storm-0501's attacks is the use of weak credentials and over-privileged accounts to move from organizations on-premises to cloud infrastructure.

Other initial access methods include using a foothold already established by access brokers like Storm-0249 and Storm-0900, or exploiting various known remote code execution vulnerabilities in unpatched internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.

The access afforded by any of the aforementioned approaches paves the way for extensive discovery operations to determine high-value assets, gather domain information, and perform Active Directory reconnaissance. This is followed by the deployment of remote monitoring and management tools (RMMs) like AnyDesk to maintain persistence.

"The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods," Microsoft said.

"The threat actor primarily utilized Impacket's SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials."

The compromised credentials are then used to access even more devices and extract additional credentials, with the threat actor simultaneously accessing sensitive files to extract KeePass secrets and conducting brute-force attacks to obtain credentials for specific accounts.

Microsoft said it detected Storm-0501 employing Cobalt Strike to move laterally across the network using the compromised credentials and send follow-on commands. Data exfiltration from the on-premises environment is accomplished by using Rclone to transfer the data to the MegaSync public cloud storage service.

The threat actor has also been observed creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises, making it the latest threat actor to target hybrid cloud setups after Octo Tempest and Manatee Tempest.

"The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor," Redmond said.

The pivot to the cloud is said to be accomplished either through a compromised Microsoft Entra Connect Sync user account or via cloud session hijacking of an on-premises user account that has a respective admin account in the cloud with multi-factor authentication (MFA) disabled.

The attack culminates with the deployment of Embargo ransomware across the victim organization upon obtaining sufficient control over the network, exfiltrating files of interest, and lateral movement to the cloud. Embargo is a Rust-based ransomware first discovered in May 2024.

"Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom," Microsoft said.

"Embargo affiliates employ double extortion tactics, where they first encrypt a victim's files and threaten to leak stolen sensitive data unless a ransom is paid."

The disclosure comes as the DragonForce ransomware group has been targeting companies in manufacturing, real estate, and transportation sectors using a variant of the leaked LockBit3.0 builder and a modified version of Conti.

The attacks are characterized by the use of the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike for lateral movement. The U.S. accounts for more than 50% of the total victims, followed by the U.K. and Australia.

"The group employs double extortion tactics, encrypting data, and threatening leaks unless a ransom is paid," Singapore-headquartered Group-IB said. "The affiliate program, launched on 26 June 2024, offers 80% of the ransom to affiliates, along with tools for attack management and automation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.
The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF

Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.

The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF attachments or macro-laced Microsoft Excel documents.

"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde said in an analysis published Thursday. "The payload can be embedded within the HTML itself or retrieved from a remote resource."

The HTML file, in turn, can be propagated via bogus sites or malspam campaigns. Once the file is launched via the victim's web browser, the concealed payload is decoded and downloaded onto the machine.

The attack subsequently banks on some level of social engineering to convince the victim to open the malicious payload.

Netskope said it discovered HTML pages mimicking TrueConf and VK in the Russian language that when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to evade detection. The ZIP payload contains a nested RarSFX archive that ultimately leads to the deployment of the DCRat malware.

First released in 2018, DCRat is capable of functioning as a full-fledged backdoor that can be paired with additional plugins to extend its functionality. It can execute shell commands, log keystrokes, and exfiltrate files and credentials, among others.

Organizations are recommended to review HTTP and HTTPS traffic to ensure that systems are not communicating with malicious domains.

The development comes as Russian companies have been targeted by a threat cluster dubbed Stone Wolf to infect them with Meduza Stealer by sending phishing emails masquerading as a legitimate provider of industrial automation solutions.

"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE said. By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."

It also follows the emergence of malicious campaigns that have likely leveraged generative artificial intelligence (GenAI) to write VBScript and JavaScript code responsible for spreading AsyncRAT via HTML smuggling.

"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security said. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users

The U.S. government on Thursday sanctioned two cryptocurrency exchanges and unsealed an indictment against a Russian national for his alleged involvement in the operation of several money laundering services that were offered to cybercriminals.
The virtual currency exchanges, Cryptex and PM2BTC, have been alleged to facilitate the laundering of cryptocurrencies possibly obtained through

The U.S. government on Thursday sanctioned two cryptocurrency exchanges and unsealed an indictment against a Russian national for his alleged involvement in the operation of several money laundering services that were offered to cybercriminals.

The virtual currency exchanges, Cryptex and PM2BTC, have been alleged to facilitate the laundering of cryptocurrencies possibly obtained through cybercrime.

The coordinated action was carried out in collaboration with the Netherlands Police and the Dutch Fiscal Intelligence and Investigation Service (FIOD) as part of an ongoing law enforcement crackdown called Operation Endgame.

Pursuant to the exercise, the websites associated with both the exchanges have been confiscated and replaced with a law enforcement seizure banner. Furthermore, it has led to the seizure of cryptocurrency worth €7 million ($7.8 million).

"The United States and our international partners remain resolute in our commitment to prevent cybercrime facilitators like PM2BTC and Cryptex from operating with impunity," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.

"Treasury, in close coordination with our allies and partners, will continue to use all tools and authorities to disrupt the networks that seek to leverage the virtual assets ecosystem to facilitate their illicit activities."

PM2BTC ("btc2pm\[.\]me"), the Treasury said, facilitated the laundering of convertible virtual currency (CVC) associated with ransomware and other illicit actors operating in Russia. It has been operational since 2014.

It's also said to have provided direct CVC-to-ruble exchange services, while failing to implement effective anti-money laundering (AML) and Know Your Customer (KYC) programs as required by U.S. federal law.

"PM2BTC facilitates a substantially greater proportion of transactions with apparent links to money laundering activity in connection with Russian illicit finance as compared to 99 percent of other virtual asset service providers," it said. "PM2BTC employs an unusual obfuscation that inhibits attribution of transactions to illicit activity and actors."

Cryptex ("Cryptex\[.\]net"), in a similar vein, has been accused of advertising virtual currency services directly to cybercriminals, receiving over $51.2 million in illicit proceeds derived from ransomware attacks. It further claimed "complete anonymity" when registering for an account.

It is also estimated to have received no less than $720 million in transactions linked to illegal services used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and the now-sanctioned virtual currency exchange Garantex.

A 44-year-old Russian national, Sergey Sergeevich Ivanov (aka UAPS or TALEON), has been charged for his role as a professional cyber money launderer for nearly two decades, and for providing his services, counting Cryptex and PM2BTC, to other e-crime groups and drug traffickers.

Ivanov's other charges include payment processing support to the carding website Rescator and laundering the illegal funds originating from Joker's Stash, another popular carding forum that voluntarily shut down its operations in February 2021.

Two such payment processing services are PinPays and UAPS ("uaps\[.\]so"), which stands for Universal Anonymous Payment System and has facilitated payments for several fraud shops like Genesis Market, BriansClub/Brian Dumps, and Faceless, per Chainalysis.

"UAPS and Cryptex have processed over $7.5 billion worth of transactions since their inception in 2013 and 2018, respectively," the blockchain analytics company noted.

Elliptic, another blockchain intelligence firm, said it's aware of "thousands of additional addresses" connected to Cryptex, PM2BTC, PinPays, and Joker's Stash, outside of the four cryptoasset addresses listed by the Treasury as tied to Cryptex.

A second Russian national, Timur Shakhmametov, 38, has also been charged with operating Joker's Stash and laundering its proceeds. The carding marketplace, which offered for sale data from nearly 40 million payment cards annually. It's believed that the service netted the threat actors anywhere between $280 million to more than $1 billion in profits.

Concurrent with the actions, the U.S. Department of State has announced rewards of up to $10 million each for information leading to the arrests and/or convictions of Timur Shakhmametov and Sergey Ivanov.

An additional $1 million is also up for grabs for providing information leading to the identification of other key members linked to UAPS, PM2BTC, PinPays, and Joker's Stash.

"One of the most critical tactics in disrupting illicit actors is to disrupt the infrastructure they abuse to facilitate money laundering and other transnational cybercrime," Chainalysis said.

"Today's actions represent \[Office of Foreign Assets Control's\] continued efforts to work with key international partners to make the internet a safer place by shutting down fraudulent services and the infrastructure that hosts them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Sanctions Two Crypto Exchanges for Facilitating Cybercrime and Money Laundering

PRESS RELEASE

DOWNERS GROVE, Ill., Sept. 24, 2024 – Cybersecurity is the top technology priority for the vast majority of organizations, but moving from aspiration to reality requires a top-to-bottom commitment that many companies have yet to make, according to new research released today by CompTIA, the nonprofit association for the technology industry and workforce.

CompTIA’s “State of Cybersecurity 2025” report reveals that cybersecurity is a primary or secondary priority for 98% of organizations. Yet only 25% of survey respondents feel that the overall direction of cybersecurity is improving dramatically, and only 22% characterize their organization’s cybersecurity efforts as completely satisfactory. Nearly 1,200 business and IT professionals across seven global regions were surveyed.

“Something is missing, either in the approach organizations are taking or in their expectations around what ideal cybersecurity would look like,” said Seth Robinson, vice president, industry research, CompTIA.

Cybersecurity’s unique status as a business imperative at all organizational levels – staff, management, executives and governing bodies – may be the reason of the disconnect.

“Gone are the days when achieving cybersecurity improvement was a simple matter of purchasing updated technology,” Robinson explained. “Businesses must have ongoing discussions around their cybersecurity technology stack, processes that ensure protection of assets and an organizational structure that provides cutting-edge expertise.”

Cybersecurity expertise needed

The report identifies a growing need to build multiple layers of cybersecurity expertise. Among North American companies, 53% are considering new hiring as an option. An even greater percentage (56%) plan to pursue training for their current cybersecurity workforce, and 42% plan to offer cybersecurity certifications as a way of establishing core concepts within the team and extending skillsets into emerging focus areas.

Hiring and training require a financial commitment, though, and that remains a challenge for some. While a significant majority of respondents state that cybersecurity is a high priority at their firm, only 49% feel that it is relatively easy to procure funds for cybersecurity activities or that budgets are increasing.

“Developing skills is the most significant action companies may take in improving efficiency, but there are other options as well,” Robinson noted. “Increasing visibility and awareness among senior executives, establishing organizational imperatives and metrics and building policies that drive employee behavior will create a culture of cybersecurity.”

AI and cybersecurity

Artificial intelligence (AI) has the potential to accelerate, automate and complicate cybersecurity efforts. North American companies are evenly split between an emphasis on using AI internally to improve their defense and on learning about new forms of AI-enabled attacks. Current AI-enabled use cases include monitoring network traffic, generating defense tests and predicting future breaches.

CompTIA’s “State of Cybersecurity 2025” report is available at https://www.comptia.org/content/research/cybersecurity-trends-research.

About CompTIA 

The Computing Technology Industry Association (CompTIA) is the world’s leading information technology (IT) certification and training body. CompTIA is a mission-driven organization committed to unlocking the potential of every student, career changer or professional seeking to begin or advance in a technology career. Millions of current and aspiring technology workers around the world rely on CompTIA for the training, education and professional certifications that give them the confidence and skills to work in tech. https://www.comptia.org/

Cybersecurity Success Hinges on Full Organizational Support, New CompTIA Report Asserts

PRESS RELEASE

JASPER, Ind., Sept. 23, 2024 /PRNewswire-PRWeb/ -- As National Cybersecurity Awareness Month approaches this October, PIER Group is drawing attention to the unique cybersecurity challenges faced by research-focused universities and institutions nationwide. With the rise of cloud computing and data sharing, safeguarding the sensitive research data, intellectual property, and high-value projects emerging from these academic hubs is more critical than ever. PIER Group, a leader in providing IT solutions and cybersecurity services to R1 and R2 universities, is at the forefront of helping these institutions navigate this complex cybersecurity landscape.

"R1 and R2 universities are some of the most targeted institutions by cybercriminals due to the immense value of the research they conduct and their large attack surface. Their networks handle hundreds of thousands of devices and connect to other universities all over the world," said Chad Williams, president of PIER Group. "At PIER Group, we see it as our responsibility to ensure that these institutions not only stay at the forefront of global research, but do so securely. We're building the infrastructures that allow them to innovate without fear of compromise."

During National Cybersecurity Awareness Month, universities have the opportunity to assess their cybersecurity strategies and adopt solutions that will protect their campuses, students, and research for years to come. Williams and his colleagues at PIER Group have identified five strategies that top universities should be implementing now or planning for:

1\. Adopt AI for Cybersecurity. For managing networks at the scale of major research universities, with thousands of devices connected to campus networks, AI is essential for detecting threats and responding quickly. AI-driven tools can analyze vast amounts of data to detect anomalies and provide automated threat responses.   
● What Universities Should Do: Adopt AI-enhanced cybersecurity tools that provide proactive monitoring and fast response to cyber threats.

2\. Implement Network Access Control (NAC) Systems. Modern access control solutions, often enhanced with AI, make it much easier for university staff to segment the university population so only authorized users can access sensitive information, applications and data.   
● What Universities Should Do: Implement sophisticated NAC systems that use AI for smarter, more effective user management.

3\. Combat Social Media Attacks. Cyber criminals are using social media apps like LinkedIn and Instagram to launch attacks on individuals, with an overarching goal of breaching a university network.   
● What Universities Should Do: Universities should always follow the 3-2-1-1 rule - three copies of data at two different locations, one offsite and one immutable. They should also educate campus communities on social media risks and employ cybersecurity solutions that monitor and mitigate these threats.

4\. Leave Legacy Equipment Behind. Most universities have older equipment, but even equipment that is just a few years old can leave universities vulnerable to cyberattacks. Transitioning networks and storage to the cloud is proving to be the most economical and flexible solution, adding greater security while allowing universities to quickly scale up or down.   
● What Universities Should Do: Focus on phasing out older equipment as soon as possible and migrate those computing needs to the cloud.

5\. Collaborate Securely with the Broader Research Ecosystem. Universities' openness for collaboration complicates security. Real-time partnerships with research centers and external partners demand secure data-sharing, supported by networks like The Quilt. Strong security measures are crucial to protect sensitive research and intellectual property. Secure collaboration fuels innovation in medicine and technology while safeguarding valuable data.   
● What Universities Should Do: Universities should ensure their networks are built to handle secure, high-speed collaboration with both internal and external research partners. PIER Group's support and partnership with R1 and R2 research organizations help facilitate university-wide collaboration, enabling discussions on the best procedures and solutions to secure student, institutional, and research data necessary for innovation.

As cyber threats become more sophisticated, universities must implement strategies to protect their students, staff, and the integrity of their research. By doing so, they contribute to a safer global research ecosystem. For more information on how R1 and R2 universities can achieve technology leadership, visit http://www.piergroup.com.

About PIER Group   
PIER Group is a leading IT and cybersecurity solutions provider with decades of experience specializing in research universities and large academic institutions. They excel in securing and optimizing campus and research networks, demonstrated by their work with top national R1 and R2 universities from coast to coast including Indiana University, University of South Carolina and the University of Maryland. PIER Group's expertise includes implementing robust security measures, such as Aruba ClearPass, to protect sensitive data and support national research networks like The Quilt. Their commitment helps universities navigate complex cybersecurity challenges and makes high-speed, high-stakes collaborations possible. For more information, visit piergroup.com.

5 Cyber Strategies Research Universities Can Adopt to Lead in Global Research

The AI Incident Reporting and Security Enhancement Act would allow NIST to create a process for reporting and tracking vulnerabilities found in AI systems.

Source: zemkooo via Alamy Stock Photo

A House committee advanced a bill that would allow the National Institute of Standards and Technology (NIST) to create a formal process for reporting security vulnerabilities in artificial intelligence (AI) systems. As is the case for many security projects, funding concerns could stymie the initiative.

The AI Incident Reporting and Security Enhancement Act was approved by voice vote by the House Science, Space and Technology committee on Wednesday. The bill was introduced by a bipartisan trio of representatives from North Carolina, California, and Virginia. If approved by the full Congress and signed into law, it would give NIST the mandate to incorporate AI systems in the National Vulnerability Database (NVD).

NVD is the federal government's centralized repository for tracking security vulnerabilities in software and hardware. In its current form, the bill would add to the workload of the already-beleaguered NIST teams managing the NVD. NIST earlier this year paused updating data on reported vulnerabilities, in a move program manager Tanya Brewer said was the result of budget cuts, flat staff growth, and an increase in database-related email traffic.

The bill specifies that the increased workload for NIST would be "subject to the availability of funding," but Rep. Deborah Ross (D-NC), a sponsor of the bill, said that they were aware of "significant funding and scaling challenges" NIST already experienced maintaining the database.

"My colleagues and I on this committee are actively exploring solutions to help NIST address this problem and get the money," she said.

Even though the bill was approved in committee, some committee members expressed concern about some of the language used in the bill. There were concerns that terms such as "substantial artificial intelligence security incident" and "intelligence incident" would need to be clarified to make it more likely that the bill would pass. This kind of specificity is also a bigger concern in Congress in the wake of the Supreme Court overturning the Chevron doctrine.

The bill would also require NIST to consult with other federal agencies, like the Cybersecurity and Infrastructure Security Agency, private-sector organizations, standards organizations, and civil society groups, to develop a common lexicon for reporting AI cybersecurity incidents.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Congress Advances Bill to Add AI to National Vulnerability Database

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process.

Thursday, September 26, 2024 14:00

The recent attacks in the Middle East triggering explosions on pagers has raised new fears around physical hardware supply chain attacks. 

In cybersecurity, we typically consider supply chain attacks to target software, in which adversaries infect a legitimate tool with a malicious, fake update that then spreads malware to affected devices. Think SolarWinds, Log4j, MOVEit, etc. 

In the case of hardware supply chain attacks, malicious actors infiltrate the supply of devices, or the physical manufacturing process of pieces of hardware and purposefully build in security flaws, faulty parts, or backdoors they know they can take advantage of in the future, such as malicious microchips on a circuit board.  

For Cisco’s part, the Cisco Trustworthy technologies program, including secure boot, Cisco Trust Anchor module (TAm), and runtime defenses give customers the confidence that the product is genuinely from Cisco. 

As I was thinking about the threat of hardware supply chain attacks, I was left wondering who, exactly, should be tasked with solving this problem. And I think I’ve decided the onus falls on several different sectors. 

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process. Entering a manufacturing facility or other stops along the logistics chain would require some level of network-level manipulation, such as faking a card reader or finding a way to trick physical defenses — that’s why Cisco Talos Incident Response looks for these types of things in Purple Team exercises.  

But it’s also a question of logistics and storage. Could a device be tampered with while it’s just being stored in a warehouse awaiting shipment? What about entering the back of a tractor-trailer that’s hauling the devices? Or even just being able to sneak photos of the devices’ information, say, for example, the EID on a cellphone or its SIM card.  

The process to protect against supply chain hardware attacks is not straightforward, unfortunately. There is little synchronization and partnership between logistics, cybersecurity, and manufacturing companies.  

There are also new technologies that can protect against physical tampering, like smart containers, real-time monitoring systems and automated security checkpoints, but these are all expensive solutions for security teams (at the physical and network levels) that are already stretched for budget and human capital.  

The cybersecurity industry certainly has a role to play in addressing supply chain attacks of all kinds, but it’s also not something this community alone can solve.  

**The one big thing **

Attackers are abusing features of legitimate internet websites to transmit spam. This web infrastructure and its associated email infrastructure are otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders, according to new research from Talos.  

**Why do I care? **

As a spammer, one of the problems with spinning up your own architecture to deliver mail is that once the spam starts flowing, these sources (IPs/domains) can be blocked. Realizing this, many spammers have elected to attack webpages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited emails. Adversaries are still finding new ways to leverage preexisting tools and structures in email systems to send spam and malicious attachments that defenders wouldn’t normally consider.  

**So now what? **

There are several steps users can take to avoid receiving large amounts of spam or being duped by bad actors using “traditional” email tools. A strong password for your email account, or even better, a password manager, can keep your email account secure. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim. For admins and defenders, educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email. 

**Top security headlines of the week **

**Representatives from cybersecurity company CrowdStrike spoke to U.S. Congress this week about a faulty update that shut down Windows machines across the country earlier this year.** The incident caused disruptions across multiple industries, including commercial flights, public transportation, retail and more. Lawmakers questioned whether the affected software should have access to core systems on computers, and the threat that AI-written code could present in the future. Executives from CrowdStrike took responsibility for the outage. They said the company was doing everything possible to prevent a similar incident from happening again and executing a broad “lessons learned” process. The incident forced over 8 million Microsoft Windows machines into the dreaded “Blue Screen of Death.” For the first 24 hours of the incident, rebooting the systems only worked if the user carried out a specific process that was complicated and needed to be explained by an expert. Eventually, an automatic update rolled out and fixed the issue. (Washington Post, BBC) 

**Security researchers have discovered a new Iranian state-sponsored actor that is providing initial access for other well-known APTs in the same country.** UNC1860 is believed to have ties to Iran’s Ministry of Intelligence and Security (MOIS) and provides access to other Iranian threat actors like OilRig and Scarred Manticore. The group’s focus is reportedly solely focused on breaching networks and obtaining an initial foothold, targeting a range of sectors including government, media, education, critical infrastructure and telecommunications. Researchers say UNC1860 has teamed up for attacks targeting organizations in Iraq, Saudi Arabia and Qatar, and laid the groundwork for wiper attacks in Albania and Israel. The group’s activities had gone largely undetected thus far because their implants are entirely passive, and don’t send any information out of the target network. The APT also doesn’t rely on any kind of command and control (C2) infrastructure. (Dark Reading, SecurityWeek) 

**Popular AI chat tool ChatGPT contains a flaw that could allow adversaries to implant false “memories” and steal user data in perpetuity.** A security researcher discovered a proof of concept in which they could store false information and malicious instructions in a user’s long-term memory settings through indirect prompt injection. The researcher first reported the vulnerability to OpenAI, the creator of ChatGPT, in May, but at the time the issue was labeled as a safety issue and not a security issue, closing out the case. After developing the POC, the company eventually released a partial fix earlier this month that prevents memories from being abused as an exfiltration vector. However, an adversary could still implant long-term information into ChatGPT through prompt injections targeting the memory tool, just not through the traditional ChatGPT web interface that most users access the tool through. (Ars Technica, wunderwuzzi's blog) 

**Can’t get enough Talos? ****Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971   
**MD5:** 4c5fdfd4868ac91db8be52a9955649af   
**Typical Filename:** N/A   
**Claimed Product:** N/A   
**Detection Name:** W32.581866EB9D-100.SBX.TG

Are hardware supply chain attacks “cyber attacks?”

ABB Cylon Aspect version 3.07.01 BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet.

    ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdminVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.07.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller is operating with default and hard-codedcredentials contained in install package while exposed to the Internet.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)           phpMyAdmin 2.11.9Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceReported by DIVDAdvisory ID: ZSL-2024-5830Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.phpCVE ID: CVE-2024-4007CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-400721.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ cat max/var/www/html/phpMyAdmin/config.inc.php | grep control$cfg['Servers'][$i]['controluser'] = 'root';$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';

Tag

#intel