The threat of ransomware hasn't gone away. But law enforcement has struck a blow by adjusting its tactics and taking out some of the biggest adversaries in the ransomware scene.

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

The year to date has been particularly eventful across the ransomware landscape, with prolific ransomware groups, including LockBit, seeing their operations seized and dismantled. The strategies used to take down these groups were meticulously planned and executed, successfully undermining the most accomplished cybercriminal experts.

The fight against ransomware has for years felt like an uphill battle. Each takedown faces the inevitable criticism that these actions are temporary, resulting in groups reforming and coming back.

However, the past year has seen some of history's biggest takedowns, with international collaborative efforts from law enforcement employing new tactics. Are we seeing the balance of power beginning to shift?

**The Development of Law Enforcement's Strategy**

Law enforcement agencies have had to change their approach to remain successful in an environment where cybercriminal gangs adapt and develop constantly. Although previous takedowns have shown initial success in disrupting gangs on a technical level, law enforcement agencies have recognized the need to go further and think outside of the box.

Adding a twist, ransomware takedown teams are focusing on publicly damaging groups' credibility, acknowledging the fact that reputation and trust are (somewhat counterintuitively) valued commodities on the Dark Web.

Law enforcement's new approach was rolled out with Operation Cronos, the disruption campaign against one of the most prolific ransomware gangs, LockBit.

With a force of 10 countries' law enforcement agencies, the highlights of the takedown included 34 servers being seized, 200 cryptocurrency accounts being frozen, and two arrests taking place, and it didn't stop there.

The National Crime Agency (NCA) deployed psyops methods, using LockBits' own site, which it had hijacked, to publish images of LockBit's administration system and leak internal conversations, while publishing the usernames and login details of 194 LockBit "affiliate" members. Then, the unmasking of "LockBitSupp" — the gang's leader — was teased with a countdown timer on the LockBit website, eventually naming him as Dmitry Khoroshev. Law enforcement also implied that he had collaborated with them by leaking the affiliate's details, creating more doubt among Dark Web associates. 

When logging in to their systems, LockBit members were greeted with personalized messages stating that the authorities had details regarding their IP addresses, cryptocurrency wallet details, internal chats, and their personal identity.

Law enforcement's strategy undermined LockBit's reputation and emphasized its fragility. Hijacking the website exposed infrastructure weaknesses, unmasking LockBit's leader proved he had weak operations security, and leaking the affiliates demonstrated the risks of associating with LockBit. These methods dethroned LockBit's reputation further. Although the group is still active, recent data shows that the average number of monthly LockBit attacks in the UK has reduced by 73% since February.

**The Snowball Effect in the Dark Web Community**

The LockBit takedown has caused a ripple effect and garnered a lot of attention across the ransomware landscape, eliciting the message that if LockBit can be taken down, anyone could be next. Targeting the biggest ransomware group was law enforcement's message that no group is beyond its reach.

Two weeks later, BlackCat, the second biggest ransomware group, claimed to have been disrupted by law enforcement, even uploading a fake seizure banner. However, law enforcement quickly denied its involvement. In fact, the group appears to have closed itself down after stealing a large sum of money from its affiliate, following a ransomware attack on Change Healthcare. The timing of BlackCat's retirement suggests a potential reaction to the LockBit takedown, showing a newfound sense of fear on the Dark Web.

**What Comes Next?**

Disrupting some of the world's most dangerous and prolific ransomware groups such as LockBit and BlackCat, which have dominated the ransomware landscape in recent years, is a huge achievement. 

Of course, these successes have not immediately led to the collapse of the ransomware underground. In fact, our statistics show that there were 73 ransomware groups in operation in the first half 2024 compared with the same period for 2023, representing a 56% increase in the number of ransomware groups. 

However, although there are more groups, we have seen a 16% decrease in victims listed between the second half of 2023 and the first half of 2024, which suggests that taking on the big groups with new tactics has had a measurable impact. It appears that what we are actually observing is a diversification — rather than growth — in the ransomware landscape.

A recent Europol report also highlighted a fragmentation of the ransomware landscape. While the threat is no longer coming primarily from a group of three to four dominant ransomware-as-a-service (RaaS) groups, the affiliates who led a mass exodus have started their own operations, developing their own ransomware tooling and lessening their reliance on the big players. 

This creates its own challenges for security professionals. A more diverse ransomware ecosystem means a more diverse landscape for cybersecurity teams to navigate. As things move quickly in the ransomware world, collecting up-to-date intelligence on ransomware groups is more important than ever before.

The threat of ransomware hasn't gone away. However, law enforcement has certainly struck a blow by adjusting its tactics and has potentially created some breathing room for security professionals by taking out some of the biggest adversaries in the ransomware scene.

**About the Author**

CTO & Co-founder, Searchlight Cyber

Dr. Gareth Owenson is the CTO and co-founder of the Dark Web intelligence company Searchlight Cyber. Gareth completed his Ph.D. in computer science in 2007 and is a world leader in Tor Dark Web research. He advises governments, military, and law enforcement on Dark Web technologies and guides the development of a suite of technologies that have put Searchlight Cyber in the forefront of Dark Web investigative and intelligence efforts. Gareth co-founded Searchlight Cyber in 2017 to help governments, law enforcement, and enterprises in the fight to protect society from threats that emanate from the Dark Web.

How Law Enforcement's Ransomware Strategies Are Evolving

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

Source: Miscellaneoustock via Alamy Stock Photo

A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.

In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.

But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, "Pixhell," enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.

**How Pixhell Works**

It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.  

Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.

Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.

Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.

Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.

However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."

In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."

**The Wide World of Covert Channel Attacks**

Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.

"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds. 

Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.

**What the Best Air Gaps Look Like**

For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.

Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.

"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.

Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical \[channel you're worried about\], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly \[at intervals\], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?

Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens

An attack dubbed "WordDrone" that uses an old flaw to install a backdoor could be related to previously reported cyber incidents against Taiwan's military and satellite industrial supply chain.

Source: Ron Ardity via Alamy Stock Photo

Attackers are weaponizing an "ancient" version of Microsoft Word in a recent wave of attacks on Taiwanese drone makers that's delivering malware aimed at cyber espionage and disrupting the military- and satellite-related industrial supply chains.

Researchers from the Acronis Threat Research Unit have discovered an attack they've dubbed "WordDrone" that uses a dynamic link library (DLL) side-loading technique common in the installation process of Microsoft Word, to install a persistent backdoor called ClientEndPoint on infected systems.

The Acronis team members discovered the unusual attack vector when they investigated a customer escalation from Taiwan "about a strangely behaving process of an ancient version of Microsoft Word," they wrote in a blog post published Sept. 10.

"Three files were brought to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension," they wrote in the post. "Microsoft Word was used to side load the malicious 'wwlib' DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name."

They eventually found similar two-stage attack scenarios across multiple environments between April and July this year. The first stage of the attacks focuses on Windows desktop machines, while the second stage sees attackers trying to move over to Windows servers, the researchers said.

**Similarities to "TIDrone" Campaign**

It's unclear if the attack vector is related to a similar wave of cyber incidents against Taiwanese drone makers by a threat actor dubbed "TIDrone" reported by researchers at Trend Micro. That actor, linked to other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware.

Similarly, the WordDrone attack also appears to have an ERP component, the researchers said. While they couldn't find "definitive evidence about how attackers were gaining initial access," the first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin.

"Upon further investigation, we found multiple components of Digiwin … being deployed in the target environments," the researchers wrote. Moreover, some of Digiwin's components contained known vulnerabilities like CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

"Based on all the information collected, we believe that there is high probability of exploitation or a supply chain attack being involved with the ERP software in question," the researchers noted.

**Targeting a Side-Loading Flaw**

The attack leverages a side-loading vulnerability in an old version of Winword (v14.0.4762.1000) allowing attackers to use it to load a DLL that has a name matching the original supplied by Microsoft.

"In the very same directory where Winword was located, we could see only two additional files, a ... DLL called wwlib.dll, which is normally part of a standard Microsoft Office installation package — this time having an unusually small size — and another file called 'gimaqkwo.iqq' which already looked suspicious," the researchers explained.

Upon further inspection, the wwlib library turned out to be acting as a loader with the sole purpose of reading the main payload that is stored in the encrypted "gimaqkwo.iqq" file in the same directory, they said. The file name of the payload — the ClientEndPoint backdoor — is stored in an encrypted form in the loader.

The backdoor has functionality typical to this type of malware, including the ability to listen in on user sessions, send and receive commands from the attacker-controlled command and control (C2), and exfiltrate data and send it back to the C2. It also has a proxy configuration mode in which one infected host can receive data and commands from another infected host on the local network while only one of them is in direct communication with the C2.

**Why Target Taiwanese Drone Makers?**

The fact that two separate security research teams have been investigating a spate of cyberattacks against Taiwanese drone makers brings up the question of motive on the part of attackers, which the Acronis team attempted to address.

Drone manufacturing has increased remarkably in Taiwan since 2022, with significant financial backing from the government, the researchers noted. There currently are about a dozen Taiwanese companies in the space  — often providing components for original equipment manufacturers (OEMs) — and even more if the country's global aerospace industry is taken into consideration, they said.

This investment in drone manufacturing and the considerable technological prowess of Taiwan, as well as its position as a US ally, "make them a prime target for adversaries interested in military espionage or supply chain attacks," the researchers observed.

"The extreme growth of the drone industry in the past decade also had an unfortunate side effect — even consumer models are used for military purposes now," they wrote in the post.

The research team shared their intelligence with Taiwan's appropriate cybersecurity authorities and included a list of indicators of compromise (IoCs) in the blog post. As drone makers of all sizes could be targeted by WordDrone attacks, defenders should be mindful of any suspicious activity, especially as it relates to older versions of Microsoft Word that might be present in their environment. Small businesses in the sector in particular should be mindful and shore up defenses, the researchers wrote, "as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Ancient' MSFT Word Bug Anchors Taiwanese Drone-Maker Attacks

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.
The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech

Windows Security / Vulnerability

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.

The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release.

The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited -

*   **CVE-2024-38014** (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
*   **CVE-2024-38217** (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
*   **CVE-2024-38226** (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability
*   **CVE-2024-43491** (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

"In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."

As disclosed by Elastic Security Labs last month, CVE-2024-38217 – also referred to as LNK Stomping – is said to have been abused in the wild as far back as February 2018.

CVE-2024-43491, on the other hand, is notable for the fact that it's similar to the downgrade attack that cybersecurity company SafeBreach detailed early last month.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond noted.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."

The Windows maker further said it can be resolved by installing the September 2024 Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Optional Components for Windows 10 (version 1507) that have been previously exploited.

"No exploitation of CVE-2024-43491 itself has been detected," the company said. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Arm
*   Bosch
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   CODESYS
*   D-Link
*   Dell
*   Drupal
*   F5
*   Fortinet
*   Fortra
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Google Wear OS
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, Focus and Thunderbird
*   NVIDIA
*   ownCloud
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Spring Framework
*   Synology
*   Veeam
*   Zimbra
*   Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Palo Alto, USA/California, 11th September 2024, CyberNewsWire

Opus’ innovative engine integrates AI-driven intelligence, contextual data and automated decision-making to drive precise, efficient vulnerability remediation.

Opus Security, the leader in unified cloud-native remediation, today announced the launch of its **Advanced Multi-Layered Prioritization Engine**, designed to revolutionize how organizations manage, prioritize and remediate security vulnerabilities. Leveraging AI-driven intelligence, deep contextual data and automated decision-making capabilities, this innovative engine helps organizations prioritize the most critical vulnerabilities, enhancing both security posture and operational efficiency.

**A Breakthrough in Vulnerability Remediation**

Security teams are overwhelmed by the need to rapidly prioritize alerts from multiple tools across various attack surfaces. These may include redundant alerts or negligible findings and teams must decide which to address first without adequate information, context and ability to do so. Security teams struggle to identify and address the most critical issues, and developers have limited time and scope to devote to security fixes—especially when it isn’t clear what is important and what is negligible. Developers are often bombarded with alerts that are duplicates or irrelevant due to inefficient prioritization—wasting time and increasing friction and frustration.

Opus Security’s Advanced Multi-Layered Prioritization Engine is a transformative approach to vulnerability management. By integrating multiple layers of intelligence, contextual analysis and risk mitigation, the engine ensures that security teams can effectively prioritize and address the most critical vulnerabilities, reducing risk, enhancing operational efficiency and supporting overall business goals. The engine integrates traditional vulnerability severity scoring with dynamic exploitability analysis, detailed environmental context and an automated decision-making process to provide a robust method for ranking vulnerabilities.

A key component of this engine is the **AI-Based Vulnerability Intelligence Layer**, which goes beyond traditional severity scoring. This layer leverages over 700 real-time threat intelligence feeds to build a deep and nuanced understanding of each vulnerability’s risk. By incorporating intelligence from sources such as dark web forums, social media, open-source tools, exploit databases and active threat campaigns, the engine can flag high-risk issues with unparalleled accuracy. This intelligence-driven approach ensures that organizations are aware of vulnerabilities and their likelihood of exploitation in the wild, allowing for proactive and informed remediation efforts.

Using a five-layered framework, the engine first performs a **Base Severity Assessment**, aggregating severity scores from leading security tools and public databases to ensure that no critical vulnerabilities are overlooked. Next, the **AI-Based Vulnerability Intelligence** layer leverages real-time threat intelligence to flag high-risk issues based on their likelihood of exploitation. The **Contextual Impact** layer then prioritizes vulnerabilities according to their relevance to specific business functions, protecting critical systems first, especially those that handle sensitive data. The engine is the first to enable real SSVC decision-making, fully baked into the product. This helps teams categorize vulnerabilities into specific response actions based on the affected environment’s severity, exploitability and criticality. Finally, the **Risk Customization layer** allows organizations to tailor prioritization according to their unique risk appetite and operational needs.

Additionally, Opus Security introduces **Effortless Data Querying**, allowing users to interact with the platform using natural language. This feature enables users to quickly refine vulnerability lists based on specific concerns and make precise, data-driven decisions by leveraging advanced AI-powered insights.

****Driving Value and Operational Excellence****

The engine’s multi-layered approach ensures unprecedented precision in risk management by integrating real-time intelligence with detailed contextual analysis. This integration enables SSVC decision-making, allowing security teams to focus on vulnerabilities that truly matter, reducing the likelihood of overlooking critical vulnerabilities.

Opus aligns security decisions with business priorities by deeply understanding the organization’s structure, critical services and risk profiles, driving context-aware decision-making that protects critical assets and directly supports strategic goals.

“Opus’ new Advanced Multi-Layered Prioritization Engine is a game-changer in vulnerability remediation, simplifying, streamlining and optimizing the process considerably. The engine’s ability to prioritize the vulnerabilities that pose the greatest risk reduces overall security costs and helps security and developer teams avoid unnecessary remediation of low-risk issues,” said Meny Har, CEO of Opus Security. “Minimizing friction between development and security teams, driving smoother collaboration and ensuring that security measures do not impede the development process means that all teams can focus on what matters and fix what counts.”

****About Opus Security****

Opus Security is at the forefront of cloud-native vulnerability remediation, delivering solutions that streamline remediation across complex IT ecosystems. Opus Security provides unparalleled visibility and control over vulnerabilities by integrating existing security tools and enhancing them with advanced AI and contextual intelligence. The platform’s innovative features, including the new Advanced Multi-Layered Prioritization Engine, empower organizations to protect their most critical assets with confidence and precision.

**Contact**

**Senior Account Executive**  
**Hannah Sather**  
**Montner Tech PR**  
**\[email protected\]**

Opus Security Elevates Vulnerability Management With its AI-Powered Multi-Layered Prioritization Engine

As attacks on satellites rise with nation-state conflicts, the South Asian nation joins other space-capable countries in doubling down on cybersecurity.

Source: NicoElNino via Shutterstock

A year ago, India landed a spacecraft — the Chandrayaan-3 — on the moon, becoming only the fourth nation to accomplish such a feat.

Yet, while the country continues to invest in its space capability and ground-based support infrastructure, a greater focus on cybersecurity is necessary to protect the software and hardware on which the systems rely, Dr. Sreedhara Panicker Somanath, chairman of the Indian Space Research Organization, said in a speech last week at the groundbreaking for a cybersecurity training center.

With nearly five dozen satellites in orbit, large nationwide networks for collaboration, and command-and-control networks that connect across the globe for 24-hour access to space-based assets, India needs to focus on cybersecurity for the entire system, he said.

"When the Chandrayaan-3 was landing, our data was coming from Australia and Spain and South Africa and many other places, and we have been coordinating to work with all of this during the landing process," he said. "You should all realize that such command and control of satellites from across the globe could be very, very vulnerable, and ... many of our satellites can become ... easily targets of such attacks."

India is one of perhaps a dozen nations with space ambitions. The competition between nations has bred threats to ground- and space-based infrastructure, and attacks on space systems have increased as nation-state conflicts have heated up. In 2022, Russian attacks on Ukraine's connection to the Viasat KA-SAT network caused communications outages as the Russian army invaded the country. Soon after, Russia cyber-operators attempted to hack and jam the Starlink network, SpaceX CEO Elon Musk stated at the time, while hackers claimed responsibility for delivering malware to a host of satellite terminals, taking communications offline in 2023.

The attacks demonstrated to the world that the cyberthreat to satellites is real, although attackers to date have mostly focused on disrupting communications. However, an emerging space effort, such as India's, could attract regional attackers, says Patrick Lin, director of the Ethics + Emerging Sciences Group at California Polytechnic State University in San Luis Obispo, which received a grant in 2022 from the National Science Foundation to study cybersecurity for space systems.

"India doesn't have as many adversaries as the United States does — its main competitor and sometimes adversary is China, but it also has tense relations with Pakistan," he says. "China has advanced cyber capabilities as well as a strong space program, and it doesn't like regional competition much, so it's not a stretch to think that China and others might target India's rise as a major space power."

**Space: The Next Frontier for Cyberattacks**

India's current effort aims to develop the cybersecurity tools and expertise to protect its space-focused systems and software, much of which are created in-house or by domestic firms. India already sees more than 3,300 attacks per week per organization, which is 81% higher than the global average of 1,830 attacks, according to data from Check Point Software.

Rapid digitization makes India a growing target, says Omer Dembinsky, data research group manager at Check Point Software.

"Indian organizations face double the global average of cyberattacks due to rapid digitalization, which has outpaced the implementation of robust cybersecurity measures, creating a large attack surface," he says. "A fast-growing Internet user base, underdeveloped cybersecurity infrastructure not able to keep up with the growing sophistication of cyberattacks, and lack of cybersecurity awareness within organizations also make them attractive targets."

The aerospace and defense sector is ranked as the fifth most-attacked industry, and India's space agency reportedly faces more than 100 attacks daily.

Other space-based nations are rapidly researching the potential of cyberattacks targeting space assets and how to defend against those attacks. The US National Institute of Standards and Technology (NIST) has teamed up with MITRE Corp. to create a version of its NIST Cybersecurity Framework for the space sector, while The Aerospace Corp. has created the Space Attack Research and Tactics Analysis, or SPARTA, matrix. The Aerospace Corp. also worked with the US military to create a satellite that can act as a testbed for real-world cyberattacks on space assets, called "Moonlighter."

**India Needs Cybersecurity Training**

Space is not the only industry that needs cybersecurity professionals, so government initiatives such as Atmanirbhar Bharat — or "Self-Reliant India" — hope to create more startups and a larger ecosystem of homegrown software. Indian organizations have more than 40,000 openings for skilled cybersecurity workers, according to tech staffing firm TeamLease. The country had only about 100,000 cybersecurity professionals in 2021, which tripled to 300,000 in two years.

The need for increased cybersecurity expertise is acute, says Check Point Software's Dembinsky. The country needs to support more training for cybersecurity professionals and emphasize a focus on cyber-awareness training programs.

"The demand for proficient cybersecurity professionals surpasses the qualified talent pool, creating a significant industry void," Dembinsky says. "Currently, a lot of focus on skilled cybersecurity professionals burnout is being reported on, due to the consistent nature of managing these evolving threats."

In addition, the focus on research and development in space technology means that most projects are novel and lack rigorous security testing. The reality of these obscure technologies is that they both benefit — and suffer — from their uniqueness, says CalPoly's Lin.

"Many space projects today are ... one-of-a-kind prototypes in this new era of experimentation with space technologies," he says. "This provides a 'security by novelty' layer of protection, but the flip side of that is, if your technology is under-studied by threat actors, that means you don't know where your system's vulnerabilities are, either."

The lesson for India should be that critical infrastructure — whether it supports scientific research, corporate intellectual property, or financial transactions — is not safe, says ISRO's Somanath.

"Nothing is safe in the world — I think anybody can hack or create havoc in our system," he said. "The data that we have collected, especially the design data, or the personal data or the scientific data that we are created over the years, could all be very vulnerable."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India Needs Better Cybersecurity for Space, Critical Infrastructure

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

**Microsoft Corp.** today released updates to fix at least 79 security vulnerabilities in its **Windows** operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some **Windows 10** PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

By far the most curious security weakness Microsoft disclosed today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rolling back of fixes for some vulnerabilities affecting “optional components” on certain Windows 10 systems produced in 2015. Those include Windows 10 systems that installed the monthly security update for Windows released in March 2024, or other updates released until August 2024.

**Satnam Narang**, senior staff research engineer at **Tenable**, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears labeled this way with CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously know to be exploited.

“To correct this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates,” Narang said.

**Kev Breen**, senior director of threat research at **Immersive Labs**, said the root cause of CVE-2024-43491 is that on specific versions of Windows 10, the build version numbers that are checked by the update service were not properly handled in the code.

“The notes from Microsoft say that the ‘build version numbers crossed into a range that triggered a code defect’,” Breen said. “The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state.”

Zero Day #1 this month is CVE-2024-38226, and it concerns a weakness in **Microsoft Publisher**, a standalone application included in some versions of **Microsoft Office**. This flaw lets attackers bypass Microsoft’s “**Mark of the Web**,” a Windows security feature that marks files downloaded from the Internet as potentially unsafe.

Zero Day #2 is CVE-2024-38217, also a Mark of the Web bypass affecting Office. Both zero-day flaws rely on the target opening a booby-trapped Office file.

Security firm **Rapid7** notes that CVE-2024-38217 has been publicly disclosed via an extensive write-up, with exploit code also available on GitHub.

According to Microsoft, CVE-2024-38014, an “elevation of privilege” bug in the Windows Installer, is also being actively exploited.

June’s coverage of Microsoft Patch Tuesday was titled “Recall Edition,” because the big news then was that Microsoft was facing a torrent of criticism from privacy and security experts over “**Recall**,” a new artificial intelligence (AI) feature of Redmond’s flagship Copilot+ PCs that constantly takes screenshots of whatever users are doing on their computers.

At the time, Microsoft responded by suggesting Recall would no longer be enabled by default. But last week, the software giant clarified that what it really meant was that the ability to disable Recall was a bug/feature in the preview version of Copilot+ that will not be available to Windows customers going forward. Translation: New versions of Windows are shipping with Recall deeply embedded in the operating system.

It’s pretty rich that Microsoft, which already collects an insane amount of information from its customers on a near constant basis, is calling the Recall removal feature a bug, while treating Recall as a desirable feature. Because from where I sit, Recall is a feature nobody asked for that turns Windows into a bug (of the surveillance variety).

When Redmond first responded to critics about Recall, they noted that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data.

But that claim rang hollow after former Microsoft threat analyst **Kevin Beaumont** detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

As it is apt to do on Microsoft Patch Tuesday, Adobe has released updates to fix security vulnerabilities in a range of products, including **Reader** and **Acrobat**, **After Effects**, **Premiere Pro**, **Illustrator**, **ColdFusion**, **Adobe Audition**, and **Photoshop**. Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates.

Seeking a more detailed breakdown of the patches released by Microsoft today? Check out the SANS Internet Storm Center’s thorough list. People responsible for administering many systems in an enterprise environment would do well to keep an eye on AskWoody.com, which often has the skinny on any wonky Windows patches that may be causing problems for some users.

As always, if you experience any issues applying this month’s patch batch, consider dropping a note in the comments here about it.

Bug Left Some Windows PCs Dangerously Unpatched

Besides operational issues connected to a talent shortage, the cost of running security platforms — and their training costs — also keeps CISOs up at night.

Source: Eddie Gerald via Alamy Stock Photo

While SecOps leaders face a variety of challenges in their roles, the two biggest standouts are the difficulty navigating the skills gap in the cyber field and the challenge of operating and investigating commonly used tools.

Researchers at Command Zero have released a report on challenges that chief information security officers (CISOs) and other leaders face, with data collected through hundreds of detailed interviews with cybersecurity professionals from 15 industries. The researchers argue that over the past 40 years, certain innovations have been markers for waves of "digital innovation," such as the creation of the Internet, cellphones, and cloud computing. Now, the latest wave of innovation comes in the form of artificial intelligence (AI). In all of these arenas, the advantages they provide come with deep security challenges.

**Where's the Talent When You Need It?**

The primary and seemingly obvious challenge is the skills shortage in cybersecurity, for all disciplines, but especially in the area of cyber investigations, according to the report.

This is likely because the average cyber investigator must meet extensive requirements to be qualified for such a position. According to the researchers, these kinds of analysts need to be "subject matter experts" when it comes to analysis and have administrator-level knowledge of data sources.

Given the ongoing shortage of cyber professionals who meet that high bar of qualifications and knowledge, existing teams are stretched thin, some working the equivalent of two jobs to keep up with the latest threats. While this may keep a business afloat, it can also lead to burnout, oversights and, ultimately, a decrease in overall effectiveness of mitigating potential threats.

In addition, part of building such a substantial wealth of knowledge to be this kind of analyst is working in an environment that stresses and fosters the importance of continuous learning. However, "this is challenging when teams are constantly in fire-fighting mode" according to the researchers.

Because of this shortage, 88% of individuals interviewed expressed concerns regarding operational issues because of the lack of staffing while threats continue to grow. Not only this, but 74% of respondents said that they felt their team lacked sufficient public cloud skills to perform "high-quality investigations."

Command Zero recommends companies prioritize and resolve these issues by investing in analysts as well as improving job satisfaction to reduce turnover and improve talent retention.

**No Absolutes Within SecOps Tools**

Three tools are amongst the most widely used SecOps tools by SOC and IR teams in the industry: endpoint and other detection and response (EDR/XDR); security information and event management (SIEM); and security orchestration, automation, and response (SOAR). All three pose their own challenges for cyber professionals.

EDR/XDR, according to the researchers, is the most heavily relied upon investigation tool, but, it has its limits when it comes to correlating network and cloud telemetry. It's also expensive — it can be costly to use EDR/XDR "at scale in cloud environments," meaning that when it is used, it's not to its full potential leading to gaps in visibility.

Some 59% of respondents pointed to the staffing costs that come with using SIEM for investigations. Three-quarters report that they have a "lack of resources and skills required for integrating data sources into SIEM and SOAR," with some of them employing the services of a third party to keep the systems operational.

There's likely a correlation between the two, as deploying, customizing, and maintaining a SIEM requires highly specialized skills; training for these skills is costly, making them expensive to grow and cultivate, even moreso to staff when they're seemingly so high in demand.

Unfortunately, none of these three tools wallow for 100% coverage of all IT systems. The researchers recommend that companies invest in conceptual and technology-based training for security operations and identify the gaps in security they might have.

**Staffing Shortage vs. Job Openings: Which Is It?**

The cyber industry has been complaining for years of a staffing shortage, encouraging individuals to apply to jobs in an industry that claims it has much to offer. But is anyone actually hiring? Apparently so, but applicants have to be well qualified.

"Most cyber roles require cross-disciplinary experience and capabilities in IT," the researchers of the report tell Dark Reading, noting that hiring is difficult. "Unlike a system administrator role, which requires specialization in only one kind of system, cyber roles require a fundamental understanding of networking, endpoint, applications, and systems. This makes these roles hard to fill."

There's also a high demand from many competitive companies for the same qualified individuals. This means that these individuals have a lot of options, creating heavy turnover in an endless vicious cycle.

Their recommendations for landing a role? Look for cyber internships and part-time jobs while in school, or aim for adjacent roles to help gain experience.

"Your path into cyber can be networking, systems engineering, or software development," the researchers say. "While this may sound counter-intuitive, a lot of security professionals started their careers as non-security professionals in IT. So, starting out as a network associate or systems engineer can give you some of the cross-disciplinary experience you need to break into cyber."

And the learning never stops. "Because of how quickly cyber evolves," they added, "you need to continue investing into professional growth throughout your career."

Cyber Staffing Shortages Remain CISOs' Biggest Challenge

A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort.
Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster

Malware / Cyber Espionage

A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed **Crimson Palace**, indicating an expansion in the scope of the espionage effort.

Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). STAC is an abbreviation for "security threat activity cluster."

"The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point," security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher said in a technical report shared with The Hacker News.

A noteworthy aspect of the attacks is that it entails the use of an unnamed organization's systems as a command-and-control (C2) relay point and a staging ground for tools. A second organization's compromised Microsoft Exchange Server is said to have been utilized to host malware.

Crimson Palace was first documented by the cybersecurity company in early June 2024, with the attacks taking place between March 2023 and April 2024.

While initial activity associated with Cluster Bravo, which overlaps with a threat group called Unfading Sea Haze, was confined to March 2023, a new attack wave detected between January and June 2024 has been observed targeting 11 other organizations and agencies in the same region.

A set of new attacks orchestrated by Cluster Charlie, a cluster that's referred to as Earth Longzhi, has also been identified between September 2023 and June 2024, some of which also involve the deployment of the C2 frameworks like Cobalt Strike, Havoc, and XieBroC2 in order to facilitate post-exploitation and deliver additional payloads like SharpHound for Active Directory infrastructure mapping.

"Exfiltration of data of intelligence value was still an objective after the resumption of activity," the researchers said. "However, much of their effort appeared to be focused on re-establishing and extending their foothold on the target network by bypassing EDR software and rapidly re-establishing access when their C2 implants had been blocked."

Another significant aspect is Cluster Charlie's heavy reliance on DLL hijacking to execute malware, an approach previously adopted by threat actors behind Cluster Alpha, indicating a "cross-pollination" of tactics.

Some of the other open-source programs used by the threat actor include RealBlindingEDR and Alcatraz, which allow for terminating antivirus processes and obfuscating portable executable files (e.g., .exe, .dll, and .sys) with an aim to fly under the radar.

Rounding off the cluster's malware arsenal is a previously unknown keylogger codenamed TattleTale that was originally identified in August 2023 and is capable of collecting Google Chrome and Microsoft Edge browser data.

"The malware can fingerprint the compromised system and check for mounted physical and network drives by impersonating a logged-on user," the researchers explained.

"TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policies, security settings, and sometimes cached passwords."

In a nutshell, the three clusters work hand in hand, while simultaneously focusing on specific tasks in the attack chain: infiltrating target environments and conducting reconnaissance (Alpha), burrow deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).

"Throughout the engagement, the adversary appeared to continually test and refine their techniques, tools, and practices," the researchers concluded. "As we deployed countermeasures for their bespoke malware, they combined the use of their custom-developed tools with generic, open-source tools often used by legitimate penetration testers, testing different combinations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Identify 3 Chinese-Linked Clusters Behind Cyberattacks in Southeast Asia

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

Source: Michael Vi via Shutterstock

Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.

The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, identified as CVE-2024-40766, to its Known Exploited Vulnerabilities (KEV) database. The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.

**Improper Access Control Bug**

CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.

SonicWall first disclosed the bug on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the company's recommended mitigations for it.

Artic Wolf on Friday said it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. "In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Arctic Wolf said.  "Additionally, MFA was disabled for all compromised accounts."

SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. "Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet," SonicWall advised.

The company is also "strongly" advocating that administrators of the company's Gen 5 and Gen6 firewalls ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. Additionally, SonicWall has recommended that organizations enable multifactor authentication (MFA) for all SSLVPN users.

**SonicWall: A Popular Target**

SonicWall's firewall products, like routers, VPNs and other network security technologies are an attractive attack target because of the elevated privileges threat actors can gain on a target network by compromising one of these products. Many network security products give attackers access to all traffic flowing in and out of a network and also to the valuable assets and data that are behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UK's National Cyber Security Center (NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target devices.

Earlier this year, CISA, for instance, identified China's notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, NetGear, Cisco, and Citrix to obtain initial access. In a 2023 report, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses, by state sponsored actors and intelligence agencies around the world. The company assessed that attackers like targeting network technologies such as routers and switches because of the deep visibility they enable on a victim network and because organizations often fail to keep the devices properly secured and patched.

Concerns over heightening government exposure to such attacks prompted CISA to issue a binding operational directive in late June that required FCEB agencies to implement strong measures to protect management interfaces for specific network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#intel