The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Tuesday, October 8, 2024 15:04

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.  

October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.   

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.  

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability.  

The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability. 

The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.  

CVE-2024-43583, an elevation of privilege vulnerability in Winlogon, has also been publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. This vulnerability could allow an attacker to obtain SYSTEM-level privilege. In addition to applying the patch, Microsoft also recommends users enable a Microsoft first-party Input Method Editor (IME) on their devices to prevent adversaries from being able to exploit third-party IMEs during the sign-in process. 

October’s Patch Tuesday also includes three critical vulnerabilities that could all lead to remote code execution. 

CVE-2024-43468 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Microsoft Configuration Manager to execute commands on the targeted server or underlying database. 

Another remote code execution vulnerability, CVE-2024-43488, exists in the Visual Studio Code extension for Arduino, an open-source platform for building and managing single-board microcontrollers and microcontroller kits. A missing authentication protocol could allow an adversary to execute remote code over the network.  

Microsoft stated that the company has already mitigated this vulnerability and users do not need to take any additional steps. This extension has also been deprecated and can no longer be downloaded from the internet. 

Lastly, CVE-2024-43582 exists in the Windows Remote Desktop Protocol server and could allow an attacker to execute code on the server side with the same permissions as the RPC service. An adversary could exploit this vulnerability by sending malformed packets to an RPC host. However, exploitation also requires that the adversary win a race condition first.  

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

*   CVE-2024-43502: Elevation of privilege vulnerability in Windows Kernel 
*   CVE-2024-43509 and CVE-2024-43556: Elevation of privilege vulnerabilities in Windows Graphics Component     
*   CVE-2024-43560: Elevation of privilege vulnerability in Windows Storage Port 
*   CVE-2024-43581 and CVE-2024-43615: Remote code execution vulnerability in Microsoft OpenSSH for Windows  
*   CVE-2024-43609: Spoofing vulnerability in Microsoft Office 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

As healthcare organizations struggle against operational issues, two-thirds of the industry suffered ransomware attacks in the past year, and an increasing number are caving to extortion and paying up.

Source: Yuri A/PeopleImages via ShutterStock

The healthcare sector continues to grow, but without the proper focus on cybersecurity, the prognosis for the industry's resilience against ransomware and other attacks has only worsened.

Against a backdrop of non-IT disruptions — such as private equity failures, shortages of medicines, and the cutting of services — two-thirds (66%) of healthcare organizations also suffered ransomware attacks in the past year, up from 60% in the prior year, according to a report from cybersecurity firm Sophos. Major attacks on hospitals and medical-service providers have led to disruptions of services, significant financial outlay, and the exposure of sensitive patient data. In some cases, they also affected patient outcomes.

There are also new threats emerging all the time. The Trinity ransomware, for instance, first seen last May, poses a "significant threat" to the healthcare and public health sector, according to an alert this week from the US Department of Health and Human Services.  

Overall, more than 14 million US citizens — and an unknown number worldwide — have been affected by healthcare breaches in 2024, according to another data set from security firm SonicWall.

Healthcare suffers such a cyber malaise that Senate Finance Committee chair Ron Wyden (D-Ore.), and Sen. Mark Warner (D-Va.) last week announced legislation to attempt to patch up the system. The bill would require jail time for healthcare CEOs that lie to the government about their cybersecurity postures, offer federal resources to rural and underserved hospitals for cyber improvements, and introduce accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data. The bill would also remove the existing cap on fines for data mishandling under the Health Insurance Portability and Accountability Act (HIPAA).

"Mega-corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result," Wyden said in a statement announcing the bill. "The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy."

**Healthcare Cyber-Profiles Are Ripe for Infection**

Healthcare organizations have three attributes that ensure ransomware gangs will continue to focus on the industry: Their operations are critical to society, their technology is often old and rife with vulnerabilities, and individual organizations are willing to pay ransoms, says Doug McKee, executive director of threat research of SonicWall.

"There's a lot of money in healthcare, \[and\] healthcare is not only notorious for having a lot of money, but they've been painted as an industry that's willing to pay the ransom," he says. "If we're going to keep paying the ransom, the attackers are going to keep ramping up in that industry. The math is that simple."

The cybersecurity problems plaguing the industry are not just affecting the business of healthcare. They're also having real impacts on patients and national health efforts. Attackers used stolen credentials, for example, to compromise UnitedHealth subsidiary Change Healthcare and infect its systems with ransomware in February, leading to stalled payments for doctors, pharmacies, and hospitals — and eventually a $22 million ransom paid to the criminals. In the United Kingdom, an attack on medical-services provider Synnovis in June led to delays in matching patient blood types and other pathology services. The same month, an attack on South Africa's National Health Laboratory Service (NHLS) disrupted the service provided by the government-run testing laboratories, while the nation found itself in the midst of an mpox outbreak.

"I can either pay the ransom, get back up and running, or I can try to rebuild it myself and pray that we get everything back set up running in a week — not an option," says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). "So now, we've got a sector who is more prevalent to pay, and I think the bad guys — cybercriminals, nation-states that are doing this — figured that out pretty quickly. I think it's getting worse, and I think that they've also figured out the weak spots in the sector."

**A Pound of Cure Typically Fails**

The weakest spot for healthcare entities is arguably the inter-reliance of hospitals and pharmacies on their third-party providers. When Change Healthcare suffered its weekslong outage, the incident demonstrated that efforts to shore up cyber resilience has to extend all the way to any third-party suppliers on which healthcare providers rely.

"Change Healthcare definitely rocked the sector and made us \[realize\] that it's a single point of failure for so many services," Weiss says. "We had thousands of patients across the US that couldn't get prescriptions filled because of that outage, and then ... we had hospitals that couldn't file claims."

Similarly, the attacks on Synnovis and NHLS slowed diagnostic services.

While their operational requirements — prioritizing human life, which means keeping open the access to needed data — pose challenging issues, healthcare organizations must gain oversight over their (often legacy) technology and the large variety of medical devices and equipment, which might not be kept totally up to date. Seven out of every eight breaches were caused by exploitable vulnerabilities, compromised credentials, and malicious emails — so focusing on those three areas could pay significant dividends for cybercriminals, says Christopher Budd, director of threat research for Sophos X-Ops.

"Healthcare — along with energy, oil/gas, and utilities — is challenged by higher levels of legacy technology, and infrastructure controls more than most other sectors, which likely makes it harder to secure devices, limit lateral movement, and prevent attacks from spreading," he says.

**Time for an Ounce of Prevention**

Yet, perhaps most telling is the industry's problems with backups.

In 95% of attacks targeting healthcare organizations, the attacker tried to compromise the backups. Unfortunately, they succeeded in 66%, putting healthcare organizations' defensive shortcomings behind that of only the energy, oil/gas, and utilities sector (79%) and the education sector (71%), according to Sophos' report.

While healthcare organizations continue to use backups to recover, many also pay ransoms. Source: Sophos

The loss of backups results in much worse — and more expensive — outcomes, the report stated. The value of the initial ransom demand more than tripled, to $4.4 million, compared with $1.3 million for organizations with backups, and the organizations were far more likely to pay the ransom, with 63% of organizations with a failed backup paying the ransom, compared with 27% of organizations with complete backups.

In its threat brief, SonicWall recommended the typical trio of cybersecurity best practices: patch management, strong access controls, and continuous monitoring. However, out of those three, monitoring is the most important capability for organizations to establish first, says SonicWall's McKee. Companies with good visibility can detect cybersecurity issues early and remediate them before they are attacked, he says.

While the outlook is currently messy, progress is being made, he added.

"I think that we've gotten better," McKee says. "Over the last five years, I've seen a huge improvement in healthcare, as far as being able to turn around cybersecurity best practices ... but \[technology\] has to get through all the regulatory requirements ... and that's simply going to take time ... probably years, for healthcare to get to a point that we're able to reduce some of the effectiveness of these attacks."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Healthcare's Grim Cyber Prognosis Requires Security Booster

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work…

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected.

The cybersecurity researchers at Morphisec Threat Labs have uncovered and thwarted multiple variants of Lua malware specifically targeting the educational sector. These attacks exploit the popularity of **Lua-based gaming engine supplements**, which are widely used by student gamers. Even more concerning, the malware campaigns were observed targeting unsuspecting users globally including across North America, South America, Europe, Asia, and Australia.

The malware strain was first reported in March 2024 (do not confuse Lua malware with the infamous **Luabot DDoS malware** identified in 2016). Over the past months, the delivery methods of Lua malware have changed to become simpler, possibly to evade detection mechanisms. Instead of using compiled Lua bytecode, which can easily raise suspicion, the malware is now frequently delivered through obfuscated Lua scripts.

****Malicious ZIP Files****

The malware is typically distributed in the form of an installer or a ZIP archive and often disguised as game cheats or other gaming-related tools, making it particularly lucrative to students who are searching for ways to enhance their gaming experience.

According to Morphisec Threat Labs’ detailed technical **blog post** shared with Hackread.com ahead of publishing on Tuesday, when a user downloads the infected file, typically from platforms like GitHub, they receive a ZIP archive containing four key components: Lua51.dll: A runtime interpreter for Lua, Compiler.exe: A lightweight loader, Obfuscated Lua Script: The malicious code and Launcher.bat: A batch file that executes the Lua script.

Upon execution, the batch file runs the Compiler.exe, which loads the Lua51.dll and interprets the obfuscated Lua script. This script then establishes communication with a Command and Control (C2) server, sending detailed information about the infected machine. The C2 server responds with tasks, which can be categorized into two types: Lua Loader Tasks: Actions such as maintaining persistence or hiding processes. Task Payloads: Instructions to download and configure new payloads.

Attack flow (Via Morphisec Threat Labs)

****Lua Malware and SEO Poisoning****

The delivery techniques used in these attacks include **SEO poisoning**, where search engine results are manipulated to lead users to malicious websites. For instance, advertisements for popular cheating script engines like Solara and Electron, often associated with Roblox, have been found to direct users to GitHub repositories hosting various Lua malware variants. These repositories frequently use github.com/user-attachments push requests to distribute the malware.

****Additional InfoStealer Like Redline****

The infection chain does not end with Lua malware infection. The malware ultimately leads to the deployment of infostealers, notably Redline Infostealers. For your information, infostealers like **Redline, Vidar and Formbook** are gaining prominence as the harvested credentials are sold on the dark web **especially ChatGPT credentials**, opening the door to more attacks in the future.

SEO poisoning in action (Via Morphisec Threat Labs)

****Watch Out Students and Gamers****

Gamers, educational institutions, and students should be cautious of Lua and other malware threats by avoiding downloads from untrustworthy sources. Keeping security software up to date and informing users about the **cybersecurity risks of downloading game cheats** and unverified content can help reduce the chances of these attacks.

1.  **Fake League of Legends Download Ads Drop Lumma Stealer**
2.  **Global malspam targets hotels, spreading Redline, Vidar stealers**
3.  **Fake Windows site dropped Redline malware as Windows 11 upgrade**
4.  **Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware**
5.  **Ransomware Hidden as a Game: Kransom’s Attack Via DLL Side-Loading**

Lua Malware Targeting Student Gamers via Fake Game Cheats

This week on the Lock and Code podcast, we speak with Zach Hinkle and Pieter Arntz about the Facebook funeral livestream scam.

_This week on the Lock and Code podcast…_

Online scammers were seen this August stooping to a new low—abusing local funerals to steal from bereaved family and friends.

Cybercrime has never been a job of morals (calling it a “job” is already lending it too much credit), but, for many years, scams wavered between clever and brusque. Take the “Nigerian prince” email scam which has plagued victims for close to two decades. In it, would-be victims would receive a mysterious, unwanted message from alleged royalty, and, in exchange for a little help in moving funds across international borders, would be handsomely rewarded.

The scam was preposterous but effective—in fact, in 2019, CNBC reported that this very same “Nigerian prince” scam campaign resulted in $700,000 in losses for victims in the United States.

Since then, scams have evolved dramatically.

Cybercriminals today willl send deceptive emails claiming to come from Netflix, or Google, or Uber, tricking victims into “resetting” their passwords. Cybercriminals will leverage global crises, like the COVID-19 pandemic, and send fraudulent requests for donations to nonprofits and hospital funds. And, time and again, cybercriminals will find a way to play on our emotions—be they fear, or urgency, or even affection—to lure us into unsafe places online.

This summer, Malwarebytes social media manager Zach Hinkle encountered one such scam, and it happened while attending a funeral for a friend. In a campaign that Malwarebytes Labs is calling the “Facebook funeral live stream scam,” attendees at real funerals are being tricked into potentially signing up for a “live stream” service of the funerals they just attended.

Today on the Lock and Code podcast with host David Ruiz, we speak with Hinkle and Malwarebytes security researcher Pieter Arntz about the Facebook funeral live stream scam, what potential victims have to watch out for, and how cybercriminals are targeting actual, grieving family members with such foul deceit. Hinkle also describes what he felt in the moment of trying to not only take the scam down, but to protect his friends from falling for it.

> “You’re grieving… and you go through a service and you’re feeling all these emotions, and then the emotion you feel is anger because someone is trying to take advantage of friends and loved ones, of somebody who has just died. That’s so appalling”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Exposing the Facebook funeral livestream scam (Lock and Code S05E21) 

Apple Security Advisory 10-03-2024-1 - iOS 18.0.1 and iPadOS 18.0.1 addresses an audio capturing issue and a logic issue related to passwords being read aloud.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1

iOS 18.0.1 and iPadOS 18.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121373.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Media Session  
Available for: iPhone 16 (all models)  
Impact: Audio messages in Messages may be able to capture a few seconds  
of audio before the microphone indicator is activated  
Description: This issue was addressed with improved checks.  
CVE-2024-44207: Michael Jimenez and an anonymous researcher

Passwords  
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch  
3rd generation and later, iPad Pro 11-inch 1st generation and later,  
iPad Air 3rd generation and later, iPad 7th generation and later, and  
iPad mini 5th generation and later  
Impact: A user's saved passwords may be read aloud by VoiceOver  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44204: Bistrit Dahal

This update is available through iTunes and Software Update on your  
iOS device, and will not appear in your computer's Software Update  
application, or in the Apple Downloads site. Make sure you have an  
Internet connection and have installed the latest version of iTunes  
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check  
Apple's update server on its weekly schedule. When an update is  
detected, it is downloaded and the option to be installed is  
presented to the user when the iOS device is docked. We recommend  
applying the update immediately if possible. Selecting  
Don't Install will present the option the next time you connect  
your iOS device.

The automatic update process may take up to a week depending on  
the day that iTunes or the device checks for updates. You may  
manually obtain the update via the Check for Updates button  
within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings  
* Select General  
* Select About. The version after applying this update will be  
"iOS 18.0.1 and iPadOS 18.0.1".

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmb/LLMACgkQX+5d1TXa  
Ivp/oBAAtCfF765M4s/Iwi15gaFUFbOe5Droq7gCJEvtwSsfYFESbM5eCiGZjn4y  
Na+d9SrlgymDhIz5j6ZDZdSHKjCLhlkYc+JxpjgUM7rPxJtpn1QBGdDcjUfhpesV  
sPxIaQk3lok4uLdBt9tbDT1a+pI67vKa2hm3FmZHsj5MZLSUJaR3d5rq2MWo3RjD  
dfVsDhdCvnhk0vSA7ro8/EXVX1W6Jq8UQRGMjXcZgTiSWIx4TLdx6cNGD53dPuzl  
ffP6M4XHi247tolr8gs0+EBBlnwUVF1DGgx5MZGuxO++MNLo0SF25HTZN6bmuEQy  
zcQjuOHUzEazRzs9lO6IqAoY+YFQKW/UN3+Fj0RNKl2OXloRf2DTgl1C53V+uVyB  
MdtJtYCJ1YxwKnhzGsmjclk5oqUrtEKL4Yeri1TxbfXBgoFflNLNRgRrwqkIoPKy  
XURcpZ7/yD62Y4uMDIXFWV6FlEPZ/lPnM9Yh7Nh3ocJwJFlsHItuhJrwgyjLkfCZ  
Lnerb7en4FbxEfewnjbdCh06P58e5c3XVVSVGNwIyIxeoTO7lT7E7V9tcaSi1L9s  
QYN5+zcssTumEdbns6mwivpES16Z+4LuQZfgcfynreLZA6B7LHgqXEmSDcujF8SC  
P4hiBFqyccXGrvTR47fGf8+6JPnErrFKOBEcfEu7NUYW8smtxM0=  
=n+NZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-03-2024-1

San Francisco, CA, 8th October 2024, CyberNewsWire

**San Francisco, CA, October 8th, 2024, CyberNewsWire**

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**Badge Inc****.**, the award-winning privacy company enabling Identity without Secrets™, today announced a partnership with CyberArk and the public release of its integration in the CyberArk Marketplace.

According to the CyberArk website: The Badge CyberArk Identity integration allows specified users to authenticate into CyberArk Identity and its downstream apps and services, using Badge. This enables user-centric privacy, allowing users to issue and revoke digital identity and keys on-demand using biometrics and/or other factors.

The blog post mentions that privileged users hold highly sensitive access credentials and face an ever-increasing threat surface. This has made these users and their credentials prime targets for cyber-attacks. By leveraging Badge’s technology to eliminate the storage of user credentials, organizations benefit unprecedented security, while maintaining a great user experience.

> Archit Lohokare, CyberArk’s GM for Workforce Solutions, “CyberArk is excited to partner with Badge and offer this new integration. It is an important step forward in our mission to deliver comprehensive identity security solutions across all identities and all environments. Badge’s expertise in eliminating stored secrets and removing friction in difficult use cases complements our identity security platform.”

**Integration to CyberArk Marketplace**

Badge and CyberArk are launching a new integration that: 

1.  Enables unprecedented multi-factor authentication experience across all channels, including new and shared devices,
2.  Offers next-generation privacy technology and a more streamlined user experience to customers
3.  Brings phishing-resistant authentication to account recovery workflows.

> “We’re proud to partner with CyberArk. This integration represents a pivotal step forward in the quest to defeat cyber threats targeting privileged accounts. Stored privileged credentials are a high-target vulnerability, and eliminating this weak point is a big step forward. It also underscores the importance of innovative cybersecurity solutions and demonstrates how advancements in technology can be leveraged to enhance security measures across the board,” said Dr. Tina P. Srivastava, Badge Co-founder. “By addressing the vulnerabilities associated with traditional authentication methods like passwords, organizations can protect their most critical assets more effectively, ensuring that their ‘keys to the kingdom’ remain out of reach from cyber adversaries.”

As cyber threats evolve, so are the approaches to cybersecurity. Together, Badge and CyberArk are helping businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**About CyberArk** 

CyberArk is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud environments and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.

**About Badge**

Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services. To learn more: **www.badgeinc.com****.**

**Contact**

**Media Contact**  
**John O’Brien**  
**SBS Comms**  
**\[email protected\]**

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Company leadership needs to ensure technology teams are managing continuous monitoring, automated testing, and alignment with business needs across their enterprise.

Source: Stu Gray via Alamy Stock Photo

COMMENTARY

This summer, a cyberattack disrupted the normal operations of thousands of auto dealerships across the United States, affecting everything from records to scheduling, causing no end to annoyances and leaving hordes of exasperated salespeople and customers at their wits' end.

The most recent and dramatic example of hacker success illustrates that IT security must become the first priority at the highest levels of an organization. This modern-day plague shows no sign of subsiding. With each successful attack, hackers become even more emboldened. 

It's an all-out assault, requiring the corporate equivalent of an all-points bulletin. In short, cybersecurity is not just an IT issue; it's a critical business risk that requires active involvement from the entire C-suite, in particular, the CEO. This is one area of the enterprise that may benefit from micromanagement in an effort to display the importance of the pursuit.

My colleagues and I regularly advise our clients that they should be asking three questions of their team: What are we doing? Is it enough? How do we know?

Effective cybersecurity requires the right balance of spending and technology value, continuous assessment, and the adoption of advanced technologies such as automation and artificial intelligence. Few regret wise investments in cybersecurity defenses.

The increasing frequency and sophistication of cyberattacks underscore the seriousness for executive-level engagement in cybersecurity. Recent incidents, such as the SEC's $10 million fine on the New York Stock Exchange's parent company and the notorious SolarWinds action, illustrate the severe impact on business operations and regulatory compliance. These events highlight the necessity for CEOs to recognize their critical role in cybersecurity. 

Ascension Healthcare's ransomware attack, among other prime examples, serves as an object lesson in the urgency of the matter, especially in healthcare. Doctors and pharmacies struggled with order and prescription issues, leading to lost revenue as patients sought services elsewhere, and virtually bringing the massive hospital system to its figurative knees, causing tremendous frustration among staff and patients. This situation underscored the need for technologists to understand business operations and implement security measures that support the business. 

CEOs must understand that cybersecurity is central to their management duties and not just "tech stuff" to be delegated. They need to receive business-outcome-focused reporting with the same level of rigor as financial and safety reporting. This reporting should answer the above three questions using system-generated metrics and integrate results into business decisions to stay ahead of the increasingly destructive capabilities of adversaries conspiring to do them harm.

CEOs set the organizational tone and ultimately are responsible for cybersecurity. Their endorsement of security measures can drive home their importance, ensure alignment with business goals across the senior leadership team, and communicate capabilities to their boards. The following steps are essential for CEOs to prioritize cybersecurity:

*   Engage in cybersecurity planning and response: CEOs and executive leaders must be actively involved in cybersecurity planning and response. Their endorsement and understanding of cybersecurity's importance can fuel organizational commitment and set the right tone. Deciding how to handle hypothetical ransom, extortion, and fraud events accelerates response when an event occurs.
    

*   Conduct business analysis for cyber spending: Utilize business analysis to determine the appropriate cybersecurity investments. Focus on preventive technologies that provide greater risk reduction and ensure that the spending aligns with business priorities.
    

*   Implement multifactor authentication: Ensure that multifactor authentication is in place and effective. Avoid inferior solutions that users can mindlessly click through, and prioritize strong authentication measures for password resets to enhance security.
    

*   Regularly review and assess cybersecurity measures: Frequently review assessment results and address important gaps. This includes adopting automation for continuous threat exposure management and ensuring cybersecurity is integrated into business operations.
    

*   Adopt advanced technologies and continuous testing: Embrace automation and advanced technologies for security testing and closing security gaps. Stay ahead of emerging threats by keeping up with advancements in AI and other technologies.
    

*   Seek independent advice and expertise: Business leaders will be called to answer for hiring well-qualified cybersecurity advisers and executives. Use the three questions to understand the current state of cybersecurity within the organization. Seek independent advice to keep up with current threats and defenses. Obtain board members' cybersecurity expertise combined with other essential business skills, or hire independent advisers to provide valuable insights.
    

What hasn't played out yet is the full impact of increased AI usage by both attackers and defenders. As AI technology advances, organizations must keep up to ensure their cybersecurity measures are effective. A recent survey of IT security officers revealed that increasing use of AI will lead to more security breaches, while, conversely, four in five intend to use AI to guard against those same breaches. The ongoing complexity and expanding surface area of systems likely will lead to an increase in cyberattacks through 2030. This necessitates continuous vigilance, adoption of automation for threat and vulnerability management, and regular reviews of cybersecurity measures. Companies will also have to understand and protect against new AI-enabled systems that they are developing. 

Cyber-risk is inherently a business risk, and effective cybersecurity measures are essential for protecting valuable information and maintaining system availability.

One might argue that cybersecurity can be managed solely by IT departments. However, without executive-level involvement, organizations may face significant business disruptions and regulatory penalties. CEOs must understand their role in cybersecurity to ensure comprehensive protection.

The consistent pattern of cyber incidents causing business disruptions and regulatory fines supports the conclusion that CEO involvement is crucial to ensure that companies can answer the three questions: What are we doing? Is it enough? How do we know? Determining business value at risk and the right amount of protection requires business input. As company leadership, now is the time to ensure that technology teams are managing continuous monitoring, automated testing, and alignment with business needs across the enterprise.

**About the Author**

Managing Director, BPM

Ken Frantz is a transformational IT leader and consultant with experience in global financial services, emerging technology, and top-tier health system networks. He focuses on innovative technology advancement with reduced risk and is interested in high impact/high value opportunities to improve IT operations, deliver value, and help companies grow efficiently and effectively.

Your IT Systems Are Being Attacked. Are You Prepared?

A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.
Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.
"The ultimate goal of

A little-known threat actor tracked as **GoldenJackal** has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.

Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.

"The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," security researcher Matías Porolli noted in an exhaustive analysis.

GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks on government and diplomatic entities in the Middle East and South Asia. The adversary's origins stretch back to at least 2019.

An important characteristic of the intrusions is the use of a worm named JackalWorm that's capable of infecting connected USB drives and delivering a trojan dubbed JackalControl.

While there is insufficient information to conclusively tie the activities to a specific nation-state threat, there is some tactical overlap with malicious tools used in campaigns linked to Turla and MoustachedBouncer, the latter of which has also singled out foreign embassies in Belarus.

ESET said it discovered GoldenJackal artifacts at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. Of particular interest is how the threat actor also managed to deploy a completely revamped toolset between May 2022 and March 2024 against an E.U. government entity.

"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems," Porolli pointed out. "This speaks to the resourcefulness of the group."

The attack against the South Asian embassy in Belarus is said to have made use of three different malware families, in addition to JackalControl, JackalSteal, and JackalWorm -

*   **GoldenDealer**, which is used to deliver executables to the air-gapped system via compromised USB drives
*   **GoldenHowl**, a modular backdoor with capabilities to steal files, create scheduled tasks, upload/download files to and from a remote server, and create an SSH tunnel, and
*   **GoldenRobo**, a file collector and data exfiltration tool

The attacks targeting the unnamed government organization in Europe, on the other hand, have been found to rely on an entirely new set of malware tools mostly written in Go. They are engineered to collect files from USB drives, spread malware via USB drives, exfiltrate data, and use some machine servers as staging servers to distribute payloads to other hosts -

*   **GoldenUsbCopy** and its improved successor **GoldenUsbGo**, which monitor USB drives and copy files for exfiltration
*   **GoldenAce**, which is used to propagate the malware, including a lightweight version of JackalWorm, to other systems (not necessarily those that are air-gapped) using USB drives
*   **GoldenBlacklist** and its Python implementation **GoldenPyBlacklist**, which are designed to process email messages of interest for subsequent exfiltration
*   **GoldenMailer**, which sends the stolen information to attackers via email
*   **GoldenDrive**, which uploads stolen information to Google Drive

It's currently not known as to how GoldenJackal manages to gain initial compromise to breach target environments. However, Kaspersky previously alluded to the possibility of trojanized Skype installers and malicious Microsoft Word documents as entry points.

GoldenDealer, which is already present in a computer connected to the internet and delivered via an as-yet-undetermined mechanism, springs into action when a USB drive is inserted, causing itself and an unknown worm component to be copied into the removable device.

It's suspected that the unknown component is executed when the infected USB drive is connected to the air-gapped system, following which GoldenDealer saves information about the machine to the USB drive.

When the USB device is inserted into the aforementioned internet-connected machine a second time, GoldenDealer passes the information stored in the drive to an external server, which then responds with appropriate payloads to be run on the air-gapped system.

The malware is also responsible for copying the downloaded executables to the USB drive. In the last stage, when the device is connected to the air-gapped machine again, GoldenDealer takes the copied executables and runs them.

For its part, GoldenRobo is also executed on the internet-connected PC and is equipped to take the files from the USB drive and transmit them to the attacker-controlled server. The malware, written in Go, gets its name from the use of a legitimate Windows utility called robocopy to copy the files.

ESET said it has yet to uncover a separate module that takes care of copying the files from the air-gapped computer to the USB drive itself.

"Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets," Porolli said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

Introduction 
Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately. 
In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management

Machine Learning / Data Security

**Introduction**

Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately.

In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management systems. AI-powered identity lifecycle management is at the vanguard of digital identity and is used to enhance security, streamline governance and improve the UX of an identity system.

**Benefits of an AI-powered identity**

AI is a technology that crosses barriers between traditionally opposing business area drivers, bringing previously conflicting areas together:

*   AI enables better operational efficiency by reducing risk and improving security
*   AI enables businesses to achieve goals by securing cyber-resilience
*   AI facilitates agile and secure access by ensuring regulatory compliance

**AI and unified identity**

AI-powered identity delivers the intelligence needed to repel attacks and correct access anomalies impacting our identity infrastructure. However, a key enabler of AI within an identity lifecycle management system is the unification of identity. AI can find applications across a unified identity surface, working symbiotically to meet the requisites of the business drivers.

**AI-powered identity in practice**

When applied appropriately, AI technologies have the power to mitigate access errors and tackle the current onslaught of identity-centered cyberattacks. AI-powered identity can leverage machine learning models to identify signals of an attack, such as behavioral anomalies, that point to a data exfiltration event.

One Identity has capitalized on the power of AI models to enhance and enable various aspects of identity security:

**Risk detection for identity governance and administration (IGA)**

AI-powered identity governance and administration (IGA) offers a method to identify unusual behavior and spot the signals of data exposure and data exfiltration events. One Identity Safeguard uses an AI model known as "Random Forests," a machine learning algorithm combining the output from multiple decision trees to deliver insights. Safeguard analyzes data from such events as mouse movement, keystroke dynamics, login time and command analytics to identify behavioral anomalies and automate attack. Human operators then interact with a dashboard to interpret and make decisions based on the AI-generated output to allow an organization to effectively lower the cybersecurity skills barrier.

**Access management**

Data from access management authentication events can be leveraged to identify a signal of cyberattack and credential compromise. The access event data (e.g., identity, location, device, etc.) is gathered when someone logs in. An authorization decision is made, and security requirements may then use step-up authentication rather than deny access.

However, AI advances this simple model. One Identity OneLogin uses Vigilance AI™ Threat Engine15 to analyze large volumes of data to identify threats. By utilizing User and Entity Behavior Analytics (UEBA), a profile of typical user behavior is created as a baseline. This is then used to identify anomalies and prevent risk.

OneLogin can feed the data from access requests, as well as its derived analytical insights, in the form of rich syslogs into SIEM and SOC systems.

**Entitlement management**

Role-based access is a fundamental principle of identity security. But managing those roles manually can pose a challenge. Machine learning has been used in identity "role mining" or "role discovery" for some time, but a novel application from One Identity delivers the role mining insights directly to the relevant person for streamlined entitlement management.

For example, you can use AI to optimize team role policies on an ongoing basis, making entitlement management an ongoing, automated task that provides accurate insights into access requirements across the organization.

**Conclusion**

Identity management systems must respond to the increasing volume of sophisticated identity-based threats. The response comes in the form of system augmentation through AI, with authoritative, high-quality identity data feeding the AI models used to enhance identity lifecycle management. This capability enhancement is essential in developing and delivering entitle management and IGA for a robust security posture and cyber resilience. With the unification of identity-related services making identity management simpler and more effective, adding AI to a unified identity platform endows an organization with the resilience to resist even the most complex identity-related threats.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Value of AI-Powered Identity

**How could an attacker exploit this vulnerability?**

An attacker who successfully exploited this vulnerability could gain remote code execution (RCE) on the victim's machine.

Tag

#mac