The Regional Transportation Commission of Southern Nevada, which includes Las Vegas, will be the first transit system in the U.S. to implement system-wide AI weapons scans.
Transit systems nationwide are grappling with ways to reduce violence.
AI-linked cameras and acoustic technology are seen as viable options to better respond to mass shootings in public places across the U.S., according to law enforcement and public safety teams, though both approaches have downsides.
A sign promoting safety is seen on the Regional Transportation Commission 109 Maryland Parkway bus in Las Vegas Thursday, June 8, 2023. Las Vegas Review-journal | Tribune News Service | Getty Images
On your next visit to Vegas, an extra set of eyes will be watching you if you decide to hop onto the local transit system.
As part of a $33 million multi-year upgrade to fortify its security, the Regional Transportation Commission of Southern Nevada is set to add a system-wide AI from gun detection software vendor ZeroEyes that scans riders on its over 400 buses in an attempt to identify anyone brandishing a firearm.
Tom Atteberry, RTC’s director of safety and security operations, said that seconds matter in a situation where an active shooting unfolds, and implementing the system could give authorities an edge. “Time is of the essence; it gives us time to identify a firearm being brandished, so they can be notified and get to the scene and save lives,” he said.
Monitoring and preventing mass shooting is one that public places across the country grapple with daily. Violent crime on transit systems, specifically, remains an issue in major metro areas, with a report released in late 2023 by the Department of Transportation detailing concerns from transit agency officials around the U.S. about rising violence on their transit systems. According to a database maintained by the Bureau of Transportation Statistics, assaults on transit systems have spiked, and there has been a rise in public fears about transportation safety.
As an Applied Cryptographer, you will research about various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub), testing, and a familiarity with algorithms and data structures.
As a Cloud Security Specialist, you will design, implement, and manage Azure and Microsoft 365 security solutions. Monitor security alerts, lead incident response, and conduct regular assessments. Ensure compliance with ISO 27001, SOC2 Type II and NIST standards.
As a CISO, you will develop and implement comprehensive cybersecurity policies and procedures. Ensure compliance with relevant regulations and standards (e.g., GDPR, ISO 27001). Conduct risk assessments and develop mitigation strategies. Advise on security best practices and emerging threats. Collaborate with clients to enhance their security posture.
Cyber Range Lead
Booz Allen Hamilton | Japan | On-site – No longer accepting applications
As a Cyber Range Lead, you will lead a team of professionals as they use cyberspace capabilities to evaluate potential weaknesses as well as the effectiveness of mitigations for cyber security solutions. You will leverage cyberspace operations systems to aggregate threat feeds that inform briefings for senior leadership aligned to our client’s mission area.
As a Cybersecurity Technical Consultant, you will provide onsite or remote consulting services and support to Thales customer with a focus on high quality, accuracy and customer satisfaction. Develop and deliver technical hands-on product deep knowledge transfer to customers. Track and ensure successful completion of high impact projects by creating project scoping plans, design guides and relevant documentation.
As a Cyber Security Advisor, you will conduct security assessment of in-house developed and/or by third-party provided solutions in order to ensure that they are in compliance with H&M’s security standards. Conduct security maturity and risk assessment for internal and external partners.
As a Cyber Security Engineer, you will develop and implement cyber security policies, procedures, and controls to protect the company’s digital assets. Conduct Pen-tests, monitor network traffic and security alerts to detect and respond to potential security breaches. Perform vulnerability assessments and penetration testing to identify and remediate security vulnerabilities. Conduct regular audits of security systems and processes to ensure compliance with industry standards and regulations.
As a Cyber Security Governance Risk & Compliance Manager, you will develop, implement, and maintain a robust IT governance, risk, and compliance framework in line with industry best practices and regulatory requirements. Drive risk maturity through project lifecycle and provide independent assessments, challenge inherent risks in material changes e.g., business decisions, projects, process changes, implementation of new systems, applications, and infrastructure.
As a Cyber Security Instructor, you will create dynamic classroom learning experiences using various teaching strategies to facilitate adult learners in achieving learning objectives in accordance with the program objectives as set out in the curriculum. Ensure students are motivated to learn and to maximize their potential. Develop different classroom strategies to ensure knowledge and skills acquisition and retention.
As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Conduct in-depth investigations of cybersecurity incidents, identifying the root cause, the extent of the impact, and recommended actions for containment, eradication, and recovery, and providing a final report that contains recommendations on how to prevent the same attack in the future by strengthening security posture.
Director of Information Security, Cyber Risk and Compliance
S&P Global | Italy | On-site – No longer accepting applications
As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Make recommendations related to balancing requirements and deadlines made by corporate departments with human resource and technical capabilities that exist in Market Intelligence. Negotiate differences to find and implement solutions acceptable to both corporate groups and Market Intelligence.
As Head of Identity Management Platform, you will leverage your strong background in Identity and Privileged Access Management, expertise in IT technologies, and in-depth knowledge of IT security to organize and lead complex projects, manage third-party teams, and oversee platform lifecycle activities such as upgrades and integrations.
As a Head of Consulting, you will lead, mentor, and develop a team of cybersecurity consultants, fostering a culture of excellence and continuous improvement. Define and implement the consultancy department’s strategy in alignment with the company’s goals, ensuring the delivery of innovative and effective cybersecurity solutions. Ensure that all consultancy activities adhere to industry standards, regulatory requirements, and best practices, mitigating risks to both clients and the company.
As a Head of Security CU TH, you will facilitate execution of and follow up on security strategy, policies & instructions, governance model and frameworks. Support the business in implementation and maintenance of ISO 27001 controls across the CU as per the MA scope and Ericsson Global ISO 27001 control framework. Manage local security incidents and support investigations.
As an IT Program Manager, you will develop, implement, and manage cybersecurity programs in alignment with the organization’s strategic objectives. Oversee the security projects related to enterprise applications, with a focus on safeguarding sensitive data and ensuring compliance with regulatory standards. Facilitate regular security assessments and audits to identify vulnerabilities and implement corrective actions.
As a Penetration Tester, you will manage penetration tests from inception through delivery. Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks. Leverage complex tactics including, but not limited to, lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.
As a Principal Data Security Specialist, you will focus on delivering technical and procedural guidance to assist customers in defining the platform requirement though to realisation of the subscription value. Research and evaluate emerging solutions and services to drive continuous improvement.
As a Senior Architect – Cyber Security, you will develop and implement security architecture solutions to secure the organization’s IT infrastructure. Design and review security policies, standards, and procedures. Conduct security assessments and risk analysis to identify vulnerabilities and recommend mitigation strategies. Lead security projects and collaborate with cross-functional teams to integrate security measures.
Senior CyberSecurity Architect
Hexagon Geosystems | European Economic Area | Remote – View job details
As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. Lead in performing threat modeling, security architecture review, and risk assessments of new and existing technical solutions.
As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive. Manage and assist in the development in implementation of the information security policies, procedures, and guidelines. Provide guidance and counsel to the C-Level, the senior management team, and staff about information security and its alignment with business objectives and risk management.
As a Technology & Cyber Risk: Senior Officer – Cybersecurity Risk, you will review and evaluate compliance and cyber policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from cyber risks. Assess cyber risks and evaluates actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices. Support independent assurance activities to assess areas of concern including substantive and controls testing.
As a Vulnerability Manager, you will be responsible for identifying, assessing, prioritizing, and managing vulnerabilities across our systems and networks. Conduct regular vulnerability assessments and penetration tests across our systems, applications, and networks.
By now, most people are aware of – or have been personally affected by – the largest IT outage the world have ever witnessed, courtesy of a defective update for Crowdstrike Falcon Sensors that threw Windows hosts into a blue-screen-of-death (BSOD) loop.
“We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” David Weston, Microsoft’s VP of Enterprise and OS Security, stated on Saturday.
CrowdStrike claimed earlier today that “a significant number” of affected systems are back online and operational.
“Together with customers, we tested a new technique to accelerate impacted system remediation. We’re in the process of operationalizing an opt-in to this technique,” they noted on their remediation and guidance hub. “Customers are encouraged to follow the Tech Alerts for latest updates as they happen and they will be notified when action is needed.”
Microsoft collaborates with Crowdstrike, provides recovery tool
Microsoft is, understandably, doing everything it can to speed up worldwide recovery from the issue, has deployed hundreds of Microsoft engineers and experts to work with customers to restore services, and is collaborating with CrowdStrike.
“CrowdStrike has helped us develop a scalable solution that will help Microsoft’s Azure infrastructure accelerate a fix for CrowdStrike’s faulty update. We have also worked with both AWS and GCP to collaborate on the most effective approaches,” Weston explained.
Microsoft has also released a recovery tool that can be downloaded and used by IT admins to make the repair process less time-consuming.
The tool provides two repair options.
The first one – Recover from WinPE (Preinstallation Environment) – does not require local admin privileges, but requires the person to manually enter the BitLocker recovery key (if BitLocker is used on the device).
The second one – Recover from safe mode – may allow recovery without entering the BitLocker recovery keys.
“For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown,” the Intune Support Team noted.
They also included detailed recovery steps for Windows clients, servers, and OSes hosted on Hyper-V.
Microsoft has previously confirmed that the buggy CrowdStrike update affected Windows 365 Cloud PCs and that users “may restore their Windows 365 Cloud PC to a known good state prior to the release of the update (July 19, 2024)”. The company has also provided guidance for restoring affected Azure virtual machines.
Cloud security company Orca has released a script that automates the remediation of Windows virtual machines hosted on AWS.
Threat actor exploiting the situation
As expected, scammers and threat actors have immediately started taking advantage of the chaos that resulted from the faulty update.
Trend Micro researchers provided examples of tech support scams doing the rounds, and even legal scams.
A tech support scam exploiting the situation (Source: Trend Micro)
Phishers and vishers impersonating CrowdStrike support and contacting customers
Scammers posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
“CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels,” the company said.
UPDATE (July 23, 2024, 05:15 a.m. ET):
CrowdStrike has provided a way for remediating affected systems more quickly. Customers must opt in to use the technique via the support portal. (A Reddit user has explained the process involved.)
The company has also released a video explaining how users can self-remediate affected remote Windows laptops.
Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.
Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.
The SEG Versus SEG Threat
The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.
“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”
In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.
In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.
“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”
A Substantial Increase
Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.
According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.
Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.
Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”
Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”
Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”
Incorporating artificial intelligence (AI) seems like a logical step for businesses looking to maximize efficiency and productivity. But the adverse effects of AI use, such as data security risk and misinformation, could bring more harm than good.
According to the World Economic Forum’s Global Risks Report 2024, AI-generated misinformation and disinformation are among the top global risks businesses face today.
To address the security risks posed by the increasing use of AI technologies in business processes, the National Institute of Standards and Technology (NIST) released the Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023.
Adhering to this framework not only puts your organization in strong position to avoid the dangers of AI-based exploits, it also adds an impressive type of compliance to your portfolio, instilling confidence in external stakeholders. Moreover, while NIST AI RMF is more of a guideline than a regulation, today there are several AI laws in the process of being enacted, so adhering to NIST’s framework helps CISOs to future-proof their AI compliance postures.
Let’s examine the four key pillars of the framework – govern, map, measure and manage – and see how you can incorporate them to better protect your organization from AI-related risks.
1.Establish AI Governance Structures
In the context of NIST AI RMF, governance is the process of establishing processes, procedures, and standards that guide responsible AI development, deployment, and use. Its main goal is to connect the technical aspect of AI system design and development with organizational goals, values, and principles.
Strong governance starts from the top, and NIST recommends establishing accountability structures with the appropriate teams responsible for AI risk management, under the framework’s “Govern” function. These teams will be responsible for putting in place structures, systems and processes, with the end goal of establishing a strong culture of responsible AI use throughout the organization.
Using automated tools is a great way to streamline the often tedious process of policy creation and governance. “We view it as our responsibility to help organizations maximize the benefits of AI while effectively mitigating the risks and ensuring compliance with best practices and good governance,” said Arik Solomon, CEO of Cypago, a SaaS platform that automates governance, risk management, and compliance (GRC) processes in line with the latest frameworks.
“These latest features ensure that Cypago supports the newest AI and cyber governance frameworks, enabling GRC and cybersecurity teams to automate GRC with the most up-to-date requirements.”
Rather than existing as a stand-alone component, governance should be incorporated into every other NIST AI RMF function, particularly those associated with assessment and compliance. This will foster a strong organizational risk culture and improve internal processes and standards.
2.Map And Categorize AI Systems
The framework’s “Map” function supports governance efforts while also providing a foundation for measuring and managing risk. It’s here that the risks associated with an AI system are put into context, which will ultimately determine the appropriateness or need for the given AI solution.
As Opice Blum data privacy expert Henrique Fabretti Moraes explained, “Mapping the tools in use – or those intended for use – is crucial for understanding and fine-tuning acceptable use policies and potential mitigation measures to decrease the risks involved in their utilization.”
But how do you actually put this mapping process into practice?
NIST recommends the following approach:
Clearly establish why you need or want to implement the AI system. What are the expectations? What are the prospective settings where the system will be deployed? You should also determine the organizational risk tolerance for operating the system.
Map all of the risks and benefits associated with using the system. Here is where you should also determine your risk tolerance, not only with monetary costs but also those stemming from AI errors or malfunctions.
Analyze the likelihood and magnitude of the impact the AI system will have on the organization, including employees, customers, and society as a whole.
3.Measure AI Performance and Risk
The “Measure” function utilizes qualitative and quantitative techniques to analyze and monitor the AI-related risks identified in the “Map” function.
AI systems should be tested before deployment and frequently thereafter. But measuring risk with AI systems can be tricky. The technology is fairly new, so there are no standardized metrics yet. This might change in the near future, as developing these metrics is a high priority for many consulting firms. For example, Ernst & Young (EY) is developing an AI Confidence Index.
“Our confidence index is founded on five criteria – privacy and security, bias and fairness, reliability, transparency and explainability, and the last is accountability,” noted Kapish Vanvaria, EY Americas Risk Market Leader. The other axis includes regulations and ethics.
“Then you can have a heat map of the different processes you’re looking at and the functions in which they’re deployed,” he says. “And you can go through each one and apply a weighted scoring method to it.”
In the NIST framework’s priorities, there are three main components of an AI system that must be measured: trustworthiness, social impact, and how humans interact with the system. The measuring process will likely consist of extensive software testing, performance assessments and benchmarks, along with reporting and documentation of results.
4.Adopt Risk Management Strategies
The “Manage” function puts everything together by allocating the necessary resources to regularly attend to uncovered risks during the previous stages. The means to do so are typically determined with governance efforts, and can be in the form of human intervention, automated tools for real-time detection and response, or other strategies.
To manage AI risks effectively, it’s crucial to maintain ongoing visibility across all organizational tools, applications, and models. AI should not be handled as a separate entity but integrated seamlessly into a comprehensive risk management framework.
Ayesha Gulley, an AI policy expert from Holistic AI, urges businesses to adopt risk management strategies early, taking into account five factors: robustness, bias, privacy, exploitability and efficacy. Holistic’s software platform includes modules for AI auditing and risk posture reporting.
“While AI risk management can be started at any point in the project development,” she said, “implementing a risk management framework sooner than later can help enterprises increase trust and scale with confidence.”
Evolve With AI
The NIST AI Framework is not designed to restrict the efficient use of AI technology. On the contrary, it aims to encourage adoption and innovation by providing clear guidelines and best practices for developing and using AI securely and responsibly.
Implementing the framework will not only help you reach compliance standards but also make your organization much more capable of maximizing the benefits of AI technologies without compromising on risk.
Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.
The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.
Lack of Details Heighten Urgency to Fix Zero-Days
One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft’s Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate — or important — severity rating of 6.8 on the 10-point CVSS scale.
As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.
The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.
That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”
Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft’s sparse description. “Exploitation also likely requires the use of an ‘attack chain’ of exploits or programmatic changes on the target host,” he said in prepared comments. “But without further information from Microsoft or the original reporter … it is difficult to give specific guidance.”
Other High-Priority Bugs
The two bugs that were publicly known prior to Microsoft’s July update — and hence are also technically zero-day flaws — are CVE-2024-35264, a remote code execution vulnerability in .Net and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.
In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three are of them, each with a near maximum severity rating of 9.8 on 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076, CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be on the top of the list of bugs to prioritize this month. “Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Child said in his post.
Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.
One eyebrow-raising aspect in this month’s Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — some 39, or more than a quarter of the 139 disclosed vulnerabilities. “Thankfully, none of them are critical based on their CVSS scores and they’re all listed as ‘Exploitation Less Likely,'” saysTyler Reguly, associate director of security R&D at Fortra. “Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch,” he noted.
As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.
In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.
Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.
How do nation-state attacks affect the public sector and services provided to citizens?
All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.
Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.
In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.
A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.
In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public’s trust in the electoral system.
While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What’s harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.
What are the most common vulnerabilities within government IT systems that cyber attackers exploit?
Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.
It’s important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.
How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?
AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular “needle in a haystack” cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.
The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.
The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.
Are there any specific regulatory frameworks or policies that must be implemented or improved?
Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a company’s cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.
The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the “lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to “simplify oversight and regulatory responsibilities of cyber regulators” and “substantially reduce the administrative burden and cost on regulated entities.”
This is a much-needed exercise and it’s encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.
What role should the private sector play in supporting government cybersecurity efforts?
The private sector has threat intelligence that the government often doesn’t have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.
Beyond the devices that use them, Wi-Fi hubs themselves can leak interesting data, thanks to some quirks in Apple’s geolocation system.
SOURCE: FRANTIC VIA ALAMY STOCK PHOTO
Apple’s Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.
How Apple Exposes Global APs
Have you ever wondered how your phone knows where it is in the world?
The Global Positioning System (GPS) is one tool it uses, of course, but it’s not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn’t ideal for such a persistent task.
That’s where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).
You Can’t Keep Up with Emerging Threats or Technologies
Business Impact: Staying ahead of emerging threats and technologies is essential for protecting your business from cyberattacks. Falling behind can leave your business vulnerable to breaches, resulting in data loss, financial damage, and reputational harm. A cybersecurity consultant can help you stay current and implement the latest defenses, ensuring your business remains secure and competitive.
Expectation: CEOs should expect cybersecurity consultants to provide continuous education and training programs for their staff, ensuring the team stays updated with the latest cybersecurity trends and technologies. This empowers employees to recognize and respond to threats more effectively and reinforces a culture of security within the organization.
You Need an Impartial Security Assessment
Business Impact: Internal disagreements about security protocols can lead to inefficiencies and increased risk. An impartial assessment from a cybersecurity consultant can provide clarity, help to align your team and ensure that security measures are effective and unbiased. This can lead to a more cohesive security strategy and a more robust overall security posture.
Expectation: CEOs should expect cybersecurity consultants to conduct regular third-party security audits. These audits maintain an unbiased perspective on the company’s cybersecurity posture, uncover hidden vulnerabilities, and ensure that security measures evolve with the changing threat landscape.
You’re Lacking Innovation in Your Security Strategies
Business Impact: Innovation in security strategies is vital to staying ahead of cyber threats. A consultant brings fresh perspectives and innovative solutions that can enhance your existing security measures, leading to improved efficiency and effectiveness. This can result in cost savings, better resource allocation, and a more robust defense against cyber threats.
Expectation: CEOs should expect consultants to help establish a dedicated innovation team within the security department. This team should explore and integrate new technologies and methodologies, collaborating with the consultants to bring cutting-edge solutions to the organization.
You’re Unable to Meet Your Security Goals
Business Impact: Failing to meet security goals can expose your business to risks and hinder growth. A consultant can help identify the root causes of these challenges and provide actionable insights to achieve your objectives. Meeting security goals can enhance your business’s credibility, reduce the risk of breaches, and support overall business growth.
Expectation: CEOs should expect cybersecurity consultants to implement a structured framework like the NIST Cybersecurity Framework. This framework guides the security strategy and goal-setting processes, helping to identify gaps, set realistic goals, and track progress effectively.
Your Business Isn’t Growing, and You Don’t Know Why
Business Impact: Stagnant growth can indicate underlying security issues that are not immediately apparent. A cybersecurity consultant can conduct a thorough analysis to uncover hidden problems and provide solutions. Addressing these issues can remove barriers to growth, improve operational efficiency, and enhance your business’s financial performance.
Expectation: CEOs should expect cybersecurity consultants to perform a comprehensive security health check during the business strategy review. This health check identifies unseen security issues that may be hindering growth, and addressing them can streamline operations and enhance overall performance.
You’re Stalling on Implementing New Security Measures
Business Impact: Delaying important security initiatives can leave your business vulnerable and impede progress. A consultant can provide the expertise and resources needed to implement new security measures promptly. This can improve your security posture, reduce risk, and enable you to confidently take advantage of new business opportunities.
Expectation: CEOs should expect cybersecurity consultants to develop a clear, phased implementation plan for new security measures, prioritizing critical vulnerabilities first. This plan should include milestones and timelines to ensure steady progress and accountability.
You’re Working Outside Your Expertise
Business Impact: Focusing on areas outside your expertise can lead to suboptimal decisions and wasted resources. By hiring a cybersecurity consultant, you can ensure that specialized tasks are handled by experts, allowing you to focus on your strengths. This can lead to better decision-making, increased efficiency, and a higher quality of security measures.
Expectation: CEOs should expect cybersecurity consultants to establish a strategic partnership to handle specialized tasks. This ensures reliance on expert advice and services, allowing the CEO to focus on core business activities and leading to better overall outcomes.
You Lack In-House Security Expertise
Business Impact: A lack of in-house cybersecurity expertise can leave your business vulnerable to attacks and regulatory non-compliance. A consultant can fill this gap, providing the necessary skills and knowledge to protect your business. This can enhance your security posture, ensure compliance with industry regulations, and reduce the risk of costly breaches.
Expectation: CEOs should expect cybersecurity consultants to help implement an MSSP to supplement in-house capabilities. An MSSP provides continuous monitoring, threat detection, and response services, ensuring robust security even with limited internal resources.
You Have Tunnel Vision Regarding Security Issues
Business Impact: Working too closely on security problems can limit your perspective and lead to missed solutions. A consultant brings fresh eyes and can identify issues and solutions you might overlook. This can lead to more effective problem-solving, reduced risk, and improved overall security.
Expectation: CEOs should expect cybersecurity consultants to host regular brainstorming sessions with cross-functional teams. These sessions encourage diverse insights into security challenges, helping to uncover innovative solutions and prevent oversight.
You’re Working on a Time-Sensitive Security Project
Business Impact: Urgent security projects require expertise and efficiency to ensure success. A consultant can provide support to meet tight deadlines and achieve project goals.
Expectation: CEOs should expect cybersecurity consultants to utilize project management tools and methodologies like Agile to manage time-sensitive security projects efficiently. These tools streamline workflows, enhance collaboration, and meet critical deadlines without compromising quality.
FAQ’s
How do you verify the credentials and experience of a cybersecurity consultant?
To verify a cybersecurity consultant’s credentials and experience, you can:
Check Certifications: Look for reputable certifications like CISSP, CISM, CEH, or others recognized in the industry.
Review Past Projects: Ask for case studies or examples of past work that demonstrate their ability to handle challenges similar to yours.
Seek References: Contact previous clients to get feedback on their experiences with the consultant.
Interview Thoroughly: Conduct in-depth interviews to assess their knowledge, approach, and how they keep up with industry changes.
Assess Continuous Learning: Inquire about their commitment to ongoing education and professional development.
What are the typical costs associated with hiring a cybersecurity consultant?
The cost can vary widely based on factors such as the scope of work, the consultant’s experience, and the duration of the engagement. Typical costs might include:
Hourly Rates: Ranging from $150 to $500+ per hour.
Project-Based Fees: Project fees can range from a few thousand dollars to hundreds of thousands, depending on the complexity.
Retainer Agreements: Monthly retainers can range from $5,000 to $20,000 or more for ongoing support.
Discussing and agreeing on the fee structure upfront is essential to ensure it aligns with your budget and expectations.
What are the common red flags when interviewing potential cybersecurity consultants?
Some red flags to watch out for include:
Lack of Specific Experience: They must provide detailed examples of past projects or relevant experience.
Overemphasis on Certifications: While important, certifications alone don’t guarantee practical expertise.
Poor Communication Skills: Inability to clearly explain complex concepts or their approach to your specific issues.
Vague proposals lack details about how they will address your needs or what deliverables you can expect.
Unrealistic Promises: Guarantees of absolute security or immediate fixes are often unrealistic and should be scrutinized.
Can you provide examples of successful cybersecurity consultant engagements?
Examples of successful engagements include:
Incident Response: A consultant helped a mid-sized company recover from a ransomware attack by quickly identifying the breach, containing the threat, and restoring data from backups, minimizing downtime and data loss.
Security Program Development: A consultant worked with a healthcare provider to develop a comprehensive security program, achieving regulatory compliance and significantly reducing the risk of data breaches.
Vulnerability Assessment: For a financial services firm, a consultant conducted a thorough vulnerability assessment, identifying and addressing critical security gaps that previously went unnoticed, enhancing overall security posture.
.
How do cybersecurity consultants stay updated on the latest threats and technologies?
Cybersecurity consultants stay current by:
Continuous Education: Regularly attend training sessions and webinars and obtain advanced certifications.
Professional Networks: Being active in professional organizations like (ISC)², ISACA, and others, which offer resources and networking opportunities.
Industry Conferences: Participating in conferences such as Black Hat, DEF CON, and RSA Conference to learn about the latest trends and technologies.
Research and Publications: I read industry publications and research papers and participated in cybersecurity forums and discussions.
Hands-On Experience: Engaging in ongoing practical work and simulations to apply new techniques and tools in real-world scenarios.
This commitment to continuous learning ensures they can provide up-to-date and effective security solutions.
A malware campaign of huge magnitude, and perhaps run by just one group, is using artificially nested files for distribution named ‘WEXTRACT.EXE .MUI’.
More than 50,000 files worldwide featuring this method are delivered by different stealers and loaders such as Redline, RisePro, and Amadey.
Several samples are associated with an Eastern European cybercriminal-linked Autonomous System.
Cybersecurity researchers at OutPost24 recently detected that a new hacker group has been attacking the system with 1o malware at the same time.
10 Malware At Same Time
The “WEXTRACT.EXE .MUI” malware distribution system is one that makes use of nested cabinet files to distribute a number of malware samples such as stealers and loaders.
This method’s complex execution sequence drops and runs malware in reverse order, which may result in bypassing security measures.
The technique could cause multiple infections as the loaders may download more malware.
From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.
The campaign developed over time, incorporating obfuscation tools and different distribution methods.
An examination of over two thousand one hundred examples showed some malware combinations in which victims might be infected by several stealers and loaders simultaneously.
This suggests that there was a single actor behind the infrastructure and tactics for this campaign.
Distribution steps of one sample of WEXTRACT (Source – OutPost24)
It is likely that the campaign to distribute malware called “Unfurling Hemlock” buys distribution services from other actors.
Its earliest phases were in email attachments and downloads from hacked or hoax websites.
The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.
This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.
The malware campaign uses different C2 URLs and IP addresses, some of which are specific to the WEXTRACT-related malware and others that are common to other campaigns.
The diversity in infrastructure supports the insight that this actor could be supplying samples from other campaigns, possibly encouraged by financial interest.
While the upload locations may not indicate the actual infection sites, the infection sources cut across several countries.
Here below we have mentioned the countries:-
Origin of the samples (Source – OutPost24)
Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.
This operation launched different types of malware simultaneously to increase the possibilities of infection and diversify potential paybacks.
Though not highly developed, this “cluster bomb” method may be adopted by threat actors in the future.
Researchers recommended using the latest anti-malware tools, performing analysis of packed files, and user alertness to be cautious about suspicious downloads and emails.
Fake IT support sites promote malicious PowerShell “fixes” for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.
First discovered by eSentire’s Threat Response Unit (TRU), the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator.
In particular, the threat actors are creating fake videos promoting a fix for the 0x80070643 error that millions of Windows users have been dealing with since January.
“There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643),” reads the Windows Update error.
0x80070643 in Windows Update Source: BleepingComputer
It turns out that Windows Update is displaying an incorrect error message, as it was supposed to display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment (WinRE) partition that’s too small for the update to install.
Microsoft explained that the new security update requires that the WinRE partition have 250 megabytes of free space, and if it doesn’t, you must manually expand the partition yourself.
However, expanding the WinRE partition is complicated, if not impossible, for those whose WinRE is not the last partition on the drive.
Due to this, many are unable to install the security update and are left with the 0x80070643 error message every time they use Windows Update.
These errors have caused many frustrated Windows users to seek a solution online, allowing threat actors to capitalize on their search for a fix.
Fake IT sites promote PowerShell fixes
According to eSentire, threat actors are creating numerous fake IT support sites that are specifically designed to help users with common Windows errors, heavily focusing on the 0x80070643 error.
“In June 2024, eSentire’s Threat Response Unit (TRU) observed an intriguing case involving a Vidar Stealer infection initiated through a fake IT support website (Figure 1),” explains the eSentire report.
“The infection began when the victim performed a web search for solutions to a Windows Update Error code.”
The researchers found two fake IT support sites promoted on YouTube named pchelprwizzards[.]com and pchelprwizardsguide[.]com. While writing this article, BleepingComputer found additional sites at pchelprwizardpro[.]com, pchelperwizard[.]com, and fixedguides[.]com.
Like the other videos eSentire found for the PCHelperWizard typo sites, BleepingComputer also found YouTube videos for the FixedGuides site, also promoting fixes for the 0x80070643 errors.
These sites all offer fixes that either require you to copy and run a PowerShell script or import the contents of a Windows Registry file.
Regardless of which “solution” is used, a PowerShell script will be executed that downloads malware on the device.
eSentire’s report outlines how the PCHelperWizard sites (not to be confused with the legitimate course site) will walk users through copying a PowerShell script into the Windows Clipboard and execute it in a PowerShell prompt.
Malicious PowerShell script disguised as a Windows error fix Source: BleepingComputer
This PowerShell script contains a Base64 encoded script that will connect to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device.
When the script is finished, it will display a message that the fix was successful and to restart the computer, which will also launch the malware.
The FixedGuides site does it a bit differently, using an obfuscated Windows Registry file to hide autostarts that launch a malicious PowerShell script.
However, when I extracted the strings from the above file, you can see that it contains a valid Registry file that adds a Windows autostart (RunOnce) entry that runs a PowerShell script. This script ultimately downloads and installs information-stealing malware on the computer.
Using either fake fix will result in the information-stealing malware launching after Windows is restarted. Once started, the malware will extract saved credentials, credit cards, cookies, and browsing history from your browser.
Vidar can also steal cryptocurrency wallets, text files, and Authy 2FA authenticator databases, as well as take screenshots of your desktop.
This data is compiled into an archive called a “log,” which is then uploaded to the attacker’s servers. The stolen data is then used to fuel other attacks, such as ransomware attacks, or sold to other threat actors on dark web marketplaces.
However, the infected user is now left with a nightmare, having all their accounts compromised and potentially suffering financial fraud.
While Windows errors can be annoying, it is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.
Your credentials have become a valuable commodity and threat actors are coming up with sneaky and creative methods to steal them, so unfortunately, everyone needs to stay vigilant against unusual attack methods.
As for the 0x80070643 errors, if you are unable to resize the WinRE partition, your best bet is to use Microsoft’s Show or Hide Tool to hide the KB5034441 update so that Windows Update no longer offers it on your system and not search on the Internet for a magic fix.
Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.
At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.
It’s a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.
Step 1: Set Up a Fake Base Station
When a device first attempts to connect with a mobile network base station, the two undergo an authentication and key agreement (AKA). The device sends a registration request, and the station replies with requests for authentication and security checks.
Though the station vets the phone, the phone does not initially vet the station. Its legitimacy is essentially accepted as a given.
“Base stations advertise their presence in a particular area by broadcasting ‘sib1’ messages every 20 milliseconds, or 40 milliseconds, and none of those broadcast messages have authentication, or any kind of security mechanisms,” explains Penn State assistant professor Syed Rafiul Hussain. “They’re just plaintext messages. So there’s no way that a phone or a device can check whether it’s coming from a fake tower.”
Setting up a fake tower isn’t as tall a task as it might seem. You just need to mimic a real one using a software-defined radio (SDR). As Kai Tu, another Penn State research assistant points out, “People can purchase them online — they’re easy to get. Then you can get some open source software (OSS) to run on it, and this kind of setup can be used as a fake base station.” Expensive SDRs might cost tens of thousands of dollars, but cheap ones that get the job done are available for only a few hundred.
It might seem counterintuitive that a small contraption could seduce your phone away from an established commercial tower. But a targeted attack with a nearby SDR could provide even greater 5G signal strength than a tower servicing thousands of other people at the same time. “By their nature, devices try to connect to the best possible cell towers — that is, the ones providing the highest signal strength,” Hussain says.
Step 2: Exploit a Vulnerability
Like any security process, AKA can be exploited. In the 5G modem integrated in one popular brand of mobile processor, for example, the researchers found a mishandled security header that an attacker could use to bypass the AKA process entirely.
This processor in question is used in the majority of devices manufactured by two of the world’s biggest smartphone companies. Dark Reading has agreed to keep its name confidential.
After having attracted a targeted device, an attacker could use this AKA bypass to return a maliciously crafted “registration accept” message and initiate a connection. At this point the attacker becomes the victim’s Internet service provider, capable of seeing everything they do on the Web in unencrypted form. They can also engage the victim by, for example, sending a spear phishing SMS message, or redirecting them to malicious sites.
Though AKA bypass was the most severe, the researchers discovered other vulnerabilities that would allow them to determine a device’s location, and perform denial of service (DoS).
How to Secure 5G
The Penn State researchers have reported all the vulnerabilities they discovered to their respective mobile vendors, which have all since deployed patches.
A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, “If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?”
It’s unlikely that such an overhaul will happen any time soon, as 5G systems were knowingly built to transmit messages in plaintext for specific reasons.
“It’s a matter of incentives. Messages are sent in milliseconds, so if you incorporate some kind of cryptographic mechanism, it will increase the computational overhead for the cell tower and for the user device. Computational overhead is also associated with time, so performance-wise it will be a bit slower,” Hussain explains.
Perhaps the performance incentives outweigh security ones. But whether it be via a fake cell tower, Stingray device, or any other means, “They all exploit this feature — the lack of authentication of the initial broadcast messages from the cell towers.”
Elastic Security Labs has uncovered a novel technique, GrimResource, that leverages specially crafted Microsoft Management Console (MMC) files for initial access and evasion, posing a significant threat to cybersecurity.
In response to Microsoft’s decision to disable Office macros by default for internet-sourced documents, attackers have been forced to adapt, exploring new infection vectors like JavaScript, MSI files, LNK objects, and ISOs. These traditional methods are now heavily scrutinized by defenders, pushing well-resourced attackers to innovate further. A recent example includes North Korean actors using a novel command execution technique within MMC files.
Elastic researchers have identified GrimResource, a new infection technique that exploits MSC files, allowing attackers to execute arbitrary code in the context of mmc.exe when a user opens a specially crafted MSC file. The first sample leveraging GrimResource was uploaded to VirusTotal on June 6th.
Key Takeaways
GrimResource enables attackers to execute arbitrary code in Microsoft Management Console with minimal security warnings, making it ideal for initial access and evasion.
Elastic Security Labs provides analysis and detection guidance to help the community defend against this technique.
Detailed Analysis
INITIAL DISCOVERY
The GrimResource method was identified after a sample was uploaded to VirusTotal on June 6th, 2024. This sample demonstrated a novel way to achieve code execution by exploiting the MSC file format, commonly used in administrative tools within Windows.
TECHNICAL BREAKDOWN
Exploitation of apds.dll Vulnerability
The core of the GrimResource technique exploits an old cross-site scripting (XSS) flaw in the apds.dll library. By crafting an MSC file that includes a reference to this vulnerable library in the StringTable section, attackers can execute arbitrary JavaScript in the context of mmc.exe. This approach leverages the following steps:
StringTable Manipulation: The MSC file is modified to include a reference to apds.dll.
JavaScript Execution: The XSS flaw in apds.dll allows JavaScript execution within MMC, enabling further payload delivery.
Combination with DotNetToJScript
To execute arbitrary code, attackers combine the XSS exploit with the DotNetToJScript technique:
Obfuscation Techniques: The initial sample uses the transformNode method for obfuscation, a technique also seen in recent macro-based attacks. This helps evade ActiveX security warnings.
Embedded VBScript: The obfuscated script within the MSC file sets environment variables with the target payload.
DotNetToJScript Execution: The script then uses DotNetToJScript to run an embedded .NET loader, named PASTALOADER, which retrieves the payload from the environment variables and executes it.
PASTALOADER Execution
PASTALOADER is designed to execute the payload in a stealthy manner:
Payload Injection: PASTALOADER injects the payload into a new instance of dllhost.exe, a legitimate system process, to avoid detection.
Stealth Techniques: The injection uses DirtyCLR, function unhooking, and indirect syscalls to minimize detection chances.
In the identified sample, the final payload is the Cobalt Strike Beacon, a widely used post-exploitation tool. The injection into dllhost.exe is done carefully to avoid triggering security mechanisms.
DETECTION METHODS
Elastic Security Labs’ Detection Techniques
Elastic Security Labs has developed several detection methods to identify GrimResource activity:
Suspicious Execution via Microsoft Common Console:
This detection looks for unusual processes spawned by mmc.exe, indicating potential malicious activity.
.NET COM Object Created in Non-standard Windows Script Interpreter:
Detects memory allocations by .NET on behalf of Windows Script Host (WSH) engines, indicative of DotNetToJScript usage.
Script Execution via MMC Console File:
Monitors file operations and process behaviors related to MSC file execution, particularly looking for the creation and use of apds.dll references.
Windows Script Execution via MMC Console File:
Correlates the creation of temporary HTML files in the INetCache folder, a hallmark of the APDS XSS redirection.
Example EQL Rules
sequence by process.entity_id with maxspan=1m
[process where event.action == “start” and process.executable : “?:\\Windows\\System32\\mmc.exe” and process.args : “*.msc”]
[file where event.action == “open” and file.path : “?:\\Windows\\System32\\apds.dll”]
Detecting Temporary HTML Files:
sequence by process.entity_id with maxspan=1m
[process where event.action == “start” and process.executable : “?:\\Windows\\System32\\mmc.exe” and process.args : “*.msc”]
[file where event.action in (“creation”, “overwrite”) and process.executable : “?:\\Windows\\System32\\mmc.exe” and file.name : “redirect[?]” and file.path : “?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*\\redirect[?]”]
Forensic Artifacts
The technique leaves several forensic artifacts, including:
MSC File Manipulations: Unusual references in StringTable sections.
Temporary Files: HTML files in the INetCache directory named “redirect[?]”.
Process Anomalies: Unexpected process creation and memory allocations by mmc.exe and dllhost.exe.
Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files. Elastic’s defense-in-depth approach has proven effective against this novel threat. Defenders should implement the provided detection guidance to protect themselves and their customers from GrimResource before it proliferates among commodity threat groups.
A virtual Chief Information Security Officer (vCISO) service or (CISOaaS) may be appropriate for a variety of scenarios, including:
Your clients, collaborators (partners) and some regulatory requirements anticipate the presence of an individual fulfilling the position of Chief Information Security Officer (CISO).
Companies without an in-house CISO: Small and medium-sized companies may not have the budget or need for a full-time CISO. A vCISO service can provide these companies with access to a seasoned cybersecurity professional without having to hire a full-time employee.
Companies experiencing rapid growth or change: Companies that are growing quickly or undergoing significant changes, such as mergers or acquisitions, may benefit from the expertise of a vCISO to help them navigate the cybersecurity implications of these changes.
Companies with limited cybersecurity resources: Some companies may have an IT team but lack dedicated cybersecurity resources. A vCISO can help fill this gap by providing strategic guidance and oversight of the company’s cybersecurity program.
Compliance requirements: Companies in regulated industries, such as healthcare or financial services, may require a CISO to meet regulatory requirements. A vCISO can help these companies meet compliance requirements with standards (ISO 27001) and regulations (PCI, HIPAA, NIST CSF, etc.) without having to hire a full-time CISO.
Cybersecurity incident response: In the event of a cybersecurity incident, a vCISO can provide expertise and guidance to help the company respond effectively and minimize the impact of the incident.
Overall, a vCISO service can be a cost-effective way for companies to gain access to the expertise of a seasoned cybersecurity professional without having to hire a full-time employee.
Which organizations may need vCISO services:
Small to Medium-Sized Enterprises (SMEs):
These businesses may not have the resources to hire a full-time CISO but still require expert guidance to manage their cybersecurity needs.
Large companies with existing security teams may use vCISO services for additional expertise, specific projects, or temporary coverage to assist in house CISO.
Industries: Finance, healthcare, manufacturing, utilities, telecommunications, etc.
Non-Profit Organizations:
These organizations often need to protect sensitive donor and beneficiary information but might lack the budget for a full-time CISO.
Examples: Charitable organizations, educational institutions, and research entities.
Government Agencies:
Small to mid-sized government entities may utilize vCISO services to bolster their cybersecurity posture and comply with regulations.
Examples: Local municipalities, state agencies, and public health departments.
Regulated Industries:
Companies in heavily regulated industries need to adhere to strict compliance standards and may require specialized cybersecurity expertise.
Industries: Healthcare (HIPAA), finance (GLBA, SOX), and retail (PCI-DSS).
Organizations Undergoing Digital Transformation:
Businesses that are adopting new technologies, moving to the cloud, or modernizing their IT infrastructure may need vCISO services to manage the associated security risks.
Examples: Companies implementing IoT, AI, or big data solutions.
Businesses Experiencing Rapid Growth:
Fast-growing companies may face evolving cybersecurity challenges and can benefit from the strategic oversight of a vCISO.
Examples: Tech startups, e-commerce platforms, and fintech companies.
Companies Preparing for Mergers and Acquisitions:
Businesses involved in M&A activities need to ensure that cybersecurity due diligence is performed and that their security posture is strong to protect sensitive data.
Examples: Investment firms, private equity groups, and merging corporations.
Organizations Recovering from a Security Incident:
Companies that have experienced a breach or other security incident may hire a vCISO to help with incident response, recovery, and the implementation of stronger security measures.
Examples: Any business recovering from ransomware attacks, data breaches, or significant cybersecurity incidents to mitigate risk to an acceptable level and improves security posture
DISC InfoSec can offer tailored cybersecurity solutions that align with the specific needs and constraints of different types of organizations.
Organizations committed to prioritizing security encounter the difficulty of locating a Chief Information Security Officer (CISO) possessing the appropriate skills and knowledge. It becomes necessary for someone to take charge of the security and compliance strategy, but this requirement often surpasses the expertise possessed by operational IT/CIO.
What is CISOaaS? Chief Information Security Officer-as-a-Service (CISOaaS) provides information security leadership from an appropriate pool of expertise. CISOaaS provides security guidance to senior management and drives the organization’s information security program.
Cert-In issues new guidelines for government bodies, mandates appointment of CISO, Read more at: https://lnkd.in/dKcdHMtP
The benefits of our CISOaaS
Gain access to a diverse pool of highly experienced and specialized senior cyber security professionals.
Rapidly access valuable resources and eliminate the necessity of retaining talent.
Reduce your expenses by paying solely for the necessary support, effectively minimizing costs.
Based on CISOaaS being engaged for four days a month annually at current prices.
Based on your requirements, you can hire a vCISO 5-10 hours a week or per month.
Mitigate your risk by strengthening your cyber and information strategy through the implementation of a clearly defined roadmap, thereby enhancing your overall security posture.
Acquire valuable experience in effectively educating and presenting to board members, and non-technical senior staff across functional diverse backgrounds.
Leverage our independent perspective and established credibility to secure comprehensive cross-business support and successfully accomplish your information security objectives.
Are you Ready? DISC InfoSec offers a free consultation to evaluate your security posture and GRC requirements, providing you with an actionable plan that starts here…
Deura InfoSec Partners with Ostendio to Streamline Compliance & Security Offerings
Strategic Partnership: Ostendio and Deura InfoSec have formed a partnership to enhance compliance and risk management services for Deura InfoSec clients using Ostendio’s GRC platform.
Efficiency Gains: Deura InfoSec will leverage Ostendio’s platform to streamline compliance processes, significantly reducing the time clients spend on information security management by up to 50%.
Client Benefits: The partnership allows Deura InfoSec to overcome the challenges of fragmented security and simplify the processes and costs of delivering complex cybersecurity programs.
We’d love to hear from you! If you have any questions, comments, or feedback, don’t hesitate to get in touch. Our team is here to help, and we’re always looking to improve our services. You can reach us by email at info@deurainfosec.com or through our website.contact form.
We offer discounted initial assessment based on various industry standards and regulations to demonstrate our value and identify possible areas for improvement. Potentially a roadmap for the to-be state.
🔵 Important reminder for Azure users! When utilizing Azure cloud for your application, don’t overlook key testing areas such as user access, data protection, secure deployment, and other critical functions…
Top 10 threats to Azure applications
When deploying and managing applications on Microsoft Azure, it is essential to be aware of various security threats that could compromise the integrity, availability, and confidentiality of your services. Here are the top 10 threats to Azure applications:
Misconfiguration of Security Settings:
Misconfigured security settings in Azure resources such as Storage Accounts, Virtual Networks, and Azure Active Directory can lead to unauthorized access and data breaches.
Insecure APIs and Endpoints:
APIs and endpoints that are not properly secured can be exploited by attackers to gain unauthorized access or manipulate data.
Insufficient Identity and Access Management (IAM):
Weak IAM policies can result in inadequate permission controls, allowing unauthorized users or applications to access sensitive resources.
Data Breaches and Data Leakage:
Data stored in Azure services, if not properly encrypted and secured, can be susceptible to breaches and leakage.
Denial of Service (DoS) Attacks:
Azure applications can be targeted by DoS attacks, which aim to overwhelm the application with traffic, making it unavailable to legitimate users.
Vulnerable Virtual Machines and Containers:
Unpatched or poorly configured VMs and containers can be exploited by attackers to gain access to the underlying infrastructure.
Insufficient Logging and Monitoring:
Lack of comprehensive logging and monitoring can prevent detection of security incidents and hinder incident response efforts.
Weak Network Security:
Inadequate network security measures such as poorly configured Network Security Groups (NSGs) and lack of Virtual Network (VNet) isolation can expose Azure resources to external threats.
Phishing and Social Engineering Attacks:
Azure accounts and services can be compromised through phishing and social engineering attacks, leading to unauthorized access.
Vulnerabilities in Third-Party Dependencies:
Applications often rely on third-party libraries and services, which may have vulnerabilities that could be exploited by attackers if not properly managed and updated.
Mitigation Strategies
To mitigate these threats, organizations should implement a comprehensive security strategy that includes:
Regular Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and fix vulnerabilities.
Secure Configuration Management: Utilize Azure Security Center and Azure Policy to enforce security best practices and compliance.
Robust Identity and Access Management: Implement multi-factor authentication (MFA), role-based access control (RBAC), and conditional access policies.
Data Protection: Encrypt data at rest and in transit using Azure Key Vault and other encryption services.
Network Security: Use Azure Firewall, NSGs, and VNets to segment and secure network traffic.
Threat Detection and Response: Enable Azure Monitor, Azure Sentinel, and other logging and monitoring tools to detect and respond to security incidents.
Secure Development Practices: Follow secure coding practices and regularly update third-party dependencies to mitigate known vulnerabilities.
User Training and Awareness: Conduct regular training sessions to educate users about phishing and social engineering threats.
By being proactive and implementing these strategies, organizations can significantly reduce the risk of security threats to their Azure applications.
Ensuring thorough testing is vital for a secure seamless experience 🔴
The Definitive Guide to Testing and Securing Deployments…
With data breaches and cyber attacks a constant news feature, and the US suffering more publicly disclosed incidents than any other country, it’s no surprise that cybersecurity is an increasingly bigger concern.
Customers, partners, authorities, and other stakeholders all want assurances that organizations are taking reasonable steps to prevent data breaches.
After all, customers want to know that their data is safe. Partners don’t want to end up in the headlines due to a breach in their supply chain. And authorities want organizations to be meeting their legal obligations.
With that in mind, demand for ISO 27001 certification is increasing.
What is ISO 27001?
ISO 27001 is the internationally recognized standard that stipulates the requirements for an ISMS (information security management system). This standard was most recently updated in 2022.
A significant benefit of ISO 27001, compared to alternative standards (such as the NIST Cybersecurity Framework, is that organizations can achieve independent, accredited certification to it.
While organizations implementing an ISMS don’t have to achieve ISO 27001 certification, doing so has numerous benefits. Most notably, it offers potential and existing clients assurance that you’re following information security best practice.
How do you know whether the certificate or the certification body is legitimate?
The best way to validate a potential vendor’s certification is to ask for a copy of their certificate. Any organization with accredited certification should be happy to provide it.
How do you assess whether the certification body is accredited?
Certification bodies must also go through their own strict accreditation process to ensure they meet requirements and are qualified to carry out audits in line with ISO 27001.
To verify that a US certification body is accredited, check whether it is listed on an accreditation body’s website.
Accreditation bodies are selected and appointed by the IAF (International Accreditation Forum). For the US, in 2024, it has listed three accreditation bodies for ISO 27001:
ANAB (ANSI-ASQ National Accreditation Board)
IAS (International Accreditation Service)
UAF (United Accreditation Foundation)
For ISO 27001, ANAB is the biggest accreditation body. Here’s a list of ISO 27001 certification bodies it has accredited.
Microsoft President Brad Smith during a tense U.S. congressional hearing Thursday acknowledged responsibility for a series of security failures that facilitated multiple high-profile state-sponsored cyberattacks targeting government institutions and the company itself.
Lawmakers on the House Committee on Homeland Security grilled Smith over Microsoft’s failure to address critical vulnerabilities and its mishandling of whistleblower warnings, which they argued led to the SolarWinds attack and other major breaches that federal cyber authorities say could have been avoided.
Rep. Mark Green, R-Tenn., who chairs the committee, described recent federal findings about Microsoft’s security blunders as “extremely concerning” and said the company’s “underinvestment in essential security measures exposed critical vulnerabilities.”
“Microsoft is deeply integrated into our nation’s digital infrastructure,” Green said, adding that the company has a “heightened responsibility” to ensure federal systems are protected from intrusion.
The hearing took place the same day ProPublica released a bombshell report alleging Microsoft ignored warnings from a whistleblower about a critical vulnerability that left the company susceptible to Russian hackers for several years. The whistleblower left the company in August 2020 out of frustration with its handling of the security flaw that ultimately facilitated Russia’s attack against SolarWinds just months later.
The federally empaneled Cyber Safety Review Board in a report published following a seven-month probe of the company’s security practices blamed Microsoft’s corporate culture for deprioritizing enterprise security investments and allowing preventable security breaches.
“Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said in his prepared opening remarks, adding: “Without equivocation or hesitation.”
The Russian state hacking group tracked as Midnight Blizzard, also known as APT29 and CozyBear, breached senior Microsoft executives’ email inboxes after using an unsophisticated hacking technique (see: Microsoft’s Latest Hack Sparks Major Security Concerns). The incident came less than a year after Microsoft disclosed that a group of Chinese hackers breached customers’ email systems as part of a cyberespionage campaign targeting federal agencies and other major organizations.
Lawmakers on both sides of the political aisle expressed doubts over whether Microsoft has been fully transparent with its customers and the federal government in the wake of recent security breaches. The ProPublica report published Thursday says that Smith testified to the Senate Intelligence Committee in 2017 that Microsoft became aware of the flaw leading to the SolarWinds attack only after the cybersecurity firm CyberArk published a blog post describing the exploit, known as Golden SAML.
“My concerns about whether we can rely on Microsoft to be transparent were heightened this morning when I read a ProPublica article about how an employee alerted Microsoft’s leadership to a vulnerability,” said ranking member Rep. Bennie Thompson, D-Mo. “That vulnerability was ultimately used by Russian hackers to carry out secondary phases of the SolarWinds attack in 2020.”
“Transparency is the foundation of trust, and Microsoft needs to be more transparent,” he said.
In response, Smith testified that Microsoft has made changes to its corporate governance structure to improve enterprisewide cybersecurity efforts and “integrate security into every process.” The company has added deputy CISOs to each of its components as part of its Secure Future Initiative, Smith said. The company launched the initiative in November 2023 (see: Microsoft Overhauls Security Practices After Major Breaches).
Smith also told lawmakers he is not aware of any vulnerabilities within Microsoft’s operating system that could affect government networks and said the company was “focused on identifying every vulnerability our employees can find.”
AJ Grotto, director of Stanford University’s geopolitics, technology and governance program and former senior White House director for cyber policy, said Microsoft “uses restrictive licensing to dominate the public sector” despite repeatedly putting federal networks in harm’s way.
“We’ve become accustomed to security flaws in Microsoft’s products, followed by promises from Microsoft to improve security, only to have the cycle repeat – with no consequences for Microsoft,” Grotto said in a statement sent to Information Security Media Group. Grotto urged lawmakers to demand the company “develop and share with Congress a plan for diversifying its exposure to cybersecurity risk.”
Smith told the House committee Microsoft has begun implementing 16 of the CSRB’s recommendations that apply directly to the company and added an additional 18 security measures to help improve its overall cyber posture.
Asked directly about the risk associated with the federal government’s reliance on a single technology vendor, Smith acknowledged potential concerns but said a network with too many players could be equally problematic.
“Just as there is risk relying on one vendor, there are risks in relying on multiple vendors,” Smith said. “Fundamentally, whether you have one vendor or multiple, the problem is similar – we all need to work together and just keep making progress.”
Microsoft President Brad Smith testifies before the House Committee on Homeland Security on June 13, 2024.
In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) made it known that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a known FortiOS pre-auth RCE vulnerability (CVE-2022-42475), and used novel remote access trojan malware to create a persistent backdoor.
The RAT was dubbed Coathanger and found to be capable of surviving reboots and firmware upgrades. It’s also difficult to detect its presence by using FortiGate CLI commands, and to remove it from compromised devices.
The security services shared indicators of compromise and a variety of detection methods in an advisory, and explained that “the only currently identified way of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring the device.”
On Monday, the Dutch National Cyber Security Center said that the MIVD continued to investigate the campaign, and found that:
The threat actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023
They exploited the FortiOS vulnerability (CVE-2022-42475) as a zero-day, at least two months before Fortinet announced it
“During this so-called ‘zero-day’ period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the NCSC said.
The threat actor installed the Coathanger malware at a later time, on devices of relevant targets.
“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” they said, and added that given the difficult discovery and clean-up process, “it is likely that the state actor still has access to systems of a significant number of victims.”
Another problem is that the Coathanger malware can be used in combination with any present or future vulnerability in FortiGate devices – whether zero- or N-day.
Advice for organizations
“Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organizations apply the ‘assume breach’ principle,” the NCSC opined.
“This principle states that a successful digital attack has already taken place or will soon take place. Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans and forensic readiness.”
(In the attack targeting the Dutch MoD, the effects of the intrusion were limited due to effective network segmentation.)
Finally, the NCSC noted that the problem is not specifically Fortinet appliances, but “edge” devices – firewalls, VPN servers, routers, SMTP servers, etc. – in general.
“Recent incidents and identified vulnerabilities within various edge devices show that these products are often not designed according to modern security-by-design principles,” they said. Because almost every organization has one or more edge devices deployed, they added, it pays for threat actors to look for vulnerabilities affecting them.
The NCSC has, therefore, published helpful advice on how organizations should deal with using edge devices.
.webp)
.webp)
