Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0.
"Path Traversal in the Ivanti CSA before 4.6 Patch

Enterprise Security / Network Security

Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild.

The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0.

"Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality," the company said in a Thursday bulletin.

It also noted that the flaw could be chained with CVE-2024-8190 (CVSS score: 7.2), permitting an attacker to bypass admin authentication and execute arbitrary commands on the appliance.

Ivanti has further warned that it's "aware of a limited number of customers who have been exploited by this vulnerability," days after it disclosed active exploitation attempts targeting CVE-2024-8190.

This indicates that the threat actors behind the activity are combining the twin flaws to achieve code execution on susceptible devices.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 10, 2024.

Users are highly recommended to upgrade to CSA version 5.0 as soon as possible, as version 4.6 is end-of-life and no longer supported.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.

Dr. Sean Costigan, Managing Director, Resilience Strategy, Red Sift

September 20, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

With heightened geopolitical tensions, a surge in cyberattacks on US and allied organizations by a North Korean cyber-espionage group is hardly unexpected. What is disquieting, however, is that an advanced persistent threat (APT) group known as Kimsuky has seen remarkable success by turning a defensive strength into a weakness — exploiting poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to carry out spear-phishing campaigns to secure advantage.

A May 2 advisory from the FBI, the National Security Agency (NSA), and the US State Department stated that Kimsuky, acting as an arm of North Korea's Reconnaissance General Bureau (RGB), has been sending spoofed emails to individuals in high-profile think tanks, media outlets, nonprofits, academia, and other organizations. The emails are part of an intelligence campaign to troll for information on geopolitics and foreign policy plans, particularly related to nuclear policies, sanctions, and other sensitive concerns involving the Korean peninsula.    

With sanctions biting, North Korea has developed a formidable cybercrime capability to generate liquidity for the regime. However, in this case, we see Kimsuky threat actors alter their focus to intelligence operations, targeting troves of information held by trusted parties and prominent organizations. Although the ongoing campaign has complex geopolitical implications, effectively defending against these attacks fundamentally relies on robust, actionable, and properly executed cyber-hygiene practices.

Related:Singapore Arrests 6 Suspected Members of African Cybercrime Group

**DMARC Misconfigurations Are Too Common**

Kimsuky is using trusted networks with improperly configured or missing DMARC to spoof legitimate domains and impersonate trusted personalities and organizations. The DMARC protocol was created to stop the compromise of user accounts and hinder the very types of social engineering at work here.

This is how it's supposed to work: DMARC allows email recipients to verify an email's origin through the Domain Name System (DNS), ensuring that threat actors cannot spoof legitimate domains. DMARC checks the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records for an incoming email and, if it does not appear to be legitimate, tells the receiving email server what to do next.

But as Kimsuky's attacks have shown, that only works if DMARC services are properly configured. As the IC3 advisories detail, misconfigurations are far too common or policies are poorly defined by the domain owners. For some organizations, self-managing DMARC may seem cost-effective, but it can also lead to significant oversights, including increasing vulnerabilities, failing to pay heed to evolving threats, missing sound compliance reporting, and creating a false sense of security.  

Related:Indian Army Propaganda Spread by 1.4K AI-Powered Social Media Accounts

**What North Korea's Attack Looks Like**

Kimsuky's spear-phishing campaigns may begin with an innocuous email from a seemingly credible source, building trust before sending a subsequent email with a malicious link or attachment. The group then uses successful compromises to escalate attacks with more credible spear-phishing emails aimed at higher-value targets.

The group focuses its intelligence-gathering activities against South Korea, Japan, and the United States, targeting individuals identified as experts in various fields. According to a subsequent advisory from the Cybersecurity and Infrastructure Security Agency (CISA), think tanks and South Korean government entities have also been targeted.  

One real-world example from the FBI-NSA advisory had a subject line reading: "\[Invitation\] US Policy Toward North Korea Conference." The message, seemingly from a known university, begins: "I hope you and your family are enjoying a lovely holiday and a restful season. It is my privilege to invite you to provide a keynote address for a private workshop, hosted by the \[legitimate think tank\] to discuss the U.S. policy toward North Korea." As further inducement, the email also offers a $500 speaker's fee.

Related:Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Another email had the subject line "Questions about N. Korea," with the writer posing as a journalist from a legitimate media outlet and requesting an interview, followed by a broad outline of North Korea's nuclear activities.

In the university example, the email received a "pass" from SPF and DKIM checks, suggesting the attacker gained access to the university's legitimate email client. And although DMARC returned a "fail" because the sender's email domain differed from SPF and DKIM records for the legitimate source, the organization's DMARC policy was not set to take filtering action, so the message was delivered. In the second case, no DMARC policy was present, allowing the attacker to spoof the journalist's name and the news organization's email domain.

**Why DMARC Matters**

The US government's advisories offer compelling reasons for organizations to secure their digital estates. Kimsuky is not alone among APTs nor, more broadly, cybercriminals who work for profit: Lessons are shared and all are becoming increasingly savvy at targeting misconfigurations and weaknesses.

Securing and properly configuring DMARC is key since it improves organizational cyber hygiene and broadly protects against ubiquitous threats like business email compromise and ransomware email attacks.

Notably, industry or regulatory requirements may already make DMARC a requirement for your organization. As of February 2024, Google and Yahoo have required DMARC for organizations sending large volumes of email, and Microsoft is reportedly planning to follow suit. Additionally, the PCI DSS 4.0 requires implementation of DMARC. According to BIMI Radar, since the FBI's May 2 advisory, DMARC adoption globally has grown from 3.74 million organizations to 5.71 million organizations, as of June 17. 

There's a business imperative at work as well. Organizations must prioritize cyber hygiene to safeguard their digital assets, prevent data breaches, and protect against evolving cybersecurity threats. DMARC should be part of your organization's cyber posture. When properly managed, not only does it ensure better deliverability, provide protection against phishing and business email compromise (BEC), and enable the deployment of Brand Indicators for Message Identification (BIMI), but it can help close doors against nation-state espionage and cybercrime.

**About the Author**

Managing Director, Resilience Strategy, Red Sift

Sean Costigan is an expert in emerging security challenges and a highly sought-after speaker on technology and national security. He is the lead for NATO’s cybersecurity curriculum and is widely published on national security matters relating to information security and hybrid threats. He is also a Professor at the George C. Marshall Center, where he educates on global cybersecurity, hybrid warfare, crime, and national security.

North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks

Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

PRESS RELEASE

AUSTIN, Texas and Fal.Con 2024, Las Vegas – September 16, 2024 — CrowdStrike (NASDAQ: CRWD) today announced the launch of its second annual Cybersecurity Startup Accelerator with Amazon Web Services (AWS). NVIDIA also joins in supporting the Accelerator program, powering the next generation of artificial intelligence (AI) and cloud security startups. Targeting cybersecurity’s next market-defining disruptors across the U.S. and EMEA, AWS and CrowdStrike with NVIDIA through its Inception program, will provide mentorship, technical expertise, funding and go-to-market opportunities.  
Applications for the AWS and CrowdStrike Cybersecurity Startup Accelerator with NVIDIA are open from September 16, 2024 to January 10, 2025. Selected startups will be enrolled in a free eight-week program developed by AWS, CrowdStrike and NVIDIA that offers mentorship and guidance from industry experts and executives. Startups will also have access to top-tier global cybersecurity investors, enablement sessions, and up to $25,000 in AWS Activate credits, among other exclusive benefits.

At the end of the program, participants can present their innovations at an in-person Demo Day at the AWS Startup Loft in San Francisco, which will take place during the RSA Conference in April 2025. Winning presentations may be eligible to receive funding from the CrowdStrike Falcon® Fund. 

“CrowdStrike and AWS created the Cybersecurity Startup Accelerator as a formative, value creation experience for innovative startups to learn, create and grow. Since participating in the Accelerator, last year’s cohort participants raised over $150 million from leading global VCs,” said Daniel Bernard, chief business officer, CrowdStrike. “We’re proud to welcome NVIDIA as a supporter of the Accelerator program – bringing together market-leading cybersecurity, cloud and AI expertise to cultivate tomorrow’s great innovators.”

“For startups seeking to tackle the most pressing security challenges, the Cybersecurity Startup Accelerator provides the AI technologies, accelerated computing resources and technical expertise they need,” said Bartley Richardson, director of cybersecurity engineering at NVIDIA.

To apply, visit this website. Startups are encouraged to review the terms and conditions here.

You May Also Like

CrowdStrike Expands Cybersecurity Startup Accelerator With AWS and NVIDIA

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

Company urges organizations using self-hosting GitLab instances to apply updates for CVE-2024-45409 as soon as possible.

Source: T. Schneider via Shutterstock

Organizations with self-hosted GitLab instances configured for SAML-based authentication might want to update immediately to new versions of the DevOps platform that the company released this week.

The update addresses a maximum severity bug in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to bypass authentication checks and log in as an arbitrary user in an affected system. Depending on the level of access, an attacker could then steal leak or modify source code, inject malicious code into production systems, steal secrets and sensitive data, and execute a variety of other malicious actions.

**Maximum Severity Threat**

The bug, identified as CVE-2024-45409, has a severity score of 10.0, which is as critical as it gets on the CVSS rating scale. The bug has garnered the rating because of its high impact and also because exploiting it involves low-attack complexity, no special privileges, and no user interaction.

CVE-2024-45409 affects both GitLab Dedicated, the fully managed cloud-hosted version, and also self-managed instances of GitLab. The company already has updated all instances of GitLab Dedicated and says that customers of the managed version are already protected against the vulnerability. However, those running self-managed GitLab installations must patch now, the vendor advised. "We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible."

GitLab has recommended that organizations enable two-factor authentication for all user accounts for self-managed GitLab installations to mitigate against exploits targeting CVE-2024-45409. "Enabling identity provider multifactor authentication does not mitigate this vulnerability," GitLab cautioned. The company also recommends that organizations not allow the SAML two-factor bypass option in GitLab. In addition, GitLab's advisory provides detailed guidance on how to hunt for and detect signs of exploit activity tied to the flaw.

CVE-2024-45409 is present in versions 12.2 and older and versions 1.13.0 to 1.16.0 of Ruby SAML, a library which is a part of GitLab's SAML-based authentication feature. Ruby SAML is what allows organizations to authenticate users to GitLab via external identity providers.

**Improper Signature Verification**

The National Vulnerability Database's description of the flaw shows that affected Ruby SAML versions either aren't verifying or are incorrectly verifying the cryptographic signature in a SAML response. This allows an attacker with access to any signed SAML document from an identity provider to forge a SAML response. "This would allow the attacker to log in as \[an\] arbitrary user within the vulnerable system," the NVD said.

In its advisory, GitLab said that in order to craft a successful exploit for the flaw, an attacker would need to find a way to craft SAML assertions that are identical to those from an organization's legitimate identity provider. This would involve having the information needed to accurately replicate key fields like username, role, identity, and privileges.

"When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login," GitLab said. "These include both the key and value fields that you specify at your \[identity provider\] and may be unknown to unauthorized individuals — especially if you have customized these attributes."

**Particularly Troubling on Dev Platforms**

Researchers consider vulnerabilities in DevOps platforms like GitHub to be particularly troublesome because of the opportunities they provide attackers to compromise application development environments in multiple ways.

"The ability to bypass authentication checks is a huge threat, as it gives attackers the window of opportunity to easily enter development environments and cause tremendous damage — all without triggering any alerts," says Katie Teitler-Santullo, cybersecurity strategist at OX Security. "Presumably, and hopefully, organizations are using strong authentication — MFA least privilege, and zero-trust principles — to ensure that all access is fully authorized."

Jeff Williams, founder and CTO at Contrast Security, stresses the importance of addressing authentication bypass flaws. "In this case, a forged SAML assertion can be created to log on as any user and take any actions that a user can do," he says. "This might include tampering with pipelines, embedding malicious code in software products, stealing intellectual property, installing malware, or just about any other bad thing you can imagine."

CVE-2024-45409 is the most critical among 18 vulnerabilities that GitHub disclosed this month as part of its regular security updates. GitHub assessed one of the other 17 vulnerabilities as critical. The flaw (CVE-2024-6678), with a CVSS severity score of 9.9, affects multiple GitLab CE and EE versions. It is one of several in recent months that allows an unauthenticated, remote attacker to run a pipeline in the context of any user within a GitLab environment.

The vulnerability is similar to flaws that GitLab disclosed in May, June, and July and suggests a pattern of not taking security seriously, Williams says. "Critical vulns month after month. Maybe they're doing better testing? Good. Or maybe they aren't being proactive. We need transparency."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GitLab Warns of Max Severity Authentication Bypass Bug

PRESS RELEASE

SAN FRANCISCO, Calif., September 16, 2024 – c/side, a cybersecurity company with tools for monitoring, optimizing, and securing vulnerable browser-side third-party scripts, today announced $6 million in seed funding. The round is led by Uncork Capital, with participation from Mantis VC, Scribble Ventures, Roar Ventures, and PrimeSet. c/side’s total funding is now $7.7 million, following a pre-seed round announced earlier this year. Scribble and Roar also participated in the pre-seed, along with strategic angel investors.

  
As headlines have continued to show since the infamous British Airways breach, the third-party code scripts that businesses add into their websites are often poorly monitored and undersecured. While these scripts are necessary for critical site functions such as analytics, chatbots, and error handling, the scripts change frequently without a business’ knowledge—posing significant risks. Malicious actors exploit vulnerabilities within the scripts to redirect website visitors, steal sensitive information, or manipulate website content. As a result of increased security awareness on the infrastructure and open source supply chain, malicious actors increasingly seek to weaponize the browser as the place of execution—yet most sites have nothing in place to monitor client-side behavior.

  
With an advanced proxy service and an AI-driven detection engine, c/side offers a comprehensive toolkit to identify and neutralize malicious scripts in real-time. The innovative solution not only bolsters website security, but also significantly enhances website performance. Beyond safeguarding organizations from cyberattacks, c/side’s technology also simplifies compliance with stringent industry regulations like PCI DSS 4.0, making it a critical and particularly timely tool for businesses accepting digital payments via their sites.

  
“Even in the few short months since we launched, major browser supply chain attacks like polyfill\[.\]io and regulatory breach incidents like the one at Kaiser Permanente have underscored just how significant and rapidly-escalating this attack vector has become,” said Simon Wijckmans, CEO and founder, c/side. “Security and IT teams cannot take a ‘set it and forget it’ approach to the third-party web scripts that run through their organization’s website. We understand what’s required to ensure ongoing visibility and protection, and offer an end-to-end solution that’s simple to deploy. We’re thrilled to bring on new investors with our seed funding, and look forward to our next stage.”

  
“c/side is addressing client-side app security, one of the most challenging threats to digital organizations and a problem that has been largely overlooked until now,” said Andy McLoughlin, Managing Partner at Uncork Capital. “Their AI-driven solution not only identifies these threats but acts swiftly to neutralize them, ensuring robust client-side web security. We’re thrilled to lead this round and support the c/side team as they develop solutions to protect businesses from costly and damaging browser-executed attacks."

  
“We’re impressed by c/side’s AI-driven approach and its potential to revolutionize client-side security at scale,” said Alex Pall, General Partner, Mantis VC. “This team has the expertise and vision to make a significant and lasting impact across the cybersecurity landscape, making web security more accessible to all. Whether you’re an early-stage grinding entrepreneur or a large established brand, c/side will grow to have your back. Simon and the team will make things rock!”

  
The seed funding will enable c/side to accelerate the development of its flagship product, the powerful proxy solution for securing third-party web scripts. The company will also deepen its vulnerability detection engine’s capabilities and grow its team to support customer service, sales, partnership, and marketing functions.

  
c/side’s free tier is now fully operational and available — anyone can sign up and begin securing their site in minutes. Business, Enterprise, and Partner tiers are in development; those interested can contact c/side here. 

  
About c/side  
c/side is a forward-thinking cybersecurity startup focused on browser-side detection and protection. Led by industry expert Simon Wijckmans, c/side is pioneering technologies to shield against sophisticated cyber threats, ensuring unparalleled security standards for users across the web.

c/side Lands $6M to Combat Rising Browser Supply Chain Attacks

Inc ransomware — one of the most popular among cybercriminals today — meets healthcare, the industry sector most targeted by RaaS.

Source: Photo 12 via Alamy Stock Photo

Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.

Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.

In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators MSTIC tracks," says Jeremy Dallman, senior director of threat intelligence for MSTIC. "While we've seen them targeting healthcare for quite a while, the notable shift here is their use of an Inc ransomware payload as they leverage the larger ransomware-as-a-service ecosystem."

**Vice Society's Latest Foray into Healthcare**

Vice Society flirts with various industries, including IT and manufacturing, but it's best known for its campaigns against the education and healthcare sectors.

In that sense, it's in line with the broader threat landscape. According to Check Point Research, healthcare is the industry most frequently targeted by ransomware actors. Other kinds of cybercriminals like it too, evidently, with global healthcare organizations experiencing an average of 2,018 attacks per week, a 32% rise over last year.

It only makes sense, warns Cindi Carter, Check Point's CISO for the Americas. Besides being hamstrung by outdated legacy technology and bureaucracy, "The type of data that healthcare organizations capture, create, and share is of high value to cybercriminals," she says. "Your medical record is the single most identifiable piece of digital information about you besides your own fingerprint," she says.

In recent activity leveraging the healthcare sector's inherent weaknesses, Vice Society received initial access to victims that previously had been infected with the Gootloader backdoor-loader. Then it deployed tools including the Supper backdoor, AnyDesk's remote monitoring and management (RMM) solution, and MEGA's data synchronization tool, the latter two of which are legitimate commercial products. The group used Remote Desktop Protocol (RDP) to perform lateral movement in affected networks, and abused the Windows Management Instrumentation (WMI) provider host to drop Inc ransomware.

**The Rise of Inc Ransomware**

Active since last summer, the Inc ransomware-as-a-service (RaaS) operation has earned plenty of headlines for its compromises of particularly large organizations — Xerox and Scotland's National Health Service (NHS), among others. And its modus operandi fits the scope of its ambition, says Jason Baker, threat intelligence consultant for GuidePoint Security.

"The aspect of Inc affiliates in particular that makes them stand out is that they have a very structured way of working through the negotiations process. There's no winging it. There are no off-the-cuff remarks. Agitation and threats are kept relatively minimal," he recalls from dealing with them firsthand.

"It's like the difference between somebody robbing a bank and somebody sticking somebody up in an alley. You can tell when somebody's put thought into \[an attack\] and knows what they're doing," he says.

As Dark Reading reported last month, Inc's malware leaked information about the nature and success of its data encryption. Though this could potentially lend defenders a leg up in remediation and potential negotiations with its affiliates, Baker warns that the reality is more complicated, especially when it comes to healthcare.

"If an organization knows that they can recover, and that they don't need a decryptor, that substantially decreases the feeling that they need to pay a ransom," he notes. "But where it's complicated is in modern double extortion, particularly if there's sensitive personally identifiable health information (PHI), or if there's sensitive intellectual property involved. There's a reason why the double extortion methodology has stuck around for as long as it has: It does, to some extent, overcome even an ability to recover."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Vice Society Pivots to Inc Ransomware in Healthcare Attack

German law enforcement agencies have managed to de-anonymize Tor users after putting surveillance on Tor servers for months.

Despite people generally considering the Tor network as an essential tool for anonymous browsing, german law enforcement agencies have managed to de-anonymize Tor users after putting surveillance on Tor servers for months.

Before we go into the what the agencies did, let’s take a look at some basics of Tor.

**How Tor works**

On a daily basis, millions of people use the Tor network to browse privately and visit websites on the dark web. Tor enhances privacy by directing internet traffic through a minimum of three randomly chosen routers, or nodes. During this process user data is encrypted before it reaches the destination via the exit node, ensuring a user’s activities and IP address remain confidential and secure.

Here’s a closer look at how this mechanism works:

*   **Entry node:** When you start browsing with Tor, your connection is first directed to an entry node, also known as a guard node. This is where your internet traffic enters the Tor network, with your IP address only visible to this node.
*   **Middle nodes:** After entering the Tor network, your traffic passes through one or more middle nodes. These nodes are randomly selected, and each one knows only the IP address of the previous relay and the next relay. This prevents any single relay from knowing the complete path of your internet activity.
*   **Exit node:** The last relay in the chain is the exit node. It decrypts the information from the middle relays and sends it out to the destination. Importantly, the exit node strips away layers of encryption to communicate with the target server but does not know the origin of the traffic, ensuring that your IP address remains hidden.

This layered security model, like peeling an onion, is where Tor gets its name. Tor is an acronym for The Onion Router. Each layer ensures that none of the nodes in the path knows where the traffic came from and where it is going, significantly increasing the user’s anonymity and making it exceedingly difficult for anyone to trace the full path of the data.

Although many researchers theoretically considered that de-anonymization was possible, in general it was thought practically unfeasible if a user followed all the necessary security measures.

**How did the de-anonymization work?**

German news outlet NDR reports that law enforcement agencies got hold of data while performing server surveillance which was processed in such a way that it completely cancelled Tor anonymity. The reporters saw documents that showed four successful measures in just one investigation.

After following up on a post on Reddit and two years of investigation, the reporters came to the conclusion that Tor users can be de-anonymized by correlating the timing patterns of network traffic entering and exiting the Tor network, combined with broad and long-term monitoring of Tor nodes in data centers.

If you can monitor the traffic at both the entry and the exit points of the Tor network, you may be able to correlate the timing of a user’s true IP address to the destination of their traffic. To do this, one typically needs to control or observe both the entry node and the exit node used in a Tor circuit. This does not work when connecting to onion sites however, because the traffic would never leave the Tor network in such a case.

The timing analysis uses the size of the data packets that are exchanged to link them to a user. You can imagine that with access to a middle node, you can tie the incoming and outgoing data packets to one user. While this doesn’t reveal any of the content of the messages, this could help in establishing who’s communicating with who.

The problem that Tor faces lies in the fact that it was designed with hundreds of thousands of different nodes all over the world in mind. In reality, there are about 7,000 to 8,000 active nodes, and many of them are in data centers. As a consequence, the “minimum of three” often means “only three” which increases the potential effectiveness of timing attacks.

The Tor Project said:

> “The Tor Project has not been granted access to supporting documents and has not been able to independently verify if this claim is true, if the attack took place, how it was carried out, and who was involved.”

Based on the information provided, the Tor Project concluded that one user of the long-retired application Ricochet was de-anonymized through a guard discovery attack. This was possible, at the time, because the user was using a version of the software that neither had Vanguards-lite, nor the Vanguards add on, which were introduced to protect users from this type of attack

Which means they feel confident to claim that Tor is still safe to use. However, we would like to add that users should be aware that several law enforcement agencies–and cybercriminals–run Tor nodes, which can pose risks.

If you use Tor, here are some basic rules to stay as anonymous as possible:

*   Always download Tor Browser from the official Tor Project website.
*   Keep Tor Browser updated to the latest version for security patches.
*   Use the default Tor Browser settings – don’t install add-ons or change the settings unless you know what you are doing and what the implications are.
*   Enable the “Safest” security level in Tor Browser settings.
*   Only visit HTTPS-encrypted websites.
*   Avoid logging into personal accounts or entering personal information. If you post your personal information somewhere that undermines the whole idea of staying anonymous.
*   Be extremely cautious about downloading files or clicking links, even more so on the Dark Web.
*   Disable JavaScript if possible although this may break some sites.
*   Clear cookies and local site data after each browsing session.
*   Use a reputable VPN in addition to Tor for an extra layer of encryption.
*   Run up-to-date antivirus/anti-malware software on your device.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Tor anonymity compromised by law enforcement. Is it still safe to use? 

US ports rely on cranes manufactured by a Chinese state-owned company, many with unmonitored cellular connections, causing cybersecurity concerns.

Source: GreenOak via Shutterstock

As the United States looks to shore up the cyber-resilience of its critical infrastructure, a congressional report has highlighted that the nation's maritime shipping and port operations rely too much on Chinese-made cranes and other systems whose software is often vulnerable and can be communicated with remotely.

Last week, the House of Representatives' Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC). While the committee did not turn up evidence that the company used its access maliciously, the firm failed to address software vulnerabilities and retained the ability to remotely access the crane's systems via a cellular modem, often without explicit notification.

Even though the report does not find a smoking gun, the concerns are reasonable, says John Terrill, chief information security officer (CISO) at extended Internet-of-Things (IoT) security firm Phosphorus Cybersecurity.

"There could be legitimate purposes for \[a cellular modem\], but I think the general sentiment — because it's a Chinese-owned company — the \[committee\] is concerned that allowing access is setting up a ticking time bomb," he says. "If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes."

Related:Name That Toon: Tug of War

The supply chains for critical economic sectors are attracting intense scrutiny from policymakers and security organizations. When Russia invaded Ukraine, the military targeted cyberattacks at infrastructure, such as satellite communications and nuclear power generation. The recent attacks on Lebanon-based Hezbollah militants — considered a terrorist organization by the US government — using pagers likely compromised through a supply-chain attack by Israel demonstrated the potential of cyber-physical attacks.

**Sea Change in Supply-Chain Focus**

Port facilities are often overlooked, but critically important, especially as drivers of the economy. US port facilities handle about 40% of the value of all international freight, with the top 12 ports processing about 47 million twenty-foot equivalent units (TEUs) of cargo in 2023. Cyber-physical attacks on such facilities could significantly disrupt the US economy. Cybersecurity experts have already warned that China-linked cyber-espionage groups are compromising critical infrastructure systems at facilities — such as ports — in preparation for future conflicts.

Related:SCADA Market Is Set to Reach $18.7B by 2031

The long-term risks outweigh the short-term gains of purchasing inexpensive port equipment, the House Select Committee stated in its report.

"The evidence gathered during our joint investigation indicates that ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate US maritime equipment and technology at their request," the lawmakers stated. "This vulnerability in our critical infrastructure has the potential to affect Americans from coast to coast."

While historically overlooked, maritime supply-chain security and cybersecurity has become an increasing issue. In February, the US Department of Transportation warned that port facilities' over-reliance on Chinese vendors allowed China's government to collect information on trade and could lead to potential compromises if Sino-American relations worsen.

**Rough Seas for Cybersecurity**

Attacks on ports and ships are not unheard of. In February, the US reportedly hacked an Iranian military ship aiding Houthi rebels in the Red Sea and disrupting communications. An Indian nation-state cyber-operations group attacked maritime facilities and ports around in the Indian Ocean and as far away as the Mediterranean Sea. And spoofing of GPS signals have enabled rogue nations to cause problems for freighters and other shipping near their shores.

Related:Remote Access Sprawl Strains Industrial OT Network Security

Because so much of the infrastructure has integrated communications connected to software controlling physical equipment, cybersecurity is a significant issue, says Ron Fabela, strategic advisor to ICS/OT security firm Xona.

"Everything is remotely accessible now," he says. "If you haven't been in the industry, you might think our super-critical stuff isn't accessible from the Internet, surely, right? And oftentimes, that is not the case."

Port operators are looking to buy inexpensive port equipment, such as cranes, but then rely on the manufacturer to provide service, which leads to remote communications and data collection. In addition, numerous vulnerabilities have been found in ZPMC equipment, but bug reports disappear and are never publicized, and likely never fixed. Given China's law that forces disclosure of vulnerabilities to the government, it's likely that those vulnerabilities are being used or are being stockpiled for use, says Phosphorus' Terrill.

"A known vulnerability that is not patched is a backdoor by any other definition," he says.

**Protecting Untrusted Infrastructure**

The House CCP Committee's report recommends that the Department of Homeland Security and US Coast Guard make recommendations to disable the cellular modems in the ZPMC cranes, install technology to monitor and ensure the security of the cranes during operation, and focus extra security measures on critical ports, such as the seaport in Guam — a resupply point for the US military in the Pacific Ocean — and those designated by the Department of Defense as critical.

Port operators, however, may push back on mandates to disable the cellular devices. Turning off the cellular modems will likely mean hobbling the maintenance of the cranes and other equipment, says Xona's Fabela.

"In critical infrastructure, what I've seen is the asset owner — the purchaser of this equipment — doesn't want to maintain it," he says. "They want to have someone on the hook, if something goes wrong ... they want to ensure that the OEM or the manufacturer is the one supporting it, and being that a lot of our heavy industry is still being manufactured outside of our borders, it becomes a difficult problem."

Instead, operators should treat digital access like physical access, he says. Any session should be tightly controlled and scheduled, keeping devices offline at all other times.

"We'll monitor, and we'll over-the-shoulder their access — this is how they do it with physical access," he says. "A vendor can't just walk into a port and walk around. You have to have a reason to be there, usually a job order; you have to have a background check; and someone will escort you. So just extending those best practices to the cyber domain is often all that's needed."

In the long term, the House CCP Committee's report recommends that the US Department of Commerce study whether building cranes is the United States is feasible, as well as ways to improve US manufacturing competitiveness.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Latest News