A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint…

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online.

A hacker using the alias “Fortibitch” has claimed responsibility for leaking 440 GB of data belonging to Fortinet, a prominent cybersecurity firm based in Sunnyvale, California. The hacker stated that the stolen data is now accessible for download via an Amazon S3 bucket, with details of the breach and access credentials shared on the popular underground forum, Breach Forum.

**The Breach: Fortileak**

Dubbed _Fortileak_ by the hacker, the breach allegedly originates from an exposure in Fortinet’s Azure SharePoint instance. In the forum post, the hacker pointed out recent acquisitions by Fortinet, including the Data Loss Prevention (DLP) firm Next DLP and the cloud security company Lacework. They then claimed that Fortinet’s Azure SharePoint had been compromised, allowing for the extraction of the substantial data cache.

The full scope of the compromised data remains unclear, though the hacker emphasized that the breach involves Fortinet’s cloud infrastructure. The hacker provided the following credentials for accessing the alleged stolen data:

Screenshot: Hackread.com

**Ransom Demands and Negotiation Breakdown**

In a further twist, the hacker claimed that Fortinet’s CEO, Ken Xie, walked away from ransom negotiations. In the forum post, the hacker ridiculed Xie, alleging that the CEO refused to engage, stating that he “would rather eat some p\*\*p than pay ransom.” The hacker also questioned why Fortinet had not filed an SEC 8-K form (PDF)—a document required by public companies to disclose major incidents.

The post also contained a mix of taunts and shout-outs to other individuals or groups, which seemed to further underline the hacker’s brash attitude toward the attack and its aftermath.

**Fortinet’s Response**

Hackread.com reached out to Fortinet for an official comment on the breach. A spokesperson for the company confirmed that an unauthorized individual had gained access to a limited number of files stored on a third-party cloud-based shared file drive. These files included data related to a “small” subset of Fortinet customers.

In their statement to Hackread.com, Fortinet reassured stakeholders that there has been no indication of any malicious activity affecting its customers. They emphasized that the company’s operations, products, and services have not been impacted by the breach. Fortinet stated that they have already communicated directly with the affected customers and are continuing to monitor the situation closely.

> _“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers, and we have communicated directly with customers as appropriate. To-date there is no indication that this incident has resulted in malicious activity affecting any customers. Fortinet’s operations, products, and services have not been impacted.”_
> 
> Fortinet Spokesperson

This is not the first time Fortinet has faced a cybersecurity incident. Last year, Chinese hackers were reported to be exploiting a zero-day vulnerability in the company’s products. In another instance, hackers were found exploiting a vulnerability in FortiOS, the operating system for Fortinet’s security appliances, to compromise organizations and customers.

Nevertheless, for now, the full extent of the breach remains under investigation, and it is unclear whether the alleged stolen data will be used maliciously or if the ransom negotiations will have any further developments. As more information emerges, both customers and cybersecurity professionals will be watching closely to assess the impact of this incident.

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
3.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
4.  **Cybersecurity Firm Hacks Itself, Finds AWS Credentials Leak**
5.  **Hackers dump plain-text login credentials of Fortinet VPN users**

Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data

Their findings highlight the frailty of some of the mechanisms for establishing trust on the Internet.

Source: Aree\_S via Shutterstock

Security researchers' ability to gain control of a chunk of the Internet's infrastructure for a mere $20 has focused attention on the fragility of the trust and cybersecurity mechanisms that organizations and users rely on daily.

The troubling event began with researchers at watchTowr on a whim looking for remote code execution vulnerabilities in WHOIS clients while at the recent Black Hat USA conference in Las Vegas. In poking around, the researchers discovered that the WHOIS server for the .mobi top level domain (TLD) — for mobile-optimized sites — had migrated a few years ago from "whois.dotmobiregistry.net" to "whois.nic.mobi". After the change, the registration for the original domain (whois.dotmobiregistry.net) expired last December.

**An Accidental Discovery**

A WHOIS server is like a public phone book for the Internet and contains information on the owners of an IP address or website along with lots of other related information. A WHOIS client is a tool that queries for and retrieves information about a specific domain name or IP address from a WHOIS server.

On a lark, the watchTowr researchers spent $20 to register the expired whois.dotmobiregistry.net in the company's name and stick a WHOIS server behind it to see if any WHOIS clients would query it. Their initial presumption was that few, if any, WHOIS clients would still touch the decommissioned server after the migration to the new .mobi authoritative WHOIS server (whois.nic.mobi) a few years ago.

To their surprise — and consternation — watchTowr researchers found over 76,000 unique IP addresses sending queries to their WHOIS server in just a couple hours. In about two days that number had ballooned to over 2.5 million queries from 135,000 unique systems worldwide.

Contrary to their expectations, among those querying watchTowr's WHOIS server were major domain registrars and websites performing WHOIS functions. Also querying watchTowr's WHOIS domain were mail servers for numerous government organizations in the US, Israel, Pakistan, India, the Philippines, a military entity in Sweden, and countless universities worldwide. Troublingly, even some security-related websites, including VirusTotal, queried watchTowr's WHOIS server as if it were the authoritative server for the .mobi TLD.

Had watchTowr been a bad actor, they could have easily abused their status as the owner of whois.dotmobiregistry.net to deliver malicious payloads to anyone querying the server, or to passively monitor email communications and potentially create other mayhem.

"In the wrong hands, owning the domain could enable attackers to 'respond' to queries and inject malicious payloads to exploit vulnerabilities in WHOIS clients," watchTowr's CEO and founder Benjamin Harris said in a FAQ on his company's discovery. From the standpoint of government mail servers reaching out to watchTowr's WHOIS servers, "traffic analysis can be performed to passively observe and infer email communication," he said.

**A Serious Domain Verification Weakness**

But even more troubling than that was watchTowr’s discovery of multiple Certificate Authorities (CA) — including those issuing TLS/SSL certificates for domains such as ‘microsoft.mobi and ‘google.mobi — using watchTowr’s server for domain verification purposes.

"It turns out that a number of TLS/SSL authorities will verify ownership of a domain by parsing WHOIS data for your domain— say watchTowr.mobi — and pulling out email addresses defined as the 'administrative contact'," watchTowr said. "The process is to then send that email address a verification link. Once clicked, the certificate authority is convinced that you control the domain that you are requesting a TLS/SSL cert for, and they will happily mint you a certificate."

In other words, watchTowr could provide its own email address to certificate authorities (CAs) in response to domain ownership queries and obtain TLS/SSL certificates on behalf of other organizations. Once again, contrary to expectations, watchTowr discovered multiple well known CAs — including Trustico, Comodo, GlobalSign, and Sectigo — using WHOIS data for domain verification.

"For 'microsoft.mobi', watchTowr demonstrated that CA GlobalSign would parse responses provided by its WHOIS server and present '\[email protected\]' as an authoritative email address," the security vendor said. "watchTowr's discovery effectively undermines the certificate authority process for the entire .mobi TLD, a process that has been targeted by nation-states overtly for years." The research highlights the trivial loopholes in the Internet's TLS/SSL vital encryption processes and structures and shows why trust in them is misplaced at this stage, the researchers wrote.

Nick France, CTO at Sectigo, says the issue has to do with CAs being allowed to use administrative emails on public WHOIS records for domain names. "However, the researchers found that the .mobi registry had changed their WHOIS server in the past and the 'old' name was now available as a registerable domain name — which they did," France says.

This is only a problem if a CA uses an outdated list of WHOIS server, he says. In that event, a CA's WHOIS query could get directed to an outdated server and any attacker that owns it could send any output in response, including an email address of their choice. "This leads to a failure of the domain verification process and thus mis-issued certificates."

The issue that watchTowr discovered highlights why CAs must keep their systems updated, especially with respect to critical processes like domain control validation, French says. "WHOIS is an old, insecure system — often neglected by researchers and users alike, leaving it primed for the discovery of flaws like this one," he notes.

While it may impact only smaller TLDs like .mobi, as opposed to .com, .net, and .gov, it still demonstrates a serious vulnerability in the domain verification process, he says.

Tim Callan, Sectigo's Chief Experience Officer, adds how the incident highlights a need to update some of the rules around Domain Control Validation (DCV). "We should expect the Certification Authority Browser Forum to move quickly on these changes in order to plug this particular hole."

In the meantime, the nonprofit Internet monitoring entity ShadowServer has sinkholed the dotmobiregistry.net domain and the whois.dotmobiregisry.net hostname and is redirecting all queries to the server to the legitimate WHOIS responsible for .mobi domains. "If you have code/systems still using the expired http://whois.dotmobiregistry.net to make WHOIS queries for the .mobi TLD, please update immediately to use the correct authoritative WHOIS server http://whois.nic.mobi," said Piotr Kijewski, ShadowServer's CEO in an email.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

For Just $20, Researchers Seize Part of Internet Infrastructure

An attacker is using the tool to deploy a cryptominer and the Tsunami DDoS bot on compromised systems.

Source: TippaPatt via Shutterstock

A threat actor is dropping a cryptominer and distributed denial-of-service (DDoS) malware on Oracle WebLogic Servers using "Hadooken."

Researchers at Aqua Nautilus spotted the malware when it hit one of their honeypots last month. Their subsequent analysis showed Hadooken to be the main payload in an attack chain that began with the threat actor brute-forcing its way into the administration panel of Aqua's weakly protected WebLogic honeypot. It appears Hadooken's authors named the malware after the iconic Surge Fist move in the Street Fighter series of video games.

Once inside the Aqua system, the attacker downloaded Hadooken to it using two nearly functionally identical scripts — a Python script and a "c" shell script — with one likely acting as a backup for the other. Aqua found both scripts designed to run Hadooken on the compromised honeypot and to then delete the file.

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Aqua's lead researcher, Assaf Morag, said in a report. "It then moves laterally across the organization or connected environments to further spread the Hadooken malware."

**A Valuable Target**

Oracle's WebLogic Server allows customers to build and deploy Java applications. Thousands of organizations — including some of the world's largest banking and financial services companies, professional services firms, healthcare entities, and manufacturing companies — have deployed WebLogic. These deployments include modernizing their Java enterprise application environment, deploying Java apps in the cloud, and building Java microservices. Critical vulnerabilities, including those that have enabled complete takeover of WebLogic Server, have made the technology a frequent target for attacks over the years. Configuration errors, such as weak passwords and Internet-exposed admin consoles, have exacerbated the risks around the platform.

In Aqua's honeypot attack, the threat actor gained initial access to the WebLogic server by brute-forcing past the security vendor's deliberately weak password. Hadooken then dropped two executable files: Tsunami, a malware used in numerous DDoS attacks going back at least a decade; and a cryptominer. In addition, Aqua found the malware creating multiple cron jobs — which schedule commands or scripts to run automatically at specific intervals or times — to maintain persistence on the compromised system.

**Potential for More Trouble**

Aqua's analysis showed no sign of the adversary actually using Tsunami in the attack, but the security vendor didn't rule out the possibility of that happening at a later stage. Equally likely is the possibility that the attacker could tweak Hadooken relatively easily to target other Linux platforms, Morag tells Dark Reading. "At the moment we've only seen indications the attackers are brute-forcing their way to WebLogic Servers," Morag says. "But based on other attacks and campaigns, we assume the attackers won't limit themselves to WebLogic."

It's also likely that the attackers won't limit themselves to cryptocurrency and DDoS malware in future Hadooken campaigns. Aqua's static analysis of the malware showed links in the code to Rhombus and NoEscape ransomware, but no actual use of the code during the attack on its honeypot. Aqua found the threat actor using two IP addresses, one in Germany and the other in Russia, to download Hadooken on compromised systems. The German IP address is one that two other threat groups — TeamTNT and Gang 8220 — have used in previous campaigns, but there is nothing to suggest they are linked to the Hadooken campaign, Aqua said.

The company recommends that organizations consider using mechanisms like infrastructure-as-code scanning tools, cloud security posture management tools, Kubernetes security and configuration tools, runtime security tools, and container security tools to mitigate threats like Hadooken.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Hadooken' Malware Targets Oracle's WebLogic Servers

The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

Source: Photo Spirit via Shutterstock

One of the world's most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against financial and insurance companies, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.

Scattered Spider has been using SMS and voice phishing — or smishing and vishing, respectively — attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.

"Scattered Spider frequently uses phone-based social engineering techniques … to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," EclecticIQ Threat Intelligence Analyst Arda Büyükkaya wrote in a recent analysis. "The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals."

The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), Büyükkaya said.

**Cloud Services, SaaS in the Crosshairs**

Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, Büyükkaya noted.

"The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection," he wrote.

The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well software as a service (SaaS) platforms such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE "by deploying phishing pages that closely mimic single sign-on (SSO) portals," Büyükkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing — so much so that they even can fool cloud security engineers.

**Spinning a Complex Attack Web**

Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English — all of which it used as part of its heavy artillery. The group soon became infamous for the massive ransomware attacks on Caesars Palace and MGM Entertainment about a year later.

Scattered Spider teamed with BlackCat/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of RansomHub and Qilin earlier this year, after BlackCat/Alphv unceremoniously went dark in March, leaving affiliates in the lurch.

Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and UK officials recently arrested a 17-year-old from the town of Walsall, UK, in July for his connection to the group.

The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so it's as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.

**Defense and Mitigation**

EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to Büyükkaya.

The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.

Other recommendations made specifically focused on Scattered Spider's tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for typosquatting domains. This includes their own organization’s legitimate domains, especially those targeting their own cloud environments.

"Proactively secure these domains to prevent phishing attacks and social engineering tactics," Büyükkaya advised.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Socially Savvy Scattered Spider Traps Cloud Admins in Web

Law enforcement seized electronics containing special hacking tools and software as well as a substantial amount of cash in the raids.

Source: Olaf Schuelke via Alamy Stock Photo

Six men — one Singaporean and the other five Chinese — were arrested in raids conducted by Singapore's law enforcement and charged in court yesterday for their suspected involvement in illicit cyber activities.

Singapore police officers raided multiple residential site across the island, seizing electronic devices such as laptops and mobile phones, as well as cash.

The five Chinese nationals arrested are believed to be involved in a global syndicate and face charges related to the Computer Misuse Act 1993. The Singaporean man was charged with abetting unauthorized access to websites.

"We have zero tolerance of the use of Singapore to conduct criminal activities, including illegal cyber activities," the Singapore police said in a statement. "We will deal severely with perpetrators."

All six men will be held as the police continue to look into each individual's network of contacts and how they were connected to their various syndicates.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Singapore Arrests 6 Suspected Members of African Cybercrime Group

Most investors aren't demanding cybersecurity preparedness from startups, but founders should still be worried about the risks.

Source: Illia Uriadnikov via Alamy Stock Photo

It was a tale of two startups.

"A company that I invested in — about, oh, five years ago — happened to be in the proptech \[property technology\] space," said David Rose, managing partner at Rose Tech Ventures, during a panel at Cybertech NYC last week. The property tech startup he was referring to helped people build their credit by paying their rent with credit cards. "So it was a really cool company, \[and\] it was going great. And then it turned out they had been hit by scammers, who were setting up fake buildings and fake credit cards, using them \[for fraud\]. And the entire company blew up because of that."

Another company from one of Rose's protégés had a similar idea and business model, but because the company had better security, it was able to grow. "So you see a company that had really interesting ideas, demonstrated a great potential, smart guys, but the company got killed because of cyber," Rose noted.

Startups are valued for their forward thinking, their financials, and their talent. No investment negotiation has ever broken down over the issue of cyber preparedness. Yet, clearly, an incident can be catastrophic to a promising but volatile new business, and anecdotal evidence suggests investors and founders alike are starting to take that risk seriously.

**The Threat to Startups**

Volt Typhoon, the Chinese advanced persistent threat (APT) du jour, has compromised critical infrastructure providers of every kind — Internet service providers, electric utilities, wastewater treatment, energy, and more — on multiple continents, targeting military organizations along the way. Its attacks are of the highest caliber among known APTs. But a few weeks ago, it went after a different type of prey: a startup.

Versa Networks attracted a lot of attention with its secure access service edge (SASE) software-as-a-service offering and earned $120 million in pre-IPO funding in October 2022. Less headline-grabbing was a bug in its software-defined wide area networking (SD-WAN) technology (CVE-2024-39717). The vulnerability — rated as "high" severity with a CVSS score of 7.2 — allowed Volt Typhoon to push a custom, credential-grabbing Web shell through the Versa Director platform, allowing the attackers to breach four Versa customers in the United States and one in India.

Though attacks and breaches can happen to any company, startups like Versa Networks, security camera firm Verkada — which was fined $3 million by the FTC last month following its breach where attackers took over customer cameras — and Rose's proptech failure are particularly vulnerable. Like any small or medium-sized businesses, they might struggle with budgets and resource allocation. More so than other businesses, though, startups sell excitement and promise. Where a typical business might aim to be secure, but simply lack the money and manpower to do it right, startups that aim to move fast and break things might simply deprioritize a cost that does not incur growth.

As Rose told Dark Reading at Cybertech, "In the case of the company that I mentioned, it \[cybersecurity\] hadn't even occurred to them. They were thinking about the upside \[of the business\], not the downside."

Unfortunately, the answer to securing startups isn't straightforward.

**When Startups Need to Think About Security**

When established companies shift their attention to beefing up their cybersecurity, they typically invest in personnel, training, and layered security software (among other things). But as Rose points out, "Virtually no founders we are speaking with are facing cyber security challenges because they don't have any product!"

Startup security is a more nuanced matter which largely rests on timing, explains Bob Ackerman, founder and managing director of the early-stage VC company AllegisCyber.

"When you're looking at a stage zero startup, security probably is not the number one consideration. It's, 'Is this a good idea?', 'Can this team perform?', 'Is there actually a business here?' But as companies gather steam, establish critical mass, the consequences of getting cybersecurity wrong increase," Ackerman says.

"Usually a mid-stage or later-stage company has enough cybersecurity questions for it to be obvious that we need a security team, a security program, \[and\] a security budget as well," says Will Lin, author of The VC Field Guide. "If I were to force a number, I would say that for companies over, say, 3,000 employees, it starts becoming more of a key topic for investors."

Lin cautions, though, that needs vary widely across companies of different kinds.

"You might find very, very large organizations — even above 3,000 people, for example — that have a tiny, three-person-or-less security team, and then you might find a small organization of 200 people spending quite a lot per year on security. Security budgets and programs and everything tends to be more reactive than \[saying\] 'Obviously, the next step of the company is we need to do X, Y, Z," Lin explains.

The variation occurs not just due to size and maturity, Ackerman adds, but also industry.

"Maybe a financial services company is going to have cyber risk exposure, and so \[be\] aware of it from a very early stage, particularly in sectors like financial services, where there is a lot of personally identifiable information, or anything in supply chain, where a compromise could be disruptive and have an adverse consequence," he says.

**Nudging Security to a Higher Priority**

According to a February survey from business insurance company Embroker, more than two thirds of founders have experienced a cyberattack against one of their businesses.

Founders seem to be extra cautious about security. In the survey, 86% reported owning some kind of cyber insurance, and 71% were considering additional security protections in addition to having insurance. About a third (31%) of the respondents reported being more concerned with security than they were the year prior.

Those who aren't thinking about cybersecurity may be nudged into doing something by the investors themselves. As Rose points out, "One of the things that we have on our standard investor checklist when we do full-on due diligence is: What is your cybersecurity plan? How is it going to work? Actually, in many cases, it's the first time anybody ever asked the startup founder about security."

He continues, "I would be very happy if they have something in their deck — at least in their appendix to their deck — which would say: 'Here's our thoughts, here's our plan, here's our vulnerability.' Just tell me that you've actually given more than two-and-a-half minutes worth of thought to the subject, and you will be ahead of 95% of other companies."

More mature, later-stage startups need to start making material investments, and hiring for executive positions, he explains, "And if you're a platform business that is open to the public, and you've got any kind of money going anywhere, then you damn well better have a really serious plan."

"If the world was under my control, I would say: Yes, as a startup founder with no paying clients until next year, I want you thinking about building in security from day one. But because that doesn't tie out to dollars day one — and startups are always pressed for dollars, always trying to move fast and break things — that's a very hard sell," he admits.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

When Startup Founders Should Start Thinking About Cybersecurity

PRESS RELEASE

SAN MATEO, Calif. — Sept. 10, 2024 — QuSecure™, Inc., a leader in post-quantum cryptography (PQC), today announced it has been selected for the United States Army Small Business Innovation Research (SBIR) project titled “Enhanced Post-Quantum Cryptography Suite for Tactical Networks.” 

This SBIR Phase II award further establishes QuSecure as a leading provider of Federal PQC solutions. The contract scope of work is organized to further enhance QuProtect™, the industry’s first end-to-end PQC software-based solution that enables organizations to springboard from cryptographic discovery and non-compliant algorithm detection straight to full quantum-resilience with live encryption management, continuous monitoring, vulnerability and alerting capabilities – all which can be achieved without the need to rip-and-replace current infrastructure.

“This project, in addition to all of our work and traction across all U.S. military branches, further validates that QuSecure is setting the standard for Federal PQC requirements,” said Pete Ford, Head of Federal Operations at QuSecure. “Serving the Government with this important U.S. Army project will provide Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO), so the U.S. Government can better protect and manage against classical, AI, and quantum computing threats to cryptography, bringing true resilience to the nation’s most secure encrypted communications for decades to come.”

This award is one of several that QuSecure has won in the past two years to address the most pressing PQC challenges being faced by the U.S. Government.

The recent landmark NIST PQC standards announcement was preceded by extensive government action over the past three years, with the aim of establishing U.S. leadership in protecting the nation’s digital assets form ongoing Harvest Now Decrypt Later (HNDL) attacks. The U.S. Government’s urgency to move toward a quantum safe future has been established with the recent actions taken by Congress and the White House. The Endless Frontiers Act set up a Technology and Innovation Directorate at the National Science Foundation, along with a $100 billion budget to research emerging technologies over five years, including quantum computing and post-quantum cryptography. Additionally, in December 2022 President Biden signed the Quantum Computing Cybersecurity Preparedness Act, a law that requires the Office of Management and Budget to prioritize federal agencies’ adoption of crypto-agile PQC as part of a greater migration effort to Zero Trust Network Access (ZTNA).

QuSecure’s QuProtect software is available now for testing and deployment. This suite offers a comprehensive, end-to-end quantum-security-as-a-service architecture that combines Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO) with zero-trust, next-generation quantum-resilient technology, cloud systems, edge devices, and satellite communications to protect networks against today’s cyberattacks and future quantum threats, all with minimal disruption to existing systems.

About QuSecure

QuSecure is a leader in quantum-safe cybersecurity with a mission to use the advent of quantum computing to act as a catalyst to fix the foundation of data security infrastructure. The QuProtect platform requires no quantum technologies to defend against quantum, AI, and classical threats to encryption, and can be purchased through the AWS marketplace or through direct outreach to QuSecure, Accenture, Dell, Cisco, or Carahsoft. QuSecure is proud to have more successful post-quantum cryptography deployments than any other organization in the world, and the technology is currently deployed with government, banking, telecommunications, and infrastructure customers across the globe. QuSecure’s quantum-resilient and crypto-agile solutions provide an easy transition path to quantum resiliency anytime, anywhere, on any device, and across any organization.

The company’s QuProtect solution is the industry’s first cryptographic-agility platform that facilitates the upgrade to PQC and beyond. You can Book a No-Obligation Two Hour CISO Road Mapping Workshop with QuSecure’s experts to get started on your PQC Migration planning and to take the QuProtect Software for a test drive.

US Army Selects QuSecure Solution for 'Enhanced Post-Quantum Cryptography Suite for Tactical Networks' Project

PRESS RELEASE

DELRAY BEACH, Fla., Sept. 10, 2024 /PRNewswire/ -- The global Security Testing Market size is projected to grow from USD 14.5 billionin 2024 to USD 43.9 billion by 2029 at a Compound Annual Growth Rate (CAGR) of 24.7% during the forecast period, according to a new report by MarketsandMarkets™.

One of the key factors promoting the security testing will be the increasing incidence of cyberattacks that target the software's vulnerabilities. However, the organizations, being in the digitalized world are getting more and more dependent on the digital applications that require the identification of the system's security risks and their resolution before the potential exploitation of such risks by the attackers which is becoming the new crucial practice. This rising concern pushes organizations to adopt the security testing process in order to guard their systems, data, and reputation from the possible breaches.

Request Sample Pages@ https://www.marketsandmarkets.com/requestsampleNew.asp?id=150407261

Based on the application testing tools, SAST accounts for the highest market size during the forecast period.

The adoption of Static Application Security Testing (SAST) tools is increasing as organizations prioritize secure software development. SAST tools enable developers to identify and fix security vulnerabilities early in the coding process, reducing the risk of security flaws in production. This shift is driven by the growing emphasis on integrating security into the software development lifecycle (SDLC) and the need to comply with stringent security standards. As a result, more companies are adopting SAST tools to enhance code security, improve development efficiency, and ensure that applications are robust against cyber threats from the outset.

By Application security testing type, web application security testing accounts for the highest market size during the forecast period.

The adoption of web application security testing is growing as organizations increasingly rely on web-based platforms for business operations and customer interactions. With the rise in cyber threats targeting web applications, such as SQL injection and cross-site scripting (XSS), companies are prioritizing security testing to identify and mitigate vulnerabilities before they can be exploited. This proactive approach is driven by the need to protect sensitive data, ensure compliance with regulations, and maintain customer trust in an environment where web applications are a critical part of the business landscape.

Inquire Before Buying@ https://www.marketsandmarkets.com/Enquiry\_Before\_BuyingNew.asp?id=150407261

By Region, Asia Pacific will grow at the highest CAGR during the forecast period.

The adoption of security testing services in the Asia Pacific region is rapidly increasing due to the region's expanding digital economy and the rising threat of cyberattacks. As businesses in Asia-Pacific embrace digital transformation and cloud computing, the need to identify and address vulnerabilities in their systems has become crucial. Regulatory pressures and growing awareness of cybersecurity risks are also driving organizations to invest in security testing solutions to ensure the resilience of their IT infrastructure and protect sensitive data from breaches. This trend is further fueled by the region's diverse and complex threat landscape, prompting a proactive approach to cybersecurity.

Top Key Companies in Security Testing Market:

IBM (US), HCLTech (India), Synopsys (US), OpenText (UK), Cigniti (US), Qualitest (UK), Intertek (UK), DXC Technology (US), eInfochips (US), Checkmarx (US), HackerOne (US), Invicti (US), DataArt (US), Cobalt Labs (US), Trustwave (US), Contrast Security (US), Veracode (US), Qualys (US), OffSec (US), NCC Group (UK), GitHub (US), Bugcrowd (US), Applause (US), Rapid7 (US), Parasoft (US), BreachLock (US), ImmuniWeb (Switzerland), Pentest People (UK), SafeAeon (US), and REDTEAM.PL (Poland) are the key players and other players in the Security Testing Market.

Browse Adjacent Market: Information Security Market Research Reports & Consulting

Browse Other Reports:

Blockchain Security Market - Global Forecast to 2029

IoT Security Market - Global Forecast to 2029

Exposure Management Market\- Global Forecast to 2029

Next-Generation Firewall Market\- Global Forecast to 2028

Digital Signature Market\- Global Forecast to 2028

Get access to the latest updates on Security Testing Companies and Security Testing Industry

About MarketsandMarkets™ 

MarketsandMarkets™ has been recognized as one of America's best management consulting firms by Forbes, as per their recent report.

MarketsandMarkets™ is a blue ocean alternative in growth consulting and program management, leveraging a man-machine offering to drive supernormal growth for progressive organizations in the B2B space. We have the widest lens on emerging technologies, making us proficient in co-creating supernormal growth for clients.

Earlier this year, we made a formal transformation into one of America's best management consulting firms as per a survey conducted by Forbes.

The B2B economy is witnessing the emergence of $25 trillion of new revenue streams that are substituting existing revenue streams in this decade alone. We work with clients on growth programs, helping them monetize this $25 trillion opportunity through our service lines - TAM Expansion, Go-to-Market (GTM) Strategy to Execution, Market Share Gain, Account Enablement, and Thought Leadership Marketing.

Built on the 'GIVE Growth' principle, we work with several Forbes Global 2000 B2B companies - helping them stay relevant in a disruptive ecosystem. Our insights and strategies are molded by our industry experts, cutting-edge AI-powered Market Intelligence Cloud, and years of research. The KnowledgeStore™ (our Market Intelligence Cloud) integrates our research, facilitates an analysis of interconnections through a set of applications, helping clients look at the entire ecosystem and understand the revenue shifts happening in their industry.

To find out more, visit www.MarketsandMarkets™.com or follow us on Twitter, LinkedIn and Facebook.

Security Testing Market Worth $43.9B by 2029

PRESS RELEASE

REDDING, Calif., Sept. 10, 2024 /PRNewswire/ -- According to a new market research report titled, 'SCADA Market by Type (Monolithic SCADA Systems, Distributed SCADA Systems, Networked SCADA Systems), Component (Hardware, Software, Services), Deployment Mode, End-use Industry (Oil & Gas, Automotive, F&B)—Global Forecast to 2031.

The rising adoption of automated technologies across Europe and Asia-Pacific, the advent of Industry 5.0, the growing demand for smart and digitized production processes, and the increasing emphasis on industrial automation are key factors driving the growth of SCADA. However, the high initial investment requirements for SCADA implementation are restraining the growth of this market.

Furthermore, the growing adoption of wireless sensor networks and the proliferation of smart factories are expected to generate growth opportunities for the players operating in this market. However, the risk of cyberattacks is a major challenge impacting market growth. Furthermore, the rising adoption of Industry 4.0 technologies and the increasing reliance on Human-Machine Interface (HMI) systems are prominent trends in the SCADA market.

Advent of Industry 5.0 Boosting the Demand for Scada Systems 

Industry 5.0, also known as the Fifth Industrial Revolution, is a new and emerging phase of industrialization that builds upon the principles of Industry 4.0 but emphasizes the human touch and the integration of human skills with advanced technologies. Industry 4.0 focused on technologies such as the Internet of Things and big data, whereas Industry 5.0 seeks to involve human, environmental, and social aspects.

As Industry 5.0 promotes enhanced collaboration between humans and machines, there is an increasing demand for sophisticated automation and control systems capable of effectively bridging the gap between these elements. SCADA systems facilitate real-time monitoring and control of industrial processes, playing an important role in enabling seamless interactions between humans and machines. They offer the necessary infrastructure for incorporating human input and feedback into automated workflows, thereby optimizing performance and efficiency. With Industry 5.0 driving the adoption of advanced technologies, the requirement for comprehensive monitoring and control solutions to ensure seamless integration and coordination is growing. SCADA systems have significantly improved the reliability and capability of automation. Centralized SCADA systems are increasingly utilized for decision-making in hazardous situations to prevent accidents in complex infrastructure. These systems oversee and manage entire sites, support informed decision-making, enhance efficiency, and minimize downtime. The advantages provided by SCADA systems, coupled with the escalating need to maintain the integrity and reliability of critical infrastructure, are driving market growth.

Governments are actively supporting industrial automation and digitalization initiatives. For example, in January 2021, the President of Spain introduced three new plans for SMEs (2021-2025)—the Connectivity Plan, the Strategy to Promote 5G Plan, and the National Strategy for Artificial Intelligence. These plans are part of the Spain 2025 Digital Agenda and aim to advance the development and deployment of SCADA systems across various industries. By enhancing capabilities and driving digital transformation, these initiatives are increasing demand for SCADA systems and contributing to market growth.

SCADA Market Analysis: Key Segmental Findings

*   By Type: In 2024, the networked SCADA systems segment is expected to account for the largest share of 47.5% of the SCADA market. Moreover, this segment is projected to register the highest CAGR of 8.2% during the forecast period from 2024 to 2031.
    
*   By Component: In 2024, the hardware segment is expected to account for the largest share of 55.9% of the SCADA market. However, the software segment is estimated to record the highest CAGR during the forecast period from 2024 to 2031.
    
*   By Deployment Mode: In 2024, the on-premise deployments segment is expected to account for the dominant share of the SCADA market. However, the cloud-based deployments segment is anticipated to register the highest CAGR of 10.5% during the forecast period from 2024 to 2031.
    
*   By End-use Industry: In 2024, the manufacturing segment is expected to account for the major share of 26.4% of the SCADA market. However, the automotive segment is slated to record the highest CAGR of 10.7% during the forecast period from 2024 to 2031.
    

Get A Glimpse Inside: Request Sample Pages \- https://www.meticulousresearch.com/request-sample-report/cp\_id=5186

Geographic Analysis:

By geography, the SCADA market is segmented into North America, Europe, Asia-Pacific, Latin America, and the Middle East & Africa. In 2024, North America is estimated to account for the largest share of 32.1% of the SCADA market. The North America SCADA market is expected to reach $5,488.3 million by 2031.

The industrial sector has seen extensive implementation of automation systems, especially in North America. Manufacturers in this region are increasingly deploying advanced automation technologies in their operations. North American countries are competing with their Asian and European counterparts to position themselves as key manufacturing centers, with the goal of lowering costs related to importing goods. The high labor costs in the U.S. are a primary impetus for the adoption of process control systems, such as SCADA (Supervisory Control and Data Acquisition), MES (Manufacturing Execution System), and DCS (Distributed Control System). These systems are instrumental in reducing the need for human oversight and management of automation processes.

Key market players are focusing on developing SCADA solutions with advanced features tailored for various industrial applications, including oil & gas, power, utilities, automotive, electronics, and F&B. For example, in October 2022, Emerson Electric Co. (U.S.) introduced Movicon.NExT 4.2, an advanced automation platform designed for seamless integration with field devices and enterprise systems. This software provides the data and insights necessary for achieving operational excellence across diverse applications in discrete and hybrid manufacturing sectors, including F&B, packaged consumer goods, energy, infrastructure, building automation, and machine automation.

Furthermore, in October 2022, AtomTech (U.S.) expanded its North American presence by launching AtomTech Canada. This move addresses the growing demand for automation, cybersecurity, SCADA, and IIoT 4.0 solutions across industries such as automotive, medical equipment, and warehouse logistics. Such developments support the growth of the SCADA market in the region during the forecast period.

Have specific research needs? Request a customized research report:- https://www.meticulousresearch.com/request-customization/cp\_id=5186

Asia-Pacific: The Fastest-growing Regional Market

The SCADA market in Asia-Pacific is poised to register the highest CAGR during the forecast period. In 2024, China is expected to account for the major share of the SCADA market in Asia-Pacific. Asia-Pacific generates significant growth opportunities for the adoption of industrial process control solutions, given its extensive and diverse manufacturing sector. Traditionally, manual or semi-automatic control processes have characterized industrial production in the region. However, advanced automation solutions are becoming essential for achieving the flexibility required in high-volume production lines, thereby enhancing overall operational efficiency.

Asia-Pacific is a prominent manufacturing hub across multiple sectors, including automotive, electronics, consumer goods, pharmaceuticals, and more. This manufacturing prominence is a significant driver of automation technology adoption in the region. SCADA solutions are increasingly being adopted in countries such as China, Japan, South Korea, and India, driven by efforts to modernize manufacturing facilities and the need for SCADA software to interface with Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), and Human-Machine Interface (HMI) components. The focus on improving process efficiencies and reducing production costs further fuels market growth, enabling operators to analyze and make decisions from remote locations.

The rapid advancement of automation and artificial intelligence (AI) is having a profound impact on economies in the APAC region. Asiais expected to be the fastest-growing automation market, driven by factors such as population growth, urbanization, economic development, rising wages, and decreasing costs associated with automated industrial technologies. The increasing awareness of advanced industrial control solutions, including SCADA systems for comprehensive manufacturing process monitoring, is a key driver of this market growth.

The U.K. Continues to Dominate the SCADA Market in Europe

In 2024, the U.K. is expected to account for the largest share of the SCADA market in Europe. Several factors are driving the adoption of industrial control systems in the U.K., including the expansion of the manufacturing industry, stringent manufacturing and industrial safety regulations, increased diversity in consumer products, growing awareness of automated systems, and rising labor costs. Many enterprises and industries in the U.K. are increasingly adopting automated machines and control solutions to enhance operational process monitoring. Key sectors such as oil & gas, power, automotive, F&B, electronics, and semiconductors are leading the way in implementing industrial control systems. In response to the evolving needs of these industries, market players are actively developing advanced SCADA solutions. For example, in September 2020, Severn Trent plc (U.K.) invested USD 6.4 million to upgrade its SCADA monitoring and management systems to a cloud-based platform.

SCADA Market: Competition Analysis

This report offers a competitive analysis based on an extensive assessment of the leading players' product portfolios, geographic presence, and key growth strategies adopted over the past three to four years. Major companies in the SCADA market have implemented various strategies to expand their product offerings and global footprints and augment their market shares. The key strategies followed by most companies in the SCADA market were product launches & enhancements, acquisitions, expansion, partnerships, agreements, and collaborations. The key market players operating in the SCADA market include Rockwell Automation, Inc. (U.S.), Siemens AG (Germany), Eaton Corporation plc (Ireland), Schneider Electric SE (France), ABB Ltd (Switzerland), Yokogawa Electric Corporation (Japan), General Electric Company (U.S.), Emerson Electric Co. (U.S.), Honeywell International, Inc. (U.S.), Mitsubishi Electric Corporation (Japan), OMRON Corporation (Japan), Pilz GmbH & Co. KG (Germany), Survalent Technology Corporation (Canada), Valmet (Finland), and Hitachi, Ltd. (Japan).

Browse In-Depth Report Now - https://www.meticulousresearch.com/product/scada-market-5186

SCADA Industry Overview: Latest Developments from Key Industry Players

*   In June 2023, Siemens AG introduced the SICAM 8 power automation platform, which includes two new software solutions: the SICAM HMI (Human Machine Interface) visualization tool and the SICAM S8000 software solution for power automation. This platform is part of the Siemens Xcelerator portfolio, an open digital platform designed to help customers accelerate their digital transformation at scale.
    
*   In April 2023, Siemens AG partnered with Gujarat Metro Rail Corporation Limited (GMRCL) (India) to advance rail electrification technologies. Siemens Limited will deliver project management services and cutting-edge rail electrification technologies, including advanced power supply and distribution systems. Additionally, Siemens Limited will provide sophisticated digital solutions, such as Supervisory Control and Data Acquisition (SCADA) systems, for both metro projects.
    
*   In March 2023, Rockwell Automation launched FactoryTalk Optix, a new addition to the company's visualization portfolio. FactoryTalk Optix is a modern, cloud-enabled human-machine interface (HMI) platform that allows users to design, test, and deploy applications directly from a web browser remotely, in real time.
    
*   In February 2023, ABB launched the ABB Ability Symphony Plus distributed control system that delivers seamless and secure access to an extended digital ecosystem for power generation and water industries. It increases performance and enables plant-wide digitalization, offering a noninvasive modernization of the installed base.
    
*   In October 2022, Emerson released a new version of its DeltaV distributed control system (DCS). Version 15 helps plants digitally transform operations through improved production optimization and enhanced operator performance.
    
*   In April 2022, ABB partnered with Ramboll (Denmark) to explore new opportunities in offshore substations. ABB will leverage its expertise in the design and supply of electrical, SCADA, automation, and telecommunications equipment. This includes engineering, products, installation, commissioning, and operational maintenance of these systems.
    
*   In January 2022, Schneider Electric entered into an agreement with AVEVA, a leading technology company. This collaboration was designed to further AVEVA's digital and sustainability objectives. Schneider Electric's extensive reach and profound market expertise will support AVEVA in sustaining, expanding, and enhancing its leadership in the industrial automation software and SCADA sectors across the Pacific region.
    
*   In April 2021, Mitsubishi Electric updated its SCADA lineup with GENESIS64, introducing two new software products for system monitoring and process control. This new software suite replaced the MC Works64 SCADA software, which was designed for monitoring small production lines and managing multi-site monitoring.
    
*   In January 2021, Rockwell Automation acquired Fiix Inc. (Canada), an AI-enabled computerized maintenance management system (CMMS) company. This acquisition bolsters Rockwell Automation's software strategy and strengthens its Lifecycle Services business. The addition of Fiix enhances the company's ability to offer a comprehensive range of industrial automation services, aimed at maximizing the value of customers' production assets, systems, plants, and processes.

SCADA Market Is Set to Reach $18.7B by 2031

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America.

Thursday, September 12, 2024 14:00

I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.  

That’s because the White House announced a new initiative last week for the U.S. government called the “Service for America” initiative designed to train new workers in the cybersecurity field. This measure directs U.S. federal agencies to help recruit and prepare Americans for jobs in cybersecurity and AI by removing certain degree requirements and emphasizing skills-based hiring. This means, hopefully, more educational resources for people looking to break into cybersecurity. 

On its face, I’m all in favor of this. I did eventually go back to school to get my associate's degree in cybersecurity, but much of what I’ve learned about this field has been from working at Talos and spending time around my talented and intelligent colleagues, many of whom did not go to college for cybersecurity.  

The U.S. government also has separate initiatives to support neurodivergent candidates who want to work in security, as well as those who are blind and visually impaired. 

My concern is that, even if we do train these employees and give them the proper skills, it’s on companies to eventually hire them.  

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. Yet hiring in the industry has remained flat, according to a soon-to-be-released report from cybersecurity non-profit ISC2. This year, the global security workforce is estimated to be 5.5 million, which is only a 0.1 percent increase year over year, according to the report. 

Among the more than 15,000 cybersecurity practitioners from around the globe who responded to the study, 38 percent of respondents said their organizations had experienced a cybersecurity hiring freeze over the past year, up 8 percent from 2023. Thirty-seven percent of respondents reported budget cuts to the security program, and another 25 percent said their teams had experienced layoffs.  

That same CyberSeek report also found that, in the U.S., the amount of cybersecurity-related job postings decreased by 29 percent year-over-year. 

So as these skills gap-closing programs begin, we need to be thinking about what skills, exactly, managers want their workers to be trained in. There is obviously some sort of disconnect here between the people who want to work in security compared to the companies or managers who want to hire them. Or there just simply isn’t enough money to go around right now to handle staffing up cybersecurity teams, and that’s just the reality of the current economy in the U.S. and globally.  

I’m not saying this to discourage anyone from entering the security space or spread doom and gloom. But I do think it’s important to acknowledge that there are many already skilled and trained workers who simply cannot find work or are treading water throwing dozens of applications at the wall to see what sticks. 

I’ve seen too many people posting on LinkedIn recently looking for a cybersecurity job to think that the solution to bolstering security is getting \*another\* worker in with the same skillset to compete for the same job opening as someone who’s been in the industry for 10 years. 

**The one big thing **

Talos recently uncovered a new threat called “DragonRank” that primarily targets countries in Asia — and a few in Europe — operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion. 

**Why do I care? **

This group compromises Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users. DragonRank engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company's online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. The actor then takes these compromised websites and promotes them, effectively turning these sites into platforms for scam operations. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malware used in these attacks. Talos has confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign, so it’s clearly still active and potentially growing. 

**Top security headlines of the week **

**A new type of attack called “RAMBO” could allow adversaries to steal data over air-gapped networks with RAM radio signals.** An Israeli academic researcher recently announced the discovery of RAMBO (Radiation of Air-gapped Memory Bus for Offense), in which an attacker could generate electromagnetic radiation from a device’s RAM to send data from air-gapped computers. Air-gapped systems are otherwise offline networks that are extremely isolated, often used in critical environments like government agencies, weapons systems and nuclear power stations. While RAMBO does not pose a threat for any hacker with access to the internet, it could open the door for insider threats with access to the network to deploy malware through physical media like USB drives or supply chain attacks. RAMBO could allow attackers to seal encoded files, encryption keys, images, keystrokes and biometric information from these systems at a rate of 1,000 bits per second. Researchers conducted tests into these types of attacks over distances of up to 23 feet. A technical paper published on the topic includes several potential mitigations, including RAM jamming, external EM jamming and Faraday enclosures around potentially targeted systems. (Bleeping Computer, SecurityWeek) 

**Commercial spyware makers are still finding ways to bypass government sanctions and, in some cases, have made their tools harder to detect.** A new report from the Atlantic Council found that “Most available evidence suggests that spyware sales are a present reality and likely to continue.” The report specifically highlights increased activity from Intellexa and the NSO Group, two companies known for creating and selling spyware tools that have been targeted over the past few years by international sanctions. These companies, and specifically Intellexa, have found ways to work around sanctions by restructuring their businesses with subsidiaries, partners and other relationships spread across multiple geographic areas. Intellexa is known for creating the Predator spyware, while the NSO Group is infamous for the Pegasus spyware. Both pieces of software often target high-risk individuals, sometimes by governments, such as journalists, politicians and activists. Security researchers also recently found that Intellexa has established new infrastructure in the Democratic Republic of the Congo and Angola, making “it more difficult for researchers and cybersecurity defenders to track the spread of Predator.” (Dark Reading, The Register) 

**Several Western intelligence agencies have formally charged the Russian GRU for carrying out cyber attacks against Ukraine designed to disrupt aid efforts.** Government agencies in the U.S., U.K. and several other countries blamed Unit 29155, which has been linked to past espionage campaigns, with targeting government and civilian agencies and civil society organizations in Western Europe, the EU and NATO after Russia invaded Ukraine in 2022. Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration. They also formally blamed Unit 29155 for the WhisperGate campaign, a coordinated attack on Ukrainian government agencies in January 2022 that seemed to set the stage for a physical ground invasion. The announcement stated that WhisperGate has since been used to “scout and disrupt” aid deliveries to Ukraine. When Talos first reported on WhisperGate in 2022, our researchers stated that “attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.” (Reuters, BBC) 

**Can’t get enough Talos? **

*   The 2024 Threat Landscape State of Play 
*   Vulnerability in Tencent WeChat custom browser could lead to remote code execution 
*   Watch our new documentary, "The Light We Keep: A Project PowerUp Story" 
*   Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API 
*   Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos  

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd

Latest News