Critical infrastructure is facing increasingly disruptive threats to physical processes, while thousands of devices are online with weak authentication and riddled with exploitable bugs.

Source: Tithi Luadthong via Alamy Stock Photo

Citing "heightened geopolitical tensions and adversarial cyber activity globally," industrial control systems (ICS) giant Rockwell Automation last month took the unusual step of telling its customers to disconnect their gear from the Internet. The move showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.

By way of background, the US Cybersecurity and Infrastructure Security Agency (CISA) has been sounding the alarm for months on increased threats to water supply organizations, power plants, manufacturing, telecom carriers, military footprints, and more — attacks that are largely being spearheaded by advanced persistent threats (APTs) backed by China, Russia, and Iran. Especially now, facilities teams should be ramping up their vigilance, thanks to it being a high-volatility year of elections and war, CISA has warned.

"These nation-states are targeting critical infrastructure for political or economic gain," says Gary Southwell, general manager at ARIA Cybersecurity. "Russian-backed attackers are targeting allies of Ukraine. They also host many cybercriminals who target high value infrastructure because of the money they can extort. China is playing the long game: get embedded in as much of our critical infrastructure as possible so they can exercise political leverage against us. In the past it was mostly to steal IP but that is now secondary.

"In both cases, these attackers are finding ways in and trying to leave behind code that they can use to control systems and potentially wreak havoc," he warns.  

Adding yet further to the security concerns are the rafts of security vulnerabilities that make online-exposed ICS gear that much more at risk for compromise. These are difficult to patch without purpose-trained expertise and often require downtime to fix, making remediation a no-go for many organizations. Rockwell's advisory links to several concerning bugs, including CVE-2021-22681, CVE-2022-1159, CVE-2023-3595 and CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917.

These can lead to attacks like denial-of-service (DoS) efforts that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment in order to control it; modifying settings to, say, change safety thresholds for power generators; remotely compromising programmable logic controllers (PLCs) to halt water sector operations; or even conducting destructive Stuxnet-style attacks that can obliterate a site's ability to function permanently.

In response, "removing connectivity \[from ICS\] as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors," Rockwell noted in its advisory, adding that this should be done "immediately" (which it wrote in all caps, in case the urgency of the matter failed to resonate).

**Most ICS Gear Has No Business Being Online**

While the advisory pertains to "devices not specifically designed for public Internet connectivity," that unfortunately represents the majority of ICS gear found online. Most installations still run legacy assets that have been in use for many years, and were never designed to be part of connected, "smart" installations.  

It's not a small problem, either: A Shodan search for "Rockwell" returned more than 7,000 results, including thousands of legacy PLCs, which control the physical and operational processes within ICS environments and are not meant to be exposed.

And therein lies the crux of the issue: If the machines are not meant to be reachable online, how did they end up that way in the first place?

"All too often in a world of 'hello, it works,' organizations find themselves in a situation where \[things are working operationally, but\] hardware and software are installed and configured in ways that are not recommended, leaving them vulnerable to attack," explains Ken Dunham, cyber threat director at Qualys Threat Research Unit. "Organizations are doing the best that they can, with the limited resources they have, in compressed time frames, often without appropriate training, experience, and checks and balances in place to ensure secure, effective outcomes."

Beyond resource constraints, there's also a significant disconnect between the IT security staff, and those actually managing the ICS assets. For example, John Gallagher, vice president of Viakoo Labs at Viakoo, notes that in many manufacturing environments, it's the manufacturing team and not IT that sets up OT devices, which introduces unwanted Internet-facing connections. 

"Manufacturing plants tend to have Internet-facing devices for a variety of functions, ranging from office equipment to cloud-connected manufacturing systems," he explains. He adds that all too often, there's not enough security expertise amongst those configuring ICS to properly set up and maintain network segmentation from those other aspects. Thus, the ICS gear — many times inadvertently — ends up operating on internal networks that are directly or indirectly reachable from the outside.

This "make it work" approach using limited resources also means that such exposed devices often lack other basic security controls when it comes to authentication, according to Jim Routh, chief trust officer at Saviynt.

“Unfortunately, it is relatively common to have industrial control devices configured with access controls outside of the IT and identity and access management teams and infrastructure, resulting in weak passwords in use," he explains. "In this case, enterprise customers using the Rockwell ICS devices may have been connected to the Internet with limited access controls that need hardening and management."

**Establishing More Mature ICS Security Practices**

To recap: critical infrastructure is facing increasing disruptive threats to physical processes; thousands of devices are exposed online with weak authentication and riddled with exploitable bugs; and there's an endemic lack of security team participation in site design and asset/infrastructure management. All in all, it's not an ideal situation.

Disconnecting these devices from the Internet is the safest way to address the concerns — even though taking devices offline and reconfiguring them to work in a different topology may seem daunting.

"In cases like the situation with Rockwell, where Internet connections are improperly enabled, it will require scheduled maintenance downtime in order to reconfigure them," Viakoo's Gallagher says.

Southwell calls it a drastic measure — but stresses that the risk really is high enough to warrant it. Nonetheless, for those organizations who decline to disconnect ICS gear from the Internet, limiting online exposure is one way to go, he says.

"For instance, only have the ICS open for short periods, and only to specific devices from known vendors using specific protocols and ports for access," he advises.

Bringing an IT approach to asset management for ICS gear is another way to harden the environment, Routh explains, including where connected ICS devices are located, what they do, whether they're using a default password or a customized password, and whether they're patched.

"The identification and categorization of assets, the configuration standards required for those assets, and then the vulnerability management and ongoing responsibility for those assets — this has never really been applied to devices that weren't considered IT assets, including ICS," he says. "That needs to change."

Even if gear is taken offline as directed, Gallagher warns that "configuration drift," where over time holes emerge as new assets are added to the environment, is a problem. He advocates using discovery solutions designed for IoT/OT and ICS — ones that are agentless and aware of application-device relationships.

"This is critically important to ensure that all communication paths remain inside the network segment (or perhaps have an outbound-only connection), and they should be periodically checked to make sure that configurations have not changed. Configuration drift management is a difficult task for IoT/OT/ICS systems and requires using solutions like application-based discovery to baseline and monitor changes."

Despite all the alarm bells and publishing of specific guidance and alerts on the risk that critical infrastructure faces at the moment, movement appears to be slow on the part of utilities and others when it comes to hardening their environments, he adds.

"It's really a slow-motion train wreck," Gallagher warns. "Until more comprehensive threat discovery, assessment, and remediation practices specific to IoT/OT/ICS are being widely used, there will be the threat of a massive wakeup call in the form of a disruptive cyberattack."

Don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, plus execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks

Nvidia's latest GPUs are a hot commodity for AI, but security vulnerabilities could expose them to attacks from hackers.

Source: Vasyl Yakobchuk via Alamy Stock Photo

Nvidia has issued 10 security alerts detailing vulnerabilities in the company's GPU drivers and virtualization software. The vulnerabilities, if successfully exploited, could allow attackers to steal or tamper with data, execute arbitrary code, or take control of programs, the company said. Considering Nvidia's growing prominence in artificial intelligence (AI) data centers, these attacks could cause significant damage.

Nvidia issued security patches addressing vulnerabilities in Nvidia's display drivers, which power GPU visuals on computers. The company also patched the drivers and software for the vGPU virtualization software stack, which is used in data centers and cloud services to serve up virtual desktops and applications. Five security vulnerabilities had "high" severity ratings, with the remaining rated "medium."

Nvidia urged companies to patch drivers for Linux and Windows PCs and servers affected by the vulnerabilities.

"Applying Nvidia's patches is crucial to prevent exploits, protect sensitive information, maintain system integrity, and ensure service availability," said Callie Guenther, senior manager, cyber threat research, at Critical Start, in a prepared research note.

**Impact on AI**

Nvidia's latest GPUs are increasingly being used to power AI workloads and data centers. The popularity of Nvidia's chips in AI make them an attractive target for hackers, says Kevin Krewell, a chip analyst at Tirias Research. AI data and models — especially the ones that are not open-sourced — are valuable and could be a target of GPU hacks, he says.

"With Nvidia chips going into more data centers and the rush to deploy new AI stacks, there's a new opportunity for vulnerabilities to be introduced," Krewell says.

Nvidia's 7-year-old Tesla GPUs, which are used in the Summit supercomputer (the ninth fastest supercomputer in the world), are among the affected products. Google also offers Tesla-based T4 instances to researchers developing AI applications for free via Google Colab. System administrators should pay close attention to patching these older GPUs, which are often ignored and are easy targets for hackers to break into server installations.

"Unpatched systems are definitely the easier way to break in. The issue is whether the Tesla chips have an inherent security vulnerability," Krewell says.

Adds John Bambanek, president at security consulting firm Bambenek Consulting: "Hardware always lives longer than manufacturers want it to, and the older you get, the more likely the operating system doesn’t centralize the patch management on them."

**Chips Need Timely Patches**

Chip makers have to be proactive in patching hardware and software vulnerabilities. Last month researchers published a paper demonstrating theft of data left by inactive processes on field-programmable gate arrays (FPGAs). FPGAs are used for applications that include machine learning in servers, PCs, Internet of Things, and telecom edge devices.

Nvidia had a 98% data-center GPU market share in 2023, according to research firm TechInsights. AMD plans to issue an updated driver to take care of data leakage issues in its MI300A and MI300X GPUs, which compete with Nvidia GPUs. Intel also patched a vulnerability in its AI software stack last month.

"AMD and Intel often produce regular reports on vulnerabilities that have been discovered, which can often be corrected by BIOS patches," Krewell says. "Tesla GPUs could be patched with new drivers."

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Nvidia Patches High-Severity Flaws in GPU Drivers

Face scans stored like passwords inevitably will be compromised, like passwords are. But there's a crucial difference between the two that organizations can rely on when their manufacturers fail.

Source: Zoonar GmbH via Alamy Stock Photo

Two dozen vulnerabilities in a biometric terminal used in critical facilities worldwide could allow hackers to gain unauthorized access, manipulate the device, deploy malware, and steal biometric data. And yet, exactly how damaging this could be for organizations is up for debate.

Biometric security is more popular today than ever, with widespread adoption in the public sector — law enforcement, national ID systems, etc. — as well as for commercial industries like travel and personal computing. In Japan, subway riders can "pay by face," and Singapore's immigration system relies on face scans and thumbprints to allow travelers into the country. The fact that even burger places are experimenting with face scans suggests something's brewing here.

In short order, though, hackers have found their way around and, sometimes, inside of these purportedly secure systems.

Recently, a Kaspersky researcher tore open terminals sold by the Chinese manufacturer ZKTeco. These white-label devices are used to guard corporate and critical premises worldwide, using face scans and QR codes. The research ended up yielding a couple of dozen garden-variety bugs, split into a number of categories, such as SQL injections, improper verifications of user input, and the like.

The risks to physical security are significant, but experts point out that a biometric data leak isn't necessarily as severe as a leak of other forms of personal data. Anyone worried about their face being stolen need not cry foul.

**Vulnerabilities in Biometric Terminals**

Exploiting a ZKTeco terminal could look like any other cyberattack, or it could involve rather inventive physical compromises.

On that first end of the spectrum are bugs like CVE-2023-3940 and CVE-2023-3942 — a path traversal and SQL injection flaw, respectively — which allow for viewing and extracting files, including users' biometric data and password hashes. Then there are CVE-2023-3939 and CVE-2023-3943, which allow for privileged command execution.

"It was quite astonishing to find a substantial number of SQL-injection vulnerabilities in the binary protocol used for transmitting control commands to the device," Georgy Kiguradze, senior application security specialist at Kaspersky, says. "Also, similar vulnerabilities were discovered in the QR code reader embedded within the device’s camera — a location where one would not typically expect to find such a vulnerability, as it is generally associated with remote attacks."

He's referring to CVE-2023-3938, where an attacker injects malicious data into a QR code to perform a SQL injection. When the terminal reads the code, it mistakes it as belonging to the most recently authorized legitimate user. In practice, then, an on-site attacker could trick a terminal into allowing them access to an otherwise restricted area. A modified version of this exploit with extra malicious data could also cause overflows and trigger a machine restart.

Kiguradze also found a means of physical attack via facial recognition. With a bug like CVE-2023-3941 — an issue with verification of user input — an intruder can access and remotely alter the machine's biometric database. At that point, they could upload their own face to the system alongside legitimate entries.

It's unclear yet whether ZKTeco has patched any of these vulnerabilities. Dark Reading has reached out to the manufacturer for more information.

**Securing Biometric Systems**

Biometrics generally are regarded as a step above typical authentication mechanisms — that extra James Bond-level of security necessary for the most sensitive devices and the most serious environments.

ZKTeco terminals, for example, are deployed around the globe at nuclear and chemical plants, hospitals, and the like. They guard server rooms, executive suites, and sensitive equipment. Vulnerabilities such as those described above might be ill-fitted for financially motivated cybercriminals, but devilishly useful to an insider or advanced nation-state threat actor intent on stealing data or even manipulating safety-critical processes.

The critical nature of the environments in which these systems are so often deployed necessitates that organizations go above and beyond to ensure their integrity. And that job takes much more than just patching newly discovered vulnerabilities.

"First, isolate a biometric reader on a separate network segment to limit potential attack vectors," Kiguradze recommends. Then, "implement robust administrator passwords and replace any default credentials. In general, it is advisable to conduct thorough audits of the device’s security settings and change any default configurations, as they are usually easier to exploit in a cyberattack."

"There have been recent security breaches — you've probably read about them," acknowledges Rohan Ramesh, director of product marketing at Entrust. But in general, he says, there are ways to protect databases with hardware security modules and other advanced encryption technologies.

Alternatively, organizations unsure about biometrics could focus on scaling them back where possible, or ensuring that they aren't the only protection in place. The trick is making sure those additional safeguards are invisible to the user, given that part of the appeal of biometrics is its frictionlessness.

"If I want to reset my multifactor authentication (MFA), or add a user to the system — if I want to change a server that hosts personally identifiable information (PII) or other critical data, or if I'm doing a banking transaction — I should need to go through extra verification through biometrics. You want biometrics to be a seamless option for certain situations," Ramesh says.

**The Big, Fat Silver Lining**

The bottom-line question for security teams is: Are biometrics materially safer than other forms of authentication if, in the end, the data is stored and protected the same way?

Well, yes, mostly, experts say.

"I want to address a common misconception," says iProov founder and CEO Andrew Bud, "which is that somehow a biometric is like a password and, therefore, like a password, if it were stolen or compromised, then it would become worthless. That is a fundamental conceptual error, because a biometric — like a face — is not a secret."

He explains, "A password is good because it's secret. But a face is not a secret in the modern world. It's enough to look on LinkedIn or Facebook to grab people's faces. What makes a face or any other kind of biometric so very valuable is not that it's confidential, but that the genuine article is unique. You can steal my password, but you cannot steal my face."

In practice, then, leaked photographs, fingerprints, or iris scans from a biometric scanner aren't the end of the world. One might instinctively cringe at the notion of a hacker holding a photograph of them, but facsimiles of the real thing shouldn't fool cutting-edge recognition technologies today. ZKTeco terminals have a temperature detection mechanism, for instance, that verifies personhood, preventing intruders from using, say, printed photographs to fool a facial-recognition terminal.

Alternatively, "You can do a bio-to-bio permutation," Ramesh suggests. "If I take a picture of you in May 2024, in May 2025, based on AI-based calculations and predictions, we could predict how you could \[physically\] change."

Or, Bud says, "When you check a person's face, you can introduce something unpredictable into the scene which causes the face to react in ways that are unique compared to a deepfake or copy."

He adds, "What we do is use the screen of the user's device to flash an unpredictable and unique sequence of colors that illuminates the user's face, and we stream video of the face back to our servers. The way that light reflects off a human's face, and the way that reflection interacts with the ambient light … that's a very, very, very peculiar, unusual, and unpredictable challenge, which is extremely difficult to forge."

If the facial recognition mechanism is robust to copies, he explains, "In principle, you don't have to rely upon the security of the device that it's collected on. In fact, we start out with the assumption that the device cannot be trusted at all."

Unfortunately, there is one caveat. Unlike with physical features like faces, eyes, and fingerprints, "It's extremely hard, if not impossible, to detect a deepfake voice," Bud says. "There is so little information in voiceprints that there aren't many signals of fakeness to find" — so, advanced versions of biometrics are the way to go.

Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks

As city officials continue to investigate, it's unclear which systems were affected and whether it was a ransomware attack.

Source: Mira via Alamy Stock Photo

Cleveland City Hall has been forced to close its doors due to a cyber incident that has disrupted the city's computer systems.

The city has not confirmed which systems were shut down, but the Department of Public Safety (911, police, fire, and emergency medical service), the Department of Port Control (Cleveland Hopkins and Burke Lakefront airports), and the Department of Public Utilities (water, water pollution control, and Cleveland Public Power) all remain operational. 

The cyber incident's nature and scope also have not been confirmed as an investigation is conducted. Only essential staff were required at City Hall on June 10, as officials continue to focus on securing and restoring services.

"According to the city officials, the incident was declared when they spotted abnormal activity on their network on Saturday. They immediately followed the pre-existing incident response plans (IRP)," said Ilia Sotnikov, security strategist and VP of user experience at Netwrix, in an emailed statement to Dark Reading. "We don't know the scope of the impact yet, but we can already say that the city has done a lot of right things to minimize the damage."

Those "right things" include shutting down affected services and isolating services that are high risk, as well as monitoring threats with early detection processes.

The City of Cleveland continues to provide updates through social media channels and is available during daytime hours to residents by calling 311.

**About the Author(s)**

Cleveland City Hall Shuts Down After Cyber Incident

Accused cybercriminal has special skills that helped Conti and LockBit ransomware evade detection, according to law enforcement.

Source: Andrew Unangst via Alamy Stock Photo

Police have arrested a 28-year-old Ukrainian man for his work as a freelance developer for the Russian ransomware groups Conti and LockBit.

The accused is an expert in developing cryptors, software that hides malware from antivirus detection, and according to a Ukrainian police report (translated with Google Translate), he frequently worked for Conti and LockBit in exchange for cryptocurrency. Law enforcement was able to identify his cryptors in successful ransomware attacks in Belgium and the Netherlands.

The crimes could land the accused in prison for up to 15 years, according to the announcement.

The splashy arrest is part of Operation Endgame, an ongoing international law enforcement campaign against cybercrime. Dutch officials said the suspect was taken into custody on April 18 with assistance from the multinational cooperation.

According to Dutch officials (also translated with Google Translate), "The police were tipped off by the NCSC (National Cyber Security Center) and, after further investigation, discovered that the Ukrainian man infected the computer networks of a company in the Netherlands with Conti's malware in 2021; a hacker group that offers ransomware for sale."

**About the Author(s)**

LockBit &amp; Conti Ransomware Hacker Busted in Ukraine

Obtaining — and maintaining — a complete inventory of technology assets is essential to effective enterprise security. How do organizations get that inventory?

Security professionals know that they need to be aware of the assets within their environments if they are to keep their organizations secure. After all, without a comprehensive view into asset inventory, it's impossible to perform effective risk assessment and prioritization of security efforts, vulnerability and attack surface management, and incident response.

The problem is, obtaining that accurate picture has remained elusive. It's a challenge that has increased in complexity and scale, often requiring chasing down information held within siloed teams, and in many ways lacks effective automation. In a recent Dark Reading report, "Effective Asset Management Is Critical to Enterprise Cybersecurity," experts outline the efforts needed to identify and manage business-technology assets to effectively protect an organization.

"Organizations struggle with gaining good visibility," says Tom Eston, offensive security expert and VP of consulting at cybersecurity services provider Bishop Fox.

Eston has witnessed the damage that can occur to an enterprise with a weak understanding of their networked assets. Much of the struggle Eston describes is due to the scale involved in obtaining a comprehensive asset inventory.

"There are just so many assets today," he says. "There are personal devices, company devices, and everything is now networked."

Eston shares an incident about when the physical security department at a client installed a number of inexpensive video cameras on their company network — and then forgot about them.

"No one knew these devices were installed. No one," he recalls. "They got popped."

Such challenges are at the top of CISOs' minds across every industry and for companies of all sizes. Jason Rader, VP and CISO at solutions integrator Insight Enterprises, agrees with Eston; he has had similar experiences.

"You can't secure what you can't see," he says.

The need for continuous digital transformation in the enterprise means asset management is a challenge that isn't going away. The underlying investments organizations make in software — both on-premises and cloud services — and the networked devices that entail such efforts will continue to create a complex, sprawling landscape of business-technology assets that, if not correctly identified and managed, will leave organizations vulnerable.

Download the report to learn how to gain control of your attack surfaces — not only how to know and discover the assets they have in place, but also to understand the security posture of these devices. This includes everything: on-premises software, endpoints, servers, the Internet of Things, operational technology and industrial-control system (OT/ICS) technologies, virtualized workloads, and cloud services.

**About the Author(s)**

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Asset Management Holds the Key to Enterprise Defense

An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.

Source: Vladimir Stanisic via Alamy Stock Photo

A threat group is exploiting a critical, easily exploitable PHP bug for remote code execution (RCE) in living-off-the-land style ransomware attacks that target businesses and individuals running both Windows and Linux systems.

TellYouThePass is a ransomware group active since 2019 that attacks victims using known vulnerabilities, particularly those found within open source Web development languages, including the widely exploited Apache Log4j (CVE-2021-44228) and the Apache ActiveMQ Server RCE bug tracked as CVE-2023-46604, according to a blog post published this week by Imperva Threat Research.

Lately the group has been exploiting a critical RCE vulnerability found within the PHP scripting language discovered earlier this month and tracked as CVE-2024-4577. "We noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system," the researchers said.

Similar to Java, PHP is a commonly used language in Web development, making any flaws that affect it a broad attack surface for attackers. If the Log4j flaw is any indication, these types of vulnerabilities can set off a viral stream of attacks that can plague organizations and their respective security posture for years.

**Critical Flaw With Public Exploit**

CVE-2024-4577 is an argument-injection vulnerability that stems from errors in character-encoding conversions in PHP, particularly impacting the "Best Fit" feature on Windows systems. "It poses significant risks, potentially allowing malicious actors to execute arbitrary code on vulnerable servers," according to analysis of the flaw by Beagle Security.

Researchers at watchTowr released a proof-of-concept (PoC) exploit script for CVE-2024-4577 on their GitHub page on June 7, demonstrating that the bug was not difficult to exploit.

Apparently TellYouThePass got the memo and has pounced on the flaw to execute arbitrary PHP code on the target system, according to Imperva. Specifically, the group is "leveraging the code to use the 'system' function to run an HTML application file hosted on an attacker-controlled Web server via the mshta.exe binary," according to the post. Mshta.exe is a native Windows binary that can execute remote payloads; thus, the attack vector shows the group operating in a living-off-the-land style.

**How TellYouThePass Attacks**

First identified by security researchers in 2019, TellYouThePass and its ransomware has taken "various forms over the years," according to Imperva. Most recently, variants of the malware have taken the form of .NET samples delivered using HTML applications.

"The initial infection is performed with the use of an HTA file (dd3.hta), which contains a malicious VBScript," according to the post. "The VBScript contains a long base64 encoded string, which when decoded reveals bytes of a binary, which are loaded into memory during runtime."

Further analysis of the executable reveals that the ransomware is a .NET variant that upon initial execution sends an HTTP request to the command-and-control (C2) server containing details about the infected machine as a notification of infection. "The callback masquerades as a request to retrieve CSS resources likely designed to evade detection," according to Imperva.

Once executed, the ransomware enumerates directories, kills processes, generates encryption keys, and encrypts files within each enumerated directory that has a defined file extension. Its final act is to publish a ReadMe message in the Web root directory that provides victims the info they need to respond to the attack.

**Avoiding Compromise via CVE-2024-4577**

The issue affects PHP versions 8.1. before 8.1.29; 8.2. before 8.2.20; and 8.3. before 8.3.8 when using Apache and PHP-CGI on Windows. PHP versions 8.1.29, 8.2.20 and 8.3.8 patch the flaw.

There are other ways that organizations can mitigate exploit of the PHP flaw as well as avoid ransomware attacks in general. Patching affected systems would be the first obvious mitigation of CVE-2024-4577; however, as seen with Log4j, sometimes it's difficult to update every system that is affected by a flaw in a Web scripting language.

One way to minimize exploitation of the flaw is to disable running PHP with CGI mode enabled, according to an analysis of the flaw posted online by DEVCORE. "Since PHP CGI is an outdated and problematic architecture, it's still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM," according to the post.

Some general best practices to avoid being compromised by ransomware include having strong awareness of all the various assets and applications present in an environment and patching any vulnerabilities affecting them, according to Imperva. Organizations also should use Web firewall technology that can stop attacks once they are discovered, as well as a reliable anti-virus program as a first line of defense against malware campaigns like TellYouThePass.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

TellYouThePass Ransomware Group Exploits Critical PHP Flaw

Alignment between these domains is quickly becoming a strategic imperative.

Source: Panther Media GmbH via Alamy Stock

COMMENTARY

With an increasingly complex threat landscape and the progression of threat-actor tactics, effective cybersecurity is non-negotiable. At the same time, staffing challenges and an uncertain economy have made it increasingly challenging to manage your attack surface and keep would-be threat actors at bay.

That's not for lack of effort — or expenditure. Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That's a 14% increase over 2023. Gartner expects that expenditures for IT will reach a whopping $5.1 trillion in 2024.

Amid all this, companies are striving for disruptive innovation and progress while keeping a close eye on budgets. Many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. As a chief information officer (CIO), I can attest that I've seen this crunch particularly within the global IT space. This is not a good moment for IT to be stressed out and overworked. The stakes are simply too high.

So, how can organizations mitigate threats while maintaining momentum?

It's time to finally break down the silos between IT and security. That starts by fostering alignment between the CIO and chief information security officer (CISO).

**Streamlined, Secure — or Both?**

Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.

**Access, Please: The CIO Imperative**

For many CIOs, it's common to be focused on streamlining and efficiency, especially given staffing challenges. Additionally, CIOs and IT teams work to ensure continuous access to optimized tools that help employees get their jobs done. Sixty-one percent of IT professionals admit that negative technology experiences directly impact their morale, underscoring the palpable connection between tech efficiency and employee engagement.

Lack of access to the right tools can contribute to "shadow IT." Conversely, streamlined, efficient operations enhance speed and elevate the digital employee experience.

**Standing Guard: The CISO Imperative**

Meanwhile, my peers in the CISO role dial in to ensure organizations are as secure as possible. This is a critical and constantly moving target, as threat actors continue to find new avenues of attack. Effective cybersecurity prevents all manner of problems, ranging from the inconvenient (unexpected downtime) to the catastrophic (a major breach).

I have an enormous amount of respect for the CISO role, as should everyone impacted by security. (And that's all of us.) In 2022, the average cost of a single data breach was $4.5 million — not counting ransomware costs. Meanwhile, nearly 87% of businesses grapple with a shortfall in IT security staff. This talent crunch severely threatens organizations’ defenses against evolving cyber threats.

**Exploring the Overlap**

Both CIO and CISO roles seek to optimize business outcomes, though we often take differing approaches. "Streamlined" and "secure" are frequently mutually exclusive, particularly if your organization lacks the right tools.

There are several areas impacting both IT and security. Just two include:

*   Influx of devices and data: It's anticipated that more than 180 zettabytes of data will be floating around by 2025. If you thought we were already facing a data firehose, you haven't seen anything yet. The more data produced, the more streamlined operations must be to manage relevant data effectively — and the more importance must be placed on data protection.
    

*   Shifting work environments posing challenges: The mix of remote, hybrid, and in-person work environments — plus the increasing reliance on personal devices used to access company data — makes things more challenging for both IT and security.
    

Problems like these aren't theoretical — they’re real. According to Duke University research, "more than 80 percent of U.S. companies indicate their systems have been successfully hacked in an attempt to steal, change or make public important data." Meanwhile, the digital employee experience is more critical than ever in the battle to attract, engage, and retain top talent — so any tools and policies must be user friendly and secure.

I like to think of these challenges as shared opportunities. 

**Unlock the Collaborative Potential of CIOs and CISOs**

This is where alignment comes in. IT and security may have been siloed, but that could change. The past few years have shown change is not only possible but essential for survival. 

Breaking down the silos between your IT and security leaders doesn't diminish their roles, it elevates them.

Collaborative IT and security leaders, and their teams, enjoy the benefits of:

*   Financial optimization through consolidation: Streamlining vendor and technology portfolios for optimized spending and resource utilization.
    

*   Elevated employee engagement: Eradicating shadow IT and fortifying digital business for heightened engagement and security. 
    

*   Heightened enterprise resilience: Bolstering cybersecurity measures to curtail risks and fortify the organizational backbone.
    

Fostering alignment between these teams will vary, but there are a few universal principles to keep in mind:

*   Loop in your applicable executive(s), e.g., your CEO, from the start. They should be on board with and involved in facilitating this alignment.
    

*   Clarify objectives and define roles. Seek commonalities with your counterpart to identify overlap and gaps. 
    

*   Make yourself open for regular communication and collaboration — and find out if there are cross-training initiatives available.
    

*   In collaboration with applicable executives, adopt a unified approach to performance metrics, reporting mechanisms, risk management, data governance, and compliance.
    

*   Work together when making decisions on technology adoption, resource allocation, and budgeting.
    

*   Tooling should be a shared responsibility to ensure coverage and observability are always meeting key performance indicators (KPIs).
    

The endgame with these tactics is a more efficient operation to make life easier for both parties. Worth noting: Intelligent hyperautomation can be a massive benefit in streamlining processes and amplifying operational efficiency.

IT and security alignment is a strategic necessity. This collaborative effort fosters mutual accountability and improves overall security by eliminating data silos that hinder response times and hide crucial insights.

**About the Author(s)**

Chief Information Officer, Ivanti

Robert Grazioli is chief information officer (CIO) of Ivanti, responsible for all of its global IT systems and SaaS Operations, including the integration of Ivanti acquisitions over the past two years. Bob originally joined Ivanti in June 2020 as vice president of SaaS operations. Bob brings more than 25 years of global experience spanning the financial services and the software industry. He has been involved in some of the biggest software acquisitions in the industry over the past 10 years and has been responsible for some of the largest SaaS offerings in the industry. In addition, Bob has oversight of Customer Zero, taking Ivanti’s SaaS operations to the next level through leveraging our own learnings to benefit the needs of our customers.

Why CIO &amp; CISO Collaboration Is Key to Organizational Resilience

The threat group behind breaches at Caesars and MGM moves its business over to a different ransomware-as-a-service operation.

Source: Papilio via Alamy Stock Photo

Last spring's spectacular implosion of mainstay ransomware-as-a-service (RaaS) operation BlackCat/AlphV left its affiliates burned — gamed out of millions they were owed for past scams and left without infrastructure to support their future cybercrime aspirations. What ensued was a recruiting war for the best affiliates into the RaaS groups left standing.

The RansomHub RaaS group appears to have scored a major victory by attracting the Scattered Spider threat group into its affiliate ranks, according to new research from GuidePoint Security. A detailed analysis reveals that Scattered Spider, a notoriously aggressive threat group behind the 2023 ransomware attacks on Caesars Entertainment and MGM Resorts, has been carrying out ransomware attacks using RansomHub starting earlier this year.

**RansomHub RaaS Recruiting Campaign**

The timing jibes with ads posted on the Dark Web by RansomHub promising prospective affiliates juicy 90/10 ransom splits with the group, as well as the promise to allow the cybercriminals to get paid first and payout the group later, to avoid "exit scams" like the one BlackCat pulled last March, according to Jason Baker, senior threat consultant with GuidePoint Security.

"Scattered Spider affiliates may also have been attracted to RansomHub based on the movement of peers or positive word-of-mouth," Baker tells Dark Reading.

Since those ads began, RansomHub has seen remarkable growth, Baker adds.

"RansomHub began claiming victims publicly on its data leak site in February, and has since posted over 75 victims in an alarmingly quick rise to prominence amid its peers, who generally operate at a slower pace in early months of operations," he says. As the group continues to attract talented cybercriminals who can earn a dishonest buck with RansomHub, the RaaS outfit is likely to continue to expand its operation, Baker predicts.

"If RansomHub operations are enjoying some level of success in revenue generation, and/or if other sophisticated affiliates have begun working with RansomHub, it could make the group a more attractive destination amidst other options," Baker says.

RansomHub Brings Scattered Spider Into Its RaaS Nest

Greater collaboration between financial and law enforcement officials is needed to dismantle cybercrime scam centers in Cambodia, Laos, and Myanmar, which rake in tens of billions of dollars annually — and affect victims worldwide.

Source

DARKReading