Some customers found that they had the ability to cancel a stranger's flight to another country after opening the app, which was showing other individuals' flight details.

Source: Stonemeadow Photography via Alamy Stock Photo

Qantas, the flagship Australian airline, is investigating a privacy breach after its customers were able to see other individuals' boarding passes, flight details, and frequent flyer information.

Josh Withers, a Qantas customer, said he was able to see another passenger's name and flight details when he opened the Qantas app. Each time he re-opened the flight portal, the app would pull up a different customer's flight information. Other passengers reportedly had the ability to cancel passengers' flights to Europe via the app.

The airline reports that there was "no indication of a cyber security incident," though it also said its investigation is pointing to a technology issue that could potentially have caused system changes leading to this privacy breach.

Qantas was able to resolve the issue roughly three hours after it was discovered but is urging the customers that were affected to remain vigilant of social engineering scams using the exposed information.

**About the Author(s)**

Qantas Customers' Boarding Passes Exposed in Flight App Mishap

The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.

Source: David Fleetham via Alamy Stock Photo

A never-before-seen malware strain is targeting enterprise-grade and SOHO routers to steal authentication details and other data from behind the network edge. It also performs DNS and HTTP hijacking attacks on connections to private IP addresses.

The packet-sniffing malware — dubbed "Cuttlefish" by the Black Lotus Labs team at Lumen Technologies who discovered it —features a zero-click approach to capturing data from users and devices, according to a blog post published May 1.

"Any data sent across network equipment infiltrated by this malware is potentially exposed," according to Black Lotus Labs. Attackers designed the modular malware to be triggered by a specific rule set, in particular to acquire authentication data, with an emphasis on public cloud-based services, the researchers said.

"To exfiltrate data, the threat actor first creates either a proxy or VPN tunnel back through a compromised router, then uses stolen credentials to access targeted resources," according to the post. "By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials."

Cuttlefish also has a secondary function that gives it the capacity to perform both DNS and HTTP hijacking for connections to private IP space that's associated with communications on an internal network. It can also interact with other devices on the LAN and move material or introduce new agents.

**Cuttlefish's Unique Malware Behavior**

Cuttlefish's capability to eavesdrop on edge networking equipment and perform DNS and HTTP hijacking "has seldom been observed;" however, campaigns such as ZuoRat, VPNFilter, Attor, and Plead exhibited similar behavior, according to Black Lotus Labs.

Unique to Cuttlefish, however, is its capability to zero in on private IP address connections for potential hijack, which is the first time the researchers have observed this capability and is likely for the purposes of anti-detection and persistence, they noted.

"We suspect that targeting these cloud services allows the attackers to gain access to many of the same materials hosted internally, without having to contend with security controls like EDR \[extended detection and response\] or network segmentation," according to the blog post.

The malware's combination of targeting networking equipment that's frequently unmonitored, as well as gaining access to cloud environments that often lack logging is intended to grant long-term persistent access to targeted ecosystems, the researchers noted.

**Turkish Telcos & Links to HiatusRAT**

Cuttlefish has been active since at least last July, with its latest campaign running from October through last month. The bulk of the infections occurred within Turkey via two telecommunications providers (a segment that's frequently targeted by cyberespionage malware), accounting for about 93% of infections, or 600 unique IP addresses.

There also have been "a handful" of non-Turkish victims, including IP addresses of clients likely associated with global satellite phone providers, and potentially a US-based data center, according to Black Lotus Labs.   

Researchers found links — specifically, code similarities and embedded build paths — to HiatusRat, thus they believe Cuttlefish also is aligned with the interests of China-based threat actors. However, so far Black Lotus Labs has not found shared victimology, surmising that the two malware clusters are operating concurrently.

**Infection Process and Execution**

While the researchers have not determined the initial infection vector, they did track the path of Cuttlefish once the targeted device was exploited, they said. The threat actor first deploys a bash script that gathers certain host-based data to send to the command-and-control server (C2). It also downloads and executes Cuttlefish in the form of a malicious binary compiled for all major architectures used by SOHO operating systems.

"This agent implements a multi-step process that begins with installing a packet filter for the inspection of all outbound connections and use of specific ports, protocols, and destination IP addresses," according to the post. "Cuttlefish constantly monitors all traffic through the device and only engages when it sees a particular set of activities."

The C2 sends updated and specified rules of engagement through a configuration file after it receives the host-based enumeration from the initial entry. The rule set directs the malware to hijack traffic destined to a private IP address; if heading to a public IP, it will initiate a sniffer function to steal credentials if certain parameters are met.

**Defending Against Router Attacks**

Aside from including a list of indicators of compromise (IoCs) in its post, the researchers also had separate advice for both corporate network defenders and those with SOHO routers to avoid and detect compromise by Cuttlefish.

Enterprise organizations should look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses which bypass geofencing and ASN-based blocking. They also should encrypt network traffic with TLS/SSL to prevent sniffing when retrieving or sending data located remotely, such as when using cloud-based services or performing any type of authentication, the researchers advised.

Organizations that manage these types of routers should ensure that devices do not rely upon common default passwords, as well as that the management interfaces are properly secured and not accessible via the Internet. Inspection of SOHO devices for abnormal files such as binaries located in the /tmp directory or rogue iptables entries, as well as routinely power-cycling these devices to help remove malware samples in-memory can also help organizations avoid compromise. Enterprises also should implement certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent threat actors from being able to hijack connections.

Consumers with SOHO routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as retiring and replacing routers that reach their end of life and thus support from their respective vendors.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Cuttlefish' Zero-Click Malware Steals Private Cloud Data

With mergers and acquisitions making a comeback, organizations need to be sure they safeguard their digital assets before, during, and after.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

Mergers and acquisitions (M&A) activity is making a much-anticipated comeback, soaring in the US by 130% — to the tune of $288 billion. Around the world, M&As are up 56%, to $453 billion, according to data from Dealogic.

When two companies are combined, a vast amount of sensitive data and information is exchanged between them, including financial records, customer information, and intellectual property. Additionally, different types of software and hardware often need to be integrated, which can create security vulnerabilities for cybercriminals to exploit.

Cybersecurity is critical to protect and safeguard the integrity of confidential data and can make or break an M&A deal. Having worked across a range of industries in my career, from banking and finance to healthcare, technology, and government, I've witnessed firsthand the cybersecurity challenges associated with managing M&As. Each M&A transaction I've been involved with has been far more complex than initially envisioned and took longer than anticipated to complete. This is especially true when it comes to integrating the technology stack.

**Understanding Cybersecurity in M&A**

Merging with or acquiring a company with a poor cybersecurity posture makes it much easier for cybercriminals to launch an attack. A data breach not only carries severe financial consequences, including legal fees and financial penalties, it also can be extremely damaging to an organization's reputation.

Without effective prevention and mitigation of cyber-risks, organizations could lose the trust of customers, partners, and investors, jeopardizing the deal. This is why cybersecurity must be a key consideration right from the beginning of the M&A lifecycle — not after it has happened. Regulators are also ramping up scrutiny of M&A deals and issuing significant fines for non-compliance. In many states and countries, rules such as the EU's General Data Protection Regulation (GDPR) protect personal data when it is transferred between entities.

**M&A Cybersecurity Checklist**

Leveraging more than 25 years of experience in risk, governance, and cybersecurity, I've put together this checklist to help organizations safeguard their digital assets before, during, and after a merger and acquisition:

*   Conduct early due diligence. Both entities must collaborate to assess the target company's current cybersecurity practices, internal IT infrastructure, and incident history to identify any weaknesses and security vulnerabilities. They might even want to bring in external auditors and cybersecurity experts specializing in M&A transactions.
    

*   Adopt risk metrics. Before making a plan, both entities must agree on an accepted level of risk and how this risk will be measured. Standardized risk metrics ensure that risk stays within the agreed levels, facilitating communication and collaboration at all levels of leadership in the new organization.
    

*   Establish a cybersecurity team. Create a dedicated team, bringing together experts from both entities to work together on addressing and managing potential cyber-risks. This will ensure that security practices are consistent across the entire new organization.
    
*   Develop a risk mitigation strategy. Based on the early assessment, the cybersecurity team can determine what procedures, processes, and technologies must be implemented to enhance the target company's cybersecurity posture before the entities combine. This plan should also clearly outline company policies and the roles and responsibilities across both entities for managing cybersecurity.
    

*   Plan for IT integration. Security measures are essential when integrating IT systems and networks. These include reviewing and enhancing current security architecture, implementing security policies, and testing for any security vulnerabilities. Adopting new tools and technologies to safeguard data during the integration process may be necessary.
    

*   Check for third-party risks. If external vendors are involved in the M&A process, ask them to detail their processes around managing and monitoring cybersecurity risks. The assessment must ensure vendor practices align with the target company's cybersecurity standards.
    

*   Establish identity and access governance and management. Implement strong controls so only authorized people can access sensitive information, digital assets, data, or systems — with different access levels depending on roles and responsibilities. This will help prevent or minimize hacking, fraud, internal data breaches, and human error.
    

*   Create an incident response plan. If a data breach occurs, organizations need a plan to minimize disruption to the business. It's essential to back up critical databases and store them off of the network to ensure data can still be accessed. The incident response plan should be printed out or distributed among staff so everyone knows what to do during a cyberattack.
    

*   Ensure ongoing monitoring. Cybersecurity doesn't end when the deal closes, and the post-M&A period can be a particularly vulnerable time for companies — so it's essential to be vigilant. That's why organizations need mechanisms for continuous 24/7 monitoring of systems and networks and real-time threat detection to identify security vulnerabilities and potential breaches.
    

*   Train employees. Ensure all employees of both entities involved in the merger or acquisition receive comprehensive and regular training about cybersecurity best practices. It's vital to communicate that each person can help play a part by watching out for threats and promptly reporting them. Consider conducting cybersecurity drills to prepare staff for what a cyberattack might look like.
    

**About the Author(s)**

CISO, Gathid

As the Chief Information Security Officer and an Executive Director of Gathid Ltd., Craig Davies is passionate about helping organizations strengthen access management without completely overhauling their people, processes, physical infrastructure, and technology. He has spent more than 25 years in cybersecurity, working in a number of fields, including infrastructure operations, security architecture and software, web development, and operations. As the first CEO of AustCyber, he negotiated agreements with states and territories to establish innovation notes across the country and set out a plan to make Australia a global force in the cybersecurity market.

The Cybersecurity Checklist That Could Save Your M&amp;A Deal

MOVEit drove a big chunk of the increase, but human vulnerability to social engineering and failure to patch known bugs led to a doubling of breaches since 2023, said Verizon Business.

Security bugs are having a cybercrime moment: For 2023, 14% of all data breaches started with the exploitation of a vulnerability, which is up a jaw-dropping 180%, almost triple the exploit rate of the previous year.

Let's put this in context, though. The MOVEit software breach, which wreaked supply chain havoc on companies across every sector, accounted for a large chunk of the increase in using exploits as an initial access method, and likely drove overall breach volumes up as well.

That's according to Verizon Business' 2024 Data Breach Investigations Report (DBIR), which analyzed a record 30,458 security incidents, out of which 10,626 were confirmed breaches — as a stat in itself, that's more than double the numbers from a year ago.

**Organizations Still Lack Security Maturity**

The DBIR, released today, detailed just how far patching can go in heading off a data breach. It also noted that a full 68% of the breaches Verizon Business identified involved human error — either someone clicked on a phishing email, fell for an elaborate social-engineering gambit, was convinced by a deepfake, or had misconfigured security controls, among other snafus. That's about the same percentage as last year, indicating that practitioners are not having much success when it comes to patching the human vulnerability.

In all, a picture in this year's DBIR emerges of an organizational norm where gaps in basic security defenses — including the low-hanging fruit of timely patching and effective user awareness training — continue to plague security teams, despite the rising stakes for CISOs and others that come with "experiencing a cyber incident."

"It can be a bit overwhelming for CISOs, particularly in environments where the security maturity of the organization is not as high as they would like," Suzanne Widup, distinguished engineer in threat intelligence at Verizon Business, tells Dark Reading. "But seeing organizations (large and small) still falling down in some of the basics is disheartening."

She adds, "Sometimes it takes the stakes being raised to get the attention of the appropriate people to affect change, sadly. What began with the data breach reporting laws has moved into serious consequences to company officers being codified into laws and regulations. But the bottom line is most organizations are not in business to worry about security. It has been an add-on after the fact for so long."

Other trends in the DBIR underscore the fact that teams need to address their cyber risk as a priority, and soon: A full 15% of breaches in the past year came from the supply chain, including issues with data custodians, vulnerabilities in third-party code, malicious packages in software repositories, and so on. That is an eyewatering 68% increase from 12 months previous, indicating that adversaries have copped to the fact that this is a tough area for security teams to get their arms around.

**MOVEit Moves the Cybercrime Needle**

Using the MOVEit bug was like shooting proverbial fish in a barrel — the world suddenly became a target-rich environment in the middle of last year for the Cl0p extortion gang and those cybercriminals that followed in its footsteps.

MOVEit Transfer is a managed file transfer app from Progress Software that organizations use to exchange sensitive data and large files both internally and externally. Progress claims thousands of customers for MOVEit, including major brands such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.

Cl0p reportedly spent two years developing the MOVEit file transfer zero-day exploit, first discovered and disclosed on May 31, 2023, by researchers after months of surreptitious attacks. Within a week of its public debut, CVE-2023-34362 was under mass exploitation by an array of threat actors; within a month, it had been used to breach at least 160 confirmed victims, including whales like Avast parent company Gen Digital, British Airways, Siemens, and UCLA. By the end of September 2023, it was linked to breaches at 900 different universities.

This MOVEit bonanza, which accounted for 8% of the breaches in Verizon Business' data set, had a ripple effect on several metrics in the DBIR, including a finding that 32% of all breaches involved some type of extortion technique (the MOVEit attacks involved stealing information and holding it for ransom) and the bump in supply chain breaches. And the DBIR found that the spike in the use of exploits for initial access was driven primarily by the increasing frequency of zero-day vulnerabilities by ransomware actors — a category that fits MOVEit to a T.

It should be noted, however, that zero-day use was up even outside of MOVEit: "The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises," said Chris Novak, senior director of cybersecurity consulting at Verizon Business, in a media statement.

And finally, 32% of breaches had an extortion or ransom element, with an average loss of $46,000 per company per incident.

**Challenges in Large-Scale Vulnerability Management**

Dovetailing with the increase in the use of bugs for initial access, Verizon Business also found that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Cybercriminals are a bit more johnny-on-the-spot: The median time for how long it takes for mass exploitations of the CISA KEV to develop on the Internet is just five days.

This "n-day" gap is one that threat actors have looked to exploit for years. But given the increasingly broad resources available to track and prioritize vulnerability patches, and the high stakes that now come with suffering a data breach (i.e., new mandatory SEC disclosure rules and personal liability for the CISO), it's clear that security teams need to make a coherent effort to move the needle on this risk.

"Time to patch the critical vulnerabilities getting faster would be welcome news," says Widup. "Having a background as a system admin, though, I do understand the necessities of testing the patches on complex environments to make sure you don't break production systems and cripple the organization. But at least working on that metric would be a good place to start."

One potential answer to getting off the patch-management hamster wheel is gaining more visibility into the attack surface, she advises.

"It's a bit like the tree falling in the forest — these software vulnerabilities exist whether or not someone finds them, and if we have more people looking for them by whatever means or motives, then we see them exploited (maliciously) or submitted to bug bounty programs (as a security researcher), which just means they are coming to light then," she explains. "The real action item for security teams is to do vulnerability scanning of the software that is deployed in their environments to see if they can find and report problems before they are found by someone with malicious intentions."

She also notes that considering vulnerability rates when bringing new platforms into the environment can help close the n-day gap simply by restricting the attack surface. "\[This means\] having security standards as part of the software vendor selection process, to make sure that the vendor is cognizant of the risks to their own organization and that of their customers. It may be that the best choice of a software vendor from a risk perspective is the one that follows the \[tenets\] of Secure by Design."

The overall lack of timely patching has had a surprise halo effect, according to the report: Despite the hype around AI risks, Verizon Business found little evidence that AI-enabled cybercrime was about to deliver organizations a data-breach Waterloo.

"While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach," said Novak.

**Humans Still the Weakest Cyber Link**

The DBIR found one trend that saw almost no change, ready for filing under "no surprise there": Most breaches (68%) involve a "non-malicious human element" who falls for phishing, misconfigures something, or otherwise makes a mistake. In other words, it's us. The problem is us.

And we fail fast, too. It takes less than 60 seconds for a mark to fall to a phishing routine, according to Verizon Business' phishing test results. The median time to click on a malicious link after an email is opened is 21 seconds, and then only another 28 seconds before the victim is obliviously entering their data into an attacker-controlled form.

Falling for social-engineering attacks in general is costly, too: The analysis found that the median loss in the past two years for business email compromise (BEC) scams is $50,000.

There was one slight glimmer of hope in the data-crunching: One-fifth (20%) of users identified and reported phishing in simulation engagements, and 11% of users who clicked on a decoy email went on to report it.

"So we did see some improvement in people not falling for the phish in simulations, and then those who have fallen for it, at least realizing it fairly quickly and reporting it," Widup explains. "It is vital to make sure that people can easily and quickly report when they have made a mistake, and not to discourage them with punishments. It is also important to have multiple layers of controls in place so that if someone does fall for a social attack, it doesn't necessarily mean a breach."

**Supply Chain Threats Accelerate to Warp Speed**

For the first time, Verizon is specifically breaking out supply-chain breaches as its own metric, which, as previously mentioned, are up significantly in volume in the last year.

"The threat actors are definitely turning towards compromising the larger third-party software companies, and it makes a lot of sense from their perspective if you think about it," says Widup. "They can compromise one vendor, and gain access to a large number of downstream victims in the form of their customer base. If they use the same kind of processes that push code updates, like we saw with SolarWinds, they have the opportunity to push malware to those systems without having to do the work of going into each of their environments. It's definitely more bang for their buck in terms of resources and effort expended. Then they can decide which of these newly compromised systems they want to leverage for further attacks."

The DBIR defines these as breaches that occur through a third-party "custodian," such as a managed service provider (common in the MOVEit cases); entry via a business partner (i.e, the HVAC incident that led to the 2013 Target breach); physical breaches in a partner company facility or even partner vehicles used to gain entry to a target; SolarWinds and 3CX-style breaches where software development processes and updates were hijacked; and vulnerabilities in open source or third-party software.

"This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other," according to the report's authors. "Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up."

They added, "We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners."

**Time to Shore Up the Security Basics**

For companies looking to take the DBIR findings to heart and take action, the report includes CIS Critical Security Controls for consideration in the sections where they apply.

"If they haven't already, I would recommend taking a look at them and all of the CIS Critical Security Controls as well, since their recommendations are tailored to the security maturity level of the organization," advises Widup. "It's a very helpful place to go for developing a security strategy, and we'd love to see more organizations adopting this or some other formal security methodology towards making their environments more secure. We break our metrics down into organizational size, industry, and regions to help our readers determine which threats they are most likely to face, and to point them in a direction where they can get some help with deciding how to increase their ability to defend against those threats."

The DBIR's focus on real-world metrics will hopefully be a tool for security teams to use to bring the stakes into focus for business owners and the board, she adds.

"People use the DBIR metrics to bring the threat from the theoretical 'this bad thing might happen to us' into the reality of 'this is already happening to other organizations of a similar size and in the same industry, and we need to address it now,'" she explains. "Breaches are not going away anytime soon, and any organization that thinks they are flying under the radar is in for a rude awakening. It is not a matter of if. It is a matter of when."

**For more information on the DBIR and what it means for your organizations, don't miss "Anatomy of a Data Breach: What to Do If It Happens to You," a free Dark Reading virtual event scheduled for June 20. Verizon's Alex Pinto will deliver a keynote, Up Close: Real-World Data Breaches, detailing DBIR findings and more.**

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

As the social media giant celebrates its two-decade anniversary, privacy experts reflect on how it changed the way the world shares information.

SourceL Skorzewiak via Alamy Stock Photo

In the 20 years since then-Harvard University student Mark Zuckerberg launched Facebook, there has been a profound shift in our understanding of privacy and security in the digital age. Facebook's path to becoming a digital town square has been fraught with challenges as the company — and the rest of the world — balanced the human desire to share information with the expectation of personal privacy.

In February, Zuckerberg went before a Senate committee and made apologies to parents who blame social media for what they say was its role in their children's death by suicide or from drug overdoses. Zuckerberg has appeared before congressional committees multiple times over the years to address concerns about the platform's impact. The issue of privacy, security, and Facebook has been a long-standing lightning rod, says Martin J. Kraemer, a security awareness advocate at KnowBe4 who has a doctorate in cybersecurity.

"Facebook's fundamental purpose, centered around the systematic collection of information, naturally conflicts with privacy and data protection laws," Kraemer says.

The social media company's missteps over the years have shaped the broader discussions and regulations around data privacy. In fact, it is that tension between social connectivity and privacy rights that prompted the need for robust data protection measures, influencing the creation of significant legal frameworks, like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Cambridge Analytica scandal in 2016 was a watershed moment for many, as the company's decision to grant third-party entities with unethical access to user data underscored the potential for personal data to be weaponized against democratic processes. This incident, according to Kraemer, was a direct catalyst for the CCPA and marked a decisive turn in how policymakers and the public at large perceived and prioritized online privacy and data security.

"Cambridge Analytica was the first time the dangers of mass data collection and processing became a tangible reality for the public," Kraemer says.

**The 'Attention Economy': Your Data Up For Sale**

Facebook has also been a key player in the development of the "attention economy," says Justin Daniels, a faculty member at IANS Research. Its creation catalyzed a shift toward the sale of user data as a commodity sold to the highest bidder under the guise of a "free" service.

"Their algorithm, designed to keep you on the site with things that you emotionally respond to, has resulted in the following: Information is available everywhere, yet the facts prove elusive, and anyone who disagrees with you becomes your adversary," Daniels says. "Our need to have convenience above all has made privacy and security afterthoughts for too many people."

The platform's initial slow response to recognize its role in disseminating misinformation, as evidenced by Zuckerberg's later retracted comments on the 2016 election, underscores the company's significant impact, Daniels says. Resulting state laws in Texas and Florida, targeting big tech, highlight a legislative response to privacy concerns directly influenced by Facebook's actions. Facebook's long-standing stance of neutrality as mere "engineers" has also allowed misinformation to proliferate, causing harm and dividing communities, he says.

Looking ahead, Daniels foresees a challenging future for online privacy and security, particularly with the advent of AI.

"If you connect the dots, you see that we are paying the price in privacy and security for Congressional inaction on the digital economy," he says. "They basically let the private sector innovate without any rules. Since big tech business models depend on collecting personal information, they are never going to voluntarily limit themselves, as data collection is critical to their business model. They are the richest companies in human history and now have great influence. An AI black swan event will be the culmination of this lack of regulatory oversight."

**A Privacy-Free Future?**

Like Daniels, AJ Nash, VP and Distinguished Fellow of Intelligence at ZeroFox, also thinks the quest for profitability, driving platforms like Facebook to maximize user engagement, comes at the expense of user privacy. Social media companies are neither legally accountable for user content, thanks to Section 230(c)(1) of the Communications Decency Act, nor are they obligated to adhere to First Amendment principles, he notes. That means policy changes within these platforms are primarily motivated by either the pursuit of growth or forced with governmental mandates, such as GDPR.

"If the user base shrinks or engagement drops as a result of user concerns regarding censorship, mis/dis/malinformation, privacy, or security \[for example\], social media platforms will likely be motivated to address those concerns with new policies," Nash says. "Beyond that, the only motivation any private corporation — including social media platforms — has for making any policy changes will likely be when they are required to do so by a government with the authority to enforce such mandates."

And as anyone working in security knows, social media's extensive data collection practices have also become a goldmine for attackers, enabling crimes ranging from theft to influence campaigns designed to sway public opinion — underscoring the complexity of securing user data against cyber threats on social sites that are designed to be, well, social.

"I recently read that 1.4 billion social media accounts are hacked every month, showing that hackers aren't reluctant to attack users directly," Nash says. "Social media platforms can \[and do\] collect an impressive amount of information about their users, including name, age, gender, location, IP address, devices used, hobbies/interests, shopping tendencies, political views, and individual or group pattern of life analysis … the list goes on. Most \[if not all\] social media platforms have reportedly been compromised at least once."

In light of this near-constant onslaught of attacks, Nash thinks there will be a shift toward resignation and skepticism among users. The concept of privacy also will be increasingly viewed as untenable in the face of the Internet and social media's expansion, he says.

"I think we've reached a point where most people believe they've been compromised and are becoming numb to — and skeptical of — the idea that their privacy can be protected," Nash says. "The two youngest generations seem largely less concerned with privacy than their predecessors. Social media probably played a significant role in all of this. As people spent more time on these platforms over the last two decades, they have grown accustomed to the news of data leaks, while becoming more interested in the potential benefits of less privacy than the associated risks. To be frank, I think we are nearing — if not already at — the dawn of a post-privacy world."

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Facebook at 20: Contemplating the Cost of Privacy

The purported metadata for each these containers had embedded links to malicious files.

Source: Tada Images via Shutterstock

Docker has removed nearly 3 million public repositories from Docker Hub after researchers discovered each one to be imageless and have no content besides an accompanying apparent description page that contained links to malicious content instead.

Researchers from JFrog spotted the threat in a recent investigation and identified the containers as being used in three large-scale campaigns to distribute spam and malware. Docker has since instituted a new mechanism that prevents links to external resources in the description pages of imageless repositories.

**More Moderation Needed?**

"Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub's platform credibility, making it more difficult to identity the phishing and malware installation attempts," JFrog said in an April 30 report. "Almost 3 million malicious repositories, some of them active for over three years, highlight the attackers' continued misuse of the Docker Hub platform and the need for constant moderation on such platforms."

JFrog found that some 4.6 million imageless repositories were published on Docker Hub over a five-year period. Of that, nearly all of them had associated metadata that was malicious in nature. JFrog researchers counted a total of 208,739 fake accounts that the attackers used to upload the malicious repositories.

According to JFrog, what enabled the threat actors is a Docker policy that allows users to include short text descriptions and metadata in HTML format, along with any container images that they publish to Docker Hub. The purpose in allowing these descriptions is to enable users to search for and find images on the cloud-based registry service that they might find useful for their projects. The feature allowed threat actors to upload imageless containers and to relatively easily include description pages that had embedded links to spam, phishing, and malware sites.

The mass uploads happened in two distinct waves — one in 2021 and the other in 2023. JFrog researchers were able to tie many of the 2021 repository uploads to a campaign to get users to download pirated content and cheats for video games. Most of the URLs in the campaign resolved to sites for malicious file downloads. If a server hosting malicious files was shut down or became otherwise unavailable, the links resolved to a different active server. Another mass upload in 2021 involved a free e-book phishing campaign that appeared designed to steal credit card information.

The 2023 uploads to Docker Hub were a repeat of the 2021 campaign involving pirated content and video game cheats. But instead of the repositories directly pointing to malicious sources, JFrog found them pointing to legitimate resources that quickly redirected victims to a malicious source. One page on blogger.com, for instance, took all of 500 milliseconds to redirect visitors to the malicious payload.

JFrog also uncovered a third campaign that involved a threat actor uploading 1,000 repositories to Docker Hub daily for three years. While the content in the associated documentation appeared harmless, the motive was clearly malicious, JFrog said. The company surmised the threat actor might have been carrying out some kind of a stress testing before launching a malicious campaign.

**Taking Advantage of a Policy Loophole**

Brian Moussalli, malware research team leader at JFrog, says the threat actors were able to carry out the attacks due to the lack of a policy in place that could have prevented it. "After we disclosed the attacks to Docker Hub, they implemented a protection mechanism that blocks embedding links to external resources in the description pages of imageless repositories," he says.

It's hard to tell how effective the malicious campaigns really were, Moussalli says. But it's likely the attackers used a legitimate site like Docker Hub to host pages containing links to malicious files, so users searching for pirated content, video game cheats, and free e-books wouldn't get suspicious. "Another option could be that they used Docker Hub for legitimacy but spread the links to those pages via direct messages to victims," Moussalli says. "Unfortunately, we're unable to determine how exactly victims were manipulated into clicking those links."

Docker can make things harder for threat actors by implementing restriction on mass creation of accounts, alongside enforcing new rules on repository creation, he says. For example, it could prohibit creation of imageless repositories or not allow new users to embed external links for some time after creation of the account or the repository.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Planted Millions of Imageless Repositories on Docker Hub

London Drugs offered no details about the nature of the incident, nor when its pharmacies would be functioning normally again.

Source: ton koene via Alamy Stock Photo

London Drugs, a Canadian pharmacy chain, has closed its stores until further notice due to an "operational issue."

A London Drugs spokesperson said the closure of stores in British Columbia, Alberta, and Saskatchewan is due to a "cybersecurity incident" that was discovered earlier this week, according to The Register.

The company doesn't believe any customer or employee data was affected, and it's working with third-party experts to investigate further. London Drugs also hasn't disclosed what kind of cyber incident occurred, such as a ransomware attack, nor who was responsible. It is unclear when stores will be operating regularly once more.

The retail chain posted on social platform X that its "pharmacists are standing by to support with urgent pharmacy needs." It recommends customers call in advance should they need services from their local pharmacy.

**About the Author(s)**

Canadian Drug Chain in Temporary Lockdown Mode After Cyber Incident

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

Source: Mohammad Aaref Barahouei via Alamy Stock Photo

Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.

For whatever reason, USB devices are a la mode again with some of the world's premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell's "2024 USB Threat Report," attackers are "clearly" turning to USBs to get a foothold in industrial networks.

With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they're leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.

**Why USBs?**

USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.

True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won't cut it.

"A lot of operational facilities are entirely air gapped," explains Matt Wiseman, director of OT product marketing at OPSWAT. "Those more modern approaches like email-based attack — something over the network — aren't really as effective when \[the OT systems\] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they're the only threat you can pick up in your pocket and carry beyond that air gap."

Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.

Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell's detected USB attacks), defense evasion (29%), and escalation privileges (18%), ultimately achieving persistence in the operational network.

Clearly novel and powerful malware and vulnerabilities are not the focus, as brand name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making rounds. The most common vulnerabilities exploited in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are equally dated. All of the most common CVEs listed in Honeywell's report have been known since at least 2018.

In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).

**Defending Against USB Threats**

The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions aren't necessarily the solution. "You can always go with the fundamentals," Wiseman says, meaning strict USB policies and procedures.

At many organizations, he says, "You go back a number of years, there was an honor system. 'Hey, did you scan that?' Now you have technology that can check to make sure. If you plug something in, it's not going to work unless it has been scanned and checked by some type of formal security solution."

This technology often takes the form of a kiosk or "sanitation station" for scanning removable media, placed strategically at the exterior of a sensitive site in order to make sure no malicious ones make their way through. Sometimes those stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.

"We're seeing more mature conversations now. What's our mobile program? What's the process for employees? What's the process for guests? How do we manage these devices? How do we view the activity that's occurring? And how do we ensure that we're ahead of it going forward?" he says. "There's definitely a massive realization of the threat that these devices can pose."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

To Damage OT Systems, Hackers Tap USBs, Old Bugs &amp; Malware

Verizon, AT&T, and T-Mobile USA are being fined for sharing location data. They plan to appeal the decision, which is the culmination of a four-year investigation into how carriers sold customer data to third parties.

Source: Wavebreak Media ltd via Alamy Stock Photo

The Federal Communications Commission (FCC) has fined the top US wireless carriers a collective $200 million for sharing access to customers' location information without consent, the culmination of an action proposed four years ago as authorities continue to grapple with how to reel in companies' handling of sensitive personal data. For carriers, who note that the fines are based on outdated programs that no longer exist, the action represents unsettled regulatory waters as requirements for handling customer data security and privacy in the modern era continue to shake out.

Specifically, the FCC fined Sprint and T-Mobile USA, which have merged since the investigation began, more than $12 million and $80 million, respectively; AT&T more than $57 million; and Verizon almost $47 million.

The agency proposed the fines in 2020 based on an investigation that started after reports that a Missouri sheriff consistently used a "location-finding service" operated by Securus, a company that provides and monitors telecommunications service in correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017.

The case ultimately revealed that the four telecom providers had programs in place at the time that were selling customer-location data to two data-aggregation firms, who then resold access to this data to other entities.

"This action demonstrated the carriers offloading obligations to obtain customer consent onto downstream recipients of location information," which in many instances meant customers did not actually consent to releasing their data, according to an FCC press release (PDF) on the decision. For their part, the carriers say that the data was shared with the third parties in order to enable location-based safety services such as roadside assistance.

"Our communications providers have access to some of the most sensitive information about us," said FCC Chairwoman Jessica Rosenworcel in a statement on the fines. "These carriers failed to protect the information entrusted to them."

This is likely not the end of the fines: The commission also said that it plans to continue to resolve these types of older privacy cases regarding customer data, holding "all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data," she said.

**Wireless Cos Push Back on FCC Privacy Fines**

All of the carriers confirmed to Dark Reading that they will go to court to appeal the decision, which was based on a provision of the Communications Act of 1934 that requires US wireless carriers to take reasonable steps to safeguard specific customer data, such as location information.

Generally, the companies claim the action by the FCC is based on outdated scenarios at the telecom providers that have since been remedied, and they no longer allow third parties to access sensitive customer location-based data.

Verizon spokesman Rich Young says the order concerns an old program at Verizon that required customers to opt in and was shut down more than five years ago. The program "was intended to support services like roadside assistance and medical alerts," he tells Dark Reading, and Verizon shuttered it when the company discovered it was being used fraudulently.

"Verizon is deeply committed to protecting customer privacy," Young says. "Unfortunately, the  FCC's order gets it wrong on both the facts and the law, and we plan to appeal this decision."

For its part, T-Mobile USA gave Dark Reading a statement to much the same effect: "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted. We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."

AT&T too plans to appeal the fines, which apply for a service that was discontinued in 2019.

"The FCC order lacks both legal and factual merit," a spokesperson says. "It unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."

A spokesman for CTIA, a telecommunications industry trade association representing US carriers and resellers, also criticized the fines, citing a "broken enforcement process" on the part of the FCC that deserves examination by Congress.

"After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA's request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them," said CTIA senior vice president and chief communications officer Nick Ludlum, in a media statement.

**Carrier Uncertainly: Customer-Privacy Worries Persist**

Complaints that the FCC is behind the times may indeed be justified, as the commission is not known for moving quickly on clarifying how telecom and VoIP providers handle customer privacy.

For instance, it took the FCC 16 years to update how telecom and VoIP providers report data-breaches, issuing new rules in February of this year that they must notify customers whenever there's personally identifiable information (PII) involved in a cyber incident. The new rules — which also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery — were the first since 2007 to be issued by the commission regarding data-breach notifications.

Meanwhile, the issue of customer privacy when it comes to carriers continues to be a worry, and the fines appear to demonstrate a heavy hand by the FCC in holding communications providers accountable when private customer data leaks. Abroad, other privacy troubles concerning how carriers handle customer data also are brewing.

For example, a huge swathe of telecom customers in Namibia recently were faced with losing their phone service if they didn't hand over sensitive biometric data to the country's premier telco, Mobile Telecommunications Ltd. The potential privacy threat occurred after a well-intentioned plan to combat mobile fraud and identity theft went astray.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Wireless Carriers Face $200M FCC Fine As Data Privacy Waters Roil

Themed "The Art of Possible," this year's conference celebrates new challenges and opportunities in the age of AI.

Liat Hayun, Co-Founder & CEO, Eureka Security

April 30, 2024

3 Min Read

Source: Aleksandr Matveev via Alamy Stock Photo

COMMENTARY

This year's RSA Conference theme, "The Art of Possible," celebrates the challenges brought about by new frontiers, broken boundaries, and promising horizons. While the shift to the cloud initially caused concern and hesitation, as data began moving through it, across environments and with very little oversight, data security professionals knew this profound shift in the modern business model would bring about not only challenges but also opportunities. As we enter the age of AI, the security community must embrace the possibilities of improved data security mechanisms, alongside — without obstructing — improved business processes. Looking ahead to this year's RSA Conference, here are six leading data security sessions we're excited to attend — and that will help us uncover AI's risks and opportunities.

**My Top Six Picks****Operational Data Governance-by-Design Techniques for a Data Practitioner**

Monday, May 6

Why you should attend: This session, led by Cisco Systems, seems like a unique opportunity to discover practical tools for implementing data governance across your organization while presenting various use cases, with attention given to all aspects of data use and management. Assess your level of data governance by engaging with other data practitioners in the audience in this live discussion.

**Bridging Theory and Practice of Privacy and Data Protection**

Monday, May 6

Why you should attend: The more data floods the industry, the more practical tools security practitioners need to ensure that privacy and data protection concerns are addressed across their organizational environments. This session will include practical examples of integrating data security and privacy guardrails and measures in real business environments, sourced from the audience.

**ChatGPT Unleashed: Solving Data Breach Puzzles With Precision**

Monday, May 6

Why you should attend: A data security challenge leveraging AI? Sign us up! This unique session challenges participants to use ChatGPT prompts to mitigate a looming data breach, with hidden malware waiting to be found and fixed. Beyond a fun experience, this session will expand the knowledge of what may be possible with the next generation of AI technology and lead us through an innovative learning experience.

**Controlling a Data Footprint — How to Build a Data Disposition Framework**

Monday, May 6

Why you should attend: Data is a goldmine for organizations, and they're constantly innovating in how they gather and leverage it to achieve business goals. This session will equip you with a step-by-step approach to building a data lifecycle management framework. This framework will empower companies to decide how long to hold onto data, and outline methods for safeguarding, transforming, or eliminating data to comply with regulations.

**Establishing a Data Perimeter on AWS**

Wednesday, May 8

Why you should attend: While it may seem like there are no boundaries in the cloud era to where data can reside, be stored, and be used, data security guardrails and mechanisms exist for this purpose exactly — to let data roam free for business use, while ensuring that security controls are set in place and visibility is maintained across all environments, at all times. This session will present some of the controls used by AWS to protect data from unauthorized access.

**Data Heist: How Stolen Information Becomes a Hot Commodity**

Thursday, May 9

Why you should attend: We're so busy preventing breaches that we don't often take the time to consider what malicious actors do with the data they steal after the crime. This session dives deeper, exploring the clandestine marketplaces where stolen information is peddled. You'll be exposed to the inner workings of these criminal data shops, with comprehensive risk assessments comparing the vulnerabilities of various data types and how to best protect them.

**Final Thoughts**

While data security has been a top-of-mind business and security concern for the past decade, the ever-evolving landscape of data innovation constantly introduces new and emerging threats for security practitioners. To stay ahead of the curve, cybersecurity professionals must remain vigilant and adapt their strategies accordingly. The upcoming RSA Conference provides a phenomenal platform to achieve just that, with a wide range of sessions on the latest data security trends and solutions. Hope to see you there!

**About the Author(s)**

Co-Founder & CEO, Eureka Security

Liat Hayun is the Co-founder and CEO of Eureka Security, a Cloud Data Security Posture Management platform that enables security teams to successfully navigate the ongoing and often chaotic expansion and growth of cloud data. Prior to co-founding Eureka Security, Liat spent a decade leading cybersecurity efforts in the Israeli Cyber Command and Palo Alto Networks. Her IDF service merited the prestigious Israel Defense Prize. As VP of Product Management at PANW, Liat led the production of Cortex XDR and PANW’s Managed Threat Hunting service. These roles have enabled Liat to pursue her greatest interests and concerns in the cybersecurity threat landscape, as well work with wonderfully talented people on their solutions. Passionate about working closely with others, she is driven to identify meaningful operational security gaps and develop exciting new technologies and strategies to help fellow security leaders tackle them.

Source

DARKReading