Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical."

Source: redbrickstock.com via Alamy Stock Photo

Microsoft outdid itself with this month's Patch Tuesday releases, which contain no zero-day patches, though at least one of the patches addresses a flaw already being actively exploited.

Products affected by the most recent Patch Tuesday updates include Windows and Windows Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot.

Microsoft's April update included 147 CVEs, three rated "Critical," 142 categorized as "Important," and two listed as "Moderate" in severity. That number swells to 155 CVEs if third-party flaws are included. The number represents a record high for Patch Tuesday fixes.

"Microsoft patched 147 CVEs in April, the largest number of CVEs patched in a month since we began tracking this data in 2017," Satnam Narang, senior staff researcher engineer at Tenable, said in a statement. "The last time there were over 100 CVEs patched was October 2023, when Microsoft addressed 103 CVEs." The previous high was in July 2023, with 130 CVEs patched, Narang added.

Microsoft did not indicate any of the April Patch Tuesday CVEs are zero-day threats, a welcome departure from last year's brisk clip of zero-day disclosures.

"This time last year, there were seven zero-day vulnerabilities exploited in the wild," Narang said. This year, there have only been two zero-days exploited and both were in February. "It's difficult to pinpoint why we've seen this decrease, whether it's just a lack of visibility or if it signifies a trend with attackers utilizing known vulnerabilities as part of their attacks on organizations."

However, Dustin Childs of the Zero Day Initiative noted in his April Microsoft Patch Tuesday analysis that his organization has evidence of a known exploited flaw in the list of this month's fixes.

**Patch Tuesday Fixes to Prioritize**

Childs pointed to the max-severity vulnerability in SmartScreen Prompt Security Feature Bypass (CVE-2024-29988) with a CVSS score of 8.8, which was discovered by ZDI but wasn't listed as exploited in Microsoft's Patch Tuesday update.

"However, the bug reported by ZDI threat hunter Peter Girrus was found in the wild," Childs added. "We have evidence this is being exploited in the wild, and I'm listing it as such."

Another max-severity bug impacting the Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2024-20678) was given a CVSS score of 8.8 and patched this month by Microsoft.

A spoofing vulnerability (CVE-2024-20670), listed as max-severity with a base CVSS of 8.1, was fixed in Outlook for Windows. And a Windows DNS Server Remote Code Execution, also listed as max-severity (CVE-2024-26221) with a CVSS score of 7.2, was patched as well.

**Microsoft SQL Gets Plenty of Patches**

Microsoft SQL Server vulnerabilities make up a large share of this month's Patch Tuesday fixes, according to Kev Breen, senior director threat research for Immersive Labs.

"While at first glance, it may appear that Microsoft has called out a large number of vulnerabilities in its latest notes, 40 of them are all related to the same product — Microsoft SQL Server," Breen said in a statement. "The main issue is with the Clients used to connect to an SQL server, not the server itself."

Breen went on to explain that all of these would require social engineering, making the SQL flaws difficult to exploit in any useful capacity.

"All the reported vulnerabilities follow a similar pattern: For an attacker to gain code execution, they must convince an authenticated user inside an organization to connect to a remote SQL server the attacker controls," Breen added. "While not impossible, this is unlikely to be exploited at scale by attackers."

Security teams concerned about these types of attacks should look for anomalous activity and block outbound connections except to trusted servers.

**Microsoft SmartScreen Prompt and Secure Boot Flaws**

Tenable's Narang noted this month's fix for the SmartScreen Prompt security feature bypass (CVE-2024-29988), with its CVSS score of 8.8, likewise relies on social engineering to make exploitation possible. A similar zero-day bug (CVE-2024-21412), discovered by the same researchers was used in a DarkGate campaign impersonating popular brands like Apple iTunes.

"Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites," Narang said. "However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware."

Narang also suggested security teams take a look at the 24 Windows Secure Boot flaw fixes included in Microsoft's April Patch Tuesday release.

"The last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932) in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on Dark Web forums for $5,000," he said.

BlackLotus malware is able to block security protections while booting up.

"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future," Narang stressed.

Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk

PRESS RELEASE

SAN DIEGO, April 9, 2024/PRNewswire/ -- ESET, a global leader in digital security, is pleased to announce the introduction of ESET Small Business Security, which has been specifically designed to meet the cybersecurity needs of Small Office/Home Office business owners.

According to the Small Business Administration, out of the 33.3 million small businesses in the United States, over 27 million are managed solely by their owners and do not employ any additional personnel. Over 5 million small businesses have under 19 employees1. ESET's new comprehensive security solution is engineered to provide seamless, user-friendly protection, enabling these smaller SMBs to thrive in an increasingly digital landscape.

"This new offering is a testament to ESET's commitment to innovation and its dedication to supporting the growth and security of entrepreneurs, small businesses and home offices," said Brent McCarty, President of ESET North America. "Small businesses have long demanded the power of ESET in a right-sized offering. With this launch, we provide SOHO business owners with a simple yet powerful solution for their businesses that is easily manageable, highly reliable, and tailored to their needs, enabling them to focus on their growth without compromising on security."

The ESET Small Business Security solution supports up to 25 devices and offers an array of features tailored to safeguard online banking transactions and browsing, secure devices, manage passwords, protect Windows servers, encrypt sensitive data, guard against ransomware and counter phishing scams. Furthermore, the offering facilitates safe and anonymous browsing alongside unlimited VPN security where applicable, ensuring both work and personal devices are shielded from cyber threats. This new offering guarantees reliable security with a minimal system footprint, ensuring efficient protection across multiple operating systems, including Windows, Android, and macOS.

ESET Small Business Security includes ESET HOME, security management platform that enables users to have complete security management with information about security status, devices, subscriptions and features currently in use.

ESET HOME is available via a web portal and a mobile application, allowing users to have security of their devices under control anywhere they go.

For more detailed information about ESET Small Business Security, visit here.

About ESET  
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET's high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET's R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter (X).

ESET Launches a New Solution for Small Office/Home Office Businesses

PRESS RELEASE

WEST PALM BEACH, Fla., April 08, 2024 (GLOBE NEWSWIRE) -- Veriato released their next generation Insider Risk Management (IRM) solution, re-imagined from the ground up to deliver superior insider risk management and threat detection. With organizations of all sizes facing a more complex cybersecurity environment, Veriato IRM delivers unprecedented flexibility and scalability using the power of GenAI.

Veriato's IRM solution offers best-in-class technology for companies looking to improve their threat mitigation with AI enabled predictive analytics delivering better detection and predictability. According to IBM, the average cost of a single data breach has reached $4.45 million, a record high. Organizations need a holistic view of employee behavior to get ahead of threats and to reduce their exposure and costs. The new platform provides the agility and usability that make it a must-have in the fight against increasing insider threats. Features such as predictive risk intelligence, risk scoring, baselining and PII identification offer market-leading detection capabilities that are easy to deploy and manage.

Veriato IRM delivers:

*   Unparalleled risk detection capabilities with Generative AI.
    
*   Advanced behavior pattern identification across logon events, document activity, email activity, etc.
    
*   Complex dimensional analysis, including Risk Scoring.
    
*   Comprehensive language and sentiment analysis.
    
*   Automatic PII/PHI identification with RAG pre-trained models.
    
*   Flexible and scalable microservices architecture.
    
*   Multiple deployment options – cloud, on-premise, hybrid.
    

Veriato IRM is the product of close collaboration with Veriato’s global base of customers across a number of industries including financial services, healthcare and government. Designed with a deep understanding of today’s changing workforce and the technology and data needs of today’s modern organization, Veriato IRM is the most advanced and usable solution on the market today.

“Insider Risk Management has become essential for organizations committed to protecting customer data, IP and their employee bases now that the future of work is here. From board rooms to SMBs, IRM is at the top of security agendas. Applying behavioral analytics to cyber allows leaders to get ahead of breaches instead of just reacting to them when they occur,” said Elizabeth Harz, CEO of Veriato. “We are extremely excited to build upon our history as the category creator, and provide a new layer of control, transparency, confidence and perhaps most importantly, proactivity.”

About Veriato

Veriato is reinventing the category it created, using AI-based user behavior analytics to help companies prevent risks and increase productivity in their remote, hybrid and in-office environments. Veriato’s platform offers solutions for Insider Risk Management (IRM), behavioral analytics, user activity monitoring (UAM) and data loss prevention (DLP) in a single powerful platform. Veriato delivers monitoring, salient alerts, reporting and screenshots, allowing customers to be predictive and proactive rather than reactive, critical in cybersecurity. The platform helps global Enterprises, SMBs and Government entities become more engaged, productive and secure.

You May Also Like

Veriato Launches Next Generation Insider Risk Management Solution

Scans showed that 91,000 devices are exposed and at risk for unauthorized access and TV set takeover.

Source: Askar Karimullin via Alamy Stock Photo

Researchers at Bitdefender have discovered four vulnerabilities in LG webOS, the operating system for multiple models of its smart television line.

According to the researchers, even though the now vulnerable LG webOS service is supposed to be used in local area networks, scans show that there are reportedly roughly 91,000 exposed devices that are vulnerable to the bugs.

The bugs are a mix of command injection, privilege escalation, and bypass vulnerabilities and are tracked as CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, and CVE-2023-6320. For instance, CVE-2023-6317 can allow an attacker to add an extra user to the TV set, and CVE-2023-6318 can allow a user to use the access "gained in the first step to root and fully take over the device."

They impact webOS 4.9.7-5.30.40 running on LG43UM7000PLA, webOS 5.5.0-04.50.51 running on OLED55CXPUA, webOS 6.3.3-442 (kisscurl-kinglake)-03.36.50 running on OLED48C1PUB, and webOS 7.3.1-43 (mullet-mebin)-03.33.85 running on OLED55A23LA.

The researchers reported their findings to LG in November 2023, but it was only last month that the vendor released security updates. Affected users who have not been alerted to the vulnerabilities or the updates to fix them should go to the TV "Settings," then "Support," and "Software Update," and then click on "Check for Update."

**About the Author(s)**

LG Smart TVs at Risk of Attacks, Thanks to 4 OS Vulnerabilities

As more electric vehicles are sold, the risk to compromised charging stations looms large alongside the potential for major cybersecurity exploits.

Source: Rosemary Roberts via Alamy Stock Photo

The increasing popularity of electric vehicles (EVs) isn't just a favorite for gas-conscious consumers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks. This is because every charging point, whether inside a private garage or on a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

"As EV charging becomes more widespread, they will become appealing targets to more sophisticated hacking groups," says Hooman Shahidi, the CEO of EVPassport, a charging network provider. "Providers need to think of their products as critical infrastructure and a critical component of our national security." There are 2.5 million electric vehicles operating in the US, and more than half of them require plug-in chargers. Acknowledging their popularity, back in 2022, the UK mandated charging stations be built in all new residential construction.

Charging stations face significant cybersecurity risks. "Issues include unprotected Internet connectivity, insufficient authentication and encryption, absence of network segmentation, unmanaged energy assets, and more," wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could damage the power grid, for example, or result in stolen customer data. “Chargers have personal and payment information and run a variety of protocols that aren't typically recognized by traditional firewalls," says Check Point Software's Aaron Rose, who works in the office of the CTO.

The early stages of cyberattacks on charging stations began a few years ago, when one Russian station was attacked in February 2022 in response to the Ukraine war and three more were compromised in the United Kingdom in April 2022. Both situations were more cyber pranks that displayed rude messages on the screens of the units. Shell patched a vulnerability last year in one database that could have exposed millions of charging logs from across its EV charging network.

New vulnerabilities continue to plague charging stations. Two of them could lead to remote code execution and potential data theft, discovered by SaiFlow earlier this year. The exploits take advantage of weak authentication routines among the various software modules that are used in the stations, according to their research. Charging station vendor Enel X Way lists a variety of other data compromises involving vehicle ID numbers, as well as exploits that could gain remote access to the vehicle controls.

Elias Bou-Harb is a computer scientist with the Louisiana State University who has long studied charging station security. He has found almost every charging product has major vulnerabilities, including well-known attack methods such as SQL injection and cross-site scripting. "What is particularly alarming is that some well-known protective measures haven't been implemented by most of the vendors, and that few of them have taken steps to improve their security even after we identified these weaknesses."

**IoT Devices Remain Attractive Targets**

Certainly, threats from charging stations aren't the only IoT devices that are targets of opportunity for cyberattackers. And the stations are just one of a multitude of IoT devices where exploits continue to increase. The combination of numerous smaller vendors with poor security design and practice and numerous automated tools such as botnets to locate and compromise various devices makes all IoT devices easy targets for hackers. Data from the US Federal Communications Commission (FCC) increased since then.

But the charging stations do represent a complex — and therefore very rich and potentially exploitable — combination of elements that can go beyond smart TVs and smart speakers. For example, Check Point's Rose says that "chargers have similar risk profiles but present a different attack surface to other smart devices."

What this means is that the chargers run management software tools "in between the EV user and the car and between the charging station and the power grid and coordinate billing, authentication, and supplied power," Bou-Harb says. "And adding to this complexity, all of this is also deployed by the charging vendors in the cloud." His research has found that some of the software run by these stations has been exploited for years, "and that vendors haven't yet realized they have been compromised, let alone fixed the problems."

Enel X Way's blog post lists a comprehensive eight-point framework for charging stations that covers identity access, risk management, emergency response, and other factors. 

**In Regulators' Crosshairs**

Both the US and Europe are making regulatory steps to try to rein in charging stations, both public and private. The UK has had an anti-tampering law in effect since 2022 relevant to the home-based charging stations. This resulted in security improvements from several vendors, as recently reported. Wallbox, a charging station vendor, added extra security safeguards to its equipment to comply with these regulations, while other vendors have dropped out of European markets rather than improve their products. 

The EU has proposed new cybersecurity safeguards for electric grid operators and IoT vendors in its NIS2 directive last year that will take effect in October. It includes stricter breach reporting requirements and levies higher fines, among other items. 

Another proposal is to have the charging station industry self-certify their devices, like what Underwriters Laboratories does for various electronics. European automotive safety vendor Dekra proposed a public charging station certification program that it claims is an industry first. It offers three different levels that range from providing basic security services to penetration testing of the equipment. 

The US is lagging in these efforts. Last summer, the Biden administration proposed a cybersecurity labeling program for smart home devices. Dubbed the Cyber Trust Mark, it would be administered by the FCC, based on work developed by the National Institute of Standards and Technology. "The Cyber Trust Mark is a great idea," Check Point's Rose says. "But execution is going to be key. The mark must be updated and based on doing continuous testing of devices."

Last year, the National Institute of Standards and Technology (NIST) also proposed a series of recommendations for public charging stations to improve their cybersecurity. However, one key element of the NIST, Cyber Trust, and Dekra initiatives is that they are all voluntary. "The charging stations' guidelines are a positive development," Ravi Lingarkar, vice president of product management at Akitra, wrote on LinkedIn. "Without uniform cybersecurity standards, EV charging stations can become easy targets for hackers. It's like enabling anyone to bring their own device to the grid. Given the rapid expansion of the EV charging infrastructure, cybersecurity is at the forefront of many potential problems." 

Still, these efforts are early and incomplete. "The government regulations have come too late," Bou-Harb says. "The market is already saturated with various charging products. These vendors don't really care about the security of their devices, which is often more of an afterthought. It's time for the charging vendors to come together, admit there is a problem, and start working on solutions and sharing threat data."

One potential roadblock is that EV chargers are under the purview of multiple regulatory agencies, such as the departments of Transportation, Energy, and Homeland Security. Getting them all to work cooperatively isn't going to be easy. "No one is taking leadership," Bou-Harb says. 

"A simple step that the government could take now would be to require SOC2 pending for EV charging providers. We need to raise the bar," EVPassport's Shahidi says. The SOC2 standard focuses on security controls and privacy, among other items.  

**About the Author(s)**

Contributing Writer

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 35 years. He was the editor-in-chief of Network Computing print, Digital Landing.com, and Tom's Hardware.com. He has written two computer networking books and appeared on a number of TV and radio shows explaining technology concepts and trends. He regularly blogs at https://blog.strom.com, and is president of David Strom Inc.

EV Charging Stations Still Riddled With Cybersecurity Vulnerabilities

Distributed denial-of-service attacks still plague the enterprise, but adding preventive measures can reduce their impact.

Source: Aleksey Funtap via Alamy Stock Photo

In the security profession, controls are one of the main tools we use to reduce risk. In doing so, we leverage a mix of preventive and detective controls. As the name suggests, preventive controls are designed to reduce the potential that a given threat will negatively affect a given environment.

Of course, preventive controls don't always work as designed, and some threats will always get through them. To supplement this protection, detective controls are also used. Detective controls identify security issues soon after they occur, so that they can be remediated before too much damage has occurred.

Using preventive and detective controls in tandem is a routine practice that is applied across many areas in the security space, including network security, application security, endpoint protection, identity and access management, and cloud security.

That is by no means an exhaustive list — this practice is applied in myriad areas within the security space. You can imagine my surprise, then, that one area is noticeably lacking the powerful combination of preventive and detective controls: distributed denial-of-service (DDoS) protection.

**Why DDoS Is Still a Problem**

DDoS is a significant problem for most businesses. According to MazeBolt, a DDoS security company, 60% of businesses lose at least $120,000 due to DDoS attacks, while 15% of businesses lose at least $1 million. Even with the best DDoS protections in place, businesses still suffer from 30% to 75% exposure of their online services to DDoS, MazeBolt says. This means that DDoS is a serious problem confronting the industry — and one that is not getting the preventive controls it needs.

Perhaps that will surprise you, too. When it comes to DDoS, organizations focus mainly on detection and mitigation. They purchase DDoS mitigation solutions, but they don't give much thought to protecting the organization from attack in the first place. We as a profession don't seem to focus much on DDoS preventive controls, despite the fact that the US Cybersecurity and Infrastructure Security Agency (CISA) recommends doing so in its latest DDoS mitigation guidance.

It may seem odd, but historically, there are reasons for this, such as the difficulty in checking for vulnerabilities and susceptibility to DDoS in a nondisruptive manner.

**5 Steps to Round Out DDoS Protection**

So once an organization decides to take a more well-rounded approach to DDoS, what are some steps it should follow to ensure it is adequately protected? I've offered a few thoughts here.

1\. Check for vulnerabilities. Organizations should ensure that they check for vulnerabilities and susceptibility to DDoS at layers 3, 4, and 7 of the OSI model. This is easier said than done, of course. This requires being nondisruptive in identifying vulnerabilities. Taking down the infrastructure in the name of DDoS security would not be a good thing.

2\. Stay nondisruptive. No one needs their DDoS risk reduced at the cost of disrupting business operations and impacting revenue, uptime, and customer satisfaction. There is a better way — namely, new nondisruptive, nonintrusive methods to identify and enumerate infrastructure vulnerabilities that expose an organization to additional DDoS risk.

3\. Understand the environment. The best way to ensure that no infrastructure vulnerabilities are missed is to know the environment well. This is the case regardless of how complex the environment is, and even if that environment involves hybrid and multicloud environments. Understanding the environment is the best way to eliminate blind spots. That, in turn, makes the vulnerability identification and remediation process far more thorough and effective.

4\. Establish and follow a process. Organizations should have a process to document and prioritize vulnerabilities for remediation. This ensures that things do not fall through the cracks and reduces the potential for oversight and human error. Even with the best process, organizations will still need determination and follow-through to remediate the vulnerabilities they have identified. DDoS security is a marathon, not a sprint.

5\. Iterate your security steps. DDoS security, like many areas within the security field, is not a one-time activity. Organizations need to continually test for new or persistent vulnerabilities within the infrastructure. They need to ensure that they are continually aware of changes to the environment so that they can retain the requisite level of understanding and knowledge of the environment. Organizations will also need to continually stick to and follow their process to ensure that vulnerabilities are remediated in a timely manner. Simply put, DDoS security is an effort that requires continuous attention.

Like many areas in the security space, DDoS security leverages both preventive and detective controls — or at least it should. For a variety of reasons, our historical focus around DDoS has been primarily on detection and mitigation of DDoS attacks. We as a field are long overdue for leveraging preventive controls in the DDoS security area.

**About the Author(s)**

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Proper DDoS Protection Requires Both Detective and Preventive Controls

We are potentially encroaching on a water supply crisis if data center operators, utilities, and the government don't implement preventative measures now.

Mark Trump, IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

April 9, 2024

5 Min Read

Source: stockphoto-graf via Alamy Stock Photo

COMMENTARY

In our digitally driven world, data has become an invaluable asset to companies across sectors. Data enables intelligent products, services, and operations. Data is also the unsung hero in today's "age of AI." By 2030, the AI market will be worth more than $1.3 billion in revenue — growing 36.8% from 2023's market size of $150.2 billion, and data is arguably the catalyzer driving this immense growth.

**The Current State of Data Centers**

Data is not just an intangible asset that's stored in the virtual ether of "the cloud." In reality, data, and data storage, is very much tied to the physical world. With the increasing introduction of artificial intelligence models, more data will be needed, and therefore stored in data centers.

These centers allow for data to be kept secure, accurate, available, and, for all practical purposes, "alive." Using switches, storage systems, servers, routers, and other equipment, data centers can store essential data sets around the clock. However, the extreme warmth produced by the energy used to process and store data causes overheating concerns. Data centers therefore require energy-intensive cooling systems to ensure the equipment does not fail. Such failures can lead to data losses, and vital workload and service outages — which occurred at a major tech company's Australian-based data center when a regional utility's power outage shut down the center's cooling mechanism. 

Unfortunately, cooling comes at a steep price, accounting for nearly 40% of an average data center's electricity usage. Many operators recognize the strain traditional air-based cooling methods put on its finances and net-zero pledges, which is why some are opting for liquid cooling systems. Although liquid cooling is technically more energy efficient than air cooling, it can still negatively impact the environment — and opens other door for potential outages. 

**Data's Dependence on Water**

When we say "liquid" cooling systems, we're actually referring to water in most cases. Just like living beings, data needs water to survive — and, therefore, so do AI models, software, and countless other technologies that rely on data.

Most data centers in the United States use freshwater supplied by utilities — the same water supply that humans rely on. The average data center uses 1 million to 5 million gallons of water a day (paywalled article), and considering that 30% of the world's data centers are located in America, that means Americans are losing access to a significant amount of safe drinking water. 

The US is already experiencing alarming water shortages as a result of low precipitation fueled by climate change and increased demand from a growing population. Now, add the increased demand from data centers as operators try to cool facilities overrun with AI-associated data, and America could experience a water crisis.

To make matters worse, the American water supply is facing an additional threat: cybersecurity attacks. Bad actors are increasingly targeting US water infrastructure. The main concern is the health and safety of Americans, but these attacks also threaten data centers — and the technology that depend on data. Hackers have historically targeted cooling systems, and they will undoubtedly continue to do so by finding weak points in data centers' water infrastructure, as well as security gaps in the regional water utilities that serve data centers across the US.

**Two-Pronged Approach: Sustainability and Security**

So, how can data center operators effectively store data that is essential to the booming AI market and virtually every aspect of the digital world while limiting their water consumption and protecting their water infrastructure? 

From an environmental standpoint, it will mean utilizing other water sources beyond freshwater provided by American utilities. Some operators are exploring the use of wastewater, industrial water, and seawater to lessen their strain on the United States' depleting freshwater supply. Improving liquid cooling system monitoring tools to track water consumption is also key. And companies are wisely utilizing federal funds to explore efficient cooling options and should continue partnering with the public sector moving forward.

What's more, operators should consider introducing new liquid cooling systems entirely, as there are now more advanced designs that use less water. And as new data centers become necessary — which we know they will — companies should consider building these facilities in cooler climates as well as in areas with water basins that are not overstrained. 

From a cybersecurity standpoint, many operators will have to prioritize defensive measures that specifically protect water infrastructure — which arguably has not been a key security prerogative in previous years. This will require a strategic reset in which leaders identify water, energy, and other external dependencies and extend risk assessments to environmental and other resources beyond the "logistics-based supply chain" that could interrupt business or operations. If enterprises have not done so already, then they should also apply zero-trust principles to all water-based infrastructure that they are dependent upon. 

Organizations must prepare themselves for a variety of scenarios: What would happen if the data centers you rely on for business viability had a water shortage that forced a shut down? Does your crisis plan consider catastrophic loss of water, and therefore data? If water resources and infrastructure sit outside of your security programs, then chances are you could very well face these scenarios. 

To avoid such potential threats, keep in mind this simple mantra: Define. Protect. Defend. Assess your risk so you can mitigate it, and monitor and maintain your defenses.

That said, water utilities must also do their part to help prevent attacks that could severely impact critical data centers and compromise water supply. Experts point to a renewed focus on cyber resiliency through public-private partnerships, improved centralized patch management systems, risk assessments, and temporary controls to address immediate vulnerabilities in critical systems and legacy infrastructure.

**Change Is Needed Now **

Data center operators are faced with a considerable challenge. They must meet the demands of storing an astonishingly increasing quantity of data while utilizing a decreasing supply of water to cool their facilities. Business, technology, and sustainability leaders must work together to formulate strategies that not only protect the environment, but also protect their data.

There's no future for humans or the life-changing technology we've come to rely on without water. And make no mistake, we are potentially encroaching on a water supply crisis if data center operators, utilities, and the American government do not implement preventative measures now.

**About the Author(s)**

IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

Mark Trump is a physical security knowledge leader and defense adviser. He has more than 35 years’ experience with advanced technologies, cybersecurity and application of best defensive practices across industrial, commercial, governmental and defense industries specializing in cybersecurity modernizations for critical infrastructure and operational technologies OT/IoT and other infrastructure critical to business and safety.

Why Liquid Cooling Systems Threaten Data Center Security &amp; Our Water Supply

The company is asking users to retire several network-attached storage (NAS) models to avoid compromise through a publicly available exploit that results in backdooring.

Source: Tiny Ivan via Alamy Stock Photo

A critical flaw in several end-of-life (EOL) models of D-Link network-attached storage (NAS) devices can allow attackers to backdoor the device and gain access to sensitive information, among other nefarious activities.

More than 92,000 devices currently connected to the Internet are affected by a flaw tracked as CVE-2024-3273 in D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, according to D-Link. As a result, the company is asking customers to sunset any and all affected devices, which will remain vulnerable as the devices no longer receive updates or support from the vendor.

A researcher who goes by the online name "netsecfish" identified the flaw and detailed it on GitHub and subsequently informed D-Link about it, which released its own advisory. The researcher also released an exploit for the flaw, in which attackers already are showing interest, according to a post on X (formerly Twitter) by Shadowserver.

"We have started to see scans/exploits from multiple IPs for CVE-2024-3273," according to the post. "This involves chaining of a backdoor and command injection to achieve RCE."

Flaws in NAS devices are serious business, as exploiting them has great potential to affect not only the device itself but myriad devices that connect to it, posing a dangerous threat that can expose enterprise networks to risk.

**Data Theft, Denial of Service & More**

The vulnerability exists in the nas\_sharing.cgi CGI script, leading to backdooring through username and password exposure as well as command injection through the system parameter, explained netsecfish.

"Affected is an unknown function of the file /cgi-bin/nas\_sharing.cgi of the component HTTP GET Request Handler," according to the listing for the flaw in the National Institute of Standards and Technology's (NIST's) National Vulnerability Database. "The manipulation of the argument system leads to command injection."

To get more granular, in terms of username and password exposure, the problem lies in the request, which "includes parameters for a username (user=messagebus) and an empty password field (passwd=)," according to netsecfish. "This indicates a backdoor allowing unauthorized access without proper authentication."

For command injection, attackers can exploit the "system" parameter within the request, "which carries a base64 encoded value that, when decoded, appears to be a command," according to netsecfish.

Attackers can chain the two issues together to obtain arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service.

Netsecfish's exploit entails crafting malicious HTTP requests by preparing an HTTP GET request–GET /cgi-bin/nas\_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64\_ENCODED\_COMMAND\_TO\_BE\_EXECUTED>–targeting the /cgi-bin/nas\_sharing.cgi endpoint.

**Replace & Retire Vulnerable D-Link Devices**

A report published last year found that companies in every industry continue to leave backup and storage platforms unsecured, making it crucial for them to ensure cybercriminals can't exploit vulnerable ones to enter corporate networks.

With no forthcoming patch for CVE-2024-3273, the only true remedy is not to use affected devices at all, so anyone with one still connected to a network should retire and replace the product immediately, according to D-Link. A complete list of devices can be found in D-Link's advisory.

Indeed, the company remained adamant that it has no plans to support or update the affected products as per its typical device EOL strategy. "Regardless of product type or sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," according to D-Link.

If consumers in the US continue to use the device against the company's recommendation, they should "please make sure the device has the last know firmware," which can be located on a Legacy Website links included in the advisory, according to D-Link.

Anyone who wants to continue using the device also should ensure frequent updating of the device's unique password to access its Web configuration, as well enable Wi-Fi encryption with a unique password.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

92K D-Link NAS Devices Open to Critical Command-Injection Bug

We need more than "do-it-yourself" approaches to threats that clearly rise to the level of national security issues.

Jon Miller, CEO & Co-Founder, Halcyon

April 9, 2024

4 Min Read

Source: Christophe Coat via Alamy Stock Photo

COMMENTARY

The US government is ramping up efforts to stem the increasingly disruptive scourge of ransomware attacks. For example, the State Department recently offered up to $15 million for information on LockBit, and $10 million for information on the BlackCat/ALPHV or Hive ransomware gangs. 

Where these bounties might be most effective is in enticing operators to "out" rival threat actors, or disgruntled affiliates to exact some revenge if they are cheated out of their cut of a ransom. However, the conditions that need to be met in order to collect these bounties are rigorous, and the payouts represent a tiny fraction of the revenue ransomware operators and their partners are realizing, leaving little incentive to cooperate with authorities.

So, is the government doing enough? Is a criminal law enforcement approach to this threat really going to make a dent in attacks? Are adversarial nations taking advantage of this big gray area that is the nexus of cybercriminal and nation-state operations? 

**Ransomware Operators as Nation-State Proxies**

We know rogue nations like Russia support ransomware operations, and they provide a safe harbor for attackers. A recent report by Chainalysis assessed that 74% of all the illicit revenue generated by ransomware attacks during 2021 went to Russia-linked attackers, the lion's share of ransomware proceeds. 

We cannot discount the potential dual nature of many of today's ransomware attacks. There is plenty of overlap between cybercriminal activity and nation-state operations, as evidenced by shared tooling and attack infrastructure. Using ransomware gangs as proxies provides plausible deniability for nations like Russia, while leveraging them in a larger geopolitical strategy. 

Nations like Russia have zero interest in relinquishing such valuable assets to Western authorities. Don't let the faux "takedowns" the Russian government has touted fool you — they are purely a publicity stunt, and no more.

**Designating Some Ransomware Attacks as Terrorism**

Ransomware attacks targeting critical infrastructure providers like healthcare organizations have crossed the line from cybercriminal activity to a serious national security threat. It's no longer just speculation as to whether ransomware attacks are threatening lives. 

When remote attackers disrupt systems critical to care and hold dozens of healthcare providers and their patients to ransom, we simply call it an IT security event and the government response is to offer more guidelines and frameworks. But if hundreds of gunmen coordinating with an adversarial nation entered dozens of hospitals and held the staff and patients hostage, preventing the administration of care for days on end, would offering the hospital guidelines on how to detect gunmen be an acceptable government response?

A recent report by Ponemon found a direct link between ransomware attacks and negative patient outcomes: 68% of survey respondents said ransomware attacks disrupted patient care; 46% noted increased mortality rates; 38% noted more complications in medical procedures. Other research found that between 2016 and 2021, ransomware attacks contributed to between 42 and 67 patient deaths, as well a staggering 33% increase in death rates per month for hospitalized Medicare patients. There is definitely a case to be made to designate some of these attacks as acts of state-supported terrorism. 

Some might argue that the lack of a clearly stated political motive behind ransomware operations means that, while an attack on a hospital that disrupts patient care and leads to negative outcomes could be described as inflicting terror, it would not necessarily meet the definition of terrorism.

However, executive order 13224, issued by the George W. Bush administration in September 2001, does not support that conclusion, and seems to be clearly applicable to some ransomware attacks, such as those against healthcare providers:

"For the purpose of the Order, 'terrorism' is defined to be an activity that (1) involves a violent act or an act dangerous to human life, property, or infrastructure; and (2) appears to be intended to intimidate or coerce a civilian population; to influence the policy of a government by intimidation or coercion."

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict, and prosecute when possible. So far this has only resulted in a few arrests, mostly of low-priority suspects. But if we designate these attacks as threats to national security, there are different rules of engagement that would go far beyond mere indictments, and can include offensive actions deemed appropriate and proportional, both cyber and kinetic. 

**The Hard Truth: Guidelines and Frameworks Are Not Enough**

Organizations that are the victims and potential victims of these attacks have largely been left to fight this battle on their own while getting little to no protection from the government. Unless and until the US and allied governments make this determination, there are few real consequences for these threat actors while targeted organizations are still left to fend for themselves. While guidelines and frameworks are useful, they are still "do-it-yourself" approaches to a threat that clearly rises to the level of a national security issue. 

We need more than vanilla government public relations programs to combat ransomware attacks. It is imperative that the US government and allied nations that are the targets of these attacks differentiate at least a portion of them by reclassifying them as terrorist acts so we can leverage some new tools in this fight. Otherwise, it will be a long, hard, lonely road ahead for ransomware victims.

**About the Author(s)**

CEO & Co-Founder, Halcyon

Jon Miller is the CEO & Co-founder of Halcyon with 25+ years working in the cybersecurity industry. Prior to Halcyon, Jon was the CEO & Co-founder of Boldend, a next-generation defense contractor focused on building offensive tools for the US Government. Previous to Boldend, Jon held the title of Chief Research Officer of Cylance (now Blackberry) where he focused on malware and product efficacy. Prior to Cylance, Jon was employee number 70 at Accuvant (now Optiv) where with a group of others he helped build and lead the largest technical consultancy at the time Accuvant LABS, working with over 95% of the Fortune 500 as an offensive security expert. Before Accuvant, Jon was a ten year veteran penetration tester, serving as one of the first in the industry working for the Internet Security Systems (now IBM) X-Force.

Frameworks, Guidelines &amp; Bounties Alone Won't Defeat Ransomware

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Source: Sueddeutsche Zeitung Photo via Alamy Stock Photo

When David Mayne first started looking for a job in cybersecurity, the recruiter at his first-choice company told him no. With only one eye, how could Mayne spend all day looking at a computer screen?

But he didn't let that stop him. Mayne had already overcome tremendous hardship, losing his eye and his leg following a severe car accident, then finding a way to raise his four children on his own. He had earned a degree that qualified him for cybersecurity work, and he was not going to take no for an answer.

Mayne landed at Novacoast, a cybersecurity company specializing in IT services and software development. After the company moved from Santa Barbara, Calif., to Wichita, Kansas, Mayne reached out to state and city organizations to recruit for Novacoast's training program. That's how he met the team at Envision, a local organization that helps people who are blind or visually impaired (BVI) through employment, outreach, rehabilitation, education, and research.

"In meeting with them, light was shed on the employment situation for people who are blind or visually impaired," Mayne says. "I had no clue how bad that actually was."

According to Envision, 70% of people who experience low vision are unemployed. Mayne saw an opportunity.

**Curriculum Adapts to the Tools**

With the right tools — such as a computer with a screen reader and a Braille keyboard — BVI individuals can work in cybersecurity and IT roles, such as a SOC analyst, help-desk engineer, or network administration, Mayne realized. And organizations needed to broaden their search to address a national shortage in trained cybersecurity workers. So with the support of Novacoast CEO Paul Anderson, Mayne led the development of the Apex Program, an online, on-demand course to prepare VBI students for cybersecurity certification exams.

About 25 students have enrolled in the program since its inception in May 2023, and Mayne says he hopes to register 100 this year. While the course is designed to last 10 weeks, students can work at their own pace. Apex supports students through the course and exam processes, then helps them find work.

"We will stay with them until they get to the end," Mayne says.

The program is free, its $7,500 cost covered by state grants. So far, 16 states have partnered with the Apex Program, with Florida and Texas expected to join the fold this year, Mayne says.

The training materials are delivered in several different ways to accommodate student needs: audio-only, text-only, and PowerPoint and Word document versions that auto advance or advance manually (which is preferred by JAWS, or Job Access with Speech, a common screen-reader program that renders text as speech or in Braille). Content contains both text and video, and students participate in hands-on labs and quizzes.

Creating a curriculum that was accessible and still tackled the challenging topics completely was challenging, Mayne says.

"There's binary math in the class and subnetting, and it took me over a month to figure out how to teach that without using a blackboard," he says.

Mayne is currently updating the materials, as the exams will be updated in July. The course prepares students for CompTIA's Network+ or Security+ certification exam. Students can request accommodations for the exam, such as screen readers, extra time, or even human readers.

"All of our exams are computer-based, and we have gone through the effort with multiple versions to ensure 100% compatibility with JAWS," says Carl Bowman, senior vice president of exam services at CompTIA.

Because tests are taken in a locked-down browser, the software has to be configured to allow the screen readers to run. But Bowman says it's important to make sure that BVI individuals who want to take the exams have equal access.

"Fairness is one of the underlying themes across the board when you look at our entire operation," Bowman says.

**Training Pays Off for Students and Employers**

So far, four students have completed the Apex Program course. One of the first graduates, Curtis Jackson, recently joined Novacoast as a SOC 1 Analyst, the company's first direct hire from the program.

Finding the Apex Program through a Facebook ad was a game-changer for Jackson, who was born blind due to congenital glaucoma. The father of two, who had worked as a telemarketer for nearly two decades, dreamed of working in tech but felt locked out due to his disability.

Now, however, he not only has a new job, he has a career.

"I definitely have more earning potential," Jackson says. "But the real opportunities will come when accessibility comes and I have a chance to advance and move up in the company, just like everybody else."

For Mayne, bringing Jackson on board was important for both the company and the success of the Apex Program.

"We drink our own Kool-Aid," he says. "We don't want to be out there telling everyone they need to hire BVI employees but we do not."

Once graduates successfully pass the CompTIA exams, their resumes are given to Novacoast's staff augmentation arm, which helps companies hire tech professionals. So far, about 70 organizations have said they are willing to interview the program's graduates. They're from a variety of industries, including local businesses, federal agencies, vehicle manufacturers, and software firms. Graduates can work anywhere that "has an IT department," Mayne says.

**Cybersecurity Is a Career, Not Just a Job**

Mayne has been working with the White House's Office of the National Cyber Director to spread the word about the program, which also was featured in a recent short film from WorkingNation, a nonprofit media organization that explores the future of work in the US.

WorkingNation's Melissa Panzer, the short film's director, says that she hopes the film inspires business leaders to look to unlikely talent pools and expand who they consider for opportunities.

"I tell a lot of stories about people who are marginalized, and I always come back to the same thing: I believe that people who are marginalized, their work ethic is strong, their dedication is strong," she says. "They just want a chance."

The Apex Program plans to expand beyond its focus on BVI individuals to veterans and disabled veterans, which could open the program up to 500 to 800 students a year, Mayne says.

"We're bringing people to careers, not just to jobs. And we want them to be financially secure as well as have a career that they enjoy," Mayne says. "We're bringing students that are excited to get into this field, that are go-getters. We would like the people in the IT world to give these people a shot. That's what doesn't exist today."

**About the Author(s)**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Source

DARKReading