Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.

Source: Mrinal Pal via Shutterstock

During an investigation into the activities of a threat group providing domain name system (DNS) infrastructure for illicit online gambling sites, threat researcher Renée Burton discovered something completely novel: Covert traffic immune to China's government-run firewall using open DNS resolvers and mail records to communicate.

The China-linked group — dubbed Muddling Meerkat — has demonstrated its ability to get specific DNS packets through the Great Firewall, one of the technologies separating China's Internet from the rest of the world, Burton, vice president of threat research at network security firm Infoblox, wrote in an analysis published this week.

While most requests for restricted domains return a seemingly random IP address, Muddling Meerkat is able to get DNS mail (MX) records with random-looking prefixes in response to certain requests, even when the domain has no mail service.

The goal of the capability remains unclear — most likely it's for reconnaissance or establishing the foundations of a DNS denial-of-service attack, Burton says — but the demonstrated expertise and ability to pierce the GFW deserves additional research, she says.

"We have a deliberate, very cunning use using very detailed knowledge of DNS — this is not your average cybercriminal; this is not your average teenager; these people are experts in DNS," Burton says. "So we have something that has been going on for four and a half years at this point, which isn't observable in any one location, but is deliberate and constant — and that combination of things, to me, is worrisome."

The threat research comes as the governments of the United States and other nations have warned that China's military has infiltrated critical infrastructure networks with a goal of pre-positioning their cyber operators for potential future conflicts. While many threat researchers have noted China-linked hacking groups' expertise in finding and exploiting zero-days in edge devices such as firewalls and virtual private network (VPN) appliances, the current research underscores their capabilities in utilizing the domain name system (DNS) for their own purposes.

**Great Chinese Firewall: "Operator on the Side"**

The Chinese Communist Party prevents its citizens from going to content that the government considers inappropriate or illegal — not by blocking the traffic, but by returning fake responses to DNS queries that prevent a user in China from connecting to the desired site. The approach, dubbed the Great Firewall (GFW), is not an inline traffic filter nor a platform that alters DNS responses on the fly, but rather an "operator on the side" that issues a response that competes with any packet from the original intended destination, says Burton.

While the Great Firewall does not intercept traffic, China does operate another system — often referred to as the Great Cannon (GC) — that takes the adversary-in-the-middle (AitM) approach, modifying packets en route to their destination, she wrote in the report.

"In combination, the GFW and GC create a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS," the report said. "Muddling Meerkat operations are complex and demonstrate that the actor has a strong understanding of DNS, as well as internet savvy."

Mail (MX) records from kb.com, even though the domain has no mail service. Source: Infoblox

Typically, researchers can see the Great Firewall in operation. When they send a DNS request to a domain considered to be out of bounds by the Chinese government, the GFW will return a seemingly random IP address. When they ask for a non-existent service for that domain, such as a mail (MX) record, the GFW still sends an IP address. However, Infoblox researchers and their industry partners instead saw mail records for domains that had no mail services, and each MX records had a seemingly random, albeit short, host name.

Kb.com, for example, has no MX records, but the researchers have seen a large number of mail responses, seemingly from the domain for servers with names such as "pq5bo\[.\]kb\[.\]com" and "uff0h\[.\]kb\[.\]com".

**Covert Widespread DNS Traffic**

The unexplained Internet traffic — which was initially detected as far back as Oct. 15, 2019 — could be some sort of reconnaissance that uses open resolvers and "super-aged" domains that foil many DNS block lists, says Burton.

"It's super under the radar, right? So that's kind of a recon-y looking thing," she says. "The other thing about it, though, is it has that DNS denial-of-service aspect. There are concerns that the Chinese are positioning themselves for operations against critical infrastructure, and here they've positioned themselves in DNS in a really weird way."

Combined with the recent announcement by the US Cybersecurity and Infrastructure Security Agency (CISA) that China is pre-positioning itself inside other organizations' infrastructures, Infoblox decide to go public with what the company and its anonymous partners had discovered.

Infoblox collaborated with other organizations, which the company declined to name due to worries of retribution and the potential loss of access to the DNS activity data. While the Muddling Meerkat operation appears similar to some "slow drip" DNS denial-of-service attacks, determining the purpose of the traffic will likely require more research participants, Burton says.

"I don't believe there's anyone who can see this operation in totality," she says. "Every single piece is seen individually, and then what we did was we brought a bunch of different pieces together, so we could see the whole thing. This is a complete mystery ... but it definitely is there."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

'Muddling Meerkat' Poses Nation-State DNS Mystery

By embracing a proactive approach to cyber-risk management, companies can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology.

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

In today's fast-paced world, most businesses are racing to incorporate the latest technology and innovations to meet the demands of customers craving convenience and accessibility. After all, who doesn't love banking from their phone 24/7 or shopping from their couch?

To meet these demands, companies rush to implement new technology as quickly as it emerges, but while enhancing business operations is undeniably lucrative, it comes with a price: Risk. As we embrace all the luxuries of innovation, cybercriminals are poised to exploit the vulnerabilities that these changes expose. Industries like healthcare and financial services are especially attractive targets, due to the valuable data and assets they are entrusted to protect, but cybercrime poses a threat to all. As a result, taking a proactive approach to managing cyber-risk, which involves pre-emptive and continuous action to assess and address risks caused by innovation, is being emphasized as a strategic necessity.

Traditional cybersecurity practices are like playing a never-ending game of whack-a-mole, because just as soon as one risk or vulnerability is addressed, another one pops up, presenting a new challenge. This can be frustrating, time-consuming, and ineffective in the rapidly evolving threat landscape. This ever-changing complexity further highlights the dynamic landscape of cybersecurity. We know that risk is an inherent part of all change — whether opening a new physical location, merging with another company, or implementing an online bill pay system, any modifications open the door to new vulnerabilities. Sounds bleak, right? Yes, the warnings about risk are ominous, but there is a way for businesses to participate in innovation successfully and prepare for the inevitable risk … and it's all about embracing a new mindset.

In the latest annual Global CEO Survey by PwC, CEOs in the financial sector and capital markets reported a significant concern over the threat to profitability due to changing consumer demands and behaviors. As a way to tackle this possible problem, CEOs invest significantly in technology such as AI and cloud solutions by automating processes and systems to improve the customer experience — a proactive measure to mitigate a possible threat to their bottom line.

However, a lack of attention to cybersecurity during the implementation of these technology solutions poses a significant risk to organizations where trust is critical. Cybersecurity is often an afterthought as companies integrate new processes and, especially, new technologies. This mindset leaves your business and your customers vulnerable to threat actors, so it’s time to substantially shift how change, risk, and strategy are perceived.

**An Action Plan**

Integrating cybersecurity defenses in tandem with new technology — not as a reactive action because a threat suddenly popped up — is the most effective route. Put the mallet down and approach cyber-risk with real-time data so your company stays ahead of emerging threats, instead of standing poised and hoping your reaction is well-timed. The development of technologies should be designed and planned with possible exposure to risk at the forefront. This proactive method simultaneously addresses both challenges, improves their performance through technology, and bolsters security measures. To implement this approach, a cyber framework that integrates with new projects at every stage can be implemented, even if it means extending the development timeline. In that way, businesses can address both challenges in a complementary manner, enhancing performance through technology while becoming more cyber secure.

This approach not only protects against cyber threats but also improves customer experience, since customers often demand seamless, convenient, and secure services. By integrating cybersecurity in tandem with technology implementation, companies across all industries can improve their customer experience while retaining trust. 

It’s important for businesses to work with a trusted partner in cyber-risk management to evaluate new technology for risk as it is created, rather than reacting to the risk that the technology triggered. This approach allows your company to identify potential vulnerabilities in new technology early on and implement appropriate security measures to mitigate the risks rather than addressing them after your business and your customers are already at risk. This assessment can identify potential vulnerabilities in the technology and determine the level of risk associated with each vulnerability. Based on this assessment, a plan is developed to mitigate the risks and ensure the security of systems and data. The information can be leveraged to create and implement policies and procedures for managing and monitoring the new technology to ensure ongoing security.

These recommendations serve as a reminder that being proactive doesn't just involve addressing risk due to a new product or service offering. It also means being proactive in defining, adopting, and measuring the effectiveness of risk assessments, as well as implementing the best practices that can mitigate these risks before they occur.

By embracing a proactive approach to cyber-risk management as a whole, companies across all industries can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology. And the best part? You can put that mallet away, because your company will detect threats before they even have a chance to pop up.

**About the Author(s)**

CEO, DefenseStorm

Steve Soukup has served as Chief Executive Officer at DefenseStorm since 2020 and in that role is responsible for leading all aspects of the company’s business. He is passionate about building a community of trust among our teams and with our customers while also enabling our customers to do the same with their account holders. Steve joined DefenseStorm as Chief Revenue Officer in May 2017 with a charge to drive growth for the business while leveraging his extensive experience serving the banking vertical. He was promoted to President in October 2019 and then to CEO in April of 2020. Under his leadership, DefenseStorm has set the standard for enabling banks and credit unions to achieve cyber risk readiness. Steve is a graduate of Boston College and earned a Master of Business Administration degree from Boston University. A native of Cleveland, Ohio, Steve and his family have called the Atlanta area home for over 10 years.

Addressing Risk Caused by Innovation

Red teaming is a crucial part of proactive GenAI security that helps map and measure AI risks.

Source: josefotograf via Alamy

Generative artificial intelligence (GenAI) has emerged as a significant change-maker, enabling teams to innovate faster, automate existing workflows, and rethink the way we go to work. Today, more than 55% of companies are currently piloting or actively using GenAI solutions.

But for all its promise, GenAI also represents a significant risk factor. In an ISMG poll of business and cybersecurity professionals, respondents identified a number of concerns around GenAI implementation, including data security or leakage of sensitive data, privacy, hallucinations, misuse and fraud, and model or output bias.

For organizations looking to create additional safeguards around GenAI use, red teaming is one strategy they can deploy to proactively uncover risks in their GenAI systems. Here's how it works.

**Unique Considerations When Red Teaming GenAI**

GenAI red teaming is a complex, multistep process that differs significantly from red teaming classical AI systems or traditional software.

For starters, while traditional software or classical AI red teaming is primarily focused on identifying security failures, GenAI red teaming must account for responsible AI risks. These risks can vary widely, ranging from generating content with fairness issues to producing ungrounded or inaccurate information. GenAI red teaming has to explore potential security risks and responsible AI failures simultaneously.

Additionally, GenAI red teaming is more probabilistic than traditional red teaming. Executing the same attack path multiple times on traditional software systems is likely to yield similar results.

However, due to its multiple layers of nondeterminism, GenAI can provide different outputs for the same input. This can happen due to app-specific logic or the GenAI model itself. Sometimes the orchestrator that controls the output of the system can even engage different extensibility or plug-ins. Unlike traditional software systems with well-defined APIs and parameters, red teams must account for the probabilistic nature of GenAI systems when evaluating the technology.

Finally, system architectures vary widely between different types of GenAI tools. There are standalone applications, integrations with existing applications, and input and output modalities, like text, audio, images, and videos, for teams to consider.

These different system architectures make it incredibly difficult to conduct manual red-team probing. For example, to surface violent content generation risks on a browser-hosted chat interface, red teams would need to try different strategies multiple times to gather sufficient evidence of potential failures. Doing this manually for all types of harm, across all modalities and strategies, can be exceedingly tedious and slow.

**Best Practices for GenAI Red Teaming**

While manual red teaming can be a time-consuming, labor-intensive process, it's also one of the most effective ways to identify potential blind spots. Red teams can also scale certain aspects of probing through automation, particularly when it comes to automating routine tasks and helping identify potentially risky areas that require more attention.

At Microsoft, we use an open automation framework — known as the Python Risk Identification Tool for generative AI (PyRIT) — to red team GenAI systems. It is not intended to replace manual GenAI red teaming, but it can augment red teamers' existing domain expertise, automate tedious tasks, and create new efficiency gains by identifying hot spots for potential risks. This allows security professionals to control their GenAI red-teaming strategy and execution while PyRIT provides the automation code to generate potentially harmful prompts based on the initial dataset of harmful prompts provided by the security professional. PyRIT can also change tactics based on the GenAI system's response and generate its next input. 

Regardless of the method you use, sharing GenAI red-teaming resources like PyRIT across the industry raises all boats. Red teaming is a crucial part of proactive GenAI security, enabling red teamers to map AI risks, measure identified risks, and build out scoped mitigations to minimize their impact. In turn, this empowers organizations with the confidence and security they need to innovate responsibly with the latest AI advances.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

How to Red Team GenAI: Challenges, Best Practices, and Learnings

PRESS RELEASE

London, UK. 24th April 2024: Performanta, the multinational cybersecurity firm specialising in helping companies move beyond security to achieve cyber safety, has uncovered a trend in how developing countries are being targeted by nation state actors.

The firm’s analysis explored the origins and characteristics of Medusa, a ransomware-as-a-service targeting organisations globally. The patterns suggest that developing countries are hit first with a trend that shows a rising impact on developed countries. It implies that ransomware activities are not entirely random and a strategy is in place to focus on organisations within developing countries as their initial targets.

Guy Golan, CEO and Executive Chairman of Performanta, states: “Our analysis suggests that BRICS nations, and particularly the African continent, have become a testing ground for nation-state attacks. In order to achieve a more cyber safe environment for all organisations globally, we need to increase awareness of this growing issue. It is only through understanding the trends and patterns of geopolitical cyber warfare that will enable us to bring clarity to the global threat landscape.”

Performanta’s research has delved into precisely how attackers are using Africa, and the extent to which the region is under major threat.

In South Africa, a 10-year review of the cyber threat landscape found that the most prevalent perpetrators of attackers were trained hackers, and the top three most likely targeted industries on the continent are finance, manufacturing and energy. This poses a serious problem, with the average successful nation-state-backed cyber attack costing an average of $1.6 million per incident.

Performanta’s report also reveals a large increase in financial/banking trojans with a 59% increase in Kenya and a 32% increase in Nigeria across a single quarter.

Golan continues: “Attackers likely perceive attacking Africa to have fewer risks to themselves than directly attacking the West, and as a bridge to the Western world, it’s likely that methods are tried and tested in Africa first, before being deployed across developed countries later. As an emerging economy, Africa may have become an entry point for attackers aiming to access and disrupt Western assets indirectly. No matter the reasoning, the West and Africa must implement long-term collaborative efforts to build a strong defence against this threat.”

With a strong foothold in both South Africa and the UK, Performanta is uniquely positioned to bridge the gap between nations to form a cyber safe defence against nation-state enemies.

For more information or to read Performanta’s full report, download here.

About Performanta

Performanta is a multinational company that specialises in cyber safety. Founded in 2010, we have grown to over 180 security professionals. We provide risk and resilience consulting, managed detection and response, and continuous threat exposure management services, with a human touch. Our focus extends beyond your security controls, to your wellbeing. We work tirelessly with clients to manage the cyber security risks.

Performanta is a leading Microsoft Solutions Partner. We have been nominated by Microsoft to join its Intelligent Security Association (MISA), a worldwide group comprising 300 of its most proficient partners.

 Performanta is approved to design, develop and operate security solutions for on-premises and cloud service users. We specialise in Managed Extended Detection & Response (MXDR), Identity and Access Management, and Threat Protection.

We work with enterprises across many industry sectors, that require a cyber safety service. Operating from the UK, South Africa, North America and continental Europe, our teams deliver global services with a local feel.

New Research Suggests Africa Is Being Used As a 'Testing Ground' for Nation State Cyber Warfare

PRESS RELEASE

McLean, Va. & Bedford, Mass., April 25, 2024 — MITRE’s Cyber Resiliency Engineering Framework (CREF) NavigatorTM now incorporates the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) so cybersecurity engineers for the Defense Industrial Base (DIB) can strengthen supply chain resilience against sophisticated cybersecurity attacks. The CREF Navigator aligns with NIST SP 800-171, the National Institute of Standards and Technology’s (NIST) publication designed to safeguard Controlled Unclassified Information (CUI) and the subset of NIST SP 800-172 that aligns with the proposed CMMC Level 3 model which has 24 of the 34 security requirements that address more sophisticated cybersecurity attacks.

“Our national security depends on the security of our defense systems and the supply chains to enable that defense,” said Wen Masters, vice president, cyber technologies, MITRE. “All along the supply chain, you need accountability in following the appropriate security requirements to build a resilient system. Resilience in the face of a cyber-attack is not a quick fix. Resiliency must be engineered before an incident.”

MITRE in partnership with NIST created the original cyber resiliency framework, NIST SP 800-160, Volume 2 (Rev. 1). The CREF Navigator, which debuted in early 2023, makes that NIST framework searchable and visualized. With the tool, engineers can make educated and informed choices while designing resilient cyber solutions. Beyond pairing with CMMC, the CREF Navigator also aligns with the MITRE ATT&CK® knowledge base of tactics and techniques and Cyber Model-Based Systems Engineering (MBSE) for cyber threat modeling.

“To allow cyber engineers to customize the tool for their individual needs, we enhanced the CREF Navigator so users can create their own scenarios and apply different parameters of threats and techniques,” said Shane Steiger, principal cybersecurity engineer, MITRE. “Regardless of how you keep your security data, you can import your data into the CREF Navigator via a .csv file, and the visualization of the data can be exported back out to a .csv file. Later this year, we’ll add enhancements for Zero Trust Architectures.”

As with many of MITRE’s resources for cyber defenders that are developed in the public interest, the CREF Navigator is freely available to the greater cyber community. See the CREF Navigator in action at https://CREFNavigator.mitre.org.

About MITRE  
MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and as an operator of federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. Learn more at mitre.org.

You May Also Like

MITRE's Cyber Resiliency Engineering Framework Aligns With DoD Cyber Maturity Model Cert

The volume of malicious cyber activity against the Philippines quadrupled in the first quarter of 2024 compared to the same period in 2023.

Source: robertharding via Alamy Stock Photo

A recent massive spike in cyber misinformation and hacking campaigns against the Philippines coincides with rising tensions between the country and its superpower neighbor China.

The cyberattacks consist of a combination of hack and leak (55%), distributed denial-of-service (10%), and misinformation and influence campaigns (35%), according to researchers at Resecurity who have been following the campaigns. The main targets are government (80%) and educational institutions (20%) in the Philippines, and these attacks — on police agencies, government ministries, and universities — and associated data leaks are sowing discontent in the country, according to the researchers.

This represents a four-fold (325%) increase in what the researchers identify as malicious cyber-espionage activity targeting the Philippines in the first quarter of 2024 compared to the same period last year. "The goal of this activity is to discredit the government and create chaos via cyberspace, as the Philippine population also relies on digital media channels and is active on social media networks," says Shawn Loveland, COO of Resecurity.

Resecurity has worked with authorities in the Philippines to trace back the source of attacks to online infrastructures in China and Vietnam. These "false flag" and "other territories" could be allies of China in such campaigns or provide them infrastructure for it, according to Resecurity.

**Fake News**

The goal of the cyberattacks correlates with disinformation campaigns spinning Chinese narratives on topics such as regional disputes about territories in the South China Sea.

In a blog post this month, Resecurity detailed the myriad of different groups associated with this collective activity. In one notable attack, a threat actor going by the alias "KryptonZambie" claimed to have obtained from unnamed sources over 152 gigabytes of stolen data containing Philippine citizen identity cards. Resecurity investigated this claim, which related to a post on Breach Forums, a Dark Web site, but found it unsubstantiated. The threat actor did not respond to any messages Resecurity investigators sent to a Telegram account used to publicize the supposed breach.

Other elements of the campaign involved posting an "audio deepfake" of Philippine President Ferdinand Marcos Jr. supposedly ordering military action against China. No such directive exists, according to authorities in the Philippines.

It’s not all fakery, however. Several of the groups covered by Resecurity's report — including  Philippines Exodus Security and DeathNote Hackers — ran attacks that led to a confirmed data breach.

**Not Real Hacktivists**

While some of this activity might resemble that of hactivists, Resecurity believes nation state-backed hackers from China or possibly North Korea (another regional adversary to the Philippines) are really to blame.

Resecurity has reported over 12 government organizations in the Philippines being targeted in the same timeframe — hallmarks of a well-organised co-ordinated attack by nation-state actors rather than independent hacktivists.

"Leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online," according to Resecurity.

Last year a Chinese state-linked advanced persistent threat (APT) group known as Mustang Panda hacked a Philippine government target via a simple side-loading technique. "This group has a strong focus on Philippines and \[is\] still active," according to Resecurity. Hacks by the group on Philippine government entities have been actively promoted via social media.

In April 2023, more than 800 gigabytes of both applicant and employee records from multiple state agencies — including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Special Action Force (SAF) — were compromised.

This was followed in September by a breach and ransomware attack on the Philippine Health Insurance Corporation (PhilHealth) that led to the exposure of hospital bills, internal memos, and identification documents. There remains an ongoing investigation into the full extent of the leak, according to cyber threat detection firm Gatewatcher.

**Why Spy?**

China (and to a lesser extent North Korea) is the prime suspect in much of this malfeasance, according to both Resecurity and other threat intel experts.

"China is a far more complex and nuanced territory than generally portrayed. Its internal pressures are likely to lead to increased cyber-espionage activity, rather than slowing it down,"  says Ian Thornton-Trump, CISO at threat intel firm Cyjax.

"The PRC's approach to cyberspace has always been to use it to advance its business interests, extracting technologies from Western companies and creating a protected domestic market for these industries, giving them an advantage in the global market," Thornton-Trump notes.

Relations between China and the Philippines have deteriorated over recent months. Beijing condemned Filipino President Ferdinand Marcos Jr.'s congratulations to Taiwanese President-elect Lai following the latter's recent election. China regards Taiwan as a renegade province.

The Philippines has recently reaffirmed its strong alliance with the United States, announcing plans for "more robust" military activities with the US and its allies, much to the chagrin of China. In addition, the Philippines and China are in dispute over territorial claims involving islands and waters in the South China Sea.

**Incident Response**

The US, Japan, and the Philippines recently entered a cyber threat-sharing arrangement in the wake of rising attacks by China, North Korea, and Russia, a development likely to help the Philippines stay on top of the growing tide of cyberthreats.

Understanding the pattern of upsurge in malign cyber activity is the first step towards combatting it, experts say. "\[With\] a better understanding of the country's internal forces, and how these relate to its cyber strategy, we can plan better defenses against PRC cyber espionage," Cyjax's Thornton-Trump says.

Resecurity offered recommendations to safeguard both the populace and Philippine business from cyberattacks:

*   Accelerate digital identity protection of Philippine citizens — as hack and leak activity is putting their personal data at risk of being exposed.
    
*   Tighten Web application security by implementing WAFs (web application firewalls) and ongoing vulnerability assessment and pen-testing automation procedures to detect and contain vulnerabilities before bad actors exploit them.
    
*   Create fact-checking services online to combat disinformation and influence campaigns. Citizens should be offered a process for reporting suspicious online activity.
    

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Philippines Pummeled by Assortment of Cyberattacks &amp; Misinformation Tied to China

PRESS RELEASE

Montreal, Quebec, Canada – April 25, 2024 – Flare, a global leader in Threat Exposure Management, is pleased to announce that renowned cybersecurity expert Jason Haddix has joined the organization as Field CISO. 

Jason Haddix (aka @jhaddix) is CEO, hacker, and trainer for Arcanum Information Security, a world class and highly sought cybersecurity assessment and training company. Over his 20-year career in cybersecurity, Jason has held numerous high profile roles, including as CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. 

Jason is well-known throughout the cybersecurity community, having authored a number of talks on offensive security methodology. Over the years he has spoken at many high profile security conferences, including DEFCON, BSides, BlackHat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, and Toorcon.

"We are excited to welcome Jason to the Flare team as a strategic advisor. His exceptional background, depth of knowledge, and vision in cyber make him the perfect fit to help us accelerate our expansion and recognition as a leader in Threat Exposure Management,” said Flare CEO Norman Menz. “Jason’s appointment reaffirms our commitment to staying one step ahead in the continually evolving cyber threat landscape, and to maintaining the highest security standards for our clients." 

In his strategic advisory role as Field CISO, Jason will leverage his deep industry expertise to forge connections within the cybersecurity community, and will help guide Flare’s security strategies and product vision. Jason’s diverse background will bring fresh perspectives and help enrich Flare's approach to addressing critical security challenges and shaping strategic initiatives.

"Joining Flare offers me a unique opportunity to contribute to the company’s mission of excellence in Cyber Threat Exposure Management, while also continuing my commitment to Arcanum,” said Jason. “I’m excited to share my experience and work alongside Flare's talented team to drive forward-looking security initiatives and cutting-edge product features. I’m looking forward to being an integral part of Flare’s commitment to protecting customers and leveling the playing field for defenders in the cyber security realm.”

To learn more about the rest of the team driving Flare’s growth in the Threat Exposure Management space, visit https://flare.io/company/team/. 

About Flare

Flare is at the forefront of Threat Exposure Management, delivering AI-driven solutions that provide comprehensive, real-time threat analysis and remediation. With its advanced technology, Flare offers a proactive approach to cybersecurity, scanning the online world, including the clear and dark web, to identify, prioritize, and address potential threats swiftly and efficiently. For more information, visit https://flare.io.

Jason Haddix Joins Flare As Field CISO

The business intelligence servers contain vulnerabilities that Qlik patched last year, but which Cactus actors have been exploiting since November. Swathes of organizations have not yet been patched.

Source: S. Bonaime via Shutterstock

Nearly five months after security researchers warned of the Cactus ransomware group leveraging a set of three vulnerabilities in Qlik Sense data analytics and business intelligence (BI) platform, many organizations remain dangerously vulnerable to the threat.

Qlik disclosed the vulnerabilities in August and September. The company's August disclosure involved two bugs in multiple versions of Qlik Sense Enterprise for Windows tracked as CVE-2023-41266 and CVE-2023-41265. The vulnerabilities, when chained, give a remote, unauthenticated attacker a way to execute arbitrary code on affected systems. In September, Qlik disclosed CVE-2023-48365, which turned out to be a bypass of Qlik's fix for the previous two flaws from August.

Gartner has ranked Qlik as one of the top data visualization and BI vendors in the market.

**Continued Exploitation of Qlik Security Bugs**

Two months later, Arctic Wolf reported observing operators of Cactus ransomware exploiting the three vulnerabilities to gain an initial foothold in target environments. At the time, the security vendor said it was responding to multiple instances of customers encountering attacks via the Qlik Sense vulnerabilities and warned of the Cactus group campaign as being rapidly developing.

Even so, many organization appear not to have received the memo. A scan by researchers at Fox-IT on April 17 uncovered a total of 5,205 Internet-accessible Qlik Sense servers, of which 3,143 servers were still vulnerable to Cactus group's exploits. Of that number, 396 servers appeared to be located in the US. Other countries with a relatively high number of vulnerable Qlik Sense servers include Italy with 280, Brazil with 244 and Netherlands and Germany with 241 and 175 respectively.

Fox-IT is among a group of security organizations in the Netherlands — including the Dutch Institute for Vulnerability Disclosure (DIVD) — working collaboratively under the aegis of an effort called Project Melissa, to disrupt Cactus group operations.

Upon discovering the vulnerable servers, Fox-IT relayed its fingerprints and scan data to DIVD, which then began contacting administrators of the vulnerable Qlik Sense servers about their organization's exposure to potential Cactus ransomware attacks. In some instances, DIVD sent the notifications out directly to potential victims while in others the organization attempted to relay the information to them via their respective country computer emergency response teams.

**Security Orgs Are Notifying Potential Cactus Ransomware Victims**

The ShadowServer Foundation is also reaching out to at-risk organizations. In a critical alert this week, the nonprofit threat intelligence service described the situation as one where a failure to remediate could leave organizations at a very high likelihood of compromise.

"If you receive an alert from us on a vulnerable instance detected in your network or constituency, please also assume compromise of your instance and possibly your network," ShadowServer said. "Compromised instances are determined remotely by checking for the presence of files with .ttf or .woff file extension."

Fox-IT said it had identified at least 122 Qlik Sense instances as likely compromised via the three vulnerabilities. Forty-nine of them were in the US; 13 in Spain; 11 in Italy; and the rest scattered across 17 other countries. "When the indicator of compromise artefact is present on a remote Qlik Sense server, it can imply various scenarios," Fox-IT said. It could for instance, suggest that the attackers executed code remotely on the server, or it could simply be an artifact from a previous security incident.

"It's crucial to understand that 'already compromised' can mean that either the ransomware has been deployed and the initial access artifacts left behind were not removed, or the system remains compromised and is potentially poised for a future ransomware attack," Fox-IT said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Thousands of Qlik Sense Servers Open to Cactus Ransomware

The semiconductor manufacturing giant's security team describes how hardware hackathons, such as Hack@DAC, have helped chip security by finding and sharing hardware vulnerabilities.

Source: kawin ounprasertsuk via Alamy Stock Photo

Ever since the first Hack@DAC hacking competition in 2017, thousands of security engineers have helped discover hardware-based vulnerabilities, develop mitigation methods, and perform root cause analysis of issues found.

Intel initially decided to organize the competition, which draws security professionals from academia and industry partners around the world, to raise awareness about hardware-based vulnerabilities and to promote the need for more detection tools, says Arun Kanuparthi, a principal engineer and offensive security researcher at Intel. Another goal behind Hack@DAC, capture-the-flag competitions, and other hackathonsis to draw the attention of chip designers, to motivate them to design silicon more securely, he says.

"There is very little awareness of hardware security weaknesses in general," says Kanuparthi, who spoke about lessons Intel learned from years running Hack@DAC at the recent Black Hat Asia conference in Singapore. "And we thought, really, how can we get this awareness amongst the security research community?"

"If you look at software, there are lots of tools for security, with software or firmware, but when you look at hardware, there are really only a handful of EDA or electronic design automation tools," Kanuparthi says.

These kinds of events are effective for bringing people together to find vulnerabilities and share their knowledge. CTFs are established methods for teaching and learning new skills and best practices. Intel also believes it is important to give students "an experience of what it feels like to be a security researcher at a design company," says Kanuparthi.

Intel is now accepting entries for the 2024 Hack@DAC, which will take place in June in San Francisco.

**Tackling Hard Problems**

When Intel first organized Hack@DAC, there was no standard design or open-source platform for discovering or sharing information on hardware vulnerabilities, says Hareesh Khattri, a principal engineer for offensive security research at Intel. That has changed with Intel’s collaboration with Texas A&M University and Technical University of Darmstadt in Germany. The professors and students took open-source projects and inserted existing hardware vulnerabilities to create a common framework for detecting them and new ones.

"And now a lot of hardware security research papers have also started citing this work," Khattri says.

In 2020, Intel joined other semiconductor manufacturers in aligning with MITRE’s Common Weakness Enumeration (CWE) team, which lists and classifies potential vulnerabilities in software, hardware and firmware to bring more focus to hardware.  It was an attempt to address a gap, since MITRE only maintained software weakness types, and CWE fell short of addressing root cause analyses of hardware vulnerabilities, Kanuparthi recalls.

"If a hardware issue was identified, \[the CWE\] would be tagged with some generic catch-all kind of \[alert that said\] there’s a problem or the system does not work as expected," Kanuparthi says. "But now there is a design view for hardware which you can root cause that this is specifically the problem. And that has largely been the output of some of the work that we have been doing that led to hack attack and the creation of the hybrid CWE."

As semiconductor manufacturers accelerate their focus on adding designs that can support new AI capabilities, security researchers are looking to identify weaknesses even closer to hardware design, Khattri adds. That has accelerated interest in new efforts like the Google-contributed OpenTitan Project, an open-source reference design and integration guidelines for securing root of trust RoT chips.

The efforts behind Hack@DAC and Intel’s work with MITRE on CWE have led to improved tooling, Khattri says. For example, hardware vulnerability assessment tool provider Cycuity (which uses OpenTitan as a benchmark for how its tool measures CWEs) claims its Radix can now identify 80% of known hardware weaknesses in the CWE database.

"We’ve seen a lot of progression in this space compared to when we started it," Khattri says. "Now, a lot of security research communities’ focus has gone towards trying to identify weaknesses that are closer to the hardware design."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Intel Harnesses Hackathons to Tackle Hardware Vulnerabilities

You can't thinking about inclusion in the workplace without first understanding what kinds of exclusive behaviors prevent people from advancing in their careers.

Source: Jose Luis Stephens via Alamy

Most of us do not want to be excluded at work – especially if we are trying to innovate, collaborate, and make a meaningful impact in our role. Making connections with colleagues, ensuring you are invited to key meetings, and getting face time with important executives in the company are all essential elements to learning and growing in an organization. But systemic exclusion is a troubling reality for many in the cybersecurity industry.

Olivia Rose, at IANS Research faculty member and CISO/founder of Rose CISO Group, is a 17-year CISO and industry veteran. She has experienced exclusionary practices based on her gender throughout her career.

"I believe the interference is rooted in making assumptions about women," Rose says. "When I got married years ago and was in cybersecurity consulting, a leader told my manager to keep my workload light for a few months as I would surely be planning my wedding. I've not been invited to happy hours and to company trips as I have kids and who would watch them? Whether it's intentional or not, making assumptions about women and the various roles we play puts us into a box where it's just another hurdle we need to overcome to be regarded equally."

Women are five times more likely to report exclusion from direct managers and peers, according to Women in CyberSecurity's (WiCyS) "2023 State of Inclusion Benchmark in Cybersecurity Report." But exclusion is not just limited to gender. Individuals with disabilities and intersectional identities experience levels of workplace exclusion comparable to, or even exceeding, those related to gender, emphasizing the compounded impact of multiple differing identity traits.

**Microaggressions Are Subtle**

It’s not just about being left out of the room. Being on the receiving end of disrespectful behaviors, sexually inappropriate advances, and a lack of appreciation for skills and experience can also make it hard to advance in the workplace. These kinds of microaggressions are difficult to pin down, Rose says.

"I don't personally believe research can help much when it comes to understanding microaggressions and how they are the silent killer for women's careers," she says. "I speak from experience when I say that these microaggressions are so slight and menial that women can't go to HR to report them."

Rose recalls a corporate leader at one point in her career who would attempt to undermine her regularly during meetings by sharply blowing air out of his nostrils whenever she spoke.

"By itself, this doesn't mean anything," Rose says. "\[But\] add it to the multiple instances where I had seen this individual trying to cut me out of the picture, by sending emails 'forgetting' to copy me, and not providing requested information to my team, and the puzzle starts to come together. How do you even start to explain this, though, to your manager or HR?"

Rose advises managers she works with to take what employees say seriously and write down every instance of reported discrimination and exclusion to form a larger picture of a pattern of problematic behavior.

**Pressure in the Room Where It Happens**

Umaimah Khan, founder and CEO of identity security company Opal Security, says cybersecurity is more asymmetrical than other tech sectors, largely due to the emphasis on product development processes and sales-driven culture, which often targets executives. This high-risk and high-pressure environment amplifies biases and is resistant to change, says Khan, whose background is in academia and research labs before founding Opal.

Women are also pressured to be both business-savvy and technically adept in their roles, and assertiveness can be misconstrued as aggressiveness. This dichotomy can deter many from entering or remaining in the cybersecurity field, Khan says, noting that "they are not willing to go through pain and frustration and having to be second-guessed."

For her part, Khan strives to build a diverse team at Opal. But even under the best circumstances, she thinks resilience is an essential attribute for women to thrive. Women often need to prove themselves repeatedly and must develop a thick skin, she says.

"I think there is truth to having to be twice as good," Khan adds. "I found myself in my early days having to prove myself in those rooms. You have this feeling that \[you\] have to be right 100% of the time."

**Steps to Change and Improve Inclusion**

Exclusion is intricately intertwined with career issues, such as inadequate compensation and being passed over for promotions. Combating these issues requires communicating clearly with both peers and management, says Larci Robertson, a senior sales engineer at Obsidian Security. Document accomplishments and have metrics to demonstrate success, she suggests.

"Talk about pay with your peers," Robertson says. "Have a clear path to promotions and raises for people from management. Expectations and a pathway clearly communicated will take care of the, 'Why didn’t I get promoted over someone else?'"

Finally, find an internal mentor who can help shepherd you along the right path and get the kudos you deserve.

"It's very hard to learn and grow without an advocate," Robertson says.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Source

DARKReading