Cybersecurity startup Zest Security emerged from stealth with an AI-powered cloud risk resolution platform to reduce time from discovery to remediation.

Source: Peachshutterstock via Shutterstock

Organizations have plenty of tools to identify cloud risks, vulnerabilities, and misconfigurations, but not so much for remediating cloud risks. For most companies, significant collaboration is needed between DevOps and security teams to validate the risk, understand the root cause, and determine the best resolution.

Remediating risk usually involves a series of manual and time-consuming processes. Cybersecurity startup Zest Security wants to change that with its AI-powered platform designed to simplify and automate risk resolution. The platform correlates and pinpoints the root cause of cloud risks to craft resolution paths that eliminate cloud vulnerabilities and misconfigurations that attackers can exploit, Zest said in a statement.

On average, it takes 30 to 60 days to remediate a single cloud security risk, and 80% of resolved risks resurface after remediation, Zest said. The increase in known cloud attacks is directly the result of lack of efficient and effective remediation.

"Zest eliminates the back-and-forth typically required between security and DevOps teams to determine the best path to mitigation and remediation," said Matthew Hurewitz, director of platforms and application security at Best Buy, in a statement. "Zest shows security teams all of their options, so they can quickly and confidently resolve their vulnerabilities."

As part of the launch, Zest Security also raised $5 million in seed funding from Hanaco Ventures, Silvertech Ventures, and several angel investors. The company's co-founders have years of experience in cloud and product security. Uri Aronovici, Zest’s CTO, previously worked at Akamai Technologies and Check Point Software. Prior to founding Zest, Snir Ben Shimol, Zest's CEO, built the global cybersecurity platform and services organization at Varonis. Shimol was also the CSO of Cider Security before it was acquired by Palo Alto Networks.

**About the Author(s)**

Zest Security Aims to Resolve Cloud Risks

The threat group uses its "Stargazers Ghost Network" to star, fork, and watch malicious repos to make them seem legitimate, all to distribute a variety of notorious information-stealers-as-a-service.

Source: Miriam Doerr Martin Frommherz via Shutterstock

A threat actor known as "Stargazer Goblin" has found a new way to leverage GitHub to distribute malware and malicious links to unsuspecting users.

Instead of hosting malware on GitHub and then luring users to inadvertently download an infected code package (by getting them to click on a malicious link in a phishing email, for instance), the new tactic involves convincing victims that malicious repositories are legitimate via a socially engineered influence operation involving thousands of inauthentic accounts.

Researchers from Check Point Research (CPR) who uncovered the operation noted in a report this week that the adversary's end game is running a malware distribution-as-a-service (DaaS) network dubbed Stargazers Ghost Network, currently comprised of more than 3,000 active GitHub accounts.

**A Large Network of Rogue Accounts**

The threat group is using a relatively small number of these accounts to actually distribute the malware and malicious links, and the remaining ones are the inauthentic accounts that are being used to make the rogue repositories appear legitimate. Their tactics for doing so have included using the inauthentic accounts to star, fork, and subscribe to the malicious repos, in order to give them a veneer of innocence.

Starring, which gives the group its name, is a way to bookmark repositories on GitHub to make them easier to find in the future, and also as a way to show appreciation for a particular project. Forking is about creating an identical copy of another GitHub project as a way to propose changes to the project or to build on it for your own purposes; and watching is basically a way of keeping abreast of the latest developments in a project. Just as with applications on mobile app stores, users tend to perceive GitHub projects with more stars, forks, and watchers as being more credible — and trustworthy — than others.

"In the past, malware was hosted on GitHub, though the repositories that hosted malware never suggested that a normal user would land, trust, download, and execute the hosted sample," says Antonis Terefos, a researcher at CPR. "Currently, via the Stargazers Ghost Network, we are experiencing a new era of malware distribution utilizing accounts to act organically by starring \[and\] forking malicious repositories \[to make them appear\] as legitimate to normal users."

**Stargazer Goblin's Distribution-as-a-Service Play**

Since at least August 2022, and likely even earlier, Stargazer Goblin has used its rogue GitHub accounts to distribute a variety of malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. A Stargazers Ghost Network advertisement from July 2023 — in English and Russian — that CPR researchers found on a Dark Web forum showed the threat actor charging $10 to "star" a repository with 100 accounts, and $2 to provide an account with an empty "aged" repository, which generally is more trusted than a brand-new one.

CPR also said that the operation likely extends well beyond GitHub.

"We believe that Stargazer Goblin created a universe of Ghost Network accounts operating across various platforms such as GitHub, Twitter, YouTube, Discord, Instagram, Facebook, and many others," CPR said in its report. "Similar to GitHub, other platforms can be utilized to legitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and channels, depending on the features each platform offers."

Terefos says the majority of repositories on the Stargazers Ghost Network use tags that ensure they surface at the top of GitHub searches when users are looking for something. The threat group has also used services, such as Discord, to promote the malicious repositories as places where users can get game mods, cracked software such as Adobe and VPN software, and free trading, AI, and coin-mining tools.

"Since last week's CrowdStrike event, which threat actors have been trying to take advantage of, we have been monitoring for CrowdStrike 'drive-fixes' repositories, on the Ghost Network. So far, there have been none," Terefos says. "\[But\] this could be an example of how a user could land on a malicious repository by searching on GitHub for how to perform the \[CrowdStrike\] fix. The user would see that the repository has been starred by multiple other accounts, indicating that the provided 'fix/repo' works. Instead, the user is being infected with malware."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware

The good news: Only organizations far behind on standard Windows patching have anything to worry about.

Source: dennizn via Alamy Stock Photo

A Microsoft Defender SmartScreen vulnerability that was patched in February is still being used in infostealing attacks across the globe.

CVE-2024-21412 — a "high" severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.

Sometimes, organizations take their time updating third-party software. By contrast, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."

**A CVE-2024-21412 Attack Chain**

If you visit a website, or download a file or program that's known to be unsafe — or is suspicious for any number of other reasons — SmartScreen will step in and present you with that famous blue screen message: "Windows protected your PC." It's a simple, effective way to alert users to potentially dangerous cyber threats.

So consider how useful it would be to an attacker if they could simply disable that notification. This is what CVE-2024-21412 allows them to do.

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen "through the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed," Lakhani explains.

First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.

One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.

"These types of image-based attacks have been around a long time and, while they aren't as common as other types of attacks we typically observe, we still see them pop up over time because they are quite effective," Lakhani notes. "It's not surprising to see this attack, especially because \[steganography\] detection is often overlooked compared to other attack scenarios."

**Consequences to the Unpatched**

The stealers smuggled in through image files in this case get planted inside of legitimate Windows processes, at which point the gathering and exfiltration of data begins.

The kinds of information they aim for are broad. ACR, for example, steals from dozens of browsers (Google Chrome, Firefox), dozens of crypto wallets (Binance, Ledger Live), messenger apps (Telegram, WhatsApp), password managers (Bitwarden, 1Password), virtual private network (VPN) apps, email clients, file transfer protocol (FTP) clients, and more. 

Only organizations far behind on standard Windows patching have anything to worry about. Clearly, though, those organizations are out there.

"I would understand how individual software updates from smaller companies may be missed, but most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack," Lakhani says. To encourage better patching practices, he adds, "I think in all cases, software vendors need to give users alerts and notifications that critical security patches exist and should be installed when the software is launched or used."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattackers Exploit Microsoft SmartScreen Bug in Stealer Campaign

Players can only access the game by first joining its Telegram channel, with some going astray in copycat channels with hidden malware.

Source: Science Photo Library via Alamy Stock Photo

Malicious actors are targeting users of a mobile currency game by using fake Android and Windows software that installs spyware and other malware.

Hamster Kombat launched in March and already has more than 250 million users, likely due to the promises of winning TON-based cryptocurrency. The game is for Android users, who can earn in-game currency by completing certain tasks within the game.

To play, users must join the game's Telegram channel, scan a QR code, and then launch a Web app on their device. When users first search for the game's Telegram channel, they are likely to come across other Hamster-branded channels attempting to distribute Android malware. One channel, named "HAMSTER EASY," even distributes Ratel Android spyware as an APK file.

This malware can allow the threat actors to subscribe the victim to different services and hide the notifications so that they remain unaware.

Other fake websites include "hamsterkombat-ua.pro" and "hamsterkombat-win.pro," which redirect visitors to advertisements to generate money instead of the real game. 

On the Windows platform, researchers discovered GitHub repositories that promise its victims Hamster Kombat farm bots and autoclickers but instead deliver cryptors that contain Lumma Stealer, info-stealer malware.

As the game continues to grow in popularity among users, it will continue to attract malicious actors, so users should be wary of being tricked by threat actors and copycat apps and remain vigilant when downloading software.

**About the Author(s)**

Hamster Kombat Players Threatened by Spyware &amp; Infostealers

Though the cybersecurity vendor has since reverted the update, chaos continues as companies continue to struggle to get back up and running.

Source: SOPA Images Limited via Alamy Stock Photo

This is a breaking news story and will be updated as new developments occur.

This morning, Microsoft servers across the world displayed the dreaded "blue screen of death," leading to mass IT outages that disrupted business, airlines and flights, healthcare providers, banks, and more. The cause: A defective update to CrowdStrike Falcon Sensor, a widely used cloud-based endpoint detection and prevention (EDR) software program.

CrowdStrike said its engineering team has identified the issue that caused the massive disruption to Windows-based systems: A bug in the Memory Scanning prevention policy, which was not identified during their testing stages, Callie Guenther, senior manager at Critical Start, noted in an emailed statement.

"While CrowdStrike likely performed standard regression and functionality tests, these were insufficient because they did not simulate the real-world deployment environment where the bug caused the Falcon sensor to consume 100% of a CPU core," she wrote. This ultimately led to system performance issues.

CrowdStrike has since reverted the flawed Falcon software update. Even so, some users are still experiencing system crashes or are unable to stay online to receive the new and fixed version. The cybersecurity vendor has provided workaround steps for this issue.

In a post on social platform X, Microsoft CEO Satya Nadella said the company is aware of the issue and is working closely with CrowdStrike to provide technical support to its customers and get their systems back online.

**Falcon Fallout**

The severity of the broken CrowdStrike update became increasingly painful as victim reports rolled in throughout the day: More than 1,300 flights have been canceled or delayed, trains, card payments in stores, pharmacies, and even general practitioner (GP) surgeries were stalled. 

The Department of Health in Belfast reported that two-thirds of GP practices in Northern Ireland have been affected, with patient records inaccessible as well as lab tests and routine prescriptions.

Delta flights have been paused as it "works through a vendor technology issue," the New York Times reported, and Turkish Airlines has canceled at least 84 flights. Employees at financial institutions like JPMorgan Chase and Instinet have had trouble accessing their corporate systems as operations began to stutter.

Even the Paris Olympics organizing committee reports that its IT operations have been affected, mainly affecting delivery of uniforms and accreditations.

Meanwhile, President Joe Biden has been briefed on the outage, according to the White House, and administration officials are reportedly in touch with affected entities as well as CrowdStrike, which is working with customers that have been impacted.

"Mac and Linux hosts are not impacted," George Kurtz, president and CEO of CrowdStrike, wrote online. "This is not a security incident or cyberattack. The issue has been identified \[and isolated,\] and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website."

**It's Not a Data Breach, but it's a Disaster**

In an industry where cybersecurity practices and services are meant to protect an enterprise without interrupting them, this outage proves that "even non-malicious cybersecurity failures can bring businesses to their knees," according to Maxine Holt, cybersecurity analyst at Omdia.

This massive incident underscores an over-reliance on cloud services, Holt noted in an online statement, and the outage may prompt organizations to reconsider moving their mission-critical applications to the cloud.

"Omdia's Cloud and Data Center analysts have long warned about over-reliance on cloud services," Holt said. "Today's outages will make enterprises rethink moving mission-critical applications off-premises. The ripple effect is massive, hitting CrowdStrike, Microsoft, AWS, Azure, Google, and beyond. CrowdStrike's shares have plummeted by more than 20% in unofficial pre-market trading in the US, translating to a staggering $16 billion loss in value."

As CrowdStrike will undoubtedly face scrutiny as it gets back on its feet, only time will tell how this outage could affect regulation and pressure on software vendors.

"We need stronger regulations and guidance on vendor responsibilities for functional testing," Josh Thorngren, security strategist at ForAllSecure, wrote in an emailed statement. "If you're not testing the behavior of your application under-expected (and unexpected) conditions with every update — this type of issue will always be a risk."

Buggy CrowdStrike EDR Update Crashes Windows Systems Worldwide

The Coalition for Secure AI is a consortium of influential AI companies aiming to develop tools to secure AI applications and set up an ecosystem for sharing best practices.

Source: ElenaBS via Alamy Stock Photo

The largest and most influential artificial intelligence (AI) companies are joining forces to map out a security-first approach to the development and use of generative AI.

The Coalition for Secure AI, also called CoSAI, aims to provide the tools to mitigate the risks involved in AI. The goal is to create standardized guardrails, security technologies, and tools for the secure development of models.

"Our initial workstreams include AI and software supply chain security and preparing defenders for a changing cyber landscape," CoSAI said in a statement.

The initial efforts include creating a secure bubble and systems of checks and balances around the access and use of AI, and creating a framework to protect AI models from cyberattacks, according to Google, one of the coalition's founding members. Google, OpenAI, and Anthropic own the most widely used large language models (LLMs). Other members include infrastructure providers Microsoft, IBM, Intel, Nvidia, and PayPal.

"AI developers need — and end users deserve — a framework for AI security that meets the moment and responsibly captures the opportunity in front of us. CoSAI is the next step in that journey, and we can expect more updates in the coming months," wrote Google's vice president of security engineering, Heather Adkins, and Google Cloud's chief information security officer, Phil Venables.

**AI Safety as a Priority**

AI safety has raised a host of cybersecurity concerns since the launch of ChatGPT in 2022. Those include misuse for social engineering to penetrate systems and the creation of deepfake videos to spread misinformation. At the same time, security firms, such as Trend Micro and CrowdStrike, are now turning to AI to help companies root out threats.

AI safety, trust, and transparency are important as results could steer organizations into faulty — and sometimes harmful — actions and decisions, says Gartner analyst Avivah Litan.

"AI cannot run on its own without guardrails to rein it in — errors and exceptions need to be highlighted and investigated," Litan says.

AI security issues could multiply with technologies such as AI agents, which are add-ons that generate more accurate answers from custom data.

"The right tools need to be in place to automatically remediate all but the most opaque exceptions," Litan says.

US President Joe Biden has challenged the private sector to prioritize AI safety and ethics. His concern was around AI's potential to propagate inequity and to compromise national security.

In July 2023, President Biden issued an executive order that required commitments from major companies that are now part of CoSAI to develop safety standards, share safety test results, and prevent AI's misuse for biological materials and fraud and deception.

CoSAI will work with other organizations, including the Frontier Model Forum, Partnership on AI, OpenSSF, and MLCommons, to develop common standards and best practices.

MLCommons this week told Dark Reading that in fall this year it will release an AI safety benchmarking suite that will rate LLMs on responses related to hate speech, exploitation, child abuse, and sex crimes.

CoSAI will be managed by OASIS Open, which, like the Linux Foundation, manages open source development projects. OASIS is best known for its work around the XML standard and for the ODF file format, which is an alternative to Microsoft Word's .doc file format.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Tech Giants Agree to Standardize AI Security

After an extended period underground, the Chinese hackers have added a more sophisticated infection chain and additional EDR evasion techniques.

Source: Rokas Tenys via Alamy Stock Photo

The mysterious and covert Chinese hacking group GhostEmperor has resurfaced after a two-year hiatus with even more advanced capabilities and evasion techniques.

Initially discovered by Kaspersky Lab in 2021, GhostEmperor was notorious for targeting telecommunications and government entities in Southeast Asia through sophisticated supply chain attacks.

The group's recent activities were uncovered by cybersecurity firm Sygnia, which detailed the group's evolved attack methods in a report released this week. 

A recent investigation by the security firm into a compromised network of an unidentified client revealed that GhostEmperor was behind the breach.

The attackers used the compromised network as a launchpad to infiltrate another victim's systems, an incident which marks the first confirmed activity from GhostEmperor since 2021.

Sygnia's investigation found GhostEmperor had updated its well-known Demodex rootkit, a kernel-level tool that grants the highest level of access to the victim's operating system while evading endpoint detection and response (EDR) software.

The updated variant includes a reflective loader to execute the Core-Implant and employs new obfuscation techniques, such as different file names and registry keys. Additionally, the variant analyzed appears to have been compiled in July 2021, indicating it might be a newer version than what Kaspersky originally documented.

**Infection Chain, Evasion Techniques**

The analysis also noted significant alterations in GhostEmperor's infection chain.

Traditionally, the group gained initial access by exploiting vulnerabilities such as ProxyLogon. A batch file was executed to initiate the infection, deploying various tools that communicated with a set of command-and-control (C2) servers.

In the most recent breach, GhostEmperor employed the WMIExec tool from the Impacket Toolkit to execute commands remotely via Windows Management Instrumentation (WMI), initiating the infection chain on the compromised machine.

The report noted the new infection chain is more sophisticated and stealthier, incorporating additional EDR evasion techniques.

“We are seeing, again and again — especially in this scenario, when we went into the customer's domain — that people are not aware of their environment,” Azeem Aleem, Sygnia's managing director, told The Record, cybersecurity firm Recorded Future's news site. 

**GhostEmperor Left a Global Trail**

When GhostEmperor was first identified in September 2021, Kaspersky described the group as a highly skilled and sophisticated threat actor, primarily targeting high-profile entities in Southeast Asia, including Malaysia, Thailand, Vietnam, and Indonesia. 

Additional victims included entities in Egypt, Ethiopia, and Afghanistan, indicating a broad and ambitious scope of operations.

The initial discovery by Kaspersky highlighted GhostEmperor's use of multistage malware designed for stealth and persistence, leveraging rootkits and other advanced tools to maintain a foothold in compromised networks.

The group's ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools.

**Chinese Threat Actors Multiply **

This month alone Chinese threat actors have been discovered targeting Internet cafes in China that allow attackers to execute malicious code with the highest privileges. 

The Chinese state-sponsored actor APT40 was discovered exploiting newly discovered software vulnerabilities within hours targeting organizations globally, including repeated attacks on Australian networks. At the start of the month China-backed threat group Velvet Ant was discovered using targeted malware to exploit a vulnerability in Cisco's NX-OS software for managing a variety of switches.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Notorious Chinese Hacker Gang GhostEmperor Re-Emerges After 2 Years

Private sector organizations are "hesitant" to seek guidance from the Coast Guard, which isn't sufficiently equipped to help them yet.

Source: Rick Pisio/RWP Photography via Alamy Stock Photo

The Coast Guard is struggling to secure the US maritime supply chain thanks to inadequate staffing, training, authority, and cyber expertise.

A new report from the Department of Homeland Security's Office of Inspector General paints a picture of an industry reluctant to seek cybersecurity support, and a military unable to adequately provide it.

Coast Guard "Cyber Protection Teams" (CPTs) have offered free cybersecurity help to organizations in the Maritime Transportation System (MTS) since 2021, yet only 36% of qualifying organizations have taken them up on it. The private sector is "hesitant," the report says, despite the many security vulnerabilities CPT assessments typically uncover.

Part of the blame lies with the Coast Guard itself. The DHS Inspector General's Office's found that CPT inspections of marine facilities and vessels don't always account for "the full scope of potential cybersecurity threats. This occurred because Coast Guard does not have the authority or training to enforce private industry compliance with standard cybersecurity practices."

Plus, the service branch lacks staff with cyber expertise, according to the DHS IG.

**Coast Guard Role in Private Sector Cybersecurity**

Earlier this year, the Biden administration issued an executive order that, among other things, empowered the Coast Guard to take an even greater role in private sector security.

The military branch now has the authority to quarterback response efforts after any facilities, harbors, ports, or individual vessels are impacted by cyber incidents, including by inspecting or even controlling the movement of vessels which might otherwise threaten US infrastructure. It was also assigned the task of creating a set of minimum cybersecurity requirements for the industry.

"You don't see the Air Force directly taking on transportation \[security\], but it makes sense here in this case due to their \[the Coast Guard's\] sector expertise," says Itay Glick, operational technology expert and vice president of products at Opswat. "They already have relationships with the different groups — ships, ports, etc. — because of their day- to-day work, and adding that layer of cybersecurity actually makes sense."

In some ways, the Coast Guard has been quite productive so far. Cyber incidents reported to, and reviewed by, the Coast Guard have risen 111% in the past few years. Its vulnerability assessments have uncovered hundreds of incidents involving dozens of vulnerabilities, more than half of "critical" or "high" severity, meaning they could cause complete network, application, or system compromise.

In other ways, though, the service branch has not seemed up to the task. The DHS observed some CPT inspectors ignoring cybersecurity entirely, and found that they "expressed a limited understanding of how to address cybersecurity" thanks to little to no cybersecurity training. And even when vulnerabilities were found, the branch had insufficient means to force companies to comply with its recommendations for remediation.

**Threats to Maritime**

If it wasn't obvious enough in years prior, the world learned just how valuable and sensitive the MTS is from COVID and the Ever Given incident in the Suez Canal. Hackers learned it, too, and now cyber threats to the system are far greater than they ever were before.

A report from the Coast Guard Cyber Command last year found an 80% rise in reported ransomware incidents, with ransom demands tripling on average. Cyber disruptions to marine industries can come in many other forms as well, and cyber espionage — particularly from capable nation-state adversaries — is a persistent risk.

A failure to account for the kinds of vulnerabilities uncovered by plenty of CPT assessments already could, in the worst-case scenarios, lead to physical danger for crew members or marine life, and major disruptions to the global supply chain.

"Years ago, you saw \[how\] you couldn't bring new supplies into countries across the world. This is something that can happen again," Glick Warns, "and this is what we need to fear. If you don't have produce coming in, that might terribly impact the commercial industry here in the US."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DHS Inspector General: Coast Guard Shortcomings Hinder US Maritime Security

As threat actors get smarter about how they target employees, the onus is on organizations to create a strong line of defense — and the human element is a critical component.

Masha Sedova, VP, Human Risk Strategy, Mimecast

July 19, 2024

4 Min Read

Source: Yuliya Volkovska via Alamy Stock Vector

COMMENTARY

As the stakes of cyberattacks continue to rise, organizations are throwing more and more money at innovative new services and equipment to thwart them. But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element. There's little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for robbers into the building.

Year after year, the human element consistently ranks among the greatest risk factors in cybersecurity — it is projected to play a central role in 68% to 90% of breaches in 2024 — and the standard practice of mandated security awareness trainings isn't driving improvement, as stolen credentials, data leaks, and targeted phishing emails remain prevalent. To address this critical vulnerability, chief information security officers (CISOs) must take a more data-driven, tailored approach to mitigating human risk that goes beyond just training — one that requires human-by-design cybersecurity.

**Quantifying Risk**

Security awareness training helps, but it doesn't complete the job, as it treats every employee the same. In reality, some users are highly adept at sniffing out threats, while others require additional support. Some subsets of users are targeted with great regularity, while others receive very few phishing attempts. As such, a human-centric security approach must begin with a detailed understanding of the organization's distribution of risk.

The first step is pinning down those at the company who are most at risk. Studies have found that just 8% of employees cause 80% of incidents, and many in this subset typically are repeat offenders. Certain individuals are also targeted more frequently, due to their prominence: Managers receive 2.5 times more phishing emails on average than non-managers, and the rate of attempts goes up for all employees the longer they remain at a company, nearly doubling every three years.

These figures can vary widely between organizations, so it's key for businesses to perform their own analysis. This can be done by analyzing data that's often overlooked — like the logs generated by security endpoints when they prevent employees from executing malware — and gathering patterns from it. In the ideal framework, security administrators should be able to pull data from all manner of security tools to understand what good or risky security decisions users make on an ongoing basis and build a profile on users' individual security risk.

**Managing Risk**

Much like financial institutions with credit scores or insurance companies with premiums, organizations can then begin leveraging these risk scores to create a personalized, adaptive approach to security, beginning with tailored training.

Rather than making all employees complete the same generic security awareness modules (which, let's be honest, most people will just blow through with little attention paid), individuals who have proven themselves a low risk can instead be served a light slate of policy reminders and checklists. Those on the opposite end of the spectrum, who are either frequently targeted or will be, can be mandated to take more rigorous training with a focus on the topics related to the risks they face.

With detailed insights into behavior patterns, organizations can also reward good security practices with recognition. They can then take steps to stem bad habits with interventions like adaptive nudges — personalized messages sent out at the right time, or context to prevent users from falling victim to attacks — or strategies like tighter email security filtering, stricter browsing permissions, or reducing the time that multifactor authentication tokens are valid on at-risk users' machines.

It's important that these practices are carried out with transparency so employees know how the security team plans on using this collected data. When security teams take a constructive stance — for example, by sending out report cards that affirm positive behavior and suggest areas to improve — employees almost universally respond with openness and appreciation. For the small percentage of users in the high-risk group, extra care should be taken to explain how the additional training and adaptive measures are designed to help them get better.

**Tracking Improvement**

Collecting and analyzing security events also allows administrators to take a more data-driven approach to measuring results and, ideally, improvement. By gauging their baseline, security teams can then track the number of risky behaviors occurring on the network over time and dial in the best methods of "bubble wrapping" subsets of the user base to reduce future occurrences.

This measurability stands in stark contrast to conventional human risk mitigation practices (i.e., simple awareness training), which can often take the form of a black hole in terms of understanding impact and, in turn, return on investment (ROI). With an objective, outcomes-first approach, CISOs can both deliver security improvement and clearly demonstrate the success of the investment to the rest of the C-suite.

As threat actors get smarter about how they target employees, the onus is on organizations and their cybersecurity partners to create a strong line of defense — and the human element is a critical component. Companies that take a more intelligent, personalized approach to curbing risky behavior will stand the best chance of safeguarding their organizations against cyberattacks, all while making more efficient use of their security budgets.

**About the Author(s)**

VP, Human Risk Strategy, Mimecast

Masha Sedova, co-founder of Elevate Security, has made her mark in cybersecurity through her practical and human-centered approach to the field. Under her leadership, Elevate Security's innovative platform significantly reduced user-related risks for enterprises. This led to its acquisition by Mimecast in 2024 where she now serves as VP of human risk strategy.

In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training

According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.

Source: Travel mania via Shutterstock

One of China's more prolific threat groups, APT41, is carrying out a sustained cyber espionage campaign targeting organizations in multiple sectors, including global shipping and logistics, media and entertainment, technology, and the automotive industry.

The advanced persistent threat (APT) actor appears to have launched the new campaign sometime in early 2023. Since then, the group has successfully infiltrated multiple victim networks and maintained prolonged access on them, Google's Mandiant security group said this week in a joint analysis with Google's Threat Analysis Group (TAG). Most of the affected organizations are located in the United Kingdom, Italy, Spain, Taiwan, Thailand, and Turkey.

APT41 is sort of an umbrella descriptor for a collective of China-based threat actors engaged in cyber espionage, supply chain attacks, and financially motivated cybercrime around the globe since at least 2012. Over the years security researchers have identified multiple subgroups as being part of the APT41 collective, including Wicked Panda, Winnti, Suckfly, and Barium. These groups have stolen trade secrets, intellectual property, healthcare related data and other sensitive information from US organizations and entities around the word on behalf of the Chinese government. In 2020, the US government indicted five members of APT41 for participating in or contributing to attacks on more than 100 companies worldwide. Those charges have done little to deter the group's activities so far, however.

**APT41's Widespread Geographic Impact**

Nearly all but one of the targeted organizations in the shipping and logistics sector were based in the Middle East and Europe, while all organizations that APT41 targeted in the media and entertainment sector were located in Asia. Many victims within the shipping and logistics sectors have operations across multiple continents, either as subsidiaries or affiliates of large multinational companies in the same sector, Mandiant researchers said.

"An analysis of victim organizations within specific sectors reveals a notable geographic distribution," Mandiant researchers said in its blog post.

Further, "Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore," the security vendor wrote. "At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting."

**Custom Cyber Espionage Tools**

Mandiant researchers also said it had observed APT41 actors using a range of custom tools in its ongoing campaign, including those for dropping malware on target systems, establishing backdoors, moving laterally in compromised networks, and exfiltrating data from them. The tools include two Web shells for persistence, called AntsWord and BlueBeam, which the threat actor has been using to download a dropper called DustPan, which in turn attempts to load the Beacon post-compromise tool on victim systems.

In addition to this, Mandiant said it observed APT41 use a hitherto unseen multi-stage plugin framework called DustTrap for decrypting malicious payloads and executing them in memory so as to enable communication between the compromised system and APT-41 controlled systems and infrastructure. "DustPan has been used by APT41 as far back as 2021, but DustTrap was first seen in this activity," says Ben Read, head of cyber espionage analysis at Mandiant.

Other tools that APT41 actors have effectively deployed in the current campaign include malware dubbed SQLULDR2 for copying data from Oracle Databases and PineGrove for exfiltrating large volumes of data from a compromised network to a OneDrive account for subsequent analysts.

"APT41 has always had a global mandate, so while their targeting in this campaign likely reflects current PRC priorities, the widespread nature is consistent with what we have seen previously from them," Read says.

So far, Mandiant has found no evidence to suggest that APT41 are seeking to monetize their attacks in the current campaign in any way. "However, we do not have full insight into the post compromise activity, so can't say for sure."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading