Attackers are more likely to target critical infrastructure industries and, when they do, they cause more disruption and ask higher ransoms, with the median payment topping $2.5 million.

Source: Have a nice day Photo via Shutterstock

When ransomware targeted the city of Dallas, Texas last year, it took down city services, the municipal water utility's ability to bill and read meters, and emergency services. The city required more than a month to bring all its systems back online.

Dallas is not alone. In 2023, two-thirds of critical infrastructure operators (67%) in the oil, energy, and utility sectors suffered a ransomware attack, compared to 59% of all industries, according to a survey by Sophos. In addition, attacks on those critical-infrastructure sectors affected an average of 62% of systems, far higher than the 49% of systems across all industries impacted during a ransomware attack.

In fact, the groups collectively tie healthcare as the second-most impacted sectors, with only federal government agencies impacted more often, says Chester Wisniewski, global field CTO at Sophos.

"This sector needs to recognize this as a serious risk and position themselves to not be so vulnerable to ransom demands," he says. "This isn't impossible work. Ultimately it's about getting the basics right, just like in previous years."

Critical infrastructure sectors have been perennial favorites of ransomware gangs, dating back to the Colonial Pipeline incident and even earlier. Ransomware cases in the industrial sector almost doubled between 2022 and 2023 to 1,484 attacks, from 804 incidents, according to data from the NCC Group, a cybersecurity consultancy.

The industrial sector — under which critical-infrastructure companies fall — manages essential services, and disruptions can have severe consequences, prompting quick ransomware payments, says Ian Usher, associate director of threat intelligence operations and service innovation for the NCC Group.

"Organizations that provide a public service or support critical infrastructures are more attractive for ransomware attacks because they face external pressure to restore operations," he says.

**What Makes a Successful Industrial Ransomware Attack?**

Most ransomware attacks against companies in the critical-infrastructure sectors of oil, energy and utilities succeeded through exploiting software vulnerabilities, which accounted for 49% of successful attacks versus 35% the previous year, according to Sophos's report. Compromised credentials (27%) and malicious emails (14%) rounded out the top-3 vectors.

A critical measure is how often an attack led to data being encrypted. In 2023, eight in 10 attacks resulted in encrypted data, the same as the previous year, but significantly higher than the previous two years, says Sophos' Wisniewski.

"This is worrying," he says. "These numbers should be improving as the adoption of extended detection and response (XDR) and managed detection and response (MDR) is becoming increasingly common."

The impact of ransomware attacks are often brutal for businesses. The average respondent in Sophos's survey required more than a month to recover. For the first time, more companies paid the ransom (61%) than used backups for recovery, even while the median payment jumped to $2.54 million. The average cost of recovery from an incident topped $3 million in 2023, matching the previous year. (Note, while Sophos's report is labeled 2024, the data is from 2023, so Dark Reading uses the latter year.)

**Don't Be The Low-Hanging Cyber Fruit**

Organizations that fail to adopt simple technologies, such as multi-factor authentication (MFA), and fail to keep up with software updates, will likely find themselves targeted not just once, but multiple times, says Sophos' Wisniewski.

While the high rate of ransom payments really stood out this year, organizations should no longer consider paying cybercriminals as a solution, he says.

"There isn't a way to buy your way out of situations like a ransomware attack," Wisniewski says. "In rare cases, the payment can expedite recovery, but it is the exception, not the rule ... You are almost guaranteed not to get all of your files back, and you will still need to rebuild ... your systems."

The government needs to help set cybersecurity standards for the critical infrastructure sectors, says NCC Group's Usher. Currently, under the Cyber Incident Reporting for Critical Infrastructure Act passed in 2022, critical-infrastructure operators are required to report significant cyber events within 72 hours and disclose ransom payments within 24 hours, he says.

"The government can...ensure consistent cybersecurity standards across critical infrastructure," he says. "A continued lack of alignment will only serve to create an ever more complex Web of rules. This will likely be counterproductive to delivering better cyber resilience, and contribute to the problem of cybersecurity compliance becoming a 'tick box' exercise."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Has Outsized Impact on Gas, Energy &amp; Utility Firms

The latest version of the Cloud Security Alliance's certification provides a comprehensive catalog of essential skills that cybersecurity professionals need to master.

Source: Ronald Candonga via Pixabay

The Cloud Security Alliance (CSA) has released the Certificate of Cloud Security Knowledge (CCSK) v5, the latest version of its vendor-neutral, cloud security training and certificate.

Designed for security analysts, compliance managers, security engineers, architects, and administrators, the CCSK provides training on topics including cloud incident response, application security, and data encryption. Certification is widely regarded as a benchmark for demonstrating cloud security knowledge and skills.

The "program provides a survey of the most important topics cybersecurity professionals will face day in and day out and is complementary to virtually any other education available," the CSA said.

The CCSK v5 is a "substantial update to CCSK v4," according to CSA. It includes in-depth information, recommendations, and best practices to secure cloud architecture, cloud native security, workloads, virtual networking, data protection, DevSecOps, zero trust, and generative artificial intelligence (GenAI). The CCSK also covers serverless/function-as-a-service, application security, continuous integration and continuous delivery (CI/CD), automation, identity and access management, and incident response.

In addition, CSA has published corresponding security guidance material for the CCSK v5. Students also have access to a variety of training modules, the CCSK v5 Prep Kit, an online self-paced option (which can be completed in 10 hours) and instructor-led classes. Security pros have 120 minutes long to take the exam — a half hour more than the older program's 90 minutes. It is expected to cost $445, though the fee is waived for veterans, according to the CSA.

The CCSK v5 includes "vital information" about managing risks, achieving compliance, optimizing organizational cloud security strategies, and understanding the shared responsibility model between the cloud provider and customer. The GenAI tool CCSK Orb is included in CCSK v5, as well.

CSA Updates Cloud Security Certificate, Training

The manual provides guidance on how to improve the resiliency of critical infrastructure.

Source: Jochen Tack via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) has published a supplemental manual to its infrastructure resilience planning framework, providing guidance on improving critical infrastructure security and resiliency. The "IRPF Playbook" provides state, local, tribal, territorial (SLTT) government planners and private-sector stakeholders with processes to help reduce the risk of disruption to critical services during a cyberattack on critical infrastructure, as well as to keep recovery and restoration costs low.

The manual also provides "fictional scenarios like a recipe" to help understand how to implement the guidance, CISA said. It outlines key actions for resilience planning, such as establishing incident-response groups, identifying critical infrastructure and dependencies, creating mitigation strategies, and integrating solutions into existing protocols. The narrative hypotheticals illustrate how a community might conduct resilience planning or incorporate resilience into existing planning efforts.

"Reading through the Playbook process, not only are the IRPF steps articulated with clear inputs and outputs, but the additional guidance on resilience concepts will help communities increase their readiness and bounce back quickly after a disaster," said David Mussington, CISA's executive assistant director for infrastructure security, in a statement.

The new playbook is a voluntary planning resource; it does not carry "any regulations, define mandatory practices, provide a checklist for compliance, or carry statutory authority," according to CISA.

**About the Author(s)**

CISA Publishes Resiliency Playbook for Critical Infrastructure

Judge dismisses claims against SolarWinds for actions taken after its systems had been breached, but allows the case to proceed for alleged misstatements prior to the incident.

Source: Tetra Images via Alamy Stock Photo

A judge has dismissed a major portion of the Securities and Exchange Commission (SEC) litigation against SolarWinds and its chief information security officer (CISO), Tim Brown, ruling that they cannot be held liable for statements and filings made after the breach of the company's flagship Orion product.

However, the SEC can proceed with its charge against SolarWinds and Brown for misrepresentations made about the company's cybersecurity posture leading up to the cyberattack, according to the ruling from US District Court Judge Paul A. Engelmayer released on July 18. Court filings refer to the cyber incident as "Sunburst."

The ruling is in response to SolarWinds' motion to dismiss the SEC lawsuit filed in January of this year.

**SolarWinds Information-Sharing "Vindicated"**

Legal and cybersecurity experts say the ruling is a positive move toward providing guidance to other publicly traded companies on how to deal with cybersecurity incident disclosure regulations.

"For public companies rushing both to investigate an incident and make a materiality disclosure, the court's opinion allows the totality of the disclosure to prevail over the nitty-gritty details," says cyber attorney Beth Burgin Waller of Woods, Rogers, Vandeventer, Black PLC. "This decision vindicates SolarWinds' information sharing with the cybersecurity community post-incident."

While the ruling removes many of the charges against SolarWinds and Brown, the SEC will be allowed to pursue action for statements and other claims made about the cybersecurity posture of the company prior to its compromise. Disclosures and statements made about the company's security posture prior to the breach are "viably pled as materially false and misleading in numerous aspects," the judge wrote.

After joining SolarWinds in 2017, Brown internally highlighted deficits in the company's defenses while delivering more rosy assessments to customers, the ruling explained. Notably, the SolarWinds "Security Statement" falsely claimed compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

A SolarWinds spokesperson said the company was "pleased" with the ruling in a statement.

"We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate," the statement said. "We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."

**CISO Hot Takes**

Jessica Sica, CISO with Weave, was especially encouraged by the court's decision to toss out internal communications evidence among SolarWinds employees.

"Internally, you need to be able to discuss the state of security — for better or for worse — and not have that get out as if you weren’t doing your job," Sica says. "The SEC keeping that portion in could have led to more companies having a sort of 'don’t ask, don’t tell' policy on security, and that would make things much worse."

The court ruling also loosens some constraints on CISOs, according to Fred Kwong, Ph.D., vice president, and CISO of DeVry University.

"Holding CISOs personally liable, especially those CISOs that do not hold a position on the executive committee, is deeply flawed and would have set a precedent that would be counterproductive and weaken the security posture of organizations," Kwong says. "While not out of the woods, I'm happy to see that the court has dismissed most of the charges, especially those post-Sunburst."

Regardless of the ultimate outcome of the SEC's action against SolarWinds and Brown, Sica urges fellow CISOs to continue to be transparent.

"I think this doesn’t change the fact that you need to be honest about your security posture, and that’s a good thing," Sica says. "If you are promising publicly that you are doing it."

Sizable Chunk of SEC Charges Against SolarWinds Tossed Out of Court

Though the number of victims has risen, the actual number of breaches has gone down, as fewer, bigger breaches affect more individuals.

Source: B Christopher via Alamy Stock Photo

At the end of the second quarter of 2024, the number of US data breach victims has increased by more than 1,000% over the entire previous year, according to new analysis of publicly reported data breaches in the country.

The analysis, conducted by Identity Theft Resource Center (ITRC), determined that the increase in the number of victims in the second quarter of the year was due to the impact of a small number of very large breaches. So, though the number of victims has increased exponentially, there has been a 12% decrease in the actual number of incidents that occurred during that time frame. 

These large breaches include Prudential Financial and the Infosys McCamish System leaks, which affected Fidelity and Bank of America, among others. Together, these sent the victim count into the millions.

The data breach victim count for the first six months of 2024 was more than 1 billion (1,078,989,742), which is a 490% increase compared to the first half of 2023, which had a victim count of 182.6 million. This tally, however, does not include the Change Healthcare breach, which affected a huge swath of US victims.

"The takeaway from this report is simple," said Eva Velasquez, ITRC president and CEO. "Every person, business, institution and government agency must view data and identity protection with a greater sense of urgency."

**About the Author(s)**

US Data Breach Victim Numbers Increase by 1,000%, Literally

The vulnerability was given the highest CVSS score possible, though few details have been released due to its severity.

Source: designer491 via Alamy Stock Photo

Cisco has released a patch for a maximum-severity vulnerability, tracked as CVE-2024-20419, that allows threat actors to change any user or admin password.

The vulnerability carries a CVSS rating of 10, however, the company has not released many details about the bug, likely due to how high risk it is.

The attack complexity was deemed low, as no privileges or user interaction is necessary to complete the action, but the impact on the product's integrity, availability, and confidentiality are all deemed high.

"An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device," Cisco said in a statement. "A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

This vulnerability affects SSM On-Prem and SSM Satellite. There are no workarounds for the vulnerability, so it's recommended that users apply patches for the bug as soon as possible. 

Cisco has not released any additional information regarding this vulnerability in the wild or how many users have been potentially impacted. SSM On-Prem is primarily used by "financial institutions, utilities, service providers, and government organizations," according to the vendor, so organizations in these sectors should be especially wary. 

**About the Author(s)**

High-Severity Cisco Bug Grants Attackers Password Access

Three newly discovered SMTP smuggling attack techniques can exploit misconfigurations and design decisions made by at least 50 email-hosting providers.

Source: Maksim Kabakou via Adobe Stock Photo

Three novel attack techniques that chain together vulnerabilities found in numerous email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organizations.

The flaws — discovered by several security researchers at PayPal — allow attackers to use simple mail transfer protocol (SMTP) smuggling to bypass SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) security protocols to deliver malicious emails from domains owned by reputable Fortune 500 companies and government agencies.

The findings include vulnerabilities in email verification processes used by numerous large email service providers, specifically domain-authentication issues, request for comments (RFC) violations, and the abuse of valid DKIM signatures and SPF records.

**Email-Hosting, Vulnerable by Default**

The researchers — Hao Wang, offensive security senior manager; Caleb Sargent, offensive security engineer; and Harrison Pomeroy, lead threat detection engineer — plan to disclose how chaining these vulnerabilities together creates the new attack patterns in a session at the forthcoming Black Hat USA conference during first week in August, entitled "Into the Inbox: Novel Email Spoofing Attack Patterns."

They also will reveal the affected vendors, which could number more than 50. The lag is due to the responsible disclosure timeline, as the researchers allow time for the issues to be addressed, Wang says.

"The issue we want to emphasize is that email gateway vendors remain vulnerable to SMTP smuggling in their default configuration," Wang tells Dark Reading in an interview. "This vulnerability can have a significant impact, especially if the outbound SMTP server of large email or hosting providers is permitted to send emails on behalf of multiple domains."

While some email gateway vendors include a setting to reject spoofed emails and thus mitigate the issue, enabling this feature may inadvertently block legitimate emails. "Consequently, many large customers continue to use the default, vulnerable setting," he says, creating a wide avenue for attacker abuse.

**Novel Attack Techniques**

The team's research was informed by two previous works from other researchers: a "SpamChannel" talk presented by Marcello Salvati at DefCon 2023, and an innovative SMTP smuggling attack unveiled by Timo Longin in December, Wang says.

The first attack technique involves SPF abuse and is due to the fact that several large email and hosting service providers fail to verify domains properly when sending emails, which violates RFC requirements.

"Their domains often have overly permissive SPF records, enabling attackers to bypass SPF/DMARC security controls and deliver fraudulent emails," Wang explains, adding that the attack has a "high success rate" due to the large number of affected domains and the broad reach of email spoofing.

The second attack pattern abuses DKIM due to improper domain verification when utilizing feedback loop (FBL) features from major mailbox providers, allowing large-scale email spoofing campaigns.

The third attack pattern is one that expands upon Longin's SMTP smuggling attack discovery, and will be revealed in more detail during the Black Hat USA session. Longin discovered that attackers can exploit SMTP on vulnerable servers to send scores of malicious emails with fake sender addresses based on the exploit of existing flaws on messaging servers from Microsoft, GMX, and Cisco.

"Most of the attacks do not directly circumvent SPF, DKIM, and DMARC controls in place, but instead leverage misconfigurations and design decisions made by the affected vendors," Wang says. "The result of these attacks are emails with valid SPF and DKIM records that will pass the DMARC check."

**SMTP Smuggling Detection and Mitigation **

As part of their session, the researchers plan to reveal a method for detecting SMTP smuggling attacks that involves the Message-ID identifier that email servers add when they send someone's email. The method correlates the difference between the Message-IDs added by the outbound and inbound SMTP servers when an attacker attempts to send multiple emails within a short period through a single SMTP connection.

"This difference would serve as a strong indicator of an SMTP smuggling attack, enabling the development of custom detection rules," Wang says. "At the very least, organizations can incorporate this technique as part of their compensating controls for mitigating this type of attack."

Indeed, while the attack patterns discovered can allow email spoofing by bypassing DMARC, DKIM, and SPF security controls, the researchers still highly recommended that organizations enforce these measures for their domains as a foundational security baseline.

"Implementing these controls significantly enhances email security by providing mechanisms for verifying the authenticity of email messages, reducing the risk of phishing and email spoofing attacks," Wang says.

Organizations also should use email-filtering solutions that leverage heuristic and content-based analysis in addition to validating messages through DMARC, DKIM, and SPF security controls for a multilayered approach that helps identify and block potential spoofing and phishing emails more effectively, he says.

Wang adds that enforcing RFC standards for authentication and authorization across all email service providers also "is critical for maintaining the security and reliability of email communications," and preventing various forms of email-based attacks."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

20 Million Trusted Domains Vulnerable to Email Hosting Exploits

An official stamp of approval might give the impression that a purported "HotPage" adtech tool is not, in fact, a dangerous kernel-level malware — but that's just subterfuge.

Source: Bruno Rodrigues Baptista da Silva via Alamy Stock Photo

Researchers have stumbled upon a fake ad blocker marketed to Internet cafés in China that, in fact, conceals sophisticated, multifaceted, kernel-level malware.

"HotPage.exe," present on VirusTotal since at least late last year, was approved and signed by Microsoft and developed by what seemed to be a real corporation. Still, security products flag it as adware, and, in truth, it is even worse than that.

Instead of removing ads, it introduces many more of them by intercepting web traffic and redirecting and manipulating content in victims' browsers. Meanwhile, it drops a vulnerable system-level driver that could allow any attacker wandering by to execute malicious code with the highest possible privileges.

According to its new report, ESET reported HotPage to Microsoft on March 18. Microsoft removed it from the Windows Server Catalog on May 1.

**HotPage Can Be Weaponized Easily**

It's unclear as yet how HotPage is delivered to victims. Its product documentation indicates that it's marketed as a security product, which makes sense, seeing as it requires significant privileges to drop its vulnerable driver to the disk.

That driver is the source of all kinds of trouble. It injects libraries into targeted browser applications, and hooks network-based Windows API functions in order to intercept and modify browser activity, redirecting or opening new ad-stuffed web pages on the victim's screen. It connects with a command-and-control (C2) server to send back information about the victim, and retrieve relevant data for the attack.

Worse, though, is that this kernel-mode component lacks proper access restrictions, in effect allowing any running process to communicate with it. It's not clear whether this was designed intentionally or not, but either way, the result is the same: Any attacker could weaponize HotPage for their own purposes.

It's worth noting, then, how HotPage hooks the Windows API function "SetProcessMitigationPolicy," which is used for applying security policies to processes. In so doing, the malware blocks any security policies that might otherwise be applied to it, enabling arbitrary code injection at the system level.

**How HotPage Malware Got its Veneer of Legitimacy**

According to its official signature, HotPage was developed by Hubei Dunwang Network Technology Co. Ltd. The company was first registered on Jan. 6, 2022, with the stated purpose of providing technology-related services, including development, consulting, and advertising. Its website — a barebones form with three fields and a QR code — is no longer live.

How could Microsoft's code signing process be so lax as to allow through such a shady company and its blatant malware? Dark Reading reached out to Microsoft for comment on this point, but the reality is that code signing is regularly abused in any number of ways.

"In a rather simple scenario," explains Romain Dumont, malware researcher for ESET, "a shady company would develop a legitimate computer software, which would go through the driver-signing requirements. Later on, the editor could covertly introduce a backdoor, either through new functionalities or by intentionally introducing a vulnerability."

Similarly, he adds, "HotPage (or DWAdsafe), posed as a security product to block ads, and so possesses interception functionalities. Here, the problem lies in the way the software can be configured and misused."

Microsoft, for its part, can only do so much. "I don’t think a bulletproof process exists," Dumont says. "A naive approach would be to do a background check on companies and verify that the advertised functionalities correspond to the actual functionalities through a security assessment. Microsoft could ask for a certain level of transparency regarding the intended purpose of the software and the required functionalities to achieve it. The more functionalities an editor needs, the more tests they should pass. But let’s face it, it’s a difficult and time-consuming task."

Users, then, cannot blindly trust even the programs Microsoft deems trustworthy. Instead, Dumont says, "I think using computer software from renowned companies is a start. Also, turn to open source software and companies with bug-bounty programs, who are transparent about their functionalities and have history sharing security advisories or vulnerability announcements. ... If possible and as a rule of thumb, companies and users should isolate programs and restrict their privileges as much as possible."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft-Signed Chinese Adware Opens the Door to Kernel Privileges

Digital literacy and protective measures will be key to detecting disinformation and deepfakes as AI is used to shape public opinion and erode trust in the democratic processes, as well as identify nefarious content.

Source: Enrico01 via Alamy Stock Photo

COMMENTARY

Disinformation — information created and shared to mislead opinion or understanding — isn't a new phenomenon. However, digital media and the proliferation of open source generative artificial intelligence (GenAI) tools like ChatGPT, DALL-E, and DeepSwap, coupled with mass dissemination capabilities of social media, are exacerbating challenges associated with preventing the spread of potentially harmful fake content. 

Although in their infancy, these tools have begun shaping how we create digital content, requiring little in the way of skill or budget to produce convincing photo and video imitations of individuals or generate believable conspiratorial narratives. In fact, the World Economic Forum places disinformation amplified by AI as one of the most severe global risks over the next few years, including the possibilities for exploitation amid heightened global political and social tensions, and during critical junctures such as elections. 

In 2024, as more than 2 billion voters across 50 countries have already headed to the polls or await upcoming elections, disinformation has driven concerns over its ability to shape public opinion and erode trust in the media and democratic processes. But while AI-generated content can be leveraged to manipulate a narrative, there is also potential for these tools to improve our capabilities to identify and protect against these threats. 

**Addressing AI-Generated Disinformation**

Governments and regulatory authorities have introduced various guidelines and legislation to protect the public from AI-generated disinformation. In November 2023, 18 countries — including the US and UK — entered into a nonbinding AI Safety agreement, while in the European Union, an AI Act approved in mid-March limits various AI applications. The Indian government drafted legislation in response to a proliferation of deepfakes during elections cycle that compels social media companies to remove reported deepfakes or lose their protection from liability for third-party content. 

Nevertheless, authorities have struggled to adapt to the shifting AI landscape, which often outpaces their ability to develop relevant expertise and reach consensus across multiple (and often opposing) stakeholders from government, civil, and commercial spheres. 

Social media companies have also implemented guardrails to protect users, including increased scanning and removal of fake accounts, and steering users toward reliable sources of information, particularly around elections. Amid financial challenges, many platforms have downsized teams dedicated to AI ethics and online safety, creating uncertainty as to the impact this will have on platforms' abilities and appetite to effectively stem false content in the coming years. 

Meanwhile, technical challenges persist around identifying and containing misleading content. The sheer volume and rate at which information spreads through social media platforms — often where individuals first encounter falsified content — seriously complicates detection efforts; harmful posts can "go viral" within hours as platforms prioritize engagement over accuracy. Automated moderation has improved capabilities to an extent, but such solutions have been unable to keep up. For instance, significant gaps remain in automated attempts to detect certain hashtags, keywords, misspellings and non-English words.  

Disinformation can be exacerbated when it is unknowingly disseminated by mainstream media or influencers who have not sufficiently verified its authenticity. In May 2023, the Irish Times apologized after gaps in its editing and publication process resulted in the publication of an AI-generated article. In the same month, while an AI-generated image on Twitter of an explosion at the Pentagon was quickly debunked by US law enforcement, it nonetheless prompted a 0.26% drop in the stock market. 

**What Can Be Done?**

Not all applications of AI are malicious. Indeed, leaning into AI may help circumvent some limitations of human content moderation, decreasing reliance on human moderators to improve efficiency and reduce costs. But there are limitations. Content moderation using large language models (LLMs) is often overly sensitive in the absence of sufficient human oversight to interpret context and sentiment, blurring the line between preventing the spread of harmful content and suppressing alternative views. Continued challenges with biased training data and algorithms and AI hallucinations (occurring most commonly in image recognition tasks) have also contributed to difficulties in employing AI technology as a protective measure. 

A further potential solution, already in use in China, involves "watermarking" AI-generated content to help identification. Though the differences between AI and human-generated content are often imperceptible to us, deep-learning models and algorithms within existing solutions can easily detect these variations. The dynamic nature of AI-generated content poses a unique challenge for digital forensic investigators, who need to develop increasingly sophisticated methods to counter adaptive techniques from malicious actors leveraging these technologies. While existing watermark technology is a step in the right direction, diversifying solutions will ensure continued innovation which can outpace, or at least keep up with, adversarial uses. 

**Boosting Digital Literacy**

Combating disinformation also requires addressing users' ability to critically engage with AI-generated content, particularly during election cycles. This requires improved vigilance in identifying and reporting misleading or harmful content. However, research shows that our understanding of what AI can do and our ability to spot fake content remains limited. Although skepticism is often taught from an early age in the consumption of written content, technological innovations now necessitate the extension of this practice to audio and visual media to develop a more discerning audience. 

**Testing Ground**

As adversarial actors adapt and evolve their use of AI to create and spread disinformation, 2024 and its multitude of elections will be a testing ground for how effectively companies, governments, and consumers are able to combat this threat. Not only will authorities need to double down on ensuring sufficient protective measures to guard people, institutions, and political processes against AI-driven disinformation, but it will also become increasingly critical to ensure that communities are equipped with the digital literacy and vigilance needed to protect themselves where other measures may fail.

**About the Author(s)**

Associate, Strategic Intelligence, S-RM

Erin Drake is an associate in S-RM’s Strategic Intelligence team, where she leads on case management of regular and bespoke consulting projects. She joined the firm in 2017 and has worked on a variety of projects ranging from threat assessments to security risk assessments across several markets. This often entails the development of client-specific approach and methodological framework for high-level and detailed bespoke projects, to support clients in understanding and monitoring the security, political, regulatory, reputational, geopolitical, and macroeconomic threats present in their operating environment. Erin’s expertise includes global maritime security issues, political stability concerns in the commercial sector, and conflict analysis. Erin holds a master's degree in international relations with a focus on global security issues like nuclear proliferation and multilateral diplomacy.

Global Cyber Threat Intelligence Lead, S-RM

Melissa DeOrio is Global Cyber Threat Intelligence Lead at S-RM, supporting clients on a variety of proactive cyber and cyber-threat intelligence services. Before joining S-RM, Melissa worked on US Federal Law Enforcement cyber investigations as a cyber targeter. In this role, Melissa utilized numerous cyber-investigative techniques and methodologies to investigate cyber threat actors and groups including open source intelligence techniques, cryptocurrency asset tracing as well as identifying and mapping threat actor tactics, techniques, and procedures (TTPs) to provide tactical and strategic intelligence reports. Melissa began her career in corporate intelligence, where she specialized in Turkish regional investigations, managed a global team of researchers, and played a role in the development and implementation of a new compliance program at a leading management consulting firm.

AI Remains a Wild Card in the War Against Disinformation

The group — which has targeted Israel, Saudi Arabia, and other nations — often uses spear-phishing and legitimate remote management tools but is developing a brand-new homegrown tool set.

Source: Muhammad Toqeer via Shutterstock

Iranian cyber-espionage group MuddyWater is pivoting from controlling infected systems with legitimate remote-management software to instead dropping a custom-made backdoor implant.

As recently as April, the group infected systems by targeting Internet-exposed servers or through spear phishing, ending with the installation of the SimpleHelp or Atera remote management platforms, security-operations provider Sekoia said in an advisory. Yet, in June, the group switched to a different attack chain: sending out a malicious PDF file with an embedded link leading to a file on stored on the Egnyte service, which installs the new backdoor, dubbed MuddyRot by Sekoia.

Check Point Software noted the shift to the new tool as well. MuddyWater has been using the backdoor implant, which the firm calls BugSleep, since May, and has quickly been improving it with new features and bug fixes, says Sergey Shykevich, threat intelligence group manager at Check Point Software.

Often, they also introduce new bugs into the malware, however. "They likely realized that their tactic of utilizing remote management tools as a backdoor was not effective enough and decided to swiftly transition to homemade malware," Shykevich says. "Probably due to pressure for a rapid change, they released an incomplete version."

Iran has become a significant cyber-threat actor in the Middle East. Since at least 2018, the MuddyWater threat group has targeted a variety of government agencies and critical industries with malicious attacks, stated a 2022 advisory published jointly by US and UK government agencies. The MuddyWater group is part of the Iranian Ministry of Intelligence and Security (MOIS), with other cybersecurity firms referring to the group as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, according to the joint advisory.

**An Attack Tool Under Construction**

The BugSleep backdoor uses typical anti-analysis tactics, such as delaying execution — that is, going to "sleep" — to avoid being detected or running in a sandbox. The backdoor also employs encryption, but in many instances the encryption was not properly executed.

The encryption issues are not the only bugs in the code. In other samples, the program creates a file — "a.txt" — and then later deletes it, apparently for no reason. These issues, plus the frequent updates, suggests the code is still under development, stated Check Point Software's advisory.

MuddyWater previously had created its own backdoor programs, such as one called Powerstats, written in PowerShell, but later shifted to using remote management (RMM) software, Sekoia's advisory noted.

"We don’t yet know why MuddyWater operators have reverted to using a homemade implant for their first infection stage in at least one campaign," the advisory stated. "It is likely that the increased monitoring of RMM tools by security vendors, following their rise in abuse by malicious threat actors, has influenced this change."

The use of a file sharing service such as Egnyte to host malicious documents has become more popular among attackers. The trial period is often sufficient enough time to give the attackers a platform to use during an attack, Check Point Software's Shykevich says.

"Numerous file-sharing platforms are utilized by attackers within their infection chains," he says. "In theory, emulating and scanning the uploaded files can reduce the malicious use, but it is quite complicated from operational and cost perspectives for the file-sharing services operators."

**"Umbrella of APTs" in the Middle East**

The lures used in the group's phishing campaigns have become simpler — focusing on "generic themes such as webinars and online course," which allows them to send out a higher volume of attacks, Check Point Software's advisory stated.

"Their sophistication level is medium, but they are a highly persistent and aggressive group from the standpoint of phishing campaigns and targeting of specific sectors or organizations," Shykevich says. "They send hundreds of malicious emails to multiple recipients in the same organization or the same sector, also doing it across different days."

MuddyWater may not be a single group, however. In 2022, Cisco's threat intelligence group, Talos, described them as an "umbrella of APT groups." The US Cybersecurity and Infrastructure Security Agency (CISA) describes the group as "a group of Iranian government-sponsored advanced persistent threat (APT) actors," in its advisory.

The group employs "spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks," CISA stated, adding, "MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors."

While the group focuses on attacking organizations in Israel and Saudi Arabia, they have also hit other nations, including India, Jordan, Portugal, Turkey, and even Azerjaiban, the advisories said.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading