Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous.

Chahak Mittal, Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

April 25, 2024

5 Min Read

Source: Rawf8 via Alamy Stock Photo

COMMENTARY

Imagine you're standing in a bustling city, surrounded by the symphony of commerce. The exchange of goods and the flow of transportation are all around you. This is the heartbeat of our global economy. But what would happen if this heartbeat were to be disrupted? If the very lifeblood of our interconnected world were to falter — or worse, come to a grinding halt?

The consequences would be catastrophic. Imagine empty shelves in grocery stores, gas stations running out of fuel, and hospitals unable to get the supplies they need. Imagine widespread panic and social unrest.

This is not just a hypothetical scenario. It's a real threat we need to take seriously. Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous. Logistics is the backbone of our global economy. It's the process that keeps the world's shelves stocked and the wheels of commerce turning.

**Cyberattacks on Logistics May Have Severe Ramifications**

Let's first discuss why cyberattacks on logistics are so concerning.

Remember back to the haunting early days of the pandemic. Lockdown measures paralyzed entire nations, factories fell silent, and transportation came to a grinding halt. The repercussions were profound, as essential goods faced severe delays, and shortages left many in dire straits. The fabric of our interconnected world was put to the test, and the challenges were immense.

Four years later, we see news headlines about cyberattacks on Ukraine's logistics and its global impact. Think for a moment about the unimaginable consequences if a cyberattack were to disrupt logistics on a larger scale than COVID-19 or even exceed its impact.

It is unsettling that a nation could be brought to its knees not by an army or weapons but by code on a computer. This prospect cannot be ignored, especially given that the transport and logistics industry is undergoing a digital transformation.

Companies are increasingly using digitalization tools to streamline all processes, from warehouse inventory management to vehicle tracking. This is a good thing, of course. Digitalization can help to improve efficiency, reduce costs, and improve customer service. But there is a dark side to digitalization. The more digitized a company is, the more vulnerable it is to cyberattacks.

**An Expanded Battlefield**

Let's now delve into the second part of our journey: understanding how cyberattacks on logistics can be weaponized. Throughout history, proper logistics have always been the secret weapon behind any victorious endeavor, whether in war or other ventures. From the days of the Civil War, where horses, mules, and wagons provided armies the food, equipment, and ammunition they needed, to the modern era with colossal military operations with intricate supply chains, logistics have always been the beating heart of success.

Now the battlefield has expanded into the digital realm. The logistics that have propelled economies and nations forward are now vulnerable to a new kind of adversary –— one that wields not swords and shields, but lines of code and malicious intent.

But let's go even deeper. What if these cyberattacks on logistics were not just the work of lone hackers seeking chaos? What if they were orchestrated by state actors with strategic intent? The Russia-Ukraine conflict has demonstrated the potential of such scenarios. The cyber offensive aimed at Ukraine reached far beyond its borders, affecting global supply chains and sending shockwaves through economies. 

In this ever-evolving digital landscape, a new kind of arsenal is being amassed in the shadows: stockpiled zero-day vulnerabilities. Just as nations once accumulated weapons to safeguard their sovereignty, they now amass vulnerabilities as digital ammunition. These zero-day vulnerabilities, arcane exploits unknown even to software creators, have become potent tools of cyber warfare.

Imagine the power of a nation armed with a stockpile of these vulnerabilities. It can strike silently, crippling logistical infrastructures without firing a single shot. This reality becomes more tangible as each day passes. The Russia-Ukraine conflict showcases this new arsenal's alarming potential, serving as a reminder that our reliance on interconnected logistics is both a strength and a vulnerability.

**Fortifying Our Defenses**

So, where do we go from here? How can we fortify our logistical arteries against these emerging threats? Just as the strength of a nation's military once depended on its ability to ensure a steady flow of supplies to the frontlines, today's battles are won by safeguarding the flow of data, goods, and services.

The lessons of history remain relevant — a robust logistics network is not only essential for prosperity, but it is also a fundamental pillar of security. We must invest in cyber-defense strategies that mirror the importance we place on physical defense. Collaboration between governments, industries, and international partners is paramount. The private sector, too, holds a pivotal role.

As we embrace digitalization, we must do so with cybersecurity at the forefront. Companies must not only prioritize efficiency but also fortify their digital infrastructure against potential attacks. 

Strong alliances, collaborative diplomacy, and international cooperation are essential to our defense strategy. Just as alliances between nations bolster our military might, alliances between industries and governments can fortify cybersecurity. By harnessing the power of cyber and soft power in harmony, we can navigate the intricate dance of modern warfare.

The time to act is now. We stand at a crossroads where the path of progress intersects with the shadows of uncertainty. The interconnectedness that has fueled our global economy is also its Achilles' heel. Cyberattacks on logistics are not a distant possibility; they are a sobering reality.

The disruption of our supply chains, the paralysis of our economies — these are the stakes we face. But history has shown us that challenges can become catalysts for innovation. We can forge a new paradigm, one where technology and diplomacy converge to safeguard our way of life.

It is a future where alliances are not just forged on battlefields, but in virtual boardrooms and digital summits, and where the strength of a nation's cybersecurity is as integral to its defense strategy as its military might.

**About the Author(s)**

Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

Chahak Mittal is a Certified Information Systems Security Professional (CISSP) and Cybersecurity Governance, Risk, and Compliance Manager at Universal Logistics. She is a cybersecurity leader deeply committed to knowledge sharing and community engagement. Through her roles as a Judge at Globee Awards, Major League Hacking (MLH) Hackathons, and as a dedicated cybersecurity instructor volunteer in the Microsoft TEALS Program, she has actively contributed to the cybersecurity ecosystem. Chahak's active involvement in organizations such as the Information Systems Security Association and SecureWorld's Detroit Advisory Council has been instrumental in her pursuit of staying at the forefront of industry trends and challenges. Furthermore, she has channeled her insights into thought-provoking cybersecurity articles, published on SecureWorld.io, ISC2, and CyberDefense Magazine, making a meaningful contribution to the field's intellectual discourse.

Digital Blitzkrieg: Unveiling Cyber-Logistics Warfare

Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.

Source: Znakki via Shutterstock

A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber-espionage campaign.

Dubbed "ArcaneDoor," the campaign by the previously unknown actor — which researchers from Cisco Talos track as UAT4356 — has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the actor's initial access vector remains unknown, once it occurs, UAT4356 used a "sophisticated attack chain" involving exploit of the two vulnerabilities — a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local execution flaw tracked as CVE-2024-20359 that have since been patched — to implant malware and execute commands across a small set of Cisco customers. Cisco Talos also flagged a third flaw in ASA, CVE-2024-20358, that was not used in the ArcaneDoor campaign.

The researchers also found evidence that the actor has interest in and potentially will attack devices from Microsoft and other vendors, making it crucial that organizations ensure that all perimeter devices "are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)," Cisco Talos wrote in the post.

**Custom Backdoor Malware for Global Governments**

The first sign of suspicious activity in the campaign came in early 2024 when a customer reached out to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos about security concerns with its ASA firewall devices.

A subsequent several-months-long investigation conducted by Cisco and intelligence partners uncovered threat actor-controlled infrastructure dating back to early November 2023. Most of the attacks — all of which targeted government networks globally —occurred between December and early January. There is also evidence that the actor — which Microsoft also is now tracking as STORM-1849 — was testing and developing its capability as early as last July.

The primary payloads of the campaign are two custom backdoors— "Line Dancer" and "Line Runner" — which were used together by UAT4356 to conduct malicious activities on the network, such as configuration and modification; reconnaissance; network traffic capture/exfiltration; and potentially lateral movement.  

Line Dancer is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed the malware being used to execute various commands on an ASA device, including: disabling the syslog; running and exfiltrating the command show configuration; creating and exfiltrating packet captures; and executing commands present in the shellcode, among other activities.

Line Runner meanwhile is a persistence mechanism deployed on the ASA device using functionality related to a legacy capability that allowed for the pre-loading of VPN clients and plugins on the device during booting that can be exploited as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.

"The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing" of Line Runner, according to the researchers.

**Protect the Perimeter From Cyberattackers**

Perimeter devices, which sit at the edge between an organization's internal network and the Internet, "are the perfect intrusion point for espionage-focused campaigns," providing threat actors a way to gain a foothold to "directly pivot into an organization, reroute or modify traffic, and monitor network communications into the secure network, according to Cisco Talos.

Zero-days on these devices are an especially attractive attack surface on these devices, notes Andrew Costis, chapter lead of the Adversary Research Team at MITRE ATT&CK testing firm AttackIQ.

"We've seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software," he says, noting previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.

The threat to these devices highlights the need for organizations to "routinely and promptly" patch them using up-to-date hardware and software versions and configurations, as well as maintain close security monitoring of them, according to Cisco Talos.

Organizations also should focus on post-compromise TTPs of threat actors and test known adversary behaviors as part of "a layered approach" to defensive network operations, Costis says.

**Detecting ArcaneDoor Cyberattack Activity**

Indicators of compromise (IoCs) that customers can look for if they suspect they may have been targeted by ArcaneDoor include any flows to/from ASA devices to any of the IP addresses present in the IOC list included in the blog.

Organizations also can issue the command "show memory region | include lina" to identify another IOC. "If the output indicates more than one executable memory region … especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering," Cisco Talos wrote.  

And, Cisco provided two sets of steps that network administrators can take to identify and remove the ArcaneDoor persistence backdoor Line Runner on an ASA device once the patch is applied. The first is to conduct a review of the contents of disk0; if a new file (e.g., "client\_bundle\_install.zip" or any other unusual .zip file) appears on the disk, it means that Line Runner had been present but is no longer active due to the update.

Administrators also can follow a series of commands provided that will create an innocuous file with a .zip extension that will be read by the ASA at reboot. If it appears on disk0, it means that Line Runner likely was present on the device in question. Administrators can then delete the "client\_bundle\_install.zip" file to remove the backdoor.

If administrators find a newly created .zip file on their ASA devices, they should copy that file off the device and email \[email protected\] using a reference to CVE-2024-20359 and including the outputs of the "dir disk0:" and "show version" commands from the device, as well as the .zip file that they extracted.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign

How the CISO of Kenvue, a consumer healthcare company spun out from Johnson & Johnson, combined tools and new ideas to build out the security program.

Source: Timon Schneider via Alamy Stock Photo

As a longtime information security professional at Johnson & Johnson, Mike Wagner helped shape the Fortune 100 company's security approach and security stack. Wagner recently became the first CISO of Kenvue, J&J's year-old spin-off, which was previously J&J's consumer healthcare division. In his new role, Wagner aims to combine the best of J&J with an efficient and modern approach that fits the new standalone company.

"We wanted to create a streamlined and cost-effective architecture with maximum security," Wagner explains.

The first step was defining key roles required to build an effective security program. That included architects and engineers to implement tools, identity and access management (IAM) experts to enable secure authentication, risk management leaders to align security with business priorities, security operations staff for incident response, and dedicated staff for each cyber function.

To ensure maximum effectiveness and future scalability for the cyber architecture, the newly created cyber team knew it wanted to embed machine learning and artificial intelligence (AI). That included automating IAM, streamlining supplier assessments through automated questionnaires, implementing AI for behavioral analysis, and using machine learning to improve threat detection.

**Deciding Which Cyber Tools to Keep or Replace**

With the basics ironed out, the next step was choosing which tools and processes should be retained from J&J and which should be replaced. While J&J's cybersecurity architecture was solid, it was a patchwork of systems created by decades of acquisitions.

To make their determinations, Wagner's team first inventoried J&J's tools, mapping them to Kenvue's operating model and choosing the ones with capabilities Kenvue would need. In many cases, the team found that J&J's security tools were more full-featured than the smaller spin-off needed. In other cases, J&J's technology was duplicative. In still others, existing J&J technology wasn't affordable or didn't provide the maximum security footprint for Kenvue's mission.

And, sometimes, it simply came down to how well-integrated J&J's security architecture was.

"Take something like endpoint detection and response," Wagner says. "Where J&J may have had two to three pieces of software on the endpoint to accomplish that mission due to different acquisitions over time, we consolidated it into one more modern solution."

The ultimate decision for each type of security function also depended on the number and types of dependencies. For example, applications tend to be dependent on IAM, which meant that for the time being, Kenvue is going to stick with J&J's IAM systems. Over time, though, Wagner plans to migrate to a more modern IAM system.

In the end, Kenvue chose to adopt about half of its tech stack from J&J.

Choosing what to retain and what to replace can be tricky, notes Scott Crawford, research director for the 451 Research Information Security channel with S&P Global Market Intelligence. Typically, though, it comes down to weighing the tool's functionality and how well it will fit into the new company's architecture against other options that might be a better fit. In some cases, new investments may be required, while in others, subscription or licensing terms will have to be determined as part of spin-off costs, he says.

**The Right People, Working Together**

Another challenge Wagner faced was assembling the right combination of expertise for his cyber team. After evaluating the capabilities of existing J&J employees along with external candidates, he chose a combination of former J&J employees with deep business knowledge and new hires with modern technical and cyber skills. They included architects and engineers to implement defense controls, IAM experts, risk management leaders, and SecOps staff.

Wagner also chose to add one other type of personnel to his team: business information security officers (BISO), who act as intermediaries between the cyber organization and different business units. Wagner says that the BISO role is critical to his team's success.

"They focus on scouting what's new, the direction it's going, and how we can make sure the business is going about it securely," he explains.

With the tools and team in place, the final challenge was maintaining security for both J&J and Kenvue during the transition. It required constant communication among different functions, with daily meetings that included J&J leaders, Kenvue leaders, and suppliers to ensure that everything went smoothly.

With the foundation in place, Kenvue's security team is operating steadily, but Wagner says there is more to do. Next, he plans to lean into modern security strategies, including adoption of zero trust and enhancement of technical controls.

Continuing to improve cybersecurity programs is critical to helping ensure scalability and adaptability over the long term, Crawford says. That means making greater use of automation to handle overwhelming volumes of data at speed and scale.

"Automation will have to become even more trusted to handle problems at the scale and level of detail," he said. "Forward-thinking CISOs are, without doubt, looking at these opportunities seriously."

**About the Author(s)**

Contributing Writer, Dark Reading

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

J&amp;J Spin-Off CISO on Maximizing Cybersecurity

Get updated advice on how, when, and where we should disclose cybersecurity incidents under the SEC's four-day rule after SolarWinds, and join the call to revamp the rule to remediate first.

Tom Tovar, CEO & Co-Creator, Appdome

April 25, 2024

4 Min Read

Source: Vladimir Zuev via Alamy Stock Photo

COMMENTARY

In an earlier article, I covered what the Securities and Exchange Commission's (SEC) SolarWinds' indictments and four-day rule mean for DevSecOps. Today, let's ask a different question: Where do cyber disclosures go from here?

Before I joined the cybersecurity industry, I was a securities lawyer. I spent a lot of time navigating the SEC rules and worked with the SEC on a regular basis. This article isn't legal advice. It's practical advice from someone with real, albeit distant, familiarity with the SEC.

**The SEC Indictment in a Nutshell**

On Oct. 30, 2023, the SEC filed a complaint against SolarWinds and its chief information security officer, charging "fraud and internal control failures" and "misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened —  and increasing — cybersecurity risks," including the impact of an actual attack on its systems and customers. 

**Putting the "Should" Question Aside **

I want to put aside whether the SEC should have taken action. There are a lot of voices on this topic already. Some argue that SolarWinds’ public cybersecurity statements were aspirational, not factual. Others take the position that the CISO shouldn’t be targeted because his department could not deliver the required defenses. He relied on others to do so. Finally, the amicus briefs filed in support of SolarWinds and its CISO argued that the case will have a chilling effect on hiring and retention of CISO roles, internal communication, efforts at improving cybersecurity, and more. 

**The Cyber-Disclosure Problem **

The SEC began its complaint by pointing out that the company filed its IPO registration statement in October 2018. That document had a boilerplate and hypothetical cybersecurity risk-factor disclosure. The same month, the SEC's complaint reads, "Brown wrote in an internal presentation that SolarWinds' 'current state of security leaves us in a very vulnerable state for our critical assets.'"

This discrepancy is a big one, and the SEC said it only got worse. Even though SolarWinds employees and executives knew about the increasing risks, vulnerabilities, and attacks against SolarWinds' products over time, "SolarWinds' cybersecurity risk disclosures did not disclose them in any way." To illustrate its point, the SEC listed all the public SEC filings following the IPO that included the same, unchanged, hypothetical, boilerplate cybersecurity risk disclosure. 

To paraphrase the SEC's complaint: "Even if some of the individual risks and incidents discussed in this Complaint did not rise to the level of requiring disclosure on their own … collectively they created such an increased risk …" that SolarWinds' disclosures became "materially misleading." Worse still, according to the SEC, SolarWinds repeated the generic boilerplate disclosures even as an accumulating number of red flags piled up. 

One of the first things you learn as a securities lawyer is that disclosures, risk factors, and changes to risk factors in a company's SEC filings are vastly important. They're used by investors and securities analysts in evaluating and recommending stock purchases and sales. I was surprised to read in one of the amicus briefs that "CISOs are not typically responsible for drafting or approving" public disclosures. Maybe they should be. 

**Proposing a Remediation Safe Harbor **

I want to propose something different: a remediation safe harbor for cybersecurity risks and incidents. The SEC wasn't blind to the question of remediation. In this regard, it said:

"SolarWinds also failed to remediate the issues described above ahead of its IPO in October 2018, and for many of them, for months or years afterwards. Thus, threat actors were able to later exploit the still unremediated VPN vulnerability to access SolarWinds' internal systems in January 2019, avoid detection for nearly two years, and ultimately insert malicious code resulting in the SUNBURST cyberattack."

In my proposal, if any company remediates the deficiencies or attack within the four-day time frame, it should be able to (a) avoid a fraud claim (i.e., nothing to talk about) or (b) use the standard 10Q and 10K process, including the Management Discussion and Analysis section, to disclose the incident. This may not have helped SolarWinds. When it disclosed the situation, its 8K said that the company's software "contained malicious code that had been inserted by threat actors" without any reference to remediation. Still, for countless other public companies facing the never-ending battle between attacker and defender, a remediation safe harbor would allow them the full four-day time frame to evaluate and respond to the incident. Then, if remediated, take the time to disclose the incident properly. The other benefit of this "remediate first" approach is that there will be more emphasis on cyber response and less impact to a company’s public stock. 8Ks could still be used for unresolved cybersecurity incidents. 

**Conclusion**

No matter where you come out on the question of whether the SEC should have acted or not, the question of how, when, and where we disclose cybersecurity incidents is going to be a big one for all cyber professionals. For my part, I think the CISO should control or, at the very least, approve the company's disclosures when cybersecurity incidents arise. More than that, the CISO should look for platforms that provide a single pane of glass to "see it and solve it" fast, with the least dependencies as possible. If we can encourage the SEC to embrace a remediate-first mindset, we just might open the door to better cybersecurity disclosure for everyone. 

**About the Author(s)**

CEO & Co-Creator, Appdome

Tom Tovar is the co-creator and CEO of Appdome, a one-stop shop for mobile app defense. He's a self-taught product creator, mobile app coder, hacker. He's serves as product advisor on several venture funded cyber companies, and previously as executive chairman of Badgeville, an enterprise digital motivation platform acquired by CallidusCloud, in several executive positions, including CEO, of Nominum, an intelligent-DNS security and services provider that was acquired by Akamai, and chief compliance officer, and operational executive in charge of business and corporate development, legal and channel at Netscreen Technologies acquired by Juniper Networks for $5B. He began his career as a corporate and securities attorney with Cooley Godward LLP. Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.

SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

PRESS RELEASE

Tampa Bay, FL (April 24, 2024) – KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced it has entered into a definitive agreement to acquire Egress, a leader in adaptive and integrated cloud email security. Egress’ Intelligent Email Security suite provides a set of scaled, AI-enabled security tools with adaptive learning capabilities to help prevent, protect and defend organizations against sophisticated email cybersecurity threats. Further terms of the transaction were not disclosed.

Organizations globally struggle to contain behavioral-based data breaches, with 74 percent of incidents involving the human element according to Verizon’s Data Breach Investigations Report. By acquiring Egress, KnowBe4 plans to deliver a single platform that aggregates threat intelligence dynamically, offering AI-based email security and training that is automatically tailored relative to risk. 

“The future of security is personalized AI-driven controls and real-time coaching. By providing a single platform from KnowBe4 and Egress, our customers will benefit from differentiated aggregate threat detection to stay ahead of evolving cyber threats and foster a strong security culture,” said Stu Sjouwerman, CEO, KnowBe4. “As integration partners for over a year with strong philosophical and cultural alignment, this acquisition is a natural progression for both companies to take human risk management and cloud email security to the next level.”

“KnowBe4 and Egress have a shared vision of delivering tailored and relevant security to each employee,” said Tony Pepper, CEO, Egress. “One of the biggest challenges organizations face is accurately identifying who the next source of compromise is – and why. By combining intelligence and analytics from integrated applications, companies can gain valuable insights across their entire cyber ecosystem, allowing them to focus on the risks that matter most.”

The announcement comes on the heels of significant achievements for both companies thus far in 2024. KnowBe4 recently announced its AI-native platform, Artificial Intelligence Defense Agents (AIDA), which incorporates advanced AI agents to power efficacy and speed. Recent notable awards include being recognized as a Top Software Winner by G2 and a winner of Energage’s Top Workplaces USA for 2024. Meanwhile, Egress launched its AI-powered Automated Abuse Mailbox in early April and received several award recognitions, including Security Innovation of the Year (Computing Security Excellence Awards), Best Email Security Solution, Best Data Leak Prevention Solution (SC Awards Europe) and Best Place to Work in the UK (Great Places to Work 2024).

The transaction is expected to close in the coming months subject to customary closing conditions and regulatory approvals.

Egress is backed by FTV Capital and AlbionVC. Citi served as exclusive financial advisor to Egress and Orrick, Herrington & Sutcliffe LLP served as legal counsel to Egress.

For more information on KnowBe4, visit www.knowbe4.com. For more information on Egress, visit www.egress.com. 

About KnowBe4   
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 65,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. The late Kevin Mitnick, who was an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Organizations rely on KnowBe4 to mobilize their end users as their last line of defense and trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email. 

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

KnowBe4 to Acquire Egress

PRESS RELEASE

Houston, Texas – Black Girls Do Engineer recently signed an Education Partnership Agreement (EPA) with the National Security Agency in an effort to continue playing a key role in developing science and technology talent for possible national security challenges.

The National Security Agency (NSA) partners with select universities and nonprofit organizations as part of the Agency’s Minority Serving Institution (MSI) Hacking 4 Intelligence (H4I) program. It is a program where the U.S. Government and industry partners, collaborate to solve national security problems. The program engages HBCU students and college bound students studying STEM disciplines.

Black Girls Do Engineer, a 501c3 nonprofit organization that provides access, education and resources to Black students K-12 in STEM was selected to participate because of its stellar reputation in hosting cohorts of students through various STEM subjects including co-ed HBCU and High School programs, utilizing Microsoft technology to do so.

The NSA’s collaborative H4I program is for students to have the opportunity to cultivate essential skills by deconstructing and analyzing NSA and Microsoft problem sets, all while collaborating and networking with government and industry partners. Students will form interdisciplinary teams and work to solve real-world NSA and Microsoft problem sets. At the end of a 12-week cohort, students exit the program with a minimum viable product ready for deployment.

“This partnership with NSA will allow our program to provide our cybersecurity resources and curriculum to Higher Education institutions through our developed BGDE digital infrastructure enhanced by Microsoft tools,” states Kara Branch the Founder and CEO of Black Girls Do Engineer.

Black Girls Do Engineer’s licensed STEM curriculum is committed to excellence in cyber defense education and research. Some of its programs include cybersecurity, artificial intelligence, data science and a host of technical training. Higher education programs include their design Badge A Thon event offered for college students.

“This collaboration will allow our national impact to reach new heights with higher education students,” concludes Kara Branch, Founder and CEO of Black Girls Do Engineer.

About Black Girls Do Engineer

As the fastest growing nationwide program for Black girls in STEM., BGDE has been dubbed “The Ivy League of Nonprofits.” The program is application-based and offers full-time membership-based STEM camps and workshops to Black girls in grades K through 12, with mentorship and individual workshops offered to college students up through age 21. The program currently has a 100% college acceptance rate and 100% job placement rate among its members. Since its launch in 2019, BGDE has served 4,000 girls though its program. The nonprofit has also helped secure its members $44,000 in STEM-related college scholarships.

BGDE futuristic programs of study include: A.I., Energy, Audio/Visual, Aerospace, Engineering, Medical, Robotics and Coding. Mentoring includes: College Prep, Financial Literacy, Upskilling, and Mentorship from professionals working in these fields offering real life experience.

Black Girls Do Engineer Signs Education Partnership Agreement With NSA

Unlike the SolarWinds and CodeCov incidents, all that it took for an adversary to nearly pull off a massive supply chain attack was some slick social engineering and a string of pressure emails.

Source: Mongta Studio via Shutterstock

An adversary doesn't need sophisticated technical skills to execute a broad software supply chain attack like the ones experienced by SolarWinds and CodeCov. Sometimes, all it takes is a little bit of time and ingenius social engineering.

That appears to have been the case with whoever introduced a backdoor in the XZ Utils open source data compression utility in Linux systems earlier this year. Analysis of the incident from Kaspersky this week, and similar reports from others in recent days, identified the attacker as relying almost entirely on social manipulation to slip the backdoor into the utility.

**Social Engineering the Open Source Software Supply Chain**

Ominously, it may be a model that attackers are using to slip similar malware into other widely used open source projects and components.

In an alert last week, the Open Source Security Foundation (OSSF) warned of the XZ Utils attack likely not being an isolated incident. The advisory identified at least one other instance where an adversary employed tactics similar to the one used on XZ Utils to take over the OpenJS Foundation for JavaScript projects.

"The OSSF and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects," the OSSF alert said.

A developer from Microsoft discovered the backdoor in newer versions of an XZ library called liblzma while investigating odd behavior around a Debian installation. At the time, only unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux versions had the backdoored library, meaning it was virtually a non-issue for most Linux users.

But the manner in which the attacker introduced the backdoor is especially troubling, Kasperksy said. "One of the key differentiators of the SolarWinds incident from prior supply chain attacks was the adversary’s covert, prolonged access to the source/development environment," Kaspersky said. "In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight."

**A Low and Slow Attack**

The attack appears to have begun in October 2021, when an individual using the handle "Jia Tan" submitted an innocuous patch to the single-person XZ Utils project. Over the next few weeks and months, the Jia Tan account submitted multiple similar harmless patches (described in detail in this timeline) to the XZ Utils project, which its sole maintainer, an individual named Lasse Collins, eventually began merging into the utility.

Starting in April 2022, a couple of other personas — one using the handle "Jigar Kumar" and the other "Dennis Ens" — began sending emails to Collins, pressuring him to integrate Tan's patches into XZ Utils at a faster pace.

The Jigar Kumar and Dennis Ens personas gradually ratcheted up the pressure on Collins, eventually asking him to add another maintainer to the project. Collins at one point reaffirmed his interest in maintaining the project but confessed to being constrained by "long-term mental health issues." Eventually, Collins succumbed to the pressure from Kumar and Ens and gave Jia Tan commit access to the project and the authority to make changes to the code.

"Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils," Kaspersky said. "The identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer." The different personas in the attack — Jia Tan, Jigar Kumar, and Dennis Ens — appear to have deliberately been made to look like they were from different geographies, to dispel any doubts about their working in concert. Another individual, or persona, Hans Jansen, surfaced briefly in June 2023 with some new performance optimization code for XZ Utils that ended up being integrated into the utility.

**A Wide Cast of Actors**

Jia Tan introduced the backdoor binary into the utility in February 2024 after gaining control of the XZ Util maintenance tasks. Following that, the Jansen character resurfaced — along with two other personas — each pressuring major Linux distributors to introduce the backdoored utility into their distribution, Kasperksy said.

What's not entirely clear is if the attack involved a small team of actors or a single individual who successfully managed several identities and manipulated the maintainer into giving them the right to make code changes to the project.

Kurt Baumgartner, principal researcher at Kaspersky’s global research and analysis team, tells Dark Reading that additional data sources, including login and netflow data, could help aid in the investigation of the identities involved in the attack. "The world of open source is a wildly open one," he says, "enabling murky identities to contribute questionable code to projects that are major dependencies."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attacker Social-Engineered Backdoor Code Into XZ Utils

The city is stymied in efforts to pinpoint the issue since its IT systems were shut down in the wake of the cyberattack.

Source: Jim Monk via Alamy Stock Photo

In the wake of a cyberattack that led to operational troubles, the city council for Leicester City, England, is still struggling with its city's streetlights failing to shut off.

Roger Ewens, a resident of Beaumont Leys, was among those who noticed the streetlights in Leicester were on day and night.

"I noticed that down Anstey Lane they're all on along one side but off on the other side," he said.

After reaching out to city council for a reason, Ewens was told that the cyberattack the city council suffered from was affecting the "central management system," causing the streetlights to "misbehave."

This latest development in the cyberattack fallout is of concern to locals because of the amount of energy the lights use, which likely is driving up the cost of electricity. Ewens was told in an email that the light issue should be resolved by the end of the first week of May.

A city council spokesperson reported that they are aware of the issue, which they attributed to a recent cyberattack. Because the city also had to shut down IT systems, it remains unable to "remotely identity faults in the street lighting system."

"The default mode for faults is that the lights stay on to ensure that roads are not left completely unlit and become a safety concern," said the spokesperson. "There are a number of steps required to resolve the problem, and we are working through these as quickly as we can."

**About the Author(s)**

Lights On in Leicester: Streetlights in Disarray After Cyberattack

Lazarus, Kimsuky, and Andariel all got in on the action, stealing "important" data from firms responsible for defending their southern neighbors (from them).

Source: Steve Allen Travel Photography via Alamy Stock Photo

North Korea's premiere advanced persistent threats (APTs) have been quietly spying on South Korean defense contractors for at least a year and a half, infiltrating some 10 organizations.

South Korean police this week released the findings of an investigation that uncovered concurrent espionage campaigns carried out by Andariel (aka Onyx Sleet, Silent Chollima, Plutonium), Kimsuky (aka APT 43, Thallium, Velvet Chollima, Black Banshee), and the broader Lazarus Group. Law enforcement did not name the victim defense organizations nor provide details on the stolen data.

The announcement comes one day after North Korea conducted its first-ever drill simulating a nuclear counterattack.

**DPRK APTs Persist**

Few countries are so aware of cyber threats from foreign nation-states as South Korea, and few industries so aware as military and defense. And yet, Kim's best always seem to find a way.

"APT threats, particularly those driven by state-level actors, are notoriously difficult to fully deter," laments Mr. Ngoc Bui, cybersecurity expert at Menlo Security. "If an APT or actor is highly motivated, there are few barriers that can't eventually be overcome."

In November 2022, for instance, Lazarus targeted a contractor which was cyber aware enough to operate separate internal and external networks. However, the hackers took advantage of their negligence in managing the system connecting the two. First, the hackers breached and infected an external network server. While defenses were down for a network test, they tunneled through the network connection system and into the innards. They then began harvesting and exfiltrating "important data" from six employee computers.

In another case beginning around October 2022, Andariel obtained login information belonging to an employee of a company that performed remote IT maintenance for one of the defense contractors in question. Using the hijacked account, it infected the company's servers with malware and exfiltrated data relating to defense technologies.

Police also highlighted an incident that lasted from April to July 2023, in which Kimsuky exploited the groupware email server used by one defense firm's partner company. A vulnerability allowed the unauthorized attackers to download large files that'd been sent internally via email.

**Snuffing Out Lazarus**

Of use to authorities, Bui explains, is that "DPRK groups such as Lazarus frequently reuse not only their malware but also their network infrastructure, which can be both a vulnerability and a strength in their operations. Their OPSEC failures and reuse of infrastructure, combined with innovative tactics such as infiltrating companies, make them particularly intriguing to monitor."

The perpetrators behind each of the defense breaches were identified thanks to the malware they deployed post-compromise — including the Nukesped and Tiger remote access Trojans (RATs) — as well as their architecture and IP addresses. Notably, some of those IPs traced to Shenyang, China, and a 2014 attack against the Korea Hydro & Nuclear Power Co.

"North Korea's hacking attempts targeting defense technology are expected to continue," the Korean National Police Agency said in a statement. The agency recommends that defense companies and their partners use two-factor authentication and periodically change passwords associated with their accounts, cordon off internal from external networks, and block access to sensitive resources for unauthorized and unnecessary foreign IP addresses.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

North Korea APT Triumvirate Spied on South Korean Defense Industry For Years

A state-sponsored hacking team employed a clever masquerade and elaborate back-end infrastructure as part of a five-year info-stealing campaign that compromised the US State and Treasury Departments, and hundreds of thousands of accounts overall.

Source: Joe Quinn via Alamy Stock Photo

An elite team of Iranian state-sponsored hackers successfully infiltrated hundreds of thousands of employee accounts at US companies and government agencies, according to the Feds, as part of a multiyear cyber espionage campaign aimed at stealing military secrets.

The US Departments of Treasury and State are among those compromised in the elaborate campaign, which lasted from 2016 to 2021 according to a US Justice Department indictment unsealed this week. Various defense contractors with high-level security clearances, a New York-based accounting firm, and a New York-based hospitality company were also affected, according to the documents.

In all, more than a dozen entities and hundreds of thousands of employee accounts were compromised in the attacks, including more than 200,000 accounts at the hospitality victim.

**Iran's State-Sponsored, Elaborate Social Engineering Efforts**

Four Iranian nationals — including one alleged member of the government's Islamic Revolutionary Guard Corps (IRGC) Electronic Warfare division — have been indicted for the attacks. The defendants are accused of posing as an Iran-based company that purported to provide "cybersecurity services" in a series of spearphishing overtures to their targets. Their aim was to trick email recipients into clicking on a malicious link that executed an unnamed custom malware and allowed account takeover.

In one case, they managed to allegedly take over an administrator email account at a defense contractor, which they then used to create other unauthorized accounts in order to send spearphishing emails to employees of a different defense contractor and a consulting firm.

In some cases, they also successfully posed as women interested in romantic connections, targeting victims through social media connections. This gambit was also aimed at eventually deploying malware onto victim computers, according to the indictment (PDF).

Both approaches align with Iran's long-standing MO of creating clever social-engineering campaigns to gain targets' confidence. A recent Charming Kitten effort for example involved the creation of an entire phony webinar platform to compromise its targeted victims. In general, Iran-nexus threat actors are "more advanced and more sophisticated by a significant margin" in their social-engineering efforts, according to Steven Adair, co-founder and president of Volexity, speaking after disclosing the Charming Kitten campaign. "It's a level of effort and dedication ... that is definitely different and uncommon."

**The Extent of Data Compromise Is Unclear**

In the campaign revealed this week, once the accounts were compromised, the hacking team allegedly used a complex back-end infrastructure and a custom application called "Dandelion" to manage the attack. Dandelion provided a dashboard that enumerated the victims, their IP addresses, physical locations, Web browsers, and OS; whether they clicked on the malicious spearphishing links; and whether the accounts should be targeted for further activity.

The Justice Department did not publicize many other details on the effort; nor did it reveal whether the state-sponsored attackers were able to access and steal classified data. Thus, the level of compromise they were able to achieve in the five years they lurked within the high-value networks remains unclear.

Unfortunately, jailtime will likely not be on offer in the event of a conviction in the case: Hossein Harooni (حسین هارونی), Reza Kazemifar (رضا کاظمی فر), Komeil Baradaran Salmani (کمیل برادران سلمانی), and Alireza Shafie Nasab (علیرضا شفیعی نسب) all remain at large. The State Department is offering a reward of up to $10 million for information that could help with their apprehension.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Source

DARKReading