What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

Shamla Naidoo, Head of Cloud Strategy & Innovation, Netskope

April 3, 2024

5 Min Read

Source: Feng Yu via Alamy Stock Photo

COMMENTARY

In recent global election cycles, the Internet and social media have facilitated the widespread dissemination of false news, misleading memes, and deepfake content, overwhelming voters. Given that it is difficult to directly compromise election systems used to vote and count votes, adversaries turn to the age-old psychological manipulation technique to get the desired outcomes: no hacking needed. With the emergence of generative artificial intelligence (AI) tools, the impact of disinformation campaigns is expected to escalate further. This has led to increased uncertainty and ambiguity regarding reality, with personal biases often shaping perceptions of truth.

In a sense, disinformation is like a cyber threat: As security leaders, we realize that malware, phishing attempts, and other attacks are a given. But we put controls in place to minimize the impact, if not prevent it entirely. We develop defense strategies based on decades of historical knowledge and data to gain the best advantage.

Today's disinformation campaigns, however, are essentially a product of the last decade, and we have not yet designed a mature series of controls to counter it. But we need to. With 83 national elections in 78 countries taking place in 2024 — a volume not expected to be matched until 2048 — the stakes have never been higher. A recent wave of troubling incidents and developments illustrate the many ways that adversaries are attempting to deceive the hearts and minds of the world's voters:

*   In Europe, the French Foreign Minister accused Russia of setting up a network of more than 190 websites intended to spread disinformation to "destroy Europe's unity" and "make our democracies exhausted" in seeking to discourage support for Ukraine. The network, codenamed "Portal Kombat," has also sought to confuse voters, discredit certain candidates, and disrupt large sporting events like the Paris Olympics.
    
*   In Pakistan, voters have been exposed to false Covid-19 and anti-vaccination propaganda, online hate speech against religious groups, and attacks on women's movements.
    
*   The World Economic Forum ranks foreign and domestic entities' or individuals' use of misinformation and disinformation as the "most severe global risk" for the next two years — over extreme weather events, cyberattacks, armed conflicts, and economic downturns.
    

Let's be clear here about the difference between disinformation and misinformation: The latter is information that is wrong, but not intended for mass distribution. The "fake news" distributor may not even be aware of its inaccuracies.

Disinformation, on the other hand, occurs when an entity (such as an adversarial nation-state) knowingly leverages misinformation with the intent of viral distribution.

The psychological manipulation jeopardizes the stability of democratic institutions. Think of disinformation farms as a large office floor with hundreds or even thousands of people doing nothing but making up authentic-looking blogs, articles, and videos to target candidates and positions that contradict their agendas. Once unleashed on social media, these falsehoods spread rapidly, reaching millions and masquerading as real events.

How can citizens best protect themselves from these campaigns to maintain a firm grasp on what's real and what isn't? How can cybersecurity leaders help?

Here are four best practices.

**DYOV: Do Your Own Vetting**

A meme or GIF doesn't stand alone as a credible source of information. Not all professional-looking publications are credible or accurate. Not every statement from a trusted source may be their own. It’s too easy to create fake videos using AI-generated images. There are few arbiters of truth on the Internet, so buyer beware. Moreover, we can't depend on social media platforms to monitor and eliminate disinformation — regardless of whether we agree or embrace it. Section 230 has established immunity for online companies serving as publication resources for third-party content.

It's critical to look at different platforms and reconcile those with what government websites, real news outlets, and respected organizations such as the National Conference of State Legislatures (NCSL) are reporting. Inconsistencies should serve as a warning sign. Also, when seeking out biases from the information source, always ask, "Why should I believe this? Who is the author? What is their interest in this position?"

**2\. Avoid Becoming Part of the Problem**

Social media makes it too easy to run with a post or video that presents a version of "truth" that is anything but. Architects of disinformation campaigns depend upon individual users to spread their messages, i.e., "It came from my sibling/boss/neighbor, so it must be true." Again, DYOV before passing anything along. Be judicious about clicking on "forward" and "like" buttons to avoid being an engine of these campaigns.

**3\. Follow Watchdogs**

Organizations like the Netherlands-based Defend Democracy, the University of Pennsylvania-based FactCheck.org and Santa Monica, Calif.-based RAND Corp. offer resources to better help distinguish fact from fiction. In the academic community, San Diego State University's University Library and Stetson University's duPont-Ball Library maintain a list of watchdog groups, databases, and other resources.

**4\. Take a Leadership Stand**

As cybersecurity professionals, we recognize that threats like brand impersonation and phishing occur beyond our controlled technology environments. We cannot block every email, and our controls won't block or even detect impersonations on technology that we don't control. Instead, we must actively promote cyber education and awareness so employees can learn about the latest phishing attempts and the dangers of clicking on unfamiliar links.

We should take a similar, education-focused approach with disinformation campaigns. We can create employee awareness programs so they understand what to look for, even when the attempts do not involve our technology. We can even promote this knowledge through various platforms — internal company communications, public-facing blogs, articles — where we have a prominent voice. Offer credible and contextual resources against which they can vet information.

Unfortunately, disinformation — especially during political seasons — cannot be avoided, forcing us to field all relevant "facts" through appropriate vetting. However, tools enable everyone to do this while educating employees and the public as cybersecurity leaders. If they do so, 2024 may be remembered as the year when the global community decided that the truth matters.

**About the Author(s)**

Head of Cloud Strategy & Innovation, Netskope

Currently the head of cloud strategy & innovation at Netskope, Shamla Naidoo is a technology industry veteran with experience helping businesses across diverse sectors and cultures use technology more effectively. She has successfully embraced and led digital strategy in executive leadership roles such as Global CISO, CIO, VP, and Managing Partner, at companies like IBM, Anthem (Wellpoint), Marriott (Starwood), and Northern Trust.

Shamla has helped organizations in over 20 countries recognize the impact of digital transformation globally and advise their stakeholders on predicting and navigating the necessary changes in laws and regulations. In addition, she has worked with intelligence communities to use digital and cyber within their organizations to protect businesses and society from technology misuse.

Shamla remains actively engaged in the industry, with organizations like the Security Advisor Alliance, the Shared Security Assessments Group, Institute for Applied Network Security (IANS), Executive Women’s Forum (EWF), HMG Strategy Group, and the Round Table Network. In addition, she is an influential member of the legal community, creating and teaching courses on law, technology, and privacy for the University of Illinois Chicago School of Law. She frequently speaks at the American Bar Association and formerly served as the Committee Chair on Legal Technology for the Illinois State Bar Association. As a practitioner, teacher and coach, she enjoys the opportunity to help seasoned professionals to take their careers to the next level.

'Unfaking' News: How to Counter Disinformation Campaigns in Global Elections

An economic success story in Asia, Vietnam is seeing more manufacturing and more business investment. But with that comes a significant uptick in cybercrime as well.

Source: Jose Vilchez via Alamy Stock Photo

For one week last month, Vietnamese brokerage VNDirect Cyber Systems shut down its securities trading systems and disconnected from the country's two stock exchanges after a ransomware attack encrypted critical data. VNDirect was offline recovering until eight days later when the Ho Chi Minh and Hanoi stock exchanges allowed it to restart trading on April 1.

VNDirect Cyber Systems is just the latest Vietnamese company whose operations have been severely disrupted by a cyberattack.

In 2023, nearly 14,000 organizations across Vietnam suffered a cyberattack, an increase of 10% from the prior year, according to the country's National Cyber Security Centre (NCSC). While estimated damages caused by malicious software declined for the second year in a row to 17.3 trillion VND, or about US $690 million, a variety of other cybersecurity metrics continue to worsen, according to regional experts.

Overall, the country's economic picture is in flux. And that has led to a rise in cybercrime, says Ngoc Bui, a cybersecurity expert at Menlo Security, a provider of secure enterprise browser technology.

"Economic conditions, particularly in regions with limited job opportunities and low wages for high-skilled roles, can drive individuals to turn to cybercrime," he says. "This trend, fueled by the allure of cybercrime's rewards and digital anonymity, emphasizes the need for creating legitimate tech sector jobs to stimulate economic growth and counter cybercrime."

Vietnam is one of the fastest-growing economies in Asia, making the most of its connections to both China and the United States. The country's digital economy is expected to top US $43 billion by 2025, in part because of its focus on technology including initiatives in e-government, smart cities, and artificial intelligence, according to consulting giant PricewaterhouseCoopers. As a result, in mid-March, a delegation of nearly 60 US companies — including giants such as Meta and Boeing — visited the country to seek out investment opportunities.

**Cracked Software, Junk Bank Accounts**

The success has brought rapid technology adoption and significant cybercrime.

Nearly 750,000 systems were attacked by credential-stealing malware in 2023, an increase of 40% compared to the previous year, according to regional cybersecurity firm Bkav Technology Group. Online financial fraud has taken off due to a problem specific to the country: Bank account owners selling access to unused accounts. These so-called "junk accounts" make it difficult to track cybercriminals by following the money, says Nguyen Van Cuong, director in charge of cybersecurity at Bkav.

"Many people simply think that selling accounts they don't use won't be a problem," he said in a statement. "But in reality, bad guys have taken advantage of these bank accounts to carry out illegal transactions, hiding their origin, causing difficulties for investigation agencies."

Pirated or cracked software is another major issue. Fifty-three percent of computers are thought to be using pirated software, according to Bkav.

While the government has issued decrees to increase cybersecurity awareness, citizens continue to participate in these risky digital behavior, such as junk bank accounts and the use of cracked software, says Sarah Jones, a cyber threat intelligence research analyst at Critical Start.

"Vietnam's rapid digital growth creates a larger target for cybercriminals, and a lack of cybersecurity awareness among users makes them more susceptible," she says. "The widespread use of cracked software further exposes individuals and organizations to malware and exploitable weaknesses."

**Countering Cybercrime**

Vietnam's ruling Communist Party has strived to keep pace with cybercrime, issuing a number of directives to strengthen laws around the prevention and investigation of cybercrimes in 2021, and in 2020 launched efforts to raise public awareness of cybersecurity. Another directive, passed in 2019, required public sector organizations to spend at least 10% of their IT budget on cybersecurity. The sustained efforts has boosted Vietnam's ranking in the Global Cybersecurity Index to 25th out of 194 countries in the 2020 report (the latest available), up from 100th in 2017.

The country is already working with the United Nations Office on Drugs and Crime (UNODC) to strengthen the technical skills of law enforcement to tackle money laundering and other crimes.

Yet, divisions within the country are also driving the creation of dark platforms to escape increasing surveillance and Internet censorship by the government. A military group consisting of thousands of service members, known as Force 47, monitors communications and manages censorship in accordance with the government mandates, but also has resulted in the creation of several anonymity-as-a-service groups.

Such efforts will likely result in stronger Dark markets and platforms such as VietCredCare and DarkGate, both created by home-grown APT groups like Ocean Lotus and Lotus Bane, says Ken Dunham, cyber threat director at Qualys's threat research group.

"The threatscape in Vietnam is complicated with APT groups targeting companies for the benefit of the country, \[as well as\] Internet censorship, monitoring, and blocking of content by the Force 47 group," he says.

The next two years will be uncertain for Vietnam in many ways.

The leadership of the Community Party is expected to change by 2026, and economists wonder if the country can continue to deliver strong economic gains. Both uncertainties could breed more cybercrime in the future there.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

UNAPIMON works by meticulously disabling hooks in Windows APIs for detecting malicious processes.

Source: Panchenko Vladimir via Shutterstock

Researchers have spotted Earth Freybug, a China-linked threat actor, using a new malware tool to bypass mechanisms organizations might have put in place to monitor Windows application programming interfaces (APIs) for malicious activity.

The malware, which researchers at Trend Micro discovered and named UNAPIMON, works by disabling hooks in Windows APIs for inspecting and analyzing API-related processes for security issues.

**Unhooking APIs**

The goal is to prevent any processes that the malware spawns from being detected or inspected by antivirus tools, sandboxing products, and other threat detection mechanisms.

"Looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process," Trend Micro said in a report this week.

"For environments that implement API monitoring through hooking, such as sandboxing systems, UNAPIMON will prevent child processes from being monitored," the security vendor said. This allows malicious programs to run without being detected.

Trend Micro assessed Earth Freybug as being a subset of APT41, a collective of Chinese threat groups variously referred to as Winnti, Wicked Panda, Barium, and Suckfly. The group is known for using a collection of custom tools and so-called living-off-the-land binaries (LOLbins) that manipulate legitimate system binaries such as PowerShell and Windows Management Instrumentation (WMI).

APT41 itself has been active since at least 2012 and is linked to numerous cyber espionage campaigns, supply chain attacks, and financially motivated cybercrime. In 2022, researchers at Cybereason identified the threat actor as stealing large volumes of trade secrets and intellectual property from companies in the US and Asia for years. Its victims have included manufacturing and IT organizations, governments, and critical infrastructure targets in the US, East Asia, and Europe. In 2020, the US government charged five members believed to be associated with the group for their role in attacks against more than 100 organizations globally.

**Attack Chain**

In the recent incident that Trend Micro observed, Earth Freybug actors used a multistaged approach to delivering UNAPIMON on target systems. In the first stage, the attackers injected malicious code of unknown origin into vmstools.exe, a process associated with a set of utilities for facilitating communications between a guest virtual machine and the underlying host machine. The malicious code created a scheduled task on the host machine to run a batch script file (cc.bat) on the host system.

The batch file's task is to collect a range of system information and initiate a second scheduled task to run a cc.bat file on the infected host. The second batch script file leverages SessionEnv, a Windows service for managing remote desktop services, to side-load a malicious dynamic link library (DLL) on the infected host. "The second cc.bat is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is SessionEnv," Trend Micro said.

The malicious DLL then drops UNAPIMON on the Windows service for defense evasion purposes and also on a cmd.exe process that quietly executes commands. "UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string," Trend Micro said. What makes it "peculiar" is its defense evasion technique of unhooking APIs so that the malware's malicious processes remain invisible to threat detection tools. "In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case," Trend Micro said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China-Linked Threat Actor Taps 'Peculiar' Malware to Evade Detection

Fortanix is working on technologies to build a security wall around AI search.

The inner functioning of AI-powered search is more complex than plain-text search via Google when it comes to extracting answers from websites and databases. Fortanix is trying to build a security wall to protect the search query and the extraction of data from artificial intelligence (AI) systems.

Generative AI technologies will ultimately provide fine-grained responses based on associativity of information and retrieve information from sources users may not be aware of, says Richard Searle, vice president of confidential computing at Fortanix.

"What we're finding ... is that there is a deeper focus happening in the AI domain around privacy, consent, and permissioning of information," Searle says. "These are obviously the core cases."

Essentially, Fortanix is building a security wall around the way AI search queries are handled. More specifically, it is building security around prompts, where users provide AI search queries. The security wall extends to data retrieval from large language models, which are delivered to customers.

"We think there's a significant market there," Searle says. "The partners that we're working with within the AI space are talking about search to their customers already today."

Fortanix's private AI search is pinned on confidential computing, which creates secure vaults that are accessible to authorized parties only via keys. The data is processed inside, without leaving the vault.

"Data is going to be subject to not only the data protection regulations that we have today, but also these emerging AI regulations," Searle says.

Fortanix's technology is a component in the emerging field of confidential AI. Confidential AI is extended to AI scenarios typically associated with GPUs and accelerators, said Mark Russinovich, chief technology officer for Microsoft Azure, during a panel discussion at the Open Confidential Computing Conference in March.

**Protecting Vector Databases**

Private search with AI relies on data extraction from knowledge graphs or vector databases, which could draw information from a wide range of sources, including static conventional databases.

At Nvidia's GPU Technology Conference, also in March, the company's CEO, Jensen Huang, defined vector databases as a new style of database that takes structured data or unstructured data that can be reindexed by encoding the meaning of data.

"Now this becomes an AI database, and that AI database in the future, once you create it, you can talk to it," Huang said.

Fortanix's goal is to initiate privacy for the search initiator — a human or machine user — and protect the privacy and integrity of the information that might be within the vector embeddings.

"Confidential computing, I think, has a very important role to play," Fortanix’s Searle says.

**Private Search Differs From Conventional Search**

Confidential AI prevents the leak of AI information, which helps meet regulatory requirements. The layer also anonymizes the information so a user's intent or identity is protected. That is the opposite of conventional search, where user information and motives drive Google Ads and analytics.

A higher level of AI privacy is a cornerstone for industries such as healthcare and banking, which are tied to regulatory issues.

"Imagine that you want to do search in a scientific domain — you might want to be able to use data from a different institution to the one you're working in that has some specific expertise in a particular field. Showing the privacy of that data and the accuracy of this research is important," Searle says.

**State of Confidential AI**

Confidential AI is an emerging concept, and search fits into that profile. Intel and AMD have chips with hooks for secure enclaves. Microsoft, Google, and Amazon are providing confidential computing virtual machines in their cloud services.

Companies can bring data sets together to train a foundational model effectively, and these data sets are becoming high-value assets for top corporations, said Ian Buck, vice president and general manager of Nvidia's hyperscale and high-performance computing division, during the panel discussion.

The IT industry is rapidly approaching the deployment of confidential computing in data centers, edge computing, and PCs, but there's a lot more to do with confidential AI, said Greg Lavender, Intel's chief technology officer, during the panel.

"Privacy and safety and responsible AI are going to be big forcing functions for this as the government adopts AI technologies from the industry," he said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Fortanix Builds Private Search for AI

The National Vulnerability Database can't keep up, and the agency is calling for a public-private partnership to manage it going forward.

Source: GK Images via Alamy Stock Photo

After warning it can't keep up with the exploding number of bugs being submitted to the National Vulnerability Database (NVD), the National Institute of Science and Technology (NIST) has asked for additional resources from the US government and the private sector.

The agency said in February it was experiencing delays updating the NVD. This week, it admitted the delays have ballooned into a bona fide backlog. NIST said it is working to address the highest priority vulnerabilities first.

"This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support," NIST said in a statement regarding its NVD backlog.

Staff at NIST are being shuffled around to triage the vulnerability analysis delays, but longer-term solutions are required, the agency explained. One specific suggestion NIST highlighted was the creation of a public-private consortium to support the NVD, made up of "industry, government, and other stakeholder organizations that can collaborate on research."

**NIST Needs a New Approach**

NIST's NVD is foundational to security operations, according to Jason Soroko, senior vice president of product at Sectigo. And getting additional analysts working through the backlog is critical, he added.

"The problem is scale," Soroko says. "NIST is going to open up the program to a consortia of vetted organizations from the industry in order to deal with the backlog of vulnerabilities that need to be analyzed and understood before being put into the NVD database. The move is a good one."

NIST needs a new approach if the agency is going to be able to keep up with the explosion in CVEs, explains Saumitra Das, vice president of engineering at Qualys.

"NIST NVD has been a cornerstone of vulnerability management for a long time," Das says. "However, the exponential growth in CVE issuance has created pressure which will necessitate a different and prioritized approach as mentioned in this statement. Budget cuts happening for the first time in a decade are possibly part of this issue as well, apart from the sheer volume."

Because NIST and the NVD have been so important to cybersecurity in the past, John Bambenek, president at Bambenek Consulting, says he's hopeful that with an assist from the cybersecurity industry, NVD can get back on track.

"The NVD is a major success story for NIST and cybersecurity, and hopefully a pivot to a private-public sector partnership can be reached quickly to scale up the program," Bambenek says. "This announcement illustrates that the explosion in vulnerability possibilities has grown so large that not even the US government can adequately keep their hands around the problem."

NIST Wants Help Digging Out of Its NVD Backlog

The initiative is meant to provide more resources and better strategies for healthcare entities that face an increasing amount of cybersecurity challenges.

Source: Olekcii Mach via Alamy Stock Photo

The Department of Health and Human Services (HHS) has begun an initiative to better organize and equip its healthcare cybersecurity programs through a one-stop shop.

This latest resource is created through the HHS Administration for Strategic Preparedness and Response (ASPR), which leads the US during disasters and public health emergencies relating to health and medical preparation.

This initiative comes after a United Healthcare subsidiary was targeted by BlackCat ransomware group in February, causing days of outages and chaos across the healthcare supply chain. The cyberattack was considered one of the most serious of its kind within the healthcare sector, and led to United paying the ransom demanded by the threat actors. 

The incident prompted a letter from the chairman of the Senate's Homeland Security and Governmental Affairs Committee, Sen. Gary Peters (D-Mich.). He asked HHS what steps it was taking to prevent such a catastrophe from happening again. The ASPR said it will create new cybersecurity strategies for the healthcare sector and inform healthcare entities of best practices and resources.

"There's too many doors into cybersecurity when engaging with the federal government generally, let alone HHS," said Brian Mazanec, the deputy director for ASPR's Office of Preparedness, in a statement. "Within HHS, there are a lot of different players. So we're in the process now of really establishing this front door through ASPR to all of those resources."

**About the Author(s)**

HHS Plans for Cyber 'One-Stop Shop' After United Healthcare Attack

Campaign distributes malware disguised as legitimate installers for popular workplace collaboration apps by abusing a traffic-tracking feature.

Source: Bits and Splits via Shutterstock

Attackers are once again abusing Google Ads to target people with info-stealing malware, this time using an ad-tracking feature to lure corporate users with fake ads for popular collaborative groupware such as Slack and Notion.

Researchers from AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign that uses a statistical feature to embed URLs that distribute malware, including the Rhadamanthys stealer, they revealed in a blog post published this week. The feature lets advertisers insert external analytic website addresses into ads to collect and use their visitors' access-related data to calculate ad traffic.

However, instead of inserting a URL for an external statistics site, attackers are abusing the feature to enter sites for distributing malicious code, the researchers found.

Ads related to the campaign have already been deleted. But when they were still active, "clicking on the banner would take unsuspecting users to the address that would trick them into downloading a malicious file," according to ASEC.

In the campaign, Rhadamanthys is disguised as an installer for popular groupware often used by corporate teams for workplace collaboration. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker's server.

**Redirects to Stealer Downloads**

The ASEC post breaks down how attackers crafted the campaign to show banner ads that contain tracking URLs invisible to the end user that redirect users to an attacker-created and -controlled URL. This ultimate landing page is similar to the actual website of a groupware tool such as Slack or Notion, and it prompts visitors to download and execute the malware, which is distributed in an installer form.

Typical installers used by the campaign are the Inno Setup installer or Nullsoft Scriptable Install System (NSIS) installer; specifically, attackers used the following executable files: Notion\_software\_x64\_.exe Slack\_software\_x64\_.exe; Trello\_software\_x64\_.exe; and GoodNotes\_software\_x64\_32.exe.

"Once it is executed, the malware uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses," ASEC said in its blog post, which lists the URLs attackers used to fetch these addresses, which are subsequently delivered to users.

The ultimate payload of the campaign is the Rhadamanthys stealer, which gets injected into legitimate Windows files via the "%system32%" path, according to ASEC. This allows the stealer to exfiltrate users' private data without their knowledge, the researchers noted.

Rhadamanthys is popular with attackers and is available for purchase on the Dark Web under a malware-as-a-service model. It acts as a typical stealer to collect system information, such as computer name, username, OS version, and other machine details. It also queries the directories of installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software — to search for and steal browser history, bookmarks, cookies, auto-fills, login credentials, and other data.

**Pay Attention to Ad-Delivered URLs**

The campaign is certainly not the first time that attackers have abused Google Ads and its associated features to deliver Rhadamanthys and other malware, and it likely won't be the last. In fact, a campaign identified in January 2023 also used website redirects from Google Ads and fake-download lures for popular remote-workforce software, such as Zoom and AnyDesk to deliver Rhadamanthys.

Attackers have even abused the "dynamic search ads" feature of the service to amplify the effect of malicious campaigns by creating targeted ads to deliver a flood of malware.

Indeed, as "all search engines that provide tracking to calculate ad traffic can be used to distribute malware," users must stay vigilante when accessing links from ads delivered by Google, ASEC warned. Specifically, they should "pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad's banner" to avoid falling for a malicious campaign, according to the post.

ASEC also posted a comprehensive list of URLs associated with various stages of the campaign to help administrators identify if any corporate users have been affected by it.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Abuse Google Ad Feature to Target Slack, Notion Users

It's critical for security teams to stay vigilant not only when it comes to major security issues, but also with minor lags in security best practice.

Tim Chase, Global Field CISO, Lacework

April 2, 2024

3 Min Read

Source: Anna Berkut via Alamy Stock Photo

COMMENTARY

The saying "put yourselves in the shoes of a hacker" has long been part of defensive security strategies. Today, in the fast-paced and evolving threat landscape, this statement is truer than ever for chief information security officers (CISOs) and security teams at scale.

As cyber threats continue to evolve in 2024, CISOs and security teams must be prepared for everything from supply chain risks to zero-day exploits to deepfakes to cloud targeting and more. By ensuring visibility across your infrastructure, encouraging employee training, and supporting bug bounty programs, your organization will harden its security posture and be better prepared to fend off rising threats this year. Let's dive a bit deeper into each: 

**Creating Security Allies Out of Your Team**

Recent cyberattacks have shown us that the level of sophistication and damage caused by malicious actors is not slowing down. The MOVEit data breach that leaked the personal information of more than 11 million people shows the raw scale of modern attacks. Similar breaches at MGM and Caesars were exacerbated by the FBI struggling to stop the cyber gang behind the incident. 

While the security team can't befriend everyone in an organization, they can focus on education internally in order to train staff on risks and create clear communication that covers important issues. If hackers are staying up to date and getting educated on the latest threats and risks, we should as well. Creating a "security champions" program across the organization is a great way to embed security. One team member from marketing, finance, legal, etc., can plug in to your team and be a liaison for security that helps push pertinent cybersecurity information out across the company.

**Supporting Bug Bounty Programs**

Rather than being anxious and shunning bug bounty programs, CISOs and security teams should reward good behavior. I encourage employees to attend hackathons — even if it's only to observe or learn at first. It's one step in the right direction for security education. For more hands-on cybersecurity learning, I also like to arrange company-wide competitions and games that encourage employees to figure out how cybercrime could potentially happen.

There is no better way to prepare for a real breach than with a simulation. It forces the team to work together, strategize, and agree on a solution. The increased need for internal cybersecurity education and support for bug bounty programs is only going to continue growing in order to keep up with rising threats.

**If All Else Fails, Focus on Visibility**

Visibility is a foundational principle that suggests you can't secure what you don't know about. Lack of a security team's visibility is a gold rush for hackers because they typically infiltrate an organization's network via hidden or sneaky entry points. If you don't have visibility, there will undoubtedly be a way in. Without visibility into all traffic within an organization's infrastructure, threat actors can continue to lurk in the network and grant themselves access to the organization's most sensitive data.

With 93% of malware hiding behind encrypted traffic but only 30% of security professionals claiming to have visibility, it's no wonder that there were more ransomware attacks in the first half of 2023 than in all of 2022. Once a cybercriminal has made their way into the network, time is limited. Only with visibility can the cybercriminal be stopped from wreaking havoc and gaining access to company data.

When cybersecurity professionals can better understand the mysterious nature of hackers and how they work, they can better protect their own systems and valuable customer data. It's critical to stay vigilant not only when it comes to major security issues, but also with minor lags in security best practice. We saw this with the recent breach of Hewlett Packard, which was undertaken by the same group behind 2020's SolarWinds breach. Some of the most sophisticated cybercriminals are also incredibly opportunistic, taking advantage of any split-second lapse in otherwise-tight security plans. Ensure you take the steps above to stay ahead of looming threats. 

**About the Author(s)**

Global Field CISO, Lacework

Tim Chase is the Global Field CISO at Lacework and has worked in information security for over 15 years in various roles, including leading security teams focusing on Cloud and AppSec. He has extensive experience working at the board and executive level to promote security and guide decision-making.

Instilling the Hacker Mindset Organizationwide

Ransomware groups tore into manufacturing other parts of the OT sector in 2023, and a few attacks caused eight- and nine-figure damages. But worse is yet to come in 2024.

Source: Imagebroker via Alamy Stock Photo

At least 68 cyberattacks last year caused physical consequences to operational technology (OT) networks at more than 500 sites worldwide — in some cases causing $10 million to $100 million in damages.

Unsurprisingly, these weren't Stuxnet-like events, but the opposite.

According to a new report from industrial control system (ICS) vendor Waterfall Security Solutions, which studied real-world cyberattacks on OT organizations, most of the hackers known to be targeting the OT sector these days are hacktivists. And the majority of disruptions are not caused by such direct manipulation of OT systems but are downstream consequences of IT-based attacks, most often involving ransomware.

That doesn't mean, though, that the impacts are any less severe. Incidents involving Johnson Controls and Clorox last year ended up costing those companies around $27 million and $49 million, respectively. One cyberattack that led to the temporary suspension of operations at MKS Instruments in Massachusetts cost $200 million, and one of its suppliers — California-based Applied Materials Inc. — reported losing another $250 million as a result.

The number of attacks with physical consequences increased by nearly 20% last year, according to the report.

**IT Attacks With OT Consequences**

In the past decade and a half, only around a quarter of cyberattacks with OT consequences were caused by actually hitting the OT network, according to the report Waterfall published in collaboration with OT incident threat database ICS STRIVE.

"A large fraction of attacks that caused OT consequences did so by compromising machines in the IT network exclusively," explains Andrew Ginter, vice president of industrial security for Waterfall, and a co-author of the report. "OT was often shut down in 'an abundance of caution' because the business was not willing to keep running powerful, dangerous physical processes with compromise only one or two network hops away."

After its attack last March, for example, the German manufacturer Hahn Group GmbH switched off all of its systems as a safety precaution. A full, clean restoration of its systems took weeks thereafter. A number of other manufacturers last year followed that same playbook, even when safety wasn't at risk, in order to contain damage to further systems, sites, and customers.

"OT was also often shut down because physical operations needed facilities on IT networks that ransomware had crippled — e.g., container-tracking systems for shipping or passenger signage for large rail stations," Ginter points out.

One prime case occurred last January, when UK Royal Mail printers were disabled and hijacked to print LockBit ransom notes. Mail export services were briefly suspended nationwide, in an event that ended up costing £42 million.

"These dependencies are something many OT practitioners do not think about," Ginter explains. An IT network compromise can also affect physical operations, even if an OT network is secured, if the OT process rely on processes in the IT network.

**Cyber Threat to Water Treatment**

More than half of publicly reported cyberattacks with OT consequences in 2023 affected the manufacturing sector. But if there's one sector to worry about more than the rest it's, arguably, water.

Late last November, around 180 households in the Irish villages of Binghamstown and Drum lost water for two days, thanks to a loss of water pressure at a local pumping station. The cause was a cyberattack likely carried out by Iran's Cyber Av3ngers, part of a wider campaign targeting Unitronics pump controllers.

Though such stories are still rare, water facilities combine a dangerous mix of low difficulty and high impact for hackers.

"In the USA, the vast majority of the more than 20,000 drinking water treatment utilities are tiny. Minute. The vast majority of the more than 200,000 wastewater treatment systems — same thing. And realistically, with whatever budget these utilities have, almost all of it goes to people with trucks and backhoes digging holes in the ground," Ginter explains. "Couple that with continued pressure to automate those water systems to reduce costs — a lot of these systems are regulated \[because they're local monopolies\], and every regulator wants to reduce costs and reduce rates, so there is constant pressure to automate. All modern automation involves computers, meaning more targets for cyberattacks."

These systems have no security budget, so with the increased threat of hacktivist attacks and pressure to automate their operations, they are in peril, he notes, creating "a growing problem for all of the small communities in the nation."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattacks Wreaking Physical Disruption on the Rise

How security teams in the region fortify their defenses amid short-staffing — and increased DDoS, phishing, and ransomware campaigns — during the Muslim holy month.

Source: MQ Naufal via Alamy Stock Photo

The holy month of Ramadan is a period where Middle East-based companies step up cybersecurity with extra vigilance and outsourced support amid shortened working hours and increased e-commerce activity.

The ninth month of the Muslim calendar is observed around the world as followers take the time to reflect and practice fasting, and cybersecurity teams often operate with skeletal staffing. Ramadan is also a period where Muslim shoppers tend to up their spending on speciality foods, gifts, and special offers.

All of this also creates a perfect storm for bad actors to conduct fraudulent activities and scams.

Endpoint protection firm Resecurity has observed a significant increase in cyber malevolence during Ramadan, which began on March 10. The company estimates the total financial impact from these cyberattacks and cyberscams against the Middle East has reached up to $100 million so far during this year's Ramadan. This figure accounts for fraud perpetrated against expatriates, residents, and foreign visitors and includes wire fraud, fraudulent campaigns, e-commerce fraud, and phishing. 

In particular, Resecurity notes a rising trend where cybercriminals impersonate local shipping companies like Aramex, SMSA Express, and Zajil Express to deceive Internet users. They target victims through SMS, iMessage, and WhatsApp with phony parcel delivery messages that pressure the victim to pay immediately for their "delivery."

"\[Users\] are strongly advised to refrain from sharing personal and payment information on questionable sites or with individuals posing as bank or government employees," Resecurity warned in its report.

Shilpi Handa, associate research director of security, Middle East, Turkey, and Africa (META) at IDC, agrees there is a "noticeable increase" in DDoS, phishing, and ransomware attempts during the holy month.

**Cyber Risk Preparation**

Even so, cybersecurity professionals in the region are well-versed on the cyber risk escalation during Ramadan. Security preparations typically begin well in advance of Ramadan, Handa notes.

"Many organizations proactively enhance their outsourced contracts during this period, particularly focusing on bolstering 24/7 security operations," she says, adding that deploying a remote and diverse workforce is particularly advantageous during Ramadan as around-the-clock security shifts can be fully covered by a mix of Muslim fasters and non-Muslim staff.

Organizations that expect to be short-staffed during Ramadan should prioritize their critical infrastructure to ensure operational continuity and lessen the frequency of active threat hunting if resources are stretched, Handa says. Companies also should enhance security measures for email and corporate networks because those historically have been targeted in the Middle East, she adds.

In the last few years, the UAE Cybersecurity Council has taken to issuing special advisories during Ramadan. On March 4 this year, the UAE launched its National Campaign for Cybersecurity, aimed at raising awareness and promoting cybersecurity best practices among the public.

Ezzeldin Hussein, regional senior director, solution engineering, META at SentinelOne, advises companies to prioritize cross-training within cybersecurity teams to ensure that essential tasks can be handled by multiple team members. And set clear protocols for incident response and escalation paths to streamline decision-making processes amid possible reduced staffing levels, he adds. 

Ali Haider, a New York-based senior security consultant at Secureworks, says companies should take extra steps to promote a culture of vigilance and awareness among employees and encourage them to report any suspicious activities or security concerns. 

Haider, who worked in the UAE and Saudi Arabia for over a decade, recommends that companies coordinate with the relevant law enforcement agencies. "Maintain open communication channels and coordinate security efforts as needed. Collaborating with authorities can enhance security effectiveness and facilitate a coordinated response to security incidents," he says.

**Ramadan and Year-Round**

Of course, robust cybersecurity measures should be deployed all-year round, not just for Ramadan, Haider cautions.

"Attackers may exploit potential vulnerabilities, such as reduced staffing or distracted teams. However, businesses should maintain vigilance and strengthen cybersecurity measures year-round," he says. "Ultimately, a proactive approach is key to safeguarding against cyberattacks, regardless of the time of year."

**About the Author(s)**

Alicia Buller is a London-based business and technology journalist with several years' experience working in Dubai. She specialises in cybersecurity and Middle Eastern affairs.

Source

DARKReading