Cybersecurity is not "one size fits all." Employers, recruiters, and managers need to embrace neurodiversity through inclusive hiring practices, tailored training programs, and adaptive management styles.

Source: Tomertu via Adobe Stock Photo

Megan Roddie-Fonseca, a senior security engineer at Datadog, recalls a pivotal moment during her job interview that swayed her decision to join the company.

"During the interview process, the manager asked me, 'How can I manage you? What's your ideal way of working?'" Roddie-Fonseca says. "'What can I do in order to make you the employee that you need to be and that you want to be?'"

For Roddie-Fonseca, a neurodivergent individual, this willingness to adapt management styles based on individual needs was a key factor in her decision to accept Datadog's offer.

"That's a big thing for me, instead of a manager saying, 'This is my management style,'" she says, noting that a tailored management approach can create an environment where neurodiverse workers feel understood and supported.

Roddie-Fonseca was diagnosed with autism when she was 12 years old and with ADHD later in life. While she has personally had overall positive experiences in the cybersecurity industry, she's also aware — by networking with other neurodivergent individuals — of the challenges that many face in their careers.

Neurodiversity includes individuals with conditions such as autism, ADHD, and dyslexia. While neurodivergent individuals can bring a wealth of unique skills to the workplace, they often face unnecessary challenges in the hiring process, training, and overall workplace environment.

**Align the Interview With the Job**

One issue is the current structure of the hiring process in many organizations. Rigid interviews, vague expectations, and unaccommodating environments can create barriers for neurodivergent candidates. Roddie-Fonseca says that typical interview setups, where candidates sit in front of a hiring manager or panel to answer rapid-fire questions, are not designed for those who may struggle with social anxiety or sensory-processing issues.

"Sitting in a room answering questions, especially when you're seeking a job that is going to have less social interaction, is not the way to do it," she says. "When it comes to showing my skill set, I'm going to be doing that on a computer, in an environment I'm comfortable with."

Performance-based interviews, where candidates demonstrate their skills in a simulated work environment, are a better alternative. Dr. Jodi Asbell-Clarke, a senior researcher in neurodiversity in STEM education at the nonprofit TERC and author of Reaching and Teaching Neurodivergent Learners in STEM, says it is essential to allow candidates to show their abilities under conditions they’re comfortable with.

“Many neurodivergent employees I have spoken with tell me they are at their best when they have time and mental space to solve a problem on their own, in their own way, and then bring it back to the team,” she says.

Rather than focusing on quick thinking under pressure, performance-based assessments allow candidates to demonstrate their problem-solving talents without the added stress of rigid, high-pressure conditions.

**Supporting Neurodivergent Employees on the Job**

Hiring neurodivergent candidates is just the first step; ensuring they are supported once on the job is equally important. Neurodivergent professionals often thrive in environments where accommodations are made to help them succeed, from flexible working conditions to individualized communication styles.

Universal design principles — where workplace accommodations are made available to everyone, regardless of whether they disclose a neurodivergent condition — can make a big difference, says Liz Green, an occupational therapist and business consultant who specializes in neurodiversity and inclusive design and often works with cybersecurity.

"Neurodivergence is already present in about 20% of the workforce, but not everyone will disclose it. So it's important to have support systems in place that everyone can access," she says.

Creating employee manuals, where workers outline their preferred communication and work styles, is a simple and inclusive solution that can benefit all employees, neurodivergent or not, Green adds.

Once neurodivergent employees are onboarded, providing appropriate training is essential. The traditional approach to training, where all new hires undergo the same program without considering individual learning needs, can leave neurodivergent employees struggling. Asbell-Clarke points out that giving neurodivergent employees space for "autonomy of thought" during training can be beneficial. For example, instead of bombarding new hires with information in a classroom setting, consider self-paced training modules that allow individuals to learn at their own speed.

Meghan Maneval, senior director of product marketing at LogicGate and also a neurodivergent individual, says clear communication — in multiple formats — during both interviewing and training is essential for her.

"Due to my auditory processing disorder, I often rely on written communication to fully process information," she says.

Employers can also create mentorship opportunities, pairing neurodivergent hires with more experienced employees who understand their challenges. These mentors can offer guidance and help them navigate the nuances of company culture and expectations.

**Creating a Culture of Inclusion**

Building an inclusive culture goes beyond just offering accommodations. It requires a shift in mindset across the organization.

"It's a culture shift because a lot of people are afraid to bring up those things because people think they're silly or they'll feel like, you know, they're going to get fired or not be a candidate for hire because they made a request like this," says Roddie-Fonseca.

Green emphasizes the need for open dialogue and the willingness to learn.

"Opening up the conversation is the first step. Silence doesn't help,” she says. By engaging in conversations about neurodiversity, employers can begin to dismantle the biases that prevent neurodivergent individuals from succeeding.

Another key component is establishing employee resource groups (ERGs) for neurodivergent individuals, says Green. These groups can provide a platform for employees to voice their needs and advocate for changes that improve the workplace for everyone.

“The most important thing is bringing forth the voices of the population," Green says. "It's about making an effort to listen and then act on what neurodivergent employees are saying."

An opportunity exists to rethink traditional hiring practices and embrace a more inclusive approach in cybersecurity hiring. As Datadog's Roddie-Fonseca points out, neurodivergent individuals often possess unique problem-solving abilities and strong attention to detail — skills that are highly valuable in technical fields. Yet the current hiring landscape remains inaccessible for many. By adopting flexible, inclusive hiring and training practices, cybersecurity employers can not only tap into the neurodiverse talent pool but also create a more dynamic and innovative workforce.

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Breaking Barriers: Making Cybersecurity Accessible for Neurodiverse Professionals

Without DMARC, campaigns remain highly susceptible to phishing, domain spoofing, and impersonation.

Source: Saphiens via Alamy Stock Photo

Nearly 75% of US Senate campaign websites are lacking when it comes to DMARC protections, otherwise known as Domain-based Message Authentication, Reporting, and Conformance safeguards.

DMARC tools are used to prevent phishing and spoofing attacks by ensuring that the domains from which emails are sent get authenticated.

Without these protections, campaign websites are left vulnerable to cyberattacks, a critical issue given that these campaigns are emailing voters, donors, and staff frequently.

This could lead to compromised voter information, donor data, strategic campaign plans, and other sensitive data, furthering a lack of public trust in US elections, an issue that has become increasingly prominent in the past few years. In 2016, Russian state actors tried to influence the presidential election by disrupting the election process and hacking emails. 

According to the study, conducted by Red Sift, campaigns will remain highly susceptible to phishing, domain spoofing, and impersonation attacks without DMARC, ultimately leading to slower campaign operations, leaks in confidential information, and worse.

The report calls for immediate prioritization of DMARC implementation across US Senate and presidential campaigns, and insuring that these implementations are properly configured.

**About the Author**

Most US Political Campaigns Lack DMARC Email Protection

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Source: Primakov via Shutterstock

Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver malicious infostealing payloads, after using stolen credentials to log in to and infect thousands of websites.

Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.

Threat actors used stolen WordPress admin credentials to infect compromised websites with malicious plug-ins as part of an attack chain unrelated "to any known vulnerabilities in the WordPress ecosystem," GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users," he wrote.

The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, "ultimately compromising their systems with various types of malware and information stealers," Sinegubko explained.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

**Related, Yet Separate Campaigns**

It should be mentioned that ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Initially it targeted Windows systems, but later spread to macOS as well.

Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy claims to have been tracking ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Other analysts at Proofpoint detailed ClickFix for the first time earlier this year.

The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner," according to the post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," Sinegubko wrote.

Related:Bad Actors Manipulate Red-Team Tools to Evade Detection

All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.

**Automation Used to Scale Campaign**

Further analysis detected automation in the naming convention of the plug-ins, with researchers noting a JavaScript file naming pattern consisting of the first letter of each word in the plug-in name, appended with "-script.js."

For example, the Advanced User Manager plug-in contains the aum-script.js file, according to the researchers, who used this naming convention to detect other malicious plug-ins related to the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.

The plug-in and author URIs also frequently reference GitHub, but analysis showed that repositories associated with the plug-in don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which "indicates an automated process behind the creation of these malicious plugins," Sinegubko wrote.

Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing "threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages," Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.

Related:The Lingering 'Beige Desktop' Paradox

**Credential Theft as Initial Entry?**

GoDaddy isn't clear on how attackers acquired WordPress admin credentials to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. 

Moreover, as the payloads of the campaign itself are the installation of various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials in this way, Sinegubko observed.

"When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs," he noted.

Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed could belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.

Because the campaign includes the theft of legitimate credentials to log in to WordPress sites, people are urged to follow general best practices for protecting their passwords as well as avoid interacting with any unknown websites or messages that ask them to divulge private credentials.

GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

The persistent infostealer's latest campaign inserts fake CAPTCHA pages into legitimate applications, fooling users into executing the malicious payload, researchers find.

Source: Oleksandr Hruts via Alamy Stock Photo

Lumma Stealer stars in a new campaign that uses malicious CAPTCHA pages to scam targets into clicking through the "verification" process — triggering the initial malware download.

Malware-as-a-service (MaaS) Lumma Stealer is commonly used by threat actors to steal sensitive information like passwords and crypto-wallet data, researchers at Qualys, who recently detailed the latest attack chain, explained.

"When the user clicks the 'I'm not a robot' button, verification steps are presented," Qualys threat researcher Vishwajeet Kumar wrote in a blog post detailing the latest Lumma Stealer find. "Completing these steps triggers the execution of a PowerShell command that initiates the download of an initial stager (malware downloader) on the target machine."

**Lumma Stealer's Easy Adaptability**

This latest CAPTCHA-based tactic is new, Kumar added in the Lumma Stealer campaign analysis. Previous campaigns have relied on a wide array of cybercrimes to spread the infostealer, ranging from basic phishing to far more exotic gambits.

Just a handful of examples from just this year include a Lumma Stealer campaign from January 2024 that used YouTube channels disguised as content to offer workarounds for eluding Web filters and cracking popular applications.

By the summer, another Lumma Stealer effort popped up on Facebook, this time trying to lure victims into downloading a legitimate artificial intelligence (AI) photo editor. Even Hamster Kombat wasn't spared. The more than 250 million estimated players of the game were targeted and lured into downloading Lumma Stealer by multiple simultaneous scams, it was discovered last July.

"The investigation into Lumma Stealer reveals an evolving threat landscape characterized by the malware’s ability to adapt and evade detection," Kumar wrote. "It employs a variety of tactics, from leveraging legitimate software to utilizing deceptive delivery methods, making it a persistent challenge for security teams."

Protecting from ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams, according to Sarah Jones, a cyber-threat intelligence research analyst at Critical Start.

"Given the rapid evolution of threats like Lumma Stealer, security teams must adopt a stance of continuous monitoring and adaptation, regularly updating detection rules, indicators of compromise, and security controls," Jones says. "This campaign exemplifies the sophisticated threats organizations face today, requiring a multilayered defense approach that combines advanced technical controls with proactive threat hunting and ongoing adaptation to effectively combat evolving malware campaigns."

Tricky CAPTCHA Caught Dropping Lumma Stealer Malware

There are more similarities between developing a professional athlete and developing a cybersecurity pro than you might expect.

Mike Mitchell, Vice President, Threat Hunt Intelligence, Intel 471

October 22, 2024

5 Min Read

Source: Augustas Cetkauskas via Alamy Stock Photo

COMMENTARY

What do professional sports and security operation centers (SOCs) have in common? Before I became a cybersecurity professional and after my baseball career with the Colorado Rockies, I would have said nothing at all. As I've navigated the cybersecurity industry over the past 10-plus years, I've identified three core tenets that form the foundation of successful SOCs and championship baseball teams: leadership, preparation, and collaboration. 

Early in my baseball career, my high school coaches taught me valuable lessons about the importance of leadership, and showed me one of the most effective ways I've seen it applied. Managers of a baseball team are much like managers of a SOC, in that they both must build and manage effective teams consisting of wildly different personnel, personalities, and challenges. It's how they choose to lead their teams that truly sets them apart from a "day-to-day" manager.  

The best managers I've had in cybersecurity and in baseball were all prior practitioners who led by example and used every opportunity as a teachable moment. In baseball terminology, these leaders were "player's coaches," meaning they had a visceral understanding, knowledge, and passion for the game based on their own experiences but still demanded excellence from each of us. SANS Institute recently published a blog post about becoming a leader in the SOC, stating, "A leader doesn't necessarily need to be able to perform all the specialized activities covered by the team, they should understand the responsibilities of each team member and know what it's like to walk in their shoes."  

Managers that take this approach allow team members to succeed, fail, and learn from their mistakes, while knowing their leadership can commiserate with their shared experiences. Being a leader takes more than just setting a lineup or creating a SOC process; it's about ensuring the team knows you are invested in their growth, and can be an example of the time, effort, and skills it takes to be an effective SOC analyst. 

**The Importance of Team Building**

The University of Virginia (UVA) baseball program changed my perspective on the significance of team building and what it means to create a culture that embodies teamwork and preparation as a foundational focus. These experiences drilled home the concept of "battling" for each other, knowing everyone's strengths and weaknesses, and allowed us to overprepare for the actual game. SOC managers, leveraging well-designed tabletops exercises, can offer the same level of "game-like" intensity, high-pressure situations, and team-building atmosphere. By engaging the security analysts, threat intelligence analysts, engineers, and incident responders, tabletop exercises enable SOCs to battle test their playbooks, effectively communicate, and validate their processes, all while developing teamwork and bolstering their trust in one another. The Cybersecurity and Infrastructure Security Agency (CISA) offers some amazing resources that can be used to build effective tabletops centered around a variety of different generic scenarios. However, organizational-specific scenarios allow SOCs to design tabletops that are unique to their risk profile, infrastructure, and protected assets. For example, if the company is in the financial industry, it may practice and drill on scenarios related to information stealers or ransomware groups targeting access for monetary gain. When it's "game time" and a real-world incident affects that organization, the SOC will be ready to tackle anything the threats throw at them. 

After my fourth year at UVA, I was extremely fortunate to be drafted by the Colorado Rockies, and during my career, I witnessed how collaboration can foster championship teams. Communication and information sharing between team members or departments are integral for successful collaboration. In a highly skilled environment like professional baseball or a mature SOC, everyone wants to be the one the manager leans on to get the job done. This competitive nature can sometimes lead individuals to isolate themselves so that their abilities and knowledge stay wholly unique to their skill set. However, I've experienced on the field and in the SOC individuals who put their pride aside and continually took time out of their day to share their knowledge to help upskill and provide guidance to their fellow teammates. 

**Working Together**

SOCs that encourage interpersonal communication between their analysts, threat hunters, engineers, or incident responders develop a team that understands the roles and responsibilities of every other team member, and can use that knowledge to help streamline or assist in more effective ways during an incident. SOCs can also establish collaborative environments by creating and executing a collective game plan against their opponents. Professional baseball organizations have advanced scouting groups that collect as much information as possible about the opposing team, including pitching/hitting tendencies (behaviors), and who and how they are going to pitch to hitters (tactics). By leveraging an intelligence-driven approach, the SOC can also achieve an effective collaborative environment. Cyber threat intelligence (CTI) acts like the advanced scouting group by gathering as much information about the threats, actors, tactics, techniques, and procedures (TTPs), and behaviors to effectively profile their organizational risk and priorities. Those priorities are then communicated to different teams like threat hunting, detection engineering, and security engineers, allowing them to work as a collaborative unit and communicate based on actionable intelligence.  

Reflecting on my time in baseball and in cybersecurity, there are more similarities than I expected between developing into a professional athlete and a cyber professional. Through my journey in both careers, I've worked with amazing individuals that led by example and were more than just a manager. They instilled in me the importance of preparation and the significance of building a culture of teamwork. These collaborative environments have allowed me to not only learn from my managers but also establish long-lasting relationships with my peers and teammates. 

**About the Author**

Vice President, Threat Hunt Intelligence, Intel 471

Mike Mitchell is Vice President, Threat Hunt Intelligence, of Intel 471. Prior to joining Intel 471, he was a co-founder of recently acquired threat hunting provider Cyborg Security. While at Cyborg, he was a cross-functional founder focused on technical implementation, sales, product architecture, and managing the content development team and its deliverables. Mike has more than 12 years of diverse cybersecurity experience in roles including senior solutions and security engineer, director of sales engineering to co-founder of Cyborg Security. Before his career in cybersecurity, Mike spent a number of years in pro baseball with the Colorado Rockies.

What Today's SOC Teams Can Learn From Baseball

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Need a push? A day for a cybersecurity professional can be full of adrenaline-pumping moments. Come up with a clever cybersecurity-related caption for the cartoon above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 13, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

A round of congratulations goes to Chris Potter, whose caption for September's "Tug of War" contest nailed first place:

Thanks to all who participated. Some noteworthy contenders included "…And here we have the top contenders for our CAPTCHA the flag tournament," "AI Race Condition," and "Artificial or Human, I’m not seeing any intelligence."

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: The Big Jump

Russia-linked hackers have taken aim at Japan, following its ramping up of military exercises with regional allies and the increase of its defense budget.

Source: StudioProX via Shutterstock

Two Russian hacking groups leveled distributed denial-of-service (DDoS) attacks at Japanese logistics and shipbuilding firms — as well as government and political organizations — in what experts believe are attempts to pressure the Japanese government. The attacks came after lawmakers boosted the nation's defense budget, and its military conducted exercises with regional allies.

The two pro-Russian cyberthreat groups — NoName057(16) and the Russian Cyber Army Team — started attacking Japanese targets on Oct. 14, with more than half of the attacks targeting logistics, shipbuilding, and manufacturing firms, according to network-monitoring firm Netscout. The groups, especially NoName057(16), have made a name for themselves by attacking Ukrainian and European targets following Russia's invasion of Ukraine.

In the latest spate of attacks, the groups targeted Japanese industry and government agencies after the Ministry of Foreign Affairs of the Russian Federation expressed concern over the ramp-up of Japan's military, says Richard Hummel, director of threat intelligence for Netscout.

"Japan had their elections last week, and the leader that took over is no fan of Russia and, in fact, has been very vocal about supporting Ukraine and sending aid," he says. "Japan is also working with the US military on joint exercises and ballistics missiles testing — these are the \[regional events\] that NoName057 will go after."

Related:Hong Kong Crime Ring Swindles Victims Out of $46M

With geopolitical rivalries with China and Russia heating up, Japan is in the midst of its largest military buildup since World War II. In December 2022, the nation unveiled a five-year $320 billion plan that includes long-range cruise missiles that could hit targets in China, North Korea, and Russia. The move marked a significant shift away from Japan's self-defense-only policy, with the government continuing the move by increasing military spending by 16% this year.

On Oct. 17, Japan's Deputy Chief Cabinet Secretary Kazuhiko Aoki said the government is investigating the DDoS attacks.

More than half of the attacks targeted the logistics and manufacturing sector, while nearly a third targeted government agencies and political organizations in Japan, Netscout stated in its analysis.

The Russian group "has leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets," the analysis stated. "As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves, utilizing four distinct DDoS attack vectors, utilizing approximately 30 different attack configurations to maximize attack impact."

Related:Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

**Hacktivists and the Resurgence of DDoS**

The attacks mark the latest shift in DDoS attacks. In the past, 85% to 90% of such attacks originated in the gaming world, with players targeting other players, Netscout's Hummel says. Over the past few years, while many hacktivism attacks amounted to little more than PR stunts, cybercriminals have increasingly used DDoS attacks to cause outages in business operations to support a cause or monetize a botnet — sometimes, both.

US authorities recently charged two Sudanese brothers — 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer — following more than 35,000 DDoS attacks during the past 18 months, which targeted government agencies, a major Los Angeles-area hospital, and technology companies. The US Department of Justice charged one of the two brothers with three counts of damage to a protected computer, and the indictment included his message taking credit for "any damage to the hospital ... and their health systems + any collateral damage," according to a federal indictment.

The impact of a DDoS attack on the ability of connected medical devices to operate means that increasingly they will have physical impacts, Hummel says.

Related:DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

The brother was "charged with essentially attempted murder, because they were taking down hospital infrastructure where people needed life-saving technology," he says. "If the Internet goes down, then \[these connected medical devices\] stop functioning, they stop checking in."

**Definitively Russian? Nyet**

Both NoName057 and the Russian Cyber Army Team obviously pursue priorities expressed by the Russian government, but that does not necessarily mean they are a military or intelligence agency operation, Hummel says.

Overall, the groups have claimed 60 attacks against 19 different targets in the weeks following the criticism of Japan's accelerated military buildup by Russia's Minister of Foreign Affairs. In a Telegram post, NoName057(16) confirmed the link.

"Particular discontent was caused by the participation of non-regional NATO member countries in the maneuvers, which, in Russia's opinion, increases the threat and is unacceptable," they stated in the Telegram post (machine translated from Russian). "We punish Russophobic Japan and remind you that any measures directed against Russia may end badly."

The groups' attacks against Japan match with previous targeting against any critic of Russia or its strategy, Hummel says.

"I can't say definitively if they are part of the Russian government ... or if any agency is giving them direct instructions," he says. "What I can tell you is that all of the targeting is against groups that are anti-Russia or anti-Muslim. And oftentimes, it's usually going to be in that political sphere when people are vocal about their support of anybody against Russia."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia-Linked Hackers Attack Japan's Govt, Ports

These types of "long-lived" credentials pose a risk for users across all major cloud service providers, and must meet their very timely ends, researchers say.

Source: Artur Marciniec via Alamy Stock Photo

Almost half of organizations have users with "long-lived" credentials in cloud services, making them more likely to be victimized in a data breach.

Long-lived credentials are authentication tokens or keys in the cloud that remain for a long period of time — sometimes valid and sometimes not — ultimately causing major data breaches where attackers have a lengthy open window to compromise credentials.

In Datadog's 2024 "State of Cloud Security" report, the researchers found that long-lived credentials are a widespread issue across all major cloud services, including Google Cloud, Amazon Web Services (AWS), and Microsoft Entra. Not just that, but many of these are even unused, and often are leaked in source code, where they can open access to images and build logs and application artifacts, never expiring and becoming major security risks. 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications have an access key older than one year, the researchers found.

Ultimately, organizations struggle to manage these types of credentials, especially at scale, so the researchers at Datadog recommend that long-lived credentials be avoided altogether in order to mitigate this issue. 

"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog. "To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use."

**About the Author**

Unmanaged Cloud Credentials Pose Risk to Half of Orgs

The networking company confirms that cyberattackers illegally accessed data belonging to some of its customers.

Source: Sergiy Palamarchuk via Shutterstock

Cisco has disabled public access to one of its DevHub environments after threat actors downloaded some customer data from the site and put it up for sale on a cybercrime forum.

The compromised data included source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to some large companies, including Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP.

**Data Heist From Public-Facing Environment**

News of the breach first surfaced a week ago, when researchers spotted three threat actors using the monikers IntelBroker, EnergyWeaponUser, and zjj, putting up the data for sale on BreachForums. IntelBroker is a known Serbian entity that began operations in 2022 and is linked to several major data heists, including ones at Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

Cisco announced it was investigating the incident on Oct. 15. Three days later, the company confirmed the security incident in an update that offered little detail on the kind of data that the attackers managed to access and download.

Cisco's own systems appear not to have been affected in the incident. "We have determined that the data in question is on a public-facing DevHub environment — a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed," Cisco's advisory noted. "At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published."

The company said that, at the moment, there is no evidence the attackers illegally accessed any personal identity data or financial information, but it added that it was still investigating that possibility. "Out of an abundance of caution, we have disabled public access to the site while we continue the investigation," the company said.

In their BreachForums post, the threat actors claimed the data they downloaded from Cisco's DevHub site included GitHub and GitLab projects, source code, Jira tickets, container images, data from AWS storage buckets, and at least some confidential Cisco information.

**Reminder: The Need to Secure Public-Facing Assets**

The Cisco incident is a reminder why organizations need to protect public-facing environments with measures like input validation to protect against injection attacks, strong authentication tools and processes, and regular vulnerability assessments, says Jason Soroko, senior fellow at Sectigo.

Common mistakes organizations make when it comes to securing their public-facing assets include neglecting OWASP guidelines, underestimating security risks, failing to update systems regularly, and not prioritizing secure coding practices, Soroko says: "Don't forget to back up your website code and practice restoring it. Malware detection tools are available that make it easy to regularly scan."

Organizations can sometimes tend to perceive their public-facing assets as less critical when, in reality, they can expose sensitive information that attackers could use for future intrusions, he adds. The data that the attackers obtained in the Cisco incident, for instance, included source code, API tokens, certificates, and credentials that attackers could potentially leverage in a significant way in a future campaign.

Eric Schwake, director of cybersecurity strategy at Salt Security, says various factors contribute to sensitive data ending up on an organization's public-facing environments. "This can occur due to accidental misconfigurations of access controls, human errors in code or file management, inadequate security testing before deployment, or the compromise of third-party services," he says. These oversights can lead to the exposure of sensitive data and create potential entry points for attackers.

Schwake recommends that organizations implement a multilayered security strategy to reduce this risk. "This involves enforcing strict access controls, promoting secure coding practices, conducting thorough security testing, building posture governance standards, and performing regular security assessments," he says. "Using secrets management solutions and continuous monitoring tools can further improve security and protect against unauthorized access to sensitive information."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Disables DevHub Access After Security Breach

This latest breach was through Zendesk, a customer service platform that the organization uses.

Source: Postmodern Studio via Alamy Stock Photo

Just a few days after the Internet Archive told the public it was getting back on its feet after a data breach and a barrage of distributed denial-of-service (DDoS) attacks forced it to go offline, the digital library website is once again in trouble.

Unknown bad actors have allegedly claimed access tokens to the archive's Zendesk implementation, using them to send a mass email on Oct. 20 to those who tried to interact with the archive's platform.

The email began as follows:

"It's dispiriting to see that even after being made aware of the breach two weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their GitLab secrets," the hacker stated. “As demonstrated by this message, this includes a Zendesk token with perm\[ission\]s to access 800K+ support tickets sent to \[email protected\] since 2018." 

The email continued, "Whether you were trying to ask a general question or requesting the removal of your site from the Wayback Machine — your data is now in the hands of some random guy. If not me, it'd be someone else."

Though it can’t be said for certain, Chris Hickman, chief security officer (CSO) of Keyfactor, said the hacker may not have serious malicious intent, but instead wants to prove a point: that those in charge of the Internet Archive must be more proactive in protecting its network from those who would do much worse.

"This is a security oversight as tokens that are not rotated regularly have longer lifespans, increasing the window of opportunity for attackers to steal and misuse them," Hickman wrote in an emailed statement to Dark Reading. "If a token is not rotated correctly, it might expire, leading to authentication failures for legitimate users. If a malicious actor obtains an unrotated token, they could use it to gain unauthorized access to systems or services, leading to service disruptions and customer frustration, damaging a company's reputation and bottom line."

The organization hasn't made any public comments regarding the latest breach, but it did request donations last week to help support its endeavors of promoting open access to knowledge resources.

Source

DARKReading