The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

The collaboration with industry partners will improve collective AI defenses. Trusted contributors receive protected and anonymized data on real-world AI incidents.

Source: Myron Standret via Alamy Stock Photo

MITRE’s Center for Threat-Informed Defense announced the launch of the AI Incident Sharing initiative this week, a collaboration with more than 15 companies to increase community knowledge of threats and defenses for AI-enabled systems. 

The incident sharing initiative falls under the purview of the center’s Secure AI project, and aims to enable quick and secure collaboration on threats, attacks and accidents involving AI-enabled systems. It expands the reach of the MITRE ATLAS community knowledge base, which has been collecting and characterizing data on anonymized incidents for two years. Under this initiative, a community of collaborators will receive protected and anonymized data on real-world AI incidents. 

Incidents can be submitted via web (at https://ai-incidents.mitre.org/) by anyone. Submitting organizations will be considered for membership with the goal of enabling data-driven risk intelligence and analysis at scale. 

Secure AI also extended the ATLAS threat framework to incorporate information on the generative AI-enabled system threat landscape, adding several new generative AI-focused case studies and attack techniques, as well as new methods to mitigate attacks on these systems. In November 2023, in collaboration with Microsoft, MITRE released updates to the ATLAS knowledge base focused on generative AI. 

"Standardized and rapid information sharing about incidents will allow the entire community to improve the collective defense of such systems and mitigate external harms," said Douglas Robbins, vice president, MITRE Labs, in a statement.

MITRE operates a similar information-sharing public private partnership with the Aviation Safety Information Analysis and Sharing database for sharing data and safety information to identify and prevent hazards in aviation.

Collaborators on Secure AI span industries, with representatives from financial services, technology, and healthcare. The list includes AttackIQ, BlueRock, booz Allen Hamilton, CATO Networks, Citigroup, Cloud Security Alliance, CrowdStrike, FS-ISAC, Fujitsu, HCA Healthcare, HiddenLayer, Intel, JPMorgan Chase Bank, Microsoft, Standard Chartered, and Verizon Business.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

MITRE Launches AI Incident Sharing Initiative

CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.

Source: Aleksey Boldin via Alamy Stock Photo

Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.

The first — an issue with Apple's VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.

New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.

As Michael Covington, vice president of portfolio strategy for Jamf points out, "The good news is that neither of these highlighted issues involve remote exploits. They are, in fact, issues that will arise with use of the device, and it's user privacy that is ultimately at risk."

Still, he says that "for businesses that use mobile in any capacity for work, I recommend they pay close attention to both of the security issues and take appropriate action to update devices as soon as possible."

**Bug #1: Reading Passwords Aloud**

The first issue involves VoiceOver, the accessibility feature that provides visually impaired users with audible descriptions of the various elements on their screens — text, buttons, images, etc. VoiceOver also allows users to navigate their devices using voice commands and gestures.

Perhaps not everything on a device should be read aloud, though, like passwords. Last month, as part of iOS and iPadOS 18, Apple released a brand new app, "Passwords," allowing users to easily store and manage logins on their devices. CVE-2024-44204 is a logic issue that could have allowed VoiceOver to read out such a user's passwords. It affected essentially every model of iPhone and iPad released since 2018.

VoiceOver is off by default, meaning that only select iPhone users were potentially affected.

Covington notes, "This is not the first time we've seen accessibility features misused. Previous instances include screen reader technology being used by misbehaving apps to capture on-screen details and exfiltrate data from the device. Fortunately, most accessibility features go through extensive security and privacy testing, so these scenarios do not tend to arise often."

**Bug #2: Beginning Audio Messages Too Early**

If iPhone users are on the go, have a lot to say, or maybe just have tired thumbs, they might choose to record an audio message in iMessage, instead of a regular text. After they hit that plus sign on the left side of the message box and choose "Audio," the device will indicate that it has started recording with a red-highlighted sound wave in place of the message box, and a little orange dot in the pill-sized Dynamic Island at the top of the screen.

A security researcher recently discovered though that audio messages could have captured a few seconds of audio before users were made aware that their microphone was hot. The issue has been labeled CVE-2024-44207, and affects all models of the new iPhone 16.

Though it might seem — and, in most cases, would be — a relatively minor issue, Covington points out, "this disconnect between device function and the associated visual indicators is something that Jamf’s own threat research team has connected to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it can be misused is a big win for Apple."

Neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS) yet, nor are any further details public at this time.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

iPhone 'VoiceOver' Feature Could Read Passwords Aloud

A growing number of organizations are taking longer to get back on their feet after an attack, and they're paying high price tags to do so — up to $2M or more.

Source: Panther Media GmbH via Alamy Stock Photo

Organizations are seeing staggering increases in cyberattacks that stem from insider threats, with price tags for remediation reaching eyewatering heights of up to $2 million per incident.

According to research from Gurucul — which surveyed more than 400 IT and cybersecurity professionals — organizations are seeing a rising tide when it comes to insider threats. In 2023, 60% of organizations reported insider attacks, but in 2024 this number jumped to 83%. And in a dramatic shift, the number of organizations experiencing six to 10 attacks in the year doubled from 13% to 25%. Overall, almost half of organizations in the Gurucul study said that the occurrence of inside attacks has become more frequent over the past 12 months.

"Cybersecurity professionals define insider threats as risks originating from individuals within an organization who have authorized access to systems and data but misuse that access, either maliciously or unintentionally," Jason Soroko, senior fellow at Sectigo, wrote in an emailed statement to Dark Reading. "This definition encompasses employees, contractors, or partners who, due to complex IT environments, hybrid work models, or the adoption of advanced tools like GenAI, might exploit vulnerabilities."

This could mean a situation in which an employee steals sensitive data, accidentally leaking data after falling for a phishing scam, or ignoring security updates and protocols, ultimately leading to a security breach, he added.

Related:Dark Reading News Desk Live From Black Hat USA 2024

The Gurucul researchers found that the biggest driver of insider attacks are the growing IT complexities that organizations are faced with, which create visibility gaps that are hard to close. Technology is becoming more complex, and more employees are accessing system networks, extending the attack surface and making it more difficult to cybersecurity staff to safeguard. Not just this, but the adoption of new technologies like Internet of Things (IoT), artificial intelligence (AI), cloud services, and software-as-a-service (SaaS) applications play a role as well in the rapid growth rate that is difficult for organizations to keep pace with. 

With the implementation of new technology, these added "layers of complexity" create challenges for existing staff to combat threats, causing IT staff to become overworked and burned out. Nearly 30% of respondents noted that there is insufficient staff to implement and maintain tools and, if there are enough employees to go around, many lack the training and expertise to effectively manage the tools to safeguard networks. The researchers recommended that organizations that struggle with this cut their losses and transition to more intuitive tools that "reduce alert triage and false positives by providing a complete case of evidence with context and advanced behavior analytics."

Related:MITRE Launches AI Incident Sharing Initiative

Gurucul also pointed out that gaps in insider risk management are also to blame. "Weak enforcement policies, including a lack of consequences for employees and insufficient monitoring, were identified by 31% as contributing factors," according to the report. A fifth (20%) of respondents also cited executive management and policy issues as being one of the major obstacles to combating insider threats and implementing effective management tools and strategies.

Ultimately, it's a story that many in the cybersecurity industry have heard before: Executives need to give cyber threats the attention they deserve and support policy frameworks to help combat it; enforcing this mentality on a companywide level is also essential to strengthen mitigation.

**From Insider Attacks to Financial Spiral**

Insider attacks don't just compromise an organization's safety and information — they come with a high price tag, too. 

According to the study, after dealing with an attack of this kind, the cost of remediation for many organizations (32%) ranges from $100,000 to $499,000. And for others, it’s even more costly: 27% of organizations estimate the cost of remediation to range between $500,000 to $1 million, while 21% say that the costs range from $1 million to $2 million.

Related:Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

And that's just the financial impact for each individual insider attack an enterprise faces. With many experiencing roughly six to 10 attacks a year, these numbers multiply to a price that is likely just too costly to cough up. 

Those high price tags usually add up due to a variety of activities, such as system restoration, data recovery, legal fees, regulatory fines, and reputational damage control. 

And even if organizations can put money into remediation, their recovery is still slow. Roughly 45% of organizations take a week or longer to get back on their feet after an insider attack. The lengthy recovery time is usually due to the technical challenges that cybersecurity teams face when trying to restore intricate systems, a lack of unified visibility, and siloed security tools. Limited resources, regulatory compliances, and ongoing investigations also play a role in dragging out remediation efforts, keeping companies down while they’re most vulnerable. 

"It's essential for organizations to leverage advanced incident-response solutions that go beyond basic automation," according to the Gurucul researchers. "These solutions integrate dynamic risk-based prioritization, machine learning, and comprehensive contextual analysis to ensure that security teams can focus on the most critical threats, thereby reducing recovery times."

But in the end, prevention is better than reaction: That means educating existing employees (who complain of technical challenges, limited resources, compliance and privacy concerns, among other issues as leading to inadvertent mistakes), while also bringing in new cybersecurity talent so that security teams can effectively do their jobs and safeguard and mitigate against threats.

"Investing in ongoing training and development for cybersecurity teams to build the necessary expertise is crucial to address this challenge," the researchers wrote. "Managed security services can supplement internal capabilities, ensuring that tools are effectively implemented and maintained without overburdening existing staff."

Insider Threat Damage Balloons as Visibility Gaps Widen

The successful disruption of notorious Russian hacker group Star Blizzard's operations arrives one month out from the US presidential election — one of the APT's prime targets.

Source: Enik via Alamy Stock Photo

Microsoft and the US Department of Justice joined forces this week to take down more than 100 domains linked to a Russian-sponsored hacker group known as Star Blizzard.

The advanced persistent threat (APT), active since 2017, has targeted journalists, non-governmental organizations (NGOs), and Russia experts, particularly those supporting Ukraine.

The operation, which dismantled the group’s server infrastructure in the West, is expected to delay the cyberattackers' ability to regroup and operate.

"Today's seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action — using all tools to disrupt and deter malicious, state-sponsored cyber actors," Deputy Attorney General Lisa Monaco said in a statement issued by the DoJ.

Star Blizzard, also referred to as "Cold River" and "Callisto," uses primarily phishing emails to steal login credentials from its targets, and had recently developed its first custom backdoor.

In a partially unsealed indictment, the DoJ also revealed that two FSB officers, Ruslan Peretyatko and Andrey Korinets, were charged last December for their involvement in Star Blizzard espionage campaigns, which have extended to the UK, NATO countries, and Ukraine. The government's affidavit reveals that in the US, the group targeted military contractors, intelligence community personnel, and government agencies, among others.

The Kremlin-sponsored APT is known for its sophisticated evasion techniques, although Microsoft has been following it, and disrupted the group's activities in 2022 and again last year.

"Rebuilding infrastructure takes time, absorbs resources, and costs money," Microsoft noted in a blog post on the most recent takedown. "Today's action is an example of the impact we can have against cybercrime when we work together."

**A Step in Protection as US Election Nears**

The disruption comes at a crucial time, as US officials are on high alert for foreign interference ahead of the upcoming presidential election. With Star Blizzard's status as a tool for advancing Russian interests, including election disruption, Microsoft emphasized that the takedown action directly impacts efforts to protect the US democratic process from external threats.

"Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations — journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive — by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern."

**Russian Threat Likely to Persist**

Sean McNee, head of threat research at DomainTools, says he anticipates a dramatic increase in nation-state backed groups turning toward purchasing domains to carry out cyberespionage, and to seed misinformation and disinformation around the US election as well — so the combined DoJ/Microsoft action might just be a drop in the ocean.

"\[The Star Blizzard takedown is a\] huge step in protecting the Internet," he says, but adds it is likely only "scratching the surface" when it comes to FSB or other groups who have purchased domains to seed malignant websites.

"We have found that some domain hosting services sell domain registrations indiscriminately and are not always responsive when notified about malicious content or coordinated misinformation," he explains.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, warns Russia has "ratcheted up the cyber insurgency" in American cyberspace.

"Russia is cognizant that the soft underbelly of the US is our dependence on technology," he says, pointing out that the Star Blizzard revelations show that "the GRU and a few cybercrime cartels are collaborating in widespread campaigns of infiltration."

He says he is concerned that the resultant backdoors will be used to deploy destructive malware in the coming days, adding threat hunting must be expanded and runtime security must be activated to blunt the Russian campaign.

"Something wicked this way comes," Kellerman says. "The private sector must take this warning seriously."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness.

Akhil Mittal, Senior Manager, Synopsys Software Integrity Group

October 4, 2024

5 Min Read

Source: M-SUR via Alamy Stock Photo

COMMENTARY

In the high-pressure world of cybersecurity, daily headlines about breaches, ransomware, and phishing threats create a sense of urgency and tension. But what if one of the most effective tools for defense wasn't just technology, but humor? While it may seem unexpected, humor is emerging as a powerful asset in security training and culture-building. It boosts employee engagement, improves retention of key security concepts, and fosters a resilient security culture — ultimately strengthening an organization's defenses. 

However, humor isn't just about laughs — it's about combating challenges like security fatigue and ineffective training. As cyber threats evolve, the human element remains one of the weakest links. Humor can address that, but it must be carefully navigated. 

**Why Humor Works in Security Training**

According to a study from CompTIA, the human element accounts for the root cause of 52% of data breaches. Despite this, traditional cybersecurity training often fails to engage employees, resulting in low retention and inconsistent application of critical security behaviors. Dry, repetitive sessions packed with jargon cause employees to tune out — this is where humor comes in. 

According to TrainSmart, humor in training can boost retention and create a more relaxed learning environment. Research by Edutopia supports this, showing humor activates dopamine pathways, essential for motivation and memory retention. 

Imagine a monotonous security session versus a phishing simulation email from "IT Support" asking for your password to "upgrade the Internet." Humor transforms routine tasks into memorable learning experiences. 

**Real-World Examples**

Financial institutions and organizations are increasingly turning to gamification to enhance cybersecurity awareness. For example, some organizations have launched superhero-themed phishing campaigns where employees help fictional heroes identify threats, making training more interactive and fun. According to the Gamification at Work Survey by Talent LMS, 83% of participants reported feeling more motivated with gamified training, while 87% saw improvements in productivity and engagement. Additionally, 82% mentioned they felt happier at work due to these engaging methods. Similarly, some organizations use "bad password hall of fame" competitions, where employees guess the worst passwords ever used. These humorous contests make lessons about password strength more memorable, reinforcing security practices. Notably, 80% of organizations that implemented awareness training reported a reduction in phishing susceptibility, showcasing the effectiveness of these innovative approaches. 

**Reducing Security Fatigue**

Security fatigue is a growing issue in corporate environments. Employees face constant alerts, password updates, and phishing warnings, which can lead to negligence. 

Injecting humor into routine security tasks — like humorous phishing emails or lighthearted reminders — provides much-needed relief, keeping employees engaged without overwhelming them.

**Humor as a Solution for Remote Work**

The shift to remote work has highlighted the importance of engaging employees in security practices. Isolated from their IT teams, remote workers have become both the first and last lines of defense. However, 60% of remote employees feel disconnected from their company's cybersecurity efforts, according to Ponemon. In this environment, humor helps combat burnout, while reinforcing critical cybersecurity behaviors. 

**Risks and Challenges**

While humor can be effective, it also carries risks. If not implemented carefully, humor may trivialize serious threats, leading employees to view cybersecurity risks as less critical. Balance is key — humor should engage without undermining the importance of vigilance. 

Moreover, not all humor works in every context, particularly across diverse cultures. A cartoon-style phishing simulation may succeed in one region but be inappropriate elsewhere. To avoid alienating employees, it's crucial to test humor-based campaigns with different cultural groups before deployment. 

It's also critical to measure the effectiveness of humor in security training. Organizations should track phishing reporting rates, training completion, and quiz scores to assess engagement and overall security posture. 

**Learning From Mistakes **

Not all humor-based campaigns are successful. For instance, one company used sarcastic dark humor in its training sessions, which led to complaints from employees who felt the tone was dismissive of real security risks. The lesson? Humor that fails to take security seriously can do more harm than good. 

**Actionable Takeaways**

For organizations looking to enhance cybersecurity training with humor, here are some practical steps: 

*   Incorporate humor in training: Introduce humor into phishing simulations and training exercises to boost engagement and retention. 
    

*   Gamify security awareness: Create competitions or leaderboards where employees race to spot phishing attempts, using humor to reduce monotony. 
    

*   Test for cultural sensitivity: Ensure humor resonates globally by testing content with various employee groups before rolling it out. 
    

*   Track key metrics: Monitor phishing reporting rates, training completion, and engagement metrics to assess the effectiveness of humor in cybersecurity efforts.
    

**Conclusion**

Cybersecurity is serious, but it doesn't have to be boring. Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness. By balancing humor and seriousness, organizations can strengthen their defenses while keeping employees alert and engaged. Now is the time to inject levity into cybersecurity efforts — without losing sight of vigilance. 

**About the Author**

Senior Manager, Synopsys Software Integrity Group

Akhil Mittal is a recognized cybersecurity leader with more than two decades of experience in application security, cloud security, and DevSecOps. As a Gartner Cybersecurity ambassador and senior manager at Synopsys, he leads key security initiatives, helping global organizations strengthen their defenses against advanced cyber threats. Akhil has worked closely with chief information security officers (CISOs) and executive leadership to align security strategies with business goals, ensuring robust protection across industries. He also contributes his expertise through leading cybersecurity publications and serves as a judge for top industry awards and hackathons. Certified in CISSP and CCSP, his work continues to shape the future of cybersecurity, driving innovation and resilience worldwide.

Cybersecurity Is Serious — but It Doesn't Have to Be Boring

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals.

Source: Skorzewiak via Alamy Stock Photo

The industry consensus about ransomware is that it's not going away anytime soon, evidenced by the consistent growth of ransomware attacks over the past decade. We've seen some of the biggest ransomware attacks in history — including the JBS, Colonial Pipeline, and Equifax breaches — over the past five years. What's more, between 2023 and 2024, there was an 81% year-on-year jump in the number of recorded ransomware attacks, according to cybersecurity research firm Black Kite.

And according to a report earlier this year by cybersecurity research firm Performanta, ransomware gangs have a new strategy: Ransomware-as-a-service (RaaS) organizations are focusing on African nations as initial targets for nation-state attacks before launching malicious campaigns in more developed climes.

But what makes Africa a choice destination for these so-called "RaaS gangs," and what does this mean for the burgeoning economies on the continent?

**Why Africa?**

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals. Performanta's report, which shows that Africa is increasingly becoming a testing ground for ransomware attacks, raises serious concerns for the continent's future and underscores the urgent need for collaboration among African states, corporations, and the West.

One draw for the cybergangs is the continent's overall low levels of cybersecurity strategy at the national level. In the 2024 edition of the International Telecommunication Union's Global Cybersecurity Index, only nine out of 44 countries in Africa qualified for the first or second tier of cybersecurity maturity. While this is an improvement over the previous report's rankings, that still leaves swathes of the continent less prepared.

Funsho Richard, a senior cybersecurity analyst and consultant, agrees with Performanta's findings.

"Africa's potential for profitable attacks amidst its digital growth is a magnet for cybercriminals," he says. Ransomware gangs and nation-state actors are exploiting the continent's weaker cybersecurity defenses to refine their methods in a "lower-risk environment" before launching attacks on better-secured developed nations.

This approach makes perfect sense from the attackers' perspective, as Gal Nakash, co-founder and CPO at identity-based SaaS security company Reco, explains.

"Building a sophisticated testing environment for a campaign is challenging," Nakash says. "Leveraging less interesting or poorly secured victims is more effective and increases the likelihood of remaining undetected by security tools."

In June, South Africa's National Health Laboratory Service (NHLS) confirmed it was dealing with a ransomware attack that significantly affected the dissemination of lab results as the country was responding to an outbreak of mpox (previously known as monkeypox). The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country's nine provinces. The spokesperson declined to say which ransomware group was behind the incident or whether a ransom was paid.

**Signs and Guardrails**

So how can African businesses identify these potential "ransomware testing" campaigns? Richard points out that, unlike traditional ransomware attacks that target specific industries like finance or energy, these campaigns might target a wider range of businesses.

Traditionally, ransomware gangs have a well-defined appetite: high-value sectors like finance, manufacturing, and energy. A recent surge in attacks targeting a wider range of businesses across various industries in Africa could be a red flag, indicating a testing campaign in progress.

Performanta's research also validates this concern. The report reveals a "large increase in financial/banking trojans with a 59% increase in Kenya and a 32% increase in Nigeria across a single quarter," suggesting gangs are casting a wider net.

Performanta's report suggests African organizations may not be fully prepared for this shift in attack tactics. While Nakash expresses confidence in the capabilities of modern cybersecurity solutions like extended detection and response/endpoint detection and response (XDR/EDR), he acknowledges a lack of widespread adoption. But he says that businesses that regularly update their cybersecurity controls and policies can stop attackers dead in their tracks.

"This includes maintaining visibility into their entire network environment, encompassing cloud, SaaS \[software-as-a-service\], on-premises infrastructure, and all the applications they use daily," Nakash says. "Critical applications should be mapped, and robust policies and alert notifications should be set up to identify and address any violations or misconfigurations that could create potential security vulnerabilities."

However, to spot the wider trend of test campaigns requires national coordination and strategy, as well as regional cooperation. The Africa Center for Strategic Studies cites several regional initiatives, such as Afripol, but warns that only 17 countries on the continent even have a national cybersecurity strategy.

**Building a Strong Defense**

What businesses on the continent need to stay cybersafe is a foundational approach — doing the basic things the right way. Ensuring that all configurations adhere to best security practices and setting up alert notifications for any suspicious activity are essential steps to prevent potential threats.

"Organizations need thorough visibility into their entire network environment, including cloud and on-premises infrastructure," Nakash says.

The fight against cybercrime requires a united front, says Guy Golan, executive chairman and CEO at Performanta.

"The West and Africa must implement long-term collaborative efforts to build a strong defense against this threat," he says. By sharing knowledge, resources, and best practices, both continents can work together to create a more secure digital landscape for all.

Building resilience against these attacks isn't just about protecting individual businesses; it's about safeguarding the future of Africa's booming digital economy.

"The solution lies in long-term collaborative efforts. Only then can we effectively combat this growing threat," says Richard.

**About the Author**

Contributing Writer

Kolawole Samuel Adebayo is a Harvard-trained tech entrepreneur, tech enthusiast, tech writer/journalist, and an executive ghostwriter. He has 10+ years of experience covering various tech news stories, writing thought leadership blogs, reports, datasheets, and case studies. His areas of expertise include cybersecurity, AI, ML, DevOps, blockchain, metaverse, and big data for C-level executive audiences. He has written for several publications, including VentureBeat, RSI Security, NWTechs, WATI Security, Draft.dev, Codecov, Teleport, Doppler, HotCars, and many more. He is also an award-winning poet, with works published in several journals around the world.

Criminals Are Testing Their Ransomware Campaigns in Africa

It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.

Source: motioncenter via Alamy Stock Photo

The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression towards its neighbors contradicts Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations.

Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer. One lure for instance offers recipients access to a spreadsheet related to annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.

Related:China-Backed APT Group Culling Thai Government Data

Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.

**Shrouded#Sleep's Stealthy Shortcuts**

In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.

"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."

Windows hides the .LNK file extension by default, substituting it with a little arrow in the bottom left hand corner of a file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon with another of their choosing, and use double extensions to hide the true nature of the file.

APT37 gives its shortcut files PDF and Excel icons, and assigned them double extensions like ".pdf.lnk," or ".xls.lnk," so that only the .PDF and .XLS parts of the extension show up for users.

Related:UAE, Saudi Arabia Become Plum Cyberattack Targets

In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes.

Contained within those kilobytes was APT37's malicious payload, which Securonix has named "VeilShell." 

**VeilShell's Patient Persistence**

The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanism.

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

VeilShell for instance is a multifunctional, PowerShell-based backdoor-plus-remote-access-trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, etc.

Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique involving the injection of malicious code into .NET applications.

All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to provide counterbalance. For example, it implements long sleep timers to break up different stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.

As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal \[of the shortcut file\] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."

It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

Several of the flaws enable remote code execution and denial-of-service attacks while others enable data theft, session hijacking, and other malicious activity.

Source: PeterPhoto123 via Shutterstock

Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.

Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.

**A Wide Range of Flaws**

Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.

Researchers at Forescout's Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of consistent attack activity targeting the routers and a rash of recent vulnerabilities in the technology.

They found over 704,000 Internet-exposed DrayTek routers — mostly in Europe and Asia — many of which likely contain the newly discovered vulnerabilities.

"Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe," Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. "A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO's shoulders."

**Patching May Not Be Enough**

DrayTek has issued patches for all the vulnerabilities via different firmware updates. However, organizations should not stop with just applying the patches, says Daniel dos Santos, the head of security research at Forescout Vedere Labs. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. "Our report shows there's a long history of critical vulnerabilities affecting those routers, and many have been weaponized by botnets and other malware," he says. "Taking a proactive security approach ensures that even when new vulnerabilities are found, the risk to an organization will be low."

Attackers will likely find it relatively easy to find DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys, dos Santos says. But "exploitation is more difficult because we did not provide a detailed working proof-of-concept, only the overall description of the vulnerabilities," he adds. "If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen — like how it has happened for other DrayTek CVEs in the past."

The mitigations that DrayTek and Forescout have recommended include disabling remote access if not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.

**A Popular Attack Target**

The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.

In a September advisory, the FBI, the US National Security Agency, and Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. "The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks," the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its known exploited vulnerabilities list citing active exploitation activity. In 2022, a critical RCE in DrayTek's Vigor brand of routers put numerous small and medium-size businesses at risk of zero-click attacks.

The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. The security vendor's report highlighted 18 vulnerabilities going back to 2020, most of which have near maximum severity scores of 9.8 on the CVSS scale. Yet 38% of more than 704,000 DrayTek devices that Forescout discovered didn't have patches for disclosed vulnerabilities from two years ago.

"Many organizations don't have the right level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks," dos Santos says. "They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware — which doesn't support agents — they might not know that vulnerabilities exist in their network or may not have manually applied the patches."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

Ivanti reports that the bug is being actively exploited in the wild for select customers.

Source: Kristoffer Tripplaar via Alamy Stock Photo

One of the latest vulnerabilities that the Cybersecurity and Infrastructure Security Agency has added to the Known Exploited Vulnerabilities Catalog is CVE-2024-29824, found in the Ivanti Endpoint Manager.

The vulnerability is described as an SQL Injection vulnerability in the core server of Ivanti EPM 2022 SU5 and its prior models. It allows an unauthenticated attacker within the network to execute arbitrary code. 

Because of its high risk, its CVSS score is a critical 9.6.

On Oct. 1, Ivanti updated its security advisory to reflect that the vulnerability had been exploited in the wild.  "At the time of this update, we are aware of a limited number of customers who have been exploited," according to Ivanti's advisory.

Ivanti released security updates to patch this flaw in May, alongside several other bugs found in EPM's core server.

"Exploiting this flaw could have serious consequences, such as data breaches, disruption of business operations, and further compromise of internal systems," Eric Schwake, director of cybersecurity strategy at Salt Security, wrote in an emailed statement. "Organizations using Ivanti EPM should prioritize patching their systems immediately and conduct thorough security assessments to detect and mitigate potential compromise. This situation emphasizes the critical importance of proactive vulnerability management and timely patching to protect against evolving threats."

Customers can find information to patch the vulnerability on Ivanti’s website.

**About the Author**

Source

DARKReading