Poor permission controls and user input validation is endemic to the platforms that protect Americans' legal, medical, and voter data.

Source: Xinhua via Alamy Stock Photo

A veritable laundry list of high- and critical-severity bugs have been uncovered in software platforms used by government agencies across the US.

Govtech systems are some of the most critical out there, responsible for storing the most sensitive personally identifying information (PII) US citizens own: Social Security numbers (SSNs) and IDs; legal and medical records; voter registrations; and much more. It will surprise few and comfort no one that these systems also happen to be riddled with vulnerabilities. 

Security researcher Jason Parker uncovered issues in 19 such platforms this year, disclosing more than a handful of them late last week. There was the bug in the state of Georgia's portal for canceling voter registrations, the access control issue that exposed court documents in counties across Florida, and the many critical vulnerabilities bogging down a public records request management platform used by hundreds of city, county, and state governments nationwide.

**Case Study: A Voter Registration Issue**

Some might be old enough to remember when government bugs were cool and inventive. "The Thing," for example — a listening device embedded into a wooden seal, which hung in the residence of the US ambassador to Moscow for seven years before it was discovered.

Today's government bugs are rather banal — access control flaws or improper validations of user input. The kinds of things hackers can use them for, however, are not at all dull.

At the end of July, for example, Georgia launched a voter cancellation request portal. Within days, researchers discovered multiple issues with the site. Parker, for example, found that anyone could submit a cancellation request using only the information easily gleaned from public sources — names, dates of birth, counties of residence — while skipping any requirement for more serious PII, like a driver's license or SSN. The issue earned a "high" Common Vulnerability Scoring System (CVSS) score of 8.6 out of 10, and was fixed shortly after initial disclosure.

It turned out that members of the public had attempted to take real advantage of these issues in the meantime, though, most notably by unsuccessfully deregistering Rep. Marjorie Taylor Greene, and Georgia's Secretary of State Brad Raffensperger, two prominent Republicans in the state.

**A Panoply of GovTech Bugs**

This kind of basic lack of authentication was emblematic of the security flaws Parker has stumbled upon.

Besides the Georgia bug, for example, were the trio of bugs in Granicus' GovQA. GovQA is a public records management system that is used by more than one-third of the largest US cities, more than 80 state agencies, and nearly half of the "top" US counties, according to GovQA's website.

Another series of bugs in Granicus' electronic filing system allowed for the leakage of sensitive information, the ability to block user logins or modify accounts without authorization, and privilege escalation. The "critical," 9.8 CVSS-rated bugs were reportedly patched back in April.

A similar platform, Thomson Reuters' C-Track eFiling, allowed attackers to escalate from regular user accounts to those saved for court administrators by manipulating certain fields in the registration process. A patch for the "critical" 9.1-rated bug was confirmed last week.

More issues of similar severity were uncovered in court record systems used in counties in Florida, Arizona, Georgia, South Carolina, and others.

**Why GovTech Is So Flawed**

Government technologies tend to be flawed for all the reasons one might guess.

"A lot of their systems that I've seen are quite literally 20 years old," Parker explains. "They're just adding whatever on top of these legacy platforms for years and years."

Besides standard bureaucracy, outdated and unloved tech is kept alive thanks to a lack of sufficient funding for new systems, services, and security solutions to protect them. And vendors aren't always held to account for the ways in which they fall short on their ends of the bargain.

If anything's going to change, Parker says, it will start with the Federal Risk and Authorization Management Program (FedRAMP) — a governmentwide program for cloud security assessment, authorization, and continuous monitoring — and StateRAMP — a nonprofit offering a similar program for state and local governments. "These are minimum requirements for cybersecurity," Parker says, "and they're being adopted by more and more states, and counties, too."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Gov't, Judicial IT Systems Beset by Access Control Bugs

PRESS RELEASE

CAMBRIDGE, UK, Oct. 1, 2024 /PRNewswire/ -- Darktrace, a global leader in cybersecurity AI, has today announced the completion of its acquisition by Thoma Bravo, a leading software investment firm, for $5.3bn. The recommended cash acquisition was announced on 26 April 2024 and the Scheme of Arrangement has now become effective. 

Jill Popelka, CEO of Darktrace, said: "Thoma Bravo will be a hugely valuable partner as we pursue further scale and innovation for our next stage of growth. Darktrace's position at the cutting edge of cybersecurity AI coupled with Thoma Bravo's deep strategic and sector expertise will be a powerful combination. Protecting businesses and organisations with best-in-class AI-powered, proactive cybersecurity will remain at the absolute core of what we do. Together, we can take this even further, investing in our people to enhance our technical capabilities and delivering exceptional service and value for our customers."

Seth Boro, Managing Partner at Thoma Bravo, said: "Darktrace holds a unique position at the forefront of cybersecurity technology. As one of the early adopters of AI, the value of its capabilities is evident to businesses, governments and society across the world. We are excited to work alongside Jill and the Darktrace team to build on their success, supporting their ambitions to protect the world from the most advanced cyber threats." 

About Darktrace  
Darktrace is a global leader in AI for cybersecurity that keeps organizations ahead of the changing threat landscape every day. Founded in 2013, Darktrace provides the essential cybersecurity platform protecting organizations from unknown threats using its proprietary AI that learns from the unique patterns of life for each customer in real-time. The Darktrace ActiveAI Security Platform™ delivers a proactive approach to cyber resilience with pre-emptive visibility into security posture, real-time threat detection, and autonomous response – securing the business across cloud, email, identities, operational technology, endpoints, and network. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands, have resulted in over 200 patent applications filed. Darktrace's platform and services are supported by over 2,400 employees around the world who protect nearly 10,000 customers across all major industries globally. To learn more, visit http://www.darktrace.com. 

SOURCE Darktrace

You May Also Like

Darktrace Announces Formal Completion of its Acquisition by Thoma Bravo

PRESS RELEASE

New York City, NY. September 30, 2024 – Apono, the leader in privileged access for the cloud, today announced the successful completion of its Series A funding round, raising $15.5 million. The funding round was led by New Era Capital Partners, with participation from Mindset Ventures, Redseed Ventures, Silvertech Ventures, initial seed investors, and more.  

The newly secured funds will be used to advance Apono’s mission of providing AI-driven, simple, innovative, and secure solutions that organizations need to manage access in complex, distributed cloud environments. Additionally, these newly secured funds will be used to accelerate product development and enable Apono to continue its growth, deliver unparalleled value to its customers, and solidify its position as a leader in the identity security space. This latest round brings the total investment from new and current investors to $20.5 million, underscoring strong investor confidence in Apono’s vision and capabilities. 

Apono is a next-gen solution for cloud access governance. The company is committed to delivering capabilities that meet the dynamic needs of modern enterprises and support the development, operations and security teams responsible for securing and maintaining cloud environments they depend on. Apono’s innovative approach provides organizations with a deep understanding of privileged access within their cloud environments, enforces robust security guardrails, and leverages AI-driven least privilege and anomaly detection capabilities to enhance security measures while providing a frictionless experience for end-users. 

“Today, more than ever, we are seeing a shift in the identity space,” said Apono’s Co-Founder and CEO Rom Carmel. “Privileged access management and identity governance are converging, driving the need for more holistic identity and access security solutions, particularly within today’s dynamic cloud environments in which modern businesses operate. As we continue our rapid growth, this funding will enable us to maintain our momentum and continue delivering cutting-edge solutions to our clients. Our investors were drawn to Apono’s unique AI-driven product offering, innovative approach, and its swift adoption by enterprises, recognizing the company’s potential to lead the identity security market.” 

With this investment, Apono is set to significantly expand its US sales and marketing teams, while also expanding investments in research and development. After the company recorded a 300% increase in revenue the last 3 quarters, Apono has welcomed several key industry executives, further bolstering its market position and enhancing its ability to support a rapidly growing customer base. Customers can anticipate new AI-based access product offerings and improved support from Apono’s sales engineering and customer success teams, which have tripled in size in the US. Additionally, to meet the needs of new enterprise customers, the company has added enterprise support teams who will deliver the scale of service today’s enterprises require. These strategic developments will ensure seamless onboarding and continuous support for Apono’s expanding clientele. 

“We are thrilled to support Apono in their mission to revolutionize identity and access security,” said Ziv Conen, Partner at New Era Capital Partners. “Apono’s innovative solution addresses critical challenges in the cloud access management space, providing organizations with robust, scalable solutions. This investment reflects our confidence in Apono’s vision and their ability to lead the market with cutting-edge technology and exceptional customer focus. We look forward to supporting Apono’s continued growth and success as they redefine how businesses manage and secure access in today’s dynamic environments.” 

 “We were able to self-service Apono in minutes, which significantly enhanced customer trust in our global multi-cloud platform. This seamless integration allows our teams to work without friction, ensuring efficiency and productivity. Moreover, it helps us maintain a least-privilege cloud environment, which is crucial for our security and compliance standards,” said Arthur Goren, Director of Cloud Engineering at Hewlett Packard Enterprise.   

Apono is devoted to addressing the evolving needs of the identity and access security landscape, particularly as it has grown to play a more significant role in today’s modern cloud environment. Apono’s solution was built from the ground up to empower organizations to deliver just-in-time, just-enough access management at scale by bridging the security-operational gap in identity and access management. With a focus on innovation and customer success, Apono is poised to redefine how organizations manage and secure access, ensuring robust protection and seamless operations in an ever-changing digital world. 

“In response to the growing complexity and security threats associated with cloud adoption, forward-thinking organizations are increasingly aligning the goals and workflows of their security and engineering teams," said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. "Cloud identity and privilege management are central to these alignment efforts. Apono’s approach to cloud privileged access management aligns with these goals and helps bridge the gap between security and engineering teams.” 

For more information visit the Apono website here: www.apono.io.

Apono Raises $15.5M Series A Funding for AI-driven, Least Privilege Solution Set

PRESS RELEASE

NEW YORK and SANTA CLARA, Calif., Oct. 1, 2024 /PRNewswire/ -\- Palo Alto Networks (NASDAQ: PANW) and Deloitte today announced an expansion of their strategic alliance into EMEA and JAPAC regions, making Palo Alto Networks® AI-powered cybersecurity solutions and joint offerings available to Deloitte clients globally. The new agreement builds on the long-standing collaboration between the two organizations, accelerating the adoption of leading cybersecurity capabilities and helping clients realize the benefits of platformization.

Many organizations struggle to manage an increasing number of cybersecurity products to secure their business. This can create a heterogeneous environment that may increase operational complexity and difficulty to achieve essential security outcomes. Platformization, the shift to an integrated platform as opposed to incompatible point solutions, helps reduce the boundaries of these disparate solutions to help organizations enhance security posture while driving operational efficiencies. Embracing this, Deloitte has consolidated multiple point solutions by adopting Palo Alto Networks Cloud and Network Security platforms.

"True transformations require a solution that unites AI-powered platforms with deep industry insights and managed services - what Palo Alto Networks and Deloitte provide clients through our alliance," said Kristy Friedrichs, chief partnerships officer, Palo Alto Networks. "By significantly expanding the availability for our joint offerings and helping mutual customers move to unified platforms, we're addressing their evolving needs and helping them achieve better security outcomes."

"We are focused on helping our clients solve their most complex cybersecurity challenges, which requires ongoing innovation and distinct approaches to technology integration leading to cyber transformation," said Emily Mossburg, Deloitte Global Cyber Leader and a principal, Deloitte & Touche LLP. "Expanding our alliance with Palo Alto Networks enhances our global ability to deliver integrated and platformed security solutions to help global clients improve their security posture through harnessing efficiency and integrating the power of AI to combat the evolving threat landscape."

Deloitte will offer Palo Alto Networks security solutions across its network, cloud, and security operations platforms in order to help clients drive toward consolidation and realize the benefits of AI-powered solutions that ingest integrated data, creating better outcomes and actionable AI insights, including the following:

*   Cyber Detection & Response: Helps enable clients to transform their security operations through the Precision AI-powered Cortex XSIAM® platform that combines the capabilities of  SIEM, SOAR and XDR to simplify operations and accelerate response to cyber threats. Deloitte's intellectual property (IP) can accelerate SOC modernization through consolidation of a heterogeneous tech stack, adoption of complex incident response playbooks, integration with leading IT Service Management (ITSM) platforms and event log aggregation and orchestration, to assist clients in reducing technical complexity while enhancing operational efficiency.
    
*   Cloud Security: Helps to create a more proactive security posture for clients to safeguard their environments, from code to cloud. Deloitte and Palo Alto Networks joint cloud security offerings, launched a year ago, can help enhance the security of ever-changing, cloud-native applications and infrastructure. Deloitte's IP and industry-specific knowledge helps clients mitigate risk and promotes "shift left" security where Deloitte's harmonized cloud security framework, operational workflows and AI-powered automation and orchestration capabilities are deployed to enhance the native capabilities of Palo Alto Networks Prisma® Cloud.
    
*   Zero Trust Adoption: Helps organizations strategize, design, implement, operate and accelerate Zero Trust adoption with the combination of Palo Alto Networks integrated, innovative Network Security platform and Deloitte's IP, workflow integrations and managed services.
    

Learn more about the Palo Alto Networks and Deloitte alliance here.   
Follow Palo Alto Networks on X (formerly Twitter), LinkedIn, Facebook and Instagram.

About Palo Alto Networks   
Palo Alto Networks is the global cybersecurity leader, committed to making each day safer than the one before with industry-leading, AI-powered solutions in network security, cloud security and security operations. Powered by Precision AI, our technologies deliver precise threat detection and swift response, minimizing false positives and enhancing security effectiveness. Our platformization approach integrates diverse security solutions into a unified, scalable platform, streamlining management and providing operational efficiencies with comprehensive protection. From defending network perimeters to safeguarding cloud environments and ensuring rapid incident response, Palo Alto Networks empowers businesses to achieve Zero Trust security and confidently embrace digital transformation in an ever-evolving threat landscape. This unwavering commitment to security and innovation makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021-2024), with a score of 100 on the Disability Equality Index (2024, 2023, 2022), and HRC Best Places for LGBTQ+ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks, Cortex, Cortex XSIAM, Prisma Cloud and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.

About Deloitte   
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 8,500 U.S.-based private companies. At Deloitte, we strive to live our purpose of making an impact that matters by creating trust and confidence in a more equitable society. We leverage our unique blend of business acumen, command of technology, and strategic technology alliances to advise our clients across industries as they build their future. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Bringing more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 460,000 people worldwide connect for impact at www.deloitte.com.

Palo Alto Networks and Deloitte Expand Strategic Alliance Globally

A global operation cuffed four LockBit suspects and offered more details into the org chart of Russia's infamous Evil Corp cybercrime gang.

Source: M4OS Photos via Alamy Stock Photo

In another phase of Operation Cronos, Europol and Eurojust have taken more action against the LockBit ransomware gang by making four arrests and seizing devices used as part of the ransomware's infrastructure. In addition, Aleksandr Ryzhenkov (aka Beverley), who was once second-in-command for the infamous Evil Corp cybercrime organization, was sanctioned and named as an affiliate for LockBit, indicating ties between the two groups.

The arrests were of a suspected developer for the group in France; two LockBit affiliates apprehended by the British authorities; and a bulletproof hosting service administrator cuffed by Spanish police, which also confiscated nine servers. 

Meanwhile, the US, the UK, and Australia imposed sanctions against Ryzhenkov, who the UK's National Crime Agency identified as a top lieutenant to Evil Corp leader Maxim Yakubets. The US unsealed an indictment against him, and sanctioned 16 other individuals linked to the infamous gang.

Russia-based Evil Corp, the outfit behind the Zeus and Dridex banking Trojans, largely disappeared from the cybercrime scene following US sanctions in 2019, which included the outing of Yakubets, his relationship with an FSB agent who is his father-in-law, and the exposure of Evil Corp's inner workings.

Related:Dark Reading News Desk Live From Black Hat USA 2024

According to the NCA, Ryzhenkov was key to the development of Evil Corp's post-sanctions WastedLocker ransomware, which was a ransomware-as-a-service (RaaS) offering circulating in 2020. But in 2022, he turned up as a LockBit affiliate. Meanwhile, LockBit has denied having any working relationship with Evil Corp.

"The exposure of Evil Corp's ties to LockBit is a major blow to the ransomware affiliate market," said Ferhat Dikbiyik, head of research at Black Kite, in an emailed statement to Dark Reading. "February 2024 saw Operation Cronos take down LockBit's main infrastructure. Since then, LockBit has been using back-up Dark Web blogs to maintain its presence. Today, law enforcement agencies have taken further action — exposing critical ties between LockBit and Evil Corp, a group long associated with large-scale ransomware and financial crime operations."

LockBit ransomware has been deployed across a variety of sectors, including financial service, food and agriculture, education, energy, government and emergency services, and healthcare, among others. Because there are so many independent affiliates involved, there are a wide array of different attack tactics used by the threat actors. However, the Japanese Police, National Crime Agency, and FBI are focusing their expertise on developing decryption tools to recover files encrypted and lost to LockBit ransomware, according to Europol.

Related:Darktrace Announces Formal Completion of its Acquisition by Thoma Bravo

LockBit Associates Arrested, Evil Corp Bigwig Outed

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.

Source: Kay Roxby via Alamy Stock Photo

A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more\_eggs" backdoor, which is capable of executing secondary malware payloads.

Researchers from Trend Micro discovered campaign distributing the JScript backdoor, which is part of a malware-as-a-service (MaaS) toolkit called Golden Chickens, they revealed in analysis published this week published this week. They believe that the campaign is likely the work of FIN6, which is known for using the backdoor to target their victims. However, Trend Micro emphasized that the nature of the malware being a part of an MaaS package "blurs the lines between different threat actors" and thus makes precise attribution difficult.

FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

Trend Micro identified the campaign when an employee who works as a talent search lead at a customer in the engineering sector downloaded a fake resume from a purported job applicant for a sales engineer position. The downloaded file executed a malicious .lnk file that resulted in a more\_eggs infection.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

"A spear-phishing email was initially sent from allegedly from 'John Cboins' using a Gmail address to a senior executive at the company," the researchers wrote. That email contained no attachments or URLs but instead was a social engineering ploy demonstrating "that the threat actor was attempting to gain the user's confidence," they wrote.

Soon after that communication, a recruitment officer downloaded what was supposed to be a resume, John Cboins.zip, from a URL using Google Chrome, though "it was not determined where this user obtained the URL," the researchers noted.

Further investigation of the URL revealed what appeared to be a typical website of a job applicant that even utilizes a CAPTCHA test and would not likely raise suspicions, thus capable of easily deceiving an unsuspecting recruiter into thinking he or she was corresponding with a legitimate candidate, they said.

**Same Payload, Different Nesting Methods**

Various security researchers have observed more\_eggs being used in attacks as early as 2017 against a variety of targets, including Russian financial institutions and mining firms, and other multinational organizations. As mentioned, more\_eggs is part of the Golden Chickens toolkit, which is distributed by Venom Spider, an underground MaaS provider also known as badbullzvenom, according to Trend Micro.

Related:Zimbra RCE Vuln Under Attack Needs Immediate Patching

While the backdoor is historically a common denominator among different threat campaigns by Venom Spider, the methods used for distributing the malware vary. Some attacks involved phishing schemes with malicious documents that contained JavaScript and PowerShell scripts, while others used LinkedIn and email to lure employees with fake job offers, leading them to malicious domains that host malicious .zip files, the researchers noted.

Attackers also have used phishing emails to distribute .zip files disguised as images to initiate a more\_eggs infection, while a June campaign again leveraged LinkedIn to trick recruiters into accessing a fake job resume site that distributed the malware as a malicious .lnk file.

There appear to be two active campaigns currently spreading the malware that target victims who "are in roles that attackers could leverage to identify valuable assets and have higher potential for financial gain," the researchers wrote.

**Prevent Hatching of "More\_Eggs"**

Traditional anti-malware solutions should immediately detect and eliminate an infection by more\_eggs on a corporate network. However, factors such as an organization’s operational needs, human fallibility, and potential misconfigurations can pose a risk of the malware slipping past these detections, according to Trend Micro.

Related:Retail & Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

"The advanced social engineering techniques employed — such as using a convincing website and a malicious file disguised as a resume to start the infection — underscore the critical need for organizations to maintain continuous vigilance," the researchers wrote. "It is imperative that defenders implement robust threat detection measures and foster a culture of cybersecurity awareness to effectively combat these evolving threats."

Trend Micro shared various indicators of compromise (IoCs) related to the campaigns in the post. Organizations with managed detection and response (MDR) systems in place can use them to set up custom filters and models tailored to detect a specific threat like more\_eggs that then can be fed to a security playbook to automate response to an alert, according to the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Use HR Targets to Lay More_Eggs Backdoor

Amid the noise of new solutions and buzzwords, understanding the balance between securing infrastructure and implementing runtime security is key to crafting an effective cloud strategy.

Han Cho, Founder, HC Consulting

October 1, 2024

4 Min Read

Source: Bob Venezia via Alamy Stock Photo

COMMENTARY

Each year, while attending the Black Hat conference, I gain fresh insights into the cybersecurity landscape, particularly from my interactions with new companies and passionate startup founders. My role as an executive adviser to various cybersecurity startups provides me with a unique perspective, allowing me to observe companies at different stages — from stealth startups validating their ideas to later-stage companies striving to secure a Series B round of funding and expand their market presence.

However, the emergence of new threat vectors and exposures in cloud security often results in significant overlap in solutions, leading to confusion and making it challenging for practitioners to determine the best investment. This is especially true when evaluating cloud security solutions like CNAPP (cloud-native application protection platform) and CSPM (cloud security posture management).

The cybersecurity industry is constantly evolving, inundated with new acronyms, buzzwords, and purportedly revolutionary solutions, all vying for attention. Yet many of these solutions fail to deliver on their promises, leaving organizations questioning their security priorities. Should the focus be on securing infrastructure, or is runtime security the key to safeguarding operations?

**The Impact of Cloud Technology on Security Strategies**

The rapid expansion of cloud technology has fundamentally altered the security landscape. Traditional network engineers are being replaced by cloud-focused engineers, driven by the cloud's promise of scalability and flexibility. However, this shift has introduced new security challenges that many businesses are still grappling with.

Drawing from my experiences, I've tried to gain a deeper understanding of the challenges large enterprises face in securing their cloud platforms. While the cloud offers significant advantages, it also necessitates a new approach to security — one that many organizations find difficult to maintain in the face of a dynamic and ever-evolving threat landscape.

CSPM solutions are now central to cloud security strategies, ensuring secure configurations and compliance with industry standards. However, as the market has matured, it has become saturated with new acronyms and marketing terms, adding layers of complexity and confusion for customers.

Securing infrastructure is fundamental. It involves ensuring that your cloud environment is securely configured, vulnerabilities are effectively managed, and compliance requirements are consistently met. Without this foundation, other security efforts are compromised. However, as cyber threats become more sophisticated, runtime security — which addresses threats as applications and services are actively running — has become equally critical.

**The Rising Importance of Runtime Security**

Effective runtime security goes beyond reactive measures. It requires deep integration with the customer's business logic to offer informed security recommendations, such as adopting a least-privilege model. This involves comparing the runtime state against the desired state, detecting traffic patterns for managed cloud services like S3 or RDS, and controlling provisions or restrictions for modern agents like eBPF (extended Berkeley Packet Filter). These capabilities are essential for anticipating and mitigating threats before they cause significant harm.

An effective runtime solution allows two opposing teams to work more effectively to achieve shared goals, which makes me want to understand whether new vendors hyperfocused on solving runtime security have these challenges in their solutions. To succeed in offering runtime security, solution providers must demonstrate, with unquestionable evidence, that their solutions are superior to existing cloud-native offerings like AWS GuardDuty, Azure Sentinel, or GCP Security Command Center. If these leading platforms, backed by top-class engineers, can't fully secure the runtime environment, why should customers believe an external solution could do better? This credibility challenge is significant, and solution providers must bring more than promises — they need proven, demonstrable superiority.

Data normalization also remains a critical obstacle. Effective comparative analysis requires all data to be normalized, yet the industry lacks a public standard for this process — one that even the Cloud Security Alliance (CSA) hasn't published. This absence makes it exceedingly difficult to create a reliable comparative model that can be trusted across the industry.

Enterprises with concentrated engineering resources often develop homegrown strategies, frequently leveraging open source tools like OpenQuery. These custom approaches add another layer of complexity, making it harder for external solutions to prove their worth.

**Identifying the Right Focus**

So, where should your focus lie? Securing your infrastructure and implementing runtime security are vital components of a comprehensive cloud security strategy. Organizations must invest in building a secure infrastructure while also developing robust runtime security measures that can detect and respond to threats in real-time.

To navigate this complex security landscape effectively, it's crucial to understand your organization's specific needs and craft a security strategy that addresses all aspects of cloud security. Whether transitioning from a legacy system to the cloud or operating within a cloud-native environment, the ultimate goal remains the same: protecting your operations against the myriad threats of today's digital world.

Infrastructure vs. Runtime — Where Are Your Priorities?

Hacktivism-related DDoS attacks have risen 70% in the region, most often targeting the public sector, while stolen data and access offers dominate the Dark Web.

Source: Bernhard Klar via Alamy Stock Photo

Cyberattackers and hacktivists are increasingly targeting the United Arab Emirates, the Kingdom of Saudi Arabia, and other nations in the Gulf Cooperative Council (GCC) region. The region is likely a favored target because it's a hub for commerce and trade, full of rich economies; and because of regional nations' stance on certain geopolitical issues.

That's according to 18 months of Dark Web data compiled by Moscow-based threat research firm Positive Technologies. The report stated that the first half of the year, the number of distributed denial-of-service (DDoS) attacks in the region rose 70%, compared with the same period in the previous year.

Hacktivists use forums as both a way to call like-minded hackers to action and to publish evidence of their success against specific targets, says Anastasiya Chursina, a threat analyst with Positive Technologies.

"We believe that this trend may continue and the number of attacks carried out by hacktivists will go up," she says. "At the same time, the level of other attacks will increase, which will entail an increase in the number of risks and negative consequences for companies in the region."

Both Saudi Arabia and the UAE topped the chart of targeted nations in a March analysis of two years of attacks in the region. The UAE alone faces an average of 50,000 cyberattacks every day, the head of cybersecurity for the UAE government said earlier this year, while the country also has a rapidly growing attack surface.

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

More attacks are also being publicly disclosed: In July, pro-Palestinian hacktivist group BlackMeta targeted a bank in the United Arab Emirates with a DoS campaign that lasted more than 100 hours over six days. And in April, Saudi Arabia was added to the list of organizations targeted by the suspected China-linked group Solar Spider.

**More Cyber Threat Actors Coming Online?**

The increase of DoS attacks — rather than Web defacements or system breaches — may indicate an influx of new threat actors. The attackers' tactics of choice depend upon their skills and knowledge, and DDoS attacks can be accomplished by novice hackers, says Positive Technologies' Chursina.

"The main goal of hacktivists is to draw public attention to certain political, social, and religious issues," she says. "DDoS attacks are the most popular, as they do not require high professional knowledge and resources, and they can be performed by any novice hacker."

Positive Technologies' trove of forum posts and text messages totals 277 million items from 380 Telegram channels and Dark Web forums. For its GCC report, the company focused on six major nations in the region: the UAE, Saudi Arabia, Bahrain, Oman, Qatar, and Kuwait.

Related:Phishing Espionage Attack Targets US-Taiwan Defense Conference

Nearly two-thirds of discussions between GCC cyberthreat actors focus on the UAE and Saudi Arabia. Source: Positive Technologies

Stolen data and illicit access accounted for the topic of more than half (54%) of the posts, with the vast majority of of users selling or buying access. These posts focused on five sectors: trade, services, manufacturing, IT, and government agencies.

About 12% of the posts included a call to action for hacktivism or evidence of a successful hacktivist attack, according to the report. About 9% of hacktivist posts also advertised free credentials for use in attacks.

"Access giveaways represent a new trend for the region that first appeared in H2 2023," the report stated. "Most access giveaways (70%) contained the credentials of government agency employees."

**Cyber Domain Favored for Attacks, Espionage**

Cyberattacks have become the preferred battlefield for many groups — both nation-state and dissent organizations — in the region. The stakes are rapidly escalating as well, from Iran's increasing pace of cyber espionage to Israel's cyber-physical attacks using compromised supply chains to the compromise of naval information systems in the region.

With the UAE and Saudi Arabia increasingly invested in digitization, AI development, and shifting to a knowledge-based economy, organizations in the two nations — and the Middle East at large — need to focus on strengthening their cybersecurity posture, Positive Technologies says.

Related:As Geopolitical Tensions Mount, Iran's Cyber Operations Grow

"Dark Web forums are full of offers and services tailored to this region," the company's report stated. "The abundance of posts related to the sale of access, often low-cost, makes it easier for attackers to gain initial access to a company and carry out an attack without wasting time looking for new entry points into the infrastructure. Access giveaways are a new trend on the part of haсktivists allowing low-grade hackers to carry out attacks and raise public awareness about social and political issues."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

UAE, Saudi Arabia Become Plum Cyberattack Targets

Critics viewed the bill as seeking protections against nonrealistic "doomsday" fears, but most stakeholders agree that oversight is needed in the GenAI space.

Source: CoreDESIGN via Shutterstock

California Gov. Gavin Newsom (D) has vetoed SB-1047, a bill that would have imposed what some perceived as overly broad — and unrealistic — restrictions on developers of advanced artificial intelligence (AI) models.

In doing so, Newsom likely disappointed many others — including leading AI researchers, the Center for AI Security (CAIS), and the Screen Actors Guild — who perceived the bill as establishing much-needed safety and privacy guardrails around AI model development and use.

**Well-Intentioned but Flawed?**

"While well-intentioned, SB-1047 does not take into account whether an AI system is deployed in high-risk environments, or involves critical decision-making or the use of sensitive data," Newsom wrote. "Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology."

Newsom's veto announcement contained references to 17 other AI-related bills that he signed over the past month governing the use and deployment of generative AI (GenAI) tools in the state, which is a category that includes chatbots such as ChatGPT, Microsoft Copilot, Google Gemini, and others.

"We have a responsibility to protect Californians from the potentially catastrophic risks of GenAI deployment," he acknowledged. But he made clear that SB-1047 was not the vehicle for those protections. "We will thoughtfully — and swiftly — work toward a solution that is adaptable to this fast-moving technology and harnesses its potential to advance the public good."

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

There are numerous other proposals at the state level, seeking similar control over AI development amid concerns about other countries overtaking the US on the AI front.

**The Need for Safe & Secure AI Development**

California State senators Scott Wiener, Richard Roth, Susan Rubio, and Henry Stern proposed SB-1047 as a measure that would impose some oversight over companies like OpenAI, Meta, and Google, which are all pouring hundreds of millions of dollars into developing AI technologies.

At the core of the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act are stipulations that would have required companies that develop large language models (LLMs) — which can cost more than $100 million to develop — to ensure their technologies enable no critical harm. The bill defined "critical harm" as incidents involving the use of AI technologies to create or use chemical, biological, nuclear, and other weapons of mass destruction, or those causing mass casualties, mass damage, death, bodily injury and other harm.

Related:Reachability Analysis Pares Down Static Security-Testing Overload

To enable that, SB-1047 would have required covered entities to comply with specific administrative, technical, and physical controls to prevent unauthorized access to their models, misuse of their models, or unsafe modifications to their models by others. The bill included a particularly controversial clause that would have required the OpenAIs, Googles, and Metas of the world to implement nuclear-like failsafe capabilities to "enact a full shutdown" of their LLMs in certain circumstances.

The bill won broad bipartisan support and easily passed California's state Assembly and Senate earlier this year. It headed to Newsom's desk for signing in August. At the time, Weiner cited the support of leading AI researchers such as Geoffrey Hinton (a former AI researcher at Google), professor Yoshua Bengio, and entities such as CAIS.

Even Elon Musk, whose own xAI company would have been subjected to SB-1047, came out in support of the bill in a post on X saying Newsom should probably pass the bill given the potential existential risks of runaway AI, which he and others have been flagging for many months.

Related:Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

**Fear Based on Theoretical, Doomsday Scenarios?**

Others, however, perceived the bill as based on unproven doomsday scenarios about the potential for AI to wreak havoc on society. In an open letter, a coalition that included several entities including the Bay Area Council, Chamber of Progress, TechFreedom, and Silicon Valley Leadership Group called the bill fundamentally flawed.

The group claimed that the harms that SB-1047 sought to protect against were completely theoretical, with no basis in fact. "Moreover, the latest independent academic research concludes, large language models like ChatGPT cannot learn independently or acquire new skills, meaning they pose no existential threat to humanity." The coalition also took issue with the fact that the bill would hold developers of large AI models responsible for what others do with their products.

Arlo Gilbert, CEO of data-privacy firm Osano, is among those who views Newsom's decision to veto the bill as a sound one. "I support the governor's decision," Gilbert says. "While I'm a great proponent for AI regulation, the proposed SB-1047 is not the right vehicle to get us there."

As Newsom has identified, there are gaps between policy and technology, and the balance between doing the right thing and supporting innovation is one that merits a cautious approach, he says. From a privacy and security perspective, small startups or smaller companies that would have been exempt from this rule can actually present a greater risk of harm due to their relative access to resources to protect, monitor, and disgorge data from their systems, Gilbert notes.

In an emailed statement, Melissa Ruzzi, director of artificial intelligence at AppOmni, identified SB-1047 as raising issues that need attention now: "We all know AI is very new and there are challenges in writing laws around it. We cannot expect the first laws to be flawless and perfect — this will most likely be an iterative process, but we have to start somewhere."

She acknowledged that some of the biggest players in the AI space, such as Anthropic and Google, have put a big focus on ensuring their technologies do no harm. "But to make sure all players will follow the rules, laws are needed," she said. "This removes the uncertainty and fear from end users about AI being used in an application."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Calif. Gov. Vetoes AI Safety Bill Aimed at Big Tech Players

CISOs for US states face the same kinds of challenges those at private companies do: lots of work to handle, but not necessarily enough money or people to handle it sufficiently well.

Source: Timothy Swope via Alamy Stock Photo

Chief information security officers (CISOs) of US states are being stretched thin by widening responsibilities and insufficient resources to achieve them.

Today, and for some time now, every state and the District of Columbia has had its own, dedicated CISO office.

"In the early 2000s, the advent of the Internet and the desire to develop citizen-facing applications accessible from the Internet really started that trend," explains Srini Subramanian, co-author of the newly released biennial cybersecurity report from Deloitte and the National Association of Chief Information Officers (NASCIO). State governments, he notes, are as attractive as cyber targets as any company.

"States collect, share, and use data of residents from birth, including school, driving records, health records, and more," he explains. "So they do have very comprehensive information about people in very large volumes, which makes them attractive targets."

Like CISOs of corporations, these individuals are responsible for building and managing statewide IT security programs and policies, managing cyber-risks and incident response efforts, ensuring compliance with relevant regulations and standards, and more. Also like CISOs of corporations, state CISOs face the same hindrances to their jobs.

Related:Dark Reading Confidential: The CISO and the SEC

Among all 51 US state CISOs surveyed in the Deloitte/NASCIO report, many report an expansion of their responsibilities with regard to protecting data privacy, risk management, and more. At the same time, plenty report having insufficient funds and personnel for actually handling those responsibilities.

"State systems don't have as many resources as the private sector," Subramanian says. For example, "When we make a comparison to a financial services institution — they have thousands of full-time \[cybersecurity employees\]. In this report, 80% of states report anywhere from five to 50 people. States are being asked to do a lot more with very few resources, and it is a real challenge in terms of how they can accomplish their goals."

**More Work for State CISOs**

Meanwhile, state CISOs are doing more today than ever before. More CISO's offices now provide support to stage agencies in the realms of strategy, governance, and risk management (up 17%), security management and operations (up 8% over 2022), incident response (up 17%), and network and infrastructure (up 7%).

Most starkly: 86% of CISO's offices now handle data privacy, up from 60% just two years ago, thanks, perhaps, to new data privacy rules spreading across the nation.

Related:FERC Outlines Supply Chain Security Rules for Power Plants

The lone counterpoint is that state CISOs today have markedly less to worry about when it comes to physical security, providing a kind of counterbalance.

In 2020 (52%) and 2022 (54%), a majority of CISO's offices handled physical security for data centers and other pertinent facilities, but in 2024 that number plummeted to 35%. Today, just six state cybersecurity budgets allocate anything toward physical security. That, Deloitte posited, may indicate that states have been consolidating their data centers, or outsourcing to third-party providers.

**Budgets, Staffing Lag Behind**

Compared to their increased workloads, however, state CISOs offices are not being financed and staffed with equivalent fervor.

Most respondents didn't even know what percentage of their states' IT budgets were allocated to cybersecurity, specifically. Among those who did, four reported that it made up somewhere between 0% and 1% of their states' funding for IT. On the flip side, just one in five reported rates of 3% and above.

For a sense of just how low those figures are, consider that out of the $75 billion in IT spend that the White House proposes for civilian agencies in the 2025 fiscal year, $13 billion — about 17% — is set aside for cybersecurity-related activities.

Related:Shadow AI, Data Exposure Plague Workplace Chatbot Use

"The rigor and emphasis on cyber has always been greater in the federal government," Subramanian notes. As a result, "State CISOs have to go and seek resources from the CIOs as part of their technology budget. Whereas in the federal government, all federal agencies have had to, for the last several years, submit a cyber budget request, and really outline how they are going to spend that money on cyber."

Budget constraints and a talent shortage help explain why nearly four in five state CISOs cite staffing as a challenge. Though the number of scarily understaffed offices has dropped — just two respondents reported having one to five full-time employees, down from six in 2022 — more than half of state CISOs report that their staff lack the competencies necessary to deal with the demands of the job.

**Why the Same CISO Issues Keep Cropping Up**

Whether it be a private company or a government organization, large or small, the issues that face CISOs today are pretty consistent across the board, because the underlying gap between security leaders and their colleagues always tends to take a similar shape.

"Until the security program is not perceived as a 'cost' but rather a 100 times unplanned-for-cost-avoiding department, CISOs will struggle with budget and relevance," says Pete Nicoletti, global field CISO at Check Point Software. "CISOs and security practitioners typically have a hard time justifying their programs to leadership. We are too technical and are worried that the sky is falling 24/7. We can usually get the minimum budget approved based on compliance mandates, but we all know that is not enough."

To close that gap, he suggests, security leaders need to get more people whose jobs don't involve security involved in the security process: "Involve your directors and leaders in every tabletop exercise, share every report on external threats, and teach them all the terms they need to know, so they can see it your way!”

Some states, actually, are already employing this tactic to interesting effect. Subramanian recalls how, "in Texas, there is a regional security operations center that has been set up with a combination of a university, private sector, and the government. The first level of triaging is done by students who are working part time, as they are doing cybersecurity studies. So this can address both the talent issues facing CISOs, as well as getting things done for states and local governments."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading