The cyberattackers allegedly stole information from US campaign officials only to turn around and weaponize it against unfavored candidates.

Source: Hakan Gider via Alamy Stock Photo

The US Justice Department has announced charges against three members of Iran's Islamic Revolutionary Guard Corps (IRGC).

The individuals — known as Masoud Jalili, 36; Seyyed Ali Aghamiri, 34; and Yaser Balaghi, 37 — are accused of running a cyber campaign targeting the upcoming US presidential election, and conducting hacks against political campaigns, current and former US officials, nongovernmental organizations, and members of the media. They have been charged with conspiracy to commit identity theft, aggravated identity theft, unauthorized access to computers, access device fraud, and wire fraud.

The activity, according to a DoJ press release, "was part of Iran's continuing efforts to stoke discord, erode confidence in the US electoral process, and unlawfully acquire information relating to current and former US officials that could be used to advance the malign activities of the IRGC," including retribution on behalf of the death of former commander of the IRGC-Qods Force, Qasem Soleimani.

The DoJ alleges the attackers focused on compromising accounts of former US government officials for several years for shifting their focus and targeting campaign officials in May, using their access to campaign accounts to steal information, non-public campaign documents, and emails.

The attackers then broadened their operation, engaging in a "hack-and-leak" operation to weaponize stolen materials from a US presidential campaign in order to undermine certain candidates, according to the announcement.

"The conduct laid out in the indictment is just the latest example of Iran's brazen behavior," said FBI Director Christopher Wray. "So today the FBI would like to send a message to the government of Iran — you and your hackers can't hide behind your keyboards."

In tandem, the DoJ and the Department of State issued a reward of up to $10 million through the Rewards for Justice Program for information leading to the identification or location of any foreign person or entity engaging in interference in US elections.

**Spear-Phishing for Malicious Opportunities**

The indictments come on the heels of a joint warning with the UK's National Cyber Security Centre of continued malicious cyberactivity by threat actors working on behalf of the Iranian government, especially in the realm of spear-phishing.

Potential targets include current and former senior government or political officials, journalists, activists, and lobbyists, among others, which have been hit with social engineering messages tailored to the individual. The threat actors may impersonate family members or professional contacts to trick their victims; and heir lures could be a request for an interview, a public speaking event, or generally offering an opportunity to discuss policy.

"The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the advisory stated. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."

It's recommended that individuals who think they may be targeted be suspicious of unsolicited contact from any individual they do not know personally, unsolicited requests to share files, or attempts to share links.

DoJ Charges 3 Iranian Hackers in Political 'Hack &amp; Leak' Campaign

The US Federal Energy Regulatory Commission spells out what electric utilities should do to protect their software supply chains, as well as their network "trust zones."

Source: Rudmer Zwerver via Alamy Stock Photo

Attacks targeting SolarWinds and MOVEit in recent years have spotlighted supply chain risks in cybersecurity. In the wake of recent high-profile incidents at utilities, including one last week in Kansas, the US Federal Energy Regulatory Commission (FERC) called for updating standards for supply chain safety to improve the resilience of the US bulk power system.

At its September meeting, FERC asked the energy industry consortium North American Electric Reliability Corporation (NERC) to create a better supply chain security standard for power plants. Such utilities would have to:

*   Identify supply chain risks to electrical grid-related cybersecurity systems at regular intervals.
    
*   Assess and validate the information vendors submit during procurement.
    
*   Document, track, and respond to those risks.
    

The commission also directed NERC to add protected cyber assets (PCAs) to the systems subject to this supply chain scrutiny.

**Internal Network Security Monitoring on the Docket**

At that same meeting, FERC also addressed a new reliability standard for critical infrastructure protection that mandates monitoring of network traffic inside an electronic security perimeter.

Internal network security monitoring (INSM) monitors communication between devices inside the "trust zone" of a network, providing a backstop for detecting malicious activity that slipped through the security perimeter. In addition to allowing an early warning about intrusions, this east-west visibility provides a more complete picture of the scope of an attack.

At the meeting, FERC "proposed to approve" Reliability Standard CIP-015-1 but asked NERC to extend INSM to systems outside of the electronic security perimeter, such as physical and electronic access control systems.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

FERC Outlines Supply Chain Security Rules for Power Plants

For development teams awash in vulnerability reports, reachability analysis can help tame the chaos and offer another path to prioritize exploitable issues.

Source: Photon Photo via Shutterstock

AI assistants are a double-edged sword for developers. On one hand, code-generation assistants have made creating barebones applications easier and led to a surge in code pushed to GitHub. Yet just as easy? Generating code with defects and vulnerabilities.

As a result, application security teams serving large development groups are seeing growing application vulnerability reports — a large portion of which are false positives. In fact, nearly a third of teams (31%) find the majority of reported vulnerabilities are false positives, according to software security firm Snyk's "2023 State of Open Source Security" report.

In the face of growing volumes of code submissions and continuing problems with false positives, application security teams are relying on reachability analysis as an important way to prioritize their remediation requests. Because only 10% to 20% of imported code is typically used by a specific application, determining whether the code is reachable by an attacker — and thus likely exploitable — can dramatically reduce the number of vulnerabilities that need to be patched, says Joseph Hejderup, technical staff member at Endor Labs, who presented on the topic at SOSS Community Day Europe 2024 in September. This makes it possible to prioritize vulnerability reports, he says.

"With software composition analysis — without looking into the code — we are essentially assuming that if you use this library, you're using all this functionality, where in reality we know that you're only using part of the library," Hejderup says. "By going down to the source code, you can see whether this particular vulnerable part of the code is used or not used."

Static application security testing (SAST) tools continue to evolve and have a proven return on investment (ROI), especially if they are used to catch software defects during development time, when the cost of fixing a bug is lower. However, false positives reduce the benefits of SAST tools and undermine developer trust in the tools.

**False Positives, Lack of Context Remain Problems**

Overall, 61% of developers believe the faster cadence of development with automation has increased the number of false positives, according to Snyk's report. For application security teams, finding ways to reduce the volume of vulnerabilities discovered in dozens or hundreds of projects into a more manageable burden is critical, says Randall Degges, head of developer relations at Snyk.

"Each of those projects has hundreds — maybe thousands of vulnerabilities — and a lot of them look scary, like these critical RCE vulnerabilities," he says. "Reachability is really a nice way to kind of calm yourself down as a security team and not stress your teams out because, if you're able to successfully filter the vulnerabilities that you see based on, 'Are they even being executed, like in our code base or not,' that's a really big benefit to security teams."

Overall, companies can reduce their remediation work by 60%, just by excluding unreachable code. One study found that, while 71% of Java applications consist of open source code, applications used only about 12% of that code.

Combining reachability with other contextual information — such as exploitability and business impact — reduces the workload even further. In an analysis of 106 million alerts from 900 organizations, or an average of about 118,000 alerts per organization, reachability analysis reduced the workload by 99.5% — or down to about 660 alerts per organization, according to application security firm OX Security.

Reporting fewer vulnerabilities back to developers can help reduce friction between the two groups, says Katie Teitler-Santullo, cybersecurity strategist with OX Security.

"A lot of the frustration happens because tools aren't able to reduce the noise and focus on the prioritization that developers need \[in order\] to move at the speed of development versus the speed of security," she says.

**Source Code Analysis or Instrumentation**

Typically, there are two approaches to reachability analysis. One is static code analysis focused on building graphs of the function calls in the applications and determining whether specific code can be executed. The determination is not always simple: A conditional statement may be executed only once in hundred or thousands calls — or never — and so application security tools have to determine whether that constitutes a threat.

Snyk, for example, errs on the side of work reduction. If there is a conditional statement, the company's tools will ignore the minor branches and just focus on the likely outcome, says Snyk's Degges.

"We look for things where we can 100% definitively trace it down there, and say that, 'Yes, this is reachable,'" he says. "The trade-off for that is that some things may be marked as not reachable, even though they are. But the benefit is that people aren't getting a bunch of false alerts."

Another approach is to instrument the application and the code, determining at runtime what functions are being executed and label that code as reachable.

Whether a vulnerability in the code can be exploited is another level of investigation. Endor Lab's Hejderup expects companies to be able to filter down to code that is reachable and provably exploitable as the next step.

"This type of more advanced, sophisticated analysis would likely be the next level within reachability analysis," he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Reachability Analysis Pares Down Static Security-Testing Overload

Microsoft warns that ransomware group Storm-0501 has shifted from buying initial access to leveraging weak credentials to gain on-premises access before moving laterally to the cloud.

Source: Vitali Gulenok via Alamy Stock Photo

Adversaries have caught on to the complexity that cybersecurity teams face in securing hybrid cloud environments — the latest of which is a particularly odious group tracked as "Storm-0501," a cash-grab operation that regularly targets the most vulnerable organizations, including schools, hospitals, and law enforcement across the US.

Storm-0501 has been around since 2021, according to a new report from Microsoft Threat Intelligence, operating as affiliates of a variety of ransomware-as-a-service (RaaS) strains including BlackCat/ALPHV, LockBit, and Embargo.

Notably, Microsoft has observed a shift in approach by the ransomware group. Once reliant on buying initial access from brokers, Storm-0501 has more recently found success exploiting hybrid cloud environments with weak passwords and overprivileged accounts. They first crack into the on-premises environment at a target, then pivot to burrow into the cloud, as seen in one campaign that successfully targeted Entra ID credentials.

**Microsoft Entra Connect Credential Crack**

The Microsoft team detailed a recent attack from Storm-0501 threat actors that used compromised credentials to access Microsoft Entra ID (formerly Azure AD). This on-premises Microsoft application is responsible for synching passwords and other sensitive data between objects in Active Directory and Entra ID, which essentially allows a user to sign in to both on-premises and cloud environments using the same credentials.

Once Storm-0501 was able to move laterally into the cloud, it was able to tamper with and exfiltrate data, set up persistent backdoor access, and deploy ransomware, the report warned.

"We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts," Microsoft reported. "Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear-text credentials and get an access token to Microsoft Graph."

From there, an attacker can freely change the Microsoft Entra ID passwords of any hybrid, synced account.

But that's not the only way these slippery cybercriminals have found to vault from a compromised Entra ID account into the cloud. The second strategy is more complicated, as Microsoft detailed, and relied on breaching a domain admin account with a correlating Entra ID that is designated with global admin permissions. Additionally, the account needs to have multifactor authentication (MFA) disabled for the attackers to be successful.

"It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case," Microsoft said. "However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. Web browsers' passwords store), then the pivot is possible."

Once it was in, Storm-0501 got busy setting up persistent backdoor access for later, working to achieve network control, and ensuring lateral movement to the cloud, Microsoft reported. Once that was done, they exfiltrated the files they wanted and deployed Embargo ransomware across the entire organization.

"In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named 'SysUpdate' that was registered via GPO on the devices in the network," according to the Microsoft report.

The two separate versions of attacks against Microsoft's Entra ID application demonstrate that cybercriminals of opportunity have focused in on hybrid cloud environments, and their big, fat attack surfaces, as easy wins.

**Securing the Hybrid Cloud Against Storm-0501 Attacks**

"As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations," Microsoft's Threat Intel team warned.

Enterprise cybersecurity teams can achieve this by continuing to move toward a zero-trust framework, according to a statement from Patrick Tiquet, vice president, security and architecture, at Keeper Security.

"This model restricts access based on continuous verification, ensuring that users only have access to the resources essential for their specific roles, minimizing exposure to malicious actors," Tiquet explained via email. "Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them."

Centralizing endpoint device management (EDM) is also "essential," he said. "Ensuring consistent security patching across all environments — whether cloud-based or on-premises — prevents attackers from exploiting known vulnerabilities."

Advanced monitoring will help teams spot potential threats across hybrid cloud environments before they can become a breach, he added.

Stephen Kowski, field CTO at SlashNext Security echoed many of the same recommendations in an emailed statement.

"This report highlights the critical need for robust security measures across hybrid cloud environments," Kowski said. "Security teams should prioritize strengthening identity and access management, implementing least privilege principles, and ensuring timely patching of Internet-facing systems."

In addition, he suggested shoring up security to protect against initial access attempts.

"Deploying advanced email and messaging security solutions can help prevent initial access attempts through phishing or social engineering tactics that often serve as entry points for these sophisticated attacks," he added.

Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

The threat actors managed to gain access to Sen. Ben Cardin (D-Md.) by posing as a Ukrainian official, before quickly being outed.

Sen. Ben CardinSource: B Christopher via Alamy Stock Photo

Earlier this month, Senator Ben Cardin (D-Md.), who serves as the Democratic chair of the Senate Foreign Relations Committee, was targeted in an advanced deepfake operation that managed to in part succeed in duping the politician.

The operation was centered around Cardin's professional association with Dymtro Kuleba, the former Ukrainian Minister of Foreign Affairs. Cardin's office reportedly received an email from someone they believed to be Kuleba, who Cardin already knew from past meetings.

Kuleba and Cardin met via Zoom through what seemed to be a live audio-video connection "that was consistent in appearance and sound to past encounters," according to a notice issued by the Senator’s security office.

But it was here that things began to go awry for the threat actors. "Kuleba" began to ask Cardin questions such as, "do you support long-range missiles into Russian territory? I need to know your answer," and other "politically charged questions in relation to the upcoming election" according to the notice. 

At this point, Cardin and his staff knew something was wrong.

The malicious actor on the other side of the call continued on, attempting to bait the senator into commenting on a political candidate and other things.

"The Senator and their staff ended the call, and quickly reached out to the Department of State who verified it was not Kuleba," said Nicolette Llewellyn, the director of Senate Security, in the notice.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**Deepfake Scams Are on the Rise**

On Sept. 25, Cardin commented on the encounter, describing the person on the other side of the screen as a malign actor that engaged in a deceptive attempt to try to have a conversation with him.

"After immediately becoming clear that the individual I was engaging with was not who they claimed to be, I ended the call and my office took swift action, alerting the relevant authorities," Sen. Cardin said. "This matter is now in the hands of law enforcement, and a comprehensive investigation is underway."

However, how far these threat actors managed to get was impressive — and concerning. Had they not revealed their scheme by acting out of character for the person they were impersonating, they may have gleaned sensitive or important information.

"On an individual level, \[deepfakes\] can lead to blackmail and extortion," says Eyal Benishti, CEO of Ironscales. "For businesses, deepfakes pose risks of significant financial loss, reputational damage, and corporate espionage. On a governmental level, they threaten national security and can undermine the democratic processes" — no doubt referencing a deepfake robocall that was created to impersonate President Joe Biden with the goal of getting Biden supporters to stay home for a lower voter turnout.

Related:Zimbra RCE Vuln Under Attack Needs Immediate Patching

It's clear that deepfake schemes are becoming a bigger threat and more widely used by malicious actors. In a July report that Trend Micro shared with Dark Reading, the researchers found that 80% of the consumers involved a survey had seen deepfake images, and 64% had seen deepfake videos. Roughly half of consumers surveyed had heard of deepfake audio clips. And concerningly, 35% of the respondents said they had experienced a deepfake scam themselves, with even more saying that they know someone who has.

These types of scams come in all kinds of varieties, such as the deepfake videos of UK Prime Minister Keir Starmer and Prince William that were circulating on Meta platforms earlier this year to promote a cryptocurrency platform called Immediate Edge. The platform was fraudulent and aimed to dupe potential victims by making it seem as though it was backed by reputable public figures. According to researchers who studied the disinformation campaign, the deepfake ads reached nearly 900,000 people who spent more than £20,000 on the platform.

Related:Retail & Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

"The rise of deepfakes — be it through images, videos, or audio — is hard to deny," Benishti says. "These attacks are becoming increasingly sophisticated and often indistinguishable from reality, thanks to the accessibility of generative AI tools."

And that means that defenses need to shift, Benishti says. 

"Currently, there are no foolproof methods to easily detect deepfakes," he says. "Until technology catches up, we must prioritize awareness, education, and training to equip individuals and organizations with the skills and strategies needed to act on their suspicions, implement effective verification processes, and ultimately improve their ability to discern what is real and what is not."

These recommendations apply to anyone, not just high-ranking or high-profile individuals such as Cardin.

"Cybercriminals capitalize on opportunity, regardless of status, which means that anyone could be a target," Benishti adds. "It's crucial for everyone, not just prominent figures, to stay alert and skeptical of any urgent or unexpected requests. Vigilance and verification are key defenses against these evolving threats."

Elaborate Deepfake Operation Takes a Meeting With US Senator

By combining agility with compliance, and security with accessibility, businesses will treat their data as a well-prepared traveler, ready for any adventure.

Source: Lucie Konecna via Alamy Stock Photo

COMMENTARY

The post-pandemic need for "anywhere connection" is fueling not only borderless business but also the rise of digital nomads. Surprisingly, the two face similar issues.

Consider that both international enterprises and location-independent workers must be prepared for travel, follow local rules, and carry only the essentials. For a digital nomad, this might mean a laptop, a handful of essential apps, and a reliable VPN. For an enterprise and its data, it's multicloud databases, robust encryption, and a zero-trust posture. In both cases, excess baggage only slows you down and increases vulnerability. And, in both cases, not following the rules can result in legal headaches.

Indeed, enterprises today walk a data tightrope. Their information ecosystems must be adaptable across diverse environments, navigating tightening regulations, heightened security requirements, and complex data rules.

Let's explore how enterprises can become data nomads by balancing compliance, security, and agility — all while seeing the world without getting in trouble.

**From Home Bases to Global Expeditions**

Mastering travel is crucial for digital and data nomads. Like savvy travelers navigating international borders, enterprises must maneuver a varied data landscape — especially with the likes of the European Union's General Data Protection Regulation (GDPR) acting as a stringent "passport control" for information. Therefore, understanding what's required is key to moving data from point A to B while abiding by the law.

Enterprises must first map their data — their digital luggage — to know what they have, how it's regulated, and where it's stored. Like nomads with a home base, many adopt a hybrid cloud approach. This home-and-away strategy blends on-premises infrastructure with public cloud services, offering flexibility, cost benefits, and resilience. It ensures data resides in jurisdictionally appropriate locations while enabling global reach. 

However, moving data between specific regions brings additional complications, especially between Europe and the US. For years, the "visa requirements" governing acceptable data transfers between these two superpowers have been in flux, with the EU-US Data Privacy Framework being the latest attempt to streamline cross-border data. Organizations still need to secure the right "travel permits" with a combination of approaches. This might involve keeping sensitive data in EU-based systems, using standard contractual clauses for US transfers, or applying new framework principles where relevant. However, given the turbulent history of previous agreements like Privacy Shield and Safe Harbour, enterprises should watch this space.

Another way to travel without falling afoul of the authorities is isolated connectivity. Google's Distributed Cloud latest configuration exemplifies this balance, with its air-gapped appliance allowing users to access cloud applications without jeopardizing data security — a blend of home comfort and travel flexibility for enterprise data.

**A Nomad's Security Toolkit**

But moving from place to place exposes both digital and data nomads to security risks. Just as globe-trotting workers must stay vigilant against pickpockets and scams, enterprises must be wary of bad actors — a growing concern with the rise of distributed workloads and global hackers.

The good news is that enterprises can and must fight back. End-to-end encryption acts like an unbreakable luggage lock, protecting information at every step. Multifactor authentication serves as a biometric passport, ensuring only authorized personnel gain access. Regular security audits flag potential risks, much like travel advisories. And, by embracing distributed storage, companies avoid keeping all their eggs in one basket, reducing the impact of any single breach.

Adopting a zero-trust architecture — comparable to a cautious security detail — further ensures verification regardless of origin. This "trust nothing, verify always" mindset treats every network as hostile and scrutinizes each access request, thereby reducing the risk of data breaches and unauthorized access.

**Lessons From the Road**

By now I've done this metaphor to death, but the parallels between digital nomads and enterprise data are too striking to ignore — and the challenges will only continue to evolve.

Emerging technologies like edge computing and AI will create new destinations for our data to explore. And don't expect regulations to slow down, further shaping digital travel requirements. This demands IT leaders have their finger on the pulse and think about their data journey from door to door.

The most successful enterprises will be those that can turn potential data pitfalls into opportunities for growth and innovation. By combining agility with compliance, and security with accessibility, they will treat their data as a well-prepared traveler, ready for any adventure.

The lesson from our digital nomad cousins is clear: Pack light, comply right.

**About the Author**

Founder & CEO, Hexnode

Apu Pavithran is the founder and CEO of Hexnode. Recognized in the IT management community as a consultant, speaker, and thought leader, Apu has been a strong advocate for IT governance and information security management.

Treat Your Enterprise Data Like a Digital Nomad

Productivity has a downside: A shocking number of employees share sensitive or proprietary data with the generational AI platforms they use, without letting their bosses know.

Source: Marcos Alvarado via Alamy Stock Photo

Generational AI chatbots are popping up in everything from email clients to HR tools these days, offering a friendly and smooth path toward better enterprise productivity. But there's a problem: All too often, workers aren't thinking about the data security of the prompts they're using to elicit chatbot responses.

In fact, more than a third (38%) of employees share sensitive work information with AI tools without their employer's permission, according to a survey this week by the US National Cybersecurity Alliance (NCA). And that's a problem.

The NCA survey (which polled 7,000 people globally) found that Gen Z and millennial workers are more likely to share sensitive work information without getting permission: A full 46% and 43%, respectively, admitted to the practice, as opposed to 26% and 14% of Gen X and baby boomers, respectively.

**Real-World Consequences From Sharing Data With Chatbots**

The issue is that most of the most prevalent chatbots capture whatever information users put into prompts, which could be things like proprietary earnings data, top-secret design plans, sensitive emails, customer data, and more — and send it back to the large language models (LLMs), where it's used to train the next generation of GenAI.

And that means that someone could later access that data using the right prompts, because it's part of the retrievable data lake now. Or, perhaps the data is kept for internal LLM use, but its storage isn't set up properly. The dangers of this — as Samsung found out in one high-profile incident — are relatively well understood by security pros — but by everyday workers, not so much.

ChatGPT’s creator, OpenAI, warns in its user guide, "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations." But it's hard for the average worker to constantly be thinking about data exposure. Lisa Plaggemier, executive director of NCA, notes one case that illustrates how the risk can easily translate into real-world attacks.

"A financial services firm integrated a GenAI chatbot to assist with customer inquiries," Plaggemier tells Dark Reading. "Employees inadvertently input client financial information for context, which the chatbot then stored in an unsecured manner. This not only led to a significant data breach, but also enabled attackers to access sensitive client information, demonstrating how easily confidential data can be compromised through the improper use of these tools."

Galit Lubetzky Sharon, CEO at Wing, offers another real-life example (without naming names).

"An employee, for whom English was a second language, at a multinational company, took an assignment working in the US," she says. "In order to improve his written communications with his US based colleagues, he innocently started using Grammarly to improve his written communications. Not knowing that the application was allowed to train on the employee's data, the employee sometimes used Grammarly to improve communications around confidential and proprietary data. There was no malicious intent, but this scenario highlights the hidden risks of AI."

**A Lack of Training & the Rise of "Shadow AI"**

One reason for the high percentages of people willing to roll the dice is almost certainly a lack of training. While the Samsungs of the world might swoop into action on locking down AI use, the NCA survey found that 52% of employed participants have not yet received any training on safe AI use, while just 45% of the respondents who actively use AI have.

"This statistic suggests that many organizations may underestimate the importance of training, perhaps due to budget constraints, or a lack of understanding about the potential risks," Plaggemier says. And meanwhile, she adds, "This data underscores the gap between recognizing potential dangers and having the knowledge to mitigate them. Employees may understand that risks exist, but the lack of proper education leaves them vulnerable to the severity of these threats, especially in environments where productivity often takes precedence over security."

Worse, this knowledge gap contributes to the rise of "shadow AI," where unapproved tools are used outside the organization's security framework.

"As employees prioritize efficiency, they may adopt these tools without fully grasping the long-term consequences for data security and compliance, leaving organizations vulnerable to significant risks," Plaggemier warns.

**It's Time for Enterprises to Implement GenAI Best Practices**

It's clear that prioritizing immediate business needs over long-term security strategies can leave companies vulnerable. But when it comes to rolling out AI before security is ready, the golden allure of all those productivity enhancements — sanctioned or not — may often prove too strong to resist.

"As AI systems become more common, it's essential for organizations to view training not just as a compliance requirement but as a vital investment in protecting their data and brand integrity," Plaggemier says. "To effectively reduce risk exposure, companies should implement clear guidelines around the use of GenAI tools, including what types of information can and cannot be shared."

Morgan Wright, chief security adviser at SentinelOne, advocates starting the guidelines-development process with first principles: "The biggest risk is not defining what problem you're solving through chatbots," he notes. "Understanding what is to be solved helps create the right policies and operational guardrails to protect privacy and intellectual property. It's emblematic of the old saying, 'When all you have is a hammer, all the world is a nail.'"

There are also technology steps that organizations should take to shore up AI risks.

"Establishing strict access controls and monitoring the use of these tools can also help mitigate risks," Plaggemier adds. "Implementing data masking techniques can protect sensitive information from being input into GenAI platforms. Regular audits and the use of AI monitoring tools can also ensure compliance and detect any unauthorized attempts to access sensitive data."

There are other ideas out there, too. "Some companies have restricted the amount of data input into a query (like 1,024 characters)," Wright says. "It could also involve segmenting off parts of the organization dealing with sensitive data. But for now, there is no clear solution or approach that can solve this thorny issue to everyone's satisfaction."

The danger to companies can also be exacerbated thanks to GenAI capabilities being added to third-party software-as-a-solution (SaaS) applications, Wing's Sharon warns — this is an area that is too often overlooked.

"As new capabilities are added, even to very reputable SaaS applications, the terms and conditions of those applications is often updated, and 99% of users don't pay attention to those terms," she explains. "It is not unusual for applications to set as the default that they can use data to train their AI models."

She notes that an emerging category of SaaS security tools called SaaS Security Posture Management (SSPM) is developing ways to monitor which applications use AI and even monitor changes to things like terms and conditions.

"Tools like this are helpful for IT teams to assess risks and make changes in policy or even access on a continuous basis," she says.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Shadow AI, Data Exposure Plague Workplace Chatbot Use

The vulnerability is the latest discovered in connected vehicles in recent years, and it points out the cyber dangers lurking in automotive APIs.

Source: Jonathan WeissI via Shutterstock

Car buyers typically have many questions when purchasing a new automobile, but few are likely to consider whether an attacker could remotely control their vehicle using just license plate information.

Yet that's exactly what millions of Kia vehicles allowed until mid-August, when the automaker fixed a flaw that enabled such access, after independent security researchers alerted them to the issue.

**Remote Control of Kia Cars & SUVs**

The glitch is similar to those that the same group of researchers and others have discovered in recent years, and is sure to stoke already high concerns over the vulnerability of modern connected vehicles to cyberattacks.

In a Sept. 26 report, independent researcher Sam Curry said he discovered the Kia vulnerability when doing some follow-up research on multiple flaws he and colleagues discovered a couple of years ago in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others.  

At the time, the researchers showed how anyone could take advantage of the vulnerabilities to issue commands for remotely locking and unlocking vehicles, starting and shutting down the engine, and activating a vehicle's headlight and horn. Some of the flaws allowed an adversary to remotely take over an owner's account and lock them out of managing their own vehicle, while others enabled remote access to a vehicle's camera, with the ability to view live images from inside the vehicle. Some of the hacks required an adversary to have little more than a vehicle identification number, and sometimes even just an owner's email address.

**An Issue With Automotive API Protocols**

As with many of the previous flaws, the new issue that Curry and his fellow researchers discovered had to do with the application programming interface (API) protocols that enable Internet-to-vehicle commands on Kia automobiles.

The researchers found that it was relatively easy to register a Kia dealer account and authenticate it to the account. They could then use the generated access token to call APIs reserved for use by dealers, for things like vehicle and account lookup, owner enrollment, and several other functions.

After some poking around, the researchers found that they could use their access to the dealer APIs to enter a vehicle's license-plate information and retrieve data that essentially allowed them to control key vehicle functions. These included functions like turning the ignition on and off, remotely locking and unlocking vehicles, activating its headlights and horn, and determining its exact geolocation.

In addition, they were able to retrieve the owner's personally identifying information (PII) and quietly register themselves as the primary account holder. That meant they had control of functions normally available only the owner. The issues affected a range of Kia model years, from 2024 and 2025 all the way back to 2013. With the older vehicles, the researchers developed a proof-of-concept tool that showed how anyone could enter a Kia's vehicle license plate info and in a matter of 30 seconds execute remote commands on the vehicle.

"The recent discovery underscores the intricate challenges posed by the complex API protocols — such as gRPC, MQTT, and REST — used in connected cars," says Ivan Novikov, CEO of API security firm Wallarm. "Automakers must prioritize enhancing their cybersecurity measures by implementing stronger authentication methods and securing communication channels to protect against unauthorized access."

Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, says the new discovery highlights how the biggest vulnerabilities in connected vehicles often have to do with systems that communicate with the outside world. He points to always-connected vehicle telematics systems as one example of such a component.

"Infotainment systems are another concern, as they connect to smartphones, apps, and other services, creating more entry points for hackers into the car's internal network," Mittal says. "The recent Kia hack really highlights how APIs and cloud services can be weak spots; if the APIs that control critical functions aren't secured properly, they become easy targets for attackers."

**A Troubling Pattern of Cars' Cyber Insecurity**

News of the Kia hack adds to growing concerns over connected vehicles — and not just about their security either. Earlier this year, two senior US lawmakers slammed General Motors, Honda, and Hyundai for collecting extensive data from connected vehicle about owners and their movement. The two lawmakers, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) called the data collection by the three automakers of a symptomatic industry-wide problem that highlighted the need for greater oversight and scrutiny of automaker practices.

"Automotive vendors have proven irresponsible at security again and again, and I wonder how much more we are going to see before action is taken," says David Brumley, CEO of software security firm ForAllSecure. "Yesterday the average driver worried about \[the theft of their\] key fob. Today, they have to worry about whether their dealer or manufacturer has an unprotected API. Where is the \[National Transportation Safety Board\] on this?"

Kia Motors did not respond immediately to a Dark Reading request for comment.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Kia Vehicles Open to Remote Hacks via License Plate

Companies that commit to risk management have a strong cybersecurity foundation that makes it easier to comply with the SEC's rules. Here is what you need to know about 8K and 10K filings.

Source: Louisa Svensson via Alamy Stock Photo

Question: How should security leaders navigate the SEC's cybersecurity and disclosure rules? What do they need to do in order to ensure compliance?

Michael Gray, CTO, Thrive: While the Securities and Exchange Commission's (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules went into effect toward the end of 2023, many organizations still have questions when it comes to filings and disclosures. Under these rules, organizations have to disclose significant cybersecurity incidents and provide annual updates on their cybersecurity posture. Being able to accurately share cybersecurity updates, sometimes within short time frames, requires teams to have a deep understanding of 8-K and 10-K filings, and to implement new processes that simplify compliance.

**The Difference Between an 8-K and 10-K Filing**

8-K filings, in general, are periodic reports that public companies use to share information about major events that investors would likely want to know when making investment decisions. The SEC's cybersecurity rules now explicitly require that companies disclose material cybersecurity incidents via Item 1.05 of Form 8-K.

10-K filings, on the other hand, are detailed annual reports that summarize a public company's financial and operational performance over the past year. Part of a company's responsibility is to disclose the inner happenings of the business with stakeholders, and 10-K filings help to educate investors so that they can make informed decisions about their investments. Public companies must now include information about their cybersecurity strategy, governance, perceived threats, and material events that happened throughout the year within their yearly 10-K filings.

**The 8-K: Define Materiality**

A common question among cybersecurity teams today is how to determine whether a cybersecurity incident is "material" — incidents that have a significant impact on financial outcomes, as well as implications on the company's operations, reputation, compliance, and customer or stakeholder relations — and deserving of an 8-K filing. The SEC's guidance is that a cybersecurity incident is material if a rational investor would want to know about the event, such as incidents that result in substantial revenue losses, operational interruption or downtime, negative media coverage, legal risk, and customer data loss. For example, the Change Healthcare ransomware attack was material —patients' data was compromised, and it negatively affected hospitals, clinics, and healthcare professionals relying on the company. On the other hand, a phishing scheme targeted at an individual through a work email would not be considered material, as it most likely would not result in substantial revenue loss for the business or impact company stakeholders — especially if only personal information was given.

Companies must file an 8-K within four business days of identifying an incident, not within four business days of the incident occurring. If additional material information is identified that needs to be disclosed, companies would file an amendment to the original 8-K that disclosed the incident. In many cases, cybersecurity teams will uncover additional details about the incident that they can then share in subsequent reports to the SEC. Companies also have a duty to correct a prior disclosure that is found to be untrue as additional facts are determined.

**The 10-K: Disclosing Too Much and Too Little Information**

10-K filings are where cybersecurity teams share details on the current state of the company's cybersecurity program and strategy. The SEC's disclosure rules require that organizations identify who has oversight over cybersecurity activity and describe how they evaluate, discover, and mitigate material risks from cybersecurity threats. Item 106 of the 10-K is also where teams can revisit material incidents over the past year and provide additional commentary on the company's response and performance since the event. Item 106 also requires organizations to describe the board of directors' oversight of risks and management's role in assessing material risks. 10-K filings are not necessarily “new” in terms of information about an incident previously reported in an 8-K filing, but rather information about the resultant impact to the business and any identified cyber-risks the company faces that could result from a previous incident.

Again, the rule of thumb on how much information to disclose is that companies should give enough information for shareholders to be able to make sound investment decisions. A few details to consider include whether your company has a CISO, what cyber training programs are implemented for the board and employees at large, and if anyone on the board has detailed cybersecurity knowledge or expertise. More often than not, this means leaning into transparency rather than hiding critical details.

**Make Compliance Simpler**

Outside of 8-K and 10-K filings, employees should understand the company's overarching cybersecurity framework. This framework should cover how the organization approaches cybersecurity overall, document incident response procedures, and summarize how the enterprise improves over time.

Modern organizations have to be able to mitigate risk before and after cybersecurity incidents. Cybersecurity leaders should frequently audit their cybersecurity capabilities, as threats are evolving constantly. This involves identifying potential vulnerabilities and implementing effective risk management strategies, running real-time tests on your network and endpoints, and continuously communicating and training staff on cybersecurity policies. The SEC provides readiness assessments that can help in this area.

After an incident occurs, leaders should reflect on how well the organization responded and ensure key details are thoroughly documented within the 8-K. Companies should also engage with legal experts to review their compliance posture on a regular basis. Furthermore, employees need dedicated training on the SEC's cybersecurity disclosure rules, so that they are aware of the company's reporting obligations and understand their roles when it comes to incident response and annual readouts.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Adversaries can exploit CVE-2024-6769 to jump from regular to admin access without triggering UAC, but Microsoft says it's not really a vulnerability.

Source: Panther Media GmbH via Alamy Stock Photo

Researchers have flagged a weakness they're tracking as CVE-2024-6769, calling it a combination user access control (UAC) bypass/privilege escalation vulnerability in Windows. It could allow an authenticated attacker to obtain full system privileges, they warned.

That's according to Fortra, which assigned the issue a medium severity score of 6.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Its proof-of-concept exploit demonstrates that "you have the ability to shut down the system," stressed Tyler Reguly, associate director of security R&D at Fortra. "There are certain locations on the drive where you can write and delete files that you couldn't previously." That includes, for example, C:\\Windows, so an attacker could take ownership over files owned by SYSTEM.

For its part, Microsoft acknowledged the research but said it does not consider this an actual vulnerability, because it falls under its concept of acceptability to have "non-robust" security boundaries.

**Understanding Integrity Levels in Windows**

To understand Fortra's findings, we have to go back to Windows Vista, when Microsoft introduced the model of Mandatory Integrity Control (MIC). Simply put, MIC assigned every user, process, and resource a level of access, called an integrity level. Low integrity levels were afforded to all, medium for authenticated users, high for administrators, and system for only the most sensitive and powerful.

Alongside those integrity levels came UAC, a security mechanism that runs most processes and applications at the medium level by default, and requires explicit permission for any actions that require greater privileges than that. Typically, an admin-level user can upgrade simply by right-clicking a command prompt and selecting "Run as Administrator."

By combining two exploit techniques, Fortra researchers demonstrated in their proof of concept how an already-authorized user could slither through this system, jumping across the security boundary imposed on the medium integrity level to obtain full administrative privileges, all without triggering UAC.

**Using CVE-2024-6769 to Jump Across User Boundaries**

To exploit CVE-2024-6769, an attacker first must have a foothold in a targeted system. This requires the medium integrity-level privileges of an average user, and the account from which the attack is triggered must belong to the system's administrative group (the type of account that could level up to admin privileges, if not for UAC being in its way).

The first step in the attack involves remapping the targeted system's root drive — such as "C:" — to a location under their control. This will also shift the "system32" folder, which many services rely on to load critical system files.

One such service is the CTF Loader, ctfmon.exe, which runs without administrator privileges at a high integrity level. If the attacker places a specially crafted, copycat DLL in the copycat system32 folder, ctfmon.exe will load it and execute the attacker's code at that high integrity level.

Next, if the attacker wishes to obtain full administrative privileges, they can poison the activation context cache, which Windows uses to load specific versions of libraries. To do this, they craft an entry in the cache pointing to a malicious version of a legitimate system DLL, contained in an attacker-generated folder. Through a specially crafted message to the Client/Server Runtime Subsystem (CSRSS) server, the fake file is loaded by a process that has administrator privileges, granting the attacker full control over the system.

**Microsoft: Not a Vulnerability**

Despite the potential for privilege escalation, Microsoft refused to accept the issue as a vulnerability. After Fortra reported it, the company responded by pointing to the "non-boundaries" section of the Microsoft Security Servicing Criteria for Windows, which outlines how "some Windows components and configurations are explicitly not intended to provide a robust security boundary." Under the pertinent "Administrator to Kernel" section, it reads:

> Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strongly isolated from the kernel boundary. Administrators are in control of the security of a device and can disable security features, uninstall security updates, and perform other actions that make kernel isolation ineffective.

Essentially, Reguly explains, "They see the admin-to-system boundary as a nonexistent boundary, because admin is trusted on a host." In other words, Microsoft doesn't consider CVE-2024-6769 a vulnerability if an admin user could ultimately perform the same system-level actions anyway, subject to UAC approval.

In a statement to Dark Reading, a Microsoft spokesperson highlighted that "The method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary."

Reguly and Fortra disagree with Microsoft's perspective. "When UAC was introduced, I think we were all sold on the idea that UAC was this great new security feature, and Microsoft has a history of fixing bypasses for security features," he says. "So if they're saying that this is a trust boundary that is acceptable to traverse, really what they're saying to me is that UAC is not a security feature. It's some sort of helpful mechanism, but it's not actually security related. I think it's a really strong philosophical difference."

**Windows Shops Should Still Beware UAC Bypass Risk**

Philosophical differences aside, Reguly stresses that businesses need to be aware of the risk in allowing lower-integrity admins to escalate their privileges to attain full system controls.

At the end of a CVE-2024-6769 exploit, an attacker would have full reign to manipulate or delete critical system files, upload malware, establish persistence, disable security features, access potentially sensitive data, and more.

"Thankfully, only administrators are impacted by this, which means that most of your standard users are unaffected," Fortra noted in an FAQ to reporters. "For administrators, it is important to ensure that you are not running binaries whose origins cannot be verified. For those admins, however, vigilance is the best defense at the moment."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading