The cybersecurity industry faces a growing crisis in attracting and retaining SOC analysts.

Source: Dragos Condrea via Alamy Stock Photo

COMMENTARY

When I began my career, the security operations center (SOC) analyst role seemed like an exciting entry point into a promising career. And for me, it was. However, the job is increasingly perceived as thankless and high-stress, filled with repetitive tasks, high stakes, and limited opportunities for professional growth. 

High turnover and talent shortages are common, so if businesses want to retain skilled analysts and appeal to the next generation of talent, the SOC role needs a serious rebrand. 

**Why SOC Roles Are Losing Their Appeal**

I won't sugarcoat it: The SOC Tier I analyst role is incredibly challenging. In a typical day, analysts receive thousands of alerts, many of which are false positives. 

This constant flood of data leaves analysts struggling to sift through the noise and focus on real threats, a task that demands both accuracy and a clear rationale for every action taken. Dismissing an alert too quickly risks missing a critical event, while escalating a low-risk alert could divert resources away from more urgent priorities. This pressure, coupled with the fear of making mistakes that could affect the team or your own credibility, often leads to burnout. The pressure, the sheer volume of alerts, and the feeling of always being under scrutiny make this role uniquely taxing.

Another significant issue I've encountered is the lack of growth opportunities. With so much time dedicated to the constant alerts, analysts rarely have time to develop new skills. Despite the extensive training and certifications many analysts bring, they're often stuck with monotonous tasks like reviewing phishing emails, limiting exposure to broader infrastructure or skills required for senior roles. 

This lack of growth and evolution leads to disengagement and, eventually, many talented analysts leave the role entirely.

**Leveraging AI and Career Development to Transform SOC Jobs**

The key to transforming the status quo for SOC analysts lies in reimagining these positions to make them more dynamic, rewarding, and sustainable. 

One solution is thoughtfully integrating AI to enhance — not replace — human expertise. By doing so, organizations can:

*   Automatically resolve false positives, allowing SOC analysts to focus on more critical, actionable alerts
    
*   Automate repetitive tasks that can be time consuming, like threat intelligence enrichment, false positive filtering, and alert triage prioritization 
    
*   Provide 24/7 monitoring to alleviate the strain of on-call shifts and cover gaps by allowing AI to investigate and escalate alerts
    
*   Triage the flood of alerts to surface only the most critical and relevant issues, empowering SOC analysts to proactively threat hunt rather than only react to alerts 
    

These applications of AI not only reduce the workload but help prevent human error, which is more likely when analysts are overwhelmed by large volumes of data. 

But AI alone doesn't fix everything. While AI can free up analysts' time by automating many entry-level tasks, businesses must then provide the appropriate structure and growth opportunities to align with these changes. 

To help SOC analysts grow and avoid stagnation, while also providing the necessary support, businesses should do the following:

*   Provide mentorship opportunities after taking steps to ensure senior analysts aren't bogged down with the same repetitive tasks as junior analysts. In many cases I found that no one on the team had bandwidth for anything beyond alert response. 
    
*   Invest in training and upskilling so analysts can perform more sophisticated tasks and advance in their careers rather than becoming pigeonholed in low-level tasks.
    
*   Implement regular evaluations to assess the well-being and development needs of SOC analysts. These evaluations are commonplace in the public sector, but I've rarely encountered them in the corporate world. 
    
*   Foster a culture of continuous improvement throughout the organization, empowering all team members to seek out new skills and opportunities.
    
*   Secure a permanent seat for security in strategic decision-making. SOC teams are often seen as blockers and are typically the last to learn about key business changes. By integrating security early, security teams can influence strategies, ensuring that protocols are built in from the start and reducing future risks.
    

**Investing in Tools, Training, and the Future of SOC Roles**

Budget constraints and organizational inertia often prevent companies from investing in the tools and training needed to make analyst roles more meaningful and sustainable. 

However, the cost of not investing is far greater — high turnover leads to gaps in security coverage, increased vulnerability to cyberattacks, lost institutional knowledge, and longer incident response times. Plus finding, hiring, and training replacements only consumes more time and resources.

The solution lies in rethinking the SOC analyst role — embracing AI to reduce stress and improve efficiency while providing better support and growth opportunities. Forward-thinking businesses that face these challenges head-on will be better equipped with the highly skilled, motivated analysts ready to tackle the threats of the future.

I want to see SOC analysts succeed. These days, I love that I'm able to help SOC analysts as a solutions engineer, working with them to implement and adopt tools to alleviate the stress and alert fatigue that can come from working in a SOC. 

Companies that fail to address these issues risk losing not only their analysts but also their security edge against attackers.

**About the Author**

Solutions Engineer, Intezer

Jessica Belt is solutions engineer at Intezer, a leading provider of AI-powered technology for autonomous security operations. With five years of experience in cybersecurity and 10 years in event coordination, Jessica brings a unique combination of technical expertise and operational excellence. In her current role as a solutions engineer, Jessica leverages her experience as a former security engineer at a security operations center (SOC) to help teams optimize their workflows and enhance their security operations. In her previous roles, Jessica specialized in vulnerability management, threat intelligence, container security, incident response, and identity security.

Why SOC Roles Need to Evolve to Attract a New Generation

The "Census of Free and Open Source Software" report, which identifies the most critical software projects, sees more cloud infrastructure and Python software designated as critical software components.

Source: Photon Photo via Shutterstock

Open source components aimed at connecting applications to cloud resources and those written in Python have jumped up the list of critical packages, according to the latest rankings of the open source software ecosystem — a reordering that underscores the projects that need to be well-funded to improve the security of the software ecosystem.

The data-collection effort — known as the "Census of Free and Open Source Software" — classifies the open source projects into eight top 500 lists, depending on their ecosystem, whether version information is included, and whether direct and indirect dependencies are taken into account. The latest survey of software, known as Census III, found that packages for Python software and those meant to connect developers with specific cloud services — such as a toolkit for Amazon's Elastic Computing Cloud (EC2) or the API for connecting Go programs to Google Cloud — have become much more popular and, thus, critical to software development.

While cloud-native and hybrid development are by no means new, cloud providers have created an increasing number of software development kits (SDKs) for developers. Their widespread use has boosted those tools in the rankings of critical software, says David Wheeler, director of open source supply chain security for the Linux Foundation, which collaborates with Harvard Business School to produce the census.

"Cloud providers offer a lot of specialized services, but the early uses of cloud were a lot of lift-and-shift moves," he says. "Increasingly, we're seeing people write software specifically intended to be run on a cloud, \[and there is a\] rising level of these kinds of packages — it's something that is dramatically increasing."

The third "Census of Free and Open Source Software" report comes more than two years after the official publication of Census II in March 2022 — an initial version of that report was released in 2020 — and nine years after the original census report. The data-collection exercises aim to identify the most critical open source software so that the public and private sectors can effectively invest in the projects as a path to improve software security. Each software package is scored using data from software supply chain firms FOSSA, Snyk, Sonatype, and the Black Duck Cybersecurity Research Center.

The resilience of the software supply chain has become a major concern of the software industry and national governments. The Biden administration, for example, released a National Cybersecurity Strategy that firmly emphasized finding ways to improve the security of software and the open source ecosystem on which most applications rely.

**Critical Connections to the Cloud**

The Amazon Web Services (AWS) software development kit for Python, known as Boto3, rose to fifth place on the list of critical software on the "Non-npm, Direct, Version Agnostic Packages" list. The library was not ranked in the previous Census II. A similar package — aws-sdk — rose to the seventh spot on the JavaScript-ecosystem "npm, Direct, Version Agnostic Packages" list, from 307th in the previous census.

Other cloud-focused packages saw similar jumps: The software development kit to connect Go programs to Google Cloud ranked eighth, while the AWS kit for .NET rose to number 30. Neither were ranked in the previous census.

Because the Node Package Manager (npm) ecosystem sees a significant volume of JavaScript downloads — 4.5 trillion in 2024, compared to 530 billion for Python, according to Sonatype — the data overwhelms measurements of popularity. As a result, the census breaks out npm downloads from those for other software ecosystems.

The data underscores the criticality of open source software to the infrastructure underpinning cloud services, says Brian Fox, CTO and co-founder of Sonatype, a software supply chain management firm.

"Open source across the board just continues to see 'hockey stick' growth year after year, which is shocking — we're starting to see really, really big numbers," he says. "That's the reason why they're doing the census, because it is so important to be shining a light on these things."

**Perils of Python 2 Boost Compatibility Library**

Replacing or patching outdated software has become a central focus of efforts to eliminate vulnerabilities from software. Over the past decade, for example, Python developers have only slowly moved to use Python 3, which was originally introduced in 2006. Last year, 1% of Python developers used Python 2 as their primary programming language, down from 13% in 2019, according to data from JetBrains' annual "Developer Ecosystem" report.

As a result, a project designed to allow compatibility between software written in Python 2 and code in Python 3 — the "Six" project — has become a critical software component, according to Census III. Typically, Python versions are supported for five years. Python 3.11 — currently used by 27% of developers as their primary programming language, making it the most popular version at present — will reach its end of life in October 2027. The final version of Python 2 — version 2.7 — passed its end of life in January 2020.

The data does not address how often developers encounter — and interact with — components written in Python 2. The overwhelming shift to Python 3 is driving the use of Six, as developers need to use older code with programs written in the latest version of Python. In addition, certain groups of developers — such as 29% of data scientists and 19% of Web developers — continue to use some Python 2 code, according to data from JetBrains, a maker of development tools.

"If you look at the raw numbers, Python 3 is far more common, but in various specific domains Python 2 is still widely, widely used, which is why Six is showing up more," the Linux Foundation's Wheeler says. "I would argue it's why we're finally able to get so many more Python 3 users is because the bridge to move from 2 to 3 is easier."

While Census III is available to download from the Linux Foundation, companies should be automating their package management and regularly testing and updating their software, says Sonatype's Fox. The real lesson from the census is not which packages should be given the most attention, but which projects need additional funds and paid maintainers.

"The sustainability of the \[open source ecosystem\] is something that should be top of mind," he says. "We're dependent more and more on largely an aging and unpaid workforce for maintaining critical software — those two things together don't end well."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source Security Priorities Get a Reshuffle

New Fortress Information Security research shows 90% of software products used by critical infrastructure organizations contain code developed in China.

PRESS RELEASE

ORLANDO, FL — December 5, 2024 — The code that makes up the software now powering U.S. utilities is rife with vulnerabilities, including hundreds that are “highly exploitable,” a new research report released by Fortress Information Security today finds. Researchers studied thousands of products and found troubling risk patterns.

The report, Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software, also shows that 25 percent of software components and 90 percent of software products contained code from developers in China.

Compromised software code can provide threat actors with a “backdoor” into power grids, oil and gas pipelines, and communication networks. In similar research last year, Fortress discovered that code developed in China was 1.4 times more likely to contain vulnerabilities than code developed elsewhere.

“China is an existential threat to U.S. economic and physical security,” said Alex Santos, CEO of Fortress. “Software products with China-born code must be identified and weeded out from our nation’s critical infrastructure. We developed and then examined the Software Bill of Materials (SBOM) for the most widely used products managing the U.S. electric power grid. The next step is to take action to eliminate these systemic risks, and we look forward to working with utilities to do just that.”

Using the North American Energy Software Assurance Database (NAESAD) to review Software Bills of Materials (SBOMs) for more than 2,000 software products, researchers found:

More than 9,000 unique vulnerabilities – including 855 highly exploitable vulnerabilities that attackers can exploit with minimal effort.

Twenty components that account for more than 80% of critical vulnerabilities.

3,841 instances of Known Exploited Vulnerabilities (KEVs) across products. KEVs are a subset of vulnerabilities actively exploited by threat actors in the wild.

The Most Common Dependencies were 1) The Linux kernel, 2) zlib (a compression library), and 3) OpenSSL (an open-source cryptographic library). 

"Once again, we found that just a small number of common components, used across hundreds of products, were responsible for the bulk of critical vulnerabilities,” said Bryan Cowan, lead researcher for Fortress. “These are vulnerabilities that can be detected and software flaws that can be corrected. Addressing those 20 components would make our power plants, oil and gas refineries, and chemical companies much more secure.”

Brief Methodology

Fortress created a Software Bill of Materials (SBOM) for each product version using binary analysis. Researchers reviewed the SBOMs stored in NAESAD. Fortress analyzed more than 9,535 unique vulnerabilities identified across 8,758 unique components associated with 2,233 products across 243 vendors. This included information technology (IT) products, used for network management, and operational technology (OT) products, used for business functions. The team used the Exploit Prediction Scoring System (EPSS) as a proxy for exploitability. 

About Fortress. Securing critical supply chains and cyber assets from evolving threats.

Compromised Software Code Poses New Systemic Risk to U.S. Critical Infrastructure

Researchers testing generative AI systems can use prompt injection, re-register after being banned, and bypass rate limits without running afoul of copyright law.

Source: Vitalii Vodolazskyi via Shutterstock

In a net positive for researchers testing the security and safety of AI systems and models, the US Library of Congress ruled that certain types of offensive activities — such as prompt injection and bypassing rate limits — do not violate the Digital Millennium Copyright Act (DMCA), a law used in the past by software companies to push back against unwanted security research.

The Library of Congress, however, declined to create an exemption for security researchers under the fair use provisions of the law, arguing that an exemption would not be enough to provide security researchers safe haven.

Overall, the triennial update to the legal framework around digital copyright works in the security researchers' favor, as does having clearer guidelines on what is permitted, says Casey Ellis, founder and adviser to crowdsourced penetration testing service BugCrowd.

"Clarification around this type of thing — and just making sure that security researchers are operating in as favorable and as clear an environment as possible — that's an important thing to maintain, regardless of the technology," he says. "Otherwise, you end up in a position where the folks who own the \[large language models\], or the folks that deploy them, they're the ones that end up with all the power to basically control whether or not security research is happening in the first place, and that nets out to a bad security outcome for the user."

Security researchers have increasingly gained hard-won protections against prosecution and lawsuits for conducting legitimate research. In 2022, for example, the US Department of Justice stated that its prosecutors would not charge security researchers with violating the Computer Fraud and Abuse Act (CFAA) if they did not cause harm and pursued the research in good faith. Companies that sue researchers are regularly shamed, and groups such as the Security Legal Research Fund and the Hacking Policy Council provide additional resources and defenses to security researchers pressured by large companies.

In a post to its site, the Center for Cybersecurity Policy and Law called the clarifications by the US Copyright Office "a partial win" for security researchers — providing more clarity but not safe harbor. The Copyright Office is organized under the Library of Congress's purview.

"The gap in legal protection for AI research was confirmed by law enforcement and regulatory agencies such as the Copyright Office and the Department of Justice, yet good faith AI research continues to lack a clear legal safe harbor," the group stated. "Other AI trustworthiness research techniques may still risk liability under DMCA Section 1201, as well as other anti-hacking laws such as the Computer Fraud and Abuse Act."

**Brave New Legal World**

The fast adoption of generative AI systems and algorithms based on big data have become a major disruptor in the information-technology sector. Given that many large language models (LLMs) are based on mass ingestion of copyrighted information, the legal framework for AI systems started off on a weak footing.

For researchers, past experience provides chilling examples of what could go wrong, says BugCrowd's Ellis.

"Given the fact that it's such a new space — and some of the boundaries are a lot fuzzier than they are in traditional IT — a lack of clarity basically always converts to a chilling effect," he says. "For folks that are mindful of this, and a lot of security researchers are pretty mindful of making sure they don't break the law as they do their work, it has resulted in a bunch of questions coming out of the community."

The Center for Cybersecurity Policy and Law and the Hacking Policy Council proposed that red teaming and penetration testing for the purpose of testing AI security and safety be exempted from the DMCA, but the Librarian of Congress recommended denying the proposed exemption.

The Copyright Office "acknowledges the importance of AI trustworthiness research as a policy matter and notes that Congress and other agencies may be best positioned to act on this emerging issue," the Register entry stated, adding that "the adverse effects identified by proponents arise from third-party control of online platforms rather than the operation of section 1201, so that an exemption would not ameliorate their concerns."

**No Going Back**

With major companies investing massive sums in training the next AI models, security researchers could find themselves targeted by some pretty deep pockets. Luckily, the security community has established fairly well-defined practices for handling vulnerabilities, says BugCrowd's Ellis.

"The idea of security research being being a good thing — that's now kind of common enough ... so that the first instinct of folks deploying a new technology is not to have a massive blow up in the same way we have in the past," he says. "Cease and desist letters and \[other communications\] that have gone back and forth a lot more quietly, and the volume has been kind of fairly low."

In many ways, penetration testers and red teams are focused on the wrong problems. The biggest challenge right now is overcoming the hype and disinformation about AI capabilities and safety, says Gary McGraw, founder of the Berryville Institute of Machine Learning (BIML), and a software security specialist. Red teaming aims to find problems, not be a proactive approach to security, he says.

"As designed today, ML systems have flaws that can be exposed by hacking but not fixed by hacking," he says.

Companies should be focused on finding ways to produce LLMs that do not fail in presenting facts — that is, "hallucinate" — or are vulnerable to prompt injection, says McGraw.

"We are not going to red team or pen test our way to AI trustworthiness — the real way to secure ML is at the design level with a strong focus on training data, representation, and evaluation," he says. "Pen testing has high sex appeal but limited effectiveness."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Library of Congress Offers AI Legal Guidance to Researchers

Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.

Source: Classic Image via Alamy Stock Photo

NEWS BRIEF

BlueAlpha, a Russian state-sponsored advanced persistent threat (APT) group, has recently evolved its malware delivery chain to abuse Cloudflare Tunnels — with the goal of ultimately infecting victims with its proprietary GammaDrop malware.

Cloudflare Tunnels is, as its name suggests, a secure tunneling software. It can be used to connect resources to Cloudflare's network without using a publicly routable IP address, with the goal of protecting Web servers and applications from distributed denial-of-service (DDoS) and other direct cyberattacks, by hiding their origins.

Unfortunately, this obfuscation mechanism, like other legitimate cloud tools, can also be used by the likes of BlueAlpha, which uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure from traditional network detection mechanisms, according to Recorded Future's Insikt Group.

"Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool," according to an analysis published this week from Insikt. "The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host."

The APT then uses the concealed infrastructure to mount HTML smuggling attacks that bypass email security systems, along with employing DNS fast-fluxing, which makes it more difficult to disrupt BlueAlpha’s command-and-control (C2) communications, Insikt Group researchers noted — and in the end, deliver the GammaDrop malware, which enables data exfiltration, credential theft, and backdoor access to networks.

BlueAlpha, which shares DNA with other Russian threat groups like Trident Ursa, Gamaredon, Shuckworm, and Hive0051, first emerged in 2014, and has lately targeted Ukrainian organizations via spearphishing campaigns. The APT has used the custom VBScript malware GammaLoad since at least October 2023.

To protect against such attacks, Insikt Group recommended several mitigations, including:

*   Beef up email security to block HTML smuggling techniques
    
*   Flag attachments with suspicious HTML events
    
*   Use application control policies to block malicious use of mshta.exe and untrusted .lnk files
    
*   Set up network rules to flag requests to trycloudflare.com subdomains
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Two new vulnerabilities in Mitel's MiCollab unified communications and collaboration (UCC) platform could help expose gobs of enterprise data.

MiCollab is a cross-platform application on mobile devices and desktops that combines instant messaging, SMS, phone calls, video calls, file sharing, remote desktop sharing — really any form of collaboration that occurs within an organization, save talking out loud. Organizations rely on it heavily for day-to-day business operations and, invariably, to house large amounts of personal and communications data.

That's what made CVE-2024-35286 so inconvenient when it was discovered earlier this year. This SQL injection vulnerability, resulting from a lack of user input sanitization, earned a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) for how it allowed attackers to access important business data, and execute database and management operations at will. It came with a catch, though: A specific configuration was required to reach the vulnerable endpoint, where the treasure lay.

In a new blog post, researchers from watchTowr noted that "No sensible admin would do this" — referring to the undisclosed configuration — so the risk to reliable organizations was low. However, the researchers went on to discover a path traversal vulnerability in MiCollab — not to mention a third, arbitrary file-read vulnerability — which rendered that one lone defense moot.

**The New MiCollab Exploit Chain**

At Black Hat six years ago, a researcher going by the moniker Orange Tsai presented research exposing issues with how Web applications handle path normalization. Using special characters in URLs, attackers could trick Web servers into giving them access to files and directories they shouldn't be able to access.

Researchers from watchTowr put this logic to the test while toying with CVE-2024-35286. Working with an Apache configuration for MiCollab published to the Web back in 2009, they discovered that they could use the input "..;/" to bypass all roadblocks on the way to the vulnerable endpoint — "/npm-admin" from the NuPoint Unified Messaging (UM) component of the platform — with no authentication required. This stacked vulnerability was acknowledged as CVE-2024-41713, and given a "high" CVSS score of 7.5.

CVE-2024-41713 gave new life to the older CVE-2024-35286, and then the researchers discovered yet another zero-day allowing for arbitrary file read, which hasn't been assigned a CVE label or CVSS score. The three work best in combination: CVE-2024-41713 lubricating initial access, the arbitrary file-read issue providing visibility into files across the system, and CVE-2024-35286 enabling any number of malicious operations thereon. For its part, watchTowr published a proof-of-concept (PoC) exploit to GitHub that combines the first two.

"Based on public sources, there are over 10,000 publicly exposed Mitel MiCollab devices," notes Mayuresh Dani, manager of security research at the Qualys Threat Research Unit. "Provided that NuPoint Unified Messaging (NPM) is enabled, a remote threat actor can use CVE-2024-41713 and the \[file-read\] zero-day to access arbitrary files on affected devices."

Which is exactly what the proof-of-concept code does, he adds. "It does so by accessing the npm-pwg directory and invoking the Reconcile Wizard, which is normally used to generate system reports. If the attacker gets ahold of sensitive files containing authentication information on the device, this could be used to gain access to the device and possibly snoop on conversations flowing through the vulnerable instance."

**Hacking Enterprise Communications**

An email arrives in an employee's inbox from their boss. "Hi, please wire a payment to our contractor at \[bank account number\] immediately." The number one thing employees are told, to screen scams like this, is to call their boss to confirm the legitimacy of the email. But what if their phone system itself is breached?

"The vulnerabilities in Mitel MiCollab highlight a growing trend of attackers targeting communication platforms to gain access to sensitive systems," says Callie Guenther, senior manager of cyber threat research at Critical Start. Besides intercepting or blocking an organization's central lines of communication, snooping on employees, or simply causing a general havoc, attackers can also use a platform like MiCollab to facilitate any number of other kinds of cyberattacks. "Similar issues have been exploited in the past, such as the 2022 Mitel MiVoice Connect vulnerability (CVE-2022-29499), which ransomware groups used to deploy Web shells and move laterally through networks," she notes.

Both named CVEs have been patched as of Oct. 9. Mitel acknowledged the arbitrary file-read bug, but hasn't yet patched it at the time of publication. Organizations with MiCollab up to date are covered most of the way, though, as this last issue requires authentication to exploit.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Bypass Bug Revives Critical N-Day in Mitel MiCollab

At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn.

Source: baosheng feng via Alamy Stock Photo

NEWS BRIEF

A fierce Android remote access Trojan (RAT), dubbed "DroidBot," is using spyware features like keylogging and monitoring, as well as inbound and outbound data transmission, to steal data from banks, cryptocurrency exchanges, and other national organizations. But the real concern cybersecurity analysts have about the DroidBot banking Trojan is its apparent expansion into a full-on malware-as-a-service operation.

Researchers behind the discovery warned the DroidBot RAT has been active since mid-2024 and is already in heavy rotation among at least 17 affiliate groups, and has been used in 77 cyberattacks on organizations in France, Italy, Portugal, and Spain, according to a report from Cleafy. Further, evidence indicates the DroidBot Android banking Trojan is being continuously updated and is possibly on the precipice of spilling over into Latin America.

Analysis showed the developers are native Turkish speakers but have started to expand into Spanish-speaking countries, which researchers said was a sign of the operation's intent to expand into Central and South America.

"Inconsistencies observed across multiple samples indicate that this malware is still under active development," the report said. "These inconsistencies include placeholder functions, such as root checks, different levels of obfuscation, and multi-stage unpacking. Such variations suggest ongoing efforts to enhance the malware's effectiveness and tailor it to specific environments."

**Android Banking Trojan-as-a-Service Emerges**

In order to drop DroidBot, adversaries hide the malware in malicious banking applications and other ubiquitous applications, the researchers said, which is hardly new.

The RAT's novelty, according to the researchers, is the use of surveillance tools including SMS message interception, keylogging, and periodically capturing screen shots of the victim device. The malware also leverages accessibility services to allow threat actors to remotely execute commands and operate the victim's device.

"Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience," the report explained. "Recent examples of Android banking Trojans adopting this protocol include Copybara and BRATA/AmexTroll."

Technical specs aside, Cleafy researchers raised the alarm that the rise of what appears to be a new banking RAT-as-a-service business model is a significant shift in the threat landscape.

"\[W\]hile the technical difficulties are not so high, the real point of concern lies in this new model of distribution and affiliation, which would elevate the monitoring of the attack surface to a whole new level," the report said. "This could be a critical point, as changing the scale of such an important data set could significantly increase the cognitive load."

**About the Author**

Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges

AI-powered tools are making cybersecurity tasks easier to solve, as well as easier for the team to handle.

Security professionals say adding large language model (LLM) and generative artificial intelligence (GenAI) capabilities to security programs improves efficiency in threat detection and increases productivity of analysts, according to Dark Reading's latest research on enterprise security. Efficiency and effectiveness were recurring themes.

In Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity Survey, the top three benefits of using GenAI and LLMs in a cybersecurity program were more efficient threat detection (28%), improved analyst productivity and efficiency (27%), and better threat intelligence analysis (23%).

The promise of AI tools is enhancing the analysts' performance. Almost one-fifth (19%) of respondents said they appreciated how AI helped generate reports faster, while the same number (19%) liked how AI-infused technologies learn and adapt from new information. Fifteen percent felt the pressure lift from AI's ability to analyze security alerts to reduce false positives, while another 15% appreciated how the technology helped them discover and reduce misconfigurations.

Cybersecurity practitioners also saw value in active uses for AI, such as proactive threat hunting (16%), greater user behavior analysis (15%), improved incident response (15%), and a better security posture (11%).

There are also benefits to the business side. LLM tools can optimize resources (13%) to help make an organization's network more efficient and reduce costs (9%). Respondents also see ways GenAI can scale up their operations (12%), as well as improve cybersecurity response by supplementing the skills of the current team (12%). On the budgeting side, LLM use can reduce both the need for additional headcount (11%) and costs of operation (9%).

For more on the impact of AI and ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

LLMs Raise Efficiency, Productivity of Cybersecurity Teams

The emerging threat actor, potentially a Chinese state-sponsored APT, is using the known exploit kit Moonshine in cross-platform attacks that deliver a previously undisclosed backdoor called "DarkNimbus" to ethnic minorities, including Tibetans.

Source: BeeBright via Shutterstock

A newly identified cyber-threat operation is using a known exploit kit to target security vulnerabilities in the popular WeChat app, to deliver previously unreported spyware to both Android and Windows devices belonging to the Tibetan and Uyghur ethnic-minority communities in China.

A group that researchers at Trend Micro are tracking as Earth Minotaur is wielding the Moonshine exploit kit, which first surfaced in 2019, to deliver a backdoor called DarkNimbus. The malware can steal data and monitor device activity, they revealed in a blog post published today, while Moonshine typically targets vulnerabilities in instant messaging apps on Android devices to deliver the malware. It also exploits multiple known vulnerabilities in Chromium-based browsers. The latest version of the kit discovered by Trend Micro has been upgraded with "newer vulnerabilities and more protections to deter analysis of security researchers," the researchers wrote.

The attacks begin as carefully crafted messages aiming to lure victims into clicking on an embedded malicious link, which typically claims to be related to government announcements; relevant Chinese news topics, such as COVID-19, religion, or stories about Tibetans or Uyghurs; or Chinese travel information. Attackers "disguise themselves as different characters on chats to increase the success of their social engineering attacks," the researchers wrote.

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

The ultimate payload, DarkNimbus, is "a comprehensive Android surveillance tool" that starts by collecting basic information from the infected device, installed apps, and geolocation systems. It goes on to steal personal information, including contact lists, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple messaging apps. DarkNimbus also can record calls, take photos and screenshots, file operations, and execute commands, the researchers added.

**Novel Cyberattack Actor, Familiar Tools & Targets**

The researchers believe Earth Minotaur is a new threat actor, though the group isn't the first to use the Moonshine toolkit, they wrote.

"In the first report of Moonshine exploit kit in 2019, the threat actor using the toolkit was named Poison Carp," according to the post. However, the researchers did not find connections between Earth Minotaur and that group, they said.

"The backdoor DarkNimbus had been developed in 2018 but was not found in any of Poison Carp's previous activity," the researchers wrote. "Therefore, we categorize them as two different intrusion sets." At this time, there are at least 55 Moonshine exploit kits being actively used by threat actors in the wild, they said.

Related:CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat

Moonshine was first discovered as part of a malicious campaign against the Tibetan community, and it's also associated with previous malicious activity against Uyghurs. Both groups are ethic minorities in China that face discrimination and surveillance by the Chinese government, and both are the key targets of Earth Minotaur, the researchers said. While it's likely the group is an advanced persistent threat (APT) backed by China, the researchers did not have enough evidence to make a definitive connection, they said.

**Defending Against Persistent Threats**

Earth Minotaur's activities and use of Moonshine share similarities with two previously identified threat campaigns. One, identified in 2002, spread an Android malware called BadBazaar along with Moonshine via Uyghur-language sites and social media.

BadBazaar then resurfaced later in broader attacks against users in several countries that delivered the malware via Trojanized versions of the Signal and Telegram messaging apps, in an attack vector similar to the one Earth Minotaur was seen employing.

To prevent similar attacks, Trend Micro suggested some basics. One, that people exercise caution when clicking on links embedded on suspicious messages, "as these may lead to malicious servers like those of Moonshine compromising their devices," the researchers wrote.

Related:Venom Spider Spins Web of New Malware for MaaS Platform

They also recommended regularly updating applications to the latest versions, as Moonshine takes advantage of flaws to conduct its malicious activities.

"These updates offer essential security improvements to protect against known vulnerabilities," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Earth Minotaur' Exploits WeChat Bugs, Sends Spyware to Uyghurs

By understanding the unique challenges of protecting IoT and OT devices, organizations can safeguard these critical assets against evolving cyber threats.

Malleswar Reddy Yerabolu, Senior Security Engineer, North Carolina Department of Health and Human Services

December 5, 2024

4 Min Read

Source: Nicholas Klein via Alamy Stock Photo

COMMENTARY

As Internet of Things (IoT) andoperational technology (OT) devices proliferate across critical infrastructure, manufacturing, healthcare, and other sectors, they bring with them unique and significant security challenges. These devices are increasingly woven into the fabric of everyday business operations, making them essential, yet difficult to secure. While vulnerability management is a well-understood practice in traditional IT environments, IoT and OT introduce complexities that render many of these traditional practices less effective, if not completely obsolete. Here are some of the key challenges, along with strategies for tackling them.

**1\. Device Diversity and Legacy Systems**

IoT and OT environments consist of an eclectic mix of devices that vary greatly in age, functionality, and design. For example, a manufacturing plant might have sensors and controllers that are 20 years old sitting alongside cutting-edge IoT devices. Each device often has a unique operating system and set of protocols, which complicates vulnerability assessments and patch management. Furthermore, many of these legacy systems were designed without security in mind, and their manufacturers may no longer support them.

Solution: Given the heterogeneous nature of these devices, it's crucial to take a risk-based approach. Prioritize the most critical systems and those with the highest vulnerability impact. In some cases, implementing compensating controls, such as network segmentation or increased monitoring, can mitigate risks when patching is not an option.

**2\. Resource Constraints and Limited Patching Options**

Unlike IT systems, many IoT and OT devices have limited processing power, memory, and storage, which makes it challenging to run security software or apply frequent updates. Additionally, many OT devices can't be easily patched or updated without downtime, which can be costly in critical industries like healthcare or manufacturing.

Solution: To mitigate the limitations of patching, consider adopting lightweight vulnerability scanning tools that are specifically designed for IoT and OT environments. Moreover, focus on securing device access by implementing strict authentication controls and isolating critical devices in dedicated network segments.

**3\. Operational Disruption and Downtime**

The need to keep OT systems operational 24/7 is often at odds with the requirements of effective vulnerability management. For instance, in a power plant or factory, even a brief downtime for patching could result in significant financial losses and potential safety risks.

Solution: Careful planning and collaboration between IT and OT teams are essential to manage these trade-offs. Schedule updates and vulnerability scans during maintenance windows and consider redundancy strategies to minimize impact. Additionally, organizations can implement patch-testing in lab environments to ensure compatibility before deploying to production.

**4\. Inadequate Security Protocols and Access Controls**

Many IoT and OT devices lack robust security protocols, making them prime targets for attackers. For example, default passwords and insecure network protocols are common in legacy OT systems, and many IoT devices lack strong encryption or authentication mechanisms. This lack of security leads to increased risk of unauthorized access and exploitation.

Solution: Start by enforcing strict access control policies, such as unique credentials and multifactor authentication. Implementing network segmentation to isolate vulnerable devices from other parts of the network can further limit exposure. Adopting a zero-trust model for IoT and OT environments can also help mitigate the risks associated with inadequate authentication and access controls.

**5\. Limited Security Visibility**

Gaining visibility into IoT and OT environments is challenging, due to their complex and often isolated nature. Many traditional IT security tools are not equipped to monitor these environments effectively, leaving security teams with blind spots that attackers can exploit.

Solution: Organizations should invest in IoT/OT-specific monitoring and security solutions. These tools can provide real-time alerts on suspicious activity and give security teams the visibility they need to identify potential vulnerabilities. Integrating these solutions with security information and event management (SIEM) systems can also help provide a comprehensive view of the entire network.

**Conclusion**

Vulnerability management in IoT and OT environments is not a simple matter of applying traditional IT security practices. These devices require tailored approaches that take into account their unique constraints and critical roles. By adopting a risk-based approach, enforcing strict access controls, and investing in specialized monitoring tools, organizations can begin to address these challenges effectively. While IoT and OT environments may not achieve the same level of security as traditional IT systems, these strategies can help reduce risk and build a more resilient security posture.

Managing vulnerabilities in IoT and OT is a complex but increasingly necessary task. By understanding the unique challenges and implementing targeted solutions, organizations can safeguard these critical assets against evolving cyber threats. After all, security isn't just about what you protect, but how you adapt your strategies to the changing landscape. 

**About the Author**

Senior Security Engineer, North Carolina Department of Health and Human Services

Malleswar Reddy Yerabolu is a senior security engineer with more than seven years of experience in vulnerability management, threat analysis, and security architecture across financial, hospitality, government, and communication sectors. He specializes in leveraging AI, machine learning (ML), and natural language processing (NLP) to enhance threat detection and automate security processes. His research focuses on integrating AI and NLP to optimize cybersecurity solutions. Malleswar’s innovative approach helps organizations reduce risks and strengthen their defenses against evolving cyber threats. He holds a master’s degree in computer engineering from California State University.

Source

DARKReading