There will be four major categories in the 2025 retread of the hacking competition, with prizes ranging for each challenge, from $20,000 to half a million.

Source: Zoonar GmbH via Alamy Stock Photo

The Pwn20wn Automotive contest will be returning to Tokyo in 2025 for its second year, offering a new set of challenges and winnings of more than $1 million in cash and prizes.

A random drawing will determine the schedule of attempts the day before the contest begins, focusing on four categories: Tesla, in-vehicle infotainment (IVI), electric vehicle chargers, and operating systems.

Each of these categories have individual targets and vary in prize amounts. In the Tesla category, the highest prize is half a million dollars for the Autopilot target in the "full remote with unconfined root" subcategory. The other three categories have fewer targets and smaller prize offerings, ranging from $20,000 to $60,000. Points are accumulated for each successful attempt on each target, and the participant with the most points by the end of the competition will earn the Master of Pwn crown and instant Platinum status in 2026.

The rules of the contest can be found on the Zero Day Initiative (ZDI) website, and can change without notice, so participants should regularly update themselves on the guidelines. Registration closes on Jan. 16, 2025, at 5 p.m. Japanese Standard Time.

**About the Author**

Pwn2Own Auto Offers $500K for Tesla Hacks

The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.

Source: BSIP SA via Alamy Stock Photo

A freshly discovered advanced persistent threat (APT) dubbed "Salt Typhoon" has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

Citing "people familiar with the matter," the Wall Street Journal broke the news on Sept. 25 that the Chinese-sponsored state hackers have successfully targeted "a handful" of cable and broadband service providers during the campaign.

Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.

**A Sprinkle of Espionage, A Dash of Pre-Positioning**

For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies. 

"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISP's users, where they live and billing information, and what kind of access or usage they have, \[who they call, and\] text messages."

But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.

"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from \[the Cybersecurity and Infrastructure Security Agency\] and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from 'blinking the lights' to dissuade US intervention to actively delaying or crippling a US response to Chinese activities."

There's precedent for that assessment. Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure — all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.

**China's Recipe: Targeting Telecom, ISPs, Critical Infrastructure**

The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.

For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.

There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda) that recently attacked Taiwanese government agencies, Filipino and Japanese military, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.  

On top of that, other China-linked groups have made a name for themselves in specifically targeting communications service providers, such as Mustang Panda, especially in Taiwan and other countries of interest.

"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create 'persistence' in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."

He adds that lurking and listening is a specialty: "While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered."

**Communications Service Provider Defenses Need Seasoning**

The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.

Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that firmware and supply chain attacks using core network gear could both be attack avenues against ISPs.

"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited, if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."

In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.

Still, "as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs

Though the critical vulnerability was patched in August, Ivanti is reminding customers to update as soon as possible as attacks from unauthenticated threat actors start circulating.

Source: Kristoffer Tripplaar via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) has added a third Ivanti vulnerability to the agency's Known Exploited Vulnerabilities (KEV) Catalog in as many weeks.

CVE-2024-7593 is a virtual traffic manager authentication bypass vulnerability that could be exploited by a remote unauthenticated attacker to bypass the admin panel and create their own admin accounts. The vulnerability stems from incorrect implementation of an authentication algorithm in older versions of Ivanti vTM.

The bug was given a high-severity core of 9.8 and was patched with the release of vTM versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, and 22.7R2 in August. 

At the time, Ivanti noted that a proof-of-concept was available and that customers should upgrade to the latest patched version of vTM as soon as possible. However, it's unclear whether the vulnerability is being exploited in the wild and, if so, who might be behind it.

As noted, this wouldn't be the first Ivanti vulnerability to come under active exploitation in recently; two flaws affecting the vendor's Cloud Service Appliance — CVE-2024-8963 and CVE-2024-8190 — have also been exploited by malicious actors.

**About the Author**

Third Ivanti Bug Comes Under Active Exploit, CISA Warns

While these threats remain a valid concern, US government agencies have doubled down on their assurances to the American public that election infrastructure is secure.

Source: Tetra Images via Alamy Stock Photo

COMMENTARY

Adversaries of the United States have been hard at work in advance of the 2024 presidential election. Rather than direct attacks against infrastructure such as voting machines, these nation-state actors — primarily from Russia, China, and Iran — are using cyber operations to stoke discord and influence election outcomes.

The good news is, US leaders have been preparing for these threats for years — and adversaries' efforts have largely been ineffective, despite significant resources invested. Even new artificial intelligence-powered tactics have resulted only in "incremental" productivity and content-generation gains, according to Meta.

Nevertheless, nation-state attacks are a concern. Covert influence campaigns are underway, attempting to: exploit university protests related to the Israel-Hamas conflict in order to erode Americans' trust in US institutions; reduce domestic support for providing military and financial aid to US allies like Ukraine; support and/or undermine political candidates based on whether their policies are perceived as favorable; and more.

**Russia Continues to Dominate Disruption**

Employing a whole-of-government strategy, the Russian government has been the most prolific adversary attempting to disrupt and influence US elections. Operations have increased since 2022, with Russia remaining the top source of disinformation networks disrupted on Facebook and Instagram. Russia recently attempted to impersonate US citizens and media organizations, and Meta has removed more than 5,000 accounts and pages linked to Russian propaganda network Doppelgänger since May 2024. Generative AI (GenAI) is also boosting Russia's capabilities, scaling campaigns via content creation, translation capabilities, and image creation.

Russian operatives have stood up several inauthentic news portals, taking advantage of the increasing trend among Americans to seek news from alternative sources. Fake news websites now outnumber legitimate local news sites, in large part thanks to Russia.

The war in Ukraine has not slowed these efforts, though the Kremlin has outsourced some cyber operations to private contractors.

Russia likely will promote candidates who oppose aid to Ukraine, attack those who support Ukraine, and undermine popular support for Ukraine in swing states.

Due to increased government and researcher scrutiny — such as the Department of Justice's criminal investigation into Americans who have collaborated with Russia's state television networks — Russia-backed campaigns have responded by significantly changing their tactics. Meta reported "notable shifts" in Doppelgänger's operational tactics in response to "aggressive enforcement." But these efforts are unlikely to impact Russia's long-term operations, given its deep pockets and near-unlimited resources. 

**Iran Rises in Prominence**

The government of Iran has emerged as a more significant threat this year than in previous election cycles. The US-Iranian relationship remains tense, and Iran's cyber activities are likely to continue as a tool of statecraft. Like Moscow, Tehran undoubtedly views the election as consequential for its own interests and will attempt to shape the outcome.

Iran's objective is to undermine confidence in democratic institutions and carry out aggressive cyber activities on multiple fronts to gather intelligence. Iranian cyberattacks recently attempted to access sensitive US election information. Other recent attacks targeted the Trump and Biden-Harris presidential campaigns, and breached the email of Roger Stone, a longtime Trump ally and political adviser.

Separate reporting indicates Iranian actors have also spent recent months creating fake news sites and impersonating activists, laying the groundwork to stoke division and potentially sway American voters this fall, especially in swing states.

**China Works to Divide Voters**

The Chinese government continues to amplify polarizing domestic issues ahead of the US elections, increasingly targeting specific candidates and parties. However, China's interference likely will remain limited compared with Russia and Iran, in order to avoid risking its diplomatic relations with the US government.

Nevertheless, Chinese influence campaigns have grown more sophisticated, including Spamouflage Dragon. China has also increased its use of AI-generated content. Chinese operatives use fake social media accounts to poll voters to identify and better understand the most divisive issues in American society. The number of these sock-puppet accounts, likely run by the Chinese Communist Party (CCP), have continued to steadily grow since their emergence in 2023. These operations have achieved very little organic engagement, despite thousands of assets being deployed. Still, there appears to be a clear effort to improve China's understanding of the American political landscape and become more effective at future interference.

**The US Retaliates With Disruption**

Disruption is the name of the game when it comes to defending against these threats. US government agencies continue to name and shame these activities, taking some wind out of adversaries' sails.

In the private sector, some companies are taking a more active approach to identifying influence operations, countering bogus accounts, and taking down infrastructure. Some of these efforts seem effective, with adversaries scrambling to stay operational.

However, tech layoffs have hampered teams responsible for trust and safety, and some social media platforms are retreating from the misinformation fight. The most dramatic pullback has been from social platform X, where misinformation now proliferates under the banner of free speech. The impact on US elections remains to be seen. 

Russia, China, Iran, and other adversaries will continue to target US elections because they know that a united, strong America is not in their own national interest. Thankfully, while these threats remain a valid concern, US government agencies have doubled down on their assurances to the American public that election infrastructure is more secure than ever.

**About the Author**

Cyber Threat Intelligence Analyst, LastPass

Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how geopolitical trends influence current threats. In her current role as cyber threat intelligence analyst at LastPass, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as vice president, cyber threat intelligence nation-state lead at Bank of America, where she specialized in defending against nation-state and criminal cyber threats. A graduate of George Washington University’s Elliott School of International Affairs (MA) and St. Edward’s University (BA), Stephanie currently lives in Washington, DC.

How Russia, China &amp; Iran Are Targeting US Elections

The advanced Python-based PysSilon malware can steal data, record keystrokes, and execute remote commands. The attackers behind it are promising to leak details of deleted X posts related to accused rapper and music producer Sean Combs.

Source: Photo 12 via Alamy Stock Photo

Threat actors are using the public's interest in a current scandal surrounding celebrity rapper Sean "Diddy" Combs to spread spyware, via files promising to reveal details of deleted posts related to Combs from the X social media platform.

Researchers have uncovered a version of the open source PySilon RAT, a remote access Trojan called "PdiddySploit" hiding in files posted online and then submitted to VirusTotal, according to analysis from Veriti Research published Sept. 24.

PySilon RAT is an advanced Python-based malware that can steal sensitive information, record keystrokes, capture screen activity, and execute remote commands, posing "serious threats to personal and organizational security," according to the post by Veriti.

Combs (aka P. Diddy), a rapper, record producer, and entrepreneur who has been in the public eye since the 1990s, is facing multiple charges of sexual assault and misconduct in New York, which has thrust him into the recent media spotlight. One area of acute public interest are controversial posts related to Combs and alleged illicit activity on X by fellow celebrities and musicians, such as Usher and Pink, as well as Combs himself that have since been deleted, according to Veriti.

"One of the most concerning aspects of this trend is the use of files related to Combs' social media activity, particularly from X.com," according to the post.

Related:Security Concerns Plague Emerging Chip Architecture

Specifically, the researchers uncovered files containing posts and replies from Combs' now-deleted account on VirusTotal, where they were uploaded by a user named @lamps\_apple. "These files are part of an automated process of 'collecting posts and replies,' but they pose a high risk because they can be easily armed with malicious payloads," according to Veriti.

**Taking Advantage of Current Events**

The activity demonstrates how attackers are quick to take advantage of current events or media stories of interest to the public to spread malware by weaponizing content related to them. One clear example of this activity was during the COVID-19 pandemic, when multiple phishing and other malicious campaigns leveraged public interest in the virus and other health-related topics to spread malware.

"Given the intense media coverage surrounding P. Diddy and other public figures, attackers are using these files to lure curious users into downloading them, only to be infected with malware," according to Veriti. "The fact that P. Diddy and others have deleted their social media content adds an additional layer of intrigue, tempting users to open these files to see what was deleted."

Related:How to Establish & Enhance Endpoint Security

PsySilon RAT — discovered in 2022 — also has seen a surge in recent use by multiple threat actors, with more than 300 samples reported on VirusTotal since June 2023, according to Cyble Research and Intelligence Labs (CRIL). Attackers use the malware to infiltrate systems, steal information, and even control devices remotely, according to Veriti.

PsySilon RAT is currently in version 3.6 and has been detected in numerous samples that imitate software, tools, and cracks, which likely originate from phishing websites, free software-downloading websites, and the like, according to Cyble.

Given the discovery of the RAT lurking behind the cover of PdiddySploit, it's likely that as the related scandal continues to attract attention, even more attackers will "leverage this malware to exploit public interest," according to Veriti.

**Don't Let Curiosity Cloud Safe Judgment**

It's perfectly natural for people to take an interest in trending topics and celebrity scandals, the researchers noted. However, that doesn't mean people should throw caution to the wind when interacting with any related files or content online.

"Curiosity can be dangerous," Veriti researchers warned, especially as attackers are well-versed in social engineering and "are always looking for ways to exploit human nature."

Related:RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary

To avoid falling prey to attackers aiming to capitalize on this and other news of public interest, Veriti advised that people avoid downloading suspicious files, especially if they encounter files claiming to contain deleted posts or exclusive content related to a celebrity scandal. They should always verify the source of these or any files before downloading something from the Internet, the researchers noted.

People also should be wary of email attachments because phishing emails remain a primary way that attackers spread malware. "If you receive an email with attachments related to the P. Diddy scandal, think twice before opening it," according to Veriti. Using up-to-date antivirus software and other protections to secure email accounts also effectively can delete malware or malicious files before they even reach someone's inbox.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sophisticated RAT Hides Behind P. Diddy Scandal Lures

To maintain AI leadership, Congress and regulatory agencies must recognize that our foreign competitors are working to surpass us.

Haiman Wong, Fellow, Cybersecurity & Emerging Threats, R Street Institute

September 25, 2024

3 Min Read

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

As a global leader in artificial intelligence (AI) innovation, the United States currently enjoys a significant competitive advantage economically, militarily, and technologically. To maintain this leadership, Congress and federal regulatory agencies must avoid complacency and recognize that our foreign competitors are diligently working to surpass us.

According to a recent report by the United Nations World Intellectual Property Organization, China filed more than 38,000 generative AI patents between 2014 and 2023, demonstrating its aggressive push to dominate AI advancement. This surge in patent activity underscores the critical need for the United States to accelerate its ongoing research and development efforts to maintain our global AI leadership.

To meet the demands of this moment, the US federal government must focus on three strategic AI research and development priorities that enhance our cyber resilience and national defense:

**1\. Clarifying the Definitions of Key AI-Related Terms**

Ambiguity and inconsistency in AI terminology continue to pose significant risks and challenges. Without precise and consistent definitions for key AI-related terms like "open source AI," "AI security," and "trustworthy AI," our country faces challenges in ensuring the responsible use of AI. Focused research and development efforts toward closing this gap can help create a more comprehensive and nuanced taxonomy, mapping out potential varying definitions and detailing parameters. For example, standardizing the term "AI security" could not only help promote secure development practices but also address emerging challenges like prompt injections and ensuring visibility into AI usage across organizations to prevent data leaks.

By systematically analyzing and standardizing terminology through collaborative efforts across academia, industry, and government stakeholders, the United States can lay a foundation for developing robust strategies that protect our national security and promote cyber resilience.

**2\. Developing a Scientific Understanding of AI**

A comprehensive scientific understanding of AI's limitations and capabilities is vital for assessing its impact and countering adversarial threats. The recent Private and Civil Liberties Oversight Board (PCLOB) AI Forum emphasized the importance of continuous research to measure AI's safety and reliability throughout its life cycle. To address this need, focused and strategically aligned research and development efforts are essential.

By developing ways to measure, test, audit, and evaluate AI capabilities, we can establish reliable methods to quantify AI's performance. These methods are critical for conducting accurate risk assessments and for our ability to continually improve AI systems and uses. Building a scientific understanding of AI, led by agencies like the National Institute of Standards and Technology (NIST) in collaboration with industry, academia, and other federal partners, will bolster our national and cybersecurity defenses by ensuring that AI systems are safe, reliable, and effective under various conditions and adversarial scenarios.

**3\. Developing AI Standards Adhering to US Mission and Values**

Establishing AI standards that reflect our mission and values, such as transparency and accountability, is crucial for maintaining national security. The PCLOB AI Forum also highlighted the importance of developing clear standards that guide acceptable and non-acceptable uses of AI, particularly in the intelligence community.

Research and development can support this effort by identifying best practices and creating robust frameworks that ensure AI technologies are deployed ethically and securely. By focusing on these priorities, we can ensure that AI advancements align with American values and strengthen our national security and cybersecurity. This makes the development of AI standards an urgent and essential aspect of AI research and development.

Recognizing AI's pivotal role in national security, policymakers have already made significant investments in its advancement. To ensure these efforts remain focused and strategically aligned, Congress must consider targeted legislative measures while empowering federal agencies to facilitate coordination, promote public-private partnerships, and set actionable research and development priorities that encourage innovation within these established guidelines.

By prioritizing the clarification of key AI-related terms, building a scientific understanding of AI, and establishing AI standards that adhere to our mission and values, the United States can maintain the momentum of our advancements in AI and meet our cyber resilience and national defense imperatives.

**About the Author**

Fellow, Cybersecurity & Emerging Threats, R Street Institute

Haiman Wong is a fellow for the R Street Institute’s Cybersecurity and Emerging Threats team. Outside of R Street, she serves as a co-chair in the AI Safety, Cybersecurity, and Inclusion Through Advanced Text Analytics minitrack at the Hawaii International Conference on System Sciences (HICSS). 

Before joining R Street, Haiman was a cyber threat intelligence associate and data scientist at Northern Trust, where she used NLP techniques to analyze more than a million cybersecurity logs. She also advised executive leadership on emerging cyber threat activities to shape the firm’s global cyber defense strategy. 

Haiman is a doctoral candidate at Purdue University, exploring the intersection of technology leadership in innovation and the influence of emerging technologies on the democratic exchange of digital information. She holds a master’s degree in data science with a cybersecurity concentration, and a bachelor’s degree in interdisciplinary studies (communications, legal institutions, economics, and government) from American University.

US May Be Losing the Race for Global AI Leadership

Crafty bad actors can infect all of an organization's virtual machines at once, rendering tier-one applications useless.

Morey Haber, Chief Security Officer, BeyondTrust

September 25, 2024

5 Min Read

Source: Panther Media via Alamy Stock Photo

COMMENTARY

For at least the past 20 years, virtual machines and enterprise-ready hypervisors were marketed, sold, and adopted as the future of server-based computing. Dedicated power-hungry servers sitting in racks on a raised floor were replaced by systems architected to host multiple virtual servers simultaneously and to optimize resources based on load. The time of idle RAM, underutilized networks, and free hard disk storage was transformed by load-balancing technology, shared resources, and CPU prioritization to minimize costs, energy, and footprint. The goals were achieved, and the technology worked.

When organizations began shifting their tier-one mission-critical servers to virtual machines, the need to provide redundancy and high availability to meet uptime service-level agreements became paramount. Virtual machine hypervisors introduced redundancy technology, mirroring, real-time backups, cold spares, and myriad other solutions to mitigate the risks of an outage both in hardware and software. This technology even included mitigations for the hypervisor itself, just in case it became fully unavailable.

However, what happens if all of your hypervisors become unavailable — in essence, if all of your virtual data centers went offline, including all redundancy? This risk was not a consideration in the past, based on the maturity of virtualization, but today it poses a real threat and is why tier-one applications should no longer be virtualized. Why? Read on.

**Hypervisor Attacks on the Rise**

In the past few years, hypervisors have been targeted in high-profile malware and ransomware attacks. Instead of just attacking the data on a server, or a server or workstation operating system, threat actors have become brazen in attacking hypervisors and encrypting all the virtual machines hosted by the system. And if the attack vector is crafty enough, it can infect all virtual machines and hypervisors, regardless of their geolocation and backup status, simultaneously. This essentially renders all technology hosted as a virtual machine — including your tier-one applications — useless and unable to complete their mission.

So how did this change come about? Vulnerabilities, exploits, poor identity security, malware, social engineering, and, of course, ransomware. To understand this risk, let us look at some exploits that affected VMware, a leading enterprise virtualization technology, and some of its key components.

According to CVE Details, since Jan. 1, 2020, there have been 334 reported vulnerabilities for all VMware solutions. Of those, 19% were critical and, if exploited, could lead to a compromise of the affected VMware solution.

However, at least two are especially important to this discussion, despite their age: CVE-2021-21974 and CVE-2020-3992. Each could lead to a full hypervisor outage if exploited. The obvious answer from many security professionals is to patch. However, when patching these vulnerabilities, the entire hypervisor generally needs to be taken offline and all virtual machines paused or stopped to complete the upgrade. If the environment is large, potentially dozens or even hundreds of virtual machines may need to come offline. That type of outage is typically lengthy and unacceptable for tier-one applications.

**Migrate to a More Fitting Solution**

Most organizations will avoid patching due to the downtime alone, instead using other mitigations to avoid exploitation. This, however, does not solve the problem. If the hypervisor or any of its components are exposed to the Internet, these vulnerabilities are ticking time bombs. Not patching critical vulnerabilities will lead to exploitation at some point. The rise in hypervisor-based vulnerabilities is increasing and will continue to escalate, as shown by CVE Details data.

Therefore, organizations have four potential solutions:

1.  Continue to include tier-one applications as virtual machines but ensure maintenance is up to date, accept downtime, and continue running as originally designed.
    
2.  Do not include tier-one applications in virtual environments. Deploy them as physical hardware and plan to patch them regularly as physical implementations to remediate the risks.
    
3.  Stop hosting tier-one applications in virtual environments and using dedicated hardware on-premises altogether. Move them to the cloud and let the provider maintain the application and hypervisor, as well as manage back-end risks like upgrades, for you.
    
4.  Modernize your ecosystem and migrate the tier-one application to a software-as-a-service (SaaS) solution.
    

Choosing your path requires some analysis and decisions before taking down your unpatched virtualized tier-one applications. First, categorize all applications by mission criticality. Is it a tier-one application, where any outage is unacceptable to the business, or a tier-two application, where downtime is acceptable (if it's minimal) for hypervisor patching? Next, which tier-one applications can be cloud-washed — that is, directly moved to a hypervisor in the cloud and maintained by the provider — or replaced by a modern SaaS solution? Most organizations prefer a SaaS solution because it does not need virtual machine maintenance like their on-premises counterparts. That is one of the biggest benefits of SaaS.

Once you have made these decisions, your organization needs to separate tier-one applications from on-premises hypervisors. Like any other technology migration, document all planning, testing, requirements, service-level agreements, and so forth so that you can measure success. In the end, however, the risk mitigation is priceless, since the business no longer has to accept the risk of unpatched hypervisors and the potential for mass exploitation of ransomware.

In my opinion, tier-one applications should not depend on hypervisors to ensure availability. Points of failure for such applications should be minimized. In recent years, attacks against hypervisors have proved that the risks are real and may no longer be acceptable to a business. This is why I believe tier-one applications should no longer be implemented using on-premises virtual machines.

**About the Author**

Chief Security Officer, BeyondTrust

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing intelligent identity and access security solutions, as well as BeyondTrust's own internal information security strategies.

Keep Tier-One Applications Out of Virtual Environments

Leaders in professional athletics lament the realities and risks of growth in connected stadium environments, social networks, and legalized gambling.

Source: Robert Landau via Alamy Stock Photo

Professional sporting events have long been prime targets for violent attacks and terrorism, given their vast audiences. In recent years, these events have become targets of cyberattacks as adversaries exploit venue operations to disrupt events, abuse payment systems for fraud, breach networks to steal data, and take advantage of how athletes interact with fans.

While game time is pivotal, there are many other vulnerabilities to which sports franchise operators and event organizers must apply resources, including a growing and increasingly fragmented ecosystem of stakeholders like broadcast and streaming partners, ticket distributors, and legalized gambling platforms.

"We've done pretty well so far," said Betsy Cooper, director of the Aspen Institute tech policy hub, during a panel at the 2024 Aspen Cyber Summit in Washington, DC. Despite the expanded threat, operators of major franchises, leagues, and international events (such as the Olympic games in Paris) believe their proactiveness has prevented devastating events that other industries have faced.

**1\. Athletes Need More Training**

Athletes are increasingly relying on social media and technology platforms to engage with fans and develop their brand. "I represent a lot of athletes, and a lot of them depend heavily on social media to build their brand and build their audience," Jaia Thomas — founder of Diverse Representation, a group of African American agents, attorneys, managers, PR reps, and financial advisors for athletes and entertainers — said during the panel discussion. "A lot of mistakes happen along the way, and they're not always the most tech-savvy people."

These athletes are also quite young and may be unaware that using these platforms exposes them to potential ransomware attacks or increased risks of being doxxed. "You're talking about kids, for the most part, that make up these teams, and the education piece needs to be strengthened," Eric Tysarczyk, senior vice president of the National Hockey League, said on the panel.

**2\. Event Attendees Are Vulnerable**

Now that most events only accept e-tickets, almost all attendees have phones with them. The NHL says fans need to take precautions with their mobile devices.

"Imagine if everyone that was in that arena is walking around with all their personal data taped to their back on a piece of paper, and how attractive that arena would be to a malicious actor to get in and just start cultivating all that data," Tysarczyk said.

**3\. Partnerships Are Critical for Major Events**

Reynold Hoover, the CEO of Los Angeles 2028 Olympic & Paralympic Games, told panel attendees that one of the reasons there were no disruptive cyberattacks during the Summer Olympics in Paris was due to information sharing across law enforcement and partners. The most notable activity leading up to the games was influence campaigns waged by Russian threat actors. "The Russians were very active in Paris, trying to disrupt," said Hoover, a former Army and National Guard lieutenant general with a background in military intelligence.

The Los Angeles Olympic Games in 2028 is expected to draw as many as 15 million visitors, 15,000 athletes, and 25,000 broadcasters across 800 different sporting events. Hoover said the committee is preparing for threat actors ranging from "goobers in their basements trying to do something stupid, all the way to nation-state actors."

The Los Angeles 2028 committee has partnered with the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the Federal Communications Commission, among other US agencies.

"We cannot do it alone," Hoover said. "It requires a public-private partnership and open and honest information sharing."

**4\. New Streaming Models Create New Challenges**

As all the major leagues expand their broadcast distribution rights to streaming providers, they can reach new audiences and gain new revenues. However, an attack that even briefly interrupts a broadcast could be costly in terms of lost advertising revenue, Tysarczyk said. "We're putting a lot of faith in those third-party operating techniques and what their cyber protections are," he said.

**5\. Legal Sports Betting Puts Premium on Inside Data**

Further, now that sports gambling is now legal in 38 US states, including Washington, DC, and Puerto Rico, stealing data is more lucrative for threat actors than ever. Non-public information, including health records and other proprietary statistics, is especially valuable. "\[It's\] the data that people use to develop trends and see where the wagers go and things like that," Tysarczyk said.

**6\. Expanded Partnerships Require Advanced Data Protection**

A broader ecosystem that shares increasing amounts of data needs to ensure that information is air-gapped, which was the focus in Paris this summer, Hoover said. "It really requires a partnership effort, and it was an all-hands-on-deck effort in Paris to defend the networks," he said. "It's a closed network, and so we are very concerned about the integrity of the sport, the safety of our athletes, and the safety of our fans that attend, and making sure that we can protect the data and keep that inbound and the right people are getting the right data."

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

6 Cybersecurity Headaches Sports Organizations Have to Worry About

The RISC-V chip architecture is gaining popularity worldwide, but the fact that it is easy to modify the processor design means it is also easy to introduce hard-to-patch vulnerabilities in the chips.

Source: Science Photo Library via Alamy Stock Photo

An emerging chip architecture gaining traction in smartphones, automotive technologies, and other electronics may find adoption stymied by security concerns.

Using x86 and ARM processors for hardware development can get expensive because of royalties that have to be paid to the owners (Intel and Arm). RISC-V is an instruction set on which customers can personalize silicon chips to meet their needs, much like how Lego blocks are put together. RISC-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

RISC-V is drawing interest among companies in the auto, critical infrastructure, and industrial sectors. For example, NASA is creating chips based on RISC-V that it intends to use in its space programs. Omdia estimates RISC-V shipments could tally 17 billion processors in 2030, improving 50% every year starting in 2024.

"46% of those processors are expected to be found in industrial applications, although the biggest growth over the forecast period will come in the automotive segment," Omdia said.

**Vulnerabilities in Designs**

RISC-V's open-source ethos is its biggest advantage, but also a liability: bad actors could introduce backdoors in the chip designs. Vulnerabilities in RISC-V chips used in automotive technology or critical infrastructure could be disastrous.

At Black Hat USA in August, researchers disclosed Ghostwrite, which allows users to bypass memory protection and access privileged memory in a RISC-V chip design called Xuantie C910. The Xuantie C910, designed by T-Head, a subsidiary of China-based Alibaba Group, received a lot of publicity when it was launched three years ago. It was one of the earliest RISC-V processors with a vector extension, which helps CPUs run demanding applications that include AI.

The vulnerability is particularly concerning because it affects the chip's proprietary vector extension, which wasn't properly implemented, says Fabian Thomas, a researcher in the group at CISPA Helmholtz Center for Information Security that discovered GhostWrite. Chip makers can patch the C910 by disabling the vector extension, but it will still be difficult to implement.

"People bought it and built 64-core machines because of that, and now we have to tell them to disable it," Thomas says.

**Shared Designs, Hard to Patch**

The issue is not in the RISC-V architecture itself, but in a faulty silicon implementation. Chip designers are enthusiastic about sharing RISC-V designs, but this means that designs with vulnerabilities may potentially be replicated and used in various areas. Resulting devices could be vulnerable to attack, and may be difficult to patch with microcode updates.

"The digital transformation happening in these sectors means they're all connected now, creating potential to exploit across all these very safety-critical systems," says Margaret Schmitt, a hardware security consultant.

It's already difficult to fix hardware vulnerabilities with firmware updates. The open nature of this chip architecture means it will be difficult to fix them in the field. "The silicon vulnerability is worse because you can't really fix them in the field in many cases... if it connects to critical infrastructure, this could be seen forever," says Alex Matrosov, CEO at Binarly.io.

There are hundreds of RISC-V designs available on GitHub to pick up, but security teams need to consider the risks of winding up with malicious chip designs with backdoors. "This is similar to open-source software projects where people \[make\] changes, saying 'I'm making it better,' but it's actually a backdoor or malware," Schmitt says.

The concern is especially heightened as the RISC-V architecture has become a priority for Russia and China, which are investing heavily in the technology to build homegrown chips. China and Russia ramped up RISC-V adoption after the U.S. banned the export of advanced chips to these countries amid trade and political hostilities.

The U.S. government has already talked about limiting RISC-V access to China, though that may be hard to do as the architecture is open source.

"You're seeing a potential basis for China to use this, a potential for unintended or intentionally added weaknesses to be a serious concern," says Schmitt.

**Working With Security Partners**

Organizations working with RISC-V chips on a shoestring budget may make the decision to sacrifice security, says Mike Eftimakis, vice president of strategy and ecosystem at Codasip, a software company.

"To be able to find a bug, you have to have the infrastructure behind you. It's very expensive and requires specialized knowledge, so it naturally shrinks the base of people who could potentially help with the verification of these devices," Eftimakis says.

Hardware security experts recommended going to established RISC-V companies with solid security processes, a strong customer base, and a good track record of designing chips. One example is Santa Clara, Calif.-based SiFive, which handles security analysis and rigorous compliance testing in its cores. The company has a large customer base that includes Google and NASA, a spokesman said in an email.

Another RISC-V company, Cupertino, Calif-based Ventana Micro Systems, uses the Caliptra specification to put security features directly in computing chips. Caliptra was developed by the Open Compute Project, a coalition which includes Google, Microsoft, AMD, and Nvidia.

Ventana Micro leaders have extensive experience working with x86 and ARM architectures, and are using that experience to secure RISC-V chips. "We applied these learnings during our ground-up development and have many patented features targeted at making our microarchitecture resilient to attacks," a company spokesperson said in an email.

**About the Author**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Security Concerns Plague Emerging Chip Architecture

A water treatment facility in a small city took serious precautions to prevent any bad outcomes from a hazy cyber incident.

Source: Dmitry Kaminsky via Alamy Stock Photo

The water treatment facility for a small city in Kansas experienced a "cybersecurity incident" on the morning of Sept. 22.

Arkansas City — population 12,000, a two-hour drive north of Oklahoma City — sits at the junction of the Walnut and Arkansas Rivers, the latter of which supplies the town's drinking water. A notice from the city's Environmental Services Administration revealed that on Sept. 22, its treatment facility experienced a "cybersecurity incident." Authorities were contacted and precautionary measures taken. Most notably, the facility moved to fully manual operations — a temporary decision made "out of caution," according to city manager Randy Frazer in the notice.

"Despite the incident, the water supply remains completely safe, and there has been no disruption to service," Frazer wrote. "Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period."

The administration added that "Cybersecurity experts and government authorities are working to resolve the situation and return the facility to normal operations. Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents."

Dark Reading has reached out to Arkansas City for more information about the incident. In lieu of details, Shawn Waldman, CEO and founder of Secure Cyber, points out that a switch to manual operations could indicate some degree of seriousness.

"In a breach that we investigated last November, we actually never went to manual mode," he recalls. "We were able to isolate the human-machine interfaces (HMIs) and keep the Russian malware contained, and we let the plant operate as normal. There's a lot of strain on employees when you put a plant in manual mode. That's the last case scenario — you don't want to go into manual mode unless you have to."

**The Problem With State-of-the-Art Systems**

Industrial control systems have long struggled to match old, legacy equipment to the demands of modern day cybersecurity.

Less often spoken of is the opposite problem: newer facilities designed with greater connectivity in mind, which introduce attack surfaces that the dinosaur, often analog machines, didn't have.

The new 5.4 million-gallon-per-day water treatment facility in Arkansas City opened in February 2018. It cost $22 million to build, and sports "advanced technology" estimated to save the city up to 20% on operational and maintenance costs. The exact nature of its cybersecurity posture is unknown. 

"Just because a city comes out and says: 'We just upgraded everything, and it's all new, and we should be good' — well, that's great, but what about cybersecurity?" asks Waldman. "Some cities are not making a proper investment into securing their critical infrastructure.

"My city did that exact thing: I know for a fact that they did not upgrade cybersecurity, but they spent around $14 million or more to upgrade all the infrastructure."

To ensure that cities don't leave security out of their budgets, Waldman says, "The EPA and Congress need to step up and get that new EPA standard for cybersecurity passed. They tried to do it before, and then they got sued. And what did we give up? Weeks after that, Iran launched a bunch of attacks on the water systems in the United States. Because, big surprise, Iran reads the US news."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading