The $2.65B buy validates the growing importance of threat intelligence to enterprise security strategies.

Source: incamerastock via Alamy Stock Photo

Mastercard's $2.65 billion acquisition of Recorded Future has focused attention on the increasing value of cyber-threat intelligence (CTI) to enterprise security strategies.

Security experts in the space perceive the deal as validating the business criticality of CTI and accelerating its mainstream adoption.

**A Multibillion-Dollar Bet**

Mastercard on Sept. 12 announced it had agreed to acquire Recorded Future for $2.65 billion — nearly equivalent to the cumulative amount it paid in nine previous purchases of cybersecurity vendors. Mastercard has said it will leverage Recorded Future's threat intelligence capabilities to bolster its own anti-fraud capabilities and to strengthen the third-party services it delivers via previous acquisitions such as RiskRecon.

The deal is expected to close in Q1 of 2025.

Fernando Montenegro, an analyst with Omdia, says Mastercard's acquisition aligns with the financial firm's efforts to integrate multiple capabilities around its suite of anti-fraud services. "One of the key components of successful anti-fraud initiatives is accurate threat intelligence, so it makes sense for Mastercard to improve their capabilities there," Montenegro says. "I think the deal shows that threat intelligence can be immensely valuable not only to pure-play cybersecurity efforts, but to broader anti-fraud initiatives as well."

The Business Research Company expects demand for cyber-threat intelligence services to hit some $11.5 billion in revenue in 2024, and to more than double to $25.68 billion in 2028, at a compound annual growth rate (CAGR) of 21.7%. The analyst firm identified the primary growth drivers as an increase in the volume and sophistication of cyberattacks, cloud adoption, a constantly expanding attack surface, and increasing regulatory pressures. Others, like Statista think the market is currently even larger — $14.59 billion in 2023 — but have a more modest annual growth rate expectation of 14.7% between now and 2030.

**Validation for CTI?**

Beenu Arora, CEO and co-founder of Cyble, sees the pending transaction as further cementing the role of threat intelligence in business strategies. The rapidly changing and increasingly sophisticated threat landscape has increased the importance of intelligence on emerging threats, threat groups, and their tactics, techniques, and procedures, Arora says. Now perceived as a highly technical component of SecOps, CTI has moved to front and center of security strategy at a growing number of organizations.

"If you speak to any seasoned CTO, CISO, or chief executive, there’s always concern about how they can make the right decisions" around what assets to protect, how, and against whom, Arora says. "Over the last 10 to 15 years, I think there has been much greater awareness with regard to how threat intelligence can sit at the center of day-to-day decision making for the business, whether that’s managing risk, safeguarding assets, or using external intelligence to help guide business decisions."

Analyst firm IT-Harvest, which maintains a dashboard tracking the performance of more than 4,050 cybersecurity vendors globally, counts 123 vendors as currently engaged in the cyber-threat intelligence space. Of that number, 63 have experienced headcount growth this year. Mastercard's recent acquisition underscores the value these vendors can bring to enterprise security strategies, says Richard Stiennon, chief research analyst at IT-Harvest.

"I think the acquisition is good for the 122 other threat intelligence vendors whose prospects will improve in the eyes of investors," Stiennon says.

The $2.65 billion that Mastercard has agreed to pay for Recorded Future is roughly 6.5 times the latter's annual revenue run rate. While that valuation is less than the 10-times valuations that cybersecurity firms garnered back in 2021 and 2022, it still is a healthy number, Stiennon says.

Many of the organizations that deliver CTI services, such as Recorded Future, Group-IB Flashpoint, and Digital Shadows, are what might be regarded as pure-play vendors in the space. Others, such as Mandiant, CrowdStrike, Kaspersky, IBM X-Force, Cisco Talos, and Palo Alto Networks, deliver threat intelligence as part of a broader portfolio of security services. All these vendors use a combination of open source intelligence (OSINT) and information from proprietary sources to deliver their CTI feeds.

"The acquisition validates the widespread, growing recognition that threat intelligence is no longer a complement to an organization's security posture," says Josh Lefkowitz, founder and CEO of Flashpoint. Organizations and government agencies are using threat intelligence to combat ransomware, protect data, lock down supply chains, prioritize critical vulnerabilities, and protect their people and assets.

"I’m constantly speaking with security leaders at organizations that consider these applications of threat intelligence critical to their daily operations," Lefkowitz notes.

He adds that Mastercard's Recorded Future purchase is bringing attention to the board level of the business criticality of CTI.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

Cyber ranges are a great way for cyber professionals to keep up on emerging threats and new technologies — while having a little fun.

Source: dpa picture alliance via Alamy Stock Photo

Staying on top of the evolving cyber threat landscape can be a challenge for cybersecurity professionals. The daily grind of the job leaves little time for mastering the latest threats and tools, but cyber ranges offer a way to keep skills fresh — and maybe have a little bit of fun at the same time.

Governments, universities, and workplace training organizations have been running these simulated training environments, which give users a place to practice using the networks, systems, tools, and applications they will encounter on the job, for more than two decades. Yet cyber ranges remain a vital tool in the arsenal of the cyber professional looking to stay on top of emerging threats and new technologies.

Most recently, last month the National Aviation University in Ukraine launched the Cyber Range UA, a virtual platform dedicated to simulating real-world attacks, as part of an effort to provide cybersecurity training in Ukraine. And last October the US Navy announced the opening of the Department of Defense's fourth cyber range, the National Cyber Range at Naval Air Station Patuxent River, dedicated to testing and training initiatives for aircraft, their subsystems, and supportive technologies. Its other cyber range facilities focus on the Air Force, submarines and ships, and mission-force training.

"On top of being the most capable, defense technology is also required to be cyber-resilient," said John Ross, deputy director of the National Cyber Range, part of the Naval Air Warfare Center Aircraft Division (NAWCAD), in a statement. "We harden warfighter systems by performing vulnerability assessments and recommending mitigations — ultimately preventing adversaries from stealing our data or defeating our technology."

**Cyber Ranges as a Business**

But cyber ranges aren't all wargames. In the private sector, the SANS Institute has been running its NetWars cyber range competition since 2009 for the wider cybersecurity community, and its free Holiday Hack Challenge has about 20,000 participants annually. SANS holds a variety of cyber range competitions for individuals and teams, all focused on making sure cybersecurity professionals are at the top of their game.

"How do you maintain mission preparedness? How do you make sure that you're ready on a continuing basis? That's where ranges come in," says Ed Skoudis, president of the SANS Technology Institute, who leads the team that develops cyber ranges for SANS.

The organization designs its ranges to build real-world skills in a gaming environment. Some of the ranges are designed to be completed in three to six hours, while others can be accessed over the course of four months, depending on the complexity and time commitment users and companies are able to make. SANS also builds custom ranges for clients who are looking to bolster specific skill sets or experience business-relevant training simulations.

"Sometimes customers will come to us with a very specific need," Skoudis says. "They need something with certain specific content, maybe a particular mix of cloud providers, a particular SIEM solution, or particular challenges associated with certain applications or SaaS offerings. They'll come to us, and we will create custom ranges for them."

The team members make sure they're up-to-date on the current threat and technology environments by working as cybersecurity consultants or range designers.

"We'll learn things from the real world, build it in the range, see people attacking it and dissecting it, and doing all kinds of things with it, and then we can take that and apply it in our consulting services," Skoudis says. "So it's this virtuous cycle of consulting and range building."

At the same time, the designers are working to make participation as entertaining as it is practical, no matter how well they do, he adds.

"We try to make our ranges fun," Skoudis says. "I want the person who came in 92nd place ... to say, 'I really enjoyed that. I learned from it. I had a good time. I am a better cybersecurity professional for having participated in that range, even though I came in 92nd place.'"

**Gamification for National Security**

Singapore's Home Team Science & Technology (HTX) agency recently commissioned a custom cyber range from SANS to help boost the skills of its practitioners in an engaging way.

"The gamification of cybersecurity helps to raise awareness of new attack surfaces from emerging technologies, such as artificial intelligence (AI), in a more engaging manner," says Tay Sze Ying, head of cyber threat intelligence and hunting, xCybersecurity, at HTX. "It also allows the participants to better understand how such emerging technologies are used in the field of homeland security and the potential impact they have on daily lives. We also hoped that the participating teams could, through this initiative, explore how AI is useful in investigating cyber incidents on Internet of Things (IoT) devices, such as drones and networked cameras."

Leadership at the agency was looking for innovative ways to benchmark the team's cybersecurity competency on both a local and international level, and senior management was excited by the idea of gamification when it came to homeland security use cases, Tay says.

The team's biggest struggles came from finding ways to complete the project in the tight time frame.

"During this journey, we had to quickly adapt to the dynamics of organizing a large-scale physical event, articulate homeland security contexts to the challenge developers, and even validate each of the technical challenges within the cyber range," Tay says. "This was a truly enriching and memorable experience. Now that we have experience in doing this, we will explore creating more innovative competition formats in the future."

**Cyber Ranges Built Right In**

Companies are also dreaming up new ways to leverage cyber ranges for training and to differentiate their offerings from the competition. For example, managed detection and response provider Critical Start has worked a cyber range feature into its dashboard so that customers can practice responding to system alerts in real time. The cyber range feature is available to all of Critical Start's managed service customers for free, but it's also a valuable sales and onboarding tool, says Chris Carlson, chief product officer at Critical Start.

"While we hook them up to the security tools, and while we onboard their MDR service, their analysts now can start looking at curated and anonymized real-world alerts and get started right away," Carlson says. "Now they can start to practice and be prepared when these alerts start happening."

The offering is something the company hopes will be a highlight for customers, as it gives an easy way to keep training and learning how to combat emerging threats while on the job. The company will continue to update the range as threats develop in the wild.

"There's not a lot of training that kind of happens to cybersecurity professionals, right? They have certain credentials, they get the job, and they're doing the job 50 hours a week, and there's no time to learn," Carlson says. "This is now a built-in capability in the same platform where they do their day job."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Target Practice: Honing Critical Skills on Cyber Ranges

After launching an investigation in February into vehicles made by foreign adversaries, the Biden administration is finally making its move in the name of national security.

Source: Daniren via Alamy Stock Photo

The US Department of Commerce (DoC) today announced a proposed ban on the software and hardware made by foreign adversaries, particularly that of China and Russia, used in connected vehicles on US roads.

"Connected" vehicles are those with onboard network hardware that allows for Internet access, permitting them to share data with devices both inside and outside the vehicle.

This move is reportedly due to national security concerns and would ban nearly all Chinese vehicles from the US market. It would also prohibit the testing of self-driving cars in the US by foreign adversaries as well as force American automakers to remove the software and hardware from these adversaries in their vehicles.

"When foreign adversaries build software to make a vehicle, that means it can be used for surveillance, can be remotely controlled, which threatens the privacy and safety of Americans on the road," Commerce Secretary Gina Raimondo said in a briefing, noting that foreign adversaries could cause crashes and block roads in extreme circumstances. 

This isn't the first time automotive cybersecurity concerns have brought up by the Biden administration, however. Back in February, the White House launched an investigation into whether Chinese vehicle imports were a threat to national security — it's now clear that the administration found its answer. 

A senior administration official reportedly confirmed that while nearly all Chinese cars and trucks will be banned, foreign automakers of concern will be allowed to seek out special authorizations to be exempted from such regulations.

The proposal is expected to make the software ban effective in the 2027 model year and the hardware ban in the 2030 model year or January 2029. The public will have 30 days to comment on the proposal, and the Commerce Department expects to have it finalized by Jan. 20.

**About the Author**

Commerce Dept. Proposes Ban on Automotive Software &amp; Hardware From China, Russia

Data discovery and classification are foundational for data security, data governance, and data protection.

Todd Thiemann, Senior Analyst, Enterprise Strategy Group

September 23, 2024

3 Min Read

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

When it comes to your sensitive data, not knowing where your crown jewels are located and ensuring they are adequately secured can have catastrophic consequences. Data resilience is the subset of cyber resilience focused on an organization's data assets. Security teams need a strategic approach to data resilience — understanding where their sensitive data stores are located and what's inside — to effectively secure their data. 

Data discovery and classification are foundational for data security, data governance, and data protection (backup and recovery). You can't secure what you don't know exists (discovery), and you need to know what is inside a data store (classification) to take appropriate action to mitigate your risk. 

My latest Enterprise Strategy Group research, conducted with my colleague Jon Brown, explores how enterprises are ensuring data resilience, which is the intersection of data security posture management (DSPM), data security (hardening data with encryption, masking, etc.), data protection (backup and recovery), and data governance. We surveyed 370 IT and cybersecurity professionals from midmarket and enterprise companies about data resilience and DSPM. In the fast-evolving DSPM space, the research found that the first phase of a DSPM deployment to locate, categorize, and establish policies around sensitive data took less than six months for 76% of the respondents, with the largest cluster being four to six months for more than 40% of those responding. 

DSPM vendors differentiate themselves on the time to value (TTV) for their offerings, and the different technologies probably have a significant impact on TTV. Implementing DSPM is like any other project in combining people, process, and technology. Much of the time required to operationalize a technology deployment comes from the people and process side of the equation. While the TTV varies, in talking to various chief information security officers (CISOs) and vendors, we found that the typical steps in a project are:

*   Align stakeholders and plan.
    
*   Identify exposed data stores and mitigate.
    
*   Identify data stores with critical data.
    
*   Classify data (cardholder data for PCI DSS, protected health information, personally identifiable information, information covered by GDPR) to your organization's categories (public, internal, sensitive, restricted.
    
*   Identify/delegate data owners.
    
*   Identify users with access to sensitive/restricted data and validate access is needed (the stale access problem).
    
*   Restrict access to need to know, least privilege.
    
*   Identify misconfigurations and mitigate.
    

*   Determine necessary security controls to protect data based on classification.
    

In speaking to both security leaders and DSPM vendors, the initial step of achieving stakeholder alignment and planning for the rollout is probably the most important to project success. Here are all the steps:

*   Engage key stakeholders: Start by aligning key stakeholders, such as GRC (governance, risk, and compliance), data teams, IT data protection, cloud architects, and security teams. Ensure that everyone understands the objectives, benefits, and their respective roles in the DSPM deployment process. Focus on the win-win. 
    
*   Define goals, definitions, and metrics: Collaboratively establish the goals of the DSPM initiative, such as reducing data exposure, achieving compliance, improving overall data security posture, or facilitating generative AI deployment. Arrive at what data is sensitive to the business and data classification definitions. Agree on key performance indicators (KPIs) to measure progress and success. Planning upfront avoids or minimizes friction as the project progresses. 
    
*   Secure executive buy-in: Present a clear case to constituents, highlighting the importance of DSPM in mitigating data risks, achieving regulatory compliance, and supporting business goals. Ensure top-down support for resource allocation and prioritization. DSPM has many constituents, and getting executive buy-in ensures adequate resourcing and team responsiveness. 
    
*   Assign roles and responsibilities: Clearly define the responsibilities of each team. For example, GRC will focus on compliance and policy alignment, data teams will manage data classification and ownership, and security teams will oversee the implementation of security controls and monitoring. 
    

Getting off on the right foot and achieving alignment at project inception will increase your chances of overall DSPM project success. 

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Senior Analyst, Enterprise Strategy Group

Todd Thiemann is a senior analyst at the Enterprise Strategy Group, researching data security and identity and access management (IAM). He is an information security veteran with more than a decade of information security experience across a range of subjects including encryption, key management, IAM/authentication, identity security, and security operations at leading cybersecurity companies including Arctic Wolf Networks, Trend Micro, Vormetric/Thales, and Nok Nok Labs. He graduated from Georgetown University with a bachelor of science degree, and earned an MBA from the Anderson School at UCLA. He enjoys cybersecurity because it is ever-changing and continually challenges us to simply explain things while not losing essential nuance.

Data Security Posture Management: Accelerating Time to Value

The APT group uses spear-phishing and a vulnerability in a geospatial data-sharing server to compromise organizations in Taiwan, Japan, the Philippines, and South Korea.

Source: kb-photodesign via Shutterstock

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The group uses public cloud services for hosting malicious files, and appears not to be connected to other known advance persistent threat (APT) groups, although at least one analysis has found overlap between APT41 — also known as Wicked Panda and Brass Typhoon.

The majority of the group's infrastructure is based in China, and its attacks target nations of Chinese national interest, says Ted Lee, a threat researcher with Trend Micro.

"In recent campaigns, their primary targets are government agencies and other critical infrastructures — \[such as\] telecommunication — in the APAC region," he says. "In addition, we also found the decoy documents they used to lure victims are related to some significant conferences or international meetings."

The attack comes as China appears to be ramping up its attacks on governments and companies in the Asia-Pacific region. Operation Crimson Palace, a collection of three Chinese APT groups working in concert, has successfully compromised more than a dozen targets in Southeast Asia, including government agencies. In another recent case, a Chinese espionage group used a malicious fake document in an attempt to compromise systems at the US-Taiwan Business Council, prior to its 23rd US-Taiwan Defense Industry Conference.

**Spear-Phishing, With a Side of GeoServer**

The latest attacks primarily employ spear-phishing, either sending a file or a link, using regional conferences as a lure.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," Trend Micro stated in its analysis. "Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. However, due to limited information, we cannot accurately determine which sectors in China are affected."

In a limited number of cases, Trend Micro has noticed that the threat group uses a known flaw in the open source geospatial sharing service GeoServer to gain a beachhead within an organization. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

Whether it uses a vulnerability or spear-phishing, the next step is to use one of two techniques, dubbed GrimResource and AppDomainManager injection, to further compromise targeted systems.

Discovered in June, GrimResource uses a cross-site scripting (XSS) flaw to execute JavaScript on the victim's machine and, together with a second exploit, gain arbitrary code execution. AppDomainManager injection is an older — but still not widely known — technique that can be used to load run malicious code and is starting to be abused by state-backed groups, NTT Security stated in an analysis (via Google Translate).  
"Since this method is not widely known at this time, it is clear that it is a unilateral advantage for the attackers," the translated analysis stated. "As a result, there is concern about the possibility that such attacks will expand in the future."

**All Roads Lead to Cobalt Strike?**

Compromise in any case leads either to a custom backdoor known as EagleDoor, or the installation of an implant by a pirated version of the red-team tool Cobalt Strike, whose use is common among cybercriminal and cyber-espionage groups because of its powerful lateral movement and command-and-control (C2) capabilities.

In addition, the commonness of the tool means investigators gain no attribution information from its use, Trend Micro's Lee says.

"While its use can be a red flag, attackers often modify its components to evade detection," he says. "On the other hand, it’s difficult for analysts to finish group attribution based on Cobalt Strike because it is a shared tool used by many different groups."

The Cobalt Strike component drops two executables, Hook and Eagle, which make up the EagleDoor backdoor, which allows communication over DNS, HTTP, TCP, and Telegram. The commands are used to exfiltrate data from the victim's system and installing additional payloads, Trend Micro stated in its analysis.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

The FOCAL plan outlines baselines to synchronize cybersecurity priorities and policies across, as well as within, agencies.

Source: ronstik via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency released a plan to align the “collective operational defense capabilities” of federal agencies to reduce their cyber-risk. The plan’s focus is to have more synchronized and robust cyber defenses, improved communications, and better agility and resilience in the federal government.

For the most part, federal agencies built out their own defense capabilities based on the threats they are facing. As a result, the agencies vary widely in how effectively they manage risks, and there is no “no cohesive or consistent baseline security posture," CISA said. This discrepancy means despite investing in cybersecurity, the agencies are still vulnerable to threats.

“Collective operational defense is required to adequately reduce risk posed to more than 100 FCEB agencies and to address dynamic cyber threats to government services and data,” CISA said.

In the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, CISA sets out both “broad organizing concepts for federal cybersecurity” and tactical guidance agencies should implement. The plan covers daily activities and processes organizations should be using to defend their data and information systems, and spans five areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident response. It also sets collective security goals for the enterprise and provides a framework for coordinated support and services.

It is not intended to provide a comprehensive or exhaustive list of everything that an agency has to accomplish.

“The actions in the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience,” Jeff Greene, CISA’s executive assistant director for cybersecurity, said in a statement.

The essential components of FOCAL are “solid,” says John Vecchi, security strategist at Phosphorus Security. There are “very wide disparities” between agencies from a cyber maturity and culture perspective, but these agencies can achieve a “more consistent cybersecurity posture and baseline security hygiene” if FOCAL’s basics are implemented, Vecchi says.

However, accomplish a task of this magnitude can be challenge, Vecchi notes. Agency IT teams still need the staff, knowledge, and skills to actually deploy and implement the technologies and processes. The sheer number of security tools needed to accomplish the various elements in the plan could pose problems for agency security teams. While the focus on patching and vulnerability management is essential, these two areas are difficult to implement at scale.

It's also important to remember that about a third of the assets across these agencies represent smart devices, Internet of Things , operational technology, and embedded devices, Vecchi says. These types of systems are often out of compliance in terms of security hygiene.

“Resource allocation will most certainly be an issue here, but my guess is that the vast number of disparate teams and cultural differences across all of the agencies will present an even bigger and more immediate challenge,” Vecchi says. “It can be quite challenging for different teams within a single agency to collaborate effectively, let alone across so many unique, independent agencies and networks.”

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

CISA Releases Plan to Align Cybersecurity Across Federal Agencies

The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).

Source: Kristoffer Tripplaar via Alamy Stock Photo

Less than two weeks after patching one flaw, Ivanti announced on Sept. 19 that a second, critical Cloud Services Appliance (CSA) vulnerability is being exploited in the wild.

The vulnerability (CVE-2024-8963, CVSS 9.4) is a path traversal in Ivanti CSA that allows a remote, unauthenticated attacker to access restricted functionalities. Attackers have chained it to the previously disclosed flaw, CVE-2024-8190, which is a high-severity OS command injection flaw that can allow unauthorized access to devices. The chain can be exploited for remote code execution (RCE), if the attacker has admin-level privileges.

"If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance," the enterprise said.

The news comes during an ongoing series of security issues Ivanti has faced since 2023.

**Not First & Likely Not the Last**

Just this year alone, Ivanti has faced flaw after flaw; in February, the Cybersecurity and Infrastructure Security Agency (CISA) ordered Ivanti VPN appliances be disconnected, rebuilt, and reconfigured in 48 hours, after there were concerns that multiple threat actors were exploiting security flaws found in the systems.

In April, foreign nation-state hackers took advantage of vulnerable Ivanti gateway devices and attacked MITRE, breaking its 15-year streak of being incident free. And MITRE wasn’t alone in this, as thousands of Ivanti VPN instances were compromised due to two unpatched zero-day vulnerabilities.

And in August, Ivanti's Virtual Traffic Manager (vTM) harbored a critical vulnerability that could have led to authentication bypass and creation of an administrator user without the patch that the enterprise provided.

"These known but unpatched vulnerabilities have emerged a favorite target for attackers because they are easy to exploit and oftentimes organizations have no idea that devices with EOL systems are still running in their network," Greg Fitzgerald, co-founder of Sevco Security, said in an emailed statement to Dark Reading.

**Protection in an Ongoing Storm**

To mitigate this threat, Ivanti recommends that its customers upgrade the Ivanti CSA 4.6 to CSA 5.0. They can also update CSA 4.6 Patch 518 to Patch 519; however, this product has entered end of life, so it's recommended to upgrade to CSA 5.0 instead. 

In addition to this, Ivanti recommends that all customers ensure dual-homed CSA configurations with eth0 as an internal network.

Customers should review the CSA for modified or newly added administrators if they are concerned that they may have been compromised. If users have endpoint detection and response (EDR) installed, it's recommended to review those alerts as well. 

Users can request help or ask questions by logging a case or requesting a call through Ivanti's Success Portal.

Ivanti's Cloud Service Appliance Attacked via Second Vuln

A North Korean advanced persistent threat (APT) actor (aka Gleaming Pisces) tried to sneak simple backdoors into public software packages.

Source: Chronicle via Alamy Stock Photo

One of North Korea's most sophisticated threat groups has been hiding remote access malware for macOS and Linux inside of open source Python packages.

North Korean advanced persistent threats (APTs) have become notorious for certain characteristic types of cyberattack in recent years. There's the cryptocurrency scam, which can come in many forms — often a fake trading platform, where victims are lured into divulging their wallet information or downloading malware. Supply chain attacks are common, particularly via poisoned packages typosquatting on public repositories. An impish recent trend involves contracting actual, honest labor to Western companies under false pretenses, then sending the salaries earned back to Kim's state. The reverse — agents posing as tech recruiters, convincing developers to download malware — is also common.

The group, which Palo Alto's Unit 42 tracks as Gleaming Pisces (and Microsoft as Citrine Sleet), seems to have supplemented category one with category two. Active since 2018, the financially motivated, DPRK Reconnaissance General Bureau (RGB)-linked group is known for attacks weaponizing fake crypto platforms. Unit 42 now assesses with medium confidence that it was responsible for uploading a handful of malicious packages to the Python Package Index (PyPI) back in February. The packages have since been taken down.

**DPRK-Poisoned PyPI Packages**

Most packages uploaded to open source repositories are simple by nature. As Louis Lang, co-founder and chief technology officer (CTO) at Phylum recalls, "What was interesting about these packages was that there was a higher order of complexity than you typically find among benign packages."

Phylum had identified four packages worth taking a second look at: real-ids, minisound, coloredtxt, and beautifultext. The innocuous names seemed to allude to legitimate functionality, like syntax highlighting for terminal outputs.

In reality, the packages contained malicious code that would be decoded and executed upon download. The code would then run bash commands in order to retrieve and download a remote access Trojan (RAT) called "PondRAT."

PondRAT is an entirely simple backdoor, capable of just a few functions: uploading and downloading files, checking to see that an implant is active or instructing it to sleep, and executing commands issued by the operator. It is, in essence, a "light" version of PoolRAT. PoolRAT is a known Gleaming Pisces backdoor for macOS that has a half dozen more standard capabilities than its successor, like listing directories, deleting files, etc.

**No Need for Windows**

More notable than the malware itself may be the fact that its authors wrote it only for macOS and Linux systems.

Forgoing hackers' long preferred Windows operating system makes sense, though, when one considers Gleaming Pisces' typical audience. As Lang explains, "They're targeting the actual builders, CI/CD infrastructure, developer workstations — environments that are overwhelmingly going to be Linux or macOS based. Very few people are doing development on straight Windows. So if you are targeting developers, it makes sense to ship variants for these systems, because that's where your target population lives."

Developers, then, need to be alert to phishing attacks, like those fake crypto platforms and job recruitment scams. Because while it's rare that anyone might pull an unpopular, ultra-generic package from PyPI, it's entirely likely that that same package could be quietly integrated into a broader infection chain.

"If you add a package, it could have downstream impacts, where you're actually pulling in 30, 40 other packages it may \[be connected to\]. So if I was a developer, I'd be very cognizant of what I'm installing, and try to minimize the attack surface by minimizing the number packages I'm pulling in. And then, obviously, scan the packages — look for these zombies, look for high-entropy strings, look for code obfuscation," Lang suggests.

"Like we always say," he adds, "you're one update away from malware."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Citrine Sleet Poisons PyPI Packages With Mac &amp; Linux Malware

Critical-rated CVE-2024-20017 allows remote code execution (RCE) on a range of phones and Wi-Fi access points from a variety of OEMs.

Source: Ros Drinkwater via Alamy Stock Photo

A nearly max-critical zero-click vulnerability is impacting MediaTek Wi-Fi chipsets and driver bundles used in routers and smartphones from various manufacturers, including Ubiquiti, Xiaomi, and Netgear.

According to SonicWall Capture Labs researchers who found the issue (CVE-2024-20017, CVSS 9.8), exploitation would open the door to remote code execution (RCE) without user interaction, making the bug a conduit for easy device takeover. Making matters worse, a public proof-of-concept exploit (PoC) recently became available, they warned.

The issue affects MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02, and affected users should apply the available MediaTek patches as soon as possible.

In terms of the technical details, the vulnerability is an out-of-bounds write issue that resides in wappd, a network daemon responsible for configuring and managing wireless interfaces and access points.

"The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device's wireless interfaces, and communication channels between components via Unix domain sockets," the researchers explained in a blog post on the issue this week. "Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy."

**About the Author**

Zero-Click MediaTek Bug Opens Phones, Wi-Fi to Takeover

The company announced an update to its privacy policy, acknowledging it is using customer data to train its AI models.

Source: Chris Batson via Alamy Stock Photo

Professional social networking site LinkedIn allegedly used data from its users to train its artificial intelligence (AI) models, without alerting users it was doing so.

According to reports this week, LinkedIn hadn't refreshed its privacy policy to reflect the fact that it was harvesting user data for AI training purposes.

Blake Lawit, LinkedIn's senior vice president and general counsel, then posted on the company’s official blog that same day to announce that the company had corrected the oversight.

The updated policy, which includes a revised FAQ, confirms that contributions are automatically collected for AI training. According to the FAQ, LinkedIn's GenAI features could use personal data to make suggestions when posting.

**LinkedIn's AI Data-Gathering Is Automatic**

"When it comes to using members' data for generative AI training, we offer an opt-out setting," the LinkedIn post read. "Opting out means that LinkedIn and its affiliates won't use your personal data or content on LinkedIn to train models going forward, but does not affect training that has already taken place."

Shiva Nathan, founder and CEO of Onymos, expressed deep concern about LinkedIn's use of prior user data to train its AI models without clear consent or updates to its terms of service.

Related:Dark Reading Confidential: The CISO and the SEC

"Millions of LinkedIn users have been opted in by default, allowing their personal information to fuel AI systems," he said. "Why does this matter? Your data is personal and private. It fuels AI, but that shouldn’t come at the cost of your consent. When companies take liberties with our data, it creates a massive trust gap."

Nathan added this is not just happening with LinkedIn, pointing out many technologies and software services that individuals and enterprises use today are doing the same.

"We need to change the way we think about data collection and its use for activities like AI model training," he said. "We should not require our users or customers to give up their data in exchange for services or features, as this puts both them and us at risk."

LinkedIn did explain that users can review and delete their personal data from past sessions using the platform's data access tool, depending on the AI-powered feature involved.

**LinkedIn Faces Tricky Waters**

The US has no federal laws in place to govern data collection for AI use, and only a few states have passed laws on how users' privacy choices should be respected via opt-out mechanisms. But in other parts of the world, LinkedIn has had to put its GenAI training on ice.

Related:An AI-Driven Approach to Risk-Scoring Systems in Cybersecurity

"At this time, we are not enabling training for generative AI on member data from the European Economic Area, Switzerland, and the United Kingdom," the FAQ states, confirming that it has stopped the data collection in those geos.

Tarun Gangwani, principal product manager, DataGrail, says the recently enacted EU AI Act has provisions within the policy that require companies that trade in user-generated content be transparent about their use of it in AI modeling.

"The need for explicit permission for AI use on user data continues the EU's general stance on protecting the rights of citizens by requiring explicit opt-in consent to the use of tracking," Gangwani explains.

And indeed, the EU in particular has shown itself to be vigilant when it comes to privacy violations. Last year, LinkedIn parent company Microsoft had to pay out $425 million in fines for GDPR violations, while Facebook parent company Meta was slapped with a $275 million fine in 2022 for violating Europe's data privacy rules.

The UK's Information Commissioners Office (ICO) meanwhile released a statement today welcoming LinkedIn's confirmation that it has suspended such model training pending further engagement with the ICO.

"In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset," ICO's executive director, regulatory risk, Stephen Almond said in a statement. "We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its UK users."

Related:How Shifts in Cyber Insurance Are Affecting the Security Landscape

Regardless of geography, it's worth noting that businesses have been warned against using customer data for the purposes of training GenAI models in the past. In August 2023, communications platform Zoom abandoned plans to use customer content for AI training after customers voiced concerns over how that data could be used. And in July, smart exercise bike startup Peloton was slapped with a lawsuit alleging the company improperly scraped data gathered from customer service chats to train AI models.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Source

DARKReading