The lack of abundant data on AI-enabled attacks in official reports shouldn't prevent us from preparing for and mitigating potential future threats.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

The Verizon "Data Breach Investigations Report" (DBIR) is a highly credible annual report that provides valuable insights into data breaches and cyber threats, based on analysis of real-world incidents. Professionals in cybersecurity rely on this report to help inform security strategies based on trends in the evolving threat landscape. However, the 2024 DBIR has raised some interesting questions, particularly regarding the role of generative AI in cyberattacks.

**The DBIR Stance on Generative AI**

The authors of the latest DBIR state that researchers "kept an eye out for any indications of the use of the emerging field of generative artificial intelligence (GenAI) in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally."

While I have no doubt this statement is accurate based on Verizon's specific data collection methods, it is in stark contrast to what we are seeing in the field. The main caveat to Verizon's blanket statement on GenAI is in the 2024 DBIR appendix, where there is a mention of a Secret Service investigation that demonstrated GenAI as a "critically enabling technology" for attackers who didn't speak English.

However, at SlashNext, we've observed that the real impact of GenAI on cyberattacks extends well beyond this one use case. Below are six different use cases that we have seen "in the wild."

**Six Use Cases of Generative AI in Cybercrime****1\. AI-Enhanced Phishing Emails**

Threat researchers have observed cybercriminals sharing guides on how to use GenAI and translation tools to improve the efficacy of phishing emails. In these forums, hackers suggest using ChatGPT to generate professional-sounding emails and provide tips for non-native speakers to create more convincing messages. Phishing is already one of the most prolific attack types and, even according to Verizon's DBIR, it takes only, on average, 21 seconds for a user to click on a malicious link in a phishing email once the email is opened, and only another 28 seconds for the user to give away their data. Attackers leveraging GenAI to craft phishing emails only makes these attacks more convincing and effective.

**2\. AI-Assisted Malware Generation**

Attackers are exploring the use of AI to develop malware, such as keyloggers that can operate undetected in the background. They are asking WormGPT, an AI-based large language model (LLM), to help them create a keylogger using Python as a coding language. This demonstrates how cybercriminals are leveraging AI tools to streamline and enhance their malicious activities. By using AI to assist in coding, attackers can potentially create more sophisticated and harder-to-detect malware.

**3\. AI-Generated Scam Websites**

Cybercriminals are using neural networks to create a series of scam webpages, or "turnkey doorways," designed to redirect unsuspecting victims to fraudulent websites. These AI-generated pages often mimic legitimate sites but contain hidden malicious elements. By leveraging neural networks, attackers can rapidly produce large numbers of convincing fake pages, each slightly different to evade detection. This automated approach allows cybercriminals to cast a wider net, potentially ensnaring more victims in their phishing schemes.

**4\. Deepfakes for Account Verification Bypass**

SlashNext threat researchers have observed vendors on the Dark Web offering services that create deepfakes to bypass account verification processes for banks and cryptocurrency exchanges. These are used to circumvent "know your customer" (KYC) guidelines. This alarming trend shows how AI-generated deepfakes are evolving beyond social engineering and misinformation campaigns into tools for financial fraud. Criminals are using advanced AI to create realistic video and audio impersonations, fooling security systems that rely on biometric verification. 

**5\. AI-Powered Voice Spoofing**

Cybercriminals are sharing information on how to use AI to spoof and clone voices for use in various cybercrimes. This emerging threat leverages advanced machine-learning algorithms to recreate human voices with startling accuracy. Attackers can potentially use these AI-generated voice clones to impersonate executives, family members, or authority figures in social engineering attacks. For instance, they might make fraudulent phone calls to authorize fund transfers, bypass voice-based security systems, or manipulate victims into revealing sensitive information. 

**6\. AI-Enhanced One-Time Password Bots**

AI is being integrated into one-time password (OTP) bots to create templates for voice phishing. These sophisticated tools include features like custom voices, spoofed caller IDs, and interactive voice response systems. The custom voice feature allows criminals to mimic trusted entities or even specific individuals, while spoofed caller IDs lend further credibility to the scam. The interactive voice response systems add an extra layer of realism, making the fake calls nearly indistinguishable from legitimate ones. This AI-powered approach not only increases the success rate of phishing attempts but also makes it more challenging for security systems and individuals to detect and prevent such attacks.

While I agree with the DBIR that there is a lot of hype surrounding AI in cybersecurity, it's crucial not to dismiss the potential impact of generative AI on the threat landscape. The anecdotal evidence presented above demonstrates that cybercriminals are actively exploring and implementing AI-powered attack methods.

**Looking Ahead**

Organizations must take a proactive stance on AI in cybersecurity. Even if the volume of AI-enabled attacks is currently low in official datasets, our anecdotal evidence suggests that the threat is real and growing. Moving forward, it's essential to do the following:

*   Stay informed about the latest developments in AI and cybersecurity
    
*   Invest in AI-powered security solutions that can demonstrate clear benefits
    
*   Continuously evaluate and improve security processes to address evolving threats
    
*   Be vigilant about emerging attack vectors that leverage AI technologies
    

While we respect the findings of the DBIR, we believe that the lack of abundant data on AI-enabled attacks in official reports shouldn't prevent us from preparing for and mitigating potential future threats — particularly since GenAI technologies have become widely available only within the past two years. The anecdotal evidence we've presented underscores the need for continued vigilance and proactive measures.

**About the Author**

Field CTO, SlashNext

J. Stephen Kowski is an experienced global technical leader with a demonstrated history in the cybersecurity, design, engineering, information technology, and manufacturing industries. In his current role as field chief technology officer (CTO) of SlashNext, he provides sales enablement for internal and external partners, and he represents the “Voice of the Customer” to senior leadership and product and engineering teams. Stephen has a background in information technology, Web development, engineering, robotics, sales, and software development. He is a graduate of the Stetson University College of Law, the University of South Carolina College of Engineering and Computing, and the University of South Florida College of Engineering. When he isn’t helping companies fight threat actors, he helps run two high school K-12 education charities focused on getting kids excited about STEM career pathways through the vehicle of competitive robotics in his community, and was one of the charities' original founders 20 years ago.

GenAI in Cybersecurity: Insights Beyond the Verizon DBIR

How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.

Dr. Sean Costigan, Managing Director, Resilience Strategy, Red Sift

September 20, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

With heightened geopolitical tensions, a surge in cyberattacks on US and allied organizations by a North Korean cyber-espionage group is hardly unexpected. What is disquieting, however, is that an advanced persistent threat (APT) group known as Kimsuky has seen remarkable success by turning a defensive strength into a weakness — exploiting poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to carry out spear-phishing campaigns to secure advantage.

A May 2 advisory from the FBI, the National Security Agency (NSA), and the US State Department stated that Kimsuky, acting as an arm of North Korea's Reconnaissance General Bureau (RGB), has been sending spoofed emails to individuals in high-profile think tanks, media outlets, nonprofits, academia, and other organizations. The emails are part of an intelligence campaign to troll for information on geopolitics and foreign policy plans, particularly related to nuclear policies, sanctions, and other sensitive concerns involving the Korean peninsula.    

With sanctions biting, North Korea has developed a formidable cybercrime capability to generate liquidity for the regime. However, in this case, we see Kimsuky threat actors alter their focus to intelligence operations, targeting troves of information held by trusted parties and prominent organizations. Although the ongoing campaign has complex geopolitical implications, effectively defending against these attacks fundamentally relies on robust, actionable, and properly executed cyber-hygiene practices.

Related:Singapore Arrests 6 Suspected Members of African Cybercrime Group

**DMARC Misconfigurations Are Too Common**

Kimsuky is using trusted networks with improperly configured or missing DMARC to spoof legitimate domains and impersonate trusted personalities and organizations. The DMARC protocol was created to stop the compromise of user accounts and hinder the very types of social engineering at work here.

This is how it's supposed to work: DMARC allows email recipients to verify an email's origin through the Domain Name System (DNS), ensuring that threat actors cannot spoof legitimate domains. DMARC checks the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records for an incoming email and, if it does not appear to be legitimate, tells the receiving email server what to do next.

But as Kimsuky's attacks have shown, that only works if DMARC services are properly configured. As the IC3 advisories detail, misconfigurations are far too common or policies are poorly defined by the domain owners. For some organizations, self-managing DMARC may seem cost-effective, but it can also lead to significant oversights, including increasing vulnerabilities, failing to pay heed to evolving threats, missing sound compliance reporting, and creating a false sense of security.  

Related:Indian Army Propaganda Spread by 1.4K AI-Powered Social Media Accounts

**What North Korea's Attack Looks Like**

Kimsuky's spear-phishing campaigns may begin with an innocuous email from a seemingly credible source, building trust before sending a subsequent email with a malicious link or attachment. The group then uses successful compromises to escalate attacks with more credible spear-phishing emails aimed at higher-value targets.

The group focuses its intelligence-gathering activities against South Korea, Japan, and the United States, targeting individuals identified as experts in various fields. According to a subsequent advisory from the Cybersecurity and Infrastructure Security Agency (CISA), think tanks and South Korean government entities have also been targeted.  

One real-world example from the FBI-NSA advisory had a subject line reading: "\[Invitation\] US Policy Toward North Korea Conference." The message, seemingly from a known university, begins: "I hope you and your family are enjoying a lovely holiday and a restful season. It is my privilege to invite you to provide a keynote address for a private workshop, hosted by the \[legitimate think tank\] to discuss the U.S. policy toward North Korea." As further inducement, the email also offers a $500 speaker's fee.

Related:Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Another email had the subject line "Questions about N. Korea," with the writer posing as a journalist from a legitimate media outlet and requesting an interview, followed by a broad outline of North Korea's nuclear activities.

In the university example, the email received a "pass" from SPF and DKIM checks, suggesting the attacker gained access to the university's legitimate email client. And although DMARC returned a "fail" because the sender's email domain differed from SPF and DKIM records for the legitimate source, the organization's DMARC policy was not set to take filtering action, so the message was delivered. In the second case, no DMARC policy was present, allowing the attacker to spoof the journalist's name and the news organization's email domain.

**Why DMARC Matters**

The US government's advisories offer compelling reasons for organizations to secure their digital estates. Kimsuky is not alone among APTs nor, more broadly, cybercriminals who work for profit: Lessons are shared and all are becoming increasingly savvy at targeting misconfigurations and weaknesses.

Securing and properly configuring DMARC is key since it improves organizational cyber hygiene and broadly protects against ubiquitous threats like business email compromise and ransomware email attacks.

Notably, industry or regulatory requirements may already make DMARC a requirement for your organization. As of February 2024, Google and Yahoo have required DMARC for organizations sending large volumes of email, and Microsoft is reportedly planning to follow suit. Additionally, the PCI DSS 4.0 requires implementation of DMARC. According to BIMI Radar, since the FBI's May 2 advisory, DMARC adoption globally has grown from 3.74 million organizations to 5.71 million organizations, as of June 17. 

There's a business imperative at work as well. Organizations must prioritize cyber hygiene to safeguard their digital assets, prevent data breaches, and protect against evolving cybersecurity threats. DMARC should be part of your organization's cyber posture. When properly managed, not only does it ensure better deliverability, provide protection against phishing and business email compromise (BEC), and enable the deployment of Brand Indicators for Message Identification (BIMI), but it can help close doors against nation-state espionage and cybercrime.

**About the Author**

Managing Director, Resilience Strategy, Red Sift

Sean Costigan is an expert in emerging security challenges and a highly sought-after speaker on technology and national security. He is the lead for NATO’s cybersecurity curriculum and is widely published on national security matters relating to information security and hybrid threats. He is also a Professor at the George C. Marshall Center, where he educates on global cybersecurity, hybrid warfare, crime, and national security.

North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks

Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

PRESS RELEASE

AUSTIN, Texas and Fal.Con 2024, Las Vegas – September 16, 2024 — CrowdStrike (NASDAQ: CRWD) today announced the launch of its second annual Cybersecurity Startup Accelerator with Amazon Web Services (AWS). NVIDIA also joins in supporting the Accelerator program, powering the next generation of artificial intelligence (AI) and cloud security startups. Targeting cybersecurity’s next market-defining disruptors across the U.S. and EMEA, AWS and CrowdStrike with NVIDIA through its Inception program, will provide mentorship, technical expertise, funding and go-to-market opportunities.  
Applications for the AWS and CrowdStrike Cybersecurity Startup Accelerator with NVIDIA are open from September 16, 2024 to January 10, 2025. Selected startups will be enrolled in a free eight-week program developed by AWS, CrowdStrike and NVIDIA that offers mentorship and guidance from industry experts and executives. Startups will also have access to top-tier global cybersecurity investors, enablement sessions, and up to $25,000 in AWS Activate credits, among other exclusive benefits.

At the end of the program, participants can present their innovations at an in-person Demo Day at the AWS Startup Loft in San Francisco, which will take place during the RSA Conference in April 2025. Winning presentations may be eligible to receive funding from the CrowdStrike Falcon® Fund. 

“CrowdStrike and AWS created the Cybersecurity Startup Accelerator as a formative, value creation experience for innovative startups to learn, create and grow. Since participating in the Accelerator, last year’s cohort participants raised over $150 million from leading global VCs,” said Daniel Bernard, chief business officer, CrowdStrike. “We’re proud to welcome NVIDIA as a supporter of the Accelerator program – bringing together market-leading cybersecurity, cloud and AI expertise to cultivate tomorrow’s great innovators.”

“For startups seeking to tackle the most pressing security challenges, the Cybersecurity Startup Accelerator provides the AI technologies, accelerated computing resources and technical expertise they need,” said Bartley Richardson, director of cybersecurity engineering at NVIDIA.

To apply, visit this website. Startups are encouraged to review the terms and conditions here.

You May Also Like

CrowdStrike Expands Cybersecurity Startup Accelerator With AWS and NVIDIA

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

Company urges organizations using self-hosting GitLab instances to apply updates for CVE-2024-45409 as soon as possible.

Source: T. Schneider via Shutterstock

Organizations with self-hosted GitLab instances configured for SAML-based authentication might want to update immediately to new versions of the DevOps platform that the company released this week.

The update addresses a maximum severity bug in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to bypass authentication checks and log in as an arbitrary user in an affected system. Depending on the level of access, an attacker could then steal leak or modify source code, inject malicious code into production systems, steal secrets and sensitive data, and execute a variety of other malicious actions.

**Maximum Severity Threat**

The bug, identified as CVE-2024-45409, has a severity score of 10.0, which is as critical as it gets on the CVSS rating scale. The bug has garnered the rating because of its high impact and also because exploiting it involves low-attack complexity, no special privileges, and no user interaction.

CVE-2024-45409 affects both GitLab Dedicated, the fully managed cloud-hosted version, and also self-managed instances of GitLab. The company already has updated all instances of GitLab Dedicated and says that customers of the managed version are already protected against the vulnerability. However, those running self-managed GitLab installations must patch now, the vendor advised. "We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible."

GitLab has recommended that organizations enable two-factor authentication for all user accounts for self-managed GitLab installations to mitigate against exploits targeting CVE-2024-45409. "Enabling identity provider multifactor authentication does not mitigate this vulnerability," GitLab cautioned. The company also recommends that organizations not allow the SAML two-factor bypass option in GitLab. In addition, GitLab's advisory provides detailed guidance on how to hunt for and detect signs of exploit activity tied to the flaw.

CVE-2024-45409 is present in versions 12.2 and older and versions 1.13.0 to 1.16.0 of Ruby SAML, a library which is a part of GitLab's SAML-based authentication feature. Ruby SAML is what allows organizations to authenticate users to GitLab via external identity providers.

**Improper Signature Verification**

The National Vulnerability Database's description of the flaw shows that affected Ruby SAML versions either aren't verifying or are incorrectly verifying the cryptographic signature in a SAML response. This allows an attacker with access to any signed SAML document from an identity provider to forge a SAML response. "This would allow the attacker to log in as \[an\] arbitrary user within the vulnerable system," the NVD said.

In its advisory, GitLab said that in order to craft a successful exploit for the flaw, an attacker would need to find a way to craft SAML assertions that are identical to those from an organization's legitimate identity provider. This would involve having the information needed to accurately replicate key fields like username, role, identity, and privileges.

"When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login," GitLab said. "These include both the key and value fields that you specify at your \[identity provider\] and may be unknown to unauthorized individuals — especially if you have customized these attributes."

**Particularly Troubling on Dev Platforms**

Researchers consider vulnerabilities in DevOps platforms like GitHub to be particularly troublesome because of the opportunities they provide attackers to compromise application development environments in multiple ways.

"The ability to bypass authentication checks is a huge threat, as it gives attackers the window of opportunity to easily enter development environments and cause tremendous damage — all without triggering any alerts," says Katie Teitler-Santullo, cybersecurity strategist at OX Security. "Presumably, and hopefully, organizations are using strong authentication — MFA least privilege, and zero-trust principles — to ensure that all access is fully authorized."

Jeff Williams, founder and CTO at Contrast Security, stresses the importance of addressing authentication bypass flaws. "In this case, a forged SAML assertion can be created to log on as any user and take any actions that a user can do," he says. "This might include tampering with pipelines, embedding malicious code in software products, stealing intellectual property, installing malware, or just about any other bad thing you can imagine."

CVE-2024-45409 is the most critical among 18 vulnerabilities that GitHub disclosed this month as part of its regular security updates. GitHub assessed one of the other 17 vulnerabilities as critical. The flaw (CVE-2024-6678), with a CVSS severity score of 9.9, affects multiple GitLab CE and EE versions. It is one of several in recent months that allows an unauthenticated, remote attacker to run a pipeline in the context of any user within a GitLab environment.

The vulnerability is similar to flaws that GitLab disclosed in May, June, and July and suggests a pattern of not taking security seriously, Williams says. "Critical vulns month after month. Maybe they're doing better testing? Good. Or maybe they aren't being proactive. We need transparency."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GitLab Warns of Max Severity Authentication Bypass Bug

PRESS RELEASE

SAN FRANCISCO, Calif., September 16, 2024 – c/side, a cybersecurity company with tools for monitoring, optimizing, and securing vulnerable browser-side third-party scripts, today announced $6 million in seed funding. The round is led by Uncork Capital, with participation from Mantis VC, Scribble Ventures, Roar Ventures, and PrimeSet. c/side’s total funding is now $7.7 million, following a pre-seed round announced earlier this year. Scribble and Roar also participated in the pre-seed, along with strategic angel investors.

  
As headlines have continued to show since the infamous British Airways breach, the third-party code scripts that businesses add into their websites are often poorly monitored and undersecured. While these scripts are necessary for critical site functions such as analytics, chatbots, and error handling, the scripts change frequently without a business’ knowledge—posing significant risks. Malicious actors exploit vulnerabilities within the scripts to redirect website visitors, steal sensitive information, or manipulate website content. As a result of increased security awareness on the infrastructure and open source supply chain, malicious actors increasingly seek to weaponize the browser as the place of execution—yet most sites have nothing in place to monitor client-side behavior.

  
With an advanced proxy service and an AI-driven detection engine, c/side offers a comprehensive toolkit to identify and neutralize malicious scripts in real-time. The innovative solution not only bolsters website security, but also significantly enhances website performance. Beyond safeguarding organizations from cyberattacks, c/side’s technology also simplifies compliance with stringent industry regulations like PCI DSS 4.0, making it a critical and particularly timely tool for businesses accepting digital payments via their sites.

  
“Even in the few short months since we launched, major browser supply chain attacks like polyfill\[.\]io and regulatory breach incidents like the one at Kaiser Permanente have underscored just how significant and rapidly-escalating this attack vector has become,” said Simon Wijckmans, CEO and founder, c/side. “Security and IT teams cannot take a ‘set it and forget it’ approach to the third-party web scripts that run through their organization’s website. We understand what’s required to ensure ongoing visibility and protection, and offer an end-to-end solution that’s simple to deploy. We’re thrilled to bring on new investors with our seed funding, and look forward to our next stage.”

  
“c/side is addressing client-side app security, one of the most challenging threats to digital organizations and a problem that has been largely overlooked until now,” said Andy McLoughlin, Managing Partner at Uncork Capital. “Their AI-driven solution not only identifies these threats but acts swiftly to neutralize them, ensuring robust client-side web security. We’re thrilled to lead this round and support the c/side team as they develop solutions to protect businesses from costly and damaging browser-executed attacks."

  
“We’re impressed by c/side’s AI-driven approach and its potential to revolutionize client-side security at scale,” said Alex Pall, General Partner, Mantis VC. “This team has the expertise and vision to make a significant and lasting impact across the cybersecurity landscape, making web security more accessible to all. Whether you’re an early-stage grinding entrepreneur or a large established brand, c/side will grow to have your back. Simon and the team will make things rock!”

  
The seed funding will enable c/side to accelerate the development of its flagship product, the powerful proxy solution for securing third-party web scripts. The company will also deepen its vulnerability detection engine’s capabilities and grow its team to support customer service, sales, partnership, and marketing functions.

  
c/side’s free tier is now fully operational and available — anyone can sign up and begin securing their site in minutes. Business, Enterprise, and Partner tiers are in development; those interested can contact c/side here. 

  
About c/side  
c/side is a forward-thinking cybersecurity startup focused on browser-side detection and protection. Led by industry expert Simon Wijckmans, c/side is pioneering technologies to shield against sophisticated cyber threats, ensuring unparalleled security standards for users across the web.

c/side Lands $6M to Combat Rising Browser Supply Chain Attacks

Inc ransomware — one of the most popular among cybercriminals today — meets healthcare, the industry sector most targeted by RaaS.

Source: Photo 12 via Alamy Stock Photo

Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.

Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.

In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators MSTIC tracks," says Jeremy Dallman, senior director of threat intelligence for MSTIC. "While we've seen them targeting healthcare for quite a while, the notable shift here is their use of an Inc ransomware payload as they leverage the larger ransomware-as-a-service ecosystem."

**Vice Society's Latest Foray into Healthcare**

Vice Society flirts with various industries, including IT and manufacturing, but it's best known for its campaigns against the education and healthcare sectors.

In that sense, it's in line with the broader threat landscape. According to Check Point Research, healthcare is the industry most frequently targeted by ransomware actors. Other kinds of cybercriminals like it too, evidently, with global healthcare organizations experiencing an average of 2,018 attacks per week, a 32% rise over last year.

It only makes sense, warns Cindi Carter, Check Point's CISO for the Americas. Besides being hamstrung by outdated legacy technology and bureaucracy, "The type of data that healthcare organizations capture, create, and share is of high value to cybercriminals," she says. "Your medical record is the single most identifiable piece of digital information about you besides your own fingerprint," she says.

In recent activity leveraging the healthcare sector's inherent weaknesses, Vice Society received initial access to victims that previously had been infected with the Gootloader backdoor-loader. Then it deployed tools including the Supper backdoor, AnyDesk's remote monitoring and management (RMM) solution, and MEGA's data synchronization tool, the latter two of which are legitimate commercial products. The group used Remote Desktop Protocol (RDP) to perform lateral movement in affected networks, and abused the Windows Management Instrumentation (WMI) provider host to drop Inc ransomware.

**The Rise of Inc Ransomware**

Active since last summer, the Inc ransomware-as-a-service (RaaS) operation has earned plenty of headlines for its compromises of particularly large organizations — Xerox and Scotland's National Health Service (NHS), among others. And its modus operandi fits the scope of its ambition, says Jason Baker, threat intelligence consultant for GuidePoint Security.

"The aspect of Inc affiliates in particular that makes them stand out is that they have a very structured way of working through the negotiations process. There's no winging it. There are no off-the-cuff remarks. Agitation and threats are kept relatively minimal," he recalls from dealing with them firsthand.

"It's like the difference between somebody robbing a bank and somebody sticking somebody up in an alley. You can tell when somebody's put thought into \[an attack\] and knows what they're doing," he says.

As Dark Reading reported last month, Inc's malware leaked information about the nature and success of its data encryption. Though this could potentially lend defenders a leg up in remediation and potential negotiations with its affiliates, Baker warns that the reality is more complicated, especially when it comes to healthcare.

"If an organization knows that they can recover, and that they don't need a decryptor, that substantially decreases the feeling that they need to pay a ransom," he notes. "But where it's complicated is in modern double extortion, particularly if there's sensitive personally identifiable health information (PHI), or if there's sensitive intellectual property involved. There's a reason why the double extortion methodology has stuck around for as long as it has: It does, to some extent, overcome even an ability to recover."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Vice Society Pivots to Inc Ransomware in Healthcare Attack

US ports rely on cranes manufactured by a Chinese state-owned company, many with unmonitored cellular connections, causing cybersecurity concerns.

Source: GreenOak via Shutterstock

As the United States looks to shore up the cyber-resilience of its critical infrastructure, a congressional report has highlighted that the nation's maritime shipping and port operations rely too much on Chinese-made cranes and other systems whose software is often vulnerable and can be communicated with remotely.

Last week, the House of Representatives' Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC). While the committee did not turn up evidence that the company used its access maliciously, the firm failed to address software vulnerabilities and retained the ability to remotely access the crane's systems via a cellular modem, often without explicit notification.

Even though the report does not find a smoking gun, the concerns are reasonable, says John Terrill, chief information security officer (CISO) at extended Internet-of-Things (IoT) security firm Phosphorus Cybersecurity.

"There could be legitimate purposes for \[a cellular modem\], but I think the general sentiment — because it's a Chinese-owned company — the \[committee\] is concerned that allowing access is setting up a ticking time bomb," he says. "If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes."

Related:Name That Toon: Tug of War

The supply chains for critical economic sectors are attracting intense scrutiny from policymakers and security organizations. When Russia invaded Ukraine, the military targeted cyberattacks at infrastructure, such as satellite communications and nuclear power generation. The recent attacks on Lebanon-based Hezbollah militants — considered a terrorist organization by the US government — using pagers likely compromised through a supply-chain attack by Israel demonstrated the potential of cyber-physical attacks.

**Sea Change in Supply-Chain Focus**

Port facilities are often overlooked, but critically important, especially as drivers of the economy. US port facilities handle about 40% of the value of all international freight, with the top 12 ports processing about 47 million twenty-foot equivalent units (TEUs) of cargo in 2023. Cyber-physical attacks on such facilities could significantly disrupt the US economy. Cybersecurity experts have already warned that China-linked cyber-espionage groups are compromising critical infrastructure systems at facilities — such as ports — in preparation for future conflicts.

Related:SCADA Market Is Set to Reach $18.7B by 2031

The long-term risks outweigh the short-term gains of purchasing inexpensive port equipment, the House Select Committee stated in its report.

"The evidence gathered during our joint investigation indicates that ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate US maritime equipment and technology at their request," the lawmakers stated. "This vulnerability in our critical infrastructure has the potential to affect Americans from coast to coast."

While historically overlooked, maritime supply-chain security and cybersecurity has become an increasing issue. In February, the US Department of Transportation warned that port facilities' over-reliance on Chinese vendors allowed China's government to collect information on trade and could lead to potential compromises if Sino-American relations worsen.

**Rough Seas for Cybersecurity**

Attacks on ports and ships are not unheard of. In February, the US reportedly hacked an Iranian military ship aiding Houthi rebels in the Red Sea and disrupting communications. An Indian nation-state cyber-operations group attacked maritime facilities and ports around in the Indian Ocean and as far away as the Mediterranean Sea. And spoofing of GPS signals have enabled rogue nations to cause problems for freighters and other shipping near their shores.

Related:Remote Access Sprawl Strains Industrial OT Network Security

Because so much of the infrastructure has integrated communications connected to software controlling physical equipment, cybersecurity is a significant issue, says Ron Fabela, strategic advisor to ICS/OT security firm Xona.

"Everything is remotely accessible now," he says. "If you haven't been in the industry, you might think our super-critical stuff isn't accessible from the Internet, surely, right? And oftentimes, that is not the case."

Port operators are looking to buy inexpensive port equipment, such as cranes, but then rely on the manufacturer to provide service, which leads to remote communications and data collection. In addition, numerous vulnerabilities have been found in ZPMC equipment, but bug reports disappear and are never publicized, and likely never fixed. Given China's law that forces disclosure of vulnerabilities to the government, it's likely that those vulnerabilities are being used or are being stockpiled for use, says Phosphorus' Terrill.

"A known vulnerability that is not patched is a backdoor by any other definition," he says.

**Protecting Untrusted Infrastructure**

The House CCP Committee's report recommends that the Department of Homeland Security and US Coast Guard make recommendations to disable the cellular modems in the ZPMC cranes, install technology to monitor and ensure the security of the cranes during operation, and focus extra security measures on critical ports, such as the seaport in Guam — a resupply point for the US military in the Pacific Ocean — and those designated by the Department of Defense as critical.

Port operators, however, may push back on mandates to disable the cellular devices. Turning off the cellular modems will likely mean hobbling the maintenance of the cranes and other equipment, says Xona's Fabela.

"In critical infrastructure, what I've seen is the asset owner — the purchaser of this equipment — doesn't want to maintain it," he says. "They want to have someone on the hook, if something goes wrong ... they want to ensure that the OEM or the manufacturer is the one supporting it, and being that a lot of our heavy industry is still being manufactured outside of our borders, it becomes a difficult problem."

Instead, operators should treat digital access like physical access, he says. Any session should be tightly controlled and scheduled, keeping devices offline at all other times.

"We'll monitor, and we'll over-the-shoulder their access — this is how they do it with physical access," he says. "A vendor can't just walk into a port and walk around. You have to have a reason to be there, usually a job order; you have to have a background check; and someone will escort you. So just extending those best practices to the cyber domain is often all that's needed."

In the long term, the House CCP Committee's report recommends that the US Department of Commerce study whether building cranes is the United States is feasible, as well as ways to improve US manufacturing competitiveness.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Concerns Over Supply Chain Attacks on US Seaports Grow

The first patch lets threat actors with low-level credentials still exploit the vulnerability, while the second fully resolves the flaw.

Source: Postmodern Studio via Alamy Stock Photo

A researcher has released a proof-of-concept (PoC) exploit and analysis for a critical vulnerability, tracked as CVE-2024-40711, used in Veeam's backup and replication software.

As an unauthenticated remote code execution (RCE) flaw, the vulnerability has a CVSS score of 9.8 and threatens environments that are running versions 12.1.2.172 and below.

Initially reported for its high potential for exploitation, the vulnerability possesses an aging communication mechanism that makes it vulnerable to deserialization attacks. And it has an exploitation path that enables threat actors to create malicious payloads that bypass the protective measures Veeam has put in place.

While assessing the vulnerability, the security teams discovered 1,900 file modifications, 700 of which were deemed non-security related, indicating that Veeam's patching process went beyond just CVE-2024-40711 and likely involved addressing a variety of other security flaws as well.

Veeam released two recommendations to address different components of the vulnerability. The first patch, version 12.1.2.172, made it so that low-level credentials were still required in order for threat actors to exploit the vulnerability. The second patch, version 12.2.0.334, fully resolves the flaw. It's possible that the vulnerability was more severe than Veeam initially let on, and that the first patch did not fully mitigate the RCE threat, leaving systems exposed and prompting a second attempt to patch.

Dark Reading has contacted Veeam for more information about its approach.

In the meantime, it's recommended that enterprises apply the latest patch as soon as possible, since a PoC exploit for the vulnerability has been made publicly available on GitHub, giving attackers tools to launch their next attacks. 

**About the Author**

Source

DARKReading