Once a user's device is infected as part of an ongoing Flax Typhoon APT campaign, the malware connects it to a botnet called Raptor Train, initiating malicious activity.

Source: Science Photo Library via Alamy Stock Photo

The Justice Department today announced a court-authorized operation to disrupt a botnet affecting 200,000 devices in the United States and abroad.

According to unsealed documents, the botnet, known as Raptor Train, is operated by People's Republic of China (PRC) state-sponsored hackers working for a company based in Beijing. Known publicly as Integrity Technology Group, it is also known as the advanced persistent threat (APT) group Flax Typhoon in the private sector.

A variety of connected and Internet of things (IoT) devices have been affected by the botnet malware, including small-office/home-office (SOHO) routers, Internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.

According to the Justice Department, the malware connected each of these affected devices to the botnet, which then conducted malicious cyberactivity designed as routine Internet traffic.

Integrity Technology Group, which is responsible for the malicious activities conducted by Flax Typhoon hackers, developed and controlled the botnet. In the past, Flax Typhoon has targeted government agencies, critical manufacturing, and information technology organizations in Taiwan as well as other countries. Not only this, but it has also attacked US and foreign universities, corporations, government organizations, and media organizations, among others. 

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security," said US Attorney General Merrick B. Garland. "As we did earlier this year, the Justice Department has again destroyed a botnet used by PRC-backed hackers to infiltrate consumer devices here in the United States and around the world. We will continue to aggressively counter the threat that China's state-sponsored hacking groups pose to the American people."

The takedown was a joint effort between the FBI, the US Attorney's Office for the Western District of Pennsylvania, and the National Security Cyber Section of the Justice Department’s National Security Division, with collaboration of French authorities, Lumen Technologies, and Black Lotus Labs, the group that first identified the botnet.

Should a user believe that their device is compromised, they can contact an FBI field office directly, report online to CISA, or visit the FBI's Internet Crime Complaint Center (IC3).

FBI Leads Takedown of Chinese Botnet Impacting 200K Devices

By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

Traditional cybersecurity measures are increasingly inadequate against sophisticated threats in the rapidly evolving digital security landscape. Artificial intelligence (AI) has emerged as a transformative force to revolutionize risk assessment and management in the cybersecurity domain. As organizations grapple with an increasing array of cyber threats, AI-driven approaches to risk scoring are becoming more important and essential tools in the modern security arsenal.

At the forefront of this technological revolution is the development of AI-driven risk assessment models tailored specifically to cybersecurity threats. These systems are designed to identify vulnerabilities that often elude traditional methods by offering a more comprehensive and nuanced approach to risk scoring. Leveraging machine learning algorithms and deep neural networks, these AI models can analyze vast amounts of unstructured data, uncovering complex patterns and insights that might otherwise remain hidden from human analysts. These threats can range from univariate anomalies, like a user logging in from a different IP address, to more complex multivariate risks that involve deviations in user behavior patterns and anomalies in their typical sign-on activities.

A simple one-dimensional risk assessment approach is insufficient in real-life scenarios; instead, a weighted average risk system capable of detecting and evaluating these multivariate risks is essential. Each of these threat detection methodologies can and very well be independent of each other, assessing risks on different (combinations) of variables in play.

**An AI Advantage**

An important advantage of AI in cybersecurity is its ability to process and analyze data at a scale and speed far beyond human capabilities. These advantages enable real-time threat detection and dynamic risk scoring, which allows security teams to prioritize and respond to threats incredibly efficiently. By continuously analyzing network traffic, user behavior, and external threat intelligence, AI-driven systems can update risk scores in real time, providing a constantly evolving picture of an organization's security posture.

The integration of AI into risk-scoring systems also enhances the overall security strategy of an organization. These systems are not static, but rather learn and adapt over time, becoming increasingly effective as they encounter new threat patterns and scenarios. This adaptive capability is crucial in the face of rapidly evolving cyber threats, allowing organizations to stay one step ahead of potential attackers. An example of this in action is detecting anomalies during user sign-on by analyzing physical attributes and comparing them to typical behavior patterns. This approach helps prevent unauthorized access by identifying and blocking suspicious sign-ins before the user can enter the system.

**AI Is Not a Cure-All**

It's important, however, to realize that AI is not a cure-all for every cybersecurity challenge. The most impactful strategies combine the analytical power of AI with human expertise. While AI excels at processing vast amounts of data and identifying patterns, human analysts provide critical contextual understanding and decision-making capabilities. It's crucial for AI systems to continuously learn from the input of small and medium-sized enterprises (SMEs) through a feedback loop to refine their accuracy and minimize alert fatigue; this collaboration between human and artificial intelligence creates a robust defense against a wide range of cyber threats.

The application of AI in cybersecurity extends beyond threat detection. Advanced AI models are also being used to simulate potential attack scenarios, allowing organizations to proactively identify and address vulnerabilities before they can be exploited. This predictive capability represents a significant shift from reactive to proactive security measures, potentially saving organizations millions in breach-related costs.

AI's role in cybersecurity is expected to grow exponentially as AI technology continues to advance. Future developments may include more sophisticated predictive models, enhanced automation of threat response, and even AI systems capable of autonomously patching vulnerabilities. These advancements promise to create more resilient and adaptive security infrastructures, better equipped to handle the challenges of an increasingly digital world.

The integration of AI into cybersecurity risk-scoring systems represents a significant leap forward in the field of digital security. By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats. As the digital landscape continues to evolve, embracing AI-driven approaches to cybersecurity will be crucial for organizations seeking to protect their assets and maintain their competitive edge in an increasingly interconnected world.

**About the Author**

AI and Data Science Leader, Cybersecurity Expert

Venkat Gopalakrishnan is an accomplished AI and data science leader with extensive experience driving AI initiatives in high-impact industries. The holder of two patents in AI and cybersecurity, Venkat has expertise in integrating traditional AI and generative AI into complex systems, having successfully led global teams and delivered innovative AI solutions across various domains, including cybersecurity, finance, and sales.

An AI-Driven Approach to Risk-Scoring Systems in Cybersecurity

The Coalition for Secure AI (CoSAI) expanded its roster of members with the addition of threat intelligence management, collaboration and response orchestration vendor Cyware this week.

Source: ElenaBS via Alamy

The Coalition for Secure AI is a collaborative open-source initiative that seeks to aid those looking to create secure-by design AI technologies. Its network of stakeholders in business and academia work together to develop holistic approaches and best practices, tools and methodologies to secure AI development and deployment. 

This week, threat intelligence management, collaboration and response orchestration vendor Cyware became a member of CoSAI. Google is one of the founding members. Existing members include OpenAI, Anthropic, Microsoft, IBM, Intel, Nvidia, and PayPal.

The coalition has established three work streams that focus on different areas: software supply chain security for AI systems, preparing defenders for a changing cybersecurity landscape, and AI risk governance. In the future it expects to expand into additional areas. Cyware will contribute as an expert in AI-enabled security solutions to help develop industry standards that prioritize safety, ethics and transparency in AI development, the company said.

CoSAI operates under OASIS Open, an international standards and open source consortium that seeks to help members advance projects in areas including cybersecurity, blockchain, IoT, emergency management, cloud computing and legal data exchange.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Coalition for Secure AI Promotes Safe, Ethical AI Development

What happened to KnowBe4 also has happened to many other organizations, and it's still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.

Source: DD Images via Shutterstock

A postmortem on the accidental hiring of a North Korean threat actor at a security firm reveals a sophisticated, industrial-like network of fake IT workers carefully groomed to fool US companies into giving them employment for the financial gain of the North Korean government.

In July, security awareness training firm KnowBe4 was transparent in revealing how a software engineer the company hired turned out to be a North Korean threat actor who immediately began loading malware onto his company-issued workstation.

Though administrators managed to detect and shut down the malicious operation before any harm was done, the incident served as a wake-up call about the sophistication of a North Korean state-sponsored program that sends operatives posing as credible IT workers out into the workforce.

Within weeks of the company's public revelation, KnowBe4 heard from more than a dozen other organizations that had similar stories of either hiring or being solicited for work by North Korean actors, the company revealed in a white paper (PDF) released this week.

Companies from the size of Fortune 500 organizations to small businesses with only 12 employees accidentally hired North Korean fake employees, with organizations with largely remote workforces being at the highest risk.

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"It turns out that the North Korean fake employee problem is a complex, industrial, scaled nation-state operation, and it is likely that thousands of organizations around the world have or are now involved in accidentally hiring North Korean fake employees," Roger Grimes, KnowBe4 data-driven defense evangelist, wrote in the report.

**Anatomy of a State-Sponsored Fake Employee Program**

The fact that the fake worker scheme is much more widespread than initially believed and that the people taking part in them are "exceptionally skilled" are the greatest lessons learned from KnowBe4's experience, Erich Kron, security awareness advocate at KnowBe4, tells Dark Reading.

"The ability to pass background checks, combined with the willingness and ability to interview on several Zoom calls is indicative of just how polished their program is," he says. "They seem to have processes in place that work exceptionally well on organizations both large and small."

The program takes advantage of a cultural shift in employment among US organizations over the past several years that has made companies more susceptible to placing workers with malicious intent in legitimate positions, Kron says.

This shift is a combination of organizations embracing the remote-work model, and the modern interest in hiring people from around the globe based on their knowledge and abilities rather than geographical location, he says.

Related:FBI Leads Takedown of Chinese Botnet Impacting 200K Devices

"This is extremely challenging when many of the best candidates and people knowledgeable with cutting-edge technology are not US-born and may have strong accents that may have been a barrier to hiring in the past," Kron says. "Multicultural workforces are not only common in the modern business world but are critical if organizations wish to hire the top talent in their fields."

**A Look Behind the Curtain**

KnowBe4 learned much about how the various aspects of the North Korean program operate in the wake of the company's own incident. The company discovered that the chief goal of this program is financial gain, though operatives also to a lesser extent engage in cyber espionage and even corporate sabotage activities, once joining an organization.

Overall, there are four parts that are integral to making the fake employee scheme work: North Korean-based program leaders; North Korean employees and managers based in other countries; non-Korean scheme assisters that are usually based in the country where the job is located; and infrastructure to assist with accepting payments, generating fake identities or stealing real identities, creating fake employee websites and projects, giving references, money laundering, document forgery services, and other supporting activities.

Related:Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

The employees are often skilled IT workers and developers trained at North Korean universities, and are usually located in foreign countries, such as China, in shared living spaces and workspaces. They usually work in busy call-center-like spaces; in fact, organizations that interviewed or hired these fake employees often noted the noisy background, Grimes observed.

KnowBe4 described the employees ensnared in the program as themselves unfortunate victims of a type of human trafficking. They receive very little of the earned revenue, with most of it benefiting the North Korean government. Moreover, close family members stay back in North Korea "to be used as personal leverage to force the employee to toil long hours for very little wages," Grimes wrote.

**How to Spot a North Korean Fake Employee**

KnowBe4 offered substantial guidance for organizations during the hiring process to help them spot a North Korean threat actor before taking that person on board, as well offered after-hiring advice in case an operative makes it onto an IT team.

Some characteristics and behaviors in a candidate to look out for include the person being of Asian decent who is not highly skilled in English, though he or she claims to have always lived in the US. The person will be using a fake identity, a fake ID credential, and a fake work history that will all fail an secondary verification.

The candidate also will supply personal websites, profiles, or GitHub sites that seem overly basic, "often saying something and nothing at the same time, or you can find very similar sites and profiles," Grimes wrote. These sites and profiles also will have been posted only very recently and will have no Internet presence outside of the properties supplied by the candidate.

After hiring, organizations may detect unnecessary logins by the employee on the remote device provided by the company, from an IP address that doesn't match the claimed geographical location, or other unusual behavior. Employees also may work hours inconsistent with the time zone where they claim to be located.

Because the motivation for the threat actors is financial, another red flag after hiring is a request to be paid in unusual or strange payment schemes, including the demand for virtual currency.

**Protecting Your Organization**

If an organization suspects a person is a threat actor during the hiring process, it should be reported immediately to senior management for support in vetting the person's legitimacy. KnowBe4 also advised that organizations "threat model" their hiring process and make updates to mitigate the risk of hiring fake employees, such as sharing the warning signs for these actors with those in the direct hiring process.

Indeed, "reviewing hiring processes and reworking them around lessons learned from the experience has been critical" to KnowBe4's incident recovery, and "well worth the investment" to ensure the scenario doesn't repeat itself, Kron says.

If a company does suspect that one of its employees is a North Korean actor, KnowBe4 advised that any device supplied to the person by the company is immediately locked down to the bare minimum access, and monitored for unusual activity, malware, log modifications, or unexpected language changes. The company also should take further steps to monitor employee activity and, of course, remove the person from the job if suspicions prove true.

In retrospect, KnowBe4 has learned that even though it already had a strong security culture with many controls in place that allowed the company to mitigate the situation quickly, "there is always room for improvement," Kron says.

"Having been through this has allowed us to become even more secure than we were previously," he says, "and by sharing the lessons we learned, we hope it will help others."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Security Firm's North Korean Hacker Hire Not an Isolated Incident

By accessing the MSSQL, threat actors gain admin-level access to the application, allowing them to automate their attacks.

Source: ADDICTIVE STOCK CREATIVES via Alamy Stock Photo

Threat actors have been targeting Foundation accounting software commonly used by general contractors in the construction industry, leveraging active exploits within the plumbing, HVAC, and concrete sub-industries, among others.

Researchers at Huntress initially discovered the threat when tracking activity on Sept. 14. "What tipped us off was host/domain enumeration commands spawning from a parent process of sqlservr.exe," the researchers wrote in their advisory.

The software that the application uses includes a Microsoft SQL Server (MSSQL) instance for handling its database operations. According to the researchers, while it's common to keep database servers on an internal network or behind a firewall, Foundation software contains features that allow access through a mobile app. Because of this, "the TCP port 4243 may be exposed publicly for use by the mobile app. This 4243 port offers direct access to MSSQL."

In tandem, Microsoft SQL Server has a default system admin account, known as "sa," which has full administrative privileges over the entire server. With such high privileges, these accounts can enable users to run shell commands and scripts.

The threat actors targeting the application have been observed brute-forcing the application at scale as well as using default credentials to gain access to victim accounts. In addition, threat actors appear to be using scripts to automate their attacks.

It's recommended that organizations rotate their credentials associated with Foundation software and keep installations disconnected from the Internet to prevent falling victim to these attacks.

**About the Author**

Contractor Software Targeted via Microsoft SQL Server Loophole

Thought to be Brazilian in origin, the remote access Trojan is the "perfect tool for a 21st-century James Bond."

Source: Valentin Valkov via Shutterstock

"SambaSpy," a recently surfaced remote access Trojan (RAT), is loaded up with a Swiss Army knife-like set of functions for spying on victims and stealing data from them. Its creators, thought to be Brazilian, have also made the versatile RAT hard to detect and analyze by obfuscating it with Zelix KlassMaster, a legitimate Java obfuscation tool that developers often use to protect their code against reverse engineering and unauthorized modification.

**The Perfect Tool?**

Researchers at Kaspersky first spotted SambaSpy in May. "The malicious campaign we uncovered was exclusively targeting victims in Italy," Kaspersky said in a report this week. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries." More recent evidence suggests the attackers may be expanding to targets in Spain, Brazil, and potentially other countries, Kaspersky said.

SambaSpy is a RAT that an attacker can use to download and upload files, manage the file system and processes, load additional plug-ins, and take complete remote control of a compromised system. Among other functions, the RAT can also take screenshots, steal passwords, control webcams, and log keystrokes. It's a combination of capabilities that Kaspersky assessed would make the malware "the perfect tool for a 21st century James Bond villain."

Threat actors use remote access Trojans like SambaSpy for a variety of reasons. Some common use cases include targeted information stealing, dropping other malware, credential stealing, and cyber espionage.

**Testing the Waters**

SambaSpy's feature set appears to make the malware suitable for any of these purposes. Like most other RATs — and indeed any malware for that matter — the alleged Brazilian threat group behind it is distributing the malware via phishing emails spoofed to appear like they are from a real estate company.

Users who click on the call-to-action in the email are redirected to a website that checks the victim's operating system language and the browser. If the OS is in Italian and if the browser is Edge, Chrome, or Firefox, the malicious site injects a malicious PDF file containing either a dropper or a downloader that each do the same thing: install SambaSpy on the victim system. As is common with most modern malware, the SambaSpy dropper/downloader first checks if it has landed on a virtual system, before installing the malware. Interestingly, if the OS language is not Italian, the malicious website redirects the potential victim to a legitimate website for online invoices.

Though the tactic of using email to deliver SambaSpy might seem low-tech, it remains the most effective vector for initial access. A Trend Micro study conducted earlier this year showed email to be among the top initial access vectors; Trend Micro claims that 73.8 billion of the more than 161 billion threats that it blocked in 2023 used email as the initial access vector. The company expects such attacks are going to continue with generative AI tools that let attackers craft phishing lures that will also get progressively harder to spot.

"For the attackers, it doesn't really matter who they hit, nor are the particulars of the phishing bait important," Kaspersky said. "Today, it might be an invoice from a real estate agency; tomorrow, a tax notification; and the day after that, airline tickets or travel vouchers."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Packed With Features, 'SambaSpy' RAT Delivers Hefty Punch

Criminal actors are finding their niche in utilizing QR phishing codes, otherwise known as "quishing," to victimize unsuspecting tourists in Europe and beyond.

Source: Westend61 GmbH via Alamy Stock Photo

In what seems to be an increasingly popular method of attack, two threat groups have been identified as utilizing QR code parking scams in the UK and throughout the world.

The researchers at Netcraft believe that one of the groups is active across Europe, especially in France, Germany, Italy, Switzerland, and the UK. According to initial reports of the threat, threat actors trick unsuspecting victims into scanning malicious QR codes and entering their personal information. And the damage doesn't stop there — ultimately, because the QR codes are fake, users aren't registering their cars for parking, meaning that they're likely to be hit with a double whammy: potential financial fraud and a parking ticket.

The threat first came to public notice in August when British car insurer RAC published a warning advising drivers to be vigilant and only pay with card, cash, or official parking apps already installed on their phones. The potential victim count so far is roughly 10,000 within just a two-month span, according to their report released today.

The scams are gaining so much traction that they're stretching beyond Europe, to Canada and the United States, prompting the FBI to issue alert number I-011822-PSA, "Cybercriminals Tampering with QR Codes to Steal Victim Funds," to bring awareness to an issue they suspect will only continue to grow.

**No-Parking Zone**

In the United Kingdom, it first began with what the researchers called a "wave of malicious QR codes appearing across the city center" of London. The fake QR codes would be found printed on adhesive stickers and posted on parking meters. After scanning the QR code, the user turned victim would be directed to a phishing website impersonating a legitimate parking payment app, PayByPhone.

The scams spread across Britain, and peaked from June to September, with the threat actors were getting traction with, or perhaps specifically targeting, tourists in areas such as Blackpool, Brighton, Portsmouth, Southampton, Conwy, and Aberdeen.

With roughly 30 parking apps currently being used in the UK, these criminals are likely to find success preying on tourists who need to access public parking with easy and accessible payment options. 

And though the current research focuses on how these schemes impact parking and tourists in particular, Robert Duncan, vice president of product strategy at Netcraft, stresses to Dark Reading that the threats carry risk in business context, pointing out a rash of corporate Microsoft 365 "quishing" attempts that exploited corporate users who used their own devices, thus excluding them from the enterprise's security perimeter and leaving them open to any potential threats. 

**PayByQuish?**

One criminal group using these methods is specifically impersonating PayByPhone, and follow a series of steps to execute their scam.

First, the threat actor "deploys boots on the ground resources" to set up the attack and affix the QR codes to parking payment machines, Duncan explains. Next, the victims scan the malicious, fake QR code and are unknowingly directed to a phishing website. The victim then follows the steps to enter their personal details: the parking lot location code, their vehicle details, parking duration, and lastly — and most damaging — their payment-card details.

Once this is completed, the website will display a "processing" page to simulate the legitimate user experience. The payment is then "accepted," and the phishing website confirms the entered details before directing the victim to the real PayByPhone website. 

According to the researchers, in some cases the phishing group sends the victim to a failed payment page, asking them for an alternative payment method. This only exacerbates the issue by collecting more card info and further adding to the funds that the threat actors can steal from.

Evading criminal groups' schemes seems a difficult task when it presents itself so well as a legitimate operation. But the researchers have found that there are certain markers that can help potential victims detect a scam. For instance, 32 domain names with the same scam all displayed the following characteristics:

1.  Registered with NameSilo.
    
2.  Using .info, .click, .live, .online, and .site top-level domains (TLDs) rather than .com or common country-specific TLDs.
    
3.  The sites appeared to be protected by Cloudflare.
    

**How Businesses Can Avoid the Quish Hook**

As these kinds of threat continue to grow, and possibly develop into new business sectors (such as quishing threats infiltrating restaurants or retail stores), Duncan notes that it won't be easy to defend against. 

"It's quite difficult for businesses to defend against rogue QR codes being placed over existing ones," he says. "It's also harder to protect customers using mobile devices who may not have as many built-in security measures as on desktop devices. In this case, an online brand protection platform with broad URL-based threat intelligence with QR code support can help."

Ultimately, Duncan says, there is no foolproof solution to preventing these threats as "both fake and legitimate QR codes often use URL shorteners, which makes it very hard to tell apart." Instead, he recommends that users avoid scanning QR codes and instead look up parking apps in official app stores.

"There's a lot of potential for QR code misuse," he adds. "You're often on a mobile device, where controls can be weaker. Watch this space."

QR Phishing Scams Gain Motorized Momentum in UK

The 12-member group will compete at the first all-women's capture-the-flag competition this November at the Kunoichi Cyber Games in Tokyo.

Source: Dmytro Sidelnikov via Alamy Stock Photo

Do they have what it takes to capture the flag? 

The 12 members of a new cyberteam will find out this fall, when four international teams meet at the Kunoichi Cyber Games to see whose cybersecurity athletes have what it takes to win in an intense cyberskills tournament. These cyber athletes will have to demonstrate their mastery of forensics, Web security, reverse engineering, binary exploitation, and cryptography in competition at the 2024 Code Blue Conference, Nov. 14 to 15, in Tokyo.

The cyber athletes come from across the United States. Some are college students, participating in their first cyber-gaming competitions. Others are cybersecurity professionals, who have been working in the industry. All of them are women. 

The Women's Cyber Team will be officially commissioned at Cybersecurity Career Week, an event sponsored by the House Cybersecurity Caucus, NICE, and SANS, in Washington, DC, on Sept. 19, kicking off the cyber season of competition for the fledgling team.

The US team will take on the teams from Japan, the United Kingdom, and the European Union during the competition. Five members and two substitutes will compete for eight hours in a capture-the-flag (CTF) contest, as well as an attack-and-defense competition. Each team member has a specialty area of focus and a subspecialty. 

**Developing Skills, Confidence**

The team is helmed by cybersecurity gaming veteran Ken Jenkins, CTO of Cymonix. A participant in many CTF and cyber tournaments held over the years, Jenkins was the head coach of the co-ed US Cyber Team in season 2 and the assistant head coach in season 3. The co-ed team is preparing for season 4's international competition later this year in Chile. 

For Jenkins, cyber gaming gives athletes the ability to flex their cyber muscles while developing skills and confidence – without their activities posing a threat to any actual business operations. 

"I think it really helps overcome imposter syndrome. It's also very validating of skills. They help you identify gaps and weaknesses. It also brings you together in a very safe place where you can make mistakes, and it doesn't cause a business outage, he says. "I remember days of defending a network where I did the same 30 things, right? I logged into this system, checked these alerts, did this, analyzed this file. Wash, rinse, repeat, for weeks on end."

Gamers, however, get the ability to reverse engineer a piece of malware or participate in red-team engagements that give them a plethora of new skills that they don’t get to exercise every day. 

**How the Team Came Together**

Choosing the 12 competitors for the team was no easy task, notes Chelsie Cooper, the team's assistant head coach and a senior intelligence analyst at CrowdStrike. 

Around 50 hopeful athletes participated in season IV of the US Cyber Open CTF in June. This initial pool was then culled to a smaller group based on an assessment that included scores from participating in any of the National Cyber League or US Cyber Open competitions. A smaller pool of candidates were interviewed, and their soft skills were as important as their cybersecurity chops, focusing on leadership and communication skills. 

"All of that came together in a very, very, very hard decision to only pick 12 of them because of all of them, they are very talented – well beyond their years," Cooper says. "They are going places."

Cooper's role as assistant head coach isn't to motivate the team, she says, because they're already incredibly driven. Rather, the focus is on strengthening existing skills and identifying knowledge and skills gaps.

"It's more so of a mentoring opportunity for us than it is anything else because they have the talent and they have the drive," she says. "We're just there to help guide them along the way to the competition."

Leading up to the November competition, the team has been holding biweekly virtual office hours with the coaches, discussing logistics and working on competition skills. Each team member also has a buddy. The older, more experienced players who have competition experience are mentoring younger members to bolster their weak spots and build confidence. 

**Building a Talent Pipeline**

While the co-ed US Cyber Team is for players ages 18 to 25, this new team recruited women ages 18 to 29 for the first year in an effort to build a pipeline of experienced women who could serve as coaches and mentors for future teams, says US Cyber Games Commissioner Jessica Gulick.

"In our field, with cyber games, even though you know cybersecurity and you're a cybersecurity professional, it doesn't automatically make you a good player for the game," Gulick says. "So having that experience is incredibly valuable."

The US Cyber Games program is in its fourth year; the co-ed team has 30 athletes, three of whom are women. Two of those women are also on the US Women's Cyber Team, including Shiloh Smiles, 24, a graduate of The Citadel in Charleston, SC. Smiles is pursuing a graduate degree in computer and electrical engineering at George Mason University, while also working as a penetration tester for the US Navy. 

For Smiles, the women's cybersecurity team offers a unique opportunity to combine a skill-building competition with social ambassadorship – and a way to make friends who share a common interest and will face some of the same workplace challenges. Women make up less than a quarter of the cybersecurity workforce. 

"Working in the military community, there are not many women, so it's very rare that I meet another woman who is technical," Smiles says. "That's been the best part of the team so far – to meet 11 other women who are highly technical. I just think it is super-duper cool. And we have the upcoming competition in November, which is going to be an all-women competition. So that's another opportunity to meet women from all over the world that are, again, highly technical. That's definitely what I'm most excited for – the networking in the community."

For 19-year-old Sarah Ogden, a student at Northern Kentucky University and one of the team's younger athletes, the opportunity to learn and develop her cybersecurity skills has been a motivating factor. She had participated in CTFs in the past, so she jumped at the chance to join the team – and travel internationally. Ogden says she is looking forward to checking out the variety of vending machines in Tokyo, but when it comes to the games itself, she is keeping her expectations in check.

"What I'm most looking forward to is trying to learn as much as I can," Ogden says. "I feel like my expectations are kind of low, so I'm not trying to stress myself out too much, just doing our best."

Head coach Jenkins would love for his team to come in first place in Tokyo, but winning isn't the only focus.

"We're really more focused on bringing the countries together, bringing the women together, having them share their experiences," Jenkins says. "I used to be dead-set on, 'We have to win, right?' But it's not the only thing that matters in this inaugural year."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Ready to Rumble: US Women's Cyber Team Preps for Global CTF Contest

Regulators fine AT&T $13 million for failing to protect customer information held by a third-party vendor, and extend consumer data protections to the cloud.

Source: B Christopher via Alamy Stock Photo

The Federal Communications Commission fined AT&T $13 million and ordered it to tighten up its privacy and security practices in the wake of a catastrophic third-party compromise.

The commission also used its authority under the Communications Act of 1934 to extend consumer protections to the cloud, finding AT&T failed to maintain proper oversight of a third-party provider.

That vendor, data warehousing provider Snowflake, reportedly was compromised in January 2023, exposing a host of organizations' sensitive data, among them AT&T's. In the weeks that followed the breach, AT&T acknowledged "nearly all" its customers were affected by exfiltrated call and text records, phone numbers, and other personally identifiable information.

Following an investigation, the FCC ruled on Sept. 16 that Snowflake should have been required to "destroy or return" the information years prior to the incident, and finding AT&T responsible for failing to appropriately protect its customer data.

"The Commission expects carriers to meet the requirement of the \[Communications Act of 1934\] and the Commission's rules, including to take 'every reasonable precaution' to protect customers' proprietary or personal information," the agency said in its ruling. "That includes reasonable practices as they relate to cloud security, data retention, and disposal."

In addition to the fine, the FCC ordered AT&T to improve its overall information security controls and practices, including "multifaceted vendor controls and oversight."

**About the Author**

FCC: AT&amp;T Didn't Adequately Protect Customers' Cloud Data

Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.

Source: elifbayraktar via Alamy Stock Photo

A meeting of influential figures in and around the US and Taiwanese defense industries has been targeted by a phishing attack carrying fileless malware.

The 23rd US-Taiwan Defense Industry Conference will be held next week in Philadelphia's Logan Square neighborhood. Closed to the press, it will feature speakers from government, defense, academia, and commercial sectors in the US and Taiwan. The focus, according to its website, will be "addressing the future of US defense cooperation with Taiwan, the defense procurement process, and Taiwan's defense and national security needs."

Recently, the US-Taiwan Business Council — the organization behind the event — was sent a malicious forgery of its own registration form. The form was paired with information-stealing malware designed to execute entirely in memory, making it more difficult to detect with traditional antivirus software. Thanks to diligent anti-phishing preparations, however, the council quickly rebuffed the attack.

**Threats to a Taiwan Defense Conference**

Eight years ago, a Chinese phishing email was sent to members of Taiwan's defense industry, including some attendees of the 15th US-Taiwan Defense Industry Conference. Even by then, though, it was old hat.

"In the period from 2003 to 2011, we were heavily targeted with spear-phishing emails constantly," reports Lotta Danielsson, vice president of the US-Taiwan Business Council. "There was an uptick in 2016-2017, but it has been very quiet for the last several years. Usually, it increases in the leadup to and right after the annual defense conference, then it subsides again."

In the leadup to this year's conference, rather than attendees, the attack seemed to target the council itself. It came in an email, from an individual posing as a potential attendee. Rather than use the event's online form, the impersonator sent a filled out copy of the registration form as a PDF, which attendees can do if they experience technical issues with the site.

Source: Cyble

The document, according to analysis from Cyble, came with a ZIP file that was supposed to drop a malicious Windows shortcut (LNK) file. If opened, the LNK would have established persistence on its targeted machine by placing an executable file in the Windows startup folder. Upon reboot, the executable would download additional payloads to be executed directly in the machine's memory, without saving any files to disk. Ultimately, the malware could exfiltrate data back to an attacker-controlled server through Web requests designed to blend with normal network traffic.

Cyble researchers were unable to tie the attack to any specific threat actor. They noted, however, that Chinese entities in particular have a long history of targeting Taiwan.

"We've seen very clearly in the last few years that there are a lot of problems in East Asian geopolitics — military-related movements in the South China Sea, very sharp comments coming from Taiwan and China. And it looks like nation states are interested in US-Taiwan defense cooperation," says Kaustubh Medhe, head of research and intelligence for Cyble.

This latest phishing attempt fits neatly into that picture. "We have a strong suspicion that this could be used as a stealthy technique to perform long-term surveillance of people with a specific interest in this particular topic," he says.

**A Textbook Case of How to Prevent Phishing**

As Danielsson recalls, "We have been targeted by these types of spear phishing emails for a long time — more than 20 years — so we flagged it as suspicious right away. We did not open the file. Instead, we submitted it to VirusTotal and confirmed that it was malicious. Then we deleted it, and that was pretty much it."

She highlights a few keys to success that have helped the Council easily swat away its many phishing attacks over the years. "One is educational, so the entire staff is well educated on these types of attacks. Nobody clicks links in emails, or opens documents sent via email, unless we have talked to people directly and are expecting them. Even then, we often scan them before opening, unless the presumed content is very sensitive, in which case we will call people to double-check that they sent them," she says.

Besides that, she adds, "We keep our email clients text-only so it's easy to see any obfuscation of links right away. I log all traffic in and out of our system and keep an eye out for anomalies. We also take our entire system offline at night and on weekends, air-gapping our computers and internal IT systems. This is doable because we are a small office with three people, something that might be harder for a larger organization. I also have some relationships with people who work in the cybersecurity industry, and they have helped us think through what to do if we do end up failing to prevent an issue. We want to be prepared if it does."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading