The Apple iOS 18.3 update fixes 28 other vulnerabilities identified by the tech company, though there is little information on them.

Source: Shahid Jamil via Alamy Stock Photo

NEWS BRIEF

In its latest security update for users, Apple has released a patch for a zero-day vulnerability tracked as CVE-2025-24085 (no CVSS score assigned yet).

The vulnerability, not yet added to the National Vulnerability Database (NVD), can be found in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. As a privileged escalation security flaw, it is located in Apple's Core Media framework. The bug is being actively exploited in the wild.

The Core Media framework, according to Apple, is "the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms." It allows users to process media samples as well as manage queues of media data.

This patch comes in the form of iOS 18.3, which fixes 28 other vulnerabilities as well. Apple has yet to divulge many details about any of the issues that have been patched by this update, likely to prevent attackers from exploiting them before users can apply the necessary fix.

Impacted devices from this bug include:

*   Apple Watch Series 6 and later
    

*   Apple TV HD and Apple TV 4K (all models)
    
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    

Though the tech giant has disclosed that "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2," it has not published any details of the attacks nor attributed its discovery to a researcher.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Patches Actively Exploited Zero-Day Vulnerability

PRESS RELEASE

BIRMINGHAM, Mich., Jan. 15, 2025 /PRNewswire/ -- IT-Harvest, the premier data-driven industry analyst firm, is excited to announce the launch of HarvestIQ.ai, a groundbreaking platform featuring two cutting-edge AI assistants designed to redefine how professionals navigate the complex cybersecurity landscape.

The Analyst AI provides unparalleled access to IT-Harvest's comprehensive database of 4,070 cybersecurity vendors, offering users instant insights into market players, trends, and innovations. Meanwhile, the Architect AI empowers users with tailored guidance on cybersecurity products, leveraging IT-Harvest's in-depth analysis of over 11,300 products to help organizations make informed decisions about their cybersecurity strategies.

"HarvestIQ.ai is a game-changer for cybersecurity professionals. By combining our vast database with the power of AI, we're equipping analysts, architects, and decision-makers with tools that provide instant, actionable insights," said Richard Stiennon, Chief Research Analyst at IT-Harvest. "Whether you're evaluating vendors or designing a security architecture, HarvestIQ.ai ensures you're making data-driven decisions."

Key Features:

*   Analyst Assistant: Instant access to detailed information on 4,070 cybersecurity vendors through a familiar chat interface. A user holds a conversation with a powerful industry analyst with full vendor knowledge, including funding, security rating & health, headcount growth, and more.
    
*   Architect Assistant: Expert guidance on 11,300 cybersecurity products to streamline decision-making. Hold a conversation with a product-oriented assistant with in-depth technical knowledge of all cybersecurity solutions, compliance frameworks, capabilities, and more.
    
*   User-Friendly Platform: Get immediate access at harvestiq.ai.
    

"At IT-Harvest, we understand the critical need for precision and speed in cybersecurity decision-making," said Maximillian Schweizer, Chief Technology Officer. "HarvestIQ leverages the latest AI technology to deliver not just data, but actionable intelligence, enabling our users to stay ahead of evolving demands on their teams."

HarvestIQ is available now at harvestiq.ai. Monthly subscriptions are priced at $179 for the Architect Assistant and $159 for the Analyst Assistant, making it an accessible solution for enterprises, cybersecurity professionals, and consultants alike. Trial users can sign up for free answers to ten questions a month.

About IT-Harvest: IT-Harvest is a data-driven industry analyst firm specializing in cybersecurity market intelligence. With a mission to provide actionable insights and foster informed decision-making, IT-Harvest delivers unparalleled analysis and data-driven solutions to clients worldwide. The IT-Harvest Dashboard is the only platform for researching the entire cybersecurity industry. Data on 4,070 vendors and 11,300 products are continuously updated. Enterprise subscribers use the Dashboard for industry analysis, product discovery and selection, gap analysis, and acquisition hunting.

For more information, visit www.it-harvest.com or contact IT-Harvest at \[email protected\].

You May Also Like

IT-Harvest Launches HarvestIQ.ai

PRESS RELEASE

SEATTLE, Jan. 15, 2025 /PRNewswire/ -- Spectral Capital Corporation (OTCQB: FCCN), a pioneer in providing its deep quantum technology platform, is pleased to announce the filing of a critical patent in quantum cybersecurity.

"Over the past three decades, I have been deeply involved in the cybersecurity industry, including founding a leading-edge company that addressed some of the most complex challenges in the field," said Sean Michael Brehm, chairman of Spectral. "Quantum computing elevates cybersecurity risks to an entirely new level. With its potential to break RSA encryption—the foundation of global data security—quantum technology presents an unprecedented threat. In response, our team has developed a solution to ensure RSA encryption remains secure, even in the quantum era," concluded Spectral chairman Sean Michael Brehm.

"Out of the 104 patentable innovations acquired in the Vogon Cloud acquisition, the patent application around protecting RSA encryption from quantum hacking could be one of our most important. According to Allied Market Research, the global RSA encryption market, primarily measured within the broader "hardware encryption" category, is estimated to hold a significant share, with some reports stating that the RSA segment represents around 50% of the hardware encryption market, which is projected to reach a size of approximately $1.2 trillion by 2031, indicating a substantial market for RSA encryption alone. We are proud to be a part of protecting that market, even as new technologies for encryption emerge, like Spectral's unhackable distributed quantum ledger database technology," said Spectral's Chief Executive Officer, Jenifer Osterwalder. 

Spectral has a portfolio of patents and trade secrets designed to meet the enormous demand for hybrid computing systems which combine current classical computing technologies with emerging quantum computing technologies as these are made commercially available. An entire ecosystem of hardware and software will be needed to support hybrid and quantum computing and Spectral has ambitious plans to build one of the largest intellectual property portfolios in the industry, including its previously announced goal of filing for more than 500 patents by the end of 2025.

About Spectral Capital  
Spectral Capital (OTCQB: FCCN) is a quantum technology platform company at the forefront of innovation. Focusing on sustainable green cloud computing, quantum databases, and advanced quantum chip technology, Spectral Capital is revolutionizing industries such as telecommunications, AI, and green technology. With flagship offerings like the Vogon Cloud and Vogon DQLDB, the company is pioneering a future of decentralized, secure, and scalable computing.

Forward-Looking Statements

This press release contains forward-looking statements (as defined in Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended) concerning future events and FCCN's growth and business strategy. Words such as "expects," "will," "intends," "plans," "believes," "anticipates," "hopes," "estimates," and variations on such words and similar expressions are intended to identify forward-looking statements. Although FCCN believes that the expectations reflected in such forward-looking statements are reasonable, no assurance can be given that such expectations will prove to have been correct. These statements involve known and unknown risks and are based upon a number of assumptions and estimates that are inherently subject to significant uncertainties and contingencies, many of which are beyond the control of FCCN. Actual results may differ materially from those expressed or implied by such forward-looking statements. Factors that could cause actual results to differ materially include, but are not limited to, changes in FCCN's business; competitive factors in the market(s) in which FCCN operates; risks associated with operations outside the United States; and other factors listed from time to time in FCCN's filings with the Securities and Exchange Commission. FCCN expressly disclaims any obligations or undertaking to release publicly any updates or revisions to any forward-looking statements contained herein to reflect any change in FCCN's expectations with respect thereto or any change in events, conditions or circumstances on which any statement is based.

Spectral Capital Files Quantum Cybersecurity Patent

One of the largest data breaches in history was apparently twice as impactful as previously thought, with PII belonging to hundreds of millions of people sitting in the hands of cybercriminals.

Source: Pavel Kapish via Alamy Stock Photo

New evidence suggests that more than half of the US population was touched by the ransomware attack(s) against UnitedHealth subsidiary Change Healthcare.

One of the largest data breaches ever recorded struck Change Healthcare last year. Change's technology services reach hundreds of vendors and laboratories, thousands of hospitals, tens of thousands of pharmacies, and hundreds of thousands of physicians and dentists, including "nearly all government and commercial payers," according to company documentation. These services necessarily sweep up loads of patients' personally identifying information (PII), which ended up in the hands of multiple ransomware actors.

Later last year, it was reported that the incident affected around 100 million Americans. Now, UnitedHealth has updated that number to approximately 190 million. A company spokesperson confirmed this in an emailed statement to Dark Reading, adding, "the vast majority of those people have already been provided individual or substitute notice."

**Change's Changing Cyberattack Story**

Last February, in concert, pharmacies around the US experienced significant delays to prescription orders. Behind it all was Change Healthcare, which processes billions of transactions every year, representing trillions of dollars worth of medical claims.

Related:Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

The company first stated that it had suffered a nation-state cyber intrusion. In fact, it was a regular old ransomware attack (for which it would later pay a whopping $22 million ransom). And this wasn't the only crucial detail it got wrong.

In June, Change Healthcare finally sent out notices of data compromise, revealing that affected customers totaled around 100 million. On Friday, however, UnitedHealth Group publicly adjusted that figure to include 90 million more.

In its updated online notice of data breach, the company admitted that hackers may have obtained a variety of personally identifying information (PII) about patients and guarantors, including their first and last names, dates of birth, phone numbers, home addresses, and email addresses. Social security numbers, it noted, were only lost in "rare instances," and in an email to Dark Reading, a spokesperson claimed that Change Healthcare "has not seen electronic medical record databases appear in the data during the analysis."

The spokesperson also emphasized that "Change Healthcare is not aware of any misuse of individuals' information as a result of this incident."

However, Paul Bischoff, consumer privacy advocate at Comparitech, warns that "every press release I ever see about a data release says 'there's no evidence that your information has been abused or misused in any way.' But, obviously, they're not really looking for that for those instances of abuse, and they would never know if it actually happened. And the people that it happens to can't attribute the identity theft that they're suffering back to the data breach that caused it."

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**When Data Breach Disclosures Go Wrong**

The Securities and Exchange Commission (SEC) data breach disclosure rules require that publicly traded companies disclose "material" cybersecurity incidents within four days of becoming alerted to them. The same rule applies to material updates to breach disclosures, such as when an attack is found to have affected nearly twice as many victims as once thought.

Despite these rules, companies have managed to take extensive time in investigating and addressing critical aspects of their breaches. For instance, it took Change Healthcare four months to notify customers of its incident, nine months to admit that 100 million people were affected, and nearly a year to update that figure to 190 million.

Bischoff hesitates, though, before suggesting that what's needed is even stricter regulation. "It's a complicated subject, because it gets to a point where you put such a burden on companies. Companies are also victims in these situations, so I don't want to penalize them for reporting things incorrectly," he says.

Related:The Case for Proactive, Scalable Data Protection

At the same time, he adds, "What we see a lot is that these companies take way too long to finish their investigations and notify victims. Sometimes it's up to a year or more before we're notified that people's data is out there on the Dark Web, being used for who knows what. And that's after they're most likely to get hit with identity fraud, and other sorts of fraud, because cybercriminals want that information when it's as fresh as possible. That's when it's most valuable. So I think we do need more strict standards about the timeliness of these notifications."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Change Healthcare Breach Impact Doubles to 190M People

Attackers aim to steal people's personal and payment-card data in the campaign, which dangles the threat of an undelivered package and has the potential to reach organizations in more than 50 countries.

Source: Francis Vachon via Alamy Stock Photo

Attackers impersonating the US Postal Service (USPS) are striking again, this time in a widescale mobile phishing campaign that taps people's trust in PDF files. This time it uses a novel evasion tactic to steal credentials and compromise sensitive data in SMS phishing (smishing) attacks.

Discovered by researchers at Zimperium zLabs, the smishing campaign uses malicious SMS messages informing people that their package can't be delivered because of "incomplete address information," they revealed in a blog post published Jan. 27. The messages direct people to click on a PDF file that contains a malicious phishing link, leading them to a landing page that asks them to provide personal details, including name, address, email, and phone number. A further redirection collects people's payment-card data, claiming to require service fees for successful delivery of the package.

"This tactic leverages the perception of PDFs as safe and trusted file formats, making recipients more likely to open them," Zimperium researcher Fernando Ortega wrote in the post.

ZLabs researchers uncovered more than 630 phishing pages, 20 malicious PDF files, and a malicious infrastructure of landing pages related to the campaign, demonstrating a significant scale that potentially could impact organizations across more than 50 countries, he said.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Moreover, attackers use "a complex and previously unseen technique to hide clickable elements" of the campaign, making it difficult for most endpoint security solutions to properly analyze the hidden links and thus detect the threat, Ortega wrote.

"This strategy highlights the evolving tactics of cybercriminals, who exploit both trusted file formats and advanced evasion methods to deceive users and compromise their data," he wrote.

**Manipulating PDFs to Escape Detection**

Attackers use their knowledge of the back-end composition of PDF files to create a novel evasion tactic that makes the malicious campaign harder for automated security systems to detect as suspicious, the researchers found.

In PDF files, links are typically represented using the /URI tag, which is part of an Action Dictionary object, specifically within a Go-To-URI action, Ortega explained in the post. This instructs a PDF viewer to navigate to a uniform resource identifier (URI), which is usually a Web address (URL).

The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, "making it more challenging to extract URLs during analysis," Ortega wrote.

"Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions," he added. In contrast, these solutions detect the same URLs when the standard /URI tag was used.

Related:Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

"This highlights the effectiveness of this technique in obscuring malicious URLs," Ortega explained.

**Package-Themed Phishing Not New, But Evolving**

Campaigns that impersonate the USPS and other trusted brands are hardly new, as attackers often leverage the urgency that comes with a person waiting for a package or piece of mail as a convincing lure for phishing attacks. One USPS-anchored campaign in October 2023 was linked to Iranian attackers and used close to 200 different domains as infrastructure for the attacks, as an example.

However, the scale and sophisticated evasion tactic used in the latest USPS impersonation effort makes it a notable threat, and part of a disturbing trend to take advantage of "limited mobile device security worldwide," threatening corporate users, one security experts says.

"While organizations have robust email security, the critical tension between finance, HR, and technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors," says Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

Indeed, organizations need to get a handle on the issue of unsecured mobile devices in the workplace, another expert says. To do this, notes Darren Guccione, CEO and co-founder at Keeper Security, they should adopt a layered security approach that combines employee education with the use of multifactor authentication (MFA) to prevent credential compromise even if a corporate user falls for an attack.

As far as enterprise security goes, he explains, employing zero-trust security frameworks that use privileged access management (PAM) solutions can serve to further mitigate risks "by restricting access to sensitive systems, ensuring only authorized users can interact with critical data."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

USPS Impersonators Tap Trust in PDFs in Smishing Attack Wave

CISOs are planning to adjust their budgets this year to reflect their growing concerns for cybersecurity preparedness in the event of a cyberattack.

Source: Irina Guzovataya via Alamy Stock Photo

NEWS BRIEF

In 2025, chief information security officers (CISOs) will be directing their attention to becoming more cyber prepared in the event of an attack, by enhancing their crisis simulation capabilities.

That's according to a study conducted by researchers at Hack The Box, which found that out of 200 US- and UK-based CISOs, 74% said they plan to up their crisis simulation budgets this year.

These changes likely stem from rising concerns about the growing number of cyberattacks, the lack of incident-response planning, and inadequate stress-testing of crisis scenarios. Major cyberattacks and cyber incidents have impacted organizations such as NHS, 23andMe, and a host of businesses impacted by the CrowdStrike faulty update in 2024, affecting enterprises on a global level. CISOs are trying to reassess their organizations' capabilities in order to manage the chaos when it inevitably arises.

A full 77% of those surveyed said they would allocate greater budgets for cyber-crisis simulations if the exercises themselves were more realistic and actionable. 

"Preparedness is the foundation of resilience, and crisis simulations play a crucial role in testing organizations security and workforce performance when it's most critical," said Haris Pylarinos, CEO and founder at Hack The Box, in a statement. "Organizations are right to prioritize crisis simulation, and must ensure that these are implemented in the right way."

Also, 73% of survey respondents reported that crisis simulations and incident-response exercises for both their technical and non-technical teams were their top business priority this year.

Pylarinos highlighted that crisis simulation will continue to evolve, pairing artificial intelligence with expert knowledge in order to provide tailored and realistic scenarios that reflect challenges that security teams and management will face on digital front lines. "It will unite previously disparate business units as one," he said, "and allow real-world performance to be benchmarked in a controlled environment."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Crisis Simulations: A Top 2025 Concern for CISOs

Whether you're facing growing data demands and increased cyber threats, or simply looking to future-proof your business, it's time to consider the long-term benefits of transitioning to a cloud-first infrastructure.

Tom Ferrucci, Chief Information Officer, Natco Home Group

January 27, 2025

4 Min Read

Source: MR3D via Alamy Stock Photo

COMMENTARY

Cyber threats have never held greater risk to digital business operations than they do today. At Natco Home Group, we received a wake-up call when outdated backup systems exposed critical vulnerabilities, jeopardizing decades of business data. This realization set the stage for a sweeping overhaul of the company's data protection strategy, transitioning from legacy infrastructure to a modern cloud-first solution. This shift bolstered our ability to respond to evolving cyber-risks and stay resilient during all-important periods like the holiday season. In today's rapidly changing digital landscape, cloud-based data security is an essential component to improving business continuity and long-term success.

**The Legacy Challenge**

Our journey to modernizing data protection began with a grave realization. When I settled into my role as chief information officer (CIO), I encountered a first in my 30-plus years of experience: If Natco Home were to have a significant data breach, decades of data could not be recovered. This is an issue many organizations face when they hold onto legacy solutions. In retail, the stakes are raised even higher during the holidays and into the new year.

During my first month at Natco, I found the company's existing environment lacked the necessary protections and data security best practices. Unfortunately, we had lost a significant amount of email data in a software incident and were unable to recover the data. Existing data protection infrastructure, relying heavily on outdated technologies like tape backups, was not sufficient to meet today's digital needs.

Older backup systems, especially tape, can be clunky and prone to failure. They require significant manual oversight and management, and often fail to scale effectively as the business grows. Additionally, performing a data restore from tape is a slow and error-prone process. Agile solutions are necessary to enter a new era of resiliency, with the ability to scale up and better serve customers. 

This was not just a technical problem, but a business continuity problem. For a company like ours that provides home décor to major US retailers, we needed to fortify ourselves against cyber threats and potential downtime — without burdening our lean IT team with tedious tasks. The stakes were too high to ignore, especially when downtime has a major impact on company reputation and customer service. Our old infrastructure became a bottleneck, and we had to rethink our entire approach to data security. 

**The Benefits of a Cloud-First Approach**

Ultimately, we decided to shift to a cloud-first infrastructure to both strengthen the company's data protection and future-proof our data security strategy. Cloud-based solutions offer a range of advantages over legacy systems, including scalability, automation, and streamlined management. What was most important for my team was the ability to simplify deployment and reduce the complexities of managing legacy backup storage. This freed up time for the IT team while providing the ability to better manage and protect from evolving data threats. 

After evaluating several options, we moved to software-as-a-service (SaaS) data security with Druva, which supports VMware, Microsoft SQL Server, and Windows workloads while ensuring the protection of Microsoft 365 applications. This provided the cloud-based security features necessary to safeguard critical business applications and handle increased demand during peak periods.

At first, migrating to the cloud did come with some initial challenges, such as system integration and staff training. However, the long-term benefits far outweighed the growing pains. By moving away from legacy systems, we created a more resilient and agile data security infrastructure that is better prepared for potential disasters, including cyber and ransomware threats.

**Embracing Cloud-First Security for Long-Term Resiliency**

The evolving threat landscape demands that businesses adapt quickly and effectively. Modern business environments require agility and resiliency in the face of a growing list of data vulnerabilities. Our decision to embrace a cloud-first data protection strategy has improved our ability to manage and secure critical data while positioning us for continued success. By reassessing our legacy infrastructure and adopting a forward-thinking security approach, we've been able to mitigate risks, improve operational efficiency, and prepare for future challenges.

Our modernization serves as a prime example of how organizations can safeguard mission-critical data with a cloud-first approach. By improving our security posture and simplifying data management, we addressed immediate data and cyber resiliency concerns, and laid a secure foundation for the future.

This transformation goes beyond technology — it's about ensuring business continuity and customer trust. As companies increasingly turn to cloud infrastructure to navigate peak business seasons, the lessons learned from our experience highlight the importance of proactive, strategic investments in data security. The shift to modern, cloud-first solutions is no longer optional. It is essential for ensuring long-term resiliency in the face of evolving threats.

Let this serve as a reminder to reassess your data protection strategy before this year's peak season. Whether you're facing growing data demands, increased cyber threats, or simply looking to future-proof your business, it's time to consider the long-term benefits of transitioning to a cloud-first infrastructure. By taking the necessary steps now, you can protect your business from potential risks and ensure that you're prepared for whatever the future may hold.

**About the Author**

Chief Information Officer, Natco Home Group

Tom Ferrucci is an information technology executive with more than 30 years of experience in leading global IT operations and digital transformation initiatives. Currently serving as the chief information officer at Natco Home Group since November 2020, Tom provides technical and strategic direction, overseeing all IT operations, including development, programs, infrastructure, and service desk. His leadership ensures that IT resources are allocated to priority objectives while maintaining high reliability.  Before joining Natco Home Group, Tom spent almost 23 years at Hope Global, where he was the VP of information technology and later promoted to chief information officer. While there he spearheaded digital transformation projects that enhanced collaboration, increased revenue, and improved operational efficiency. His initiatives involved integrating enterprise-class collaboration systems. His expertise spans project management, application development, network infrastructure, and telecommunications. Tom has a proven history of driving IT innovation and delivering strategic solutions that align with business goals.

The Case for Proactive, Scalable Data Protection

The number of CISOs who report directly to the CEO is up sharply in recent years, but many still say it's not enough to secure adequate resources.

Source: TongRo Images vial Alamy Stock Photo

After years of leaning into learning the ethos of business leadership and risk management, chief information security officers (CISOs) have gotten their seat at the boardroom table and the power to make decisions. But even so, many say their jobs are more arduous than ever, and that's not how it was supposed to happen.

A full 82% of CISOs who responded to a recent survey from Splunk said they report directly to the CEO, up from just 47% in 2023. In addition, 83% said they participate regularly in board meetings. For their part, CISOs have had to skill up in kind, honing communications skills and learning the boardroom lingo of KPIs and ROI, not to mention become more familiar with legal and compliance concerns. In other words, the scope of the CISO role has expanded far beyond just IT security.

Source: Splunk, the CISO Report 2025

It's a big change; for years, CISOs were relegated further down the org chart, receiving mandates without any opportunity to provide context to the business. They also became the ones to take the blame for major breaches, landing some in legal entanglements. And that status quo was leading to massive burnout, with the average CISO tenure standing at just two to four years in 2020. By 2023, there was widespread consensus the CISO role needed a rethink.

Related:DoJ Busts Up Another Multinational DPRK IT Worker Scam

Hence, more CISOs gaining a seat in the C-suite. And theoretically, putting a CISO in the middle of high-level decision making should help push the case for more cyber investment. But that hasn't been the experience for many, who find that board buy-in is still a challenge. In fact, only 29% of the CISO survey respondents reported they have the necessary budget to keep up with the current threat environment; in contrast, 41% of non-CISO board members said they're satisfied with cybersecurity investment levels.

In all, 53% of CISO respondents in the Splunk survey said their job has actually become "more difficult since they took the job," seat at the table or no.

**CISOs With Board Buy-In Do Better**

The data also points to a clear-cut solution: Boards with members with cybersecurity backgrounds make a huge difference. Board members with CISO experience work better with cybersecurity teams on setting strategy, goal setting, and critically, budgeting.

Those results mirror the experience of Jessica Sica, CISO at software company Weave. Although she says her role reports to the chief legal officer rather than the CEO, she "regularly" meets with the whole C-team, as well as the board and audit teams. But rather than bogging her down, Sica says her relationship with leadership has made her job easier. But, she adds, Weave's board is cybersecurity savvy.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

"I have a very security-conscious boss, and we have a security-concerned board," Sica says. "Having their support and voice makes it easier to get my job done."

Her experience, however, is a minority one: The survey showed only 29% of CISOs had a board with at least one cyber expert.

Progress requires CISOs to keep pushing cyber into the C-suite conversation, and boards to recognize the need to add more cybersecurity experts to their ranks, according to Michael Fanning, CISO of Splunk.

"As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other to drive digital resilience," Fanning said in a statement. "Bringing these groups together requires educating boards on the details of cybersecurity, and for CISOs to understand the language and needs of the business while also making security a business-enabler."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

A departmentwide initiative has now led to five major law enforcement actions, in an attempt to curb the increasingly common trend of North Korean hackers posing as IT job applicants.

Source: Sean Hawkey via Alamy Stock Photo

Two Americans, two North Koreans, and a Mexican man have been indicted for their roles in an IT worker scam.

According to the Department of Justice (DoJ), Pak Jin-Song, Jin Sung-Il, and other North Korean co-conspirators secured IT jobs with at least 64 different American companies. They managed it using fake identities facilitated by Pedro Ernesto Alonso De Los Reyes, a Mexican citizen living in Sweden, and carried out their jobs with the help of laptop farms maintained by US citizens Emanuel Ashtor and Erick Ntekereze Prince.

The ruse lasted from April 2018 to last August. For a sense of how lucrative it was, the DoJ noted that earnings from just 10 of the 64 affected companies yielded the scammers $866,255.

**Breakdown of a North Korean IT Scam**

The IT worker scam, now tried and true, developed as a workaround for trade and economic sanctions imposed by the US on the Democratic People's Republic of Korea (DPRK). North Koreans under the employ of sanctioned DPRK government ministries, under assumed identities and relocated in places like China and Russia, apply for remote jobs in America's lucrative tech industry. They perform their jobs adequately enough, but funnel their earnings back to their shriveled government. And some portion of that money, inevitably, ends up funding its notorious nuclear and missile development programs.

Related:CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

But getting a high-paying tech job is no simple, overnight process. To facilitate these scams, by trick or by trade, North Korea recruits Americans and other foreign nationals to help them implement the plan. In this case, the help came from a few central individuals.

In some cases, Alonso lent the hungry job seekers his identity, which they presented as their own in job applications and interview processes. In other cases, the North Koreans stole real US citizens' government identification documents, then superimposed their own headshots on them. In other cases, they solicited help with forgeries from the Web.

After securing sometimes six-figure gigs, the North Korean workers would have company laptops delivered to Ashtor or Prince. By a certain point, the Americans were running full-on laptop farms from their homes in North Carolina. To enable North Koreans in China to work from laptops on the US East Coast, they covertly downloaded and installed remote access software onto these corporate devices. And to conceal where the salaries were actually going, they used their own registered companies to invoice employers. Payments would then be laundered through Chinese bank accounts.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Ashtor and Prince were arrested in North Carolina, and Alonso in the Netherlands. All five men are now charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. The two named North Koreans have earned a bonus charge of conspiracy to violate the International Emergency Economic Powers Act. Convictions could entail prison sentences of up to 20 years.

**Are Recent Arrests Having an Impact on Cybercrime?**

Last March, the DoJ launched its DPRK RevGen: Domestic Enabler Initiative, focused on shutting down the laptop farms crucial to facilitating North Korean IT worker scams. In the time since, authorities have made notable arrests and seizures on four separate occasions.

"They've been warned about this for two years, and we're finally just now starting to see the United States government starting to form a defensive policy, \[with\] routine arrests and sanctions," says Roger Grimes, data-driven defense evangelist at KnowBe4, a company that accidentally hired a North Korean employee last year.

Grimes hasn't yet observed any noticeable decline in these scams since the DoJ initiative began. In fact, he reports, KnowBe4 has received applications from fake IT workers even since its first, widely publicized incident. Any Americans joined up with Kim might consider, though, that besides the threat of arrest, the gig isn't always as lucrative as it seems.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

"A lot of them have been cheated," Grimes notes. While cases have varied widely, he claims, "Many \[Americans have been\] promised a lot more, and either only got paid partially, or some of them didn't get paid at all. So they were really cheated."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

DoJ Busts Up Another Multinational DPRK IT Worker Scam

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading