It is imperative to develop robust policies for new tech and future-proofing by favoring investments in security.

Sébastien Cano, Senior Vice President, Cloud Protection & Licensing Activities, Thales

September 17, 2024

5 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

From economic turbulence to a relentless surge in cyber threats, today's cybersecurity landscape requires enterprises to remain resilient by adapting to security risks. Many organizations have chosen to adapt to these risks by embracing modern technology such as generative artificial intelligence (GenAI), which can present new risks if not implemented properly.

The speed at which companies innovate and adopt new technology is far outpacing the security measures that must be addressed first. This issue is compounded by the fact that innovation is moving faster than ever before, emphasizing go-to-market over producing secure technology.

Recent insights gleaned from the "2024 Thales Data Threat Report" ("DTR") shed light on the intricate challenges facing organizations today. Almost all (93%) respondents report an uptick in attacks such as malware, ransomware, and phishing among the many pressing concerns presented by emerging technologies. There is a critical need for a proactive and comprehensive approach to cybersecurity. Amid the backdrop of technological advancement, three prominent focal points for effective cybersecurity arise in the modern era.

**Keep Compliance Top of Mind in the Race to AI**

The rise of AI yields a new era of innovation, with 22% of enterprises planning to integrate AI into their products and services within the next 12 months. An additional 33% are gearing up to experiment with this transformative technology. However, with this innovation comes unknown vulnerabilities to a company's security posture.

Because large language models (LLMs) are trained by data, the input information potentially could be stored and resurfaced if prompted by a certain query. Should employees enter confidential information into an AI platform, it runs the risk of this form of extraction. Additionally, prompt injection is a proven threat to AI, where hackers trick chatbots by inputting deceptive triggers to override their instructions. This exploits the predictive nature of LLMs, which drive AI responses.

Ultimately, facing the pressure to innovate quickly, companies rushing to implement AI could strain operational systems, making them more susceptible to cyberattacks or abuse. This is a probable scenario for many, despite numerous industry examples showing the dangers of prioritizing adoption speed over security. 

It is essential for organizations to create robust policies or adhere to published guidance from organizations like the Cybersecurity and Infrastructure Security Agency (CISA) to ensure the LLMs being leveraged or developed internally don't have access to sensitive data. Otherwise, pausing to focus on compliance as regulations come down the pipeline is a strong course of action, as the DTR found that companies with better compliance are 10 times less likely to experience a breach.

**PQC Prototyping as a Cybersecurity Cornerstone**

Since the National Institute of Standards and Technology (NIST) approved four cipher suites in July 2022, post-quantum cryptography (PQC) has become increasingly relevant in tackling a looming threat that is gradually becoming more immediate. Despite the absence of any verified or recurring quantum computing attacks on conventionally encrypted data, there is still cause for proactive measures. Though quantum computing is not yet a threat to cryptographic standards, the data encrypted using traditional methods today potentially could be gathered now with the intention of decrypting it in the future in "harvest now, decrypt later" attacks.

For these threats, PQC presents itself as the primary defense against the looming threat of quantum computing. Almost half (48%) of respondents have not recognized PQC as the cornerstone of future cryptographic strategies. Consequently, many companies aren't investing in PQC because it seems years away from tangible adoption, but the reality is, data is presently being harvested.

Businesses can future-proof their technology by making the proper investments. Soon, customers will be looking for products built only with PQC to thwart sophisticated cyberattacks or elevate their cybersecurity efforts otherwise. While we still may be a few years out from quantum, the organizations that will be ready when that innovation comes are preparing now.

**Adding Security to Secrets Management**

Given the adoption of new technologies, the need for security to be integrated seamlessly into digital products and/or services has never been higher. Specifically, when assessing cloud and DevOps environments, secrets management was the greatest security concern for 56% of DTR respondents, followed by workforce identity and access management (IAM) and authorization.

For developers, these three challenges are closely related, as they all require tasks for both privileged users and the workload lifecycle that they manage. However, the common difficulty with secrets is that they are designed as "bearer tokens," granting access to whoever possesses said token, password, API (application programming interfaces) key, encryption key, or any other credential. When secrets are "lost" — for instance, included in code as plain, readable text — hackers won't need to impersonate internal users to gain access. Thus, the consequences are severe. 

Adopting a data-centric security architecture is key to improving security across these environments. Organizations can mature their DevSecOps practices by leveraging new frameworks such as the NIST "Guide to Operational Technology (OT) Security" standards to improve the quality and resilience of overall engineering performance. Security champions are also crucial to the development team and should provide clear, practical security guidance to better manage privileges and store secrets.

**Meeting Old and New Threats With Upgraded Security Tricks**

The pace of technological development is astounding, with innovation emerging rapidly through recent years. While enthusiasm to adopt the latest technology is understandable, this excitement can't overshadow critical security considerations. Despite the variety of new threats that invariably accompany modern technology, many of the mistakes being encountered are recurring issues.

It is imperative to develop robust policies for new tech and future-proofing by favoring investments in security. Trusting device security out of the box is no longer viable; evaluation and strong security practices should precede adoption. The industry can and should continue to embrace innovation, but with the understanding to remain vigilant against evolving vulnerabilities by demonstrating security as priority.

**About the Author**

Senior Vice President, Cloud Protection & Licensing Activities, Thales

As the senior vice president of cloud protection and licensing activities at Thales, Sébastien Cano leads a global business focused on helping organisations and the most respected brands in the world protect their most sensitive data, secure the cloud, and create more value for their software in the devices and services used by billions of consumers every day. He is responsible for the business and strategy for the company’s industry-leading data encryption, identity and access management, and software monetizations solutions. Over the past 20 years Sébastien has proved himself as a global leader of high growth businesses in the highly competitive cybersecurity, telecommunications, and financial services industries. Previously, he served as executive vice president of Gemalto’s enterprise and cybersecurity business unit. Before that he was president of Gemalto North America, responsible for all business operations across the region, and previously, he managed the company’s telecommunications business unit in North America.

The Current Cybersecurity Landscape: New Threats, Same Security Mistakes

Hacktivists love to target financial services companies, and their attacks are growing both larger and longer.

Source: Daniren via Alamy Stock Photo

Financial services organizations have faced nearly twice as many distributed denial of service (DDoS) attacks this year as any other industry, thanks in part to a rise in hacktivism.

According to a new report from Akamai, between Jan. 1 and June 30, there were nearly 3,000 Layer 3 and 4 DDoS attack events in the financial services sector (Layer 3 and 4 attacks occur at the network and transport layers of Internet communication). The next most-targeted industries — gaming, then high tech, then manufacturing — suffered around 1,000 to 1,500 events each.

A number of factors contribute to the sheer scale of the threat, experts say, including a general rise in DDoS across the board, a surge in hacktivist activity in association with high-profile geopolitical conflicts, emerging threats to application programming interfaces (APIs), and more.

And at the end of the day, it's just easy. "They don't have to find a vulnerability. They don't have to find that gap in your armor. They can just literally sit there and hit a button," says Richard Hummel, director of threat intelligence for Netscout.

**Hacktivism Drives DDoS**

On July 15, beginning at 10:05 a.m. local time, the full weight of a globally distributed botnet was turned against a major financial services company in Israel.

The vectors of attack were numerous: UDP flooding, UDP fragmentation, DNS reflection, PUSH and ACK floods, and more. At its peak, the flood of data registered at 789GB per second — equivalent to millions of documents, or hundreds of thousands of photos, streaming in with each passing moment.

The peak of the event lasted until around 1 p.m. local time, but activity persisted for around 24 hours. "This attack was very exceptional in terms of total duration," Akamai researchers wrote, after helping abate the attack. "This requires significant resources and is an indication of a very sophisticated aggressor."

Remarkably, despite that aggressor dedicating so much power to one attack, a number of other Israeli financial institutions experienced outages that same day, in what researchers assessed was likely a politically motivated campaign.

It wasn't the only politically motivated DDoS campaign that happened around this time, nor was it the worst. Those Israeli companies might have considered themselves lucky compared to a UAE bank, whose website was attacked by the pro-Palestinian group BlackMeta (aka DarkMeta). In a six-day romp, the group sent 10 waves of Web requests lasting between four and 20 hours each, averaging 4.5 million per second and peaking at 14.7 million.

DDoS has surged in correlation with the wars in Gaza and Ukraine, Akamai says, particularly against European banks with connections to Ukraine. Even if a financial institution doesn't consider itself political in any way, they nonetheless serve as a useful punching bag for hackers to achieve their dogmatic goals.

**Why Hacktivists Target Finserv**

Being so central to, and interconnected with, wider society, attacks against finance tend to cause more harm and panic than those against other industries.

Plus, more so than in the US, "in European countries or Asian countries, oftentimes government and finance go hand-in-hand, so you will often see that adversaries will walk the stack of what they perceive as government-affiliated," Hummel explains.

As an example, he points to Moldova, a country with manifold conflicts with Russia. "Moldova has been hammered over and over for the past six, seven months now by NoName057 and various other groups. They started with government targets, but then they started looking at finance, at commercial banking, education, public transportation. It's a natural extension."

And as if DDoS weren't already easy enough, in Europe, it's become easier in recent years thanks to Payment Services Directive 2 (PSD2), which came into effect in January 2016. Among other things, the European Union (EU) directive required that financial services providers offer open APIs to third-party services.

PSD2 was designed to better integrate the EU payments market but, Akamai points out, it also widened the surface through which attackers could attack affected companies. APIs offer yet another opening for more sophisticated, application-layer DDoS attacks, particularly when they're poorly accounted for.

"What we're finding is that many financial institutions don't know the expanse of their API ecosystem," says Cheryl Chiodi, industry strategy manager for financial services at Akamai. "There could be developers that were working on a project and left what we call a 'rogue' API, or 'shadow' APIs that are connected to the network but aren't really doing anything. And the cybercriminal can find those entry points and use them to do their infiltration of the network."

In its report, Akamai noted "sharp increases" in DDoS attacks targeting APIs. For this reason, Chiodi urges financial services companies to perform API discovery. "That then opens up the aperture, the visibility, so that you know what the API ecosystem \[in your organization\] is in the first place," she says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ukraine, Gaza Wars Inspire DDoS Surge Against Finservs

Attackers could have exploited a dependency confusion vulnerability affecting various Google Cloud services to execute a sprawling supply chain attack via just one malicious Python code package.

Source: Aleksia via Alamy Stock Photo

Google has patched a flaw in its Google Cloud Platform (GCP) that attackers could have exploited to execute a supply chain attack on millions of customer cloud servers, simply by deploying a single malicious code package.

Researchers from Tenable discovered the remote code execution (RCE) vulnerability, dubbed "CloudImposer," that attackers could have used to hijack an internal software dependency affecting GCP services, they revealed in analysis published Sept. 16.

Specifically, the flaw was found in GCP's Cloud Composer service for orchestrating software pipelines, but it also affected the Google services App Engine and Cloud Function. The flaw created a scenario called a dependency confusion, a technique discovered several years ago but widely misunderstood even by cloud platform providers, according to Tenable.

A dependency confusion attack, first discovered by security researcher Alex Birsan in 2021, starts when an attacker creates a malicious software package, gives it the same name as a legitimate internal package, and publishes it to a public repository.

"When a developer's system or build process mistakenly pulls the malicious package instead of the intended internal one, the attacker gains access to the system," Tenable senior security researcher Liv Matan explained in the analysis. "This attack exploits the trust developers place in package management systems and can lead to unauthorized code execution or data breaches."

He added: "There’s a surprising and concerning lack of awareness about it and about how to prevent \[dependency confusion\], even among leading tech vendors like Google. And unfortunately, this type of dependency can be exploited to execute supply chain attacks in the cloud that "are exponentially more harmful than on-premises."

"For example, one malicious package in a cloud service can be deployed to — and harm — millions of users," Matan observed. In essence, then, one single faulty command in GCP could potentially have created a ripple affect across myriad cloud deployments, giving attackers access to customers' enterprise cloud environments.

Tenable's findings were first presented in a session by Matan at Black Hat USA in August called "The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)," — one a Dark Reading expert advised not to miss at the conference. However, he published his full analysis on Tenable's blog only this week.

**Risky Documentation Leads to Flaw**

The first sign of the flaw was Google documentation regarding GCP and the Python Software Foundation that introduced the possibility of dependency confusion in cloud deployments, according to Tenable. The researchers dug further and found that Google itself applied the same risky implementation advice to GCP, introducing the flaw.

Specifically, Google advised users who want to use private Python packages in the GCP services App Engine, Cloud Function and Cloud Composer services to use what's called the "--extra-index-url" argument.

"This argument looks for the public registry (PyPI) in addition to the specified private registry from which the application or user intends to install the private dependency," Matan explained. "This behavior opens the door for attackers to carry out a dependency confusion attack."

The researchers inferred that there are "numerous GCP customers" who followed Google's risky guidance, as well as ultimately discovered that Google itself took its own advice when installing private packages in their own internal services.

Specifically, Tenable researchers found that Google used the risky --extra-index-url argument to install a private code package missing from the public registry in a way "that allows attackers to upload a malicious package to the public registry, and take over the pipeline," Matan wrote.

**Google Fix & Other Mitigations**

The researchers responsibly disclosed both the documentation and the CloudImposer RCE vulnerability to Google, which promptly responded and took action, according to Tenable. Specifically, Google fixed the vulnerable script in Google Cloud Composer that was utilizing the --extra-index-url argument when installing a private package from a private registry.

The company also inspected the checksum of vulnerable package instances and notified Tenable that, as far as Google knows, there is no evidence that the CloudImposer was ever exploited, Matan noted.

Google also acknowledged that while the exploit code that Tenable developed ran in Google's internal servers, it's likely that it would not have run in customers' environments because it wouldn't pass the integration tests.

Further, the company fixed the risky documentation, now recommending that GCP customers use the --index-url argument instead of the --extra-index-url argument, and the tech giant has adopted Tenable's suggestion to recommend that GCP customers use the GCP Artifact Registry's virtual repository to safely control the Python package manager search order, Matan noted.

GCP customers should analyze their environments for their package installation process to prevent breaches, specifically searching for the use of the --extra-index-url argument in Python to ensure they are not vulnerable to a dependency confusion attack.

Matan concluded: "A combination of responsible security practices by both cloud providers and cloud customers can mitigate many risks associated with cloud supply chain attacks."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'CloudImposer' Flaw in Google Cloud Affected Millions of Servers

Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.

Source: Anucha Cheechang via Shutterstock

Microsoft has recategorized a bug that the company fixed in this month's Patch Tuesday update as a zero-day vulnerability, which the "Void Banshee" advanced persistent threat group has been exploiting since before July.

The bug, identified as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine that Microsoft continues to include in Windows for backward compatibility purposes, and it's one of two very similar issues that Void Banshee is using in its attacks.

**Affects All Supported Windows Versions**

The vulnerability affects all supported versions of Windows and gives remote attackers a way to execute arbitrary code on affected systems. An attacker, however, would need to convince a potential victim to visit a malicious Web page or to click on an unsafe link for any exploit to work.

Microsoft assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale when it initially disclosed the bug on Sept. 10. At that time, the company's advisory made no mention of the vulnerability being a zero-day bug. Microsoft revised that assessment on Sept. 13 to indicate attackers had, in fact, actively been exploiting the flaw "as part of an attack chain \[related\] to CVE-2024-38112," a MSHTML platform spoofing vulnerability that the company patched in July 2024.

"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft said in its updated advisory.

The company wants customers to apply its patches from both the July 2024 update and the September 2024 update to fully protect themselves against exploits targeting CVE-2024-43461. Following Microsoft's Sept. 13 update, the US Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 added the flaw to its known exploited vulnerabilities database with a deadline of Oct. 7 for federal agencies to implement the vendor's mitigations for it.

CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to cause a user-interface — in this case, the browser — to display erroneous data. Check Point Research, which Microsoft has credited with discovering CVE-2024-38112, has described the flaw as allowing an adversary to send a crafted URL or Internet shortcut file that when clicked would trigger Internet Explorer — even when disabled — to open a malicious URL. Check Point said it had observed threat actors also use a separate novel trick for dressing up malicious HTML application (HTA) files as innocuous-looking PDF documents when exploiting the flaw.

Trend Micro's Zero Day Initiative (ZDI), which has also claimed credit for discovering CVE-2024-38112 — and has a beef with Microsoft for not acknowledging them — later reported Void Banshee as exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks that Trend Micro observed, the threat actor lured victims using malicious files spoofed as book PDFs that they distributed via Discord servers, file-sharing websites and other vectors. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.

**A Two-Bug Microsoft Attack Chain**

According to Microsoft's updated advisory, it turns out that attackers have been using CVE-2024-43461 as part of an attack chain also involving CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well for CVE-2024-43416, because both are near-identical flaws.

Peter Girnus, senior threat researcher at ZDI who Microsoft has credited for CVE-2024-43461, says the attackers used CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler inside of a .URL file. "This landing page contains an <iframe> which downloads an HTA file where the HTA extension is spoofed using CVE-2024-43461" to make the file appear to be a PDF to the victim, he says.

Girnus says ZDI was aware that the attackers were exploiting CVE-2024-43461 but assumed the patch for CVE-2024-38112 fixed the issue. "We however reversed this patch to realize that the spoofing vulnerability was not fixed. We promptly alerted Microsoft," he says.

In its July report on Void Banshee exploiting CVE-2024-38112, Trend Micro said the flaw is a prime example of how organizations can get tripped up by "unsupported Windows relics" such as MSHTML, and end up having attackers drop ransomware, backdoors, and other malware on their systems. The attack surface is significant, too: A study that Sevco conducted of 500,000 Windows 10 and Windows 11 systems in the immediate aftermath of Microsoft's disclosure of CVE-2024-38112 showed that more than 10% are missing any kind of endpoint protection control and nearly 9% are missing controls for patch management, leaving them completely blind to threats.

“Environmental vulnerabilities such as missing endpoint security or patch management controls on devices combined with CVE vulnerabilities compound the risk that companies will leave paths to data exposed and allow malicious actors to exploit vulnerabilities like \[CVE-2024-43461\]," says Greg Fitzgerald, co-founder of Sevco. "It's critical for enterprises to take the first step of patching this vulnerability, but it can't stop there."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Void Banshee' Exploits Second Microsoft Zero-Day

The sanctions are unlikely to affect the growing network of criminals who lure victims into working for cybercrime sweat shops around the world.

Source: Feng Yu via Alamy Stock Photo

Cambodian business tycoon and senator Ly Yong Phat, along with the business conglomerate he runs and O‑Smach Resort, have been sanctioned for using forced labor to run a center perpetuating cryptocurrency scams.

According to a report from the US Treasury Department's Office of Foreign Assets Control (OFAC), workers from countries including China, India, Thailand, and Vietnam have been lured to the O-Smach resort under the pretense of legitimate work.

Upon arrival, their passports are confiscated, and victims are forced to work up to 15-hour days perpetuating online scams.

"People who called for help reported being beaten, abused with electric shocks, made to pay a hefty ransom, or threatened with being sold to other online scam gangs," the report noted. "There have been two reports of victims jumping to their death from buildings within O‑Smach Resort." 

As a result of the sanctions, which designate the L.Y.P. Group conglomerate, O-Smach, and three other hotels as being "directly or indirectly engaged in, serious human rights abuse," Ly's properties and interests are blocked and any transactions must be reported to OFAC.

US citizens, financial institutions, and businesses that deal with L.Y.P. could themselves face sanctions.

**Cyber Scam Forced-Labor Rings Difficult to Root Out**

Stephen Kowski, field chief technology officer at SlashNext Email Security+, says sanctions send a "strong message" that the international community is acting against human trafficking and forced labor in cybersecurity scams.

"However, their effectiveness will ultimately depend on rigorous enforcement and cooperation from other countries and financial institutions, particularly given the endemic corruption that has hindered previous investigations," he says.

He added that the phenomenon is challenging to combat due to its transnational nature, the use of sophisticated technology, and the involvement of corrupt officials.

"Cyber-scam operations often exploit jurisdictional gaps and rapidly evolve their tactics to evade detection, while victims are isolated and coerced, making it difficult for authorities to identify and rescue them," Kowski explains.

Robert Duncan, security strategist at Netcraft, says that while the US sanctions will affect Ly's business dealings in the US, it is unlikely to turn the tide by itself on the problem of scams emanating from that corner of the world.

From his perspective, cross-border cooperation is truly essential — the victim is often in the developed world, and the scammer is not.

"However, others throughout the world are often involved in these scams, including those enabling money laundering through cryptocurrencies or mule bank accounts in the same jurisdiction as the victim — not just in Southeast Asia," Duncan adds.

**Southeast Asia Teeming With Cyber Trafficking**

Southeast Asia is a global hotspot for forced-labor camps running cyber scams akin to the ones run by L.Y.P.

It's an issue that has also caught the attention of the United Nations, which estimates that 100,000 people in Cambodia alone are being forced to work for cybercrime syndicates.

International law enforcement agencies including Interpol have been working on multiple cases involving human trafficking run by cyber-fraud operators, with a recent five-month investigation leading to the arrest of 281 perpetrators.

The scale of the problem prompted the FBI to issue a warning in May 2023 to US citizens traveling or living in Southeast Asia to be aware of scam advertisements posing as legitimate work offers.

In February, Myanmar authorities handed over 10 suspects to China who were accused of running cyber-fraud and money-laundering operations in Myanmar.

John Bambenek, president at Bambenek Consulting, notes that while sanctions might seem toothless overall, for someone with the level of assets that Ly has, they can be very problematic.

"There are only a few places that handle that kind of wealth, and if any mistakes are made, the assets can be frozen or seized by regulators," he explains. "That said, it's a consolation prize from the sanction that really needs to be levied — a jail cell."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Cambodian Tycoon Sanctioned for Forced Cyber Labor, Trafficking

Three days after Ivanti published an advisory about the high-severity vulnerability CVE-2024-8190, threat actors began to abuse the flaw.

Source: NicoElNino via Alamy Stock Photo

Just days after Ivanti released an advisory regarding a high-severity vulnerability in its Cloud Service Appliance (CSA), the company is alerting customers that the flaw is now being exploited in the wild. 

Ivanti initially disclosed the vulnerability, tracked as CVE-2024-8190, on Sept. 10, warning customers that it could allow unauthorized access to their devices. With a CVSS score of 7.2 out of 10, the attacker must have administrator-level privileges in order to exploit the vulnerability.

To remediate the bug, Ivanti recommended that users upgrade from Ivanti CSA 4.6 to CSA 5.0. In addition, CSA 4.6 Patch 518 customers can update to Patch 519, however, upgrading to CSA 5.0 remains the best option, the company noted.

On Sept. 13, Ivanti updated its advisory, making its customers aware that it knew of the active exploitation of the vulnerability.

"At the time of the September 13 update, exploitation of a limited number of customers has been confirmed following public disclosure," said the advisory.

Users should update to the latest version of the appliance as soon as possible.

If users find that they have been compromised before they can apply the recommended patch, according to the company, they can log a case or request a call through the Ivanti Success Portal.

**About the Author**

Ivanti Cloud Bug Goes Under Exploit After Alarms Are Raised

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Are the robots really taking over? Come up with a clever cybersecurity-related caption for the cartoon above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Oct. 16, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

A round of congratulations goes to Vanilla Cyber's Renen Wasserman, whose caption for August's "Security Games" contest nailed first place:

Thanks to all who participated. Some noteworthy contenders included "This new threat detection method is 10% better than our old one," "Blindfolded and Breached: The Modern Cybersecurity Nightmare," and "This 5th level of multi-authentication may be taking things too far."

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Tug of War

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact.

Mike Kosak, Senior Principal Intelligence Analyst, LastPass

September 16, 2024

4 Min Read

Source: Saphiens via Alamy Stock Photo

COMMENTARY

As the 2024 US presidential election approaches, cybersecurity is a frequent topic of conversation. From my time in the intelligence community supporting the Department of Defense, I'm familiar with government planning around elections. While the most discussed threats for 2024 are nation-state misinformation and disinformation, this election season, I'm also following cybersecurity threats to municipal election systems. 

The good news is the threat of an actual impactful disruption is low. As the US has funneled significant resources into securing elections over the past decade, US Cybersecurity and Infrastructure Security Agency (CISA) lead Jen Easterly said election infrastructure "has never been more secure." However, that doesn't mean threat actors aren't likely to attempt some sort of attacks, such as website defacements or distributed denial of service (DDoS) attacks against municipal election websites.

Here are the four threats against local election systems we will most likely hear about in 2024:

**Voting Machine Hacking**

The most high-profile threat to US elections is voting machine hacking. However, voting machines are rarely connected directly to the Internet, which aligns with current cybersecurity guidelines. This means the most realistic threat vector would require physical access to the machines, according to F5 Labs, a concern addressed through anti-tampering and physical security guidelines around the country. While cyber vulnerabilities within voting machines exist — as demonstrated annually at the DEFCON Voting Village hacking event — to date, there have been no reports of cyberattacks taking voting machines offline or changing votes, despite the clear value of such a capability to US adversaries.

**DDoS Attacks**

DDoS attacks are a less disruptive but more frequent threat to US elections. Election monitoring and information websites leveraging Google's Project Shield DDoS protection services experienced a 400% increase in weekly attacks during the 2022 midterms. While several companies like Cloudflare offer free DDoS protection services to election-related websites, some sites are still going down. Mississippi's election websites were briefly taken offline in 2022 by a DDoS attack claimed by a pro-Russia hacking group. However, the attack did not impact voting results or availability.

Given the increased profile of the presidential election, we can expect to see DDoS on a larger scale in 2024. However, as CISA and the FBI stated in a July 31 alert, these attacks would not prevent voters from casting their ballots.

**Ransomware**

The FBI and CISA released a similar alert on Aug. 15 related to ransomware disruptions, reassuring the public that any attack along these lines would not compromise the security or accuracy of voting. Ransomware groups will likely target municipalities — already a common target — in the run-up to the elections. 

For instance, a ransomware attack in April forced a Georgia county to temporarily disconnect from the state's voter registration system as a precautionary measure — highlighting disruptions that could occur around access to voter data or other election information. However, the FBI and CISA noted, "Any successful ransomware attack on election infrastructure tracked by FBI and CISA has remained localized and successfully managed with minimal disruption to election operations and no impact on the security and accuracy of ballot casting or tabulation processes or systems." Similar to DDoS attacks, no reporting suggests ransomware attacks have ever prevented a vote from being cast.

**Website Defacement and Email Access**

Website defacements are another common threat, where attackers take over election-related sites to alter data or images. These attacks can either aim to embarrass the site owner or subtly manipulate information, such as polling results or polling station hours.

In 2020, a threat actor briefly took over the campaign website for then President Trump, posting a derogatory message and seeking payment in return for not releasing data they claimed to have stolen. While these attacks may occur and could cause local disruptions, they would not impact the ability to vote or tally votes.

Hybrid cyber-physical threats, such as the increasing use of emails or spoofed phone numbers to deliver fake bomb threats or conduct swatting attacks, also present a concern, where false scenarios are reported to provoke a large police response. In 2018, a months-long campaign targeting US schools and businesses caused evacuations, police responses, and major disruptions. Similar attacks on election day could target polling stations, election offices, or ballot-counting sites.

Finally, threat actors (particularly nation-states) will continue to target email accounts of political operatives and organizations. The US intelligence community has already attributed social engineering attacks targeting both major US political parties to Iran. These attacks aimed to access sensitive or embarrassing information to influence the US election, highlighting the frequency of politically motivated social engineering attacks and the importance of secure, unique passwords and multifactor authentication. 

**Safeguarding the Vote**

While cyberattacks will undoubtedly target US election infrastructure over the next few months, it's important to place these events in the context of the protections put in place. Federal, state, local, and tribal governments, as well as international allies, have all been tracking these threats and implementing mitigations and contingencies to help ensure a secure and smooth election. 

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact. Voters should stay informed and rely on official sources to ensure their participation is not disrupted.

**About the Author**

Senior Principal Intelligence Analyst, LastPass

Mike Kosak is a former US Department of Defense (DoD) counterterrorism intelligence officer with more than 20 years of experience as a threat intelligence analyst. While with the DoD, he served in several senior intelligence officer roles, including leading the Pentagon office responsible for providing intelligence updates to the chairman of the Joint Chiefs of Staff, and was deployed to Iraq three times in support of Operation Iraqi Freedom. He also served as the acting senior command representative to the Joint Special Operations Command for the Defense Intelligence Agency. During his deployments, he led intelligence teams in support of both conventional and special forces. Following his government service, Kosak held private sector cyber intelligence positions at Bank of America, where he led the Strategic Cyber Intelligence and Threat Evaluation teams, and TIAA, where he led the Cyber Threat Intelligence team. He currently serves as the senior principal intelligence analyst at LastPass.

Cybersecurity &amp; the 2024 US Elections

PRESS RELEASE

Burlingame, Sept. 13, 2024 (GLOBE NEWSWIRE) -- CoherentMI published a report, titled, South Korea Digital Forensics Market is estimated to value at US$ 1.64 Billion in the year 2024 and is anticipated to reach US$ 3.52 Billion by 2031, at a CAGR of 11.5% during forecast period 2024-2031. With rising digitalization across various industry verticals in South Korea, incidents of cybercrimes have also increased exponentially over the years. Organizations across banking, finance, healthcare and other sectors are increasingly focusing on protecting sensitive data and investigating cyber threats. This has propelled the demand for professional digital forensics services that can retrieve hidden electronic data from computers, mobiles and other devices to solve cybercrime cases.

Market Dynamics: 

The South Korea digital forensics market is expected to witness significant growth, owing to increasing number of cybercrimes in the country. According to statistics, the number of cybercrimes reported in South Korea increased from 78,385 cases in 2018 to 95,172 cases in 2019. With rapid digitalization and increasing internet penetration, the cases of cyberbullying, hacking, data theft, and financial fraud have increased sharply. As a result, the demand for digital forensics solutions to collect, examine, and analyze digital evidence from computing devices such as smartphones, laptops, and servers is growing significantly. Moreover, increasing investments by law enforcement agencies to strengthen their digital investigation capabilities is also fueling the market growth.

Key Market Takeaways:

*   On the basis of forensic type, the computer forensics segment is expected to hold a dominant position, owing to a large volume of electronic evidence involving computers in cybercrime investigations.
    
*   On the basis of component, the services segment is expected to hold the largest share due to increasing demand for forensic consulting, investigation, training and education from law enforcement agencies and enterprises. 
    
*   On the basis of verticals, the government and defense segment is expected to hold the major market share due to initiatives towards strengthening cybersecurity and increasing reliance on digital forensics solutions.
    
*   Regionally, South Korea is expected to hold a dominant position over the forecast period due to stringent cyber regulations, robust law enforcement agencies and digital infrastructure in the country.
    
*   Key players operating in the South Korea digital forensics market include AhnLab, FireEye, IBM Corporation., Guidance Software, Inc., OpenTextCorp. These players are focusing on developing innovative forensic solutions and adopting organic and inorganic growth strategies to strengthen their market presence.
    

Market Trends:

Mobile device forensics and cloud forensics are the major trends witnessed in the South Korea digital forensics market. With increasing usage of smartphones and tablets, mobile device forensics solutions that can extract, recover, analyze and preserve deleted data from mobile devices are gaining more importance. Additionally, as more data is being stored on cloud systems, cloud forensics solutions are being increasingly used to investigate data breach incidents involving cloud applications and services. Major players in the market are focusing on developing advanced mobile and cloud forensics solutions to leverage lucrative business opportunities.

Recent Developments:

*   On April 22 2021, Plainbit Co., Ltd., has signed a memorandum of understanding with FRONTEO Inc. FRONTEO Inc. is an overseas subsidiary of FRONTEO Korea, Inc., based in Minato-ku, Tokyo. The partnership aims to strengthen digital forensic services through collaborative business initiatives, facilitating mutual exchange and cooperation between the two companies. FRONTEO specializes in digital forensic services, while Plainbit focuses on enhancing digital forensic capabilities through collaborative business initiatives.
    

Get a detailed analysis on regions, market segments, and companies: https://www.coherentmi.com/industry-reports/south-korea-digital-forensics-market

South Korea Digital Forensics Market Opportunities:

Computer Forensics: The computer forensics segment held the largest market share in 2024 owing to increasing cases of cybercrimes involving computers. Computer forensics aids in investigating computer related crimes by analyzing data stored on computers and recovering digital evidence. It allows examination of digital media in a forensically sound manner and law enforcement agencies heavily rely on computer forensics for examining digital devices seized from crime scenes.

Network Forensics: Network forensics is anticipated to witness substantial growth during the forecast period due to rising network intrusions and data breaches. It involves monitoring and analyzing network traffic for potential security issues and policy violations. Network forensics provides insights into network security incidents, data leakage and helps identify compromised accounts. The technology assists in conducting post-intrusion analysis and network traffic reconstruction to gather digital evidence from network infrastructure.

South Korea Digital Forensics Market Segmentation:

*   By Verticals:
    
    *   Banking, Financial Services, and Insurance (BFSI)
        
    

The research provides answers to the following key questions:

1.  What is the estimated growth rate of the market for the forecast period 2024-2031?
    
2.  What will be the market size during the estimated period?
    
3.  What are the key driving forces responsible for shaping the fate of the South Korea Digital Forensics market during the forecast period?
    
4.  Who are the major market vendors and what are the winning strategies that have helped them occupy a strong foothold in the South Korea Digital Forensics market?
    
5.  What are the prominent market trends influencing the development of the South Korea Digital Forensics market across different regions?
    
6.  What are the major threats and challenges likely to act as a barrier in the growth of the South Korea Digital Forensics market?
    
7.  What are the major opportunities the market leaders can rely on to gain success and profitability?
    

Purchase Latest Edition of this Research Report @ https://www.coherentmi.com/industry-reports/south-korea-digital-forensics-market/buynow

Key insights provided by the report that could help you take critical strategic decisions?

*   Regional report analysis highlighting the consumption of products/services in a region also shows the factors that influence the market in each region.
    
*   Reports provide opportunities and threats faced by suppliers in the South Korea Digital Forensics industry around the world.
    
*   The report shows regions and sectors with the fastest growth potential.
    
*   A competitive environment that includes market rankings of major companies, along with new product launches, partnerships, business expansions, and acquisitions.
    
*   The report provides an extensive corporate profile consisting of company overviews, company insights, product benchmarks, and SWOT analysis for key market participants.
    
*   This report provides the industry's current and future market outlook on the recent development, growth opportunities, drivers, challenges, and two regional constraints emerging in advanced regions.
    

Browse Related Reports:

United States Racing Drones Market: The United States Racing Drones Market is estimated to be valued at USD 353.01 Mn in 2024 and is expected to reach USD 1,333.19 Mn by 2031, growing at a CAGR of 18.1% from 2024 to 2031.

New Zealand Power Tool Market: New Zealand Power Tool Market is estimated to be valued at US$ 167.2 million in 2024 and is expected to reach US$ 286.1 million by 2031, exhibiting a compound annual growth rate (CAGR) of 8% from 2024 to 2031.

Philippines Robot as a Service Market: Philippines robot as a service market is estimated to be valued at US$ 298.9 Million in 2024, and is expected to reach US$ 918.8 Million by 2031, growing at a compound annual growth rate (CAGR) of 17.4% from 2024 to 2031.

UAE Dark Kitchens/Ghost Kitchens/Cloud Kitchens Market: The UAE Dark Kitchens/Ghost Kitchens/Cloud Kitchens market size was valued at US$ 330.3 million in 2023 and is expected to reach US$ 821.5 million by 2030, grow at a compound annual growth rate (CAGR) of 13.9% from 2023 to 2030.

Author of this marketing PR:

Ravina Pandya, PR Writer, has a strong foothold in the market research industry. She specializes in writing well-researched articles from different industries, including food and beverages, information and technology, healthcare, chemical and materials, etc. With an MBA in E-commerce, she has an expertise in SEO-optimized content that resonates with industry professionals.

About Us:

At CoherentMI, we are a leading global market intelligence company dedicated to providing comprehensive insights, analysis, and strategic solutions to empower businesses and organizations worldwide. Moreover, CoherentMI is a subsidiary of Coherent Market Insights Pvt Ltd., which is a market intelligence and consulting organization that helps businesses in critical business decisions. With our cutting-edge technology and experienced team of industry experts, we deliver actionable intelligence that helps our clients make informed decisions and stay ahead in today's rapidly changing business landscape.

South Korea Digital Forensics Market to Hit US $3.52B by 2031

PRESS RELEASE

September 11, 2024—Tampa, Fla— Cyber Florida at USF, in partnership with Cisco and WiCyS (Women in Cybersecurity), proudly hosted the premiere of the Do We Belong Here? documentary last night at the historic Tampa Theatre. The cybersecurity community showed strong support, with more than 200 attendees, including Cyber Florida at USF partners and documentary participants who traveled from out of town, gathering in person to watch the production. The event culminated nearly 18 months of planning, interviews, and relationship-building.

The 90-minute documentary, inspired by the popular Do We Belong Here? podcast, highlights the experiences of women and other underrepresented groups in the cybersecurity industry. Attendees were moved by the inspirational stories of perseverance and success shared by leading female cybersecurity practitioners, executives, and CISOs from top companies and organizations who generously contributed to the project.

While women's participation in the cybersecurity industry is growing, women still only representation about 20-25% of the cybersecurity workforce, according to ISC2. 

“This film represents the heart of what we’re striving for in cybersecurity—diversity, inclusion, and the understanding that everyone belongs here,” said Sarina Gandy, co-producer of the documentary and a key voice in its creation.

Following the screening, a lively Q&A panel with the podcast team took place, featuring:

·    Pam Lindemoen, Chief Information Security Officer Advisor, Cisco

·    Tashya Denose, Reality Labs Security Program Manager, Meta

·    Sarina Gandy, Cyber Communications & Marketing Analyst and Do We Belong Here Podcast Producer, Cyber Florida at USF

·    Rex Wilson, Brand Manager, Cyber Florida at USF

The documentary is available to watch on the Cyber Florida at USF YouTube channel.

Interviews with documentary participants and the podcast team can be arranged with Cyber Outreach Manager Jennifer Kleman, APR, CPRC at \[email protected\].

ABOUT CYBER FLORIDA AT UF  
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate both current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Source

DARKReading