As attacks on satellites rise with nation-state conflicts, the South Asian nation joins other space-capable countries in doubling down on cybersecurity.

Source: NicoElNino via Shutterstock

A year ago, India landed a spacecraft — the Chandrayaan-3 — on the moon, becoming only the fourth nation to accomplish such a feat.

Yet, while the country continues to invest in its space capability and ground-based support infrastructure, a greater focus on cybersecurity is necessary to protect the software and hardware on which the systems rely, Dr. Sreedhara Panicker Somanath, chairman of the Indian Space Research Organization, said in a speech last week at the groundbreaking for a cybersecurity training center.

With nearly five dozen satellites in orbit, large nationwide networks for collaboration, and command-and-control networks that connect across the globe for 24-hour access to space-based assets, India needs to focus on cybersecurity for the entire system, he said.

"When the Chandrayaan-3 was landing, our data was coming from Australia and Spain and South Africa and many other places, and we have been coordinating to work with all of this during the landing process," he said. "You should all realize that such command and control of satellites from across the globe could be very, very vulnerable, and ... many of our satellites can become ... easily targets of such attacks."

India is one of perhaps a dozen nations with space ambitions. The competition between nations has bred threats to ground- and space-based infrastructure, and attacks on space systems have increased as nation-state conflicts have heated up. In 2022, Russian attacks on Ukraine's connection to the Viasat KA-SAT network caused communications outages as the Russian army invaded the country. Soon after, Russia cyber-operators attempted to hack and jam the Starlink network, SpaceX CEO Elon Musk stated at the time, while hackers claimed responsibility for delivering malware to a host of satellite terminals, taking communications offline in 2023.

The attacks demonstrated to the world that the cyberthreat to satellites is real, although attackers to date have mostly focused on disrupting communications. However, an emerging space effort, such as India's, could attract regional attackers, says Patrick Lin, director of the Ethics + Emerging Sciences Group at California Polytechnic State University in San Luis Obispo, which received a grant in 2022 from the National Science Foundation to study cybersecurity for space systems.

"India doesn't have as many adversaries as the United States does — its main competitor and sometimes adversary is China, but it also has tense relations with Pakistan," he says. "China has advanced cyber capabilities as well as a strong space program, and it doesn't like regional competition much, so it's not a stretch to think that China and others might target India's rise as a major space power."

**Space: The Next Frontier for Cyberattacks**

India's current effort aims to develop the cybersecurity tools and expertise to protect its space-focused systems and software, much of which are created in-house or by domestic firms. India already sees more than 3,300 attacks per week per organization, which is 81% higher than the global average of 1,830 attacks, according to data from Check Point Software.

Rapid digitization makes India a growing target, says Omer Dembinsky, data research group manager at Check Point Software.

"Indian organizations face double the global average of cyberattacks due to rapid digitalization, which has outpaced the implementation of robust cybersecurity measures, creating a large attack surface," he says. "A fast-growing Internet user base, underdeveloped cybersecurity infrastructure not able to keep up with the growing sophistication of cyberattacks, and lack of cybersecurity awareness within organizations also make them attractive targets."

The aerospace and defense sector is ranked as the fifth most-attacked industry, and India's space agency reportedly faces more than 100 attacks daily.

Other space-based nations are rapidly researching the potential of cyberattacks targeting space assets and how to defend against those attacks. The US National Institute of Standards and Technology (NIST) has teamed up with MITRE Corp. to create a version of its NIST Cybersecurity Framework for the space sector, while The Aerospace Corp. has created the Space Attack Research and Tactics Analysis, or SPARTA, matrix. The Aerospace Corp. also worked with the US military to create a satellite that can act as a testbed for real-world cyberattacks on space assets, called "Moonlighter."

**India Needs Cybersecurity Training**

Space is not the only industry that needs cybersecurity professionals, so government initiatives such as Atmanirbhar Bharat — or "Self-Reliant India" — hope to create more startups and a larger ecosystem of homegrown software. Indian organizations have more than 40,000 openings for skilled cybersecurity workers, according to tech staffing firm TeamLease. The country had only about 100,000 cybersecurity professionals in 2021, which tripled to 300,000 in two years.

The need for increased cybersecurity expertise is acute, says Check Point Software's Dembinsky. The country needs to support more training for cybersecurity professionals and emphasize a focus on cyber-awareness training programs.

"The demand for proficient cybersecurity professionals surpasses the qualified talent pool, creating a significant industry void," Dembinsky says. "Currently, a lot of focus on skilled cybersecurity professionals burnout is being reported on, due to the consistent nature of managing these evolving threats."

In addition, the focus on research and development in space technology means that most projects are novel and lack rigorous security testing. The reality of these obscure technologies is that they both benefit — and suffer — from their uniqueness, says CalPoly's Lin.

"Many space projects today are ... one-of-a-kind prototypes in this new era of experimentation with space technologies," he says. "This provides a 'security by novelty' layer of protection, but the flip side of that is, if your technology is under-studied by threat actors, that means you don't know where your system's vulnerabilities are, either."

The lesson for India should be that critical infrastructure — whether it supports scientific research, corporate intellectual property, or financial transactions — is not safe, says ISRO's Somanath.

"Nothing is safe in the world — I think anybody can hack or create havoc in our system," he said. "The data that we have collected, especially the design data, or the personal data or the scientific data that we are created over the years, could all be very vulnerable."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India Needs Better Cybersecurity for Space, Critical Infrastructure

The combination of immutability, indelibility, centralized governance, and user empowerment provides a comprehensive backup strategy, Google said.

Source: Aleksei Gorodenkov via Alamy Stock Photo

Google has announced three enhancements to its Google Cloud Backup and Disaster recovery service to enhance customers' ability to manage backups simply and securely, while boosting agility and reducing the workload on IT teams.

Backup and disaster recovery technologies are key components of ransomware defense. The first enhancement allows users to create backup vault storage systems that cannot be modified or accidentally deleted. Backup vault data is stored in Google-managed projects and "logically air-gapped" from Google Cloud projects, the company stated in a blog post. Compute Engine virtual machines (VMs), VMware Engine VMs, Oracle databases, and SQL Server databases are supported.

Backup vault storage isn’t visible to users inside the organization, preventing direct attacks, and Google manages access through its Google Cloud Backup and DR service application programming interfaces (APIs) and user interface (UI). Users can set vault backup rules on modification and deletion when creating vaults. The backups are fully self-contained, giving users the opportunity for recovery when a source resource is no longer available, helping teams keep production applications online.

Google is also making updates to its centralized backup management system. Its new fully managed service is an integrated, developer-centric, self-service model that allows app developers to back up their VMs while the teams managing storage and backup systems retain governance and oversight. Monitoring and reporting capabilities include scheduled backup jobs and restore jobs, customizable reporting, and alerts and notifications. 

The system, integrated with Google Cloud Identity and Access Management (IAM), lets developers create backups during the creation of Compute Engine VMs so that users have correct data protection policies deployed from the outset of project creation. 

Both products are currently available in preview, Google said. The backup vault feature will be generally available in the coming months. During preview, users will be able to access these features through the UI and Google Cloud CLI to protect Compute Engine VMs. Once it is generally available, users will have access to APIs and Terraform.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Updates Cloud Backup, Disaster Recovery Service

Wiz Code identifies and flags cloud risks in code to help improve collaboration between security and development teams.

Source: peachshutterstock via Shutterstock

Cloud security provider Wiz has announced Wiz Code, its new cloud application security product to help security and development teams identify and fix cloud risks directly in code before they become critical issues. Wiz Code helps improve collaboration between security and development teams, the company said.

Wiz Code integrates with developer environments and traces cloud issues back to their source in code, the company said. This way, it can identify issues in code and continuous integration and continuous delivery/continuous deployment (CI/CD) pipelines. It aligns security issues with the developer who introduced the issue, giving companies insight into their security posture and helping eliminate potential threats faster.

In addition, Wiz Code provides developers with fix suggestions in the tools they're using and gives real-time security feedback. 

Wiz Code joins a fairly crowded marketplace of plug-ins and other tools that provide security information directly in developer environments. The idea is to provide security context and proposed fixes right where developers are working. Other tools put the information in pull requests and other parts of the development process.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Wiz Launches Wiz Code Application Security Tool

This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.

Source: CHIEW via Shutterstock

Attackers are already actively exploiting four of the 79 vulnerabilities for which Microsoft issued a patch this week as part of its monthly security update.

Two of the zero-day bugs give attackers a way to bypass critical security protections in Windows and therefore should be at the top of any organization's priority list for remediation.

One of the remaining zero-days is an elevation of privilege flaw that enables access to system-level privileges; the other is a bug that rolled back, or reintroduced, vulnerabilities in certain versions of Windows 10 for which Microsoft had previously issued patches.

In total, Microsoft's September update contained seven critical remote code execution (RCE) and elevation of privilege vulnerabilities. The company assessed 19 of the CVEs in its latest updates as vulnerabilities that attackers are more likely to exploit because they enable remote code execution, involve attacks that are low in complexity, require no user interaction, and exist in widely deployed products, as well as other factors.

**Security Bypass Zero-Days**

One of the security bypass vulnerabilities, tracked as CVE-2024-38226, affects Microsoft Publisher. It allows an attacker with authenticated access to a system to bypass Microsoft Office macros for blocking untrusted and malicious files. "An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," Microsoft said. The company gave the vulnerability a moderate CVSS severity score of 6.8 of 10, presumably because an attacker would need to convince a user to open a malicious file in order for any exploit to work.

The other security bypass zero-day bug in Microsoft's September update is CVE-2024-38217, in the Windows Mark of the Web (MoTW) feature that is designed to protect users against potentially harmful files and content downloaded from the Web. The vulnerability allows an attacker to sneak malicious files past MoTW defenses and cause what Microsoft described as "limited loss" of integrity and availability of application reputation checks and other security features. Microsoft assigned CVE-2024-38217 a severity rating of 5 because to exploit it an attacker would need to convince potential victims to visit an attacker-controlled site and then download a malicious file from there.

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement. "In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226," he said.

**RCE and Privilege Escalation Zero-Days**

The two other bugs in Microsoft's latest update that attackers are already actively exploiting are CVE-2024-38014 and CVE-2024-43491. CVE-2024-38014 is an elevation of privilege vulnerability in Windows Installer that attackers can use to gain system-level privileges. As with the other zero-days, Microsoft's advisory offered no details on the exploit activity targeting the bug or when it might have started. Despite the ongoing attacks targeting CVE-2024-38014, Microsoft assessed the flaw as only moderately severe (7.8 on 10 on the CVSS scale) because an attacker would already need to have compromised an affected system to exploit the vulnerability.

CVE-2024-43491, meanwhile, is a high-severity (CVSS score 8.5) RCE in Microsoft Windows Update. The vulnerability rolls back fixes that Microsoft issued in March for certain versions of Windows 10. According to Microsoft, the vulnerability gives attackers a way to exploit vulnerabilities that Microsoft previously mitigated in Windows 10, version 1507, between March and August. "Customers need to install both the servicing stack update (KB5043936) AND security update (KB5043083), released on September 10, 2024, to be fully protected from the vulnerabilities that this CVE rolled back," Microsoft said.

Kev Breen, senior director of threat research at Immersive Lab, advocated that administrators pay close attention to Microsoft's Official Notes for CVE-2024-43491. "There are a lot of caveats to this one," Breen said in emailed comments. "The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state," since March.

This is the second month in a row where Microsoft has given administrators multiple zero-days to contend with. In August, the company disclosed six of them — equal to the total for the entire year up to that point.

**Other High-Priority Bugs**

Other bugs of note in the latest update according to security researchers include CVE-2024-43461, a Windows spoofing vulnerability; CVE-2024-38018, a Microsoft SharePoint Server RCE; and CVE-2024-38241 and CVE-2024-38242, two elevation-of-privilege vulnerabilities in Kernel Streaming Service Driver.

CVE-2024-43461 affects all supported versions of Microsoft Windows. It is similar to CVE-2024-38112, a zero-day bug that Microsoft patched in July after at least two threat groups had been exploiting it for 18 months. Attackers could leverage the exploits for CVE-2024-38112 in attacks against the new CVE-2024-43416, according to Saeed Abbasi, manager of vulnerability research at Qualys. "There exists a high likelihood of exploitation, as this vulnerability enables attackers to spoof legitimate web content, leading to unauthorized actions such as phishing and data theft," Abbasi said in emailed comments.

Organizations need to prioritize patching the Microsoft SharePoint Server RCE vulnerability (CVE-2024-38018) because no mitigations or workarounds are available for it, said Tom Bowyer, director IT security of Automox, in emailed comments. "The potential impact of this CVE is significant, especially given the business-critical nature SharePoint servers play in organizations that utilize them," and the ease of exploitation.

Ben McCarthy, lead cybersecurity engineer at Immersive Labs, identified the Kernel Streaming Service Driver flaws (CVE-2024-38241 and CE-2024-38242) as important to address because they are present at the kernel level and give attackers a way to bypass security controls, escalate privileges, execute arbitrary code, and take over the whole system.

So far this year, Microsoft has disclosed a total of 745 vulnerabilities across its products, according to numbers maintained by Automox. Microsoft has identified just 33 of them as critical.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Discloses 4 Zero-Days in September Update

In this case study, a 180-year-old life and pension insurer brought its security infrastructure into the modern age.

Source: M-Production via Alamy Stock Photo

LV=, the leading pension, savings, insurance, and retirement company in the UK, has a long and storied history. Over the years, the 180-year-old company has expanded its portfolio to provide every type of insurance, investment, pension, and retirement offering imaginable. It has continued to push the boundaries of what's possible, investing in new technology.

By 2021, much of the new infrastructure and other digital modernization was complete. At the same time, company leaders suspected that its approach to security wasn't as effective as it could be. To find out, the company hired one of the Big 4 accounting firms to assess the situation by comparing it to the NIST cybersecurity framework.

What came back was sobering.

"It became apparent how low the maturity was," says Dan Baylis, the chief information security and data officer LV= hired to fix the situation. "That's when they realized that they needed to invest and address the sins of the past."

**Assessing the Existing Security Stack**

As soon as Baylis was hired, he assessed the entire security stack, along with processes and procedures.

He found plenty of issues. Most importantly, the infrastructure lacked modern security controls. For example, the system still had signature-based antivirus controls, and the email gateway wasn't aware of modern threats.

Baylis also determined that there was no way to measure the effectiveness of security controls. In addition, each individual security control, such as anti-malware, wasn't fully connected to the entire infrastructure. Instead, it could monitor only what it was directly connected to. And because there was no central view, the security team could only be reactive to things like vulnerability disclosures.

The relatively rudimentary security infrastructure also prevented company executives from making data-driven security decisions.

"Being data-driven takes the emotion out of things. For example, if we're telling someone that they don't have the right patching levels or are missing security controls in a certain area, the data should back it up," Baylis says.

Baylis also believed that LV= needed the protection of continuous security validation but that it couldn't get there with its legacy security controls.

"Continuous security validation would enable us to have the evidence to underpin the investments and improvements we needed," he says. "So I could explain, 'This is how attacks happen, and this is how resilient we are to them.' So instead of asking them to trust me, I could show them."

**Overhauling the Security Infrastructure**

With his assessment complete, Baylis started rebuilding the company's security infrastructure from the ground up.

The first order of business was implementing a breach attack and detection system (BAS) to help monitor for security blind spots and provide continuous security testing.

More organizations than ever are using security tools that provide attack path management and security control validation like BAS, pen testing as a service (PTaaS), and continuous automated red teaming (CART). In a recent survey (subscription required), Omdia found that 71% of 400 security decision-makers consider these tools important or extremely important.

BAS is a methodology for determining how well security tools are working so they can be optimized, explains Andrew Braunberg, principal analyst at Omdia. BAS tools do this by simulating attacks, often using established threat models such as the MITRE ATT&CK framework. BAS tools can also typically perform automated simulations, threat model mapping, and continuous testing.

Baylis started by implementing Cymulate's BAS solution. The most important features to him were the ability to test emergent threats, continuous security validation, and a consolidated view of the company's security posture.

"I wanted a tool that could not only help me demonstrate our risk exposure but tell the story of how resilient we are to cyber threats," he explains.

Using the tool, Baylis says he has been able to show decision-makers active attacks and demonstrate the company's new resiliency to them, along with the health of endpoint controls and gateways.

Next up was choosing a tool for continuous control monitoring. Baylis chose Axonius, which monitors data from different sources — like Active Directory, anti-malware controls, and patching — and provides a holistic view. With that information, the team was able to build dashboards that show the company's security-control coverage gaps.

Baylis also chose SecurityScorecard, a tool that calculates the health and effectiveness of an organization's cybersecurity infrastructure. This addition enabled the organization to benchmark its security posture against its peers.

This led to another watershed moment, when LV= received a "C" on its security rating from SecurityScorecard. As a result, the team made hundreds of changes related to issues like expired certificates and weak ciphers. The company now has an "A" rating.

Rounding out the new security infrastructure were next-generation anti-malware controls, a new email gateway, a new Web gateway, and a password manager.

**Supporting the Human Side of Security**

Now that LV='s security tooling has been modernized, Baylis is turning his attention to the human risk side of the security equation. He implemented a dedicated phishing test and training for employees. He's also thinking about hardening the company's email infrastructure.

"While we will have a continued focus on cyber resilience, we also want to encourage good security awareness," he said. "Both are critical for effective security."

**About the Author**

Contributing Writer, Dark Reading

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

How a Centuries-Old Company Reached Security Maturity

Besides operational issues connected to a talent shortage, the cost of running security platforms — and their training costs — also keeps CISOs up at night.

Source: Eddie Gerald via Alamy Stock Photo

While SecOps leaders face a variety of challenges in their roles, the two biggest standouts are the difficulty navigating the skills gap in the cyber field and the challenge of operating and investigating commonly used tools.

Researchers at Command Zero have released a report on challenges that chief information security officers (CISOs) and other leaders face, with data collected through hundreds of detailed interviews with cybersecurity professionals from 15 industries. The researchers argue that over the past 40 years, certain innovations have been markers for waves of "digital innovation," such as the creation of the Internet, cellphones, and cloud computing. Now, the latest wave of innovation comes in the form of artificial intelligence (AI). In all of these arenas, the advantages they provide come with deep security challenges.

**Where's the Talent When You Need It?**

The primary and seemingly obvious challenge is the skills shortage in cybersecurity, for all disciplines, but especially in the area of cyber investigations, according to the report.

This is likely because the average cyber investigator must meet extensive requirements to be qualified for such a position. According to the researchers, these kinds of analysts need to be "subject matter experts" when it comes to analysis and have administrator-level knowledge of data sources.

Given the ongoing shortage of cyber professionals who meet that high bar of qualifications and knowledge, existing teams are stretched thin, some working the equivalent of two jobs to keep up with the latest threats. While this may keep a business afloat, it can also lead to burnout, oversights and, ultimately, a decrease in overall effectiveness of mitigating potential threats.

In addition, part of building such a substantial wealth of knowledge to be this kind of analyst is working in an environment that stresses and fosters the importance of continuous learning. However, "this is challenging when teams are constantly in fire-fighting mode" according to the researchers.

Because of this shortage, 88% of individuals interviewed expressed concerns regarding operational issues because of the lack of staffing while threats continue to grow. Not only this, but 74% of respondents said that they felt their team lacked sufficient public cloud skills to perform "high-quality investigations."

Command Zero recommends companies prioritize and resolve these issues by investing in analysts as well as improving job satisfaction to reduce turnover and improve talent retention.

**No Absolutes Within SecOps Tools**

Three tools are amongst the most widely used SecOps tools by SOC and IR teams in the industry: endpoint and other detection and response (EDR/XDR); security information and event management (SIEM); and security orchestration, automation, and response (SOAR). All three pose their own challenges for cyber professionals.

EDR/XDR, according to the researchers, is the most heavily relied upon investigation tool, but, it has its limits when it comes to correlating network and cloud telemetry. It's also expensive — it can be costly to use EDR/XDR "at scale in cloud environments," meaning that when it is used, it's not to its full potential leading to gaps in visibility.

Some 59% of respondents pointed to the staffing costs that come with using SIEM for investigations. Three-quarters report that they have a "lack of resources and skills required for integrating data sources into SIEM and SOAR," with some of them employing the services of a third party to keep the systems operational.

There's likely a correlation between the two, as deploying, customizing, and maintaining a SIEM requires highly specialized skills; training for these skills is costly, making them expensive to grow and cultivate, even moreso to staff when they're seemingly so high in demand.

Unfortunately, none of these three tools wallow for 100% coverage of all IT systems. The researchers recommend that companies invest in conceptual and technology-based training for security operations and identify the gaps in security they might have.

**Staffing Shortage vs. Job Openings: Which Is It?**

The cyber industry has been complaining for years of a staffing shortage, encouraging individuals to apply to jobs in an industry that claims it has much to offer. But is anyone actually hiring? Apparently so, but applicants have to be well qualified.

"Most cyber roles require cross-disciplinary experience and capabilities in IT," the researchers of the report tell Dark Reading, noting that hiring is difficult. "Unlike a system administrator role, which requires specialization in only one kind of system, cyber roles require a fundamental understanding of networking, endpoint, applications, and systems. This makes these roles hard to fill."

There's also a high demand from many competitive companies for the same qualified individuals. This means that these individuals have a lot of options, creating heavy turnover in an endless vicious cycle.

Their recommendations for landing a role? Look for cyber internships and part-time jobs while in school, or aim for adjacent roles to help gain experience.

"Your path into cyber can be networking, systems engineering, or software development," the researchers say. "While this may sound counter-intuitive, a lot of security professionals started their careers as non-security professionals in IT. So, starting out as a network associate or systems engineer can give you some of the cross-disciplinary experience you need to break into cyber."

And the learning never stops. "Because of how quickly cyber evolves," they added, "you need to continue investing into professional growth throughout your career."

Cyber Staffing Shortages Remain CISOs' Biggest Challenge

A fresh wave of attacks on APAC government entities involves both self-propagating malware spreading via removable drives and a spear-phishing campaign.

Source: Chris Willson via Alamy Stock Photo

One of China's most prolific and well-known state-sponsored threat actors is back on the scene with new self-propagating malware that spreads through USB drives (along with other tools), to extend its cyber-espionage goals of system control and data exfiltration.

Mustang Panda also is using spear-phishing to spread multistage downloaders that deliver malware in its recent targeting of various government entities in the Asia-Pacific (APAC) region, Trend Micro researchers revealed in a blog post on Sept. 9.

Using malware-loaded USB drives is a strategy that experienced a revival during and in the wake of the COVID-19 pandemic, and Mustang Panda (aka Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and, for Trend Micro, Earth Preta) is known for using it as a primary infection vector. The advanced persistent threat (APT) is mainly in the business of cyber espionage and has been known to collaborate with other Chinese actors on coordinated attacks. In fact, Trend Micro has recently reported a spate of fresh activity from Chinese threat actors in general, which may or may not be related.

**Mustang Panda's Quick Attacks, Custom Malware**

This time around, Mustang Panda is using the vector to deliver malware called PUBLOAD via a self-propagating variant of the worm HIUPAN, as well as other tools such as FDMTP and PTSOCKET to control systems and exfiltrate data. A concurrent spear-phishing campaign by the threat actor also is targeting the same victim demographic, using malicious attachments to distribute backdoors and other malware.

Specific targets in the campaigns include people in various government organizations: military, police departments, foreign affairs and welfare agencies, executive branches, and public education. Victims are often hit by a fast-paced approach that infiltrates their system and steals data before they have a clue as to what's happening, according to Trend Micro.

"Earth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region," Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee wrote in the post.

**Evolution of Previous APT Tactics**

The new campaigns observed by Trend Micro have two distinct vectors for initial entry that show evolution in the group's typical tactics. The first is the deployment of the HIUPAN worm via USB drives to propagate PUBLOAD, which acts as a stager that can download the next-stage payload from a command-and-control (C2) server.

In previous campaigns, Mustang Panda used spear-phishing emails to deliver PUBLOAD, making the use of a self-propagating worm a novel tactic for the group. The ultimate goal of the USB campaign is to deliver end-stage malware to achieve control on a targeted environment for persistent data exfiltration.

"This HIUPAN variant has differences with the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain stays the same," the researchers noted in the post.

The version of PUBLOAD used in the new campaigns is similar to ones previously delivered through spear-phishing and documented by Trend Micro. In this case, Mustang Panda is using PUBLOAD to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, and PTSOCKET, a which is used as an alternative exfiltration option.

**Spear-Phishing Delivers Multistage Attack**

Separately, a "fast-paced" spear-phishing campaign that researchers observed in June is delivering a chain of malware that ultimately delivers a backdoor called CBROVER, which supports file download and remote shell execution, the researchers said.

Along the way, malicious .url attachments download and execute other malware, including DOWNBAIT, a first-stage downloader for downloading a decoy document and shellcode component, and PULLBAIT, straightforward shellcode that downloads and executes CBROVER. Trend Micro also has found evidence of Mustang Panda exploiting Microsoft's cloud services for data exfiltration.

The spear-phishing campaign uses decoy documents related to foreign affairs to lure victims into continuing the attack chain. Countries likely targeted in the attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, the researchers said.

"The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16\[.\]162\[.\]188\[.\]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within APAC region," they wrote.

The researchers included a list of indicators of compromise (IoCs) for the attacks in the post and advise "continuous vigilance" and "updated defensive measures" in the face of increasingly more sophisticated tactics by Mustang Panda and its cohorts. "Earth Preta has remained highly active in APAC," they wrote, "and will likely remain active in the foreseeable future."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mustang Panda Feeds Worm-Driven USB Attack Strategy

For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems.

Michelle Ensey, Senior Manager of Product Management, NGINX

September 10, 2024

4 Min Read

Source: Brian Jackson via Alamy Stock Photo

Platform engineering is the rising star of the operations firmament. But squint hard and you'll quickly see that the foundation of any serious platform engineering program is operational and application security. By designing a platform through a "security-first" lens, platform engineering leaders can set up their DevOps and AppDev teams for success and make them more efficient by minimizing the toil and cognitive load required to properly execute security policies and practices.

**Designing Platform Assets From "Least Privilege": A Lockdown Mindset**

Every component within your platform — be it a virtual machine, a container, or even a service account — should operate with the bare minimum number of permissions. This is native to security and secure by design, but it should also be a core part of platform design, too. This limits the blast radius if an attacker does compromise a part of your system. Platform engineering teams should design their tools and services for application developers and DevOps practitioners accordingly. Doing this well requires attention to detail and a deep understanding of developer workflows. It also means that platform designs should, if possible, accommodate just-in-time access that elevates permissions only when necessary and revokes them after the required action. Sounds hard, but everything is moving faster in application development, so permissioning systems should meet the challenge, too. This means keeping developers in their workflows and making sure they get what they need when they need it, while also maintaining proper security. 

**Secure Defaults in Configuration Management: No Room for Sloppiness**

When your infrastructure is defined as code (IaC), the default settings for critical components (load balancers, database access, API gateways) become the foundation of your security posture. Developers want to spend as little time as possible on configurations. Yet a shockingly high percentage of security incidents are attributed to misconfigurations of security controls or access policies. Configuration management isn't sexy, but platform engineering for security means putting real muscle-building default configs and scanning behind it to ensure those configs are enforced in testing and deployment. Closely related to security configuration management is hardening IaC templates (Terraform, CloudFormation, etc.). These templates define your infrastructure deployments. Attackers know this and are paying more and more attention to IaC as an avenue of attack. Regular security reviews and IaC scanning can help uncover potential weaknesses. For their part, developers just want to grab a template and run with it. Inline suggestions where developers deploy infrastructure are becoming essential. New AI systems are particularly helpful in analyzing configurations and suggesting changes to harden or improve them.

**Automated Security Testing in CI/CD Pipelines: Fail Fast, Fail Safe**

Platform engineering must integrate security checks directly into your continuous integration and continuous delivery (CI/CD) pipelines so they run automatically whenever developers test code (and often before it is pushed to the main branch). This spots vulnerabilities early in the development cycle. Running static application security testing (SAST) and software composition analysis (SCA) to detect code vulnerabilities and risky open source components is the bare minimum.

More comprehensive practices entail container image scanning for known vulnerabilities and IaC scanning for misconfigurations. Better yet, deploying runtime scanners can detect problems that might appear only when processes are running. Properly done, security automation increases policy enforcement and reduces human error. However, heavy-handed automation can become problematic. For example, enforcing broad, automated code scanning of an entire application before every commit may result in scanners calling out known but irrelevant issues and slowing down CI/CD pipelines for no good reason. Scanning should be integrated with the developer experience using in-line tooling and scanners that never move the dev out of their comfort zone. Scanning can also focus on code that changes to reduce alert fatigue.

**GitOps for Version and Control**

Adopting GitOps for managing infrastructure and container images can help platform engineering better manage fast-changing configurations and create more transparent and accountable infrastructure engineering. Version control, deployment of configurations as code, and the use of a central repository are simple paths to improving application and infrastructure security by removing human errors, streamlining workflows, and eliminating unfamiliar additional IT orchestration systems. SecOps teams can even share Git access to GitOps workflows so that during a security incident everyone is in the same repo and able to root-cause together. For developers and DevOps, GitOps feels more native than trying to learn new environments like Ansible or other IT deployment and configuration engines.

**Conclusion: Platform Security is Job No. 1**

These are just some of the ways smart platform engineering can actually boost security while still improving developer experience, code velocity, and DevOps performance. Any assumption that enhancing platform security will necessarily slow down and hinder application development is a false trade-off. In fact, the two can be highly complementary, and platform engineers are probably better suited to delivering security while improving developer experience than security engineers themselves. For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems, making it an integral part of security engineering.

**About the Author**

Senior Manager of Product Management, NGINX

Michelle Ensey is an accomplished product management professional with extensive experience across diverse industries. She currently serves at NGINX, where she plays a pivotal role in developing and delivering cutting-edge solutions to enhance application delivery and security. Known for her unwavering dedication to continuous learning and innovation, Michelle stays ahead of technological trends and is always enthusiastic about tackling new challenges and seizing opportunities to drive progress. Her commitment to excellence and her passion for technology make her a standout in her field.

Platform Engineering Is Security Engineering

Episode 3: On September 11, 2019, two cybersecurity professionals were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their jobs. Gary De Mercurio and Justin Wynn. Despite the criminal charges against them eventually being dropped, the saga that night five years ago continues to haunt De Mercurio and Wynn personally and professionally. In this episode, the pair and Coalfire's CEO Tom McAndrew share how the arrest and fallout has shaped their lives and careers as well as how it has transformed physical penetration tests for the cybersecurity industry as a whole.

Dark Reading Confidential: Pen Test Arrests, Five Years Later

Researchers flagged a pair of Gallup site XSS vulnerabilities.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

Editor's Note: Dark Reading has become aware that a portion of the original Checkmarx research on these vulnerabilities is in dispute, prompting us to retract sections of our reporting below.

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to misuse by malicious actors.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

The flaws do not impact any of Gallup’s internal data or polling.

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

A third update was made at 1:03PM ET on Sept. 12, 2024, to remove sections of the article that were based on now-disputed portions of the original Checkmarx blog.

Source

DARKReading