Researchers flagged a pair of Gallup polling site XSS vulnerabilities that could have allowed malicious actors to execute arbitrary code, access sensitive data, or take over a victim account.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to malicious actors.

Both flaws presented the opportunity for adversaries to perform actions on behalf of users.

These weaknesses are particularly concerning heading into a US election season that is already being widely targeted by misinformation. Just this week, for instance, the US Department of Justice accused Russia of a $10 million disinformation campaign that sought to barrage social media with enough bad information to sway the presidential election in November.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

Cross-scripting flaws allow an attacker to use the URL address bar to insert unauthorized script into a page. For this attack, a target would be sent a malicious URL that looks exactly like a Gallup.com page. Once the victim clicks on the link, they are taken to a page indiscernible from the real thing֫—except in this instance the attacker controls the content displayed.

While these flaws do not impact any of Gallup’s internal data or polling, the bugs could be used by bad actors to spoof convincing looking Gallup.com site pages with misleading information. At scale, a convincing Gallup-branded page could be used spread misinformation to millions of people at once. Of particular concern to the Checkmarx team is that with a trusted name like Gallup behind the bad information, the campaign could appear incredibly convincing—a particularly dangerous risk during election season.

"In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles," the Checkmarx team wrote. "Gallup, the leading survey company, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users."

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

Exploitation of the vulnerability could allow malicious actors to execute code in the targeted user's navigation session to perform various actions on their behalf, the researchers added.

"It's important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation," the Checkmarx team wrote. "This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page, giving a malicious actor another opportunity to perform tasks disguised as the target users and even take over the account altogether.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

"The prevalence of misinformation was identified as the top global risk in 2024 by the World Economic Forum’s 'Global Risks Report 2024,'" Checkmarx vice president of security research Erex Yalon says. "\[It's important to\] secure software that is prone to exploits of malicious actors, educate and close the knowledge gap, and hopefully safeguard the integrity of the election process."

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

Gallup.com Bugs Open Door to Election Misinformation

A PRC threat cluster known as "Crimson Palace" is demonstrating the benefits of having specialized units carry out distinct stages of a wider attack chain.

Source: Pictorial Press Ltd via Alamy Stock Photo

A trio of threat clusters working in service of the People's Republic of China (PRC) have compromised at least a dozen new targets, including one Southeast Asian government organization.

Operation Crimson Palace has been around since March 2023, but been particularly active in 2024, as the threat actors fight against cybersecurity analysts to stay alive. In fact, despite being outed and actively hunted, Crimson Palace's three arms have managed to continue breaching public and private organizations in Asia, and stealing potentially sensitive strategic data and materials from what Sophos described in a new report as "a prominent agency within the government of a Southeast Asian nation."

**The Ocean's 11 of the Cyber-Threat World**

Every heist movie has a team, where each team member has a unique specialty. You've got your getaway driver, your hacker or safecracker, the weapons expert, the muscle, the silver-tongued vixen.

Operation Crimson Palace uses this team-based approach for cyber heists. Instead of operating as a monolithic advanced persistent threat (APT), three independent teams — tracked by Sophos as Alpha, Bravo, and Charlie — each have a unique, though partly overlapping role in the wider attack chain. This setup allows each cluster to hyperfocus on specific tasks, and allows different clusters to work on different compromises simultaneously.

Cluster Alpha typically handles initial access: performing network reconnaissance and mapping, moving laterally and establishing persistence in a targeted system, deploying backdoors, interrupting security software, and so on.

Broadly speaking, Cluster Bravo is the infrastructure specialist. It further entrenches and spreads in target networks, prepares the field for malware deployment, and establishes command-and-control (C2) communications channels, often by using one Crimson Palace victim as a relay point through which to attack another. From January to June, Sophos identified a number of organizations — including one government agency — whose infrastructure Bravo borrowed for purposes of malware staging.

"It's obscuring the command-and-control in places where you might already be expecting to see traffic," explains Chester Wisniewski, global field chief technology officer (CTO) at Sophos. "If you see HTTPS traffic directly with one of your primary telecommunications providers — or perhaps with another government agency or business entity in the country that's commonly engaging with people in your environment — it's going to be a lot harder to determine if that's \[coming from a malicious\] C2, or if it's just normal business operations."

Though Bravo hasn't always featured heavily in Crimson Palace attacks, it has come to life in more recent cases. Sophos newly identified Bravo activity in at least 11 Asian organizations and agencies, including government contractors.

"It's very possible Cluster Alpha \[and Bravo\] doesn't even know what they're after, other than that this is the target environment that they must keep the door open to, to allow someone else in who's aware of what the goal is," Wisniewski notes.

That someone else is Cluster Charlie.

**Cluster Charlie: An Unstoppable Threat**

Cluster Charlie is the cleanup hitter, responsible for whatever is necessary to maintain system access and exfiltrate sensitive data. Befitting its role, it appears to be the most active and sophisticated of the three clusters.

Its story took shape following its first run-in with researchers in August 2023. After Sophos blocked its custom C2 tool, PocoProxy, the Charlie cluster went quiet for a few weeks. Then, beginning that September and continuing ever since, it has constantly bounced back with a new tactic, technique, or procedure (TTP) for every one its adversaries have blocked.

In response to having its custom malware blocked, Charlie turned to the open source community, making use of at least 11 tools for C2 (e.g. Cobalt Strike), shellcode loading (e.g. Donut), evasion of EDR software (e.g. RealBindingEDR), and more. "When they had custom C2 access to the environment and we successfully blocked it, they pivoted to some open source tools," Wisniewski recalls. "And then when that didn't work, they came back with new custom tooling."

Charlie's creativity came through the most in its means of malware delivery. In the period between last November and this past May, Charlie deployed C2 implants using no less than 28 unique combinations of sideloading chains, execution methods, and shellcode loaders. On multiple occasions during the month of February, the group even conducted a kind of A/B testing, deploying its malicious files using slightly varying means to test which method would work best.

As Wisniewski warns, "If you have something they want — even if you're successful in figuring out their current approach to how they're attacking the network — they're not going to stop. They will continue to innovate and iterate."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese Tag Team APTs Keep Stealing Asian Gov't Secrets

It takes more than technical knowledge to write about cybersecurity in a way people want to read. It takes creativity, discipline, and other key skills.

Source: Inga via Alamy Stock Photo

COMMENTARY

In a recent piece, I explained why I do all my own writing and steadfastly refuse to use AI or ghostwriters. I thought it would make sense to follow up that piece by discussing my writing process.

There are so many quality cybersecurity experts in this field, but aspiring writers among them might not be getting published as often as they'd like. To help security professionals expand their impact, I'd like to offer 10 tips on how to write pieces that will get published on a regular basis.

**1\. Put in the Effort**

Simply put, writing takes work, and writing well takes a lot of work. Writing well on a regular basis takes even more work. There is no shortcut. Someone who wants to publish regularly needs to set aside time to put in the effort required to do so.

**2\. Write Regularly**

Security professionals aren't interested in seeing the same stale content linger for weeks and weeks. Publishing regularly requires coming up with fresh, new material on a regular basis. This is easier said than done, of course. So how can an aspiring writer write quality pieces on a regular basis? See the next few points for ideas.

**3\. Exercise Your Creativity**

Creativity is a gift everyone gets at various levels, but we often don't adequately leverage the creativity that we do have. Digging down deep to find creative angles to approach and discuss security topics is sorely needed. Readers are eager for this type of material, and the writer who brings creative perspectives will not disappoint their audience.

**4\. Find Inspiration Around You**

Don't be afraid to take inspiration from a variety of things. When we open our eyes to the whole of the world around us, we can find inspiration in many places.

**5\. Stock a Warehouse of Stories**

Readers enjoy stories from the trenches. This is likely because there is really no substitute for insight gained through real-world experience. In my opinion, it is helpful to have material you can draw on, like a warehouse. Of course, this material needs to change and evolve over time to suit what audiences are interested in hearing or reading. Perhaps it is helpful to think of it like a comedian having their "tight 10" — a ready and relevant 10 minutes of material that they can go to at a moment's notice.

**6\. Know Your Audience**

I can't stress enough the importance of knowing your audience. When writing for a security audience, the entire nature and demeanor of your piece will be vastly different than if you were writing for the general public, a business audience, an IT audience, or whoever. Tailoring and targeting what you write to the audience that will receive it is an ever-evolving art. It is a skill that serves a writer well, though, and it is well worth the investment in time and energy for you to work on your audience understanding.

**7\. Speak the Language of Your Readers**

A big part of knowing your audience is understanding what issues are relevant to them and how they best understand and internalize discussions around those issues. This requires understanding and speaking the language of the reader. This is an extremely important skill for a writer, and one that takes conscious effort to hone and develop.

**8\. Be Practical**

Too often, I see people writing about, suggesting, discussing, and/or presenting topics that are not particularly practical. There are a lot of interesting ideas out there, but you need to understand what is practical and actionable for the audience. When writing, it is important to ask ourselves the question, "What actionable items will the audience take away from this?"

**9\. Stay Focused**

Not surprisingly, writing takes a tremendous amount of discipline. As I write this piece, I am having to block out several distractions around me. This is a constant theme — life and work are full of distractions. I cannot stress enough the importance of staying focused when working on a piece.

**10\. Follow Through**

Lots of people come up with all kinds of ideas but follow through on few or none of them. While writing takes a number of skills, including focus and discipline, following through is no less important. Starting 10 articles and finishing none of them benefits no one. Suggesting 10 project ideas and seeing none of them through is a fool's errand. Throwing out 10 presentation topics but creating the content for none of them produces no value. It's better to pick your battles carefully, methodically, and strategically. That gives a writer the best chance of producing a finished product that people will want to read.

**And Finally...**

When it comes to writing, there is no secret recipe. Like many things in both our personal and professional lives, it takes creativity, hard work, focus, discipline, and follow-through, among other things. If writing to be published is something you would like to do, go for it. But be strategic and deliberate about it for the best chance at positive results. Happy writing!

**About the Author**

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

10 Writing Tips for Cybersecurity Professionals

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

Source: Michael Vi via Shutterstock

Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.

The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, identified as CVE-2024-40766, to its Known Exploited Vulnerabilities (KEV) database. The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.

**Improper Access Control Bug**

CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.

SonicWall first disclosed the bug on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the company's recommended mitigations for it.

Artic Wolf on Friday said it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. "In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Arctic Wolf said.  "Additionally, MFA was disabled for all compromised accounts."

SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. "Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet," SonicWall advised.

The company is also "strongly" advocating that administrators of the company's Gen 5 and Gen6 firewalls ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. Additionally, SonicWall has recommended that organizations enable multifactor authentication (MFA) for all SSLVPN users.

**SonicWall: A Popular Target**

SonicWall's firewall products, like routers, VPNs and other network security technologies are an attractive attack target because of the elevated privileges threat actors can gain on a target network by compromising one of these products. Many network security products give attackers access to all traffic flowing in and out of a network and also to the valuable assets and data that are behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UK's National Cyber Security Center (NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target devices.

Earlier this year, CISA, for instance, identified China's notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, NetGear, Cisco, and Citrix to obtain initial access. In a 2023 report, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses, by state sponsored actors and intelligence agencies around the world. The company assessed that attackers like targeting network technologies such as routers and switches because of the deep visibility they enable on a victim network and because organizations often fail to keep the devices properly secured and patched.

Concerns over heightening government exposure to such attacks prompted CISA to issue a binding operational directive in late June that required FCEB agencies to implement strong measures to protect management interfaces for specific network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Akira Ransomware Actors Exploit SonicWall Bug for RCE

Though the company reports that data was exfiltrated in the breach, it has been remained tightlipped regarding the kind of data that was exposed.

Source: Kumar Sriskandan via Alamy Stock Photo

Avis Car Rental is notifying nearly 300,000 individuals of a data breach it fell victim to in early August.

According to the letter it is sending out to those who have been affected, a threat actor gained unauthorized access to its business applications. The company took steps to end the access and launched an investigation alongside third-party experts, as well as alerted the authorities and notified the Maine Attorney General's Office.

The investigation has led the company to believe that the access was gained between Aug. 3 and Aug. 6, and that some personal identifiable information (PII) was exfiltrated, though the scope of the breach remains unclear.

"While details of the recent Avis intrusion are scant and we're not privy to how disruptive this attack was to Avis corporate employees and the nearly 300,000 customers apparently impacted, I am encouraged by the company's quick response and its implementation of additional safeguards to its systems and customer data," Sean Deuby, principal technologist at Semperis, wrote in an emailed statement to Dark Reading.

Avis is providing complimentary one-year memberships to those who were affected, but they must enroll by Dec. 31. Still, the company recommends that its customers remain vigilant against fraud and identity theft and review their financial statements often, as it works to bolster its cybersecurity protections.

**About the Author**

300K Victims' Data Compromised in Avis Car Rental Breach

Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Source: Dzmitry Skazau via Alamy Stock Photo

Because of their large attack surface made up of different sets — including laptops, desktops, mobile devices, and servers — endpoints are becoming the primary targets of increasingly sophisticated attacks. This diversity is further complicated by the variety of operating systems (OSs) being run on those devices. In addition, the location of these devices is often no longer tied only to company networks, due to the increase in hybrid and remote work, and more server workloads moving to the cloud.

To meet the growing needs of security teams, the endpoint security market is constantly evolving, albeit at an incremental rate recently. Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Below are four areas for security professionals to focus on to establish and enhance their endpoint security. While not a comprehensive list, this should help security experts, both new and established, understand the core concepts around endpoint security.

**Baseline Security**

Endpoint protection starts with strong baseline security. Organizations must make optimal use of all of the features their OSes and applications provide that can help with endpoint protection. To do this, security experts should:

*   Use consistent application deployment methods: Restrict application deployments to known sources. Layer on a workflow for updating and maintaining approved applications.
    
*   Perform configuration management: Configure OSes and applications for security. For example, use hardening guidelines and manage browser add-ons and client applications' security capabilities.
    
*   Use auditing and logging: Understanding events on an endpoint starts with auditing and logging the right security events, and with having a process in place to monitor for security events. Aim to establish a single source of truth for endpoint status.
    

While providing a foundation for baseline security, this list is not exhaustive. Security leaders should also look into actions that include managing vulnerabilities for all OSs and managing backups.

**Endpoint Detection and Response**

Endpoint detection and response (EDR) tools store and monitor endpoint events to detect and hunt for suspicious behaviors, and also provide response capabilities to those events. Common events that are monitored include, but are not limited to, execution events, registry events, file events, and network events.

EDR, in its purest form, does not interrupt running processes; instead, it analyzes the resulting events to search for known indicators of compromise or patterns that indicate malicious behavior.

EDR tools can be likened to a data recorder, or "black box," for the endpoint devices on which they are installed. These tools gather telemetry data about the activity happening on those devices and make it available for examination later. Of course, storing the recorded data is not nearly enough — an EDR tool must also be able to present the data to an administrator in a way that enables further analysis using both automated and human-driven means.

**Automated Moving Target Defense**

Automated moving target defense (AMTD) is an emerging technology that focuses on constantly changing the attack surface of a system or network. AMTD makes it harder for attackers to identify and exploit vulnerabilities by dynamically modifying the process structure, memory space, system configurations, software stack, or network characteristics. This proactive approach helps to improve cyber defense and mitigate the risk of successful attacks.

Endpoint defense with AMTD can include:

*   Enhancing memory defense through morphing or enhanced randomization
    
*   Augmenting confidential computing enclaves with AMTD proactive defense
    
*   Enhancing runtime software hardening (polymorphism of code or inputs)
    
*   Automatic endpoint self-healing from known good files storage
    
*   Applying AMTD to file storage or storage access channels (command and storage polymorphing)
    

AMTD for endpoints and endpoint software is a set of technologies that make it harder for attackers to reverse engineer and exploit endpoint OSes and software technologies. AMTD works by introducing unpredictable and frequent changes in the attack surface of the applications and OSs on which it is used.

**Mobile Threat Defense**

The mobile attack landscape has continued to grow and change with the increase of smartphone and tablet sales, and with the proliferation of bring-your-own-device arrangements in enterprises. Every year, we see new statistics claiming hundreds of percentage points of growth in mobile malware.

The MTD market includes vendors that use some combination of the following mobile protection methods for Android and iOS:

*   Behavioral anomaly and configuration detection
    

*   Protection against device attacks, network attacks, and malicious and leaky apps
    
*   Mobile anti-phishing protection
    
*   OS-, hardware- and application-based vulnerability assessment, monitoring, and compliance
    
*   Crowdsourced threat intelligence
    

Baseline security, EDR, AMTD, and MTD are just a few crucial tools security leaders can use to improve their endpoints' resilience against attacks. There continue to be many other layers of security designed to contribute to the protection of endpoints, and security leaders must take a holistic approach, as this topic is foundational for enterprises who will need to adjust their strategy for changing and increased variation in devices, agile work environments, and increasingly sophisticated security threats.

**About the Author**

Director Analyst, Gartner

Eric Grenier is a Director Analyst at Gartner working in the Technical Professionals Security Technology and Infrastructure team, focusing on Endpoint Security including endpoint protection and endpoint detection and response.

How to Establish &amp; Enhance Endpoint Security

The Chinese-speaking group is launching sophisticated malware towards military and satellite targets globally.

Source: ZUMA Press, Inc. via Alamy Stock Photo

A threat actor dubbed "TIDrone" by researchers is actively going after military- and satellite-related industrial supply chains, particularly drone manufacturers in Taiwan.

That's according to Trend Micro, which linked TIDrone to other Chinese-speaking groups and noted that it uses enterprise resource planning (ERP) software or remote desktop tools to deploy advanced, proprietary malware.

"Since the beginning of 2024, we have been receiving incident response cases from Taiwan," according to an analysis from the firm. "\[However\], telemetry from VirusTotal indicates that the targeted countries are varied; thus, everyone should stay vigilant of this threat."

The specialized toolsets include "CXCLNT," which can upload and download files, collect victim information such as file listings and computer names, and comes complete with stealth capabilities. Another weapon is "CLNTEND," a remote access tool (RAT) first seen last April that supports a wide range of network protocols for communication.

Once TIDrone has compromised a target, it deploys user account control (UAC) bypass techniques, credential dumping, and hacktool usage to disable antivirus products, according to the analysis.

"The threat actors have consistently updated their arsenal and optimized the attack chain," the researchers noted. "Notably, anti-analysis techniques are employed in their loaders, such as verifying the entry point address from the parent process and hooking widely used application programming interfaces (APIs) like GetProcAddress to alter the execution flow."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

'TIDrone' Cyberattackers Target Taiwan's Drone Manufacturers

In the past, Putin's Unit 29155 has utilized malware like WhisperGate to target organizations, particularly those in Ukraine.

Source: vchal via Alamy Stock Photo

The United States, alongside several of its allies including the UK, are accusing the Russian military of attacking global critical infrastructure units through malicious cyber operations bent on espionage, sabotage, and reputational damage.

The FBI, NSA, and CISA have published a joint advisory assessing the cyber actors affiliated with the Russian GRU 161st Specialist Training Center, otherwise known as Unit 29155. The group has been active since 2020, but began deploying WhisperGate malware against Ukrainian organizations in January 2022.

In addition to leveraging the malware against Ukrainian victims, the group has also conducted network operations against numerous members of NATO in North America and Europe, as well as targets in Latin America and Central Asia. These operations include website defacements, infrastructure scanning, data exfiltration, and data leaking.

According to the advisory, "Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors."

Though overt attacks on critical infrastructure are concerning, the issue goes further than that.

"While cyberattacks against critical infrastructure are certainly concerning, it is even more concerning to imagine that adversaries could gain access to systems without our knowledge and remain hidden until an issue occurred, and could then be used to take down critical tools, utilities, or communication systems," said Erich Kron, security awareness advocate at KnowBe4. Kron cited "vendors providing services to these critical infrastructure partners" as being at high risk for related attacks as well.

Organizations can mitigate against these kinds of threats by prioritizing routine system updates and remediating known exploited vulnerabilities; segmenting networks to prevent the spread of malware or malicious activity; and enabling phishing-resistant multifactor authentication, especially for webmail, VPNs, and critical system accounts.

Feds Warn on Russian Actors Targeting Critical Infrastructure

The vulnerabilities affect industrial control tech used across the healthcare and critical manufacturing sectors.

Source: PopTika via Shutterstock

This week the US Cybersecurity and Infrastructure Security Agency (CISA) warned about two new industrial control systems (ICS) vulnerabilities in products widely used in healthcare and critical manufacturing — sectors prone to attract cybercrime.

The vulnerabilities affect Baxter's Connex Health Portal and Mitsubishi Electric’s MELSEC line of programmable controllers. Both vendors have issued updates for the vulnerabilities and recommended mitigations that customers of the respective technologies can take to further mitigate risk.

**Baxter Connex Vulnerabilities**

CISA's advisory contained information on two vulnerabilities in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that it described as remotely exploitable and involving low attack complexity. One of the vulnerabilities, assigned as CVE-2024-6795, is a maximum severity (CVSS score of 10.0) SQL injection issue that an unauthenticated attacker can leverage to run arbitrary SQL queries on affected systems. CISA described the flaw as giving attackers the ability to access, modify, and delete sensitive data and take other admin level actions, including shutting down the database.

The other vulnerability in Baxter's Connex Health Portal, tracked as CVE-2024-6796, has to do with improper access control and has a CVSS severity rating of 8.2 on 10. The flaw gives attackers a way to potentially access sensitive patient and clinician information and to modify or delete some of the data. As with CVE-2024-6795, the improper access vulnerability in Baxter Connex Health Portal is also remotely exploitable, involves low attack complexity, and does not require the threat actor to have any special privileges.

Baxter has fixed the issues, but CISA has recommended that affected organizations also minimize network exposure for all control system devices and to make sure they are not accessible from the Internet. CISA also wants organizations to stick firewalls in front of control system networks and to use secure remote access methods such as VPNs where remote access is a requirement.

So far, there is no sign of exploit activity targeting either vulnerability, CISA said. But healthcare technologies have become a major target for cybercriminals in recent years. This year alone, there have been multiple incidents involving major healthcare players. Among the most notable of them was a ransomware attack on health insurance firm Change Healthcare earlier this year that knocked critical-claims-related services offline for days. Though Change Healthcare paid a $22 million ransom to the BlackCat ransomware group following the attack, the threat actor leaked sensitive health information on millions of Americans on the Dark Web anyway. In another incident, attackers — believed to be the Rhysida ransomware group — knocked systems offline at Chicago’s Lurie Children's Hospital and compromised records belonging to more than 790,000 patients.

Multiple factors have contributed to the healthcare sector becoming a major target for cybercriminals. These include the fact that healthcare organizations usually hold a lot of valuable data and are particularly vulnerable to any kind of operational disruptions and degradation in their ability to serve patients.

**Mitsubishi MELSEC Flaws**

Meanwhile CISA's advisory on Mitsubishi Electric's MELSEC programmable controllers for industrial automation and control applications have to do with vulnerabilities the vendor announced previously. One of the advisories involves a #denial of service of vulnerability that Mitsubishi first disclosed in 2020 (CVE-2020-5652) and has kept updating through the years as new issues related to the flaw have continued to crop up. The latest advisory adds more Mitsubishi MELSEC products to the list of affected technologies and provides new information on mitigating against the threat. The other vulnerability, identified as CVE-2022-33324, is also a denial-of-service issue, but one resulting from what CISA described as improper resource shutdown or release. Mitsubishi first disclosed the flaw in December 2022 and has kept updating its advisory with new information. The latest update, which adds new products to the list of affected technologies and provides new mitigation advice, is the company's third just this year for CVE-2022-33324.

Vulnerabilities in ICS and other Information technology products in the manufacturing sector are a particular concern for two reasons: More than 75% of manufacturing companies have unpatched high-severity vulnerabilities in their environment; and attacks against manufacturing companies have surged in recent years. A report that Armis released earlier this year showed a 165% increase in attacks on manufacturing companies in 2023, making it the second-most targeted sector after utilities.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA Flags ICS Bugs in Baxter, Mitsubishi Products

Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.

Source: Robert Brown via Alamy Stock Photo

Efforts by the US and other governments to curb the development, use, and proliferation of powerful spyware tools like NSO Group's Pegasus and Intellexa Consortium's Predator have largely been unsuccessful. Rather, they appear to have encouraged these espionage retailers to improve their ability to evade detection and do business in the shadows.

Spyware could arguably have some legitimate law enforcement or intelligence gathering use case, however, human-rights-abuse watchers have soundly established tools like Pegasus and Predator as tools employed by authoritarian governments to spy on journalists, dissidents, and citizens, and to police their activity. Western governments (including the US, the UK, and others across Europe) recognize these spyware tools as a threat to human rights and basic freedoms, and have joined to try and stop their use through sanctions and other enforcement actions.

In 2021, the US Department of Commerce sanctioned NSO Group, Candiru Ltd., and two suppliers. In 2023, it added Intellexa Consortium to the list for "trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide," according to a Sept. 4 report from The Atlantic Council DFRLab.

Further in 2023, the US proposed blocking government agencies from using commercial spyware and joined with several other countries to pledge to work against the misuse and spread of commercial spyware, DFRLab's report noted. In March of 2024, the US Department of the Treasury also levied sanctions against seven spyware entities. And the following month, the US government also issued Visa restrictions to "promote the accountability for the misuse of commercial spyware," the report added.

It worked for a time. But the market for governments who want to use spyware against their citizens proved too big of a prize for these vendors to miss out on: the Atlantic Council report also highlighted the subsequent return of sanctioned spyware sellers.

"Most available evidence suggests that spyware sales are a present reality and likely to continue," the Atlantic Council admitted. "Proliferation heedless of its potential human rights harms and national security risks, however, is not a stable status quo."

**Predator Spyware Claws Back With Location Obfuscation**

Take Predator as an example. In 2024 Predator spyware use dropped sharply after the company was sanctioned, according to researchers at Insikt Group. But recently, new and improved Predator infrastructure has been detected in more countries, including the Democratic Republic of Congo and Angola.

Updates to the new and improved Predator tool anonymizes customer operations, which obscures which countries are using the spyware, Insikt Group reported in a Sept. 5 report on Predator.

"This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator," the report added.

But Predator is hardly the only spyware tool gaming its location to evade oversight. The Atlantic Council's report identifies several ways spyware vendors have adapted to take advantage of jurisdictional gaps, including simply by structuring their businesses with subsidiaries, partners, and other relationships scattered across different areas. Spyware vendors also play games with naming and re-naming their companies and legal entities in an effort to get around sanctions and other regulation.

"The most persistently shifting identity is that of the firm originally known as Candiru Ltd., which changed its name four times over the ensuing nine years, and is known at the time of this writing as Saito Tech Ltd," the Atlantic Council's report noted.

The strategy goes beyond business operations; this jurisdictional shell game also allows these vendors to court investors from a wider range of countries.

"These relocations may offer a variety of location-specific benefits, from facilitating sales to the EU market with an EU-domiciled firm to situating branches in states with more forgiving laws," the Atlantic Council report said.

The good news is, these loopholes could be closed, according to the Atlantic Council, with more controls and scrutiny on spyware investment.

"Improving corporate transparency requirements, such as the US’ recent move to compel companies to report their beneficial owners in line with policies in other countries, will support improved investor due diligence and deal review inside the United States," according to the report. "For vendors located outside the US, a recent notice of proposed rulemaking to extend US security review over some forms of outbound investment could provide the basis to catalog and potentially block investment."

**Spyware Vendors Concentrated in Three Countries**

The Atlantic Council report said the current spyware vendor landscape is heavily concentrated in three areas: Israel, India, and Italy. While there has been a lot of focus on Israeli spyware firms like NSO Group, the Atlantic Council report encourages Western governments to expand their sanctions focus to companies working out of India and Italy as well, two countries that were recently left out of the high-profile international sanctions from the UK and France against cyber intrusion tools, called the Pall Mall Process.

India is home to five prolific spyware vendors, including Aglaya Scientific Aerospace Technology Systems Private Limited and Appin Security Group, and Italy has six, including Memento Labs, Movia SPA, the report points out.

More needs to be done to bring transparency to the spyware market, the Atlantic Council report urged.

"Nascent steps by a handful of countries demonstrate that a more vigorous approach to shape the behavior of spyware vendors, their supply chain, and their investors is possible," its report said. "However, much more remains to be done."

Source

DARKReading