In the cloud, patches disseminate automatically. On your computer, you get notified. IoT devices, meanwhile, can escape attention for years on end.

Source: Nirbokphoto.com via Alamy Stock Photo

Tens of thousands of small office/home office (SOHO) devices sold by Ubiquiti Inc. are vulnerable on the open Internet to a five-year-old bug, researchers are warning.

In January 2019, broadband Internet expert Jim Troutman warned that an exposed port in dozens of Ubiquiti Internet of Things (IoT) gadgets was being exploited in denial-of-service (DoS) attacks. The underlying vulnerability, CVE-2017-0938, was assigned a "high" 7.5 score on the CVSS scale.

Seven months after that, researchers from Rapid7 were still able to find nearly 500,000 vulnerable devices. And now, even though Ubiquiti has long since acknowledged and patched the issue, around 20,000 devices remain vulnerable, Check Point Research noted in a new blog post.

"We can see that some of them were compromised," says Radoslaw Madej, vulnerability research team leader at Check Point Software. "Also, I've only done pretty rudimentary fingerprinting of the devices. It's quite possible that there are more of them \[compromised\] too."

Check Point also warned that besides being used in a SOHO botnet for DoS attack amplification, compromised devices can leak potentially sensitive data, too.

**Exposed Cameras & Routers Can Leak Data**

In probing Ubiquiti gadgets like the G4 Instant Camera — an Internet-enabled camera with two-way audio — Check Point homed in on port 10001, where the exposed process was first identified five years ago. The service at issue: Ubiquiti's discovery protocol, used to communicate between the device and its CloudKey+ controller.

Using spoofed packets, the Check Point researchers discovered that communicating with neither the CloudKey+ nor its connected devices required any sort of authentication. Further, the messages they received in response to their pings included specific information about the devices, plus their owners' names and locations.

"In a few instances, actually, there was a first name and the last name of a person, and what turned out to be a location where a Ubiquiti router was located," Madej recalls. "All this information … it took only one packet from me to receive that response.

"If I wanted to attack this entity, it would be easy for me, knowing the type of router they have, the name of the person, the exact software version, and their business address. \[I could\] find their contact details, and call them up saying: 'Hey, I'm calling from your Internet provider. I need to do some maintenance work. Provide me with access to the admin panel.' Because I can validate myself to this person by giving them all the information they need."

**The Issue with IoT**

Patched Ubiquiti products have a safeguard against Internet-based attacks: They do not respond to pings coming from the wider Web, only from internal IP addresses.

Despite the easy availability of such a simple fix, tens of thousands affected products in the wild remain unpatched. This seems to have a lot less to do with Ubiquiti itself than IoT security in general.

"We got used to patching our Windows machines and MacBooks and mobile phones and whatnot, but we're still not really used to the fact that we should also take care about our IoT devices, be it Wi-Fi routers, cameras, vacuum cleaners, fridges, and washing machines," Madej says.

"Of course," he adds, "the question is: To what extent an end user should even be bothered about it. We live in a time when all devices should have automatic updates enabled by default. I don't think that should be a concern of the end user."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

20K Ubiquiti IoT Cameras &amp; Routers Are Sitting Ducks for Hackers

Though TikTok is expected to adhere to certain COPPA-outlined measures, the social media giant has failed to meet those expectations, the Feds allege.

Source: Wachiwit via Alamy Stock Photo

The Justice Department, alongside the Federal Trade Commission (FTC), filed a civil lawsuit against TikTok on Aug. 2, due to allegations that the popular social media app and its parent company, ByteDance, violate children's online privacy protections.

In 2019, Musical.ly, TikTok's predecessor, was sued for violating the Children's Online Privacy Protection Act (COPPA), which prohibits website operators from knowingly collecting, using, or disclosing personal information from children under the age of 13 unless express consent is obtained from the child's parents. The company was then court ordered to adhere to certain measures in compliance with COPPA.

Since that time, TikTok allegedly has continued to allow children to create TikTok accounts as well as content on the platform, and has collected and retained personal information from these accounts without notifying the children's parents or obtaining consent, according to the Department of Justice (DoJ) and FTC. They also said that the company has failed to honor deletion requests from parents of those underage profiles.

"TikTok knowingly and repeatedly violated kids' privacy, threatening the safety of millions of children across the country," said FTC chair Lina Khan in a DoJ announcement. "The FTC will continue to use the full scope of its authorities to protect children online — especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data."

**About the Author**

FTC Slams TikTok With Lawsuit After Continued COPPA Violations

The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers.

Brian Jackson via Alamy Stock Photo

A critical pre-authentication remote code execution (RCE) security vulnerability in Apache OFBiz could open organizations to data theft, lateral movement by threat actors into various applications and parts of their networks, and more.

The bug, tracked as CVE-2024-38856, carries a notably high CVSS score of 9.8, given how impactful exploitation could be. Apache OFBiz is an open source enterprise resource planning (ERP) system that has highly privileged access to various business processes for the purpose of single-pane management and automation; these can include accounting, human resources, customer relationship management, order management, manufacturing and e-commerce.

CVE-2024-38856 exists in the override view functionality, and can allow threat actors to access critical endpoints using a crafted request, according to the SonicWall Capture Labs threat research team, which discovered the vulnerability and shared its details with Dark Reading.

To protect their organizations, admins should upgrade their implementations to version 18.12.15 or newer.

OFBiz customers number around 170 and include some heavy hitters, such as Atlassian JIRA, Home Depot, United Airlines, and Upwork Global, according to SonicWall.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Critical Apache OFBiz Vulnerability Allows Preauth RCE

The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.

Source: Pawel Opaska via Alamy Stock Photo

Researchers have found that a China-linked advanced persistent threat (APT) group compromised an Internet service provider (ISP) to exploit software vendor update mechanisms using DNS poisoning. The attacks delivered new variants of the Macma backdoor, as well as post-exploitation malware to exfiltrate sensitive data from compromised networks.

Researchers at Volexity discovered the attack by Evasive Panda, a threat group they track as StormBamboo and that also goes by DaggerFly, when they detected multiple systems becoming infected with malware in mid-2023, they revealed in a recent blog post. The researchers eventually tracked the attacks to the highly active Chinese APT, which they found altering DNS query responses for specific domains tied to automatic software update channels for software vendors, they said.

"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers," Volexity researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster wrote in the post. "Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to Macma and Pocostick (aka MGBot)."

Macma is a backdoor that's often used by Evasive Panda and was first detailed by Google TAG in 2021, though it was used for a number of years before discovery. The latest variant demonstrates the group converging development of both Macma and Gimmick MacOS malware, according to Volexity. The researchers also detected post-exploitation activity to deploy the malicious browser extension Reloadext to exfiltrate victim mail data, they said.

**Poisoning DNS Requests**

Volexity outlined one of several incidents that researchers investigated in which Evasive Panda used DNS poisoning to deliver malware via an HTTP automatic update mechanism. The attack poisoned responses for legitimate hostnames that were then used as second-stage command-and-control (C2) servers, the researchers said.

DNS poisoning is a type of DNS abuse in which an attacker poisons DNS records to reroute network communications to a server under their control to steal and manipulate information transmitted to users. In this case, the APT used the poisoned DNS records to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130.107, which was at the ISP level of the targeted organization.

The logic behind the abuse of automatic updates is the same for all the applications targeted, the researchers noted. The legitimate application performs an HTTP request to retrieve a text-based file containing the latest application version and a link to the installer.

"Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer," the researchers wrote.

In the attacks, the APT targeted multiple software vendors with "insecure update workflows" that use varying levels of complexity in their steps for pushing malware. For example, one of the vendors, 5Kplayer, uses a workflow, the binary of which automatically checks if a new version of YoutubeDL is available for each time the application is started.

If a new version is available, the process downloads it from the specified URL, and then the legitimate app executes it. In its attack, Evasive Panda used DNS poisoning to host a modified config file indicating a new update was available, which resulted in the YoutubeDL software downloading an upgrade package from the APT's server that had already been backdoored with malicious code.

**Beware: "Highly Skilled" APT at Work**

Volexity notified and worked with the ISP whose network was being used for DNS poisoning. The ISP investigated and took various network components offline, which stopped the malicious activity, the researchers said.

"During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased," they wrote.

The attacks are not the first time Evasive Panda, which often targets organizations across Asia that are interested in the Chinese state, has leveraged legit software update channels for nefarious purposes.

In April of last year, researchers from ESET discovered cyberespionage attacks in which the group targeted individuals in China and Nigeria by hijacking update channels for software developed by Chinese companies to deliver the MGBot malware to steal credentials and data.

Indeed, the group is "a highly skilled and aggressive threat actor" that often "compromises third parties to breach intended targets," the researchers warned.

"The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances," they wrote.

The attacks also are related to previous research by ESET concerning the infection vector for the Pocostick malware that also used DNS poisoning to abuse automatic updates, as well as one used by a related APT DriftingBamboo following zero-day exploitation of Sophos firewalls, the researchers noted.

Volexity included a link to various rules and indicators of compromise (IOCs) in its post to help organizations detect if they have been affected by the malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China's Evasive Panda Attacks ISP to Send Malicious Software Updates

Cybersecurity startup Knostic, a finalist in this year's Black Hat USA Startup Spotlight competition, adds guardrails to how AI uses enterprise data to ensure sensitive data doesn't get leaked.

Source: Deemerwha Studio via Shutterstock

The intense popularity of public generative artificial intelligence (GenAI) tools over the past two years has resulted in many applications rolling out new chat capabilities and other features driven by large language models (LLMs). However, many organizations are learning that connecting LLMs to their internal knowledge repositories is a risky endeavor.

"Business leaders are surprised when the search tools provide anyone \[with\] answers to sensitive questions, such as, 'What are people's salaries?' and 'What are the most recent M&A due diligence results?'" says Sounil Yu, co-founder and CTO of Knostic. Even if the permissions and access controls are set correctly on the files containing sensitive data, the inferences made by the LLM can also lead to oversharing.

AI without controls potentially exposes the organization to increased risk, primarily by exposing information to the wrong people, said Gadi Evron, co-founder and CEO of Knostic, in an April interview with Dark Reading.

"How can we curate personalized information and actually give you value — answer with what you need to know instead of just saying stuff?" Evron said.

Knostic says it is the only company defining per-user need-to-know and creating a knowledge control layer.

"Most companies are focused on addressing the oversharing problem solely through data scanning/permissions and information classification," Yu notes.

Knostic's technology provides organizations with visibility, control, and curation. For visibility, the platform continuously queries the GenAI tool (currently Microsoft's Copilot) on various sensitive topics from the perspective of different users and roles to identify unexpected exposures. For control, Knostic's technology captures and displays permissions for content and gives users the ability to modify those permissions. Just because a user can access the data file doesn't mean the user is supposed to know its contents, Yu says.

"By correcting the permissions of sensitive content, we can prevent oversharing through Copilot," Yu says.

Access should not be binary — either yes or no — so the technology gives security teams the ability to curate search query answers to fit the user's need-to-know level.

The company started by focusing on Copilot for M365. Looking ahead, the company is working on solving the need-to-know problem for tools beyond Copilot and Glean for all software-as-a-service tools that incorporate LLMs as a feature.

**Startup Spotlight Finalist**

Evron and Yu originally planned to call the company Knowalls, a play on words that could mean "no walls," "know walls," and "knows all," but decided against it because of the negative connotation around "know-it-alls." The word Knostic is based on the Greek word gnostic, meaning relating to knowledge, which fits with what they were building, Yu says.

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to Knostic's booth will be able to see how the solution "provides visibility into what is being overshared, capture need-to-know, and control and curate access to knowledge based on a user’s need-to-know," Yu says.

**Startup Brief**

If the company were a band, what would its band name be?

Guardians of Gnosis (thrash metal).

If your company had a mascot, what would the mascot look like?

A barn owl, because an owl is known for its knowledge and wisdom.

Startup Spotlight: Knostic Tackles AI's Oversharing Problem

Cybersecurity startup LeakSignal, a finalist in this year's Black Hat USA Startup Spotlight competition, helps organizations see where data is leaking within their environments.

Source: Rico Ploeg via Alamy Stock Photo

Data leakage is a big problem for organizations. While there are many ways to protect data when it is "at rest," it is much harder to know where the data is going, who is accessing it, and how much has already been accessed. LeakSignal is an openly distributed data governance solution that classifies and protects sensitive data.

Customers can block sensitive data before it is logged, observe and redact it during calls to outbound third-party application programming interfaces (APIs), and observe and set limits on internal API data access.

"We are bringing a new observability metric to the world, allowing organizations to understand and govern the data flowing within their environment," says Wesley Hales, co-founder and CEO.

The platform is designed to seamlessly integrate with an organization's existing architecture, he says.

"We don't require an additional container, \[virtual machine\], or traffic routing," Hales says, noting that there is no disruption to existing traffic.

LeakSignal offers data flow governance focusing on real-time, in-transit data classification.

"Unlike traditional data loss prevention tools or perimeter-based security measures, LeakSignal operates within individual services across modern service mesh, microservices, and bespoke internal environments," Hales adds.

LeakSignal relies on natural language processing techniques to classify and manage data in-transit, he says. It is built with Rust, providing flexible deployment options within modern and existing architectures.

"LeakSignal supports many deployment options leveraging WASM, native proxy filters, and pcap that can be easily deployed within existing infrastructures, such as service meshes, serverless, and GenAI workloads," Hales says.

The LeakSignal team recently published the company's data flow governance approach with National Institute of Standards and Technology and is currently working with Payment Card Industry special interest groups to make data in-transit classifications simple for every regulated environment, Hales says.

"Our next focus is on expanding support for more complex AI models and refining our data classification algorithms to provide even more accurate and comprehensive protection," he explains.

**Startup Spotlight Finalist**

The co-founders chose the name LeakSignal to reflect its core mission: to identify and signal data leaks in real time, providing organizations with the visibility they need to protect sensitive information. The "signal" emphasizes the team's focus on proactive monitoring and alerting, ensuring data issues are detected and addressed before they become significant problems, Hales says.

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to LeakSignal's booth will be able to see demonstrations of the platform as well as case studies with existing customers. They will see how easy it is to deploy LeakSignal within various environments and understand its impact on data security and compliance, says Hales. (Fun fact: Hales says next year's booth will be modeled after a post-apocalyptic diner.)

**Startup Brief**

If the company were a band, what would its band name be?

Packet Frenzy. (A chaotic blend of aggressive riffs and complex rhythms mirroring the fast-paced and unpredictable nature of data flows.) "Packet Frenzy thrives on dissonance and mathematical precision, just like LeakSignal's approach to detecting data anomalies," Hales says.

If your company had a mascot, what would the mascot look like?

A person dressed in a HAZMAT suit (for nuclear waste incidents and cleanup), carrying a Geiger counter that detects if a given individual is leaking personal data.

Startup Spotlight: LeakSignal Helps Plug Leaky Data in Organizations

Adopting a military mindset toward cybersecurity means the industry moves beyond the current network protection strategies and toward a data-centric security approach.

Source: ber1a via Alamy Stock Vector

COMMENTARY

Cybercriminals, terrorists, and nation-states are now striking at commercial entities in ways that can kill and injure people or cause physical destruction. A recent attack on Ascension Healthcare Network forced hospitals to divert patients, reschedule appointments, and resort to manual systems, which could have resulted in serious harm to patients. In 2023, two suspects were arrested for conspiring to attack Baltimore's power grid. The potential harm of such an attack has the US government scrambling to improve security.

In addition to the increased "physical" seriousness of these attacks, company executives can now be held legally responsible for them. In 2022, a federal jury found former Uber CSO Joseph Sullivan guilty of obstruction for actions following the company's breach. In 2023, the Securities and Exchange Commission announced charges against SolarWinds chief information security officer (CISO) Timothy Brown in a similar case (many of which were later thrown out). And earlier this year, Microsoft announced that it will “hold senior leadership directly accountable for cybersecurity.”

We historically have distinguished between attacks on business data — financially motivated incidents that threaten an organization's bottom line in the form of fines, loss of intellectual property, and reputational damage — and state-sponsored attacks on military secrets that have the potential to kill and injure people or undermine the operation of the government. Unfortunately, recent events have blurred the line between physical and cybersecurity, forcing businesses to raise the priority of protecting sensitive data, similar to the military.

**The Military Mindset**

In the military, protecting sensitive information has always been paramount, and the industry prioritizes whatever systems it needs for protection, including multiple layers of physical and digital security. The information simply can't be compromised.

By contrast, businesses are more likely to do a cost-benefit analysis, weighing the costs of securing data against the costs of recovering from the damage. As a result, the industry has never built a data-centric security stack, instead preferring a network-based security approach focused on keeping the bad guys out and responding quickly to contain breaches. However, if an attacker breaches the network security layer, sensitive data is quickly exfiltrated and exposed before most organizations can respond to contain the incident.

In order to safeguard their employees and business interests, organizations need to change their mindset to protect sensitive data with the same intensity as the armed forces, intelligence community, and defense industry.

**Principles of a New Data Protection Strategy**

1\. Principle of least privilege (PoLP)

The principle of least privilege in the military and intelligence community mandates that individuals have access only to the information and resources necessary for their specific duties. This minimizes the risk of unauthorized access, data breaches, and espionage by limiting exposure to sensitive information, which thereby enhances overall security and operational integrity.

Similarly, business systems should provide only the right data to the right people at the right time. Recent privacy laws have forced many organizations to begin implementing this capability, but most organizations are a long way from building least privilege into the very fabric of their data infrastructure. Implementing strong data security requires understanding the context of the users' role and duties found in identity access management (IAM) infrastructures, understanding privacy compliance requirements, and having the ability to automatically identify and secure sensitive information in real-time across on-premises infrastructure, public cloud, software-as-a-service (SaaS) applications, and the organization's supply chain. 

2\. Never trust a third party with data

Data must stay where the company can control and protect it. Attackers go after the weakest link in the data supply chain, and this increasingly means people outside the organization, including children, and third-party data platforms, as with SolarWinds. Companies also lose control of data when it's stored on a vendor's cloud data platform where the vendor's security failures put the data at risk. Thus, companies must ensure that vendors who become part of their data ecosystem do not store it, see it, or otherwise have access to it. This can be accomplished by redacting, masking, tokenizing, or encrypting sensitive data automatically as it leaves the control of the organization.

3\. Identify threats in real-time

Too often, businesses have settled for security architecture centered on detection and response with poor response times. According to the 2023 IBM Security "Cost of a Data Breach Report," the mean time to identify (MTTI) and contain (MTTC) a breach is 277 days. When extensive AI and automation were used for incident response, it still took 214 days to identify and contain breaches. In order to prevent data breaches from resulting in the loss of personally identifiable information (PII), we must shift the focus from reactive containment measures that are not working to proactive data security measures that leverage AI to identify and protect sensitive data in real-time as it flows through the organization and block attempts by unauthorized users to access, steal, or manipulate business-critical information.

4\. Never undermine productivity

An impediment to increased security has long been that added security makes processes slower and inhibits legitimate access to data, frustrating users, constraining collaboration, undermining customer experiences, and stifling innovation. To encourage adoption and use, data security solutions must protect data without delaying operations. Otherwise, users will find a way around it.

5\. Make it fast and easy to deploy

Whatever solutions the industry devises, companies must be able to implement them quickly with little disruption to existing workflows. Otherwise, at best, risks could increase during the implementation process. At worst, the solutions won't be implemented at all or will leave critical gaps in the organization's defenses.

**A Call to Arms**

In practical terms, adopting a military mindset toward cybersecurity means organizations must immediately begin demanding that the industry moves beyond the current network protection strategies and toward a data-centric security approach that proactively secures data in real-time. These actions include:

*   Make data protection a topic at board meetings and throughout the organization.
    
*   Ask every vendor about their approach to protecting data, not just the network.
    
*   Ensure every data supply chain partner is working to adopt the above data protection principles.
    
*   Encourage industry regulators to make these principles a key focus.
    
*   Put pressure on the government to require agencies to adopt these principles.
    

These strategies are crucial for moving toward a data-centric security approach that effectively safeguards organizations against evolving cyber threats.

**About the Authors**

Founder & CEO, Dymium

Denzil Wessels is the founder and CEO of Dymium. He’s an established technology leader and an emerging pioneer who is focused on building new technologies and products that solve networking and security challenges.

He is passionate about identifying and solving difficult enterprise business problems in new and unique ways that did not exist in the industry before.

Using this approach, he is able to help build new business, business groups, and successfully transform existing companies looking to grow. His lineage includes companies like Zscaler, Aruba Networks (HPE), Juniper, and F5 Networks.

COO, Dymium

Glenn Ignazio is the COO of Dymium and a retired Air Force Special Operations commander and national security expert. He is best known for his experience translating complex technology into military and intelligence operations that position solutions into commercial, defense, and government organizations. A sought-after national security expert, he's advised defense agencies globally, including the US Assistant Secretary of Defense and UAE Royal Family. Beyond his 22-year military service, Glenn’s impact extends to solution architecture, business development, executive, and operations roles. He holds an executive MBA and has earned recognition for combat operations.

Protect Data Differently for a Different World

Ultimately, a more cyber-secure world requires a global governing body to regulate and campaign for cybersecurity, with consistent regulatory requirements in the various regions around the world.

Joanna Huisman, Senior Vice President of Strategic Insights & Research, KnowBe4

August 5, 2024

3 Min Read

Source: Iulia Bycheva via Alamy

COMMENTARY

Cybersecurity regulations differ across regions, as does the level of security culture. As a result, cybercriminals are better able to take advantage of weak spots arising from the lack of a global governing cyber alliance. We remain scattered when it comes to overarching procedures and cybersecurity response. From North and South America to Asia, Africa, Europe, and Oceania, cybercrime is prospering within the regulatory gaps.

To bridge these gaps, governments worldwide must collaborate closely to come to a consensus on how to deal with cybersecurity incidents. Unfortunately, this is not the kind of thing that will happen immediately. But by understanding the state of global security culture and regulation, we can point ourselves in the right direction. 

**The Americas**

While the emphasis of security culture in North America has resulted in changes to cybersecurity best practices, there are still plenty of major cyberattacks hitting the news. Ransomware events against MGM and United Healthcare show that even as the workforce improves its level of security awareness, there is a long way to go.

Security culture in South America is even more spotty. The varying levels of development across South American countries means cybersecurity companies will avoid investing too much effort in a less prolific region. Additionally, while there are some key regulatory requirements within South America, the lack of consistency across countries there puts the continent at a disadvantage. Though Colombia may be one of the more prepared countries with its strong outline of cyber strategies in its National Council of Economic and Social Policy, the region as a whole is not.

**Africa & Europe**

Africa, which has up to 2,000 unique languages and a quickly growing population, is rapidly adopting technology. African organizations have also experienced the most growth in cybercrime over the past couple of years. With such a quickly evolving environment, security culture will take a while to catch up.

While various African countries boast cybersecurity legislation, the African Union's Convention on Cybersecurity and Personal Data Protection has only been ratified by 15 of the 55 countries. This is concerning, since the South African Council for Scientific and Industrial Research predicts an increase in cyberattacks against critical infrastructure and government organizations.

In Europe, security awareness increasingly is gaining traction, but a range of attitudes toward cybersecurity culture remains.

While European cybersecurity regulations seem to be on track — for example, the well-established General Data Protection Regulation (GDPR) as well as the Digital Operational Resilience Act (DORA), which will be effective in 2025 — the truth is that many organizations haven't taken substantive efforts to develop a security culture, leaving them vulnerable to cyberattacks.

**Asia & Oceania**

Cybersecurity across Asia varies widely due to Asia's diversity of culture and languages.

While legislation like the Association of Southeast Asian Nations (ASEAN) is a great step at unifying portions of the region, Asia is fragmented, and will likely remain so for some time. This is unfortunate timing, as the Allianz Commercial Risk Barometer for 2024 predicts ransomware, malware, and social engineering to be the highest risks facing Asian organizations.

While Oceania is taking some important steps in solidifying a strong cybersecurity culture, the region has a long way to go. However, due to recent data breaches in the region — Latitude Financial, Optus, and Medibank — cybersecurity is considered more of a shared responsibility.

Additionally, the Australian government has implemented various cybersecurity awareness campaigns teaching citizens how to remain abreast of cyber threats. Meanwhile, Australia and New Zealand have each released their own cyber-strategy policies, which encourage cyber resiliency and foster security culture.

**Global Cyber Cooperation**

The ultimate solution, however idealistic, is for an overarching governing body to regulate and campaign for cybersecurity across the globe. In conjunction, each region should have its own consistent regulatory requirements. But that will take time.

In the meantime, individual organizations and individuals themselves can do various things to protect themselves in the face of increased cyber threat. It all begins with a strong security culture. While it may be more difficult for some organizations, the basis for a robust security culture is for everyone involved to feel responsible for their workplace, their city, their country, and so on.

**About the Author**

Senior Vice President of Strategic Insights & Research, KnowBe4

Joanna Huisman is Senior Vice President, Strategic Insights & Research, at KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe.

How Regional Regulations Shape Global Cybersecurity Culture

The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on a Audi Q7 Quattro SUV.

Source: Uwe Deffner via Alamy Stock Photo

A prolific Russian threat actor known as Fighting Ursa is targeting diplomats through a used-car sale email scheme that then distributes HeadLace backdoor malware.

The gambit involves downloading a .zip file supposedly containing car images of an Audi Q7 Quattro SUV that's been outfitted for diplomatic use; but in fact, the files are executables whose .exe extensions are hidden by default in Microsoft Windows.

The photos of the vehicle are accompanied by a Romanian phone number and a contact at the Southeast European Law Enforcement Center to lend the ad additional credibility.

Fighting Ursa (aka APT28, Fancy Bear, and Sofacy) has adopted the tactic from other Russian threat actors, according to a report on the attack published by Palo Alto Networks' Unit 42.

In July 2023, Unit42 reported on the Russian threat actor Cloaked Ursa, which was using a similar lure — that time a used BMW sedan in Kyiv — to target diplomats working at embassies in Ukraine.

"These lures tend to resonate with diplomats and get targets to click on the malicious content," the blog post noted.

**"Audi" Cyberattack Routine Drives Espionage**

The attack chain begins with the use of the legitimate, free service known as "webhook" to host a malicious HTML page — a tactic that Unit 42 noted is often associated with APT28.

This page then determines if the target machine is running Windows. If it is, a .zip archive is offered for download. If the system is not Windows-based, the user is redirected to a decoy image.

Inside the .zip archive are three files: a Windows calculator executable disguised as an image file, a malicious dynamic link library (DLL), and a batch script.

The calculator executable is used to load the malicious DLL, which then runs the batch script.

The batch script then executes a command to retrieve a file from another webhook site URL, saves it in the downloads folder, renames it for execution, and then deletes it afterward to cover the attack’s tracks. That file contains the HeadLace backdoor, which establishes persistent access to a victim's machine in order to set the stage for follow-on data theft, reconnaissance, and surveillance activities.

"While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services \[like webhook\]," a Unit 42 post explained. "Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor."

**Disabling Hide File Extension Options**

Roger Grimes, data-driven defense evangelist at KnowBe4, explains that for nearly as long as Windows has been around, it has automatically hidden the file extension of dozens of commonly used files, such as .exe, .scr, .dll, etc.

"This allows an attacker to create a file — for example, 'carphotos.jpg.exe' — that appears to most Windows users as carphotos.jpg," he explains.

For the real file extension not to be hidden, a user must intentionally disable the "hide file extensions" option in Windows, often having to do so in multiple places.

"Why Microsoft continues to allow hiding file extensions to be the default setting for decades is beyond me, as it is responsible for many tens of millions of exploitations," Grimes says. "It's far past the time for Microsoft to disable this dangerous default."

Microsoft did not immediately respond to a request for comment.

**Fighting Ursa: A Very Active Russian Cyber-Threat Actor**

The hacking group, which most researchers track as APT28, has a long and infamous history as the perpetrators of US election interference in 2016, the NotPetya attacks, the Olympic Destroyer effort, and other high-profile cyber offensives.

More recently, it has targeted Ukrainian government bodies with spear-phishing emails posing as Windows Update guides to trick recipients into executing malicious PowerShell commands.

And in 2022, it disseminated a malicious document exploiting the now-patched CVE-2022-30190 flaw through phishing emails to Ukrainian users. The document, titled “Nuclear Terrorism: A Very Real Threat.rtf,” aimed to exploit concerns about the war in Ukraine escalating into a nuclear disaster.

The threat group has also targeted Ukraine's energy infrastructure, and recently built GooseEgg, a custom tool used to exploit CVE-2022-38028 in attacks directed toward Ukraine, Western Europe, and North America.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware

The runaway success of an upstart ransomware outfit called "Dark Angels" may well influence the cyberattack landscape for years to come.

Source: Jakub Krechowicz via Alamy Stock Photo

A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn't just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.

Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.

But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.

**Meet the Dark Angels**

Dark Angels first appeared in the wild in May 2022. Ever since, its specialty has been defeating fewer but higher-value targets than its ransomware brethren. Past victims have included multiple S&P 500 companies spread across varied industries: healthcare, government, finance, education, manufacturing, telecommunications, and more.

For example, there was its headline-grabbing attack on the megalith Johnson Controls International (JCI) last year. It breached the company's VMware ESXi hypervisors, freezing them with Ragnar Locker and stealing a reported 27 terabytes worth of data. The ransom demand: $51 million. It's unclear how Johnson Controls responded but, considering its $27 million-plus cleanup effort, it's likely that the company did not cave.

$27 million would have been the second-largest ransom payment in recorded history at the time (after the reported CNA payment). But there's evidence to suggest that this wasn't just some outlandish negotiating tactic — that Dark Angels has good reason to think it can pull off that kind of haul.

**Dark Angels Does Ransomware Differently**

Forget everything you know about ransomware, and you'll start to understand Dark Angels.

Against the grain, the group does not operate a ransomware-as-a-service business. Nor does it have its own malware strain — it prefers to borrow encryptors like Ragnar Locker and Babuk.

Its success instead comes down to three primary factors. First: the extra care it can take by attacking fewer, higher-yielding targets.

Second is its ability to exfiltrate gobs of sensitive data. As Brett Stone-Gross, senior director of threat intelligence at Zscaler explains, "If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data."

In that, Dark Angels differs only in degree, not in kind. Where it really separates itself from other groups is in its subtlety. Its leak site isn't flashy. It doesn't make grand pronouncements about its latest victims. Besides the obvious operational security benefits to stealth (it's largely escaped media scrutiny in recent years, despite pulling off major breaches), its aversion to the limelight also helps it earn larger returns on investment.

For example, the group often avoids encrypting victims' data, with the express purpose of allowing them to continue to operate without disruption. This seems to defy common wisdom. Surely the threat of downtime and media scrutiny are effective tools to get victims to pay up?

"You would think that, but the results say otherwise," Stone-Gross suggests.

Dark Angels makes paying one's ransom easy and quiet — an attractive prospect for companies that just want to put their breaches behind them. And avoiding business disruption is mutually beneficial: Without the steep bills associated with downtime, companies have more money to pay Dark Angels.

**Can Dark Angels' Wings Be Clipped?**

In its report, Zscaler predicted "that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics, focusing on high value targets and increasing the significance of data theft to maximize their financial gains."

If that should come to pass, companies will face much steeper, yet more compelling ransom demands. Luckily, Dark Angels' approach has an Achilles' heel.

"If it's a terabyte of data, \[a hacker\] can probably complete that transfer in several days. But when you're talking terabytes — you know, tens of terabytes of data — now you're talking weeks," Stone-Gross notes. So, companies that can catch Dark Angels in the act may be able to stop them before it's too late.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading