Cyberattacks against OT/ICS engineering workstations are widely underestimated, according to researchers who discovered malware designed to shut down Siemens workstation engineering processes.

Source: Constantine Johnny via Alamy Stock Photo

NEWS BRIEF

Operational technology (OT) and Industrial control systems (ICS) are increasingly exposed to compromise through engineering workstations. A new malware developed to kill stations running Siemens systems joins a growing list of botnets and worms working to infiltrate industrial networks through these on-premises, Internet-connected attack vectors.

Forescout researchers reported the discovery of the Siemens malware, which they called "Chaya\_003." But that's hardly an isolated case. The researchers also found two Mitsubishi engineering workstations compromised by the Ramnit worm, they explained in a new report.

"Malware in OT/ICS is more common than you think — and engineering workstations connected to the Internet are targets," the Forescout team warned.

Researchers from SANS said engineering workstation compromise accounts for more than 20% of OT cybersecurity incidents, the report noted. Botnets targeting OT systems, which the report said includes Aisuru, Kaiten, and Gafgyt, rely on Internet-connected devices to infiltrate networks.

Engineering workstations make excellent targets for cyberattack because they are on-premises stations running traditional operating systems as well as specialized software tools provided by vendors such as the Siemens TIA portal or Mitsubishi GX Works, the Forescout team wrote.

To defend against these campaigns, OT/ICS network operators should ensure engineering workstations are protected and that there is adequate network segmentation, and implement an ongoing threat monitoring program.

The report acknowledges malware developed specifically for OT environments is relatively rare compared with efforts put behind enterprise compromises, "but there’s little room to sleep easily if you’re a security operator in OT or manage industrial control system security," the researchers added.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

OT/ICS Engineering Workstations Face Barrage of Fresh Malware

Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.

Source: Konstantin Nechaev via Alamy Stock Photo

NEWS BRIEF

Fortinet has finally patched a critical security vulnerability in its Wireless LAN Manager (FortiWLM) that could allow unauthenticated sensitive information disclosure. And, when chained with another issue, it could lead to remote code execution (RCE), a researcher warned.

The bug (CVE-2023-34990, CVSS 9.6) was first disclosed in March, when it was described as an "unauthenticated limited file read vulnerability" without a CVE.

"This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system," Horizon3.ai security researcher Zach Hanley, who reported the bug to Fortinet, noted in March. He has confirmed to Dark Reading that the bug patched this week is the same issue.

He added, "Luckily for an attacker, the FortiWLM has very verbose logs — and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints."

NIST's National Vulnerability Database (NVD) has noted that the flaw can also be used to "execute unauthorized code or commands via specially crafted Web requests" — thanks to the access it provides to those authenticated endpoints.

The bug affects FortiWLM versions 8.6.0 through 8.6.5 (fixed in 8.6.6 or above) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above).

**Combining Fortinet Vulnerabilities to Achieve RCE**

Hanley back in March flagged a potential exploit chain as well: When CVE-2023-34990 is combined with an authenticated command-injection bug that Fortinet patched last year (CVE-2023-48782, CVSS 8.8), it becomes another recipe for RCE.

This second issue allows an attacker who has used CVE-2023-34990 to gain access to an authenticated endpoint to, from there, inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf\_switches.cgi endpoint that will be executed with root privileges.

"Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root," Hanley explained. "This endpoint is accessible for both low privilege users and admins."

Admins should patch the Fortinet appliances ASAP, given the vendor's status as a most-favored cyberattack target.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Fortinet Addresses Unpatched Critical RCE Vector

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.

Source: ZUMA Press, Inc. via Alamy Stock Photo

A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn't as simple as downloading a patch.

Struts 2 is an open source framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its agedness is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this can require more than just a standard patch. 

"The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline," explains Chris Wysopal, chief security evangelist at Veracode. "As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers may exploit and take advantage of this weakness."

Wysopal assesses, "It is likely that we will see the exploitation of this vulnerability for weeks, as organizations find and fix all instances of Struts 2 usage."

Related:Delinea Joins CVE Numbering Authority Program

**RCE Bug in Apache Struts 2**

This same time last year, nearly to the day, a Struts 2 vulnerability with a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers' ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.

CVE-2024-53677 is CVE-2023-50164 regen. It, too, lies in Struts 2's File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest déjà vu.

He also observed active exploitation attempts from one IP address, which utilized a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading "a one-liner script that is supposed to return 'Apache Struts.' Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository," he wrote.

Related:Does Desktop AI Come With a Side of Risk?

Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn't quite as simple.

Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn't backward compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newfangled Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.

"It's not a simple version bump," warns Saeed Abbasi, manager of vulnerability research at Qualys. "It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plug-in chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing."

**The Potential Scope of Impact for CVE-2024-53677**

The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.

Related:Citizen Development Moves Too Fast for Its Own Good

In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits; even its newsletter had thousands of subscribers. Today, Wysopal says, "It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity."

"Its 'kingdom' is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize," he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.

Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys "observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the challenge."

To his view, "The persistence of Struts 2 in critical systems, long after more secure frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, along with lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

Modern identity verification (IDV) approaches aim to connect digital credentials and real-world identity without sacrificing usability.

Source: Carlos Castilla via Alamy Stock Photo

Just about everyone is familiar with the annoying process of becoming locked out of an account and needing to reset a password. Whether it's forgetting a log-in after months of disuse or being forced to prove your identity to regain access, the experience can be frustrating, time-consuming, and — ironically — less secure than the original authentication process.

"People lose their credentials all the time. Resetting passwords is manual and often less secure than the regular process," says Bruce Schneier, who recently joined the advisory board of Nametag, which focuses on challenges such as artificial intelligence (AI) manipulated documents and remote user verification. The need for robust identity verification (IDV) solutions has become one of the most pressing challenges for organizations today, he says.

One of the biggest security challenges enterprises have to deal with is to reliably verify who someone is, especially in a digital world. Attackers are increasingly exploiting weak identity systems to steal credentials, impersonate users, and gain access to sensitive data. Recent advances in cyber threats, including AI-driven deepfakes and credential theft, have outpaced many legacy verification methods.

"Identification answers, 'Who are you?' Authentication says, 'Prove it,' and authorization tells us, 'What can you do?'" Schneier says, noting that identity verification sits at the intersection of people, technology, and trust.

While authentication systems like two-factor verification can confirm credentials, they often fail to answer the bigger question of identity. For example, traditional systems, such as passwords, scanned documents, or biometric authenticators, can be vulnerable to fraud and tampering. Schneier notes that early fingerprint scanners could be fooled with "gummy finger replicas," and face recognition systems could be tricked with simple photographs. 

These weaknesses underscore the more pervasive challenge of bridging what Schneier calls the "keyboard-to-chair" gap — ensuring that the physical person matches their digital credentials. These days, adversaries are adopting increasingly sophisticated techniques to steal credentials so that their activities look like they are being performed by legitimate users.

Deepfake technology has introduced a new layer of concern, where AI-generated images or videos can mimic biometric data convincingly. The result is a growing risk landscape where IDV failures fuel financial fraud, ransomware attacks, and nation-state cyber-espionage.

Beyond the security risks, weak identity verification comes with significant costs for organizations. Credential loss and resets remain one of the largest IT burdens for businesses, consuming time and resources. Onboarding new users poses similar challenges, especially for enterprises needing to verify employees, customers, or partners at scale. Inefficient IDV systems result in delays, poor user experience, and a reliance on insecure methods, like manually uploading identification documents.

Any solution to identity verification must address these emerging threats head-on, Schneier says.

"This will be an arms race between attackers and defenders," he adds.

**What Makes Modern IDV Different?**

IDV companies like Nametag are focused on balancing robust security, scalability, and usability while keeping pace with the increasingly sophisticated tools used by threat actors, Schneir says. Modern solutions incorporate multiple layers of verification to address emerging threats. For example, Nametag's Deepfake Defense technology detects and blocks AI-generated identity documents and advanced injection attacks — both of which have become critical pain points as deepfakes and synthetic media evolve.

Traditional methods also typically require users to manually upload identification documents, creating friction and vulnerabilities that adversaries can exploit. Requiring users to download additional apps or software to verify their identity is a common deterrent to adoption, Schneier says.

In addition to thwarting sophisticated attacks, modern IDV systems can streamline practical use cases for enterprises, including automating credential recovery processes, onboarding new employees or customers, and verifying users for sensitive transactions or account access.

“This to me solves a corporate pain problem — and that's the cost of regenerating people's credentials when they lose them or onboarding new users," Schneier says. "It's better, faster, and more secure.”

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Bridging the 'Keyboard-to-Chair' Gap With Identity Verification

Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.

Source: Poptika via Shutterstock

When industrial automation giant Schneider Electric revealed last month that ransomware gang Hellcat stole 40GB of sensitive data, the attackers acknowledged using exposed credentials to breach Schneider's Jira server. 

Once inside the company's project management system, attackers used the miniOrange REST API, a widely used authentication plug-in, to exfiltrate 400,000 rows of data, including 75,000 email addresses, employee names, and customer records. 

What this and dozens of other incidents have in common is that the attackers exploited vulnerabilities in non-human identities (NHIs). Unlike human identities used for authentication by individuals via identity and access management (IAM) credentials, NHIs, also known as machine identities or service accounts, are used by applications, services, and Internet of Things (IoT) installations for authenticating machine-to-machine communications. 

Predictably, investors are funding startups with products that govern and mitigate NHI risk, while more established companies are adding such capabilities, either internally or via acquisition. 

Astrix Security, a prominent startup that says it created the term NHI, earlier this month raised $45 million in Series B funding led by Menlo Ventures and artificial intelligence (AI) platform provider Anthropic, bringing its total funding to $85 million since its founding in 2021.

"A year ago, the term NHI did not exist, and now everyone is talking about them," says Astrix co-founder and CEO Alon Jackson.

Astrix describes its platform as a suite of identity security posture management (ISPM) tools, including non-human identity threat detection and response, NHI life cycle management, auto-remediation, and secrets scanning. 

**Where NHIs Are Vulnerable**

Typical NHIs include API keys, bots, OAuth tokens, database credentials, certificates, and secrets. As organizations have accelerated use of cloud-native applications, IoT infrastructure, and, most notably, AI-based automation during the past two years, NHIs have become a more alarming threat.

Unlike IAM and privilege access management (PAM), few organizations centrally manage NHIs, and there's greater likelihood that they have excessive permissions without expiration dates.

"There are numerous issues with NHIs, including unencrypted credentials, having a full inventory of NHI accounts, inactive accounts, and lack of account ownership," explained Omdia senior analyst Don Tait in a November report.  

Many CISOs are just learning the implications of NHIs. A recent Cloud Security Alliance (CSA) survey of over 800 security and IT professionals found that 24% plan to invest in NHI security during the next six months, and 36% will do so within a year.

More than half of those surveyed believe they may have experienced an incident related to NHIs. 

Astrix is not the only company with NHI discovery and remediation tools attracting investors. Among those that raised Series A funding in 2024 include Aembit ($25 million), Entro Security ($18 million), and Oasis Security ($35 million), which recently discovered the MFA bypass flaw Microsoft Azure. 

The most prominent bet on protecting NHIs was placed in May when CyberArk paid $1.54 billion to acquire machine identity management provider Venafi.

"As NHI continues to evolve, so are the notable vendors in this space," says Christopher Steffen, VP of research at Enterprise Management Associates (EMA). 

Meanwhile, AppSec providers are adding NHI protection capabilities to their offerings. GitGuardian, known for detecting and remediating leaked secrets in GitHub and other source code repositories, recently launched GitGuardian NHI Governance. GitGuardian officials describe it as an addition to its existing platform that will provide visibility and control of NHI life cycles and their associated secrets. 

GitGuardian's initial release will integrate with five key secrets management platforms: HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, Google Cloud Secrets Manager, and Azure Key Vault.

**Role of NHI Security **

Failure to adequately rotate credentials, overprivileged accounts or identities, and insufficient monitoring and logging are among the common causes of incidents involving compromised NHIs, the CSA report indicates.

"To claim their identity, machines authenticate via secrets like API keys, OAuth tokens, database credentials, usernames and passwords, and certificates," noted GitGuardian product manager Soudanya Ain in a blog post. "They've become the number one vector for a successful attack, frequently overlooked."

Besides the Schneider incident, the NHI Management Group counts over 40 breaches tied to compromised non-human identity credentials during the past two years, including:

*   Microsoft's Midnight Blizzard, which enabled the attackers to access and breach a legacy test OAuth application with elevated privileges.
    
*   The Snowflake breach, which compromised its various customers, including Santander Bank and Ticketmaster.
    
*   Last summer's GitHub extortion attacks by threat actors who used malicious OAuth apps to breach trusted third-party integrations.
    
*   A breach by an attacker who stole secrets, including authentication tokens from the popular Hugging Face open source repository of APIs and other resources for developers who build AI models. 
    

Next year, the risk from compromised NHIs is expected to grow, as is their proportion to human identities, as AI automates more business processes. Omdia's Tait noted industry estimates of the current ratio of NHIs to human identities is 50:1.

"That figure is only likely to increase going forward," he wrote. 

"We do expect NHI growth is going to accelerate further," added Maxine Holt, senior director of Omdia's cybersecurity practice, speaking during a December webinar presented by Dark Reading.

Holt warned that ungoverned NHIs will further raise the threat landscape.

"These identities do require management to ensure secure communication between different services and to prevent unauthorized access and facilitate accountability," she said. "Of course, we need the audit trail there as well. We believe that it's really important to recognize non-human identities as a vital link in the cyber threat chain."

According to the CSA survey, 69% said they are concerned about NHIs as a threat vector, while 38% reported that their organizations have low or no visibility to third parties connected by OAuth apps. Only 20% have a formal process for revoking API keys, and even fewer have procedures for rotating them. 

"There's definitely that trend toward understanding NHI security better and addressing them," said John Yeoh, CSA's global VP of research, at a public meeting in September. "We only expect the NHI field to explode and get out further."

**Blending NHIs and Human Identities **

The current crop of NHI platforms is designed for machine identities, not human credentials, managed by IAM and PAM systems from Microsoft, Okta, Ping Identity, JumpCloud, CyberArk, BeyondTrust, and OneLogin.

Astrix's Jackson says its new round of funding will, in part, go toward expanding integration with human identities.

"Our customers are asking for a 360-degree view of the human and the non-human identities," Jackson says. "But we will be keeping our edge on the NHI space. This is not just posture management and not just anomaly detection, but it's creating the connections in a secure manner."

GitGuardian, which deals with application security and platform engineering teams, has a similar ambition of providing links from its secrets vaults to IAM platforms.

"That's the plan," says Pierre Le Clézio, the company's lead product manager. "But not yet. We are starting with the secret managers and that ecosystem, and then we will have the IAM systems."

**Anticipate M&A Activity **

As NHI security continues to evolve, so will the notable providers, EMA's Steffen says.

"It seems very likely that larger technology players are going to jump into this space," he says. "Many already have complementary offerings, like Wiz and Palo Alto Networks, and are jumping into NHI — either through acquisition or developing their own solution."

Steffen also anticipates that identity providers like Ping and Okta will delve into NHI.

"They already have the infrastructure and the means to enhance NHI for most enterprises, as well as they already lead the market in identity solutions."

Omdia's Holt also anticipates M&A activity.

"The evolving threat landscape really does necessitate a shift toward comprehensive products and solutions that take on both human and non-human identities," she said. "But the market is still developing. A lot of the players are startups. We expect to see more of a move towards platform support and more acquisitions during 2025 for managing non-human identities."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Vendors Chase Potential of Non-Human Identity Management

Seemingly innocent "white pages," including an elaborate Star Wars-themed site, are bypassing Google's malvertising filters, showing up high in search results to lure users to second-stage phishing sites.

Source: Bits And Splits via Shtterstock

Threat actors appear to have found yet another innovative use case for artificial intelligence in malicious campaigns: to create decoy ads for fooling malvertising-detection engines on the Google Ads platform.

The scam involves attackers buying Google Search ads and using AI to create ad pages with unique content and absolutely nothing malicious about them. The goal is to use these decoy ads to then lure visitors to phishing sites for stealing credentials and other sensitive data.

With malvertising, threat actors create malicious ads that are rigged to surface high up in search engine results when people search for a particular product or service. The ads often spoof popular and trusted brands and involve webpages and content that are replicas of the originals but serve instead to redirect users to phishing pages or download an attacker's malware of choice on systems of users who interact with the malicious ads.

While many malvertisement campaigns are targeted at consumers, there have been several recently focused on corporate users as well. One example is a campaign that sought to distribute the Lobshot backdoor on corporate systems, and another that phished employees at Lowe's.

**A Steady, Post-Macro Increase in Malvertising**

"We are seeing more and more cases of fake content produced for deception purposes," researchers at Malwarebytes said in a report on the campaign this week. These so called "white pages," as they are being referred to in the criminal underground, serve as legitimate-looking decoys, or front-end webpages that hide malicious content and activities behind them, according to Malwarebytes.

Related:Manufacturers Lose Azure Creds to HubSpot Phishing Attack

"The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check," Malwarebytes security researcher Jerome Segura wrote. White pages, incidentally, are in contrast to "black pages," which are the actual malicious landing pages containing harmful content or malware.

The use of AI to plant decoy content on Google Ads adds a new wrinkle to malvertising scams, which have seen a remarkable surge in volume recently. Malwarebytes has pinned the increase to Microsoft's decision in 2022 to block macros in Word, Excel, and PowerPoint files downloaded from the Internet — a top malware vector for threat actors. That decision forced attackers to look for other malware distribution vectors, one of which happens to be malvertising, according to Malwarebytes.

Though Google and operators of other major online ad distribution networks have been battling against the scourge — and have gotten better at quickly identifying and removing malvertising content — bad actors have consistently managed to remain a step ahead. A Malwarebytes study found Amazon to be the most spoofed brand in malvertising campaigns, followed by Rufus, Weebly, NotePad++, and TradingView.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

**Spoofing Brands With AI-Generated Content**

In its report, Malwarebytes provided two examples of AI-generated decoy ads it spotted recently on Google Ads. One of the decoy ads targeted users searching the Internet for the Securitas OneID mobile app, and the other targeted users of the Parsec remote desktop app, which is popular among gamers.

The Securitas OneID scam involved an entirely AI-generated website, complete with AI-generated images of supposed executives of the company.

"When Google tries to validate the ad, they will see this cloaked page with pretty unique content and there is absolutely nothing malicious within it," Segura wrote.

With the Parsec ad, the threat actors used some creative license of their own to generate a heavily Star Wars\-influenced website, replete with references to the parsec astronomical measurement unit. The artwork for the website even included several AI-generated Star Wars-themed posters, which while impressive, would likely have suggested to users that the site had nothing to do with the legitimate Parsec app.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

"Ironically, it is quite straightforward for a real human to identify much of the cloaked content as just fake fluff. Sometimes, things just don’t add up and are simply comical," Segura wrote. Even so, as a cloaking mechanism for a malvertising campaign," he added, "the website would have passed Google's validation checks.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malvertisers Fool Google With AI-Generated Decoy Content

The draft of the long-awaited update to the NCIRP outlines the efforts, mechanisms, involved parties, and decisions the US government will use in response to a large-scale cyber incident.

Source: Andrii Yalansky via Alamy Stock Photo

NEWS BRIEF

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a draft version of the National Cyber Incident Response Plan (NCIRP), outlining how public- and private-sector organizations should handle significant cyber incidents. The public comment period ends Jan. 15, 2025.

The plan outlines the roles that private, state, local, and tribal governments and federal agencies should play in responding to incidents. It also describes how they should work together on integrated responses. The guidance was formulated after an analysis of real-world incidents, training exercises, and updates to statute and policy, CISA said. 

NCIRP defines cyber incidents as events over a network that involve exploitable vulnerabilities, security procedures, internal controls, or implementations that impact computers, communication systems or networks, physical infrastructure, or information. Significant cyber incidents refer to events that result in "demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people."

The draft updates the original version published in 2016. The White House's 2023 National Cybersecurity Strategy pushed to update the plan since the cybersecurity landscape and national response ecosystem have "changed dramatically."

The NCIRP is not intended to be a step-by-step instruction manual for incident response but rather a structure that "responders can use to shape their efforts and maximize both efficiency and coordination," CISA said.

The four lines of effort outlined in the NCIRP are asset response, threat response, intelligence support, and affected entity response. It also incorporates coordination mechanisms and key decision point, and offers guidance on prioritization. It outlines both a "detection" phase of an incident, which encompasses monitoring, analysis and detection, and a "response" phase on how to contain, eradicate, and recover from incidents. 

"While voluntary for all stakeholders outside the federal government, CISA encourages private sector, SLTT government, and all other non-federal stakeholders to review the NCIRP to understand how the U.S. government will partner with them in cyber incident response," CISA said.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

CISA Releases Draft of National Cyber Incident Response Plan

A balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation is key to managing and mitigating risk.

Rob T. Lee, Chief of Research & Head of Faculty, SANS Institute

December 19, 2024

5 Min Read

Source: Michael Burrell via Alamy Stock Photo

COMMENTARY

Israel's electronic pager attacks targeting Hezbollah in September highlighted the dangerous ramifications of a weaponized supply chain. The attacks, which leveraged remotely detonated explosives hidden inside pager batteries, injured nearly 3,000 people across Lebanon, as a worst-case reminder of the inherent risk that lies within global supply networks.

The situation wasn't just another doomsday scenario crafted by financially motivated vendors hoping to sell security products. It was a legitimate, real-world byproduct of our current reality amid the escalating proliferation of adversarial cybercrime. It also underscored the dangers of relying on third-party hardware and software, with roots back to foreign countries of concern — something that happens more often than one might expect. For example, on Sept. 12, a US House Select Committee Investigation revealed that 80% of the ship-to-shore cranes at American ports are manufactured by a single Chinese government-owned company. While the committee did not find evidence that the company used its access maliciously, the vulnerability could have enabled China to manipulate US maritime equipment and technology in the wake of geopolitical conflict. 

As nation-state actors explore new avenues for gaining geopolitical advantage, securing supply chains must be a shared priority amongst the cybersecurity community in 2025. Verizon's "2024 Data Breach Investigations Report" found that the use of zero-day exploits to initiate breaches surged by 180% year-over-year — and among them, 15% involved a third-party supplier. The right vulnerability at the wrong time can put critical infrastructure in the crosshairs of a consequential event.

Implementing impactful supply chain protections is far easier said than accomplished, due to the complexity, scale, and integration of modern supply chain ecosystems. While there isn't a silver bullet for eradicating threats entirely, prioritizing a targeted focus on effective supply chain risk management principles in 2025 is a critical place to start. It will require an optimal balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation.

**Rigorous Supplier Validation: Moving Beyond the Checkboxes**

Whether it's cyber warfare or ransomware, modern supply chain attacks are too sophisticated for organizations to fall short on supplier validation. Now is a vital time to move beyond self-reported security assessments and vendor questionnaires and migrate toward more comprehensive validation processes that prioritize regulatory compliance, response readiness, and secure-by-design.

Ensuring adherence to evolving industry standards must be a foundational driver of any supplier validation strategy. Is your supplier positioned to meet the European Union's Digital Operational Resilience Act (DORA) and Cyber Resilience Act (CRA) regulations? Are they aligned with the National Security Agency's CNSA 2.0 timelines to defend against quantum-based attacks? Do their products possess the cryptographic agility to integrate the National Institute of Standards and Technology's (NIST's) new Post-Quantum Cryptography (PQC) algorithms by 2025? These examples are all important value drivers to consider when selecting a new partner.

Chief information security officers (CISOs) should still push further by mandating actual evidence of cyber resilience. Conduct annual on-site security audits for suppliers that assess everything from physical security measures and solution stacks to IT workflows and employee training programs. In addition, require your suppliers to provide quarterly penetration testing reports and vulnerability assessments, then thoroughly review the documents and track remediation efforts.

Equally crucial to rigorous validation is gauging a supplier's incident response readiness via notification procedures, communication protocols, practitioner expertise, and cross-functional collaboration. Any joint cyber-defense strategy should also be underpinned by a shared commitment to secure-by-design principles and robust product security testing protocols that are integrated into supply chain risk assessments. Implemented during the early stages of product development, secure-by-design helps reduce an application's exploit surface before it is made available for broad use. Product security testing provides a comprehensive understanding of how utilizing a particular product will impact your threat model and risk posture.

**Purposeful Data Exposure: Less Is Always More**

Less (access) is more when it comes to protecting data in supply chain environments. Organizations should be focused on adopting purposeful approaches to data sharing, carefully considering what information is truly necessary for a third-party partnership to succeed. Limiting the exposure of sensitive information to external suppliers via scaled zero-trust concepts will help reduce your supply chain attack surface exponentially, which in turn simplifies the management of third-party risk. 

An important step in this process involves implementing stringent access controls that restrict credentials to only essential data and systems. Data aging and retention policies also play a crucial role here. Automating processes to phase out legacy or unnecessary data helps ensure that even if a breach occurs, the damage is contained and privacy is maintained. Leveraging encryptions aggressively across all data touchpoints accessible to third parties will also add an extra layer of protection for undetected breaches that occur throughout the wider supply chain ecosystem.

**Meticulous Preparation: Assumption of Breach Mindset**

As supply chain attacks accelerate, organizations must operate under the assumption that a breach isn't just possible — it's probable. An "assumption of breach" mindset shift will help drive more meticulous approaches to preparation via comprehensive supply chain incident response and risk mitigation.

Preparation measures should begin with developing and regularly updating agile incident response processes that specifically cater to third-party and supply chain risks. For effectiveness, these processes will need to be well-documented and frequently practiced through realistic simulations and tabletop exercises. Such drills help identify potential gaps in the response strategy and ensure that all team members understand their roles and responsibilities during a crisis. 

Maintaining an up-to-date contact list for all key vendors and partners is another crucial component to preparation. In the heat of an incident, knowing exactly who to call at Vendor X, Y, or Z can save precious time and potentially limit the scope of a breach. This list should be regularly audited and updated to account for personnel changes or shifts in vendor relationships.

Organizations should also have a clear understanding of the shutdown and containment procedures for each critical application or system within their supply chain. While it's impossible to predict every potential scenario, a well-positioned team armed with comprehensive response plans and intimate knowledge of their supply chain environment is far better equipped to combat adversarial threat actors.

**About the Author**

Chief of Research & Head of Faculty, SANS Institute

Known as the “Godfather of Digital Forensics and Incident Response (DFIR),” Rob T. Lee is one of the most renowned cybersecurity experts and thought leaders working today, with over 20 years of experience in computer forensics, incident response, threat hunting, vulnerability and exploit discovery, and intrusion detection/prevention. Rob has mentored many of the cybersecurity experts working today.

Rob currently serves as chief of research and head of faculty at SANS Institute, the world’s leading cybersecurity and digital forensics training company. He is also regularly hired as a consultant and technical adviser by US Congress, federal agencies, and the US military to investigate and review data security breaches. Within the private sector, Rob helps corporations as a hands-on cybersecurity practitioner to look into security breaches, trade secret thefts, and other cybersecurity issues.

Supply Chain Risk Mitigation Must Be a Priority in 2025

The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

Source: Ketut Agus Suardika via Shutterstock

Cyberattacks targeting India-based organizations continue to double year-over-year, a rate far higher than the global average, highlighting the rapidly rising risk facing companies and government agencies in South Asia.

Overall, organizations in India encountered nearly 1.2 billion attacks in the third quarter of 2024, up from about 600 million in the same quarter in 2023, according to a quarterly report published by Indusface, a managed application security provider. Some 377 million denial-of-service (DoS) events and 215 million bot-based requests targeted API services and Web servers utilizing the firm's Web application and API protection (WAAP) service.

While attackers typically have used denial-of-service (DoS) attacks powered by bots against businesses, they are evolving, Ashish Tandon, founder and CEO of Indusface, said in a statement to Dark Reading.

Attackers are now focusing "on exploiting websites and APIs using diverse attack vectors," he said. "The rise of large language models (LLMs) has significantly lowered the barrier for executing vulnerability attacks, as reflected in our data, which shows triple-digit growth in such incidents."

The third-largest economy in Asia, India saw 5.4% growth overall in the third quarter, which is driving attackers to more often target Indian organizations — 44% of businesses have suffered a data breach costing at least $500,000 in the past three years, PricewaterhouseCoopers (PwC) stated in its "2025 Global Digital Trust Insights" (India edition). The attacks have resulted in Indian executives prioritizing cybersecurity over other risks, with 61% designating it one of their top three priorities.

Related:African Reliance on Foreign Suppliers Boosts Insecurity Concerns

"Top cyber-risks, including cloud-related threats, attacks on connected products, social engineering and software supply chain compromises, are areas where security executives feel particularly underprepared," PwC India stated in the report.

**Cyberattacks in India Accelerating**

In the second quarter of 2024, cyberattacks doubled both globally and against India-based organizations, rising 105% and 115%, respectively, Indusface stated. While the number of cyberattacks continued to balloon in the third quarter, the expansion decelerated globally, growing only 26% in the third quarter of 2024, compared with a year earlier.

In India, however, attacks continued to skyrocket, jumping 92% compared to the same quarter the previous year, the company stated in its "State of Application Security" report for Q3 2024. In August, the Reserve Bank of India (RBI) issued a warning to companies that their increasing use of digitization comes with increased risks.

Related:Middle East Cybersecurity Efforts Catch Up After Late Start

"While the DDoS attacks in India \[were\] similar to the last year, there was a huge growth in the bot and vulnerability attacks in India," the company stated, adding that attacks in general were on the rise because of attackers' use of AI tools.

"A big part of \[the increase\] could be because of the widespread use of LLM tools such as ChatGPT, which enable novice hackers to easily find and deploy scripts that could exploit open vulnerabilities," the company said. "This accessibility has lowered the barrier to entry for cybercriminals, resulting in an unprecedented rise in vulnerability exploitation."

**Cyber-Risks Heightened for Banks, Utilities**

Cyberattackers have tended to target specific industries in India, with the banking, financial services, and insurance industries collectively seeing twice as many attacks compared with the global average, while power and energy saw four times as many attacks per website, Indusface stated in its report.

"We believe that these industries are targeted for geopolitical reasons, as this will lead to disruption in all essential services," says Phani Deepak Akella, vice president of marketing for Indusface. He adds, "Last year, we saw more DDoS attacks, but this year we are seeing more growth in attacks targeting vulnerabilities. This could be because of LLM adoption, where hackers can get ready made scripts to exploit vulnerabilities such as SQL injection, for example."

Related:Southeast Asian Cybercrime Profits Fuel Shadow Economy

Companies in India suffer from many of the same issues as businesses worldwide, especially around managing vulnerabilities in their attack surface area. Only 19% of companies use an automated scanner to manage their API security, with 45% using manual penetration testing and more than a third (36%) not testing their APIs, according to Indusface.

In addition, companies are slow to patch vulnerabilities in the software used to serve APIs, with more than 30% of critical and high-severity CVSS vulnerabilities remaining unpatched more than six months after discovery. Some 5 million attacks targeted the vulnerable API services, the firm noted.

Security misconfiguration and identification and authentication failures were the top classes of vulnerabilities discovered in production API servers, according to the firm's report. Web applications typically had blind SQL injection, server-side request forgery, and HTML injection issues.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India Sees Surge in API Attacks, Especially in Banking, Utilities

The agency asks the cybersecurity community to adopt "romance baiting" in place of dehumanizing language.

Source: Olga Yastremska via Alamy Stock Photo

NEWS BRIEF

Victims of online scams are being deterred from coming forward for fear of being associated with language like "pig butchering," a phrase used to describe long-con romance fraud schemes, according to Interpol, which has released an awareness campaign advocating for the use of "romance baiting" in its place.

Romance-baiting cybercrimes start with a fake relationship, in which the target "pig" is "fattened up" before they are scammed into sending money, then "butchered" and subsequently ghosted once they've handed over the "whole hog" of their assets. Once victims realize they've been manipulated and scammed, they're left heartbroken and embarrassed, and further labeling them as a pig isn't helpful, Interpol argues as part of its wider "Think Twice" campaign.

Run by sprawling international cybercrime operations, pig butchering scams cost victims billions every year. One large pig butchering operation was discovered to be running full-fledged call centers staffed by forced labor in Cambodia, Laos, and Myanmar, raking in more than $60 billion over the past three years. The pig butchering tactic has likewise been used in the war between Russia and Ukraine.

"Academic research clearly shows the links between the tactics of fraudsters and of perpetrators of domestic abuse and coercive control," Dr. Elisabeth Carter, associate professor of criminology and forensic linguist at Kingston University London, said in a statement from Interpol. "It is imperative that we do not adopt the terminology of these criminals but instead use terms that assist public protection and support victim reporting."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Source

DARKReading