The largest publicly traded water utility in the US was forced to disconnect some of its online systems, and its website and telecommunications system remained unavailable as of Tuesday morning, Oct. 8.

Source: Juri Samsonov via Alamy Stock Photo

The website of the largest publicly traded water utility in the US remained offline this morning after a cyberattack Oct. 3 forced the company to shut down some of its connected systems and services.

American Water is a significant supplier of water in the US, serving more than 14 million customers across 14 states and 18 military installations. The company employees about 6,500 people across its facilities. It discovered "unauthorized activity within its computer networks and systems" on Oct. 3 that turned out to be the result of a cybersecurity incident, the company reported in a Form 8-K filing with the US Securities and Exchange Commission.

The company activated incident-response protocols and enlisted third-party cybersecurity experts to help it contain and mitigate the attack, which included disconnecting and deactivating "certain" systems to "protect" systems and data, it reported.

**Online, Telecom Systems Affected**

The outages appear to have included the company's online customer-facing sites, as the American Water website as well as its "MyWater" customer portal served up white pages with "Forbidden 403" text today.

An attendant who answered a Dark Reading phone call to American Water's headquarters in Camden, N.J., early on Oct. 8 said she was unable to connect to a member of the media relations team, nor leave a message for anyone because the telecommunications system also "is down."

At this time, it seems that none of the company's water or wastewater facilities or operations have been negatively affected by the incident, although it's too soon to predict the full impact and material effect it will have on the company, according to the filing. An investigation alongside law enforcement officials remains ongoing as to the exact cause and extent of the damage.

**Utilities Under Attack**

Critical infrastructure such as the public water supply and electricity grid both in the US and overseas face increasing risk of attack from threat actors, incidents that have the potential to not only affect network infrastructure or financial coffers, but also cause supply shortages or even physical harm.

The now-infamous May 2021 ransomware attack on Colonial Pipeline is a prime example of the former, while a February 2021 attack on a Florida water-treatment facility, which potentially could have poisoned the water supply if an employee hadn't acted quickly, demonstrates the latter.

“We often overlook how vulnerable our everyday essentials are to digital threats," observes Akhil Mittal, senior manager of cybersecurity strategy and solutions at Black Duck (formerly known as Synopsys Software Integrity Group). "We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day. A cyber incident like this could disrupt water services, delay safety checks, and potentially risk public health."

**Regulatory Effort Stalled**

Unsurprisingly concerned, US federal authorities have put a concerted effort into to doing more to ensure cybersecurity measures at water utilities are a mandatory effort, as nearly 70% of the United States' community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA).

In fact, the EPA planned to ramp up efforts to enforce the act and other regulatory efforts to ensure better cybersecurity safety across water utilities in May. However, the agency had to roll back these actions last year after it faced litigation from Republican lawmakers and industry groups. Other agencies like CISA have advanced cybersecurity guides for the water sector in the wake of that failed effort.

Prevention of cybersecurity attacks through infrastructure security is indeed the key to ensuring critical services such as the ones utilities offer remain safe, as "protecting these systems is no longer optional now," but "critical to keep things running smoothly and safely," Mittal says.

As this is too late in the case of American Water, he adds, the key to recovering quickly from the incident now will be in taking quick actions to contain the attack, getting all systems back online in a reasonable time frame, and being transparent with the public about what happened.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

American Water Suffers Network Disruptions After Cyberattack

The vast majority of organizations in the region saw more attacks in the past year, but most don't feel prepared for future incidents.

Source: Viacheslav Lopatin via Shutterstock

Organizations in Saudi Arabia, the United Arab Emirates, and Turkey suffered more than 10 attacks in the past year on average — and the vast majority of business and IT professionals expect the coming year to be worse — driving efforts by cybersecurity experts in those countries to simplify and modernize their cyber defenses and IT infrastructure.

Overall, less than half of organizations (46%) feel well-prepared to defend against future cyberattacks, according to a survey of nearly 1,000 security professionals in those three regions published by Internet-services provider Cloudflare. With geopolitical conflict on the rise and cybercriminals increasingly focused on the Middle East region and Turkey, Bashar Bashaireh, regional vice president at Cloudflare, said in a statement.

"Organizations across the Middle East and Türkiye are managing an increasingly complex cybersecurity landscape," he said. "With incidents on the rise in both volume and frequency, this balancing act becomes even more challenging, leaving leaders with a sense of diminishing control over their organizations’ technological and security frameworks."

Cyberattacks have become commonplace in the region, but each nation's threat profile is slightly different. While the vast majority of companies in the UAE, for example, have suffered cyberattacks in the past two years, approximately a quarter of those incidents were caused by insiders. Both Saudi Arabia and the UAE have seen an increase in attacks over the past year, with DDoS attacks alone leveled by hacktivists jumping 70%. And in another wrinkle, a group of cybercriminals recently targeted Turkish users with Android malware aimed at stealing accounts.

The three countries have all embarked on major investments in modernization, pursuing major initiatives such as Abu Dhabi's Economic Vision 2030 and Saudi Arabia's Vision 2030, but the countries also need to strengthen their cybersecurity efforts to protect their investments, Chris Murphy, managing director at FTI Consulting, said in a November 2023 analysis of Middle East firms' cyber-readiness.

"Threat actors will not pause their activities while these strategic plans unfold, and without the necessary security and preparedness measures in place, cyber risks will threaten the vitality of key sectors and the overall economic growth of the region," he said.

**Simplifying & Modernizing Cyber Defense**

The majority of organizations in the Middle East and Turkey plan to increase cybersecurity's share of their IT budgets. The top priority for businesses across the region is to consolidate and simplify their cybersecurity infrastructure, with half of all organizations ranking the effort as a Top 3 initiative, followed by almost half (47%) prioritizing the modernization of their applications, according to Cloudflare's report.

"Despite their plans, many feel they are still not ready for what lies ahead, and there is a 'confidence gap' in key areas for a large number of respondents," Cloudflare stated.

Those include the security of applications and data in the public cloud, a lack of oversight into their supply chain, and a lack of visibility and control over the devices that access their networks, Cloudflare stated in its report.

The good news is that some nations have made strong progress in securing their systems, to the point that the Kingdom of Saudi Arabia is ranked second, after the United States, in the International Telecommunication Union's Global Cybersecurity Index.

**Most Pessimistic Industries: Media, Telecom & Gaming**

According to Cloudflare, cyberattackers in the past year targeted financial services, IT firms, and companies providing business and professional services most often, and were more likely to target larger organizations. Yet, the sectors most worried about future cyberattacks are the media and telecom sector, and the gaming sector, with 97% and 92% of respondents, respectively, predicting a cybersecurity incident in the next 12 months.

Perhaps unsurprisingly, the telecom and media sectors are among the least staffed as well, with 39% of information-security roles remaining unfilled, according to a recent report by cybersecurity firm Kaspersky.

"The growth rate of the domestic IT market in some developing regions is changing so rapidly, the labor market cannot manage to educate and train the appropriate specialists with the necessary skills and expertise in such tight deadlines," Vladimir Dashchenko, a security evangelist with Kaspersky's ICS CERT, said in a statement.

Companies in each region have struggled to meet government-backed cybersecurity frameworks, with 62% of companies in Turkey meeting the requirements of the EU cybersecurity framework, 69% of Saudi firms meeting the Saudi Arabian Monetary Authority (SAMA) framework, and many UAE organizations falling short in complying with the National Electronic Security Authority (NESA) framework.

Yet, despite that, executives' commitment to cybersecurity remains lukewarm, Cloudflare stated in the report

"Interestingly, despite the increasing volume of attacks, many cite a lack of buy-in from leadership as a key challenge," the firm stated. "Perhaps this is a case of cybersecurity fatigue, but whatever the cause, senior leaders cannot afford to ignore the challenges facing their organizations."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Among those affected by all this monkeying around with DDoS in September were some 4,000 organizations in the US.

Source: Moviestore Collection Ltd via Alamy Stock Photo

Distributed denial-of-service (DDoS) attacks involving a new Mirai variant called GorillaBot surged sharply last month, launching 300,000 attacks, affecting some 20,000 organizations worldwide — including nearly 4,000 in the US alone.

In 41% of the attacks, the threat actor attempted to overwhelm the target network with a flood of User Datagram Protocol (UDP) packets, which are basically lightweight, connection-less units of data often associated with gaming, video streaming, and other apps. Nearly a quarter of the GorillaBot attacks were TCP ACK Bypass flood attacks, where the adversary's goal was to flood the target — often just one port — with a large number of spoofed TCP Acknowledgement (ACK) packets.

**GorillaBot, the Latest Mirai Variant**

"This Trojan is modified from the Mirai family, supporting architectures like ARM, MIPS, x86\_64, and x86," researchers at NSFocus said in report last week, after observing the threat actor behind GorillaBot launch its massive wave of attacks, between Sept. 4 and Sept. 27. "The online package and command parsing module reuse Mirai source code, but leave a signature message stating, 'gorilla botnet is on the device ur not a cat go away \[sic\],' hence we named this family GorillaBot."

NSFocus said it observed the botnet controller leverage five built-in command-and-control servers (C2s) in GorillaBot to issue a steady cadence of attack commands throughout each day. At its peak, the attack commands hit 20,000 in a single day. In all, the attacks targeted organizations in 113 countries with China being the hardest hit, followed by the US, Canada, and Germany, in that order.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

Though GorillaBot is based on Mirai code, it packs considerably more DDoS attack methods — 19 in all. The available attack methods in GorillaBot include DDoS floods via UDP packets and TCP Syn and ACK packets. Such multivector attacks can be challenging for target organizations to address, because each vector often requires a different mitigation approach.

For example, mitigating volumetric attacks such as UDP floods often involve rate limiting or restricting the number of UDP packets from a single source, blocking UDP traffic to unused ports, and distributing attack traffic across multiple servers to blunt the impact. SynAck flood mitigation on the other hand is about using stateful firewalls, SYN cookies, and intrusion-detection systems to track TCP connections and ensure that only valid ACK packets are processed.

**Bad Bots Rising**

Traffic related to so-called bad bots like GorillaBot has been steadily increasing over the past few years, and currently represents a significant proportion of all traffic on the Internet. Researchers at Imperva recently analyzed some 6 trillion blocked bad bot requests from its global network in 2023, and concluded that traffic from such bots currently accounts for 32% of all online traffic — a nearly 2% increase from the prior year. In 2013, when Imperva did a similar analysis, the vendor estimated bad bot traffic at 23.6% and human traffic as accounting for 57% of all traffic.

Related:Criminals Are Testing Their Ransomware Campaigns in Africa

Imperva's 2024 "Bad Bot Report" is focused entirely on the use of bad bots at the application layer and not specifically on volumetric DDoS attack on low-level network protocols. But 12.4% of the bad bot attacks that the company helped customers mitigate in 2023 were DDoS attacks. The security vendor found that DoS attacks in general were the biggest — or among the biggest — use cases for bad bots in some industries, such as gaming, and the telecom and ISP sector in healthcare and retail. Imperva found that threat actors often tend to use bad bots for DDoS attacks where any kind of system downtime or disruption can have significant impact on an organization's operations.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GorillaBot Goes Ape With 300K Cyberattacks Worldwide

The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations.

Source: Miro Novak via Alamy Stock Photo

The Chinese state-sponsored advanced persistent threat (APT) known as Salt Typhoon appears to have accessed major US broadband provider networks by hacking into the systems that law-enforcement agencies use for court-authorized wiretapping.

According to unnamed sources speaking to the Wall Street Journal, the affected providers include major national players like AT&T and Verizon Communications, along with enterprise-specific service providers like Lumen Technologies.

In addition to the wiretapping connections, the sources said Salt Typhoon also had access to more general Internet traffic flowing through the provider networks, and that the cyberattackers went after a handful of targets outside the US as well. The APT could have had access for months, they added.

"The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon," sources told the WSJ. "It appeared to be geared toward intelligence collection."

Neither AT&T, Lumen, or Verizon immediately responded to a request for comment from Dark Reading.

**Lawful Intercept Connections in China's Hacking Sights**

The news comes about a week after Salt Typhoon was outed as hacking into major telecom networks for cyber-espionage purposes, and possibly to position itself to disrupt communications in the event of a kinetic conflict between China and the US. But the subversion of the connections that law enforcement entities have to service provider networks (which they can use to intercept communications of private individuals or organizations during criminal investigations or for purposes of national security) is a new wrinkle.

No information is available on how the attackers might have gotten access to the lawful intercept infrastructure, but Ram Elboim, CEO of Sygnia, which tracks the APT as "GhostEmperor," notes that clearly Salt Typhoon performed extensive reconnaissance.

"Reaching and compromising these sensitive assets requires not only familiarity with the network structure, but also advanced capabilities to be able to move laterally across separated sub-networks," he tells Dark Reading. "One assumes that these assets are far separated from the ISP corporate and operational network, and also connected to law enforcements’ networks in order for authorities to be able to operate and stream the gathered data in a very secure method."

This breach demonstrates the need for critical infrastructure organizations to not only design their network structure securely with strict segregation strategies, but to "continuously update and test the resilience of their operational networks and sensitive assets as part of a robust incident response playbook," he adds.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

CISOs' cash compensation tops $400,000 now, but with the high pay comes struggles, rapidly changing responsibilities, and tight budgets.

Source: Natee Jindakum via Shutterstock

Cybersecurity professionals serving as chief information security officers (CISOs) continue to see respectable increases in pay, but not at the same rate as two years ago, and not in a way the keeps up with the changes to their responsibilities.

The average CISO now earns $403,000 in annual compensation — including salary, bonuses for reaching specific goals, and equity, such as stock options — representing a 6.4% increase over the past 12 months, according to IANS Research's "2024 CISO Compensation Report" published on Oct. 2. However, changes to the threat landscape frequently put business operations under attack, the responsibility for which falls on the shoulders of the CISO, especially following rules issued by the Securities and Exchange Commission (SEC) that requires CISOs to determine whether a breach is material within four days of discovery.

CISOs often do not have enough resources at heir disposal to do so, putting them in legal jeopardy, or, conversely, are successfully mitigating threats only to endure budget pressures because of that success, says Fred Kwong, vice president and CISO at DeVry University.

"There's this dichotomy between, Hey, Fred's doing a good job, keeping on top of the threats, mitigating the issues, \[yet\] at the same time \[he's\] asking for more resources, more money, even when they're seeing that the threat is not actualized," he explains. "We're kind of getting questioned, 'Well, do we really need another person? Do we need really need another technology or control, because it seems like you have these things handled.'"

Kwong manages a team of five other cybersecurity professionals, but continues to fight to hire a sixth — even though the organization is unlikely to approve another full-time employee.

Source: 2024 CISO Compensation Report, IANS and Artico

In 2021 and 2022, following increased remote work due to the pandemic, companies found themselves needing to secure their operations infrastructure, driving demand for CISOs — especially as cybercriminals started compromising firms and infecting their systems with ransomware. While CISOs made significant gains in compensation during the tail end of the pandemic — 44% either switched jobs or took a retention bonus in 2022 — the demand now shows signs of settling down, with only 11% doing the same in 2024, says Nick Kakolowski, senior research director at IANS Research.

"We are seeing generally a lack of movement, mostly because of macroeconomic conditions — businesses are just being conservative about hiring more," he says. "Businesses are kind of saying, We'll get by with what we have for a while. We'll hold off on hiring. We'll keep on our current path, and more CISOs are staying put, rather than taking the risk of taking on something new right now."

**CISO Mindsets: A State of Stress**

CISOs that move jobs — or are paid an incentive to stay in their current position — see the biggest increases in compensation, and CISOs for state governments are among the most likely to move. Nearly half of states hired a new CISOs in the past year, leading the average tenure of a CISO to drop from 30 months in 2022 to 23 months this year, according to the biennial Deloitte-NASCIO Cybersecurity Study.

Stress will only continue to build for CISOs in state government positions: Finding and retaining cybersecurity-skilled professionals is difficult, more sophisticated attacks — such as ransomware — have become common, and budgets continue to be tight and often hard-to-predict, says Srini Subramanian, principal with the risk and financial advisory group at consulting firm Deloitte.

Government cybersecurity professionals, which make between $125,000 to $225,000, typically do not include compensation in their Top 3 reasons for job satisfaction. Yet, increasing attacks and greater consequences for their networks, along with increased scrutiny for any outage or incident, puts them squarely in the in the eyes of the public and government officials, he says.

"The state-level systems are also dealing with ... a lot more challenges compared to a private sector systems," Subramanian says. "They have budget constraints, they have talent constraints, and now we are expanding the scope of the systems even more."

**Public Headaches, Private Stressors**

Daniel Schwalbe used to work as a security pro under the CISO at the University of Washington, a large public university, which meant that his role bridged both government and education sectors. He loved the work, and he certainly wasn't there for high pay, he says. Education CISOs are the lowest-paid of all the industries tracked by the IANS survey, with a median annual total compensation of $243,000 (the government sector was not listed).

Yet, the security work was neverending, he says.

"We had half a million devices on a network that we were supposed to protect, and I can tell you that on any given day, we pretty much figured there are 1,000 compromised devices on that network out of half a million," he says. "That's just the reality."

When he left, it wasn't about scoring a better salary, but about combatting the lack of a career path. The only position left for him to graduate to in the security career track at UW was CISO, but the current holder of that position did not intend to retire for at least three years. So, he accepted the job of deputy CISO with Farsight Security, and assumed the role of CISO at DomainTools when that company bought Farsight.

His responsibilities have changed somewhat. Compliance is more of an issue at a private firm, whereas the government and education sector have to deal with bureaucracy. Yet, making technology work better for security is a common factor, and he hopes that automation will reduce stress across the board.

"Investing a little bit upfront and tuning the alerts — so the stuff that actually comes out of your security tools is much more useful — can help," he says. "It costs money, and it's not a silver bullet, but in my opinion, it does help and can help with issues like threat analyst burnout."

**How AI Is Impacting Security**

The research firms' analyses also found that hot potato of AI risk is putting a lot of pressure on CISOs as individuals, escalating the stress. IANS Research's Kakolowski says that, typically, no one security pro in the business is really well positioned to own AI. The right person needs a blend of technical, governance, privacy, and data-science backgrounds to really help organizations fully manage the risk, he says.

Usually, CISOs do not check all those boxes, which could expose them to liability.

"CISOs are becoming the go-to person to inform AI risk decisions, and there's this pushback where CISOs say, 'Well, we can't own all of this risk, because this risk isn't owned by the business unit," he says. "'Using the tooling, we can help inform you about this risk, and we can help you understand this risk, but you have to ultimately be the ones making that decision and taking that ownership.'"

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

CISO Paychecks: Worth the Growing Security Headaches?

Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.

Source: QubixStudio via Shutterstock

Malicious browser extensions are bypassing Google's latest security and privacy standard for Chrome extensions, and they are finding their way into the Chrome Web Store — putting organizations and individuals at considerable risk.

That's according to researchers at Singapore-based SquareX, who recently demonstrated how bad actors could sneak harmful browser add-ons past the protections in Google's latest Manifest V3 update for Chrome extensions.

**Malicious Chrome Extensions Are a Continuing Problem**

In a presentation at DefCon 32, the researchers showed how such extensions could steal live video feeds from platforms like Google Meet and Zoom without requiring any special permissions. They then demonstrated how attackers could use extensions based on the Manifest V3 standard to redirect users to credential-stealing pages, add collaborators to private GitHub repos, and steal site cookies, browsing history, and other user data relatively easily.

Google introduced Manifest V3 in 2018 to address issues in the previous Manifest V2 standard, which more easily allowed bad actors to craft Chrome extensions with a range of malicious capabilities. A study by researchers at Stanford University concluded that there were a staggering 280 million installs of such malicious Chrome extensions between July 2020 and February 2023.

Related:Dark Reading Confidential: The CISO and the SEC

As Google explains it, Manifest V3 is part of a broader effort by the company to "improve the privacy, security, and performance of extensions." Improvements in Manifest V3 include a stricter content security policy, updated and more secure APIs, more granular permission control for users, and changes to how extensions can make cross-origin requests. Some of the updates, like one that changes how Chrome handles content-blocking extensions, have been controversial. Privacy advocates and makers of ad-blocking extensions have described the feature as drastically curtailing the ability for Chrome users to block ads and tracking mechanisms. But overall, the goal with Manifest V3 is improved security and privacy controls around Chrome extensions.

The ground reality is somewhat different, says Vivek Ramachandran, CEO and founder of SquareX. "\[Manifest V3's\] permission model remains too broad, allowing malicious actors to exploit minimal permissions to steal data," he says.

**Overly Broad Permissions for Manifest V3?**

A key example is host permissions that allow an extension to modify or read any Web content on visited pages. "SquareX demonstrated a Google Meet stream-stealing extension that only required host permission," Ramachandran says. "This type of permission is very common in the extension store. In fact, many extensions, like grammar checkers, rely on it."

Related:Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Ramachandran estimates there are already hundreds if not thousands of malicious browser extensions based on Manifest V3 that are already in the Chrome Web Store. He expects that number to increase dramatically as more extensions cut over to Manifest V3.

"Google needs to enforce stricter security controls in MV3," Ramachandran says. "They should collaborate with the Web and security community to develop a more robust permission model that is less broad. Additionally, Google should improve the vetting process for extensions and introduce tools to monitor real-time behavior."

Google did not immediately respond to a Dark Reading request for comment on SquareX's research. But the Internet giant previously has conceded that with more than 250,000 browser extensions in Chrome Web Store, there are chances some extensions could pose risks to users and sometimes request permissions that might violate a company's policies.  

"As with any software, extensions can also introduce risk," Google said in a blog post shortly after the Stanford researchers released their paper on risky extensions in the Chrome Web Store.

Related:Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

**Boosting Chrome Ecosystem Security**

In that blog post and in previous updates, like this one in April 2023, Google has highlighted its efforts to bolster security around Chrome extensions. These include browser extension management capabilities that security teams can use to view and set policies for all installed extensions in their environment, and the ability to review extensions before users can install them.

Chrome security features also include one that alerts admins when a user might install a new browser extension, to make tracking and management easier. And last year, Google introduced two risk assessment tools — CRXcavator and Spin.AI Risk Assessment — that give enterprise admins a way to assess and score extensions for risk.

Google also points to its Chrome extensions page (chrome://extensions/) as a resource that individuals can use to see if their installed extensions pose a security risk; a warning panel appears on the page if Google detects any installed extensions as being suspicious. That definition includes: browsers suspected of containing malware; browsers that violate Chrome Web Store polices; unpublished — and therefore no longer supported extensions; and extensions that are not explicit about their privacy and data-collection practices.

Google had set a deadline of this past June for browser extension makers to migrate to Manifest V3 and has noted that it would also begin disabling Manifest V2 extensions in its pre-stable versions of Chrome at that time. The company has given enterprise organizations until June 2025 to migrate Manifest V2 extensions to the new version. As of Oct. 4, 60.4% of all Chrome browser extension have migrated to Manifest V3.

Ramachandran says enterprises should audit installed extensions and limit their permissions. His advice is that organizations also enable better visibility and control over extensions in the environment. Think of browsers like Chrome as complex platforms, much like operating systems, he suggests.

"Extensions run as internal applications, but endpoint security tools only have visibility at the process level," Ramachandran says. "They cannot assess or control what browser extensions are doing internally."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malicious Chrome Extensions Skate Past Google's Updated Security

Creating a new office of cyber-regulation strategy is the government's best opportunity to improve security and to protect Americans in an increasingly dangerous world.

Jason Healey, Senior Research Scholar, Columbia University School of International and Public Affairs

October 7, 2024

5 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

Regulation is the most complex and politically sensitive cybersecurity measure ever undertaken by the US government.  

The most important step the White House can take is starting a cyber-regulation strategy and creating a new office within the Office of the National Cyber Director (ONCD) to drive smart regulation and harmonization. 

**Regulating Cybersecurity: Strategy Needed**

Government mandates, especially ones to regulate an area tied to speech, touch at the heart of the role of government in a free society. They are far more inherently political than most other cybersecurity initiatives, such as building the cyber workforce, a topic for which ONCD has already created a dedicated strategy. 

Cyber regulation is also exceedingly complex. To improve cybersecurity, the government might impose minimum baseline cybersecurity controls for critical infrastructures (for everything from rail to customer information held by banks), charge companies for fraud under the False Claims Act, use securities laws to criminally charge corporate security executives, impose labeling requirements for smart devices, or regulate cybersecurity for broadband Internet access. 

The US government is defaulting to doing all of these, plus many more, all at once. 

Some of these initiatives are more in line with the president's strategy and priorities than others; some are best done first, others later; some might be challenged in court, post-Chevron; and some will impose larger costs, for fewer gains, than others seeking the same end. 

All will create winners and losers. Unlike efforts to fix the cyber workforce, some might even affect the outcome of elections. 

ONCD must accordingly develop a new strategy (or at least a less-formal road map) for regulating cyberspace, laying out the major options and trade-offs, timelines, and measures of success. The final deciders must be the nation's political leadership in the National Security Council and National Economic Council. 

**New White House Office Also Needed**

To ensure the success of the cyber-workforce strategy, ONCD created a dedicated team, led by an assistant national cyber director. ONCD must create another such special office to focus on the far more politically sensitive and complex topic of regulation. 

ONCD's office would work to not just "create a coherent regulatory system and harmonize cybersecurity requirements," as recommended by the American Chamber of Commerce, or oversee a Harmonization Committee, per a recent Senate bill. It would draft the strategy, develop an implementation plan and track completion, develop frameworks to harmonize regulations, champion mutual recognition, and help oversee if regulations are working and at reasonable cost. 

This office would work with other departments and agencies — especially the Cybersecurity Forum for Independent and Executive Branch Regulators and the Cybersecurity and Infrastructure Security Agency, recently tasked to harmonize critical infrastructure regulations.  

And there are a lot regulations needing coordination. Just in the past few months, there is not only the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), but also: 

1\. Cybersecurity in the Marine Transportation System, "establishing minimum cybersecurity requirements for U.S. flagged vessels" (from the Coast Guard)  

2\. Data Breach Reporting Requirements for telecommunications providers (the Federal Communications Commission) 

3\. Cybersecurity Labeling for Internet of Things (IoT) (FCC) 

4\. Cybersecurity Maturity Model Certification for contractors (Department of Defense) 

5\. Significant Cybersecurity Incident Reporting Requirements for federally approved mortgage lenders (Department of Housing and Urban Development) 

6\. New requirements for US infrastructure-as-a-service (IaaS) providers (Department of Commerce) 

Meanwhile, the Environmental Protection Agency is "increasing inspections and enforcement" of community water systems and "the Centers for Medicare and Medicaid Services (CMS) will be drafting new rules" for hospitals. 

ONCD's harmonization efforts have been solid, led by Nick Leiserson, Brian Scott, and Elizabeth Irwin, among others. But this team is also working on a wide range of other policies and programs, such as including cyber in federal grants to states. Regulation, complex, and politically fraught, deserves a dedicated team and leadership. 

**But It's Close to an Election!**

The next presidential administration may be less eager to regulate than this one, but it will still need a regulatory plan of some sort to coordinate and harmonize between independent agencies and engage with states and the European Union.  

ONCD is staffed not just by political appointees and detailed civil servants — as is the National Security Council, the traditional heart of White House cyber policymaking — but also permanent staff. Starting the work on such a document now can help the smartest policies to survive between administrations and improve predictability for regulated companies. 

This is the White House's best opportunity for perhaps a generation to get this right, to improve security, to protect Americans in an increasingly dangerous world, and to decrease the cost and improve predictability for companies building our digitized economy. 

If the White House doesn't solve other important cyber issues, future administrations will have other chances. The critics fighting regulation will not be so forgiving. 

**About the Author**

Senior Research Scholar, Columbia University School of International and Public Affairs

Jason Healey is a senior research scholar at Columbia University’s School for International and Public Affairs, specializing in cyber-risk and conflict.  Jason was a founding member of both the Office of the National Cyber Director at the White House (2022) and the first cyber command in the world, the Joint Task Force for Computer Network Defense, in 1998. He created Goldman Sachs’ first capabilities for cyber-incident response and threat intelligence and later oversaw the bank’s crisis management and business continuity in Asia. He served as the vice chair of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and is a certified board director (NACD.DC) and information systems security professional (CISSP).

What the White House Should Do Next for Cyber Regulation

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

CISOs and their staff are under more pressure than ever to work their cybersecurity magic. Know the feeling? Send us a cybersecurity-related caption to explain the scene, above, and our favorite will win its creator a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the October 30, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to our friend Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia. Paul's caption for last month's "Bug Off" cartoon captured first place and appears below. A big thank you to all who participated.

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: And For My Next Trick ...

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

The collaboration with industry partners will improve collective AI defenses. Trusted contributors receive protected and anonymized data on real-world AI incidents.

Source: Myron Standret via Alamy Stock Photo

MITRE’s Center for Threat-Informed Defense announced the launch of the AI Incident Sharing initiative this week, a collaboration with more than 15 companies to increase community knowledge of threats and defenses for AI-enabled systems. 

The incident sharing initiative falls under the purview of the center’s Secure AI project, and aims to enable quick and secure collaboration on threats, attacks and accidents involving AI-enabled systems. It expands the reach of the MITRE ATLAS community knowledge base, which has been collecting and characterizing data on anonymized incidents for two years. Under this initiative, a community of collaborators will receive protected and anonymized data on real-world AI incidents. 

Incidents can be submitted via web (at https://ai-incidents.mitre.org/) by anyone. Submitting organizations will be considered for membership with the goal of enabling data-driven risk intelligence and analysis at scale. 

Secure AI also extended the ATLAS threat framework to incorporate information on the generative AI-enabled system threat landscape, adding several new generative AI-focused case studies and attack techniques, as well as new methods to mitigate attacks on these systems. In November 2023, in collaboration with Microsoft, MITRE released updates to the ATLAS knowledge base focused on generative AI. 

"Standardized and rapid information sharing about incidents will allow the entire community to improve the collective defense of such systems and mitigate external harms," said Douglas Robbins, vice president, MITRE Labs, in a statement.

MITRE operates a similar information-sharing public private partnership with the Aviation Safety Information Analysis and Sharing database for sharing data and safety information to identify and prevent hazards in aviation.

Collaborators on Secure AI span industries, with representatives from financial services, technology, and healthcare. The list includes AttackIQ, BlueRock, booz Allen Hamilton, CATO Networks, Citigroup, Cloud Security Alliance, CrowdStrike, FS-ISAC, Fujitsu, HCA Healthcare, HiddenLayer, Intel, JPMorgan Chase Bank, Microsoft, Standard Chartered, and Verizon Business.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Source

DARKReading