CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.

Source: Aleksey Boldin via Alamy Stock Photo

Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.

The first — an issue with Apple's VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.

New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.

As Michael Covington, vice president of portfolio strategy for Jamf points out, "The good news is that neither of these highlighted issues involve remote exploits. They are, in fact, issues that will arise with use of the device, and it's user privacy that is ultimately at risk."

Still, he says that "for businesses that use mobile in any capacity for work, I recommend they pay close attention to both of the security issues and take appropriate action to update devices as soon as possible."

**Bug #1: Reading Passwords Aloud**

The first issue involves VoiceOver, the accessibility feature that provides visually impaired users with audible descriptions of the various elements on their screens — text, buttons, images, etc. VoiceOver also allows users to navigate their devices using voice commands and gestures.

Perhaps not everything on a device should be read aloud, though, like passwords. Last month, as part of iOS and iPadOS 18, Apple released a brand new app, "Passwords," allowing users to easily store and manage logins on their devices. CVE-2024-44204 is a logic issue that could have allowed VoiceOver to read out such a user's passwords. It affected essentially every model of iPhone and iPad released since 2018.

VoiceOver is off by default, meaning that only select iPhone users were potentially affected.

Covington notes, "This is not the first time we've seen accessibility features misused. Previous instances include screen reader technology being used by misbehaving apps to capture on-screen details and exfiltrate data from the device. Fortunately, most accessibility features go through extensive security and privacy testing, so these scenarios do not tend to arise often."

**Bug #2: Beginning Audio Messages Too Early**

If iPhone users are on the go, have a lot to say, or maybe just have tired thumbs, they might choose to record an audio message in iMessage, instead of a regular text. After they hit that plus sign on the left side of the message box and choose "Audio," the device will indicate that it has started recording with a red-highlighted sound wave in place of the message box, and a little orange dot in the pill-sized Dynamic Island at the top of the screen.

A security researcher recently discovered though that audio messages could have captured a few seconds of audio before users were made aware that their microphone was hot. The issue has been labeled CVE-2024-44207, and affects all models of the new iPhone 16.

Though it might seem — and, in most cases, would be — a relatively minor issue, Covington points out, "this disconnect between device function and the associated visual indicators is something that Jamf’s own threat research team has connected to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it can be misused is a big win for Apple."

Neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS) yet, nor are any further details public at this time.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

iPhone 'VoiceOver' Feature Could Read Passwords Aloud

A growing number of organizations are taking longer to get back on their feet after an attack, and they're paying high price tags to do so — up to $2M or more.

Source: Panther Media GmbH via Alamy Stock Photo

Organizations are seeing staggering increases in cyberattacks that stem from insider threats, with price tags for remediation reaching eyewatering heights of up to $2 million per incident.

According to research from Gurucul — which surveyed more than 400 IT and cybersecurity professionals — organizations are seeing a rising tide when it comes to insider threats. In 2023, 60% of organizations reported insider attacks, but in 2024 this number jumped to 83%. And in a dramatic shift, the number of organizations experiencing six to 10 attacks in the year doubled from 13% to 25%. Overall, almost half of organizations in the Gurucul study said that the occurrence of inside attacks has become more frequent over the past 12 months.

"Cybersecurity professionals define insider threats as risks originating from individuals within an organization who have authorized access to systems and data but misuse that access, either maliciously or unintentionally," Jason Soroko, senior fellow at Sectigo, wrote in an emailed statement to Dark Reading. "This definition encompasses employees, contractors, or partners who, due to complex IT environments, hybrid work models, or the adoption of advanced tools like GenAI, might exploit vulnerabilities."

This could mean a situation in which an employee steals sensitive data, accidentally leaking data after falling for a phishing scam, or ignoring security updates and protocols, ultimately leading to a security breach, he added.

Related:Dark Reading News Desk Live From Black Hat USA 2024

The Gurucul researchers found that the biggest driver of insider attacks are the growing IT complexities that organizations are faced with, which create visibility gaps that are hard to close. Technology is becoming more complex, and more employees are accessing system networks, extending the attack surface and making it more difficult to cybersecurity staff to safeguard. Not just this, but the adoption of new technologies like Internet of Things (IoT), artificial intelligence (AI), cloud services, and software-as-a-service (SaaS) applications play a role as well in the rapid growth rate that is difficult for organizations to keep pace with. 

With the implementation of new technology, these added "layers of complexity" create challenges for existing staff to combat threats, causing IT staff to become overworked and burned out. Nearly 30% of respondents noted that there is insufficient staff to implement and maintain tools and, if there are enough employees to go around, many lack the training and expertise to effectively manage the tools to safeguard networks. The researchers recommended that organizations that struggle with this cut their losses and transition to more intuitive tools that "reduce alert triage and false positives by providing a complete case of evidence with context and advanced behavior analytics."

Related:MITRE Launches AI Incident Sharing Initiative

Gurucul also pointed out that gaps in insider risk management are also to blame. "Weak enforcement policies, including a lack of consequences for employees and insufficient monitoring, were identified by 31% as contributing factors," according to the report. A fifth (20%) of respondents also cited executive management and policy issues as being one of the major obstacles to combating insider threats and implementing effective management tools and strategies.

Ultimately, it's a story that many in the cybersecurity industry have heard before: Executives need to give cyber threats the attention they deserve and support policy frameworks to help combat it; enforcing this mentality on a companywide level is also essential to strengthen mitigation.

**From Insider Attacks to Financial Spiral**

Insider attacks don't just compromise an organization's safety and information — they come with a high price tag, too. 

According to the study, after dealing with an attack of this kind, the cost of remediation for many organizations (32%) ranges from $100,000 to $499,000. And for others, it’s even more costly: 27% of organizations estimate the cost of remediation to range between $500,000 to $1 million, while 21% say that the costs range from $1 million to $2 million.

Related:Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

And that's just the financial impact for each individual insider attack an enterprise faces. With many experiencing roughly six to 10 attacks a year, these numbers multiply to a price that is likely just too costly to cough up. 

Those high price tags usually add up due to a variety of activities, such as system restoration, data recovery, legal fees, regulatory fines, and reputational damage control. 

And even if organizations can put money into remediation, their recovery is still slow. Roughly 45% of organizations take a week or longer to get back on their feet after an insider attack. The lengthy recovery time is usually due to the technical challenges that cybersecurity teams face when trying to restore intricate systems, a lack of unified visibility, and siloed security tools. Limited resources, regulatory compliances, and ongoing investigations also play a role in dragging out remediation efforts, keeping companies down while they’re most vulnerable. 

"It's essential for organizations to leverage advanced incident-response solutions that go beyond basic automation," according to the Gurucul researchers. "These solutions integrate dynamic risk-based prioritization, machine learning, and comprehensive contextual analysis to ensure that security teams can focus on the most critical threats, thereby reducing recovery times."

But in the end, prevention is better than reaction: That means educating existing employees (who complain of technical challenges, limited resources, compliance and privacy concerns, among other issues as leading to inadvertent mistakes), while also bringing in new cybersecurity talent so that security teams can effectively do their jobs and safeguard and mitigate against threats.

"Investing in ongoing training and development for cybersecurity teams to build the necessary expertise is crucial to address this challenge," the researchers wrote. "Managed security services can supplement internal capabilities, ensuring that tools are effectively implemented and maintained without overburdening existing staff."

Insider Threat Damage Balloons as Visibility Gaps Widen

The successful disruption of notorious Russian hacker group Star Blizzard's operations arrives one month out from the US presidential election — one of the APT's prime targets.

Source: Enik via Alamy Stock Photo

Microsoft and the US Department of Justice joined forces this week to take down more than 100 domains linked to a Russian-sponsored hacker group known as Star Blizzard.

The advanced persistent threat (APT), active since 2017, has targeted journalists, non-governmental organizations (NGOs), and Russia experts, particularly those supporting Ukraine.

The operation, which dismantled the group’s server infrastructure in the West, is expected to delay the cyberattackers' ability to regroup and operate.

"Today's seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action — using all tools to disrupt and deter malicious, state-sponsored cyber actors," Deputy Attorney General Lisa Monaco said in a statement issued by the DoJ.

Star Blizzard, also referred to as "Cold River" and "Callisto," uses primarily phishing emails to steal login credentials from its targets, and had recently developed its first custom backdoor.

In a partially unsealed indictment, the DoJ also revealed that two FSB officers, Ruslan Peretyatko and Andrey Korinets, were charged last December for their involvement in Star Blizzard espionage campaigns, which have extended to the UK, NATO countries, and Ukraine. The government's affidavit reveals that in the US, the group targeted military contractors, intelligence community personnel, and government agencies, among others.

The Kremlin-sponsored APT is known for its sophisticated evasion techniques, although Microsoft has been following it, and disrupted the group's activities in 2022 and again last year.

"Rebuilding infrastructure takes time, absorbs resources, and costs money," Microsoft noted in a blog post on the most recent takedown. "Today's action is an example of the impact we can have against cybercrime when we work together."

**A Step in Protection as US Election Nears**

The disruption comes at a crucial time, as US officials are on high alert for foreign interference ahead of the upcoming presidential election. With Star Blizzard's status as a tool for advancing Russian interests, including election disruption, Microsoft emphasized that the takedown action directly impacts efforts to protect the US democratic process from external threats.

"Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations — journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive — by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern."

**Russian Threat Likely to Persist**

Sean McNee, head of threat research at DomainTools, says he anticipates a dramatic increase in nation-state backed groups turning toward purchasing domains to carry out cyberespionage, and to seed misinformation and disinformation around the US election as well — so the combined DoJ/Microsoft action might just be a drop in the ocean.

"\[The Star Blizzard takedown is a\] huge step in protecting the Internet," he says, but adds it is likely only "scratching the surface" when it comes to FSB or other groups who have purchased domains to seed malignant websites.

"We have found that some domain hosting services sell domain registrations indiscriminately and are not always responsive when notified about malicious content or coordinated misinformation," he explains.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, warns Russia has "ratcheted up the cyber insurgency" in American cyberspace.

"Russia is cognizant that the soft underbelly of the US is our dependence on technology," he says, pointing out that the Star Blizzard revelations show that "the GRU and a few cybercrime cartels are collaborating in widespread campaigns of infiltration."

He says he is concerned that the resultant backdoors will be used to deploy destructive malware in the coming days, adding threat hunting must be expanded and runtime security must be activated to blunt the Russian campaign.

"Something wicked this way comes," Kellerman says. "The private sector must take this warning seriously."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness.

Akhil Mittal, Senior Manager, Synopsys Software Integrity Group

October 4, 2024

5 Min Read

Source: M-SUR via Alamy Stock Photo

COMMENTARY

In the high-pressure world of cybersecurity, daily headlines about breaches, ransomware, and phishing threats create a sense of urgency and tension. But what if one of the most effective tools for defense wasn't just technology, but humor? While it may seem unexpected, humor is emerging as a powerful asset in security training and culture-building. It boosts employee engagement, improves retention of key security concepts, and fosters a resilient security culture — ultimately strengthening an organization's defenses. 

However, humor isn't just about laughs — it's about combating challenges like security fatigue and ineffective training. As cyber threats evolve, the human element remains one of the weakest links. Humor can address that, but it must be carefully navigated. 

**Why Humor Works in Security Training**

According to a study from CompTIA, the human element accounts for the root cause of 52% of data breaches. Despite this, traditional cybersecurity training often fails to engage employees, resulting in low retention and inconsistent application of critical security behaviors. Dry, repetitive sessions packed with jargon cause employees to tune out — this is where humor comes in. 

According to TrainSmart, humor in training can boost retention and create a more relaxed learning environment. Research by Edutopia supports this, showing humor activates dopamine pathways, essential for motivation and memory retention. 

Imagine a monotonous security session versus a phishing simulation email from "IT Support" asking for your password to "upgrade the Internet." Humor transforms routine tasks into memorable learning experiences. 

**Real-World Examples**

Financial institutions and organizations are increasingly turning to gamification to enhance cybersecurity awareness. For example, some organizations have launched superhero-themed phishing campaigns where employees help fictional heroes identify threats, making training more interactive and fun. According to the Gamification at Work Survey by Talent LMS, 83% of participants reported feeling more motivated with gamified training, while 87% saw improvements in productivity and engagement. Additionally, 82% mentioned they felt happier at work due to these engaging methods. Similarly, some organizations use "bad password hall of fame" competitions, where employees guess the worst passwords ever used. These humorous contests make lessons about password strength more memorable, reinforcing security practices. Notably, 80% of organizations that implemented awareness training reported a reduction in phishing susceptibility, showcasing the effectiveness of these innovative approaches. 

**Reducing Security Fatigue**

Security fatigue is a growing issue in corporate environments. Employees face constant alerts, password updates, and phishing warnings, which can lead to negligence. 

Injecting humor into routine security tasks — like humorous phishing emails or lighthearted reminders — provides much-needed relief, keeping employees engaged without overwhelming them.

**Humor as a Solution for Remote Work**

The shift to remote work has highlighted the importance of engaging employees in security practices. Isolated from their IT teams, remote workers have become both the first and last lines of defense. However, 60% of remote employees feel disconnected from their company's cybersecurity efforts, according to Ponemon. In this environment, humor helps combat burnout, while reinforcing critical cybersecurity behaviors. 

**Risks and Challenges**

While humor can be effective, it also carries risks. If not implemented carefully, humor may trivialize serious threats, leading employees to view cybersecurity risks as less critical. Balance is key — humor should engage without undermining the importance of vigilance. 

Moreover, not all humor works in every context, particularly across diverse cultures. A cartoon-style phishing simulation may succeed in one region but be inappropriate elsewhere. To avoid alienating employees, it's crucial to test humor-based campaigns with different cultural groups before deployment. 

It's also critical to measure the effectiveness of humor in security training. Organizations should track phishing reporting rates, training completion, and quiz scores to assess engagement and overall security posture. 

**Learning From Mistakes **

Not all humor-based campaigns are successful. For instance, one company used sarcastic dark humor in its training sessions, which led to complaints from employees who felt the tone was dismissive of real security risks. The lesson? Humor that fails to take security seriously can do more harm than good. 

**Actionable Takeaways**

For organizations looking to enhance cybersecurity training with humor, here are some practical steps: 

*   Incorporate humor in training: Introduce humor into phishing simulations and training exercises to boost engagement and retention. 
    

*   Gamify security awareness: Create competitions or leaderboards where employees race to spot phishing attempts, using humor to reduce monotony. 
    

*   Test for cultural sensitivity: Ensure humor resonates globally by testing content with various employee groups before rolling it out. 
    

*   Track key metrics: Monitor phishing reporting rates, training completion, and engagement metrics to assess the effectiveness of humor in cybersecurity efforts.
    

**Conclusion**

Cybersecurity is serious, but it doesn't have to be boring. Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness. By balancing humor and seriousness, organizations can strengthen their defenses while keeping employees alert and engaged. Now is the time to inject levity into cybersecurity efforts — without losing sight of vigilance. 

**About the Author**

Senior Manager, Synopsys Software Integrity Group

Akhil Mittal is a recognized cybersecurity leader with more than two decades of experience in application security, cloud security, and DevSecOps. As a Gartner Cybersecurity ambassador and senior manager at Synopsys, he leads key security initiatives, helping global organizations strengthen their defenses against advanced cyber threats. Akhil has worked closely with chief information security officers (CISOs) and executive leadership to align security strategies with business goals, ensuring robust protection across industries. He also contributes his expertise through leading cybersecurity publications and serves as a judge for top industry awards and hackathons. Certified in CISSP and CCSP, his work continues to shape the future of cybersecurity, driving innovation and resilience worldwide.

Cybersecurity Is Serious — but It Doesn't Have to Be Boring

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals.

Source: Skorzewiak via Alamy Stock Photo

The industry consensus about ransomware is that it's not going away anytime soon, evidenced by the consistent growth of ransomware attacks over the past decade. We've seen some of the biggest ransomware attacks in history — including the JBS, Colonial Pipeline, and Equifax breaches — over the past five years. What's more, between 2023 and 2024, there was an 81% year-on-year jump in the number of recorded ransomware attacks, according to cybersecurity research firm Black Kite.

And according to a report earlier this year by cybersecurity research firm Performanta, ransomware gangs have a new strategy: Ransomware-as-a-service (RaaS) organizations are focusing on African nations as initial targets for nation-state attacks before launching malicious campaigns in more developed climes.

But what makes Africa a choice destination for these so-called "RaaS gangs," and what does this mean for the burgeoning economies on the continent?

**Why Africa?**

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals. Performanta's report, which shows that Africa is increasingly becoming a testing ground for ransomware attacks, raises serious concerns for the continent's future and underscores the urgent need for collaboration among African states, corporations, and the West.

One draw for the cybergangs is the continent's overall low levels of cybersecurity strategy at the national level. In the 2024 edition of the International Telecommunication Union's Global Cybersecurity Index, only nine out of 44 countries in Africa qualified for the first or second tier of cybersecurity maturity. While this is an improvement over the previous report's rankings, that still leaves swathes of the continent less prepared.

Funsho Richard, a senior cybersecurity analyst and consultant, agrees with Performanta's findings.

"Africa's potential for profitable attacks amidst its digital growth is a magnet for cybercriminals," he says. Ransomware gangs and nation-state actors are exploiting the continent's weaker cybersecurity defenses to refine their methods in a "lower-risk environment" before launching attacks on better-secured developed nations.

This approach makes perfect sense from the attackers' perspective, as Gal Nakash, co-founder and CPO at identity-based SaaS security company Reco, explains.

"Building a sophisticated testing environment for a campaign is challenging," Nakash says. "Leveraging less interesting or poorly secured victims is more effective and increases the likelihood of remaining undetected by security tools."

In June, South Africa's National Health Laboratory Service (NHLS) confirmed it was dealing with a ransomware attack that significantly affected the dissemination of lab results as the country was responding to an outbreak of mpox (previously known as monkeypox). The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country's nine provinces. The spokesperson declined to say which ransomware group was behind the incident or whether a ransom was paid.

**Signs and Guardrails**

So how can African businesses identify these potential "ransomware testing" campaigns? Richard points out that, unlike traditional ransomware attacks that target specific industries like finance or energy, these campaigns might target a wider range of businesses.

Traditionally, ransomware gangs have a well-defined appetite: high-value sectors like finance, manufacturing, and energy. A recent surge in attacks targeting a wider range of businesses across various industries in Africa could be a red flag, indicating a testing campaign in progress.

Performanta's research also validates this concern. The report reveals a "large increase in financial/banking trojans with a 59% increase in Kenya and a 32% increase in Nigeria across a single quarter," suggesting gangs are casting a wider net.

Performanta's report suggests African organizations may not be fully prepared for this shift in attack tactics. While Nakash expresses confidence in the capabilities of modern cybersecurity solutions like extended detection and response/endpoint detection and response (XDR/EDR), he acknowledges a lack of widespread adoption. But he says that businesses that regularly update their cybersecurity controls and policies can stop attackers dead in their tracks.

"This includes maintaining visibility into their entire network environment, encompassing cloud, SaaS \[software-as-a-service\], on-premises infrastructure, and all the applications they use daily," Nakash says. "Critical applications should be mapped, and robust policies and alert notifications should be set up to identify and address any violations or misconfigurations that could create potential security vulnerabilities."

However, to spot the wider trend of test campaigns requires national coordination and strategy, as well as regional cooperation. The Africa Center for Strategic Studies cites several regional initiatives, such as Afripol, but warns that only 17 countries on the continent even have a national cybersecurity strategy.

**Building a Strong Defense**

What businesses on the continent need to stay cybersafe is a foundational approach — doing the basic things the right way. Ensuring that all configurations adhere to best security practices and setting up alert notifications for any suspicious activity are essential steps to prevent potential threats.

"Organizations need thorough visibility into their entire network environment, including cloud and on-premises infrastructure," Nakash says.

The fight against cybercrime requires a united front, says Guy Golan, executive chairman and CEO at Performanta.

"The West and Africa must implement long-term collaborative efforts to build a strong defense against this threat," he says. By sharing knowledge, resources, and best practices, both continents can work together to create a more secure digital landscape for all.

Building resilience against these attacks isn't just about protecting individual businesses; it's about safeguarding the future of Africa's booming digital economy.

"The solution lies in long-term collaborative efforts. Only then can we effectively combat this growing threat," says Richard.

**About the Author**

Contributing Writer

Kolawole Samuel Adebayo is a Harvard-trained tech entrepreneur, tech enthusiast, tech writer/journalist, and an executive ghostwriter. He has 10+ years of experience covering various tech news stories, writing thought leadership blogs, reports, datasheets, and case studies. His areas of expertise include cybersecurity, AI, ML, DevOps, blockchain, metaverse, and big data for C-level executive audiences. He has written for several publications, including VentureBeat, RSI Security, NWTechs, WATI Security, Draft.dev, Codecov, Teleport, Doppler, HotCars, and many more. He is also an award-winning poet, with works published in several journals around the world.

Criminals Are Testing Their Ransomware Campaigns in Africa

It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.

Source: motioncenter via Alamy Stock Photo

The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression towards its neighbors contradicts Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations.

Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer. One lure for instance offers recipients access to a spreadsheet related to annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.

Related:China-Backed APT Group Culling Thai Government Data

Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.

**Shrouded#Sleep's Stealthy Shortcuts**

In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.

"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."

Windows hides the .LNK file extension by default, substituting it with a little arrow in the bottom left hand corner of a file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon with another of their choosing, and use double extensions to hide the true nature of the file.

APT37 gives its shortcut files PDF and Excel icons, and assigned them double extensions like ".pdf.lnk," or ".xls.lnk," so that only the .PDF and .XLS parts of the extension show up for users.

Related:UAE, Saudi Arabia Become Plum Cyberattack Targets

In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes.

Contained within those kilobytes was APT37's malicious payload, which Securonix has named "VeilShell." 

**VeilShell's Patient Persistence**

The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanism.

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

VeilShell for instance is a multifunctional, PowerShell-based backdoor-plus-remote-access-trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, etc.

Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique involving the injection of malicious code into .NET applications.

All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to provide counterbalance. For example, it implements long sleep timers to break up different stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.

As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal \[of the shortcut file\] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."

It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

Several of the flaws enable remote code execution and denial-of-service attacks while others enable data theft, session hijacking, and other malicious activity.

Source: PeterPhoto123 via Shutterstock

Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.

Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.

**A Wide Range of Flaws**

Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.

Researchers at Forescout's Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of consistent attack activity targeting the routers and a rash of recent vulnerabilities in the technology.

They found over 704,000 Internet-exposed DrayTek routers — mostly in Europe and Asia — many of which likely contain the newly discovered vulnerabilities.

"Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe," Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. "A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO's shoulders."

**Patching May Not Be Enough**

DrayTek has issued patches for all the vulnerabilities via different firmware updates. However, organizations should not stop with just applying the patches, says Daniel dos Santos, the head of security research at Forescout Vedere Labs. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. "Our report shows there's a long history of critical vulnerabilities affecting those routers, and many have been weaponized by botnets and other malware," he says. "Taking a proactive security approach ensures that even when new vulnerabilities are found, the risk to an organization will be low."

Attackers will likely find it relatively easy to find DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys, dos Santos says. But "exploitation is more difficult because we did not provide a detailed working proof-of-concept, only the overall description of the vulnerabilities," he adds. "If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen — like how it has happened for other DrayTek CVEs in the past."

The mitigations that DrayTek and Forescout have recommended include disabling remote access if not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.

**A Popular Attack Target**

The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.

In a September advisory, the FBI, the US National Security Agency, and Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. "The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks," the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its known exploited vulnerabilities list citing active exploitation activity. In 2022, a critical RCE in DrayTek's Vigor brand of routers put numerous small and medium-size businesses at risk of zero-click attacks.

The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. The security vendor's report highlighted 18 vulnerabilities going back to 2020, most of which have near maximum severity scores of 9.8 on the CVSS scale. Yet 38% of more than 704,000 DrayTek devices that Forescout discovered didn't have patches for disclosed vulnerabilities from two years ago.

"Many organizations don't have the right level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks," dos Santos says. "They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware — which doesn't support agents — they might not know that vulnerabilities exist in their network or may not have manually applied the patches."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

Ivanti reports that the bug is being actively exploited in the wild for select customers.

Source: Kristoffer Tripplaar via Alamy Stock Photo

One of the latest vulnerabilities that the Cybersecurity and Infrastructure Security Agency has added to the Known Exploited Vulnerabilities Catalog is CVE-2024-29824, found in the Ivanti Endpoint Manager.

The vulnerability is described as an SQL Injection vulnerability in the core server of Ivanti EPM 2022 SU5 and its prior models. It allows an unauthenticated attacker within the network to execute arbitrary code. 

Because of its high risk, its CVSS score is a critical 9.6.

On Oct. 1, Ivanti updated its security advisory to reflect that the vulnerability had been exploited in the wild.  "At the time of this update, we are aware of a limited number of customers who have been exploited," according to Ivanti's advisory.

Ivanti released security updates to patch this flaw in May, alongside several other bugs found in EPM's core server.

"Exploiting this flaw could have serious consequences, such as data breaches, disruption of business operations, and further compromise of internal systems," Eric Schwake, director of cybersecurity strategy at Salt Security, wrote in an emailed statement. "Organizations using Ivanti EPM should prioritize patching their systems immediately and conduct thorough security assessments to detect and mitigate potential compromise. This situation emphasizes the critical importance of proactive vulnerability management and timely patching to protect against evolving threats."

Customers can find information to patch the vulnerability on Ivanti’s website.

**About the Author**

CISA Adds High-Severity Ivanti Vulnerability to KEV Catalog

"Pig butchering," generative AI, and spear-phishing have all transformed digital warfare.

Source: Daniren vua Alamy Stock Photo

As the kinetic war between Russia and Ukraine persists, a parallel battle is being waged in cyberspace, where hackers are targeting critical infrastructure, government entities, and individual service personnel.

The cyber campaigns focus on espionage, disruption, and social engineering to weaken Ukrainian defenses and sow discord, with efforts to compromise personal data and infiltrate secure communication channels like Signal and Telegram.

Russian-aligned cyber actors, including advanced persistent threat (APT) groups like Gamaredon, have intensified their attacks since Russia's 2022 invasion of Ukraine.

Despite Ukrainian efforts to bolster cybersecurity, Russian hackers continue to refine their tools, and Russian cyber warfare tactics are varied and persistent, according to Ukraine's State Service of Special Communications and Information Protection (SSSCIP) September report.

These are just a few of the latest examples of cyberwarfare between the two states, though other additional malware perpetrators and cyberattack units, including Sandworm (aka APT44), continue to proliferate. 

**Messaging Apps Target Service Members**

One recent campaign involves the Russia-aligned UAC-0184 group targeting Ukrainian military personnel through messaging apps, including Signal. 

Hackers impersonate familiar contacts, sending malicious files disguised as combat footage or recruitment material to infect devices with malware.

Dan Black, manager, Mandiant Cyber Espionage Analysis, Google Cloud, says common technologies like smartphones and tablets have become essential tools for military personnel on the front lines, providing real-time intelligence and other critical support capabilities.

"But their utility cuts both ways," he cautions.

Because they provide such valuable capability, penetrating these devices can provide an adversary a surreptitious lens into various types of sensitive battlefield information that can have grave, even lethal, consequences for targets if compromised. 

Abu Qureshi, head of threat research for BforeAI, explains targeted cyberattacks aimed at military personnel through messaging apps can severely compromise operational security.

"By intercepting communications or distributing malware through trusted communication channels, attackers can extract sensitive data on the physical locations of personnel," Qureshi says. "This can lead to real-world consequences."

Malachi Walker, security adviser for DomainTools, adds a targeted cyberattack such as what’s being seen in the Russian/Ukrainian war is like pig-butchering attacks the team has observed in the financial service sector, where an attacker builds a personal relationship with their victim, gaining their trust over a period to gain a payout.

"Seeing this tactic used in warfare, rather than for financial gain, impacts the operational security of a military unit," Walker explains.

He says while a financially motivated pig-butchering attack can only leave one victim, using this technique in a war setting could place an entire group of soldiers in danger.

Adam Gavish, co-founder and CEO at DoControl, says what's particularly concerning is that many of these troops have access to sensitive intelligence and critical systems.

"A successful attack could potentially compromise not just individual soldiers, but entire military operations or strategies," he says.

The ripple effects of a single breach could harm many, making these personalized attacks especially dangerous.

"All of this can significantly impact combat effectiveness, readiness, and overall military capabilities," Gavish says.

**Russian-Speaking Users Targeted**

Meanwhile, the DCRat Trojan has been deployed through HTML smuggling, marking a shift in delivery methods to target Russian-speaking users. 

HTML smuggling techniques can bypass traditional security measures by nesting attacks within obfuscation layers like files, posing a significant threat to critical industries during conflicts.

Walker explains the use of HTML smuggling may not be the sole cause for change in the threat landscape, but it is indicative of an ongoing change that his team has observed in the past two years.

"The evolution of cyberattacks and malware, particularly those that have an intersection with the use of generative AI, have lowered the barrier for entry for threat actors, leading to more threats and a greater volume of attacks," he says.

DCRat and other similar malware can infiltrate systems controlling power grids, oil pipelines, and even nuclear facilities, which could severely disrupt the safety of any nation. "In the context of targeting Russian-speaking users and Russian companies, such attacks could have an impact that extends to other countries and companies and leads to further distrust," Walker adds.

He notes not all Russian companies are sanctioned by NATO-allied countries and those not sanctioned could be the most appealing targets as it would allow these threat actors to extend their reach.

These impacts can have a global impact including the delay of delivery for essential goods and the compromise of critical industries like energy, healthcare, financial services, and transportation.

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, says this method of attack highlights the need for more sophisticated defense strategies that go beyond conventional antivirus solutions. 

"When looking at this phishing technique you need live analysis of malicious content within the file and that is why you cannot rely on signature-based, feeds-based phishing protection alone," he explains. 

He adds securing industrial control systems is paramount in preventing disruptions that could amplify physical attacks.

"A comprehensive approach involving regular security audits, network segmentation, and robust access controls can help safeguard energy infrastructure against supply chain attacks," Kowski says. 

**Game on for Gamaredon **

An ESET report released last month focused on the 2022 and 2023 campaigns of Gamaredon, one of the most active groups in Ukraine.

The group has been conducting spear-phishing campaigns and using custom malware to breach Ukrainian government institutions, with the attacks undergoing constant evolution — for example, shifting to PowerShell and VBScript-based attacks.

DoControl's Gavish says Gamaredon's persistent approach, while less stealthy, can be highly effective in overwhelming Ukraine's defenses through sheer volume. 

"This constant barrage of attacks ties up cybersecurity resources and increases the chances of a successful breach simply through persistence," he says. The real-world impact forces Ukraine to constantly divert resources to cyber defense. "Gamaredon's attempts to target NATO countries have significant implications for international cybersecurity cooperation," Gavish adds.

From his perspective, these types of threats highlight the need for increased information sharing and joint defense strategies among allied nations. "The situation in Ukraine serves as a stark reminder that cybersecurity is not just an IT issue — it's a matter of national security with very real-world consequences," Gavish says. 

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Ukraine-Russia Cyber Battles Tip Over Into the Real World

Although the veto was a setback, it highlights key debates in the emerging field of AI governance and the potential for California to shape the future of AI regulation.

Debrup Ghosh, Principal Product Manager, F5 Inc.

October 3, 2024

4 Min Read

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

On Sept. 29, California Gov. Gavin Newsom vetoed Senate Bill 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. This bill aimed to create a comprehensive regulatory framework for AI models, seeking to balance public safety with innovation. Although the veto was a setback for the bill, it highlights key debates in the emerging field of AI governance and the potential for California to shape the future of AI regulation.

**California's Influence on Tech Legislation**

As the home of Silicon Valley, California has long been a leader in technology regulation, with its policies often setting the precedent for other states. For example, the California Consumer Privacy Act (CCPA) inspired similar data protection laws in Virginia and Colorado. With the rapid advancement of AI technology, California's efforts in AI governance could have a lasting impact on both national and international regulatory frameworks, while also catalyzing federal lawmakers to consider nationwide AI regulations, similar to how California's auto emissions standards influenced federal policies.

**What's at Stake**

Gov. Newsom's veto highlights several critical issues. First, the bill solely focused on large-scale models that might overlook the dangers posed by smaller, specialized AI systems. The governor emphasized the need for regulations based on empirical evidence of actual risks rather than the size or cost of AI models. Second, he cautioned that stringent regulations could stifle innovation, particularly if they did not keep pace with the rapidly evolving AI landscape. The governor advocated for a flexible approach that could adapt to new developments. Third, Newsom stressed the importance of considering whether AI systems are deployed in high-risk environments or involve critical decision-making with sensitive data, areas the bill did not specifically address.

**Looking Ahead**

Although this might seem like a setback to some, the veto allows California to continue its thought leadership in shaping modern technology policy. To move forward and reconcile differences, the California legislature and Governor's office can undertake several collaborative efforts:

*   Establish a joint task force comprising representatives from the governor's office, legislators, AI experts, industry leaders, and AI ethics experts. This group can facilitate open discussions to understand each other's concerns and priorities.
    
*   Incorporate insights from academia, research organizations, and the public. Transparency in the legislative process can build trust and ensure diverse perspectives are considered.
    
*   Shift the regulatory focus from the size and computational resources of AI models to the actual risks associated with specific applications. This aligns with the governor's call for evidence-based policymaking.
    
*   Draft legislation that includes provisions for regular review and updates, allowing the regulatory framework to evolve alongside rapid technological advancements in AI.
    

**European Union: AI Act**

California legislators can benchmark existing AI legislation such as the EU Artificial Intelligence Act. The EU's AI Act is a pioneering, comprehensive legal framework designed to foster trustworthy AI while supporting innovation. It adopts a risk-based approach, categorizing AI systems into four levels: unacceptable, high, limited, and minimal risk. Unacceptable risk practices are prohibited, while high-risk AI applications in areas like education, employment, and law enforcement face stringent requirements. The act mandates transparency, requiring users to be informed when interacting with AI systems such as chatbots. It also introduces obligations for general-purpose models, focusing on risk management and transparency.

The AI Act's strengths include comprehensive coverage, ensuring all forms of AI are regulated uniformly, and its emphasis on protecting fundamental rights by categorizing AI based on risk levels. It encourages innovation by reducing regulatory burdens for low-risk AI applications, thus fostering technological development. However, the act's complexity and cost may be burdensome for small and midsize enterprises, and there's a potential risk of regulatory overreach, possibly hindering innovation.

**Conclusion**

California is at the forefront of tackling the challenges and opportunities posed by advanced AI models. Collaboration between government and industry stakeholders is essential in shaping a regulatory framework that keeps pace with the rapid evolution of AI technology. By working together with industry and other thought leaders, legislators can craft a flexible, evidence-based framework that ensures public safety while encouraging innovation. Like past tech regulations, California can set a strong precedent for responsible AI governance, with its influence likely extending beyond state lines. As AI continues to evolve, the world will closely monitor California's efforts, and true success will depend on protecting the public without stifling AI's transformative potential.

**About the Author**

Principal Product Manager, F5 Inc.

Debrup Ghosh is a seasoned product management leader with extensive experience in cybersecurity, SaaS, and AI-driven solutions. Currently a principal product manager at F5 Networks, he leads the development of cutting-edge Web application and API protection (WAAP) products with a focus on AI/ML innovations. Debrup has a proven track record of driving product success at major companies including Synopsys, Verizon, and Michelin. His leadership has earned him multiple global awards, including the 2024 Stevie Awards. A recognized thought leader, his insights have been featured in media outlets such as CNN and Forbes. Debrup holds an MBA from the University of California, Irvine, and a bachelor of technology from the National Institute of Technology, Tiruchirappalli.

Source

DARKReading