For development teams awash in vulnerability reports, reachability analysis can help tame the chaos and offer another path to prioritize exploitable issues.

Source: Photon Photo via Shutterstock

AI assistants are a double-edged sword for developers. On one hand, code-generation assistants have made creating barebones applications easier and led to a surge in code pushed to GitHub. Yet just as easy? Generating code with defects and vulnerabilities.

As a result, application security teams serving large development groups are seeing growing application vulnerability reports — a large portion of which are false positives. In fact, nearly a third of teams (31%) find the majority of reported vulnerabilities are false positives, according to software security firm Snyk's "2023 State of Open Source Security" report.

In the face of growing volumes of code submissions and continuing problems with false positives, application security teams are relying on reachability analysis as an important way to prioritize their remediation requests. Because only 10% to 20% of imported code is typically used by a specific application, determining whether the code is reachable by an attacker — and thus likely exploitable — can dramatically reduce the number of vulnerabilities that need to be patched, says Joseph Hejderup, technical staff member at Endor Labs, who presented on the topic at SOSS Community Day Europe 2024 in September. This makes it possible to prioritize vulnerability reports, he says.

"With software composition analysis — without looking into the code — we are essentially assuming that if you use this library, you're using all this functionality, where in reality we know that you're only using part of the library," Hejderup says. "By going down to the source code, you can see whether this particular vulnerable part of the code is used or not used."

Static application security testing (SAST) tools continue to evolve and have a proven return on investment (ROI), especially if they are used to catch software defects during development time, when the cost of fixing a bug is lower. However, false positives reduce the benefits of SAST tools and undermine developer trust in the tools.

**False Positives, Lack of Context Remain Problems**

Overall, 61% of developers believe the faster cadence of development with automation has increased the number of false positives, according to Snyk's report. For application security teams, finding ways to reduce the volume of vulnerabilities discovered in dozens or hundreds of projects into a more manageable burden is critical, says Randall Degges, head of developer relations at Snyk.

"Each of those projects has hundreds — maybe thousands of vulnerabilities — and a lot of them look scary, like these critical RCE vulnerabilities," he says. "Reachability is really a nice way to kind of calm yourself down as a security team and not stress your teams out because, if you're able to successfully filter the vulnerabilities that you see based on, 'Are they even being executed, like in our code base or not,' that's a really big benefit to security teams."

Overall, companies can reduce their remediation work by 60%, just by excluding unreachable code. One study found that, while 71% of Java applications consist of open source code, applications used only about 12% of that code.

Combining reachability with other contextual information — such as exploitability and business impact — reduces the workload even further. In an analysis of 106 million alerts from 900 organizations, or an average of about 118,000 alerts per organization, reachability analysis reduced the workload by 99.5% — or down to about 660 alerts per organization, according to application security firm OX Security.

Reporting fewer vulnerabilities back to developers can help reduce friction between the two groups, says Katie Teitler-Santullo, cybersecurity strategist with OX Security.

"A lot of the frustration happens because tools aren't able to reduce the noise and focus on the prioritization that developers need \[in order\] to move at the speed of development versus the speed of security," she says.

**Source Code Analysis or Instrumentation**

Typically, there are two approaches to reachability analysis. One is static code analysis focused on building graphs of the function calls in the applications and determining whether specific code can be executed. The determination is not always simple: A conditional statement may be executed only once in hundred or thousands calls — or never — and so application security tools have to determine whether that constitutes a threat.

Snyk, for example, errs on the side of work reduction. If there is a conditional statement, the company's tools will ignore the minor branches and just focus on the likely outcome, says Snyk's Degges.

"We look for things where we can 100% definitively trace it down there, and say that, 'Yes, this is reachable,'" he says. "The trade-off for that is that some things may be marked as not reachable, even though they are. But the benefit is that people aren't getting a bunch of false alerts."

Another approach is to instrument the application and the code, determining at runtime what functions are being executed and label that code as reachable.

Whether a vulnerability in the code can be exploited is another level of investigation. Endor Lab's Hejderup expects companies to be able to filter down to code that is reachable and provably exploitable as the next step.

"This type of more advanced, sophisticated analysis would likely be the next level within reachability analysis," he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Reachability Analysis Pares Down Static Security-Testing Overload

Microsoft warns that ransomware group Storm-0501 has shifted from buying initial access to leveraging weak credentials to gain on-premises access before moving laterally to the cloud.

Source: Vitali Gulenok via Alamy Stock Photo

Adversaries have caught on to the complexity that cybersecurity teams face in securing hybrid cloud environments — the latest of which is a particularly odious group tracked as "Storm-0501," a cash-grab operation that regularly targets the most vulnerable organizations, including schools, hospitals, and law enforcement across the US.

Storm-0501 has been around since 2021, according to a new report from Microsoft Threat Intelligence, operating as affiliates of a variety of ransomware-as-a-service (RaaS) strains including BlackCat/ALPHV, LockBit, and Embargo.

Notably, Microsoft has observed a shift in approach by the ransomware group. Once reliant on buying initial access from brokers, Storm-0501 has more recently found success exploiting hybrid cloud environments with weak passwords and overprivileged accounts. They first crack into the on-premises environment at a target, then pivot to burrow into the cloud, as seen in one campaign that successfully targeted Entra ID credentials.

**Microsoft Entra Connect Credential Crack**

The Microsoft team detailed a recent attack from Storm-0501 threat actors that used compromised credentials to access Microsoft Entra ID (formerly Azure AD). This on-premises Microsoft application is responsible for synching passwords and other sensitive data between objects in Active Directory and Entra ID, which essentially allows a user to sign in to both on-premises and cloud environments using the same credentials.

Once Storm-0501 was able to move laterally into the cloud, it was able to tamper with and exfiltrate data, set up persistent backdoor access, and deploy ransomware, the report warned.

"We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts," Microsoft reported. "Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear-text credentials and get an access token to Microsoft Graph."

From there, an attacker can freely change the Microsoft Entra ID passwords of any hybrid, synced account.

But that's not the only way these slippery cybercriminals have found to vault from a compromised Entra ID account into the cloud. The second strategy is more complicated, as Microsoft detailed, and relied on breaching a domain admin account with a correlating Entra ID that is designated with global admin permissions. Additionally, the account needs to have multifactor authentication (MFA) disabled for the attackers to be successful.

"It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case," Microsoft said. "However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. Web browsers' passwords store), then the pivot is possible."

Once it was in, Storm-0501 got busy setting up persistent backdoor access for later, working to achieve network control, and ensuring lateral movement to the cloud, Microsoft reported. Once that was done, they exfiltrated the files they wanted and deployed Embargo ransomware across the entire organization.

"In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named 'SysUpdate' that was registered via GPO on the devices in the network," according to the Microsoft report.

The two separate versions of attacks against Microsoft's Entra ID application demonstrate that cybercriminals of opportunity have focused in on hybrid cloud environments, and their big, fat attack surfaces, as easy wins.

**Securing the Hybrid Cloud Against Storm-0501 Attacks**

"As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations," Microsoft's Threat Intel team warned.

Enterprise cybersecurity teams can achieve this by continuing to move toward a zero-trust framework, according to a statement from Patrick Tiquet, vice president, security and architecture, at Keeper Security.

"This model restricts access based on continuous verification, ensuring that users only have access to the resources essential for their specific roles, minimizing exposure to malicious actors," Tiquet explained via email. "Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them."

Centralizing endpoint device management (EDM) is also "essential," he said. "Ensuring consistent security patching across all environments — whether cloud-based or on-premises — prevents attackers from exploiting known vulnerabilities."

Advanced monitoring will help teams spot potential threats across hybrid cloud environments before they can become a breach, he added.

Stephen Kowski, field CTO at SlashNext Security echoed many of the same recommendations in an emailed statement.

"This report highlights the critical need for robust security measures across hybrid cloud environments," Kowski said. "Security teams should prioritize strengthening identity and access management, implementing least privilege principles, and ensuring timely patching of Internet-facing systems."

In addition, he suggested shoring up security to protect against initial access attempts.

"Deploying advanced email and messaging security solutions can help prevent initial access attempts through phishing or social engineering tactics that often serve as entry points for these sophisticated attacks," he added.

Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

The threat actors managed to gain access to Sen. Ben Cardin (D-Md.) by posing as a Ukrainian official, before quickly being outed.

Sen. Ben CardinSource: B Christopher via Alamy Stock Photo

Earlier this month, Senator Ben Cardin (D-Md.), who serves as the Democratic chair of the Senate Foreign Relations Committee, was targeted in an advanced deepfake operation that managed to in part succeed in duping the politician.

The operation was centered around Cardin's professional association with Dymtro Kuleba, the former Ukrainian Minister of Foreign Affairs. Cardin's office reportedly received an email from someone they believed to be Kuleba, who Cardin already knew from past meetings.

Kuleba and Cardin met via Zoom through what seemed to be a live audio-video connection "that was consistent in appearance and sound to past encounters," according to a notice issued by the Senator’s security office.

But it was here that things began to go awry for the threat actors. "Kuleba" began to ask Cardin questions such as, "do you support long-range missiles into Russian territory? I need to know your answer," and other "politically charged questions in relation to the upcoming election" according to the notice. 

At this point, Cardin and his staff knew something was wrong.

The malicious actor on the other side of the call continued on, attempting to bait the senator into commenting on a political candidate and other things.

"The Senator and their staff ended the call, and quickly reached out to the Department of State who verified it was not Kuleba," said Nicolette Llewellyn, the director of Senate Security, in the notice.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**Deepfake Scams Are on the Rise**

On Sept. 25, Cardin commented on the encounter, describing the person on the other side of the screen as a malign actor that engaged in a deceptive attempt to try to have a conversation with him.

"After immediately becoming clear that the individual I was engaging with was not who they claimed to be, I ended the call and my office took swift action, alerting the relevant authorities," Sen. Cardin said. "This matter is now in the hands of law enforcement, and a comprehensive investigation is underway."

However, how far these threat actors managed to get was impressive — and concerning. Had they not revealed their scheme by acting out of character for the person they were impersonating, they may have gleaned sensitive or important information.

"On an individual level, \[deepfakes\] can lead to blackmail and extortion," says Eyal Benishti, CEO of Ironscales. "For businesses, deepfakes pose risks of significant financial loss, reputational damage, and corporate espionage. On a governmental level, they threaten national security and can undermine the democratic processes" — no doubt referencing a deepfake robocall that was created to impersonate President Joe Biden with the goal of getting Biden supporters to stay home for a lower voter turnout.

Related:Zimbra RCE Vuln Under Attack Needs Immediate Patching

It's clear that deepfake schemes are becoming a bigger threat and more widely used by malicious actors. In a July report that Trend Micro shared with Dark Reading, the researchers found that 80% of the consumers involved a survey had seen deepfake images, and 64% had seen deepfake videos. Roughly half of consumers surveyed had heard of deepfake audio clips. And concerningly, 35% of the respondents said they had experienced a deepfake scam themselves, with even more saying that they know someone who has.

These types of scams come in all kinds of varieties, such as the deepfake videos of UK Prime Minister Keir Starmer and Prince William that were circulating on Meta platforms earlier this year to promote a cryptocurrency platform called Immediate Edge. The platform was fraudulent and aimed to dupe potential victims by making it seem as though it was backed by reputable public figures. According to researchers who studied the disinformation campaign, the deepfake ads reached nearly 900,000 people who spent more than £20,000 on the platform.

Related:Retail & Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

"The rise of deepfakes — be it through images, videos, or audio — is hard to deny," Benishti says. "These attacks are becoming increasingly sophisticated and often indistinguishable from reality, thanks to the accessibility of generative AI tools."

And that means that defenses need to shift, Benishti says. 

"Currently, there are no foolproof methods to easily detect deepfakes," he says. "Until technology catches up, we must prioritize awareness, education, and training to equip individuals and organizations with the skills and strategies needed to act on their suspicions, implement effective verification processes, and ultimately improve their ability to discern what is real and what is not."

These recommendations apply to anyone, not just high-ranking or high-profile individuals such as Cardin.

"Cybercriminals capitalize on opportunity, regardless of status, which means that anyone could be a target," Benishti adds. "It's crucial for everyone, not just prominent figures, to stay alert and skeptical of any urgent or unexpected requests. Vigilance and verification are key defenses against these evolving threats."

Elaborate Deepfake Operation Takes a Meeting With US Senator

By combining agility with compliance, and security with accessibility, businesses will treat their data as a well-prepared traveler, ready for any adventure.

Source: Lucie Konecna via Alamy Stock Photo

COMMENTARY

The post-pandemic need for "anywhere connection" is fueling not only borderless business but also the rise of digital nomads. Surprisingly, the two face similar issues.

Consider that both international enterprises and location-independent workers must be prepared for travel, follow local rules, and carry only the essentials. For a digital nomad, this might mean a laptop, a handful of essential apps, and a reliable VPN. For an enterprise and its data, it's multicloud databases, robust encryption, and a zero-trust posture. In both cases, excess baggage only slows you down and increases vulnerability. And, in both cases, not following the rules can result in legal headaches.

Indeed, enterprises today walk a data tightrope. Their information ecosystems must be adaptable across diverse environments, navigating tightening regulations, heightened security requirements, and complex data rules.

Let's explore how enterprises can become data nomads by balancing compliance, security, and agility — all while seeing the world without getting in trouble.

**From Home Bases to Global Expeditions**

Mastering travel is crucial for digital and data nomads. Like savvy travelers navigating international borders, enterprises must maneuver a varied data landscape — especially with the likes of the European Union's General Data Protection Regulation (GDPR) acting as a stringent "passport control" for information. Therefore, understanding what's required is key to moving data from point A to B while abiding by the law.

Enterprises must first map their data — their digital luggage — to know what they have, how it's regulated, and where it's stored. Like nomads with a home base, many adopt a hybrid cloud approach. This home-and-away strategy blends on-premises infrastructure with public cloud services, offering flexibility, cost benefits, and resilience. It ensures data resides in jurisdictionally appropriate locations while enabling global reach. 

However, moving data between specific regions brings additional complications, especially between Europe and the US. For years, the "visa requirements" governing acceptable data transfers between these two superpowers have been in flux, with the EU-US Data Privacy Framework being the latest attempt to streamline cross-border data. Organizations still need to secure the right "travel permits" with a combination of approaches. This might involve keeping sensitive data in EU-based systems, using standard contractual clauses for US transfers, or applying new framework principles where relevant. However, given the turbulent history of previous agreements like Privacy Shield and Safe Harbour, enterprises should watch this space.

Another way to travel without falling afoul of the authorities is isolated connectivity. Google's Distributed Cloud latest configuration exemplifies this balance, with its air-gapped appliance allowing users to access cloud applications without jeopardizing data security — a blend of home comfort and travel flexibility for enterprise data.

**A Nomad's Security Toolkit**

But moving from place to place exposes both digital and data nomads to security risks. Just as globe-trotting workers must stay vigilant against pickpockets and scams, enterprises must be wary of bad actors — a growing concern with the rise of distributed workloads and global hackers.

The good news is that enterprises can and must fight back. End-to-end encryption acts like an unbreakable luggage lock, protecting information at every step. Multifactor authentication serves as a biometric passport, ensuring only authorized personnel gain access. Regular security audits flag potential risks, much like travel advisories. And, by embracing distributed storage, companies avoid keeping all their eggs in one basket, reducing the impact of any single breach.

Adopting a zero-trust architecture — comparable to a cautious security detail — further ensures verification regardless of origin. This "trust nothing, verify always" mindset treats every network as hostile and scrutinizes each access request, thereby reducing the risk of data breaches and unauthorized access.

**Lessons From the Road**

By now I've done this metaphor to death, but the parallels between digital nomads and enterprise data are too striking to ignore — and the challenges will only continue to evolve.

Emerging technologies like edge computing and AI will create new destinations for our data to explore. And don't expect regulations to slow down, further shaping digital travel requirements. This demands IT leaders have their finger on the pulse and think about their data journey from door to door.

The most successful enterprises will be those that can turn potential data pitfalls into opportunities for growth and innovation. By combining agility with compliance, and security with accessibility, they will treat their data as a well-prepared traveler, ready for any adventure.

The lesson from our digital nomad cousins is clear: Pack light, comply right.

**About the Author**

Founder & CEO, Hexnode

Apu Pavithran is the founder and CEO of Hexnode. Recognized in the IT management community as a consultant, speaker, and thought leader, Apu has been a strong advocate for IT governance and information security management.

Treat Your Enterprise Data Like a Digital Nomad

Productivity has a downside: A shocking number of employees share sensitive or proprietary data with the generational AI platforms they use, without letting their bosses know.

Source: Marcos Alvarado via Alamy Stock Photo

Generational AI chatbots are popping up in everything from email clients to HR tools these days, offering a friendly and smooth path toward better enterprise productivity. But there's a problem: All too often, workers aren't thinking about the data security of the prompts they're using to elicit chatbot responses.

In fact, more than a third (38%) of employees share sensitive work information with AI tools without their employer's permission, according to a survey this week by the US National Cybersecurity Alliance (NCA). And that's a problem.

The NCA survey (which polled 7,000 people globally) found that Gen Z and millennial workers are more likely to share sensitive work information without getting permission: A full 46% and 43%, respectively, admitted to the practice, as opposed to 26% and 14% of Gen X and baby boomers, respectively.

**Real-World Consequences From Sharing Data With Chatbots**

The issue is that most of the most prevalent chatbots capture whatever information users put into prompts, which could be things like proprietary earnings data, top-secret design plans, sensitive emails, customer data, and more — and send it back to the large language models (LLMs), where it's used to train the next generation of GenAI.

And that means that someone could later access that data using the right prompts, because it's part of the retrievable data lake now. Or, perhaps the data is kept for internal LLM use, but its storage isn't set up properly. The dangers of this — as Samsung found out in one high-profile incident — are relatively well understood by security pros — but by everyday workers, not so much.

ChatGPT’s creator, OpenAI, warns in its user guide, "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations." But it's hard for the average worker to constantly be thinking about data exposure. Lisa Plaggemier, executive director of NCA, notes one case that illustrates how the risk can easily translate into real-world attacks.

"A financial services firm integrated a GenAI chatbot to assist with customer inquiries," Plaggemier tells Dark Reading. "Employees inadvertently input client financial information for context, which the chatbot then stored in an unsecured manner. This not only led to a significant data breach, but also enabled attackers to access sensitive client information, demonstrating how easily confidential data can be compromised through the improper use of these tools."

Galit Lubetzky Sharon, CEO at Wing, offers another real-life example (without naming names).

"An employee, for whom English was a second language, at a multinational company, took an assignment working in the US," she says. "In order to improve his written communications with his US based colleagues, he innocently started using Grammarly to improve his written communications. Not knowing that the application was allowed to train on the employee's data, the employee sometimes used Grammarly to improve communications around confidential and proprietary data. There was no malicious intent, but this scenario highlights the hidden risks of AI."

**A Lack of Training & the Rise of "Shadow AI"**

One reason for the high percentages of people willing to roll the dice is almost certainly a lack of training. While the Samsungs of the world might swoop into action on locking down AI use, the NCA survey found that 52% of employed participants have not yet received any training on safe AI use, while just 45% of the respondents who actively use AI have.

"This statistic suggests that many organizations may underestimate the importance of training, perhaps due to budget constraints, or a lack of understanding about the potential risks," Plaggemier says. And meanwhile, she adds, "This data underscores the gap between recognizing potential dangers and having the knowledge to mitigate them. Employees may understand that risks exist, but the lack of proper education leaves them vulnerable to the severity of these threats, especially in environments where productivity often takes precedence over security."

Worse, this knowledge gap contributes to the rise of "shadow AI," where unapproved tools are used outside the organization's security framework.

"As employees prioritize efficiency, they may adopt these tools without fully grasping the long-term consequences for data security and compliance, leaving organizations vulnerable to significant risks," Plaggemier warns.

**It's Time for Enterprises to Implement GenAI Best Practices**

It's clear that prioritizing immediate business needs over long-term security strategies can leave companies vulnerable. But when it comes to rolling out AI before security is ready, the golden allure of all those productivity enhancements — sanctioned or not — may often prove too strong to resist.

"As AI systems become more common, it's essential for organizations to view training not just as a compliance requirement but as a vital investment in protecting their data and brand integrity," Plaggemier says. "To effectively reduce risk exposure, companies should implement clear guidelines around the use of GenAI tools, including what types of information can and cannot be shared."

Morgan Wright, chief security adviser at SentinelOne, advocates starting the guidelines-development process with first principles: "The biggest risk is not defining what problem you're solving through chatbots," he notes. "Understanding what is to be solved helps create the right policies and operational guardrails to protect privacy and intellectual property. It's emblematic of the old saying, 'When all you have is a hammer, all the world is a nail.'"

There are also technology steps that organizations should take to shore up AI risks.

"Establishing strict access controls and monitoring the use of these tools can also help mitigate risks," Plaggemier adds. "Implementing data masking techniques can protect sensitive information from being input into GenAI platforms. Regular audits and the use of AI monitoring tools can also ensure compliance and detect any unauthorized attempts to access sensitive data."

There are other ideas out there, too. "Some companies have restricted the amount of data input into a query (like 1,024 characters)," Wright says. "It could also involve segmenting off parts of the organization dealing with sensitive data. But for now, there is no clear solution or approach that can solve this thorny issue to everyone's satisfaction."

The danger to companies can also be exacerbated thanks to GenAI capabilities being added to third-party software-as-a-solution (SaaS) applications, Wing's Sharon warns — this is an area that is too often overlooked.

"As new capabilities are added, even to very reputable SaaS applications, the terms and conditions of those applications is often updated, and 99% of users don't pay attention to those terms," she explains. "It is not unusual for applications to set as the default that they can use data to train their AI models."

She notes that an emerging category of SaaS security tools called SaaS Security Posture Management (SSPM) is developing ways to monitor which applications use AI and even monitor changes to things like terms and conditions.

"Tools like this are helpful for IT teams to assess risks and make changes in policy or even access on a continuous basis," she says.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Shadow AI, Data Exposure Plague Workplace Chatbot Use

The vulnerability is the latest discovered in connected vehicles in recent years, and it points out the cyber dangers lurking in automotive APIs.

Source: Jonathan WeissI via Shutterstock

Car buyers typically have many questions when purchasing a new automobile, but few are likely to consider whether an attacker could remotely control their vehicle using just license plate information.

Yet that's exactly what millions of Kia vehicles allowed until mid-August, when the automaker fixed a flaw that enabled such access, after independent security researchers alerted them to the issue.

**Remote Control of Kia Cars & SUVs**

The glitch is similar to those that the same group of researchers and others have discovered in recent years, and is sure to stoke already high concerns over the vulnerability of modern connected vehicles to cyberattacks.

In a Sept. 26 report, independent researcher Sam Curry said he discovered the Kia vulnerability when doing some follow-up research on multiple flaws he and colleagues discovered a couple of years ago in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others.  

At the time, the researchers showed how anyone could take advantage of the vulnerabilities to issue commands for remotely locking and unlocking vehicles, starting and shutting down the engine, and activating a vehicle's headlight and horn. Some of the flaws allowed an adversary to remotely take over an owner's account and lock them out of managing their own vehicle, while others enabled remote access to a vehicle's camera, with the ability to view live images from inside the vehicle. Some of the hacks required an adversary to have little more than a vehicle identification number, and sometimes even just an owner's email address.

**An Issue With Automotive API Protocols**

As with many of the previous flaws, the new issue that Curry and his fellow researchers discovered had to do with the application programming interface (API) protocols that enable Internet-to-vehicle commands on Kia automobiles.

The researchers found that it was relatively easy to register a Kia dealer account and authenticate it to the account. They could then use the generated access token to call APIs reserved for use by dealers, for things like vehicle and account lookup, owner enrollment, and several other functions.

After some poking around, the researchers found that they could use their access to the dealer APIs to enter a vehicle's license-plate information and retrieve data that essentially allowed them to control key vehicle functions. These included functions like turning the ignition on and off, remotely locking and unlocking vehicles, activating its headlights and horn, and determining its exact geolocation.

In addition, they were able to retrieve the owner's personally identifying information (PII) and quietly register themselves as the primary account holder. That meant they had control of functions normally available only the owner. The issues affected a range of Kia model years, from 2024 and 2025 all the way back to 2013. With the older vehicles, the researchers developed a proof-of-concept tool that showed how anyone could enter a Kia's vehicle license plate info and in a matter of 30 seconds execute remote commands on the vehicle.

"The recent discovery underscores the intricate challenges posed by the complex API protocols — such as gRPC, MQTT, and REST — used in connected cars," says Ivan Novikov, CEO of API security firm Wallarm. "Automakers must prioritize enhancing their cybersecurity measures by implementing stronger authentication methods and securing communication channels to protect against unauthorized access."

Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, says the new discovery highlights how the biggest vulnerabilities in connected vehicles often have to do with systems that communicate with the outside world. He points to always-connected vehicle telematics systems as one example of such a component.

"Infotainment systems are another concern, as they connect to smartphones, apps, and other services, creating more entry points for hackers into the car's internal network," Mittal says. "The recent Kia hack really highlights how APIs and cloud services can be weak spots; if the APIs that control critical functions aren't secured properly, they become easy targets for attackers."

**A Troubling Pattern of Cars' Cyber Insecurity**

News of the Kia hack adds to growing concerns over connected vehicles — and not just about their security either. Earlier this year, two senior US lawmakers slammed General Motors, Honda, and Hyundai for collecting extensive data from connected vehicle about owners and their movement. The two lawmakers, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) called the data collection by the three automakers of a symptomatic industry-wide problem that highlighted the need for greater oversight and scrutiny of automaker practices.

"Automotive vendors have proven irresponsible at security again and again, and I wonder how much more we are going to see before action is taken," says David Brumley, CEO of software security firm ForAllSecure. "Yesterday the average driver worried about \[the theft of their\] key fob. Today, they have to worry about whether their dealer or manufacturer has an unprotected API. Where is the \[National Transportation Safety Board\] on this?"

Kia Motors did not respond immediately to a Dark Reading request for comment.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Kia Vehicles Open to Remote Hacks via License Plate

Companies that commit to risk management have a strong cybersecurity foundation that makes it easier to comply with the SEC's rules. Here is what you need to know about 8K and 10K filings.

Source: Louisa Svensson via Alamy Stock Photo

Question: How should security leaders navigate the SEC's cybersecurity and disclosure rules? What do they need to do in order to ensure compliance?

Michael Gray, CTO, Thrive: While the Securities and Exchange Commission's (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules went into effect toward the end of 2023, many organizations still have questions when it comes to filings and disclosures. Under these rules, organizations have to disclose significant cybersecurity incidents and provide annual updates on their cybersecurity posture. Being able to accurately share cybersecurity updates, sometimes within short time frames, requires teams to have a deep understanding of 8-K and 10-K filings, and to implement new processes that simplify compliance.

**The Difference Between an 8-K and 10-K Filing**

8-K filings, in general, are periodic reports that public companies use to share information about major events that investors would likely want to know when making investment decisions. The SEC's cybersecurity rules now explicitly require that companies disclose material cybersecurity incidents via Item 1.05 of Form 8-K.

10-K filings, on the other hand, are detailed annual reports that summarize a public company's financial and operational performance over the past year. Part of a company's responsibility is to disclose the inner happenings of the business with stakeholders, and 10-K filings help to educate investors so that they can make informed decisions about their investments. Public companies must now include information about their cybersecurity strategy, governance, perceived threats, and material events that happened throughout the year within their yearly 10-K filings.

**The 8-K: Define Materiality**

A common question among cybersecurity teams today is how to determine whether a cybersecurity incident is "material" — incidents that have a significant impact on financial outcomes, as well as implications on the company's operations, reputation, compliance, and customer or stakeholder relations — and deserving of an 8-K filing. The SEC's guidance is that a cybersecurity incident is material if a rational investor would want to know about the event, such as incidents that result in substantial revenue losses, operational interruption or downtime, negative media coverage, legal risk, and customer data loss. For example, the Change Healthcare ransomware attack was material —patients' data was compromised, and it negatively affected hospitals, clinics, and healthcare professionals relying on the company. On the other hand, a phishing scheme targeted at an individual through a work email would not be considered material, as it most likely would not result in substantial revenue loss for the business or impact company stakeholders — especially if only personal information was given.

Companies must file an 8-K within four business days of identifying an incident, not within four business days of the incident occurring. If additional material information is identified that needs to be disclosed, companies would file an amendment to the original 8-K that disclosed the incident. In many cases, cybersecurity teams will uncover additional details about the incident that they can then share in subsequent reports to the SEC. Companies also have a duty to correct a prior disclosure that is found to be untrue as additional facts are determined.

**The 10-K: Disclosing Too Much and Too Little Information**

10-K filings are where cybersecurity teams share details on the current state of the company's cybersecurity program and strategy. The SEC's disclosure rules require that organizations identify who has oversight over cybersecurity activity and describe how they evaluate, discover, and mitigate material risks from cybersecurity threats. Item 106 of the 10-K is also where teams can revisit material incidents over the past year and provide additional commentary on the company's response and performance since the event. Item 106 also requires organizations to describe the board of directors' oversight of risks and management's role in assessing material risks. 10-K filings are not necessarily “new” in terms of information about an incident previously reported in an 8-K filing, but rather information about the resultant impact to the business and any identified cyber-risks the company faces that could result from a previous incident.

Again, the rule of thumb on how much information to disclose is that companies should give enough information for shareholders to be able to make sound investment decisions. A few details to consider include whether your company has a CISO, what cyber training programs are implemented for the board and employees at large, and if anyone on the board has detailed cybersecurity knowledge or expertise. More often than not, this means leaning into transparency rather than hiding critical details.

**Make Compliance Simpler**

Outside of 8-K and 10-K filings, employees should understand the company's overarching cybersecurity framework. This framework should cover how the organization approaches cybersecurity overall, document incident response procedures, and summarize how the enterprise improves over time.

Modern organizations have to be able to mitigate risk before and after cybersecurity incidents. Cybersecurity leaders should frequently audit their cybersecurity capabilities, as threats are evolving constantly. This involves identifying potential vulnerabilities and implementing effective risk management strategies, running real-time tests on your network and endpoints, and continuously communicating and training staff on cybersecurity policies. The SEC provides readiness assessments that can help in this area.

After an incident occurs, leaders should reflect on how well the organization responded and ensure key details are thoroughly documented within the 8-K. Companies should also engage with legal experts to review their compliance posture on a regular basis. Furthermore, employees need dedicated training on the SEC's cybersecurity disclosure rules, so that they are aware of the company's reporting obligations and understand their roles when it comes to incident response and annual readouts.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Adversaries can exploit CVE-2024-6769 to jump from regular to admin access without triggering UAC, but Microsoft says it's not really a vulnerability.

Source: Panther Media GmbH via Alamy Stock Photo

Researchers have flagged a weakness they're tracking as CVE-2024-6769, calling it a combination user access control (UAC) bypass/privilege escalation vulnerability in Windows. It could allow an authenticated attacker to obtain full system privileges, they warned.

That's according to Fortra, which assigned the issue a medium severity score of 6.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Its proof-of-concept exploit demonstrates that "you have the ability to shut down the system," stressed Tyler Reguly, associate director of security R&D at Fortra. "There are certain locations on the drive where you can write and delete files that you couldn't previously." That includes, for example, C:\\Windows, so an attacker could take ownership over files owned by SYSTEM.

For its part, Microsoft acknowledged the research but said it does not consider this an actual vulnerability, because it falls under its concept of acceptability to have "non-robust" security boundaries.

**Understanding Integrity Levels in Windows**

To understand Fortra's findings, we have to go back to Windows Vista, when Microsoft introduced the model of Mandatory Integrity Control (MIC). Simply put, MIC assigned every user, process, and resource a level of access, called an integrity level. Low integrity levels were afforded to all, medium for authenticated users, high for administrators, and system for only the most sensitive and powerful.

Alongside those integrity levels came UAC, a security mechanism that runs most processes and applications at the medium level by default, and requires explicit permission for any actions that require greater privileges than that. Typically, an admin-level user can upgrade simply by right-clicking a command prompt and selecting "Run as Administrator."

By combining two exploit techniques, Fortra researchers demonstrated in their proof of concept how an already-authorized user could slither through this system, jumping across the security boundary imposed on the medium integrity level to obtain full administrative privileges, all without triggering UAC.

**Using CVE-2024-6769 to Jump Across User Boundaries**

To exploit CVE-2024-6769, an attacker first must have a foothold in a targeted system. This requires the medium integrity-level privileges of an average user, and the account from which the attack is triggered must belong to the system's administrative group (the type of account that could level up to admin privileges, if not for UAC being in its way).

The first step in the attack involves remapping the targeted system's root drive — such as "C:" — to a location under their control. This will also shift the "system32" folder, which many services rely on to load critical system files.

One such service is the CTF Loader, ctfmon.exe, which runs without administrator privileges at a high integrity level. If the attacker places a specially crafted, copycat DLL in the copycat system32 folder, ctfmon.exe will load it and execute the attacker's code at that high integrity level.

Next, if the attacker wishes to obtain full administrative privileges, they can poison the activation context cache, which Windows uses to load specific versions of libraries. To do this, they craft an entry in the cache pointing to a malicious version of a legitimate system DLL, contained in an attacker-generated folder. Through a specially crafted message to the Client/Server Runtime Subsystem (CSRSS) server, the fake file is loaded by a process that has administrator privileges, granting the attacker full control over the system.

**Microsoft: Not a Vulnerability**

Despite the potential for privilege escalation, Microsoft refused to accept the issue as a vulnerability. After Fortra reported it, the company responded by pointing to the "non-boundaries" section of the Microsoft Security Servicing Criteria for Windows, which outlines how "some Windows components and configurations are explicitly not intended to provide a robust security boundary." Under the pertinent "Administrator to Kernel" section, it reads:

> Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strongly isolated from the kernel boundary. Administrators are in control of the security of a device and can disable security features, uninstall security updates, and perform other actions that make kernel isolation ineffective.

Essentially, Reguly explains, "They see the admin-to-system boundary as a nonexistent boundary, because admin is trusted on a host." In other words, Microsoft doesn't consider CVE-2024-6769 a vulnerability if an admin user could ultimately perform the same system-level actions anyway, subject to UAC approval.

In a statement to Dark Reading, a Microsoft spokesperson highlighted that "The method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary."

Reguly and Fortra disagree with Microsoft's perspective. "When UAC was introduced, I think we were all sold on the idea that UAC was this great new security feature, and Microsoft has a history of fixing bypasses for security features," he says. "So if they're saying that this is a trust boundary that is acceptable to traverse, really what they're saying to me is that UAC is not a security feature. It's some sort of helpful mechanism, but it's not actually security related. I think it's a really strong philosophical difference."

**Windows Shops Should Still Beware UAC Bypass Risk**

Philosophical differences aside, Reguly stresses that businesses need to be aware of the risk in allowing lower-integrity admins to escalate their privileges to attain full system controls.

At the end of a CVE-2024-6769 exploit, an attacker would have full reign to manipulate or delete critical system files, upload malware, establish persistence, disable security features, access potentially sensitive data, and more.

"Thankfully, only administrators are impacted by this, which means that most of your standard users are unaffected," Fortra noted in an FAQ to reporters. "For administrators, it is important to ensure that you are not running binaries whose origins cannot be verified. For those admins, however, vigilance is the best defense at the moment."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Novel Exploit Chain Enables Windows UAC Bypass

It is imperative for executives and board members to know who their top allies are, and how to best leverage them to successfully navigate a crisis and minimize the harm caused by a breach.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

September 27, 2024

5 Min Read

Source: Artur Marciniec via Alamy Stock Photo

COMMENTARY

Many organizations have gone to great lengths in preparing for a cyberattack, leveraging both services and solutions to limit risk and exposure. Despite these efforts, breaches persist, ransomware payouts have grown, and leaders continue to make mistakes during cyber crises that impact organizations and customers both short and long term.

Most of these mistakes happen when the stakeholders do not know their roles, responsibilities, and what they are authorized to do in a crisis. This lack of clarity causes friction when leaders are required to make several highly impactful decisions during a cyber incident with little time and often limited verified information.

The biggest challenge facing crisis response teams is the fact there simply is never enough time to gather, verify, and analyze the necessary information to make the best possible decision. Under the pressure of a compressed timeline and increasingly concerned stakeholders, executives and board members tend to fixate on finding ways to shorten the time to remediation.

They should also prioritize reducing present and future risks for the company and ensure their teams do the same, but that often gets overlooked. As everyone within the organization turns to leadership for guidance and direction, it's important for those in charge to understand who their greatest allies are during a crisis and how they can leverage them to minimize the business and reputational impact of a breach.

**Open and Ongoing Communications**

During the crisis, leadership must rely on its guiding principles to define their communication strategy and provide employees with a North Star that explains what they need to do forthwith. This starts with establishing a secure and classified crisis war room to collaborate and communicate under privilege, categorizing the event and defining what can and cannot be shared, and clearly defining roles and responsibilities for each stakeholder. This creates a leadership filter that determines who is authorized to make decisions and sets a timeline in motion for when information should be disseminated internally and externally, which systems need to be taken offline or brought back on, and if or when authorities and regulators should be contacted. 

Organizations must maintain constant communication with each line of business throughout the crisis because it empowers employees to make the micro-decisions necessary to limit the ongoing business and reputational harm. There is no better example of this than former Maersk CEO Soren Skou, whose tip-of-the-spear leadership helped the company navigate the unprecedented 2017 NotPetya malware attack. Skou participated in all crisis calls and meetings, focused on internal and external communication, and instructed all frontline staff across the 130 countries Maersk operates in to "do what you think is right to serve the customer — don't wait for the HQ, we'll accept the cost." In doing so, Maersk quickly mobilized to identify and remove the malware from its systems to restore operations, provided real-time feedback to its stakeholders about the situation, and resumed online books just eight days after the attack.

**Built-in Alternatives**

Each decision made during a crisis can set off a chain reaction that can compound damage. Business and security leaders often experience a rush of cortisol during the first few hours of a crisis that induces the "fog of war" feeling, clouding judgment and causing mistakes. It is important to understand during these moments that each choice has multiple options, leaders must ask the right information-gathering questions to support a full business response, and there is no perfect answer or solution. 

Redundancy is a key strategy to save time during a crisis, and the most mature organizations have created a collaborative response plan based on the PACE model. For instance, if an organization suffers a ransomware attack and its communications platforms are potentially compromised, moving to an alternate platform quickly removes a significant amount of risk. Teams should be aligned on how much risk they are willing to take with each decision and create a coordinated understanding of their options. By working through the pros and cons associated with these choices, executives and board members can determine which decisions their organizations should make to get operations back up and running as quickly and efficiently as possible.

**Driving a Culture of Preparedness**

Organizations that have dedicated the necessary time to preparing their teams for a crisis have confidence in their employees to successfully execute the incident response plan and limit the amount of damage inflicted by a threat actor. Testing each level of these plans, especially the "small details," is critical for successful execution of the organization's strategy. It allows leadership to adapt their playbooks and runbooks to various situations and circumstances, and evolve their pre-crisis plans to account for emerging threats and their effects on the business.

Conducting tabletop exercises, creating and testing playbooks and runbooks, and putting employees through real-life simulations during war games fosters a well-coordinated response and puts teams in the best position for when (not if) a situation arises. These operations can reveal potential gaps and answer questions that include: How is the company communicating to its employees when the email platform is compromised? Who is managing that list of employees and their corresponding contact information? Where is that document stored and when was it last updated? The responses to these questions are a direct correlation to a company's maturity and preparation.

When a corporation finds itself in the middle of a cyber crisis, the key stakeholders will shift their focus to the executive leadership team to determine how well they are responding. During these times, it is imperative for executives and board members to understand who their top allies are, and how to best leverage them to successfully navigate the situation and minimize the financial and reputational harm caused by the breach.

**About the Author**

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online of ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for the IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.

Top Allies Executives &amp; Boards Should Leverage During a Cyber Crisis

As Superman has kryptonite, software has weaknesses — with misconfigurations leading the pack.

Mark Troester, Vice President of Strategy, Progress

September 27, 2024

4 Min Read

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

The convergence of rising cyber threats, advanced artificial intelligence (AI), remote work, and hybrid infrastructures presents significant cybersecurity challenges in today's IT landscape. As a result, it's necessary to make your endpoints, cloud infrastructure, and remote access channels more secure. As cyber adversaries adopt new tactics, organizations worldwide respond by expanding the use of continuous threat exposure management (CTEM) systems, investing in robust security solutions, and leveraging cross-functional collaboration to mitigate risks and safeguard digital assets effectively.

But like Superman has kryptonite, even the best software has weaknesses, with misconfigurations leading the pack.

Consider this: Microsoft research indicates that a staggering 80% of ransomware attacks can be attributed to common configuration errors in software and devices. 

Misconfigurations now hold an unenviable fifth place on the Open Worldwide Application Security Project Top 10 — a crucial vulnerability reference for the cybersecurity community. OWASP found 208,000 occurrences of common weakness enumeration (CWE) within 90% of applications tested for misconfiguration, highlighting the widespread nature of this vulnerability.

OWASP says, "Without a concerted, repeatable application security configuration process, systems are at a higher risk."

With this evidence, it's no wonder that organizations are paying more attention to "misconfigurations."

**Picture This ... **

You're sitting down with your morning cuppa and stories of a data leak hit the headlines. The company affected is a leading insurance firm, and the personal information of thousands of customers has been made available on the Internet for months. With a little research, you learn that the firm left several customer records unprotected on one of its clouds, making it easy for anyone to access this information through a simple SQL command. While digging through the tabloids you stumble upon the cause of such a tremendously ironic turn of events. Turns out, it was a simple misconfiguration error: The system administrator left the cloud open to the public since they missed updating the privacy settings and permissions for the cloud storage in question.

We learn that human errors, despite stringent protocols, are difficult to control and, consequentially, remove. The increasing complexity of distributed and component-based systems and common misunderstandings of system requirements and design will likely lead to more problems. While humans play a critical role in decision-making and monitoring systems, manual updates are no longer viable.

**So, What Can You Do About It?**

With all that's happening in cybersecurity, can you confidently say you have all your endpoints covered? And by all, I mean all — including the data on third-party systems. If your answer to this is yes, congratulations! You're doing better than most organizations in the world! But if your answer is no, I would like you to consider the following measures to improve the security of your systems: 

1.  Employ automation that extends DevOps from application delivery to IT operations to DevSecOps. Automation is the remedy that will help organizations avoid manual errors. It will allow employees to use their precious time for more important tasks while confirming that initial and ongoing configurations are error-free. By automating audits on configurations, you can create a repeatable system hardening process that will potentially save you a lot of time and money in the future. Automation will enable you to reduce human error, improve reliability, maintain consistency, and support collaboration across teams. It will also give all stakeholders visibility over the security posture of your IT estate.
    
2.  Use a policy-as-code approach to help frame your security and compliance policies or rules. Organizations can configure systems by encoding security rules in human-readable and machine-enforceable policies and continuously checking for and remediating drift. In fact, policy-as-code brings both configuration and compliance management into a single step. This removes the security silo and brings all stakeholders into a shared pipeline and framework, enabling collaboration among team members and allowing for security to be shifted left in the development process. The policy-as-code approach can help detect misconfigurations, increase efficiency and speed, and reduce the risk of production errors.
    

While there is a technical aspect to DevSecOps, there is also a human aspect that involves collaboration and planning. A multiprong approach that starts with collaboration across IT operations and security and compliance teams, while discussing the appropriate external and internal compliance requirements, is a critical starting point.

After understanding the configuration and policies, you can start with pre-packaged policies that align with standards such as the Center for Internet Security (CIS) Benchmarks and the Department of Defense Systems Agency-Security Technical Implementation Guides (DISA-STIG). Consider using an automated system to verify if your configurations are continuously accurate. This, in turn, will allow your organization to address complex and heterogeneous environments, including cloud-native public cloud services, Kubernetes configurations, and any on-premises or hybrid cloud workload.

**About the Author**

Vice President of Strategy, Progress

Mark Troester is the vice president of strategy at Progress. He helped guide the strategic go-to-market efforts for Progress before transitioning into a leadership role for the Progress Infrastructure Management division, which includes DevOps/DevSecOps, network management, network detection and response, and application delivery control offerings. Previously, he worked with both upstarts and stalwarts like Sonatype, SAS, and Progress DataDirect. Before these positions, Mark worked as a developer and developer manager for startups and enterprises alike. Mark has extensive speaking experience on topics at the intersection of business and technology, including industry events hosted by Gartner, Forrester, TDWI, and more.

Source

DARKReading