The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.

Source: DD Images via Shutterstock

A long-known cyber-espionage group working on behalf of North Korea's foreign intelligence service is systematically stealing technical information and intellectual property from organizations in the US and other countries to advance its own nuclear and military programs.

The group — which security vendors track variously as Andariel, Silent Chollima, Onyx Sleet, and Stonefly — is using ransomware attacks on US health care entities to fund the campaign, the US government warned this week.

**A Clear and Present Danger**

In a joint advisory, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others identified the threat actor as primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. "The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide," the advisory noted.

Meanwhile, the US government offered a $10 million reward under the State Department's Rewards for Justice program for information leading to the arrest of Rim Jong Hyok, whom it believes is a key player in the malicious cyber activity. In tandem, the US Justice Department indicted Jong Hyok on charges related to his involvement in Andariel attacks on multiple US entities, including NASA and two US Air Force bases.

The information that Andariel is pursuing in its current campaign is broad and varied. From defense organizations, the adversary has been stealing information pertaining to heavy and light tanks, self-propelled howitzers, combat ships, autonomous underwater vehicles, and other equipment. Aerospace companies are being targeted for information on everything from fighter aircraft, missiles, and missile defense systems to radars and nano-satellite technology. The goal with attacks on organizations in the nuclear sector is to gather data in areas like uranium processing and enrichment, material waste, and storage. And with engineering firms, the threat actor's focus is on shipbuilding, robotics, additive manufacturing, 3D printing, and other technologies.

"The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections," the advisory said.

**Well-Known Threat Actor**

Andariel has been active for several years. Researchers at Google's Mandiant who track the group as APT45 believe it has been operational since at least 2009. Microsoft, which tracks the threat actor as OnyxSleet, says it first spotted the group in 2014. Over the years, researchers have tied the group to numerous information stealing campaigns and destructive attacks on organizations in more than a dozen critical sectors, including defense, aerospace, energy, financial services, transportation, and health care. Many of its attacks have targeted South Korean entitities.

In a report that coincided with the US government warning this week, Mandiant said it had observed APT45 gradually launching more financially motivated attacks — like ransomware attacks — in recent years, even as it has continued with its cyber espionage mission. "APT45 is one of North Korea’s longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

Microsoft also released an update on the North Korean actor this week and has observed Onyx Sleet actors recently switch from spear-phishing as a way to gain initial access to using vulnerability exploits. But otherwise, its tradecraft has remained largely unchanged, Microsoft said. "Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective."

**Vulnerability Exploits and Custom Tools**

The US government advisory described Andariel as looking for and exploiting multiple well-known vulnerabilities to gain initial access to target networks in its recent attacks. Vulnerabilities that the group has been exploiting in its attacks include the Log4Shell flaw (CVE-2021-44228) in Apache's Log4j software; CVE-2023-46604, a maximum severity bug in Apache ActiveMQ server technology; CVE-2023-34362, a widely exploited remote code execution flaw in Progress Software's MOVEIt file transfer technology; and a similar flaw in Fortra's GoAnywhere software (CVE-2023-0669).

In all, the joint advisory listed 41 CVEs that Andariel actors have exploited to break into target networks as part of its cyberespionage campaign. Of that, 16 were vulnerabilities that various vendors disclosed last year. The oldest flaw in the list is from 2017 — CVE-2017-4946 — a privilege escalation bug in VMWare's V4H and V4PA desktop agents.

Once they gain access to a network, Andariel actors typically use a variety of custom tools and malware to establish remote access, enable lateral movement, and steal data, the advisory said, listing nearly two dozen of them. The tools "include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control," the advisory said. "The tools allow the actors to maintain access to the victim system, with each implant having a designated C2 node."

The advisory describes in detail other tactics, techniques, and procedures that Andariel actors have employed in recent attacks so organizations in the group's crosshairs can take protective measures. It also provides indicators of compromise that organizations can use to check for signs of the threat actor's presence on their network and systems.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Feds Warn of North Korean Cyberattacks on US Critical Infrastructure

Though IE was officially retired in June 2022, the vulnerability ramped up in January 2023 and has been going strong since.

Source: mundissima via Alamy Stock Photo

Check Point earlier this month discovered a remote code execution vulnerability, tracked as CVE-2024-38112, that impacts Microsoft Windows users and different versions of Windows Server.

The attackers used Windows Internet Shortcut files, which call on the retired Internet Explorer to visit a URL with a hidden malicious extension name and controlled by these threat actors. Because users are opening this URL with Internet Explorer, and not more secure browsers like Chrome or Edge, the threat actor has more advantages in exploiting the victim's device.

The threat actors also use a second method where they "make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application," wrote the Check Point researchers.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this high-severity vulnerability to its Known Exploited Vulnerabilities Catalog  Catalog, with its score of 7.5 due to its active exploitation, and mandated that all Windows systems within federal agencies must be updated or shut down by July 30.

Other research shows that of the roughly 500,000 endpoints running Windows 10 and 11, more than 10% of those devices are missing endpoint protection controls and almost 9% lack patch management controls, meaning that these organizations have a significant number of blind spots for attackers to exploit. 

Though Microsoft issued a patch on July 9, some exploits of this vulnerability date back more than a year ago, which means organizations need to act quickly in their mitigation efforts.

**About the Author(s)**

Microsoft's Internet Explorer Gets Revived to Lure in Windows Victims

How your organization can leverage the disruptive CrowdStrike update to become more resilient.

Chip Stewart, Director–Security, Privacy, and Risk Consulting, RSM US

July 25, 2024

5 Min Read

Source: Illia Uriadnikov via Alamy Stock Photo

COMMENTARY

In the wake of global IT issues caused by a defect in a content update for CrowdStrike's Falcon sensor, many organizations engaged in executing business continuity plans (BCPs), recovering systems, and restoring from backups. In the throes of these activities, it's easy to overlook the similarity with the playbook for ransomware recovery and miss how organizations of all sizes can leverage this event to identify gaps in their capabilities to respond to and recover from ransomware or other disruptive cyberattacks.

It's important to acknowledge the scale of this disruption, with 8.5 million incapacitated PCs across all sectors and organizational sizes. Small businesses, global conglomerates, government agencies, hospitals, and critical infrastructure were all met with the dreaded blue screen of death.

Even those who were not CrowdStrike customers felt the impact, with flights delayed and canceled, gas stations and grocery stores unable to complete transactions, and critical services like police and fire dispatch delayed.

However, there are lessons that every organization can take away from this event to help improve their ability to respond to a cyberattack.

**Detection**

The mean time to detect, or MTTD, is a metric in cyber operations describing how long it takes between when an incident begins and when the organization identifies that something has happened. This metric has been trending down for the past several years, partially because incidents resulting in ransomware deployment are glaringly and quickly apparent. This speedy detection contrasts with incidents where a sophisticated threat actor is siphoning private data from a network, which typically takes longer to discover.

This behavior parallels the obviousness of the CrowdStrike event. Computers across the network became unavailable, displaying a cryptic message about a failed driver. With this event, we have clarity on the start time, with organizations experiencing blue screens around 04:09 UTC.

Organizations should evaluate how long their teams took to detect the outage and how quickly they could reasonably speculate on the root cause. These metrics matter when threat actors deploy ransomware on a network.

**Response**

As IT teams confirmed the cause of the system issues, organizations scrambled to begin restoring systems. Many organizations struggled with incomplete asset inventories, partially managed devices, and no way to prioritize recovery activities reliably. Some found themselves locked out of the password vaults needed to restore critical systems. Others struggled to scale quickly to reimage laptops of remote users scattered across the country. 

These challenges mirror those expected during a ransomware incident and highlight the importance of maintaining an accurate accounting of IT assets that informs prioritization during recovery. Also, recovery plans must consider the operating environment and support reconstituting services in time frames that align with business objectives.

Organizations should evaluate the effectiveness of their response plans during this event, including their ability to prioritize systems that support critical functions and develop or test the granular recovery plans necessary to expedite the reconstitution of these services. They should also determine where there were gaps in asset management and the underlying causes of those discrepancies.

**Business Continuity**

As IT teams worked around the clock to restore systems and get users back online, this event forced many organizations to execute their business continuity plans and restore mission-critical functions. Organizations frequently confuse BCPs with disaster recovery plans (DRPs), resulting in an inability to execute mission-critical functions during this event.

Organizations frequently experience challenges in this area during a ransomware event, with no plan to reconstitute the capabilities that support mission-critical functions. With several high-profile ransomware attacks affecting health departments across the United States (including one during my tenure as the chief information security officer for the State of Maryland), seemingly simple administrative tasks, such as issuing death certificates, become impossible.

To prepare for ransomware events or other cyber disruptions, organizations should conduct a business impact analysis (BIA) and integrate the outputs into comprehensive BCPs, reducing the risk of protracted business disruption from a ransomware incident.

**Supply Chain and Vendor Risk**

The scale of this event has highlighted the risks of cyber events affecting supply chains more than any event in recent history, with financial transactions stalled, logistics companies unable to deliver goods, and hospitals unable to replenish lifesaving supplies. 

In 2021, Kronos, a human capital and workforce management SaaS provider, experienced substantial downtime due to a ransomware event, preventing employees from being paid and stopping work activities at thousands of organizations around the globe. With many organizations relying on their partners to recover quickly from a cyber incident, few were prepared to sustain operations in the event of an incident affecting their supply chain.

Organizations should consider and plan for cyber incidents that have negative consequences on their supply chains as part of their business continuity plans and ensure their partners do the same. 

**Improving Resilience From This Event**

For organizations affected by the CrowdStrike disruption, there is a unique opportunity to reflect on what went well and what your organization should focus on improving through the lens of a ransomware incident. While the disruption certainly should not be minimized, the reality of a ransomware incident includes exorbitant costs, weeks to months of downtime, regulatory challenges, potential lawsuits, and numerous other adverse effects that represent long-term organizational damage.

For organizations that experienced indirect impact through partners in their supply chain, there is an opportunity to ensure adequate supply chain diversification and contingency planning is happening.

For organizations lucky enough to have not experienced any adverse impact from this event, it's crucial to recognize that this could have happened to your organization just as easily, and it's better to be prepared than to be lucky.

For everyone, this is an opportunity to reflect on what you should be doing to improve your organization's resilience.

**About the Author(s)**

Director–Security, Privacy, and Risk Consulting, RSM US

Chip Stewart is a director in RSM's Security, Privacy, and Risk Consulting practice and the former CISO for the state of Maryland, where his charge was to build a statewide security program from the ground up. In this role, he championed the creation of the MD-ISAC, an advanced cyber-threat intelligence center focused on helping all levels of government in Maryland proactively protect their networks from cyber threats by providing them with real-time information.

Unexpected Lessons Learned From the CrowdStrike Event

A software engineer hired for an internal IT AI team immediately became an insider threat by loading malware onto his workstation.

Source: Den Rise via ShutterStock

A security firm recently hired a software engineer for its internal AI team that turned out to be a North Korean threat actor, who immediately began loading malware to his company-issued workstation.

KnowBe4, which provides security awareness and training, conducted standard pre-hiring background checks for the employee and four separate video-conference interviews with him before his hiring, Stu Sjouwerman, KnowBe4's founder, shared in a blog post about the situation. The company also verified that the person interviewed was the same one in the photo sent in with a resume.

The checks came back clean and the candidate for the position ("principal software engineer") appeared credible and qualified, though later the company realized he was using a stolen identity and his photo was AI-enhanced.

Once the verification and hiring process was complete, KnowBe4 sent the new employee, who is referred to in KnowBe4's post as "XXXX," his Mac workstation, "and the moment it was received, it immediately started to load malware," Sjouwerman wrote.

"On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST," he detailed. "When these alerts came in, KnowBe4's security operations center (SOC) team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to the SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise."

What the employee was really doing, however, was performing various actions to manipulate session history files, transferring potentially harmful files, and executing unauthorized software using a Raspberry Pi. KnowBe4's SOC attempted to get him on a call to investigate further, but he said he was unavailable and "later became unresponsive." By 10:20am, the SOC had quarantined XXXX's device.

KnowBe4 shared the data it collected about the employee and his activities with cybersecurity firm Mandiant and the FBI, to corroborate the company's initial findings. The company eventually discovered that XXXX was a fake IT worker from North Korea, and an FBI investigation is still ongoing.

**"It Can Happen to Anyone"**

Sjouwerman stressed to customers that no data breach occurred due to the activity, as security tooling blocked the malware before it was executed. His aim in sharing what happened at his company is to provide "an organizational learning moment," he said.

"Do we have egg on our face? Yes," he wrote. "And I am sharing that lesson with you."

KnowBe4 grants new employees' accounts only limited permissions for proceeding through the new hire onboarding process and training, with access to only necessary apps such an an email inbox, Slack, and Zoom. This means that XXXX never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information, Sjouwerman said.

"No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. However, "if it can happen to us, it can happen to almost anyone," he added.

Indeed, North Korean threat actors are notorious for engaging in successful cybercriminal activities by posing as credible IT workers. Last October, the Department of Justice warned that the freelance IT market was being flooded by operatives working on behalf of the North Korean government, urging caution to companies when hiring new workers. The department found that these workers are quietly directing their earnings to the government's sanctions-ridden nation's nuclear weapons program.

“Most of these individuals who attempt to obtain employment are not physically located in the US," Sjouwerman explained. "In order for them to conduct work, they require a US location for the equipment to be sent. There are small networks set up at drop locations where a US-based individual will turn on the received computers and configure them to be accessed remotely. The remote worker will then connect into the laptop farm network, and from there remote into the received device. This will cause security and access logs for that person to show up as being US-based and coming from the correct device.”

**How Not to Hire a North Korean Hacker**

KnowBe4 has made "several process changes" to hiring to help ensure any potential bad actor will be detected earlier, according to the post. In the US, for example, the company now will only ship new employee workstations to a nearby UPS shop and require a picture ID to obtain it.

Other process improvements that organizations can make are to ensure all background and reference checks are verified for inconsistencies and properly vetted; review and strengthen access controls and authentication processes; and conduct security awareness training for employees to stress social-engineering tactics used by threat actors.

The company also made recommendations so other organizations can avoid a similar scenario, including scanning remote devices for any suspicious access or activity; improving vetting and resume scanning for inconsistencies; and checking for red flags, like a laptop shipping address that's different from where the person is supposed to live and work.

Other red flags to look out for in potential employees include the use of VoIP numbers and/or lack of digital footprint for provided contact information, and any discrepancies in addresses, personal information, or date of birth across different sources. A remote employee's sophisticated use of VPNs or virtual machines should raise an alarm.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4

Our critical systems can be protected from looming threats by embracing a proactive approach, investing in education, and fostering collaboration between IT and OT professionals.

Source: Juri Samsonov via Alamy Stock Photo

COMMENTARY

In the realm of cybersecurity risk, the obscure dark corner of the room is operational technology (OT). This is the space where computers and physical function come together, opening and closing valves, flipping breakers, stamping metal, and changing the temperature in your home from an app on your phone. This is also a place that most IT professionals and cybersecurity practitioners shy away from and look to as "that stuff over there we don't really understand."

**The Lack of Attention on Operation Technology Attacks**

The cyberattacks that make the headlines often impact consumers significantly. Historically, these targeted financial systems, hospitals, credit agencies, and occasionally government entities. What is less common to see is public acknowledgment of a cyberattack against true critical infrastructure. Stuxnet was one of the very first, but there was so much shrouded in the mystery of espionage that it did not have a major mental impact on most of the world's population. In contrast, the 2021 Colonial Pipeline attack caused widespread gasoline shortages, highlighting the severe potential impacts of such attacks. Yet, only three years later, it has faded from public memory. Similarly, attacks on small water utilities in Pennsylvania and Texas received little public attention.

Why are people not more focused on securing operational technology, then? Perhaps it's a lack of understanding and a bit of awe as to how much control computers can have; however, the OT space isn't new tech. Many of the components in an OT environment can be decades old. Even still, seasoned network engineers and IT administrators alike may not fully understand OT communications protocols, making cyberattacks in this space more possible and simultaneously less discussed.

**Reimagining OT Security **

How do we manage risk and protect the often-ignored underbelly of IT, which includes the infrastructure that keeps the lights on, water clean, medication available, and manufactured products flowing — all driven by OT?

Protecting this infrastructure isn't overly complex. Here's what's needed:

1.  A solid risk management plan
    
2.  Visibility into what's happening in those environments
    
3.  The ability to understand what's normal so we can tell when something is not
    
4.  Documentation of what is supposed to communicate in OT environments and how and where that communication should happen
    
5.  The ability to have some protective mechanisms that will work in the environment
    
6.  A solid patch and vulnerability management program
    
7.  Secure and monitored remote access
    

If it's that simple, why has protecting this infrastructure been so challenging globally? The primary issue is that available tools are either tailored for IT systems or designed for OT systems but lack necessary integrations for IT staff monitoring. SIEM tools, crucial for monitoring network communications and rogue activity, need to interface with cloud services — something OT environments avoid. Consequently, protective tools like CrowdStrike can't be fully utilized. Even with partnerships with Claroty or Dragos, they still involve a proxy connection to the Internet.

**Proposing Solutions, Highlighting Roadblocks**

There are a few strategies that can be utilized successfully to manage risk in these environments.

The first is to have a thorough understanding of what information needs to flow and in which directions, and what portion of it needs to get to the outside world. Time and again we encounter scenarios in which there's technical documentation about the operational side of the design but not up-to-date information about what data is flowing where and how it's being utilized. The second is that most of the tools that are utilized for visibility in this space require specific network configurations.

These tools rely on network traffic analysis because it's not typically possible to install traditional antivirus or endpoint protection software on the devices that exist in the OT space. That means there must be a mechanism to route the traffic to the inspection points. Most of these networks were designed for resilience and uptime, not for cybersecurity, so reconfiguration is often necessary to be able to route traffic in a direction that allows for inspection. These network resegmentation projects take a lot of time, tend to be expensive, and run the risk of operational downtime, which is something that no OT environment can typically tolerate.

**The First of Many Bottom Lines**

The urgency to secure our critical infrastructure cannot be overstated. Our critical systems can be protected from looming threats by embracing a proactive approach, investing in education, and fostering collaboration between IT and OT professionals. The cost of inaction is too high — our water, power, and safety depend on our ability to safeguard these essential technologies.

Is our water safe to drink? The answer lies in our commitment to securing the unseen, often ignored underbelly of our technological world. Only through vigilance and dedicated effort can we ensure the safety and reliability of our critical infrastructure for the future.

**About the Author(s)**

Chief Security Officer, DirectDefense

Christopher Walcutt is a former network architect with 25 years of experience in security, risk, and compliance leadership. His expertise is predominantly in the energy, utility, smart grid, and manufacturing sectors, specializing in industrial controls architecture, management consulting, and breach and incident handling. He has provided services to a wide variety of enterprise clients, including some of the world’s largest energy, engineering, manufacturing, and water companies, and has advised CISO’s offices and boards of directors globally. Chris served in leadership roles at Constellation Energy, SunGard, and Black & Veatch, where he was responsible for cybersecurity and management consulting for NERC CIP, NRC, smart grid, and NIST compliance. Chris has guided organizational change amidst the ever-changing threat landscape and has served in multiple NERC committees and working groups.

Is Our Water Safe to Drink? Securing Our Critical Infrastructure

DDoS cyberattack campaign averaged 4.5 million requests per second, putting the bank under attack 70% of the time.

Source: VideoFlow via Shutterstock

A distributed denial-of-service (DDoS) attack targeting a financial institution in the United Arab Emirates set records for the duration of the cyberattack and the sustained volume of requests.

The attack — attributed to pro-Palestinian hacktivist group BlackMeta, also known as DarkMeta — lasted six days and included multiple waves of Web requests lasting anywhere from four to 20 hours, targeting the financial institution's site. Overall, it lasted more than 100 hours in total, averaging 4.5 million requests per second, cybersecurity firm Radware stated in an advisory published this week.

The DDoS attack represents a significant departure from the standard hacktivist denial-of-service attacks, says Pascal Geenens, director of threat intelligence for Radware.

"Those attacks were lasting between 60 seconds and five minutes — they came, they hit hard, and they go away after one to five minutes," he says. "Now, in the case of this attack, the campaign in total lasted six days, and in those six days, 70% of the time, that customer was being targeted by an average of 4.5 million requests."

BlackMeta, also known as SN\_BlackMeta, appeared in November 2023 and has a history of claiming responsibility for attacks against organizations in Israel, the United Arab Emirates, and the United States. In May, the group claimed responsibility for a multiday denial-of-service attack on the San Francisco-based Internet Archive. In April, the group claimed to have attacked the Israel-based infrastructure of the Orange Group, a French provider of telecommunication services in Europe, the Middle East, and Africa. The group also targeted organizations in Saudi Arabia, Canada, and the United Arab Emirates.

**DDoS Attacks for $500 a Month**

The BlackMeta group announced its intent to attack the financial institution on Telegram in the days leading up to the operation. The cyberattack inundated the financial firm's website with requests, causing the share of legitimate requests to plummet to as low as 0.002%, with an average of 0.12%. The attacks continued for 70% of the time during the six-day period.

Bandwidth captures showing the attack over six days. Source: Radware

The attackers used a cybercrime service known as InfraShutdown, which allows attackers to target sites for $500 to $625 a week, according to Radware's advisory.

BlackMeta is primarily motivated by a pro-Palestinian ideology, but similar to Anonymous Sudan, has an anti-Western stance, and appears to have links with Russia, and uses Arabic, English, and Russian in its posts, Radware stated.

"The group positions its attacks as retribution for perceived injustices against Palestinians and Muslims," the company stated. "Their targets typically include critical infrastructure such as banking systems, telecommunication services, government websites and major tech companies, all reflecting a strategy to disrupt entities viewed as complicit in or supportive of their adversaries."

**Profiting from DDoS Service?**

BlackMeta is likely a rebrand of Anonymous Sudan, a group that made a name for itself last year attacking targets along with the loose-knit pro-Russian Killnet group, according to the researchers. Anonymous Sudan targeted Israeli organizations and the encrypted messaging service Telegram in 2023. Comparing the number of claimed attacks by month over the past year and a half shows Anonymous Sudan's activity dwindling at the same time that BlackMeta's was ramping up.

Anonymous Sudan advertised its InfraShutdown DDoS attack service during previous attacks, urging other would-be attackers to sign up, which means the group is likely financially benefiting from its "hacktivism."

"If the actors behind \[BlackMeta\] are in any way related to or support Anonymous Sudan, the premium InfraShutdown service is highly likely to be the origin of the 14.7 million \[requests-per-second\], 100-hour attack campaign," Radware stated in its advisory

Rate-limiting the bandwidth during such attacks is not a solution to sustained application-layer attacks, because a company would have to be able to differentiate between the 1.5 billion legitimate requests reaching the website over a six-day period, and the 1.25 trillion malicious requests targeting the site, Geenens says.

"With the attacks going to Layer 7 — the application layer — the problem has shifted," he says. "Before we were at the network level, you could use a firewall, but that is too much processing power, so we moved to network protection. But when you move one layer up \[to Layer 7\], they can target specific pages and randomize the queries that they put in, so they make it look like legitimate posts."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Pro-Palestinian Actor Levels 6-Day DDoS Attack on UAE Bank

Cookies aren't going away, after all. After years of saying it will do so, Google has decided to not remove third-party cookies from Chrome.

Source: Piotr Malczyk via Alamy Stock Photo

After almost four years of tinkering, Google said it will not phase out third-party cookies from its Chrome browser. Instead, the company will provide users with options on how they want to be tracked on the web.

Back in 2020, Google urged browser makers, publishers, developers, and advertisers to move away from using third-party cookies and adopt mechanisms that would provide users with a more private and secure web. Despite opposition from online advertisers, Google set April 2025 as the deadline for removing third-party cookies from Chrome.

However, following discussions with stakeholders -- a list which includes regulators, publishers, developer, and other entities -- Google said it now realizes building ad mechanisms which also preserve privacy has implications for online advertisers.

"In light of this, we are proposing an updated approach that elevates user choice," wrote Chavez. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time."

One of the mechanisms Google has been working on for the past few years is Privacy Sandbox, a suite of APIs for online ad delivery and analytics with privacy protections built-in. Chrome users will have the choice of keeping third-party cookies or using Privacy Sandbox.

The Electronic Frontier Foundation noted that while major browsers, like Safari and Firefox, block third-party cookies by default, Chrome still does not. And while Privacy Sandbox may be less invasive, it is problematic because it shifts control of online tracking from third-party trackers to Google, according to EFF's Lena Cohen. "That doesn't mean it's good for your privacy," Cohen wrote. EFF suggests downloading its Privacy Badger browser extension to opt out of Privacy Sandbox and the broader online tracking ecosystem.

**About the Author(s)**

Google Will Not Remove Third-Party Cookies From Chrome

Small businesses are increasingly being targeted by cyberattackers. Why, then, are security features priced at a premium?

Source: Song\_about\_summer via Shutterstock

Small and midsize businesses (SMBs) are more vulnerable to attacks because software companies, cloud service providers, and technology makers either charge for safety features that should be offered at every service tier or fail to offer the features at all.

Earlier this year, at least 165 customers of data-services provider Snowflake were compromised — and one reason was because the firm did not offer a way to easily require all users to enable multifactor authentication (MFA), cybersecurity experts say. And just last year, a nonprofit organization failed to detect an attack because, among other reasons, its Microsoft 365 license level of "E3" did not come with logging features that were available to organizations on the more expensive "E5" plan, incident responders stated at the time.

Software makers and service providers need to offer effective security features as a safety measure to every tier of service and not create a cybersecurity gap between the "cyber poor" and enterprises that can afford extra security, says Kymberlee Price, CEO and co-founder of Zatik, a provider of fractional security expertise targeting smaller businesses.

"If vendors do not change the way they price security, if they don't put seatbelts in the base model, then software liability is inevitable," Price says.

Finding ways to secure the cyber poor — those companies and organizations that cannot afford dedicated cybersecurity professionals or high-priced security systems — has become a critical effort worldwide. In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) pledged to find ways to help the smallest organizations, which typically do not have budgets for information technology, let alone information security. Security compromises can result in business failures and significant stress-related problems for small-business owners.

Driving security down to the smallest firms is critical to promote security across the business ecosystem, as larger companies count SMBs among their vendors, contractors, and partners, says Saeed Abbasi, product manager of vulnerability research at Qualys.

"Strengthening cybersecurity in SMBs is essential for protecting their assets and safeguarding larger business ecosystems, as these small businesses often serve as links in broader supply chains," he says. "Moreover, proactive cybersecurity costs are typically lower than the potential losses from data breaches."

**Delivering More Security By Default**

Defining the difference between what should be a security product in its own right and what should be a security feature is not easy, Price acknowledges. Single sign-on capabilities, such as Okta, would be obviously considered as a security service, but a feature in another product to connect to Okta's SSO should not require purchasing a higher tier, Price says.

"If there's some completely new innovation that revolutionizes the way security works ... that's going to involve development and other costs," so charging extra for that seems fair, she says. "But at this point, so many of these features \[are the equivalent of\] backup cameras, which were an LX-model option when they first came out, but now they're standard in the base models."

Among the safety features Price says she would like to see: Firms should be given the ability to require and monitor two-factor authentication across the business, single sign-on integration should be a base-tier feature, and role-based access controls that split administration and normal user functions should be standard. In addition, companies should start offering audit trails in every application by default and the ability for an administrator to revoke access to users.

For Snowflake, it was not a matter of charging extra for a MFA but of not enabling a feature that cybersecurity professionals have long advocated for. On the platform, individuals could opt into MFA, but company administrators had no power to require the security for every user in their organizations, said Ofer Maor, co-founder and CTO at threat response firm Mitiga, in an interview last month.

"Snowflake not only does not require MFA, but it also makes it very hard for administrators to enforce this," he said. "Unlike other \[software-as-a-service\] platforms, where an admin of a tenant can require MFA for all users in the tenant, in Snowflake this option is not available. The only way for the admin to attempt to enforce it is by manually reviewing every user in the system to see if they voluntarily enabled MFA and, if not, ask them to do so."

Both Snowflake and Microsoft now offer the requested security features on their platforms. As of July 9, administrators can require MFA by default for Snowflake, and Microsoft changed its policy on the cost of logging last year, following criticism of its licenses.

**Make Cyber Safety Easy, Available in Lowest Tiers**

Because SMBs often do not have their own IT specialist, not to mention a skilled cybersecurity expert, offering easy-to-use basic security is paramount. There needs to be a path to drive security down to every user, says Narayana Pappu, CEO at Zendata, a data security and compliance firm.

"SMBs usually lack security expertise in-house, don't have resources to implement nor maintain a solution, and usually carry security risks that can put them out of business if or when a security incident occurs," he says. "These are great reasons to drive good security down to the SMB level — in a connected ... world, you are only as strong as your weakest link."

While generative artificial intelligence and the latest large-language models could provide some companies more security, the cost may still be prohibitive and rarely are such features offered at the base level.

Instead, cybersecurity and software firms should provide basic, effective security in every product at the base service tier, says Zatik's Price, who stresses that she is not against charging everyone a bit extra to make the feature available. However, all tiers should offer the most effective security measures, she says.

"There's no version of a car that does not include seatbelts on the market today," she says. "Are seatbelts free? No, they're baked into the cost of that car. \[Similarly\], we're not saying that all security should be free and zero cost."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Small Businesses Need Default Security in Products Now

With every new third-party provider and partner, an organization's attack surface grows. How, then, do enterprises use threat intelligence to enhance their third-party risk management efforts?

The network of global supply chains means organizations are more interconnected than ever, which increases the potential for a data breach or other security incidents involving third-party suppliers and partners. Third-party vendors, especially those digitally connected to an organization, significantly increase their attack surface and open exposure to software supply chain risks, vulnerabilities, and malicious or negligent insiders.

According to Cyentia Institute, 98% of organizations have at least one third party that suffered a cybersecurity breach within the previous two years.

Organizations have increased their investments in third-party risk management (TPRM) programs to mitigate these risks. In its "2023 Global Third-Party Risk Management Survey," EY found that 90% of respondents were investing to improve their programs' effectiveness. In a recent Dark Reading report, "Managing Third-Party Risk Through Situational Awareness," experts outline how organizations can use threat intelligence to effectively manage third-party risk.

"Third-party risk management is such a big challenge for CISOs," says Rick Holland, VP CISO at security services provider ReliaQuest.

Experts say that the top drivers for TPRM investments are regulatory demands, increased remote work, and data privacy. Much of that investment is being used for threat intelligence programs. By harnessing threat intelligence from various sources, organizations can comprehensively understand the threat landscape and make informed decisions to manage third-party risks effectively.

Threat intelligence is found in many sources, such as open source intelligence, commercial threat intelligence providers, industry-specific information sharing and analysis centers, and internal security data. As applied to third parties, threat intelligence analysts incrementally add intelligence that could indicate that their third parties are either at risk of attack, under attack, or have recently been attacked. Such indicators include comments on Web forums and marketplaces, leaked data, credentials spilled on the Internet, and more.

Download the report to learn how to get started with threat intelligence. Organizations can better comprehend their threat landscape through such threat intelligence and make better-informed decisions to manage their risks. Learn how to collect and use threat intelligence to help reduce many risks associated with third parties.

**About the Author(s)**

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Fighting Third-Party Risk With Threat Intelligence

Cybersecurity startup Zest Security emerged from stealth with an AI-powered cloud risk resolution platform to reduce time from discovery to remediation.

Source: Peachshutterstock via Shutterstock

Organizations have plenty of tools to identify cloud risks, vulnerabilities, and misconfigurations, but not so much for remediating cloud risks. For most companies, significant collaboration is needed between DevOps and security teams to validate the risk, understand the root cause, and determine the best resolution.

Remediating risk usually involves a series of manual and time-consuming processes. Cybersecurity startup Zest Security wants to change that with its AI-powered platform designed to simplify and automate risk resolution. The platform correlates and pinpoints the root cause of cloud risks to craft resolution paths that eliminate cloud vulnerabilities and misconfigurations that attackers can exploit, Zest said in a statement.

On average, it takes 30 to 60 days to remediate a single cloud security risk, and 80% of resolved risks resurface after remediation, Zest said. The increase in known cloud attacks is directly the result of lack of efficient and effective remediation.

"Zest eliminates the back-and-forth typically required between security and DevOps teams to determine the best path to mitigation and remediation," said Matthew Hurewitz, director of platforms and application security at Best Buy, in a statement. "Zest shows security teams all of their options, so they can quickly and confidently resolve their vulnerabilities."

As part of the launch, Zest Security also raised $5 million in seed funding from Hanaco Ventures, Silvertech Ventures, and several angel investors. The company's co-founders have years of experience in cloud and product security. Uri Aronovici, Zest’s CTO, previously worked at Akamai Technologies and Check Point Software. Prior to founding Zest, Snir Ben Shimol, Zest's CEO, built the global cybersecurity platform and services organization at Varonis. Shimol was also the CSO of Cider Security before it was acquired by Palo Alto Networks.

**About the Author(s)**

Source

DARKReading