Judge dismisses claims against SolarWinds for actions taken after its systems had been breached, but allows the case to proceed for alleged misstatements prior to the incident.

Source: Tetra Images via Alamy Stock Photo

A judge has dismissed a major portion of the Securities and Exchange Commission (SEC) litigation against SolarWinds and its chief information security officer (CISO), Tim Brown, ruling that they cannot be held liable for statements and filings made after the breach of the company's flagship Orion product.

However, the SEC can proceed with its charge against SolarWinds and Brown for misrepresentations made about the company's cybersecurity posture leading up to the cyberattack, according to the ruling from US District Court Judge Paul A. Engelmayer released on July 18. Court filings refer to the cyber incident as "Sunburst."

The ruling is in response to SolarWinds' motion to dismiss the SEC lawsuit filed in January of this year.

**SolarWinds Information-Sharing "Vindicated"**

Legal and cybersecurity experts say the ruling is a positive move toward providing guidance to other publicly traded companies on how to deal with cybersecurity incident disclosure regulations.

"For public companies rushing both to investigate an incident and make a materiality disclosure, the court's opinion allows the totality of the disclosure to prevail over the nitty-gritty details," says cyber attorney Beth Burgin Waller of Woods, Rogers, Vandeventer, Black PLC. "This decision vindicates SolarWinds' information sharing with the cybersecurity community post-incident."

While the ruling removes many of the charges against SolarWinds and Brown, the SEC will be allowed to pursue action for statements and other claims made about the cybersecurity posture of the company prior to its compromise. Disclosures and statements made about the company's security posture prior to the breach are "viably pled as materially false and misleading in numerous aspects," the judge wrote.

After joining SolarWinds in 2017, Brown internally highlighted deficits in the company's defenses while delivering more rosy assessments to customers, the ruling explained. Notably, the SolarWinds "Security Statement" falsely claimed compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

A SolarWinds spokesperson said the company was "pleased" with the ruling in a statement.

"We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate," the statement said. "We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."

**CISO Hot Takes**

Jessica Sica, CISO with Weave, was especially encouraged by the court's decision to toss out internal communications evidence among SolarWinds employees.

"Internally, you need to be able to discuss the state of security — for better or for worse — and not have that get out as if you weren’t doing your job," Sica says. "The SEC keeping that portion in could have led to more companies having a sort of 'don’t ask, don’t tell' policy on security, and that would make things much worse."

The court ruling also loosens some constraints on CISOs, according to Fred Kwong, Ph.D., vice president, and CISO of DeVry University.

"Holding CISOs personally liable, especially those CISOs that do not hold a position on the executive committee, is deeply flawed and would have set a precedent that would be counterproductive and weaken the security posture of organizations," Kwong says. "While not out of the woods, I'm happy to see that the court has dismissed most of the charges, especially those post-Sunburst."

Regardless of the ultimate outcome of the SEC's action against SolarWinds and Brown, Sica urges fellow CISOs to continue to be transparent.

"I think this doesn’t change the fact that you need to be honest about your security posture, and that’s a good thing," Sica says. "If you are promising publicly that you are doing it."

Sizable Chunk of SEC Charges Against SolarWinds Tossed Out of Court

Though the number of victims has risen, the actual number of breaches has gone down, as fewer, bigger breaches affect more individuals.

Source: B Christopher via Alamy Stock Photo

At the end of the second quarter of 2024, the number of US data breach victims has increased by more than 1,000% over the entire previous year, according to new analysis of publicly reported data breaches in the country.

The analysis, conducted by Identity Theft Resource Center (ITRC), determined that the increase in the number of victims in the second quarter of the year was due to the impact of a small number of very large breaches. So, though the number of victims has increased exponentially, there has been a 12% decrease in the actual number of incidents that occurred during that time frame. 

These large breaches include Prudential Financial and the Infosys McCamish System leaks, which affected Fidelity and Bank of America, among others. Together, these sent the victim count into the millions.

The data breach victim count for the first six months of 2024 was more than 1 billion (1,078,989,742), which is a 490% increase compared to the first half of 2023, which had a victim count of 182.6 million. This tally, however, does not include the Change Healthcare breach, which affected a huge swath of US victims.

"The takeaway from this report is simple," said Eva Velasquez, ITRC president and CEO. "Every person, business, institution and government agency must view data and identity protection with a greater sense of urgency."

**About the Author(s)**

US Data Breach Victim Numbers Increase by 1,000%, Literally

The vulnerability was given the highest CVSS score possible, though few details have been released due to its severity.

Source: designer491 via Alamy Stock Photo

Cisco has released a patch for a maximum-severity vulnerability, tracked as CVE-2024-20419, that allows threat actors to change any user or admin password.

The vulnerability carries a CVSS rating of 10, however, the company has not released many details about the bug, likely due to how high risk it is.

The attack complexity was deemed low, as no privileges or user interaction is necessary to complete the action, but the impact on the product's integrity, availability, and confidentiality are all deemed high.

"An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device," Cisco said in a statement. "A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

This vulnerability affects SSM On-Prem and SSM Satellite. There are no workarounds for the vulnerability, so it's recommended that users apply patches for the bug as soon as possible. 

Cisco has not released any additional information regarding this vulnerability in the wild or how many users have been potentially impacted. SSM On-Prem is primarily used by "financial institutions, utilities, service providers, and government organizations," according to the vendor, so organizations in these sectors should be especially wary. 

**About the Author(s)**

High-Severity Cisco Bug Grants Attackers Password Access

Three newly discovered SMTP smuggling attack techniques can exploit misconfigurations and design decisions made by at least 50 email-hosting providers.

Source: Maksim Kabakou via Adobe Stock Photo

Three novel attack techniques that chain together vulnerabilities found in numerous email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organizations.

The flaws — discovered by several security researchers at PayPal — allow attackers to use simple mail transfer protocol (SMTP) smuggling to bypass SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) security protocols to deliver malicious emails from domains owned by reputable Fortune 500 companies and government agencies.

The findings include vulnerabilities in email verification processes used by numerous large email service providers, specifically domain-authentication issues, request for comments (RFC) violations, and the abuse of valid DKIM signatures and SPF records.

**Email-Hosting, Vulnerable by Default**

The researchers — Hao Wang, offensive security senior manager; Caleb Sargent, offensive security engineer; and Harrison Pomeroy, lead threat detection engineer — plan to disclose how chaining these vulnerabilities together creates the new attack patterns in a session at the forthcoming Black Hat USA conference during first week in August, entitled "Into the Inbox: Novel Email Spoofing Attack Patterns."

They also will reveal the affected vendors, which could number more than 50. The lag is due to the responsible disclosure timeline, as the researchers allow time for the issues to be addressed, Wang says.

"The issue we want to emphasize is that email gateway vendors remain vulnerable to SMTP smuggling in their default configuration," Wang tells Dark Reading in an interview. "This vulnerability can have a significant impact, especially if the outbound SMTP server of large email or hosting providers is permitted to send emails on behalf of multiple domains."

While some email gateway vendors include a setting to reject spoofed emails and thus mitigate the issue, enabling this feature may inadvertently block legitimate emails. "Consequently, many large customers continue to use the default, vulnerable setting," he says, creating a wide avenue for attacker abuse.

**Novel Attack Techniques**

The team's research was informed by two previous works from other researchers: a "SpamChannel" talk presented by Marcello Salvati at DefCon 2023, and an innovative SMTP smuggling attack unveiled by Timo Longin in December, Wang says.

The first attack technique involves SPF abuse and is due to the fact that several large email and hosting service providers fail to verify domains properly when sending emails, which violates RFC requirements.

"Their domains often have overly permissive SPF records, enabling attackers to bypass SPF/DMARC security controls and deliver fraudulent emails," Wang explains, adding that the attack has a "high success rate" due to the large number of affected domains and the broad reach of email spoofing.

The second attack pattern abuses DKIM due to improper domain verification when utilizing feedback loop (FBL) features from major mailbox providers, allowing large-scale email spoofing campaigns.

The third attack pattern is one that expands upon Longin's SMTP smuggling attack discovery, and will be revealed in more detail during the Black Hat USA session. Longin discovered that attackers can exploit SMTP on vulnerable servers to send scores of malicious emails with fake sender addresses based on the exploit of existing flaws on messaging servers from Microsoft, GMX, and Cisco.

"Most of the attacks do not directly circumvent SPF, DKIM, and DMARC controls in place, but instead leverage misconfigurations and design decisions made by the affected vendors," Wang says. "The result of these attacks are emails with valid SPF and DKIM records that will pass the DMARC check."

**SMTP Smuggling Detection and Mitigation **

As part of their session, the researchers plan to reveal a method for detecting SMTP smuggling attacks that involves the Message-ID identifier that email servers add when they send someone's email. The method correlates the difference between the Message-IDs added by the outbound and inbound SMTP servers when an attacker attempts to send multiple emails within a short period through a single SMTP connection.

"This difference would serve as a strong indicator of an SMTP smuggling attack, enabling the development of custom detection rules," Wang says. "At the very least, organizations can incorporate this technique as part of their compensating controls for mitigating this type of attack."

Indeed, while the attack patterns discovered can allow email spoofing by bypassing DMARC, DKIM, and SPF security controls, the researchers still highly recommended that organizations enforce these measures for their domains as a foundational security baseline.

"Implementing these controls significantly enhances email security by providing mechanisms for verifying the authenticity of email messages, reducing the risk of phishing and email spoofing attacks," Wang says.

Organizations also should use email-filtering solutions that leverage heuristic and content-based analysis in addition to validating messages through DMARC, DKIM, and SPF security controls for a multilayered approach that helps identify and block potential spoofing and phishing emails more effectively, he says.

Wang adds that enforcing RFC standards for authentication and authorization across all email service providers also "is critical for maintaining the security and reliability of email communications," and preventing various forms of email-based attacks."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

20 Million Trusted Domains Vulnerable to Email Hosting Exploits

An official stamp of approval might give the impression that a purported "HotPage" adtech tool is not, in fact, a dangerous kernel-level malware — but that's just subterfuge.

Source: Bruno Rodrigues Baptista da Silva via Alamy Stock Photo

Researchers have stumbled upon a fake ad blocker marketed to Internet cafés in China that, in fact, conceals sophisticated, multifaceted, kernel-level malware.

"HotPage.exe," present on VirusTotal since at least late last year, was approved and signed by Microsoft and developed by what seemed to be a real corporation. Still, security products flag it as adware, and, in truth, it is even worse than that.

Instead of removing ads, it introduces many more of them by intercepting web traffic and redirecting and manipulating content in victims' browsers. Meanwhile, it drops a vulnerable system-level driver that could allow any attacker wandering by to execute malicious code with the highest possible privileges.

According to its new report, ESET reported HotPage to Microsoft on March 18. Microsoft removed it from the Windows Server Catalog on May 1.

**HotPage Can Be Weaponized Easily**

It's unclear as yet how HotPage is delivered to victims. Its product documentation indicates that it's marketed as a security product, which makes sense, seeing as it requires significant privileges to drop its vulnerable driver to the disk.

That driver is the source of all kinds of trouble. It injects libraries into targeted browser applications, and hooks network-based Windows API functions in order to intercept and modify browser activity, redirecting or opening new ad-stuffed web pages on the victim's screen. It connects with a command-and-control (C2) server to send back information about the victim, and retrieve relevant data for the attack.

Worse, though, is that this kernel-mode component lacks proper access restrictions, in effect allowing any running process to communicate with it. It's not clear whether this was designed intentionally or not, but either way, the result is the same: Any attacker could weaponize HotPage for their own purposes.

It's worth noting, then, how HotPage hooks the Windows API function "SetProcessMitigationPolicy," which is used for applying security policies to processes. In so doing, the malware blocks any security policies that might otherwise be applied to it, enabling arbitrary code injection at the system level.

**How HotPage Malware Got its Veneer of Legitimacy**

According to its official signature, HotPage was developed by Hubei Dunwang Network Technology Co. Ltd. The company was first registered on Jan. 6, 2022, with the stated purpose of providing technology-related services, including development, consulting, and advertising. Its website — a barebones form with three fields and a QR code — is no longer live.

How could Microsoft's code signing process be so lax as to allow through such a shady company and its blatant malware? Dark Reading reached out to Microsoft for comment on this point, but the reality is that code signing is regularly abused in any number of ways.

"In a rather simple scenario," explains Romain Dumont, malware researcher for ESET, "a shady company would develop a legitimate computer software, which would go through the driver-signing requirements. Later on, the editor could covertly introduce a backdoor, either through new functionalities or by intentionally introducing a vulnerability."

Similarly, he adds, "HotPage (or DWAdsafe), posed as a security product to block ads, and so possesses interception functionalities. Here, the problem lies in the way the software can be configured and misused."

Microsoft, for its part, can only do so much. "I don’t think a bulletproof process exists," Dumont says. "A naive approach would be to do a background check on companies and verify that the advertised functionalities correspond to the actual functionalities through a security assessment. Microsoft could ask for a certain level of transparency regarding the intended purpose of the software and the required functionalities to achieve it. The more functionalities an editor needs, the more tests they should pass. But let’s face it, it’s a difficult and time-consuming task."

Users, then, cannot blindly trust even the programs Microsoft deems trustworthy. Instead, Dumont says, "I think using computer software from renowned companies is a start. Also, turn to open source software and companies with bug-bounty programs, who are transparent about their functionalities and have history sharing security advisories or vulnerability announcements. ... If possible and as a rule of thumb, companies and users should isolate programs and restrict their privileges as much as possible."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft-Signed Chinese Adware Opens the Door to Kernel Privileges

Digital literacy and protective measures will be key to detecting disinformation and deepfakes as AI is used to shape public opinion and erode trust in the democratic processes, as well as identify nefarious content.

Source: Enrico01 via Alamy Stock Photo

COMMENTARY

Disinformation — information created and shared to mislead opinion or understanding — isn't a new phenomenon. However, digital media and the proliferation of open source generative artificial intelligence (GenAI) tools like ChatGPT, DALL-E, and DeepSwap, coupled with mass dissemination capabilities of social media, are exacerbating challenges associated with preventing the spread of potentially harmful fake content. 

Although in their infancy, these tools have begun shaping how we create digital content, requiring little in the way of skill or budget to produce convincing photo and video imitations of individuals or generate believable conspiratorial narratives. In fact, the World Economic Forum places disinformation amplified by AI as one of the most severe global risks over the next few years, including the possibilities for exploitation amid heightened global political and social tensions, and during critical junctures such as elections. 

In 2024, as more than 2 billion voters across 50 countries have already headed to the polls or await upcoming elections, disinformation has driven concerns over its ability to shape public opinion and erode trust in the media and democratic processes. But while AI-generated content can be leveraged to manipulate a narrative, there is also potential for these tools to improve our capabilities to identify and protect against these threats. 

**Addressing AI-Generated Disinformation**

Governments and regulatory authorities have introduced various guidelines and legislation to protect the public from AI-generated disinformation. In November 2023, 18 countries — including the US and UK — entered into a nonbinding AI Safety agreement, while in the European Union, an AI Act approved in mid-March limits various AI applications. The Indian government drafted legislation in response to a proliferation of deepfakes during elections cycle that compels social media companies to remove reported deepfakes or lose their protection from liability for third-party content. 

Nevertheless, authorities have struggled to adapt to the shifting AI landscape, which often outpaces their ability to develop relevant expertise and reach consensus across multiple (and often opposing) stakeholders from government, civil, and commercial spheres. 

Social media companies have also implemented guardrails to protect users, including increased scanning and removal of fake accounts, and steering users toward reliable sources of information, particularly around elections. Amid financial challenges, many platforms have downsized teams dedicated to AI ethics and online safety, creating uncertainty as to the impact this will have on platforms' abilities and appetite to effectively stem false content in the coming years. 

Meanwhile, technical challenges persist around identifying and containing misleading content. The sheer volume and rate at which information spreads through social media platforms — often where individuals first encounter falsified content — seriously complicates detection efforts; harmful posts can "go viral" within hours as platforms prioritize engagement over accuracy. Automated moderation has improved capabilities to an extent, but such solutions have been unable to keep up. For instance, significant gaps remain in automated attempts to detect certain hashtags, keywords, misspellings and non-English words.  

Disinformation can be exacerbated when it is unknowingly disseminated by mainstream media or influencers who have not sufficiently verified its authenticity. In May 2023, the Irish Times apologized after gaps in its editing and publication process resulted in the publication of an AI-generated article. In the same month, while an AI-generated image on Twitter of an explosion at the Pentagon was quickly debunked by US law enforcement, it nonetheless prompted a 0.26% drop in the stock market. 

**What Can Be Done?**

Not all applications of AI are malicious. Indeed, leaning into AI may help circumvent some limitations of human content moderation, decreasing reliance on human moderators to improve efficiency and reduce costs. But there are limitations. Content moderation using large language models (LLMs) is often overly sensitive in the absence of sufficient human oversight to interpret context and sentiment, blurring the line between preventing the spread of harmful content and suppressing alternative views. Continued challenges with biased training data and algorithms and AI hallucinations (occurring most commonly in image recognition tasks) have also contributed to difficulties in employing AI technology as a protective measure. 

A further potential solution, already in use in China, involves "watermarking" AI-generated content to help identification. Though the differences between AI and human-generated content are often imperceptible to us, deep-learning models and algorithms within existing solutions can easily detect these variations. The dynamic nature of AI-generated content poses a unique challenge for digital forensic investigators, who need to develop increasingly sophisticated methods to counter adaptive techniques from malicious actors leveraging these technologies. While existing watermark technology is a step in the right direction, diversifying solutions will ensure continued innovation which can outpace, or at least keep up with, adversarial uses. 

**Boosting Digital Literacy**

Combating disinformation also requires addressing users' ability to critically engage with AI-generated content, particularly during election cycles. This requires improved vigilance in identifying and reporting misleading or harmful content. However, research shows that our understanding of what AI can do and our ability to spot fake content remains limited. Although skepticism is often taught from an early age in the consumption of written content, technological innovations now necessitate the extension of this practice to audio and visual media to develop a more discerning audience. 

**Testing Ground**

As adversarial actors adapt and evolve their use of AI to create and spread disinformation, 2024 and its multitude of elections will be a testing ground for how effectively companies, governments, and consumers are able to combat this threat. Not only will authorities need to double down on ensuring sufficient protective measures to guard people, institutions, and political processes against AI-driven disinformation, but it will also become increasingly critical to ensure that communities are equipped with the digital literacy and vigilance needed to protect themselves where other measures may fail.

**About the Author(s)**

Associate, Strategic Intelligence, S-RM

Erin Drake is an associate in S-RM’s Strategic Intelligence team, where she leads on case management of regular and bespoke consulting projects. She joined the firm in 2017 and has worked on a variety of projects ranging from threat assessments to security risk assessments across several markets. This often entails the development of client-specific approach and methodological framework for high-level and detailed bespoke projects, to support clients in understanding and monitoring the security, political, regulatory, reputational, geopolitical, and macroeconomic threats present in their operating environment. Erin’s expertise includes global maritime security issues, political stability concerns in the commercial sector, and conflict analysis. Erin holds a master's degree in international relations with a focus on global security issues like nuclear proliferation and multilateral diplomacy.

Global Cyber Threat Intelligence Lead, S-RM

Melissa DeOrio is Global Cyber Threat Intelligence Lead at S-RM, supporting clients on a variety of proactive cyber and cyber-threat intelligence services. Before joining S-RM, Melissa worked on US Federal Law Enforcement cyber investigations as a cyber targeter. In this role, Melissa utilized numerous cyber-investigative techniques and methodologies to investigate cyber threat actors and groups including open source intelligence techniques, cryptocurrency asset tracing as well as identifying and mapping threat actor tactics, techniques, and procedures (TTPs) to provide tactical and strategic intelligence reports. Melissa began her career in corporate intelligence, where she specialized in Turkish regional investigations, managed a global team of researchers, and played a role in the development and implementation of a new compliance program at a leading management consulting firm.

AI Remains a Wild Card in the War Against Disinformation

The group — which has targeted Israel, Saudi Arabia, and other nations — often uses spear-phishing and legitimate remote management tools but is developing a brand-new homegrown tool set.

Source: Muhammad Toqeer via Shutterstock

Iranian cyber-espionage group MuddyWater is pivoting from controlling infected systems with legitimate remote-management software to instead dropping a custom-made backdoor implant.

As recently as April, the group infected systems by targeting Internet-exposed servers or through spear phishing, ending with the installation of the SimpleHelp or Atera remote management platforms, security-operations provider Sekoia said in an advisory. Yet, in June, the group switched to a different attack chain: sending out a malicious PDF file with an embedded link leading to a file on stored on the Egnyte service, which installs the new backdoor, dubbed MuddyRot by Sekoia.

Check Point Software noted the shift to the new tool as well. MuddyWater has been using the backdoor implant, which the firm calls BugSleep, since May, and has quickly been improving it with new features and bug fixes, says Sergey Shykevich, threat intelligence group manager at Check Point Software.

Often, they also introduce new bugs into the malware, however. "They likely realized that their tactic of utilizing remote management tools as a backdoor was not effective enough and decided to swiftly transition to homemade malware," Shykevich says. "Probably due to pressure for a rapid change, they released an incomplete version."

Iran has become a significant cyber-threat actor in the Middle East. Since at least 2018, the MuddyWater threat group has targeted a variety of government agencies and critical industries with malicious attacks, stated a 2022 advisory published jointly by US and UK government agencies. The MuddyWater group is part of the Iranian Ministry of Intelligence and Security (MOIS), with other cybersecurity firms referring to the group as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, according to the joint advisory.

**An Attack Tool Under Construction**

The BugSleep backdoor uses typical anti-analysis tactics, such as delaying execution — that is, going to "sleep" — to avoid being detected or running in a sandbox. The backdoor also employs encryption, but in many instances the encryption was not properly executed.

The encryption issues are not the only bugs in the code. In other samples, the program creates a file — "a.txt" — and then later deletes it, apparently for no reason. These issues, plus the frequent updates, suggests the code is still under development, stated Check Point Software's advisory.

MuddyWater previously had created its own backdoor programs, such as one called Powerstats, written in PowerShell, but later shifted to using remote management (RMM) software, Sekoia's advisory noted.

"We don’t yet know why MuddyWater operators have reverted to using a homemade implant for their first infection stage in at least one campaign," the advisory stated. "It is likely that the increased monitoring of RMM tools by security vendors, following their rise in abuse by malicious threat actors, has influenced this change."

The use of a file sharing service such as Egnyte to host malicious documents has become more popular among attackers. The trial period is often sufficient enough time to give the attackers a platform to use during an attack, Check Point Software's Shykevich says.

"Numerous file-sharing platforms are utilized by attackers within their infection chains," he says. "In theory, emulating and scanning the uploaded files can reduce the malicious use, but it is quite complicated from operational and cost perspectives for the file-sharing services operators."

**"Umbrella of APTs" in the Middle East**

The lures used in the group's phishing campaigns have become simpler — focusing on "generic themes such as webinars and online course," which allows them to send out a higher volume of attacks, Check Point Software's advisory stated.

"Their sophistication level is medium, but they are a highly persistent and aggressive group from the standpoint of phishing campaigns and targeting of specific sectors or organizations," Shykevich says. "They send hundreds of malicious emails to multiple recipients in the same organization or the same sector, also doing it across different days."

MuddyWater may not be a single group, however. In 2022, Cisco's threat intelligence group, Talos, described them as an "umbrella of APT groups." The US Cybersecurity and Infrastructure Security Agency (CISA) describes the group as "a group of Iranian government-sponsored advanced persistent threat (APT) actors," in its advisory.

The group employs "spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks," CISA stated, adding, "MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors."

While the group focuses on attacking organizations in Israel and Saudi Arabia, they have also hit other nations, including India, Jordan, Portugal, Turkey, and even Azerjaiban, the advisories said.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian Cyber-Threat Group Drops New Backdoor, 'BugSleep'

The tactic is not new, but there has been a steady increase in its use as of this spring.

Source: Chim via Shutterstock

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

**The SEG Versus SEG Threat**

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

"We do not have access to the internals of SEGs, so I can't say for certain," Gannon says. "But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the \[receiving\] SEG assumes the URL itself is legitimate."

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender's SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient's secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient's SEG scans the URL, but only sees the sending email gateway's domain and not the final destination.

"Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool's scanning page and not the actual destination," Cofense wrote in its report this week. "As a result, when an email already has SEG-encoded URLs, the recipient's SEG often allows the email through without properly checking the embedded URLs."

**A Substantial Increase**

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. "Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with," he says. "For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp\[:\]//badplace\[.\]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect\[.\]cudasvc\[.\]com/url?a=hxxp\[:\]//badplace\[.\]com/."

Gannon says one reason why threat actors likely aren't using the tactic on a much broader scale is because it involves additional work. "The biggest thing it comes down to is effort," he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to."

Protecting against the tactic can be relatively difficult, as most SEGs don't have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. "A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

PRESS RELEASE

REDWOOD SHORES, Calif., July 16, 2024 /PRNewswire/ -- Tumeryk Inc., a leader in AI security solutions, proudly announces the launch of the Tumeryk AI Security Studio to enable organizations to simulate and enhance generative AI (gen AI) security. The large language model (LLM) vulnerability scanner can be run by security professionals against their gen AI API inference endpoints. The Tumeryk LLM Safety Report generated allows enterprises to discover potential gen AI risks and protect against them by building security policies in the Tumeryk Gen AI Firewall. The Gen AI Firewall is built using NVIDIA NeMo Guardrails and other state-of-the-art tools and research.

Tumeryk is also hosting a free webinar - Generative AI Security and Risk Mitigation - featuring Rohit Valia, CEO and founder of Tumeryk, and Christopher Parisien, senior manager of applied research at NVIDIA, to share how organizations can leverage Tumeryk's technologies to safely deploy gen AI-based applications into production. Sign up for the webinar enables access to the free gen AI LLM vulnerability scanner service and the Tumeryk Gen AI Security Studio.

"By making the gen AI LLM vulnerability scanner service available for free, Tumeryk is allowing organizations to get an understanding of their risk profile while using these innovative technologies and ensuring that they stay secure and compliant," said Valia. "Artificial intelligence, particularly Gen AI, holds immense transformative potential – and demand for the best security tools." 

"Gen AI presents a powerful opportunity for innovation, and organizations must approach implementations with safety in mind, especially for regulated industries. As CISOs, we need to adapt our security capabilities and operations to be inclusive of Gen AI solutions," said Puneet Thapliyal, ex-CISO at Hippocratic.ai. "Tumeryk provides the tools for enterprises to enhance gen AI security."

The Gen AI Security Studio is designed for security analysts, providing a comprehensive platform to scan LLMs and build and test gen AI Firewall policies. This proactive approach helps identify vulnerabilities and strengthens AI defenses prior to deployment. 

The Gen AI Firewall enables centralized controls over gen AI access. Security and governance teams can collaborate with developers to build sophisticated guardrails using the Gen AI Security Studio and deploy them to the Gen AI Firewall. Utilizing NVIDIA NeMo Guardrails, the Gen AI Firewall leverages heuristics to block jailbreak attempts, score hallucinations, moderate content, and orchestrate dialogs. It enables the creation of virtual silos for LLMs using role-based access control (RBAC) and enhances security through an API key vault. This firewall is crucial for maintaining the integrity and reliability of AI systems by helping ensure interactions remain within predefined security parameters.

The AI Security Monitoring Dashboard offers a single pane of glass for monitoring LLMs across cloud providers. This allows operations teams to monitor the performance of gen AI applications and review comprehensive logs and alerts to ensure any deviations from expected behavior are promptly addressed. 

The free LLM scanner and Gen AI Security Studio can be accessed from the AWS Marketplace or https://tumeryk.com/, providing easy access for organizations looking to enhance their AI security posture. Tumeryk AI solutions represent a significant advancement in AI security, offering a holistic approach to managing the complexities of gen AI. As AI continues to integrate deeper into business operations, Tumeryk Inc. remains at the forefront of ensuring these systems are secure, reliable, and aligned with organizational policies.

About Tumeryk Inc.

Tumeryk Inc. is a pioneering company in AI security solutions, dedicated to developing innovative technologies that safeguard AI systems. With a focus on proactive risk management and comprehensive protection strategies, Tumeryk Inc. enables organizations to deploy AI with confidence and integrity.

You May Also Like

Tumeryk Inc. Launches With Free Gen AI LLM Vulnerability Scanner

PRESS RELEASE

CHICAGO, July 16, 2024 /PRNewswire/ -- Research from MxD (Manufacturing x Digital), the digital manufacturing institute and the National Center for Cybersecurity in Manufacturing supported by the Department of Defense, has revealed an urgent need for the U.S. manufacturing sector to strengthen its cybersecurity posture.

The report, titled Behind the Firewall, establishes the sector's cybersecurity preparedness and finds that manufacturers are overestimating their capabilities.  

Securing U.S. manufacturing has emerged as an economic and national security priority as the manufacturing sector remains the most targeted sector worldwide for cyber-attacks. Faced with unique challenges in securing business operations against geopolitical threats, the report shares insights and strategies for manufacturers to enhance their cyber resilience.

The survey found:

*   76% of manufacturers are confident their organization can prevent cyber risks and respond to cyber-attacks
    
*   Only 34% of manufacturers have comprehensive system security plans (SSPs) in place - a fundamental cybersecurity requirement and often required for compliance
    
*   Just 43% of all manufacturers have a dedicated cybersecurity leader, such as a Chief Information Security Officer (CISO) or Director of Cybersecurity
    
    *   The disparity is stark when compared by size: 88% of large manufacturers (500+ employees) have such leaders, compared to 35% of small- and medium-sized manufacturers (fewer than 500 employees)
        
    
*   Encouragingly, 82% of manufacturers are planning to raise cybersecurity spending in the upcoming budget cycle
    

"The supply chains which support U.S. manufacturing are only as strong as their weakest link. We must strengthen at every level to ensure a resilient domestic manufacturing capability, including within the defense industrial base," said MxD CEO Berardino Baratta. "We see a sense of overconfidence in our research results, which is concerning given that everyone is at risk, from the largest multinational to small- and medium-sized manufacturers who often lack the proper resources to protect themselves from cyber-attacks."

"Manufacturing sector cyber-attacks are no longer rare, one-off events," said MxD Director of Cybersecurity Michael Tanji. "The rise in incidents shows repeated and concerted efforts to steal IP or other company data, resulting in production shutdowns, logistical delays, and more. Our manufacturing sector must stay ahead of these growing threats – and we can only do that by updating and upgrading cyber capabilities across the industry."

This survey identifies key areas where manufacturers can benefit from additional resources to strengthen their cybersecurity infrastructure. Research results were segmented by vertical sector and manufacturer size, which allows for a deeper understanding of needs and insights at all levels of the manufacturing sector. In turn, this enables MxD to develop tools, like cyber playbooks and training guides, which more effectively address sector needs. 

This report launches as MxD reaches its 10-year anniversary and underscores the imperative for strengthening U.S. manufacturing competitiveness and resiliency. As a public-private partnership, MxD convenes and collaborates with manufacturers to prepare and protect domestic supply chains against cybersecurity threats.

About MxD  
MxD (Manufacturing x Digital) advances economic prosperity and national security by strengthening U.S. manufacturing competitiveness through technology innovation, workforce development, and cybersecurity preparedness. In partnership with the Department of Defense, we convene an ecosystem to solve critical manufacturing challenges by accelerating digital adoption, empowering a skilled workforce, and modernizing supply chains. MxD is also the National Center for Cybersecurity in Manufacturing as designated by DoD. Visit mxdusa.org to learn more.

You May Also Like

Source

DARKReading