The threat group used CVE-2024-38112 and a "zombie" version of IE to spread Atlantida Stealer through purported PDF versions of reference books.

Source: Ezyjoe via Alamy Stock Photo

New details have emerged about how an advanced persistent threat (APT) group exploited an unpatched Microsoft zero-day in a spear-phishing campaign to spread the Atlantida Stealer, which lifts system information and sensitive data such as passwords and cookies from various applications.

A blog post published July 15 by Trend Micro sheds new light on how the APT, dubbed Void Banshee, which used the flaw (CVE-2024-38112)against victims in North America, Europe, and Southeast Asia. The bug exists in the MSHTML (Trident) engine for the now retired Internet Explorer (IE) browser, but it can be exploited on a victim's machine even if IE is disabled or not the default browser.

It's an "alarming" attack given that IE has "historically been a vast attack surface but now receives no further updates or security fixes," Trend Micro senior threat researcher Peter Girnus and malware reverse engineer Aliakbar Zahravi wrote in the post.

The Void Banshee campaign lured victims via zip archives containing malicious files disguised as book PDFs that were disseminated via cloud-sharing websites, Discord servers, and online libraries, among others sectors, the researchers found. This is a typical tactic of the group, which tends to target victims both for information stealing and financial gain, they noted.

"\[Atlantida\] malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop," the researchers wrote. "Moreover, the malware captures the victim's screen and gathers comprehensive system information."

**New Details on Zero-Day Exploitation**

Separately, security researchers already had revealed that unidentified threat groups were exploiting the IE flaw — which was patched in Microsoft's July Patch Tuesday update— to spread Atlantida and other malware in malicious PDF files.

Microsoft described CVE-2024-38112 as a spoofing vulnerability that could have a high impact on system confidentiality, integrity, and availability if successfully exploited, but only gave it a moderately high severity rating of 7.5 out of 10 on the CVSS vulnerability-severity scale. That's because that for an attack to be successful, an attacker would need to convince a victim to interact with the weaponized URL file, among other factors.

Trend Micro's report provides new details about how Void Banshee was able to get Windows users to do this by convincing targets in a spear-phishing campaign to open URL shortcut files designed to look like PDF copies of a book — specifically, textbooks and reference materials such as "Clinical Anatomy."

This "suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected," the researchers wrote.

**CVE-2024-38112 Exploitation & Payload Behavior**

A previously revealed attack vector described by Check Point security researcher Haifei Li detailed how malicious shortcuts when could use IE — even if it's not the default browser — to open an attacker-controlled URL by calling the defunct browser instead of a more secure browser such as Chrome or Edge. The vector hid dangerous HTML application (HTA) files in PDF documents that looked safe to users.

Trend Micro's report describes how Void Banshee did this by distributing URL files that contained the MHTML protocol handler and the x-usc! directive, which allowed the group to access and run HTA files directly through the disabled IE process. When a victim opens what looks like an innocuous PDF, it instead opens the URL target in the native IE through the iexplore.exe process.

"The Internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain," the researchers explained. "Using this HTML file, the attacker can also control the window view size of the website through IE. This is used by the threat actor to hide browser information and to mask the downloading of the next stage of the infection chain from the victim."

As mentioned, the attack ultimately delivers the Atlantida stealer, which is built from open source stealers NecroStealer and PredatorTheStealer. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and Web browsers. The malware then compresses the stolen data into a zip file and sends it back to an attacker-controlled command-and-control (C2) site over TCP port 6655.

**"Zombie Relics" Like IE Remain Dangerous**

Overall, the attacks on CVE-2024-38112 demonstrate how even technology like IE that is no longer supported or even in active use at an organization can still pose a major threat, according to Trend Micro.

"Even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware," the researchers wrote.

Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern Web sandboxes, such as IE mode for Microsoft Edge, poses "a significant industry concern," they wrote.

Patching the flaw is the most obvious way to thwart current exploitation of the IE issue, the researchers noted. Trend Micro also included a list of MITRE ATT&CK techniques and a link to indicators of compromise (IoCs) in its post.

According to Trend Micro, organizations also should take a proactive approach and engage in advanced threat intelligence as well as adopt a security posture that is constantly monitoring scanning software and other corporate network assets for potential flaws and other attack surfaces that potentially can be exploited.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Void Banshee APT Exploits Microsoft Zero-Day in Spear-Phishing Attacks

Bad actors are launching unprecedented waves of attacks against government agencies — and the federal government is woefully underprepared.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

July 16, 2024

4 Min Read

Source: vska via Alamy Stock Photo

COMMENTARY

In the past year, we've seen an influx of attacks on critical infrastructure, which has steadily become a concern for the federal government, including for the healthcare sector, and even the US Department of Health and Human Services (HHS). However, with this rise in attacks across industries, we're still seeing a gap in available cyber professionals to address it. Case in point: 71% of organizations have unfilled cybersecurity positions. This is due largely to outdated training, costly certifications, and the industry's narrative of being difficult to enter. And each of these factors discourages prospective talent from joining the workforce.

To increase accessibility to the industry, the White House announced a commitment to skill-based hiring in order to recruit cybersecurity talent for the private sector and in-demand federal positions. This is a significant step for the federal government, which has long used arcane methods of recruiting cybersecurity professionals. However, it remains saddled with the perception that it's behind the times due to its reliance on legacy technology. 

**Stuck in the Past**

Federal employees spend most of their time and energy on maintaining legacy security systems. As a result, government agencies are lagging in implementing modern security strategies. Limited funding, expertise, and technology make it virtually impossible for them to break this cycle. They just can't compete with the private industry for new hires aspiring to the cybersecurity big leagues.

Consequently, agencies are experiencing an IT skills deficit, specifically at the technician level, where protecting information and data from national security threats is critical. The money to recruit cyber talent and implement new technologies instead goes into maintaining legacy systems.

The question that needs an immediate answer is, How can the federal government close this gap in resources and incentives to attract top cybersecurity talent?

**What Motivates Cybersecurity Pros?**

Young people want to apply their skills to an organization at the cutting edge of technology. When deciding where to work, they consider salary, benefits like unlimited paid time off, bonuses, stock options, and the opportunity to work with the latest cybersecurity solutions. Sacrificing higher pay and perks to serve their country is a less desirable option for many.

Permitting remote working arrangements is another key consideration. The pandemic revealed that working from home is feasible, and convinced a wave of employees they don't have to commute to an office. 

Therefore, the government needs to incentivize and get creative with how it recruits and encourages talent to enhance and maintain national cybersecurity standards. This is a challenge, as the current generation of workers is actively redefining the workforce as we know it.

To make itself more appealing to the younger generation, the federal government needs to reconsider the benefits it offers, moving away from more traditional long-term incentives to a focus on more immediate, short-term perks. Case in point: The military has revamped its benefits to entice current and retired military personnel, with benefits including supplemental allowance for basic needs, housing, and enhanced healthcare options. This step recognizes the shift in what prospective employees value in a job.

**Ways the Government Can Incentivize Prospective Security Talent**

The government will not close the cybersecurity talent gap until it provides incentives that compel prospective employees to transfer their skills from the private sector to positions with federal agencies. Such incentives could include:

*   More opportunity for short-term financial upsides
    
*   Part- or full-time remote working policies
    
*   Thrift Savings Plan (TSP) matching
    

In addition to recruiting individuals with cybersecurity skill sets, the government needs to ensure that it's recruiting blooming talent into its ranks and keeping them informed on the latest developments in the cybersecurity landscape, including threats, programs, tactics, and more.

Employees want benefits and the opportunity to learn and develop their skills. We've seen this first-hand in other federal programs: The Air Force runs a program called Education with Industry (EWI), which loans its fellows for an integrated, experiential learning program among industry partners within the private sector. The program gives participants access to the latest technologies, as well as hands-on learning experience for industry best practices.

To replicate this process, the government should partner with the private sector to develop security talent, offering employees the opportunity to work with the private sector while obtaining that same cutting-edge experience and then return to the federal government so they can apply that knowledge to national security.

From my own personal experience, having government experience on your résumé puts you ahead of those who have only private experience — especially as the private and public sectors continue to lean on each other and partner more heavily. The same could be accomplished for other cyber talent. Once they've gained experience in the private sector, they could be brought back to the government to apply their skills.

We're operating at a time when bad actors are launching unprecedented waves of attacks against government agencies. The threat to our nation has never been higher, and the federal government remains woefully underprepared. It must become more proactive and purposeful in how it recruits cybersecurity talent if it's going to level the cyber battlefield.

**About the Author(s)**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

The Need to Recruit Cyber Talent in the Government

Retail banks in the nation-state will eliminate the use of one-time passwords (OTPs) by bank customers in an effort to thwart phishing.

Source: Saranvarin Nopsuwan via Alamy Stock Photo

Singapore has set in motion an aggressive plan to retire one-time passwords (OTPs) for its retail banking customers within the next three months.

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said the new authentication process will employ digital tokens in lieu of passwords as a better way to protect against phishing attacks aimed at stealing customer banking credentials. Banking customers will use digital tokens on their mobile devices to authenticate to their accounts on mobile apps and on the banks' websites.

"This measure provides customers with further protection against unauthorized access to their bank accounts. While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers," said Ong-Ang Ai Boon, director of the ABS.

**About the Author(s)**

Singapore Banks Ditch One-Time Passwords

The new cybersecurity startup is focused on helping companies prepare and respond to a "cyber crisis" by consolidating the three Rs: readiness, response, and recovery.

Source: Jacob Lund via Alamy Stock Photo

Organizations are increasingly focused on resiliency — the ability to adjust and keep operating during an ongoing attack as well as to mitigate and recover as quickly as possible. But one of the reasons organizations struggle with response and recovery is due to poor communication among stakeholders. It takes time to find out who needs information and what level of detail they need. And then there is the delay waiting for stakeholders to make decisions on next steps and how to proceed.

Cytactic is a new cybersecurity startup that aims to consolidate crisis readiness, response, and recovery into a software-as-a-service (SaaS) platform. The Cytactic platform provides security teams with a simplified, orchestrated, step-by-step methodology involving relevant stakeholders, the company said. The platform also recognizes that businesses react and respond differently to incidents and so offers a variety of business profiles and risk landscapes.

The company did not provide specifics on how the platform consolidates the various activities, how organizations will use the platform as part of their incident-response planning, or how the platform will be used during an active incident.

Making it easier to provide relevant information to affected stakeholders and speeding up decision-making can help mitigate — or avert — issues resulting from an incident. Gartner recently noted that organizations that focus on synchronized readiness and management in their incident-response preparation increase their chances for a successful outcome.

"Conducting incident response planning and having a formal third-party contingency plan increased third-party cyber risk management effectiveness by 42% and 43%, respectively," according to Gartner.

Cytactic launched on July 10 with the announcement of a $16 million seed funding round led by Evolution Equity Partners. The company's founder, Nimrod Kozlovski, is a former venture capitalist.

**About the Author(s)**

Cytactic Focuses on Stakeholder Communication to Boost Incident Response

Russian hacktivists claim DDoS attacks against basic tourist websites. Is it real, or just smoke and mirrors?

Source: Hemis via Alamy Stock Photo

Against the backdrop of the upcoming Paris Olympics, Russian hacktivists have claimed denial-of-service (DoS) attacks against a few notable French websites.

For months now, the news media has warned of both physical and cyber threats to the upcoming Olympic Games. The fears are well-founded: Any major event these days is a target, and prior Olympics have seen their fair share of incidents.

A potential opening salvo rang out in June, Cyble notes in a new report, when the Russian hacktivist groups HackNeT and the People's Cyber Army claimed a series of distributed DoS attacks on their social media channels. The Sandworm-linked People's Cyber Army referred to the attacks as mere "training."

**Pre-Olympics DDoS Attacks**

On June 23, the hacker collectives posted a series of screenshots of victim websites, and website uptime monitoring tools to demonstrate their downing.

At 8:30 UTC, for example, the People's Cyber Army claimed an attack on the website of the La Rochelle International Film Festival. Shortly thereafter, HackNet published news of another attack against the site for the Grand Palais. Cyble labeled these many claims as "possibly true" but couldn't confirm their legitimacy.

The pattern of targeting relatively mundane websites belonging to popular tourist attractions fits neatly into a picture of amateurish hacktivists seeking attention.

"I think it's mostly about being recognized as a formidable player in this whole space of cyber hacktivism — being seen taking up causes, and appearing to be fighting for it," says Kaustubh Medhe, head of research and intelligence at Cyble. "You have to keep your voice heard and be in the headlines all the time. And it's also a chance for groups to gather more mass support."

The People's Cyber Army in particular has historically done quite well on those fronts. Though it's only just over two years old, its Telegram channel sports more than 50,000 subscribers.

**Cyber Threats to the Paris Olympics**

When it comes to the myriad cyber threats to the Paris Olympics, "I delineate between risks that are scary, and those that are more of a nuisance," says Bojan Simic, co-founder and CEO of HYPR.

"Nuisance types of scenarios are: the Olympics app doesn't work and people don't know where the next event is and it's annoying. And taking down specific events from TV or streaming," he says. Politically motivated hacktivism against static websites — of the kind so boasted about by HackNet and the People's Cyber Army — also falls under this banner.

The problem, Medhe warns, is that nuisances can provide a screen for more ambitious attacks. "There have been instances in the past where DDoS attacks are a distraction to throw off a security team, to focus them on something less important, while some other threat groups are trying to get in some other way, and there is a more advanced attack in progress," he says.

Besides physical threats to athletes and fans, advanced cyber attacks might take the form of a major data breach, such as when Russia's Fancy Bear stole sensitive medical data on athletes at the 2016 games in Rio. This was a major interference, like the Olympic Destroyer attack at Pyeongchang 2018 that disrupted broadcasting, ticketing, various Olympics websites, and Wi-Fi at the host stadium. Attacks might also take some other form not yet seen at prior Games.

"I think they're generally reasonably well prepared," Simic says of the Olympic committee this time around, "but I think their preparations are going to be largely based off of previous attacks. I think they've been on the lookout for DDoS attacks, making sure that they have the ability to automatically scale the environment if they need to, to make sure that disruptions are minimized. Their ability to stop newer attacks is to be seen.

"We haven't really seen organizations adapt to modern, AI-based attacks involving malware and social engineering. That gives me some discomfort around the Olympic Committee being able to stop \[certain\] attacks."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Trial' DDoS Attacks on French Sites Portend Greater Olympics Threats

The cybercrime group demands ransoms of varying degrees, from thousands to even millions of dollars — in some cases, 2 bitcoin per encrypted customer.

Source: ronstik via Alamy Stock Photo

SEXi ransomware group, a cybercrime group that has targeted a variety of organizations in attacks that started in February of this year, has been operating under the name of APT Inc. since June.

The group uses a leaked Babuk encryptor to target VMware ESXi servers, and a leaked LockBit 3 encryptor to target Windows servers.

Now, having rebranded, the group continues to use its original methods of encryption as it wreaks havoc on new victims, requesting ransom demands that vary from thousands to millions dollars.

Some victims have publicly shared their experiences with the APT Inc. attacks, such are sharing ransom notes like the following:

"You got hacked! We are APT INC; Go to https://getsession\[dot\]org/; download & install; then add 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912 to your contacts and send us a message with this codename - - - > GARAKLY; You gave 1 week to pay, then your decryptor will be deleted," stated one ransom note. "The longer you wait the more money you will have to pay. Don't involve 3rd parties — they can't help you, they will charge you money for nothing, moreover, we always tell them to fuck off; Are you the admin? Talk to your boss right now !!!"

Currently, there are no known weaknesses to Babuk and LockBit 3 encryptors, and there is no free method to recovering the files. 

**About the Author(s)**

SEXi Ransomware Rebrands as 'APT Inc.,' Keeps Old Methods

A malicious Telegram bot is the key to a veritable flourishing garden of nefarious cybercriminal activity, which was discovered via a series of Python packages.

Source: Picturebank via Alamy Stock Photo

A sprawling criminal network has emerged in Iraq, linked to a Telegram bot that dates back to 2022 and contains more than 90,000 messages, mostly in Arabic.

According to researchers at Checkmarx, the bot is the key to a larger, sophisticated cybercriminal ecosystem, including a thriving underground marketplace offering social media manipulation services and financial theft tools, and a suite of malicious PyPI packages that exfiltrate user data.

**Malicious PyPI Packages for Data Theft**

A series of malicious, Arabic-language Python packages recently surfaced on the Python code repository PyPI according to Checkmarx, uploaded by a user named "dsfsdfds." Upon further examination, the researchers found them to contain a malicious script that was pilfering sensitive user data out to a Telegram bot chat.

"The malicious script … begins by scanning the user's file system, focusing on two specific locations: the root folder and the DCIM folder," according to the report, released today. "During this scanning process, the script searches for files with extensions such as .py, .php, and .zip files, as well as photos with .png, .jpg, and .jpeg extensions."

The packages also contained a hardcoded Telegram ID and token, which Checkmarx researchers used to gain direct access to the attacker's Telegram bot, where they discovered "a significant history of activity, with records dating back to at least 2022, long before the malicious packages were released on PyPI."

Ultimately, the 90,000 messages pointed to an origin in Iraq, with ties with many other bots to boot. In all, it's clear that Iraq is home to a heretofore unknown, thriving cybercriminal enterprise with a raft of illicit services on offer.

"The discovery of the malicious Python packages on PyPI and the subsequent investigation into the Telegram bot have shed light on a sophisticated and widespread cybercriminal operation," the report concluded. "What initially appeared to be an isolated incident of malicious packages turned out to be just the tip of the iceberg, revealing a well-established criminal ecosystem based in Iraq."

The discovery underscores the role that open source software continues to play when it comes to providing an attack vector for compromising enterprise information, the researchers noted, adding that they plan to release further details on the Iraq underground discovery in the coming months.

"As the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks," they said. "Through collective effort and proactive measures, we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Well-Established Cybercriminal Ecosystem Blooming in Iraq

The breach affects older customer information involved in purchases made from June 6, 2017, up until July 30, 2018.

Source: Robert K. Chin - Storefronts via Alamy Stock Photo

This morning Rite Aid, an American drugstore chain, revealed news of falling victim in a data breach last month in what it called a "limited cybersecurity incident."

On June 6, a third-party threat actor impersonated a company employee and gained access to certain company systems. This unauthorized access was detected soon after, and the company launched an investigation to determine the scope of the breach and whether any data was compromised.

Though the company has determined that no Social Security numbers, financial information, or patient information was affected in the breach, the threat actors did acquire data connected to purchases of retail products, including names, addresses, dates of birth, and driver's licenses or government IDs.

The company has not released an official statement revealing who the threat actors are, but RansomHub gang has claimed that it breached the company's systems.

"While having access to the Rite-Aid network, we obtained over 10GB of customer information equating to around 45 million lines of people's personal information," the ransomware group said on its Dark Web leak site. "This information includes name, address, dl\_id number, DoB, Rite Aid rewards number."

Rite Aid reportedly stopped negotiating a ransom, prompting the ransomware group to share snippets of what it claims is stolen data as proof and add a two-week deadline before more information will be leaked.

**About the Author(s)**

Rite Aid Becomes RansomHub's Latest Victim After Data Breach

Good risk management is necessary to protect customers, ensure operational continuity, safeguard intellectual property, and maintain fiscal responsibility.

Source: Ron Buskirk via Alamy Stock Photo

COMMENTARY

Manufacturers have been feeling urgency around cybersecurity for several years — and it's little wonder given their sector remains the No. 1 ransomware target. Ransomware attacks threaten to affect manufacturers by interrupting operations that ripple through supply chains, leading to significant financial losses through ransom payments, revenue decline, and recovery costs.

Despite the looming threats, there is a notable shortage of cybersecurity professionals who can shield manufacturers from bad actors. But with the proper training and tools, manufacturers can still implement a strong security posture, even if they don't have a security expert on staff. Let's drill down on how can manufacturers can bolster their cybersecurity defenses and, should an attack occur, steps they should take to control the damage.

**Considerations for Securing the Entire Ecosystem**

Small to midsize manufacturing businesses are especially vulnerable to cyber threats due to a lower level of preparedness as compared to enterprises, unprotected data, and willingness to pay ransoms. Strengthening cybersecurity is crucial for product safety, quality assurance, and operational efficiency. For instance, implementing stringent controls on industrial control systems (ICS), operational technology (OT), and enterprise resource planning (ERP) systems can reduce vulnerabilities.

With a comprehensive risk management strategy, manufacturers can protect end customers, ensure operational continuity, safeguard intellectual property, and maintain fiscal responsibility. However, even with robust preventive measures, the possibility of a cyberattack remains. Therefore, manufacturers need to be prepared to identify risks.

**Warning Signs of Ransomware**

Timing is critical when assessing cyber threats in manufacturing, and early detection is the most effective way to prevent ransomware. The longer a breach goes undetected, the more damage attackers can inflict on production lines, supply chains, and intellectual property. Fortunately, even lean manufacturing IT teams can implement robust defense measures without the need for a dedicated cybersecurity expert.

In manufacturing, common warning signs include unusual activity on the network segments that control machinery, production lines, or ERP systems. Another common indicator is unusual network traffic, which can mean that someone has external data access or is conducting other malicious activities within the system. Manufacturers might notice unexpected data transfers from supervisory control and data acquisition (SCADA) systems or other critical OT components.

Consider a scenario where a manufacturer notices an unusual spike in network traffic late at night when production lines are typically idle. This anomaly could indicate an unauthorized party is attempting to transfer data or conduct other malicious activities. Other red flags include unauthorized administrative activities, such as installing programs without official approval or user sign-ins from unusual locations or unfamiliar devices.

Recognizing these warning signs is crucial for early detection and prompt response, preventing minor breaches from turning into major incidents. However, if a ransomware attack occurs, act quickly and efficiently to mitigate damage and begin recovery.

**What to Do in the Event of an Attack**

If hackers strike, manufacturers should take these critical steps to prevent significant damage and begin the recovery process:

1.  Isolate impacted systems: Immediately identify and isolate compromised systems — including production machinery, assembly lines, SCADA systems, or ERP software — from the network. If isolation is not possible, shut them down to prevent further spread.
    
2.  Create an incident document: Maintain and update a document to log discoveries and affected systems — e.g., computer numerical control (CNC) machines, robotic systems, or programmable logic controllers (PLCs) — and coordinate response efforts across the team.
    
3.  Examine detection systems: Review existing detection systems — such as antivirus, endpoint detection and response (EDR), security, information, and event management (SIEM), and intrusion prevention (IPS) systems — for signs of compromise, such as newly created accounts, or indications of persistence mechanisms. This process should include checking logs from ICS and OT monitoring tools.
    
4.  Report the incident: Contact agencies, such as the US Cybersecurity and Infrastructure Security Agency (CISA), your security vendors, the FBI, or the US Secret Service for assistance and to report the attack. Additionally, inform industry-specific bodies or associations that may provide support.
    
5.  Coordinate communication: Work with communications staff to ensure accurate information is shared internally and externally, according to the company's corporate communications guidelines. Use nonstandard communication methods (e.g., phone calls and encrypted messaging apps) to avoid alerting attackers. Notify key stakeholders, including suppliers and customers, about potential impacts on production schedules.
    
6.  Rebuild and restore systems: Prioritize and rebuild critical systems, focusing on restoring manufacturing operations, such as manufacturing execution systems (MES), human-machine interfaces (HMI), and other essential production control systems. Issue password resets for affected accounts and restore data from offline encrypted backups to ensure the integrity and availability of production data.
    
7.  Document lessons learned: After the incident is under control, document your insights and update organizational policies, plans, and procedures accordingly. Conduct a post-incident review to identify gaps in the response and improve resilience against future attacks. Include lessons learned about specific manufacturing processes and impacted technologies.
    

Manufacturing organizations and professionals know the urgency required to address cybersecurity threats. By recognizing early warning signs, responding swiftly to incidents, and strengthening their cybersecurity posture, manufacturers can protect themselves against the growing wave of attacks, allowing the industry to build resilience and ensure the continuity of critical manufacturing processes.

**About the Author(s)**

CTO and Co-Founder, Blumira

Matt is CTO and Co-Founder of Blumira, a leading cybersecurity provider of automated threat detection and response technology. At Blumira, he leads the security and engineering efforts to provide actionable insights into cybersecurity risks at scale. Matt has over 10 years of experience in IT, Information Security, and Software Engineering, focusing on business strategy, architecture, compliance, threat detection and penetration testing. Previously, he was Director of Security Services, Development & Security at NetWorks Group, responsible for defensive information security and services.

How Manufacturers Can Secure Themselves Against Cyber Threats

Careful planning and proactive measures can ensure smooth and secure transitions, paving the way for a successful merger or acquisition.

Source: Mohd Izzuan Roslan via Alamy Stock Photo

COMMENTARY

Mergers and acquisitions (M&As) are exciting ventures, but they come with their share of challenges, especially in the realm of cybersecurity. Integrating systems, data, and cultures from two distinct organizations can introduce various cybersecurity risks that can impact both the transaction and the future operations of the newly combined entity.

**7 M&A Cybersecurity Risks and Tips for Dealing With Them**

Here are the top seven cybersecurity risks commonly associated with M&As, and suggestions on how to mitigate each.

1.  Data breaches: The integration phase in an M&A significantly increases the risk of data breaches. As systems and data from two different organizations are merged, vulnerabilities can be exploited, leading to unauthorized access. To combat this challenge, organizations should adopt a phased integration approach and maintain continuous security monitoring. It's also critical to have a solid incident response plan ready to quickly address any potential breaches.
    
2.  Limited due diligence: Skipping a thorough assessment of the cybersecurity posture of the acquisition target can lead to inheriting unresolved security issues or even ongoing breaches. As such, organizations should perform detailed cybersecurity audits and assessments during the due diligence process. This approach helps uncover and fix any existing vulnerabilities or breaches before they become a problem.
    
3.  Integration challenges: Combining IT systems can be complex and may create security gaps. In particular, differences in security architectures, policies, and practices between the two organizations can lead to vulnerabilities. By developing a detailed integration plan that includes security protocols and standards, organizations can ensure a smooth and secure merging of IT systems, addressing potential security gaps proactively, instead of reactively.
    
4.  Compliance issues: Each company involved in the merger may be subject to different regulatory requirements for data protection and privacy. And, what's more, ensuring the merged entity meets all legal standards can be challenging. Organizations should conduct a comprehensive compliance review to identify all regulatory requirements. They should also create a compliance roadmap to ensure the merged entity meets all necessary legal and regulatory standards.
    
5.  Insider threats: The M&A process can create uncertainty and discontent among employees, increasing the risk of insider threats, such as intentional data leaks or sabotage. Because of this, organizations should implement robust insider threat monitoring and establish clear communication channels to address employee concerns. Reducing uncertainty can help mitigate the risk of insider threats.
    
6.  Legacy systems: Supporting outdated or unsupported technology within the merged entity can pose significant security risks, as these systems are often more vulnerable to cyberattacks. To solve this problem, organizations should prioritize the assessment and modernization of legacy systems. Ensuring these systems are properly secured until they can be replaced or updated will significantly reduce vulnerabilities.
    
7.  Resource allocation: Resources may be spread thin during an M&A, leading to neglected cybersecurity practices or delayed incident responses. Involvement of multiple third parties, such as consultants and advisers, can also increase the risk of data exposure. Organizations can get ahead of this issue by allocating dedicated resources for cybersecurity during the M&A process. They also need to ensure that third-party partners adhere to strict security standards and practices to maintain data security.
    

Navigating the cybersecurity risks in mergers and acquisitions can be daunting, but with careful planning and proactive measures, it's possible to ensure a smooth and secure transition. By following the suggestions above, organizations can mitigate risks and pave the way for a successful merger or acquisition.

**About the Author(s)**

Chief Innovation Officer, Axiad

Bassam Al-Khalidi is the chief innovation officer at Axiad. He is an industry expert with more than 20 years of experience designing and deploying identity and access management solutions across large government, enterprise, and healthcare organizations. He is a leading expert in authentication, CAC/PIV smart card, and PKI deployment, and has been involved in multiple enterprise-class authentication deployments over the past several years.

Source

DARKReading