Among those affected by all this monkeying around with DDoS in September were some 4,000 organizations in the US.

Source: Moviestore Collection Ltd via Alamy Stock Photo

Distributed denial-of-service (DDoS) attacks involving a new Mirai variant called GorillaBot surged sharply last month, launching 300,000 attacks, affecting some 20,000 organizations worldwide — including nearly 4,000 in the US alone.

In 41% of the attacks, the threat actor attempted to overwhelm the target network with a flood of User Datagram Protocol (UDP) packets, which are basically lightweight, connection-less units of data often associated with gaming, video streaming, and other apps. Nearly a quarter of the GorillaBot attacks were TCP ACK Bypass flood attacks, where the adversary's goal was to flood the target — often just one port — with a large number of spoofed TCP Acknowledgement (ACK) packets.

**GorillaBot, the Latest Mirai Variant**

"This Trojan is modified from the Mirai family, supporting architectures like ARM, MIPS, x86\_64, and x86," researchers at NSFocus said in report last week, after observing the threat actor behind GorillaBot launch its massive wave of attacks, between Sept. 4 and Sept. 27. "The online package and command parsing module reuse Mirai source code, but leave a signature message stating, 'gorilla botnet is on the device ur not a cat go away \[sic\],' hence we named this family GorillaBot."

NSFocus said it observed the botnet controller leverage five built-in command-and-control servers (C2s) in GorillaBot to issue a steady cadence of attack commands throughout each day. At its peak, the attack commands hit 20,000 in a single day. In all, the attacks targeted organizations in 113 countries with China being the hardest hit, followed by the US, Canada, and Germany, in that order.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

Though GorillaBot is based on Mirai code, it packs considerably more DDoS attack methods — 19 in all. The available attack methods in GorillaBot include DDoS floods via UDP packets and TCP Syn and ACK packets. Such multivector attacks can be challenging for target organizations to address, because each vector often requires a different mitigation approach.

For example, mitigating volumetric attacks such as UDP floods often involve rate limiting or restricting the number of UDP packets from a single source, blocking UDP traffic to unused ports, and distributing attack traffic across multiple servers to blunt the impact. SynAck flood mitigation on the other hand is about using stateful firewalls, SYN cookies, and intrusion-detection systems to track TCP connections and ensure that only valid ACK packets are processed.

**Bad Bots Rising**

Traffic related to so-called bad bots like GorillaBot has been steadily increasing over the past few years, and currently represents a significant proportion of all traffic on the Internet. Researchers at Imperva recently analyzed some 6 trillion blocked bad bot requests from its global network in 2023, and concluded that traffic from such bots currently accounts for 32% of all online traffic — a nearly 2% increase from the prior year. In 2013, when Imperva did a similar analysis, the vendor estimated bad bot traffic at 23.6% and human traffic as accounting for 57% of all traffic.

Related:Criminals Are Testing Their Ransomware Campaigns in Africa

Imperva's 2024 "Bad Bot Report" is focused entirely on the use of bad bots at the application layer and not specifically on volumetric DDoS attack on low-level network protocols. But 12.4% of the bad bot attacks that the company helped customers mitigate in 2023 were DDoS attacks. The security vendor found that DoS attacks in general were the biggest — or among the biggest — use cases for bad bots in some industries, such as gaming, and the telecom and ISP sector in healthcare and retail. Imperva found that threat actors often tend to use bad bots for DDoS attacks where any kind of system downtime or disruption can have significant impact on an organization's operations.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GorillaBot Goes Ape With 300K Cyberattacks Worldwide

The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations.

Source: Miro Novak via Alamy Stock Photo

The Chinese state-sponsored advanced persistent threat (APT) known as Salt Typhoon appears to have accessed major US broadband provider networks by hacking into the systems that law-enforcement agencies use for court-authorized wiretapping.

According to unnamed sources speaking to the Wall Street Journal, the affected providers include major national players like AT&T and Verizon Communications, along with enterprise-specific service providers like Lumen Technologies.

In addition to the wiretapping connections, the sources said Salt Typhoon also had access to more general Internet traffic flowing through the provider networks, and that the cyberattackers went after a handful of targets outside the US as well. The APT could have had access for months, they added.

"The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon," sources told the WSJ. "It appeared to be geared toward intelligence collection."

Neither AT&T, Lumen, or Verizon immediately responded to a request for comment from Dark Reading.

**Lawful Intercept Connections in China's Hacking Sights**

The news comes about a week after Salt Typhoon was outed as hacking into major telecom networks for cyber-espionage purposes, and possibly to position itself to disrupt communications in the event of a kinetic conflict between China and the US. But the subversion of the connections that law enforcement entities have to service provider networks (which they can use to intercept communications of private individuals or organizations during criminal investigations or for purposes of national security) is a new wrinkle.

No information is available on how the attackers might have gotten access to the lawful intercept infrastructure, but Ram Elboim, CEO of Sygnia, which tracks the APT as "GhostEmperor," notes that clearly Salt Typhoon performed extensive reconnaissance.

"Reaching and compromising these sensitive assets requires not only familiarity with the network structure, but also advanced capabilities to be able to move laterally across separated sub-networks," he tells Dark Reading. "One assumes that these assets are far separated from the ISP corporate and operational network, and also connected to law enforcements’ networks in order for authorities to be able to operate and stream the gathered data in a very secure method."

This breach demonstrates the need for critical infrastructure organizations to not only design their network structure securely with strict segregation strategies, but to "continuously update and test the resilience of their operational networks and sensitive assets as part of a robust incident response playbook," he adds.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

CISOs' cash compensation tops $400,000 now, but with the high pay comes struggles, rapidly changing responsibilities, and tight budgets.

Source: Natee Jindakum via Shutterstock

Cybersecurity professionals serving as chief information security officers (CISOs) continue to see respectable increases in pay, but not at the same rate as two years ago, and not in a way the keeps up with the changes to their responsibilities.

The average CISO now earns $403,000 in annual compensation — including salary, bonuses for reaching specific goals, and equity, such as stock options — representing a 6.4% increase over the past 12 months, according to IANS Research's "2024 CISO Compensation Report" published on Oct. 2. However, changes to the threat landscape frequently put business operations under attack, the responsibility for which falls on the shoulders of the CISO, especially following rules issued by the Securities and Exchange Commission (SEC) that requires CISOs to determine whether a breach is material within four days of discovery.

CISOs often do not have enough resources at heir disposal to do so, putting them in legal jeopardy, or, conversely, are successfully mitigating threats only to endure budget pressures because of that success, says Fred Kwong, vice president and CISO at DeVry University.

"There's this dichotomy between, Hey, Fred's doing a good job, keeping on top of the threats, mitigating the issues, \[yet\] at the same time \[he's\] asking for more resources, more money, even when they're seeing that the threat is not actualized," he explains. "We're kind of getting questioned, 'Well, do we really need another person? Do we need really need another technology or control, because it seems like you have these things handled.'"

Kwong manages a team of five other cybersecurity professionals, but continues to fight to hire a sixth — even though the organization is unlikely to approve another full-time employee.

Source: 2024 CISO Compensation Report, IANS and Artico

In 2021 and 2022, following increased remote work due to the pandemic, companies found themselves needing to secure their operations infrastructure, driving demand for CISOs — especially as cybercriminals started compromising firms and infecting their systems with ransomware. While CISOs made significant gains in compensation during the tail end of the pandemic — 44% either switched jobs or took a retention bonus in 2022 — the demand now shows signs of settling down, with only 11% doing the same in 2024, says Nick Kakolowski, senior research director at IANS Research.

"We are seeing generally a lack of movement, mostly because of macroeconomic conditions — businesses are just being conservative about hiring more," he says. "Businesses are kind of saying, We'll get by with what we have for a while. We'll hold off on hiring. We'll keep on our current path, and more CISOs are staying put, rather than taking the risk of taking on something new right now."

**CISO Mindsets: A State of Stress**

CISOs that move jobs — or are paid an incentive to stay in their current position — see the biggest increases in compensation, and CISOs for state governments are among the most likely to move. Nearly half of states hired a new CISOs in the past year, leading the average tenure of a CISO to drop from 30 months in 2022 to 23 months this year, according to the biennial Deloitte-NASCIO Cybersecurity Study.

Stress will only continue to build for CISOs in state government positions: Finding and retaining cybersecurity-skilled professionals is difficult, more sophisticated attacks — such as ransomware — have become common, and budgets continue to be tight and often hard-to-predict, says Srini Subramanian, principal with the risk and financial advisory group at consulting firm Deloitte.

Government cybersecurity professionals, which make between $125,000 to $225,000, typically do not include compensation in their Top 3 reasons for job satisfaction. Yet, increasing attacks and greater consequences for their networks, along with increased scrutiny for any outage or incident, puts them squarely in the in the eyes of the public and government officials, he says.

"The state-level systems are also dealing with ... a lot more challenges compared to a private sector systems," Subramanian says. "They have budget constraints, they have talent constraints, and now we are expanding the scope of the systems even more."

**Public Headaches, Private Stressors**

Daniel Schwalbe used to work as a security pro under the CISO at the University of Washington, a large public university, which meant that his role bridged both government and education sectors. He loved the work, and he certainly wasn't there for high pay, he says. Education CISOs are the lowest-paid of all the industries tracked by the IANS survey, with a median annual total compensation of $243,000 (the government sector was not listed).

Yet, the security work was neverending, he says.

"We had half a million devices on a network that we were supposed to protect, and I can tell you that on any given day, we pretty much figured there are 1,000 compromised devices on that network out of half a million," he says. "That's just the reality."

When he left, it wasn't about scoring a better salary, but about combatting the lack of a career path. The only position left for him to graduate to in the security career track at UW was CISO, but the current holder of that position did not intend to retire for at least three years. So, he accepted the job of deputy CISO with Farsight Security, and assumed the role of CISO at DomainTools when that company bought Farsight.

His responsibilities have changed somewhat. Compliance is more of an issue at a private firm, whereas the government and education sector have to deal with bureaucracy. Yet, making technology work better for security is a common factor, and he hopes that automation will reduce stress across the board.

"Investing a little bit upfront and tuning the alerts — so the stuff that actually comes out of your security tools is much more useful — can help," he says. "It costs money, and it's not a silver bullet, but in my opinion, it does help and can help with issues like threat analyst burnout."

**How AI Is Impacting Security**

The research firms' analyses also found that hot potato of AI risk is putting a lot of pressure on CISOs as individuals, escalating the stress. IANS Research's Kakolowski says that, typically, no one security pro in the business is really well positioned to own AI. The right person needs a blend of technical, governance, privacy, and data-science backgrounds to really help organizations fully manage the risk, he says.

Usually, CISOs do not check all those boxes, which could expose them to liability.

"CISOs are becoming the go-to person to inform AI risk decisions, and there's this pushback where CISOs say, 'Well, we can't own all of this risk, because this risk isn't owned by the business unit," he says. "'Using the tooling, we can help inform you about this risk, and we can help you understand this risk, but you have to ultimately be the ones making that decision and taking that ownership.'"

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

CISO Paychecks: Worth the Growing Security Headaches?

Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.

Source: QubixStudio via Shutterstock

Malicious browser extensions are bypassing Google's latest security and privacy standard for Chrome extensions, and they are finding their way into the Chrome Web Store — putting organizations and individuals at considerable risk.

That's according to researchers at Singapore-based SquareX, who recently demonstrated how bad actors could sneak harmful browser add-ons past the protections in Google's latest Manifest V3 update for Chrome extensions.

**Malicious Chrome Extensions Are a Continuing Problem**

In a presentation at DefCon 32, the researchers showed how such extensions could steal live video feeds from platforms like Google Meet and Zoom without requiring any special permissions. They then demonstrated how attackers could use extensions based on the Manifest V3 standard to redirect users to credential-stealing pages, add collaborators to private GitHub repos, and steal site cookies, browsing history, and other user data relatively easily.

Google introduced Manifest V3 in 2018 to address issues in the previous Manifest V2 standard, which more easily allowed bad actors to craft Chrome extensions with a range of malicious capabilities. A study by researchers at Stanford University concluded that there were a staggering 280 million installs of such malicious Chrome extensions between July 2020 and February 2023.

Related:Dark Reading Confidential: The CISO and the SEC

As Google explains it, Manifest V3 is part of a broader effort by the company to "improve the privacy, security, and performance of extensions." Improvements in Manifest V3 include a stricter content security policy, updated and more secure APIs, more granular permission control for users, and changes to how extensions can make cross-origin requests. Some of the updates, like one that changes how Chrome handles content-blocking extensions, have been controversial. Privacy advocates and makers of ad-blocking extensions have described the feature as drastically curtailing the ability for Chrome users to block ads and tracking mechanisms. But overall, the goal with Manifest V3 is improved security and privacy controls around Chrome extensions.

The ground reality is somewhat different, says Vivek Ramachandran, CEO and founder of SquareX. "\[Manifest V3's\] permission model remains too broad, allowing malicious actors to exploit minimal permissions to steal data," he says.

**Overly Broad Permissions for Manifest V3?**

A key example is host permissions that allow an extension to modify or read any Web content on visited pages. "SquareX demonstrated a Google Meet stream-stealing extension that only required host permission," Ramachandran says. "This type of permission is very common in the extension store. In fact, many extensions, like grammar checkers, rely on it."

Related:Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Ramachandran estimates there are already hundreds if not thousands of malicious browser extensions based on Manifest V3 that are already in the Chrome Web Store. He expects that number to increase dramatically as more extensions cut over to Manifest V3.

"Google needs to enforce stricter security controls in MV3," Ramachandran says. "They should collaborate with the Web and security community to develop a more robust permission model that is less broad. Additionally, Google should improve the vetting process for extensions and introduce tools to monitor real-time behavior."

Google did not immediately respond to a Dark Reading request for comment on SquareX's research. But the Internet giant previously has conceded that with more than 250,000 browser extensions in Chrome Web Store, there are chances some extensions could pose risks to users and sometimes request permissions that might violate a company's policies.  

"As with any software, extensions can also introduce risk," Google said in a blog post shortly after the Stanford researchers released their paper on risky extensions in the Chrome Web Store.

Related:Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

**Boosting Chrome Ecosystem Security**

In that blog post and in previous updates, like this one in April 2023, Google has highlighted its efforts to bolster security around Chrome extensions. These include browser extension management capabilities that security teams can use to view and set policies for all installed extensions in their environment, and the ability to review extensions before users can install them.

Chrome security features also include one that alerts admins when a user might install a new browser extension, to make tracking and management easier. And last year, Google introduced two risk assessment tools — CRXcavator and Spin.AI Risk Assessment — that give enterprise admins a way to assess and score extensions for risk.

Google also points to its Chrome extensions page (chrome://extensions/) as a resource that individuals can use to see if their installed extensions pose a security risk; a warning panel appears on the page if Google detects any installed extensions as being suspicious. That definition includes: browsers suspected of containing malware; browsers that violate Chrome Web Store polices; unpublished — and therefore no longer supported extensions; and extensions that are not explicit about their privacy and data-collection practices.

Google had set a deadline of this past June for browser extension makers to migrate to Manifest V3 and has noted that it would also begin disabling Manifest V2 extensions in its pre-stable versions of Chrome at that time. The company has given enterprise organizations until June 2025 to migrate Manifest V2 extensions to the new version. As of Oct. 4, 60.4% of all Chrome browser extension have migrated to Manifest V3.

Ramachandran says enterprises should audit installed extensions and limit their permissions. His advice is that organizations also enable better visibility and control over extensions in the environment. Think of browsers like Chrome as complex platforms, much like operating systems, he suggests.

"Extensions run as internal applications, but endpoint security tools only have visibility at the process level," Ramachandran says. "They cannot assess or control what browser extensions are doing internally."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malicious Chrome Extensions Skate Past Google's Updated Security

Creating a new office of cyber-regulation strategy is the government's best opportunity to improve security and to protect Americans in an increasingly dangerous world.

Jason Healey, Senior Research Scholar, Columbia University School of International and Public Affairs

October 7, 2024

5 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

Regulation is the most complex and politically sensitive cybersecurity measure ever undertaken by the US government.  

The most important step the White House can take is starting a cyber-regulation strategy and creating a new office within the Office of the National Cyber Director (ONCD) to drive smart regulation and harmonization. 

**Regulating Cybersecurity: Strategy Needed**

Government mandates, especially ones to regulate an area tied to speech, touch at the heart of the role of government in a free society. They are far more inherently political than most other cybersecurity initiatives, such as building the cyber workforce, a topic for which ONCD has already created a dedicated strategy. 

Cyber regulation is also exceedingly complex. To improve cybersecurity, the government might impose minimum baseline cybersecurity controls for critical infrastructures (for everything from rail to customer information held by banks), charge companies for fraud under the False Claims Act, use securities laws to criminally charge corporate security executives, impose labeling requirements for smart devices, or regulate cybersecurity for broadband Internet access. 

The US government is defaulting to doing all of these, plus many more, all at once. 

Some of these initiatives are more in line with the president's strategy and priorities than others; some are best done first, others later; some might be challenged in court, post-Chevron; and some will impose larger costs, for fewer gains, than others seeking the same end. 

All will create winners and losers. Unlike efforts to fix the cyber workforce, some might even affect the outcome of elections. 

ONCD must accordingly develop a new strategy (or at least a less-formal road map) for regulating cyberspace, laying out the major options and trade-offs, timelines, and measures of success. The final deciders must be the nation's political leadership in the National Security Council and National Economic Council. 

**New White House Office Also Needed**

To ensure the success of the cyber-workforce strategy, ONCD created a dedicated team, led by an assistant national cyber director. ONCD must create another such special office to focus on the far more politically sensitive and complex topic of regulation. 

ONCD's office would work to not just "create a coherent regulatory system and harmonize cybersecurity requirements," as recommended by the American Chamber of Commerce, or oversee a Harmonization Committee, per a recent Senate bill. It would draft the strategy, develop an implementation plan and track completion, develop frameworks to harmonize regulations, champion mutual recognition, and help oversee if regulations are working and at reasonable cost. 

This office would work with other departments and agencies — especially the Cybersecurity Forum for Independent and Executive Branch Regulators and the Cybersecurity and Infrastructure Security Agency, recently tasked to harmonize critical infrastructure regulations.  

And there are a lot regulations needing coordination. Just in the past few months, there is not only the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), but also: 

1\. Cybersecurity in the Marine Transportation System, "establishing minimum cybersecurity requirements for U.S. flagged vessels" (from the Coast Guard)  

2\. Data Breach Reporting Requirements for telecommunications providers (the Federal Communications Commission) 

3\. Cybersecurity Labeling for Internet of Things (IoT) (FCC) 

4\. Cybersecurity Maturity Model Certification for contractors (Department of Defense) 

5\. Significant Cybersecurity Incident Reporting Requirements for federally approved mortgage lenders (Department of Housing and Urban Development) 

6\. New requirements for US infrastructure-as-a-service (IaaS) providers (Department of Commerce) 

Meanwhile, the Environmental Protection Agency is "increasing inspections and enforcement" of community water systems and "the Centers for Medicare and Medicaid Services (CMS) will be drafting new rules" for hospitals. 

ONCD's harmonization efforts have been solid, led by Nick Leiserson, Brian Scott, and Elizabeth Irwin, among others. But this team is also working on a wide range of other policies and programs, such as including cyber in federal grants to states. Regulation, complex, and politically fraught, deserves a dedicated team and leadership. 

**But It's Close to an Election!**

The next presidential administration may be less eager to regulate than this one, but it will still need a regulatory plan of some sort to coordinate and harmonize between independent agencies and engage with states and the European Union.  

ONCD is staffed not just by political appointees and detailed civil servants — as is the National Security Council, the traditional heart of White House cyber policymaking — but also permanent staff. Starting the work on such a document now can help the smartest policies to survive between administrations and improve predictability for regulated companies. 

This is the White House's best opportunity for perhaps a generation to get this right, to improve security, to protect Americans in an increasingly dangerous world, and to decrease the cost and improve predictability for companies building our digitized economy. 

If the White House doesn't solve other important cyber issues, future administrations will have other chances. The critics fighting regulation will not be so forgiving. 

**About the Author**

Senior Research Scholar, Columbia University School of International and Public Affairs

Jason Healey is a senior research scholar at Columbia University’s School for International and Public Affairs, specializing in cyber-risk and conflict.  Jason was a founding member of both the Office of the National Cyber Director at the White House (2022) and the first cyber command in the world, the Joint Task Force for Computer Network Defense, in 1998. He created Goldman Sachs’ first capabilities for cyber-incident response and threat intelligence and later oversaw the bank’s crisis management and business continuity in Asia. He served as the vice chair of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and is a certified board director (NACD.DC) and information systems security professional (CISSP).

What the White House Should Do Next for Cyber Regulation

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

CISOs and their staff are under more pressure than ever to work their cybersecurity magic. Know the feeling? Send us a cybersecurity-related caption to explain the scene, above, and our favorite will win its creator a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the October 30, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to our friend Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia. Paul's caption for last month's "Bug Off" cartoon captured first place and appears below. A big thank you to all who participated.

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: And For My Next Trick ...

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

The collaboration with industry partners will improve collective AI defenses. Trusted contributors receive protected and anonymized data on real-world AI incidents.

Source: Myron Standret via Alamy Stock Photo

MITRE’s Center for Threat-Informed Defense announced the launch of the AI Incident Sharing initiative this week, a collaboration with more than 15 companies to increase community knowledge of threats and defenses for AI-enabled systems. 

The incident sharing initiative falls under the purview of the center’s Secure AI project, and aims to enable quick and secure collaboration on threats, attacks and accidents involving AI-enabled systems. It expands the reach of the MITRE ATLAS community knowledge base, which has been collecting and characterizing data on anonymized incidents for two years. Under this initiative, a community of collaborators will receive protected and anonymized data on real-world AI incidents. 

Incidents can be submitted via web (at https://ai-incidents.mitre.org/) by anyone. Submitting organizations will be considered for membership with the goal of enabling data-driven risk intelligence and analysis at scale. 

Secure AI also extended the ATLAS threat framework to incorporate information on the generative AI-enabled system threat landscape, adding several new generative AI-focused case studies and attack techniques, as well as new methods to mitigate attacks on these systems. In November 2023, in collaboration with Microsoft, MITRE released updates to the ATLAS knowledge base focused on generative AI. 

"Standardized and rapid information sharing about incidents will allow the entire community to improve the collective defense of such systems and mitigate external harms," said Douglas Robbins, vice president, MITRE Labs, in a statement.

MITRE operates a similar information-sharing public private partnership with the Aviation Safety Information Analysis and Sharing database for sharing data and safety information to identify and prevent hazards in aviation.

Collaborators on Secure AI span industries, with representatives from financial services, technology, and healthcare. The list includes AttackIQ, BlueRock, booz Allen Hamilton, CATO Networks, Citigroup, Cloud Security Alliance, CrowdStrike, FS-ISAC, Fujitsu, HCA Healthcare, HiddenLayer, Intel, JPMorgan Chase Bank, Microsoft, Standard Chartered, and Verizon Business.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

MITRE Launches AI Incident Sharing Initiative

CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.

Source: Aleksey Boldin via Alamy Stock Photo

Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.

The first — an issue with Apple's VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.

New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.

As Michael Covington, vice president of portfolio strategy for Jamf points out, "The good news is that neither of these highlighted issues involve remote exploits. They are, in fact, issues that will arise with use of the device, and it's user privacy that is ultimately at risk."

Still, he says that "for businesses that use mobile in any capacity for work, I recommend they pay close attention to both of the security issues and take appropriate action to update devices as soon as possible."

**Bug #1: Reading Passwords Aloud**

The first issue involves VoiceOver, the accessibility feature that provides visually impaired users with audible descriptions of the various elements on their screens — text, buttons, images, etc. VoiceOver also allows users to navigate their devices using voice commands and gestures.

Perhaps not everything on a device should be read aloud, though, like passwords. Last month, as part of iOS and iPadOS 18, Apple released a brand new app, "Passwords," allowing users to easily store and manage logins on their devices. CVE-2024-44204 is a logic issue that could have allowed VoiceOver to read out such a user's passwords. It affected essentially every model of iPhone and iPad released since 2018.

VoiceOver is off by default, meaning that only select iPhone users were potentially affected.

Covington notes, "This is not the first time we've seen accessibility features misused. Previous instances include screen reader technology being used by misbehaving apps to capture on-screen details and exfiltrate data from the device. Fortunately, most accessibility features go through extensive security and privacy testing, so these scenarios do not tend to arise often."

**Bug #2: Beginning Audio Messages Too Early**

If iPhone users are on the go, have a lot to say, or maybe just have tired thumbs, they might choose to record an audio message in iMessage, instead of a regular text. After they hit that plus sign on the left side of the message box and choose "Audio," the device will indicate that it has started recording with a red-highlighted sound wave in place of the message box, and a little orange dot in the pill-sized Dynamic Island at the top of the screen.

A security researcher recently discovered though that audio messages could have captured a few seconds of audio before users were made aware that their microphone was hot. The issue has been labeled CVE-2024-44207, and affects all models of the new iPhone 16.

Though it might seem — and, in most cases, would be — a relatively minor issue, Covington points out, "this disconnect between device function and the associated visual indicators is something that Jamf’s own threat research team has connected to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it can be misused is a big win for Apple."

Neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS) yet, nor are any further details public at this time.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

iPhone 'VoiceOver' Feature Could Read Passwords Aloud

A growing number of organizations are taking longer to get back on their feet after an attack, and they're paying high price tags to do so — up to $2M or more.

Source: Panther Media GmbH via Alamy Stock Photo

Organizations are seeing staggering increases in cyberattacks that stem from insider threats, with price tags for remediation reaching eyewatering heights of up to $2 million per incident.

According to research from Gurucul — which surveyed more than 400 IT and cybersecurity professionals — organizations are seeing a rising tide when it comes to insider threats. In 2023, 60% of organizations reported insider attacks, but in 2024 this number jumped to 83%. And in a dramatic shift, the number of organizations experiencing six to 10 attacks in the year doubled from 13% to 25%. Overall, almost half of organizations in the Gurucul study said that the occurrence of inside attacks has become more frequent over the past 12 months.

"Cybersecurity professionals define insider threats as risks originating from individuals within an organization who have authorized access to systems and data but misuse that access, either maliciously or unintentionally," Jason Soroko, senior fellow at Sectigo, wrote in an emailed statement to Dark Reading. "This definition encompasses employees, contractors, or partners who, due to complex IT environments, hybrid work models, or the adoption of advanced tools like GenAI, might exploit vulnerabilities."

This could mean a situation in which an employee steals sensitive data, accidentally leaking data after falling for a phishing scam, or ignoring security updates and protocols, ultimately leading to a security breach, he added.

Related:Dark Reading News Desk Live From Black Hat USA 2024

The Gurucul researchers found that the biggest driver of insider attacks are the growing IT complexities that organizations are faced with, which create visibility gaps that are hard to close. Technology is becoming more complex, and more employees are accessing system networks, extending the attack surface and making it more difficult to cybersecurity staff to safeguard. Not just this, but the adoption of new technologies like Internet of Things (IoT), artificial intelligence (AI), cloud services, and software-as-a-service (SaaS) applications play a role as well in the rapid growth rate that is difficult for organizations to keep pace with. 

With the implementation of new technology, these added "layers of complexity" create challenges for existing staff to combat threats, causing IT staff to become overworked and burned out. Nearly 30% of respondents noted that there is insufficient staff to implement and maintain tools and, if there are enough employees to go around, many lack the training and expertise to effectively manage the tools to safeguard networks. The researchers recommended that organizations that struggle with this cut their losses and transition to more intuitive tools that "reduce alert triage and false positives by providing a complete case of evidence with context and advanced behavior analytics."

Related:MITRE Launches AI Incident Sharing Initiative

Gurucul also pointed out that gaps in insider risk management are also to blame. "Weak enforcement policies, including a lack of consequences for employees and insufficient monitoring, were identified by 31% as contributing factors," according to the report. A fifth (20%) of respondents also cited executive management and policy issues as being one of the major obstacles to combating insider threats and implementing effective management tools and strategies.

Ultimately, it's a story that many in the cybersecurity industry have heard before: Executives need to give cyber threats the attention they deserve and support policy frameworks to help combat it; enforcing this mentality on a companywide level is also essential to strengthen mitigation.

**From Insider Attacks to Financial Spiral**

Insider attacks don't just compromise an organization's safety and information — they come with a high price tag, too. 

According to the study, after dealing with an attack of this kind, the cost of remediation for many organizations (32%) ranges from $100,000 to $499,000. And for others, it’s even more costly: 27% of organizations estimate the cost of remediation to range between $500,000 to $1 million, while 21% say that the costs range from $1 million to $2 million.

Related:Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

And that's just the financial impact for each individual insider attack an enterprise faces. With many experiencing roughly six to 10 attacks a year, these numbers multiply to a price that is likely just too costly to cough up. 

Those high price tags usually add up due to a variety of activities, such as system restoration, data recovery, legal fees, regulatory fines, and reputational damage control. 

And even if organizations can put money into remediation, their recovery is still slow. Roughly 45% of organizations take a week or longer to get back on their feet after an insider attack. The lengthy recovery time is usually due to the technical challenges that cybersecurity teams face when trying to restore intricate systems, a lack of unified visibility, and siloed security tools. Limited resources, regulatory compliances, and ongoing investigations also play a role in dragging out remediation efforts, keeping companies down while they’re most vulnerable. 

"It's essential for organizations to leverage advanced incident-response solutions that go beyond basic automation," according to the Gurucul researchers. "These solutions integrate dynamic risk-based prioritization, machine learning, and comprehensive contextual analysis to ensure that security teams can focus on the most critical threats, thereby reducing recovery times."

But in the end, prevention is better than reaction: That means educating existing employees (who complain of technical challenges, limited resources, compliance and privacy concerns, among other issues as leading to inadvertent mistakes), while also bringing in new cybersecurity talent so that security teams can effectively do their jobs and safeguard and mitigate against threats.

"Investing in ongoing training and development for cybersecurity teams to build the necessary expertise is crucial to address this challenge," the researchers wrote. "Managed security services can supplement internal capabilities, ensuring that tools are effectively implemented and maintained without overburdening existing staff."

Source

DARKReading