Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records…

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records on Breach Forums. Data includes full names, email addresses, and activity details, posing risks for phishing and targeted scams.

In a new data breach disclosed today, the hacker known as Intel Broker claims to have stolen the personal data of 290,762 individuals from MIT’s _Technology Review_ website via a third-party contractor. The data, which could be the website’s newsletter subscribers list, was posted on Breach Forums, a popular cybercrime platform, earlier today.

Intel Broker, notorious for **recent attacks on high-profile organizations**, alleges that the data includes Personally Identifiable Information. Hackread.com analyzed the leaked data and can confirm it includes personal details, which, while not as sensitive as financial data, could be leveraged in phishing attempts or targeted scams. Here is what the hacker has leaked:

*   **Full names**
*   **Dates of activity**
*   **Educational details**
*   **Email addresses (3,924 – After removal of duplicates: 1,343)**

Screenshot from the leaked data (Credit: Hackread.com)

Though the leak does not appear to contain highly sensitive information like passwords, social security numbers or financial data, the compromised data is still a privacy risk, as it could be exploited for phishing scams or identity verification attacks.

It is worth noting that this is not the first time Intel Broker has targeted a technology publication. In June 2024, an affiliate of Intel Broker **breached the “Tech in Asia” news outlet**, leaking the personal data of 221,470 users.

MIT Technology Review, an esteemed publication from the Massachusetts Institute of Technology, is known for its analysis of emerging technologies and their impact on society. This data breach potentially exposes readers and contributors who engaged with the platform, a situation that may lead to reputational challenges for the publication, as well as privacy concerns for its user base.

**Recent Activity of Intel Broker**

The alleged breach of Technology Review comes on the heels of another claim by Intel Broker, who recently advertised the sale of **sensitive internal data from Nokia** on the same forum, allegedly obtained through a similar contractor vulnerability. In the Nokia case, the hacker reportedly set a price of $20,000 for access to the stolen data, which included SSH keys, source code, and login credentials.

**Privacy Implications and MIT’s Response**

With names, email addresses, and activity data accessible, cybercriminals may use this information to craft sophisticated schemes aimed at those connected with the platform. Hackread.com has reached out to MIT’s Technology Review for a response regarding the data breach. Updates will be provided as more information becomes available. Stay tuned.

1.  **US Microchip Giant Cyberattack Disrupts Operations**
2.  **Hacker IntelBroker Leaks Sensitive US DoD Documents**
3.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
4.  **AMD Data Breach: IntelBroker Steals Employee and Product Info**
5.  **Europol Hacked: IntelBroker Claims Major Law Enforcement Breach**

Hackers Leak 300,000 MIT Technology Review Magazine User Records

Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal…

Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal credentials. The data is being sold for $20,000 on BreachForums, though no customer data was affected. Nokia has not yet commented on the claim.

A notorious hacker known as Intel Broker has announced a data breach involving the telecommunications giant Nokia. Posting on the infamous cybercrime forum BreachForums, Intel Broker claims to have gained unauthorized access to sensitive Nokia information through a third-party contractor linked to Nokia’s internal tool development.

The hacker claims that no customer information was accessed, but they have obtained **critical internal data** from Nokia’s systems, which they’re now selling for $20,000.

**Details of the Breach**

According to Intel Broker’s post, the stolen data includes SSH keys, source code, RSA keys, Bitbucket logins, SMTP accounts, webhooks, and hardcoded credentials. All of these items could potentially enable further unauthorized access to internal systems or facilitate other types of cyber attacks. In an attempt to validate the breach, Intel Broker also shared a file tree, showcasing various files and folders apparently related to Nokia’s internal operations.

In an exclusive conversation with Hackread.com, Interl Broker said that the stolen data collection is up for sale for $20,000, and he is reaching out to prospective buyers on BreachForums. According to the post, only those with high-ranking status and sufficient reputation on the forum are being encouraged to inquire.

Intel Broker on Breach Forums (Screenshot: Hackread.com)

The hacker claims to have pulled this data from a contractor working closely with Nokia, rather than Nokia’s own systems directly. This method of breaching systems through third-party vendors has become **increasingly common**, as vendors are often granted extensive access to the companies they serve. Cybersecurity experts have long warned about this weak point, advising companies to ensure that security standards extend to their contractors and partners.

**Potential Impact**

While Intel Broker emphasizes that customer data is not included in the breach, the exposure of alleged Nokia’s internal data could still have widespread implications. With access to development environments, source code, and credentials, hackers could potentially tamper with Nokia’s tools or services, or exploit the vulnerabilities in these resources to compromise other systems.

Screenshot from the sample data that Hackread.com analysed

****Nokia’s Response****

At the time of reporting, there has been no official statement from Nokia on this alleged breach. However, Hackread.com has reached out to the company awaiting a response. Stay tuned.

****About Intel Broker****

Intel Broker who is also the owner of Breach Forums is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

1.  **Hacker Leaks Thousands of Nokia Employee Details**
2.  **Nokia Taiwan Hacked, 100,000+ accounts leaked online**
3.  **Cisco Network Breach as Employee’s Google Account was Hacked  
    **

Hackers Claim Access to Nokia Internal Data, Selling for $20,000

A list of topics we covered in the week of October 28 to November 3 of 2024

November 1, 2024 - Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

October 31, 2024 - Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

October 30, 2024 - Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

October 29, 2024 - Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

October 28, 2024 - There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to stay away from them.

 A week in security (October 28 &#8211; November 3) 

The sophisticated Chinese cyberattacks of today rest on important groundwork laid during the pandemic and before.

Source: Cinematic via Alamy Stock Photo

Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices.

Networking devices are a known favorite of China's advanced persistent threats (APT), and why wouldn't they be? Sitting on the outer banks of an enterprise network, they not only allow threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data, and network defenders have a harder time seeing into and securing them than they do other kinds of network computers. 

Over time, Chinese APTs have been improving on their edge attack capabilities. Since 2018, Sophos has traced a distinct evolution in tactics: from naive, low-level attacks came more sophisticated campaigns against massive numbers of devices, followed by a period of more targeted attacks against specific organizations.

**The First Salvo in a Long Cyber War**

On Dec. 4, 2018, Sophos analysts discovered a suspicious device running network scans against Cyberoam, a Sophos subsidiary based in India. In some ways the attack was run of the mill, using commodity malware and common living-off-the-land (LotL) tactics.

Other evidence, though, suggested that this was something different. For example, the attacker utilized a novel technique to pivot from on-premises devices to the cloud, via an overly permissive identity and access management (IAM) configuration to the Amazon Web Services Systems Manager (AWS SM).

Related:Dark Reading News Desk Live From Black Hat USA 2024

"AWS SM was quite a new technology, and it was quite a subtle misconfiguration," Sophos chief information security officer (CISO) Ross McKerchar recalls. "That was one of the first indicators that we were up against an interesting adversary." 

Later, the attackers deployed a novel rootkit called Cloud Snooper. Cloud Snooper was so stealthy that two third-party consultancies missed it in their analysis, before Sophos eventually picked up on its presence.

The goal of the attack, it seemed, was to collect information useful for future attacks against edge devices. It was a harbinger of what was to come.

**A Five-Year Evolution in Chinese TTPs**

Chinese cyber threats blossomed from roughly 2020 to 2022, as attackers focused on identifying and breaching edge devices en masse.

It worked thanks to the large quantity of devices in the wild that have Internet-facing portals. Typically, these interfaces are designed for internal use. With COVID-19, though, more and more companies were allowing employees to connect from the open Web. This provided a window for hackers with the right kind of credentials or vulnerabilities to get in.

Related:The Overlooked Importance of Identifying Riskiest Users

It helped, too, that around that same time — July 2021 — China's Cyberspace Administration passed the Regulations on the Management of Network Product Security Vulnerability Information rules. These mandates forced cybersecurity researchers to report vulnerabilities to the country's Ministry of Industry and Information Technology (MIIT) before disclosing to any other parties. "It was designed to co-opt the whole country — private citizens included — into being assets for PRC objectives," McKerchar says. Sophos argues with medium confidence that two notable campaigns during this period were facilitated by vulnerabilities responsibly disclosed by researchers at universities in the Chinese city of Chengdu.

Chinese APTs weren't only interested in using compromised devices to attack the companies from whence they came. With varying degrees of success, they would often try to incorporate the devices into broader operational relay box networks (ORBs). These ORBs, in turn, offered higher-level threat actors more sophisticated infrastructure from which to launch more advanced attacks and hide any trace of their origin.

Related:FBI, Partners Disrupt RedLine, Meta Stealer Operations

**What's Happening Now**

After this noisy period, around the middle of 2022, Chinese APTs shifted yet again. Ever since, they've been focused on much more deliberate and targeted attacks against organizations of high value: government agencies, military contractors, research and development firms, critical infrastructure providers, and the like.

These attacks follow no single pattern, involving known and zero-day vulnerabilities, userl and and UEFI bootkits, and whatever other elements pair with active, hands-on-keyboard-type attacks. They almost certainly wouldn't be as sophisticated as they are, though, without all of the years of trial and error that occurred before. Evidence to that is just how effective these threat actors are at overcoming cybersecurity defenses. In recent years, they've demonstrated an ability to sabotage hotfixes for vulnerable devices, and block evidence of their activity from reaching Sophos analysts.

"There's a clear arc of moving to stealthier and stealthier persistence in the activity that we've uncovered," McKerchar says.

He explains how "the first malware, whilst it was bespoke for our devices, it wasn't really trying to hide. They were just banking on nobody looking. In the second wave of attacks they learned a bunch of lessons, remarkably quickly. The malware wasn't explicitly trying to hide, it was just smaller, and naturally able to blend in a bit more. Then after that, they started kind of pulling out more interesting tactics: Trojan class files, memory-resident malware, rootkits, bootkits."

He concludes, "It'd be hard to speculate on what's next, except \[that\] they're going to be improving again."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APTs Cash In on Years of Edge Device Attacks

Apple Security Advisory 10-29-2024-1 - Safari 18.1 addresses an information leakage vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-29-2024-1 Safari 18.1

Safari 18.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121571.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Safari Downloads  
Available for: macOS Ventura and macOS Sonoma  
Impact: An attacker may be able to misuse a trust relationship to  
download malicious content  
Description: This issue was addressed through improved state management.  
CVE-2024-44259: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

Safari Private Browsing  
Available for: macOS Ventura and macOS Sonoma  
Impact: Private browsing may leak some browsing history  
Description: An information leakage was addressed with additional  
validation.  
CVE-2024-44229: Lucas Di Tomase

WebKit  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 278765  
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

WebKit  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A memory corruption issue was addressed with improved input  
validation.  
WebKit Bugzilla: 279780  
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer  
(@p1umer)

Additional recognition

Safari Private Browsing  
We would like to acknowledge an anonymous researcher, r00tdaddy for  
their assistance.

Safari Tabs  
We would like to acknowledge Jaydev Ahire for their assistance.

Safari 18.1 may be obtained from the Mac App Store.

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmchbpEACgkQX+5d1TXa  
Ivr5gBAAk50bIQ2NvoHDWo1ss9TLbGh9aa2RAHRPS0HqbBmnolc5tcrB1wKorkaf  
FF6lACO/OOti2KjAX44zfLl+9zHMsEFzDkmrY8VosFkYAaLUOly/xYaCUcQcuhLC  
VZy4Moviip3ImFDvR/EjO8vI/7GAjt3XafvRf1k5+w5xzmCuM8mhzLSfs1s4/lxd  
EThQBB7oA18grjnxJqAh9tBwquUkfmGuY9twsNH5qccv+wgw9gYvCIr0jbtCn2vz  
K5FHY/RDmMOfoLZ3am0JqrWd/7uO3bWHYQzS5H501x2tsLJw6Hwy9u+P2NxvRzXd  
pu6WJ22Adei85x5o34W+K42iannlzpgMnMeT81khVzVTY1HKPBikZ1wS13kZ9UyY  
j9dnW0NReyKhDYzFPiTehgC2mErmFWzLtRzxzs/Af7iVadAXw+6evBtP5FIzEqFX  
FfbhS+0icaU3FGklxcD+5++T+OKvo5hDAVjp7lGbBv5C2WvlpuNfmdIXkqYbzpdv  
mIujHNTWNYArlIkXr7vUVOHdB//BtfbIGZdjddYpZbx7q6KxX+z8q+NQ/8ESEUXZ  
KIF0cOAI1P2nVdALfpMaqKVFJa+BfwhWklscDDgPOpVQy0I5cIFJj7MVves534js  
sR+tn4B5jKfe6tmLy1xkgqpTYcdPe/TzW0tc6IRidvYVk3zhpMA=  
=9Fs5  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-29-2024-1

Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.
Netcraft said more than 2,000 phishing websites have been identified the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services

Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.

Netcraft said more than 2,000 phishing websites have been identified the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services, and banking services.

"Threat actors using the kit to deploy phishing websites often rely on Cloudflare's anti-bot and hosting obfuscation capabilities to prevent detection," Netcraft said in a report published Thursday.

Some aspects of the phishing kit were documented by security researchers Will Thomas (@ BushidoToken) and Fox\_threatintel (@banthisguy9349) last month.

Phishing kits like Xiū gǒu pose a risk because they could lower the barrier of entry for less skilled hackers, potentially leading to an increase in malicious campaigns that could lead to theft of sensitive information.

Xiū gǒu, which is developed by a Chinese-speaking threat actor, provides users with an admin panel and is developed using technologies like Golang and Vue.js. The kit is also designed to exfiltrate credentials and other information from the fake phishing pages hosted on the ".top" top-level domain via Telegram.

The phishing attacks are propagated via Rich Communications Services (RCS) messages rather than SMS, warning recipients of purported parking penalties and failed package deliveries. The messages also instruct them to click on a link that's shortened using a URL shortener service to pay the fine or update the delivery address.

"The scams typically manipulate victims into providing their personal details and making payments, for example, to release a parcel or fulfill a fine," Netcraft said.

RCS, which is primarily available via Apple Messages (starting with iOS 18) and Google Messages for Android, offers users an upgraded messaging experience with support for file-sharing, typing indicators, and optional support for end-to-end encryption (E2EE).

In a blog post late last month, the tech giant detailed the new protections it's taking to combat phishing scams, including rolling out enhanced scam detection using on-device machine learning models to specifically filter out fraudulent messages related to package delivery and job opportunities.

Google also said it's piloting security warnings when users in India, Thailand, Malaysia, and Singapore receive text messages from unknown senders with potentially dangerous links. The new protections, which are expected to be expanded globally later this year, also block messages with links from suspicious senders.

Lastly, the search major is adding the option to "automatically hide messages from international senders who are not existing contacts" by moving them to the "Spam & blocked" folder. The feature was first enabled as a pilot in Singapore.

The disclosure comes as Cisco Talos revealed that Facebook business and advertising account users in Taiwan are being targeted by an unknown threat actor as part of a phishing campaign designed to deliver stealer malware such as Lumma or Rhadamanthys.

The lure messages come embedded with a link that, when clicked, takes the victim to a Dropbox or Google Appspot domain, triggering the download of a RAR archive packing a fake PDF executable, which serves as a conduit to drop the stealer malware.

"The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware," Talos researcher Joey Chen said, adding the activity has been ongoing since July 2024.

"The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance."

Phishing campaigns have also been observed impersonating OpenAI targeting businesses worldwide, instructing them to immediately update their payment information by clicking on an obfuscated hyperlink.

"This attack was sent from a single domain to over 1,000 recipients," Barracuda said in a report. "The email did, however, use different hyperlinks within the email body, possibly to evade detection. The email passed DKIM and SPF checks, which means that the email was sent from a server authorized to send emails on behalf of the domain. However, the domain itself is suspicious."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Phishing Kit Xiū gǒu Targets Users Across Five Countries With 2,000 Fake Sites

Chinese APTs lurked in Canadian government networks for five years — and that's just one among a whole host of threats from Chinese bad actors.

Source: tunasalmon via Alamy Stock Photo

Chinese state-backed actors have become Canada's most pressing cyber threat, with the People's Republic of China (PRC) collecting data from Canada's government networks for the past five years.

The Canadian Centre for Cyber Security's National Cyber Threat Assessment calls Beijing's cyber operations "second to none," and noted that at least 20 Canadian government agencies and departments have been breached by PRC state-backed actors. The cyberattackers are mainly attempting to gain information that could lead to strategic, economic, and diplomatic advantages — a play that has only grown in its intensity due to escalating tensions between the West and the PRC.

The center assured the public that the federal government networks that were compromised have since been resolved, but it warned that the threat actors who are responsible for the intrusions are now very familiar with these networks, and could be back to try again. It also stressed that the PRC's aggressive cyber campaigns represent some of the most sophisticated and active threats Canada is facing.

On a related note, the center's researchers also found that the cyber landscape around critical infrastructure in Canada is growing and becoming more complex and unpredictable, with a cast of a variety of threat actors from cybercriminals to hacktivists targeting the sector.

"We assess that our adversaries very likely consider civilian critical infrastructure to be a legitimate target for cyber sabotage in the event of a military conflict," reads their report.

Other key findings include adversaries using network attacks and online information campaigns to disrupt and shape public opinion, and the center flagged ransomware as the top cybercrime threat that Canada's critical infrastructure must grapple with.

**About the Author**

Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.
"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ

Spyware / Mobile Security

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.

"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," ThreatFabric said in an analysis published this week.

LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device.

Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG," but is actually a Mach-O binary responsible for retrieving next-stage payloads from a remote server by abusing a memory corruption flaw tracked as CVE-2020-3837.

This includes a component dubbed FrameworkLoader that, in turn, downloads LightSpy's Core module and its assorted plugins, which have gone up significantly from 12 to 28 in the latest version (7.9.0).

"After the Core starts up, it will perform an Internet connectivity check using Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the \[command-and-control\] data and working directory," the Dutch security company said.

"Using the working directory path /var/containers/Bundle/AppleAppLit/, the Core will create subfolders for logs, database, and exfiltrated data."

The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as gather information from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

Some of the newly added plugins also boast destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts, and browser history, and even freeze the device and prevent it from starting again. Furthermore, LightSpy plugins can generate fake push notifications containing a specific URL.

The exact distribution vehicle for the spyware is unclear, although it's believed to be orchestrated via watering hole attacks. The campaigns have not been attributed to a known threat actor or group to date.

However, there is some evidence that the operators are likely based in China owing to the fact that the location plugin "recalculates location coordinates according to a system used exclusively in China." It's worth noting that Chinese map service providers follow a coordinate system called GCJ-02.

"The LightSpy iOS case highlights the importance of keeping systems up to date," ThreatFabric said. "The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Knee-jerk reactions to major vendor outages could do more harm than good.

Source: SOPA Images Limited

COMMENTARY

The now-infamous July CrowdStrike outage sparked global chaos and countless conversations about vendor security. Despite the industry noise and myriad headlines about the outage — and its potential cost of more than $5 billion to Fortune 500 companies alone — there is a bigger picture we must consider. And that is how, as an industry, we understand the risks involved and respond to major outages and other cybersecurity crises. 

While the CrowdStrike outage was a freak accident, it's likely not the last time we'll witness this kind of meltdown from a major technology provider. As our digital ecosystems become further interconnected and enterprises increasingly put their trust in singular vendors, business leaders will have to grapple with the inevitability of similar events, whether from a simple outage or a malicious hack. In every case along that spectrum, however, these leaders must avoid knee-jerk reactions that could ultimately do more harm than good. Blindly switching to a new vendor or making drastic changes to IT and security processes could introduce security holes that exacerbate vulnerabilities in an organization's overall security posture, rather than improving it.  

Instead of immediately jumping ship, here are the three things companies should do in the wake of a CrowdStrike-like event to ensure business continuity and high operational standards.  

**1\. Assess Vendors' Overall Reliability and Risk**

Switching vendors after an incident isn't as simple — or as beneficial — as it may seem. Before switching, businesses must evaluate both the existing and potential vendor, and assess each vendor's overall reliability and risk. For instance, Resilience customer data shows that despite the July incident, CrowdStrike Falcon is highly effective. It has the lowest percentage of material claims of endpoint detection and response (EDR) vendors in Resilience's portfolio, with fewer than 3% of clients with Falcon experiencing a cyber-insurance claim with losses. Of course, no company can — or should — claim the ability to avoid 100% of incidents, but in these kinds of deliberations, it's critical to put a vendor's long-term track record into perspective. On the flip side, however, if a vendor shows a consistent history of outages or vulnerabilities (as has VPN provider Ivanti, of late), poor performance or communication, and long delays in remediation, an incident could be the helpful forcing factor in considering the benefits of trying something new.  

It's also important to note the costs of switching vendors that go beyond sticker price, such as implementation time, staff training costs, and adjusting workflows to incorporate the new system and meet business needs. These third-party risk considerations must be considered, with leadership weighing the business interruption costs of an outage with the existing vendor against the total costs that come with making a switch.  

**2\. Avoid Radical Changes to the Update Process**

This particular outage raised the issue of update cadence and testing frequency, with many arguing that the affected organizations should have taken a more cautious, thorough approach to testing the update before rolling it out. But delaying updates is a calculated risk, and not necessarily one that most companies should be taking. Antivirus and EDR signatures are designed to counter quick-breaking, emerging threats toward existing systems, so while you can decide to wait to allow the days or weeks it may take to fully test the update, you may be leaving your systems vulnerable to new exploits in the process. Threat actors only grow faster and more sophisticated in their approaches, so quick security updates are more crucial than ever. The risk of taking additional precautions in testing may not be worth it for every company, especially since most updates happen seamlessly. After all, part of the reason CrowdStrike made headlines was because the outage was so out of the ordinary. 

In a perfect world, where bad actors weren't a consistent threat and update processes took no extra time, following the typical best practice of testing each and every update that comes from each and every vendor might be feasible. But in the real world, changes to the update process are likely to slow down your defenses. Ultimately, there is no one-size-fits-all answer, and the best approach will depend on the specific organization and its risk tolerance.  

**3\. Don't Panic**

It's tempting to liken incidents like CrowdStrike to natural disasters (such as catastrophic hurricanes), but that oversimplification distracts from the heart of the issue. While many insurers use this analogy to describe cyber events, it's neither accurate nor useful, as it becomes an apples-to-oranges comparison that frames cyber incidents or outages as one-sided and world-ending. But the reality is far different. There's no tangible way for individuals to prevent or mitigate the intensity of category hurricanes or tornadoes, but there are certainly simple, actionable steps we can take to mitigate the financial impact of an outage or counteract the negative effects of a potential attack. This includes implementing proper cyber hygiene, transferring financial risk through cyber insurance, and having a detailed cybersecurity action plan in the event of an attack or outage. It's not only feasible but essential that companies take these steps to remain operable and functioning in the midst of an incident.  

In short, decision-makers across the board can't allow themselves to make reactive or fear-based decisions on their security posture directly following a cyber incident. These knee-jerk reactions could lead to greater complications and introduce a host of new vulnerabilities just waiting to be exploited. Instead, leaders must focus on understanding the root cause of the incident, learning from it, and making risk-driven decisions that mitigate the greatest financial loss and improve their organization's overall cyber resilience. This includes taking a proactive approach and incorporating third-party risk management into business continuity planning. That way, you'll be able to avoid catastrophic interruptions to your day-to-day business and maintain continuity and resilience in the face of a cyber incident. 

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

The Case Against Abandoning CrowdStrike Post-Outage

On the heels of a Chinese APT eavesdropping on phone calls made by Trump and Harris campaign staffers, Beijing says foreign nations have mounted an extensive seafaring espionage effort.

Source: US Navy Photo via Alamy Stock Photo

Just days after Chinese state-sponsored hackers attacked the presidential campaigns of both Donald Trump and Kamala Harris, Beijing is leveling accusations at unnamed foreign entities, accusing them of using secret maritime buoys and seabed equipment to spy on its naval activities.

In a message on WeChat — China's biggest social media app — the country's Ministry of State Security (MSS) claimed it has discovered devices designed for "reconnaissance and monitoring of our country's waters" and "intelligence collection and technical theft activities."

It went on to allege that foreign "secret guards" are lurking as drifting "spies" and acting as "lighthouses" to guide outsider submarines.

"Faced with the severe and complex situation of covert struggle in the deep-sea security field and the real threat of foreign espionage intelligence agencies, the national security agencies will ... firmly defend our sovereignty," the MSS reportedly said. 

"It’s highly unlikely we will ever find out for definite if these claims are accurate, but when it comes to the culprits, suspicion will definitely land on the West," says Ryan McConechy, chief technology officer at Barrier Networks. "The key lesson here is that the online world has become the preferred playing field for all adversaries today. Nation-states and criminals can operate much stealthier, they can often get deeper into networks and secrets than physical access would allow, and it is much safer for the troops who can physically distance themselves from targets."

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

William Wright, CEO of Closed Door Security, noted that at-sea ships do make for juicy espionage targets.

"Few people fully understand the importance of the maritime industry today, but vessels are like floating computers, and they often contain highly sensitive information," he explains. "Whether the information relates to China's rapidly growing navy, or information on trading, it could prove to be very valuable to another nation-state and China is clearly concerned."

**Tit for Tat? News Follows Reported Chinese Campaign Hacks**

The claims from Beijing come on the heels of reports from the Washington Post and Reuters last weekend that an unnamed advanced persistent threat (APT) infiltrated the Verizon Communications telecom network and intercepted phone calls and texts made by campaign staffers for both Trump and Harris.

In addition, the eavesdroppers also reportedly targeted Trump's own phone calls, along with those of his running mate JD Vance — though how successful these latter attempts were is unknown.

Related:Facebook Businesses Targeted in Infostealer Phishing Campaign

Following the reports, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed they were investigating "unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China," and acknowledged they were seeing "specific malicious activity targeting the sector," though they did not name victims or mention the candidates.

Verizon told Reuters meanwhile that it was "aware of a sophisticated attempt to target US telecoms and gather intelligence."

**China-US Tensions: Time to Up Critical Infrastructure Cyber Defense**

The activity aligns with prior attacks from the now-infamous Chinese state-sponsored APT Volt Typhoon, which first came to light in March 2023 after compromising telecom networks in Guam. It has since consistently targeted critical infrastructure in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and across the Pacific.

Similarly, another Chinese APT known as Salt Typhoon attacked US ISPs last month. The focus on high-value communications service provider networks in the US likely indicates a similar dual set of goals, researchers said at the time — to steal information and set up a launchpad for disruptive attacks.

Related:Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

"While it's alarming, the recent campaign targeting is also pretty unsurprising," says Casey Ellis, founder and adviser at Bugcrowd. "Given the US election season, and the access that Salt Typhoon had, I'd be surprised if they didn't target the elected officials and candidates for the presidential election."

All industries should learn from these types of campaigns, says Barrier Networks' McConechy, who notes that the seafaring espionage might be in retaliation for Volt Typhoon's assaults.

"Whether it's spyware implanted into routers, snooping hot air balloons, or spying submersibles, nation-states are getting increasingly creative when it comes to eavesdropping on other countries, so critical industries must be prepared for these assaults," he stresses. "In the digital world, these types of cyber-physical espionage campaigns have become the norm. Most countries will deny they conduct them, but they will be, they just won't want to publicly announce it, or let their target know."

He adds, "All systems must be scanned regularly for malware, and the locations close to where critical infrastructure resides must be continuously monitored for intruders, whether human or robotic. Improving defenses both physically and digitally must be a priority.”

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Tag

#apple