Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

A ransomware gang claimed responsibility for the attack, though it is unknown if a ransom was demanded or paid.

The UN City building located in Copenhagen, DenmarkSource: BERK OZDEMIR via Alamy Stock Photo

The United Nations Development Programme (UNDP) became the victim of a cyberattack in late March, which also impacted the IT infrastructure of the city of Copenhagen, Denmark. 

The UNDP received word of a data-extortion actor stealing its data, some of it related to human resources and procurement. 

As the agency continues to assess the scope of the attack, the UNDP noted in a statement that "actions were immediately taken to identify a potential source and contain the affected server."

The UNDP determined which data was exposed and who is at risk because of the breach. It's also been in contact with those who have been impacted, as well as with stakeholders, such as UN system partners. 

Though the UNDP has not confirmed who the threat actor was, 8Base, a ransomware gang, updated its website in early April, listing UNDP as one of its victims, along with three other entities. The group commented that information such as personal data, certificates, "a huge amount of confidential information," and invoices, among other things, were uploaded to the servers.

UNDP made no subsequent comment and didn't address whether a ransom has been demanded or paid.

**About the Author(s)**

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent user into handing over their high-value credentials.

Source: II.studio via Shutterstock

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one "master" password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.

Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 

CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, "which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."

Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.

**A Brief History of CryptoChameleon**

At first, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

The picture changed in February, though, when they registered the domain fcc-okta\[.\]com, mimicking the Okta Single Sign On (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

It begins when a customer receives a call from an 888 number. A robo caller informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access, or "2" to block it. After pressing "2," they're told that they'll be receiving a call shortly from a customer service representative in order to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."

This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' \[I told them\] 'You spent 23 minutes on the phone with these guys. You probably did.'"

**The Damage**

LastPass shut down the suspicious domain used in the attack — help-lastpass\[.\]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at \[email protected\]."

**Is There Any Defense?**

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.

"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that  "just because there's an American on the other end of the line also does not mean that it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."

Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.

"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it'."

LastPass has asked Dark Reading to remind customers of the following:

*   Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign. 
    
*   If you do see this activity and are concerned you may have been compromised, contact the company at \[email protected\].
    
*   And finally, LastPass will never ask you for your password.
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

Airbnb's Allyn Stott recommends adding the Human Maturity Model (HMM) and the SABRE framework to complement MITRE ATT&CK to improve security metrics analysis.

Source: Dzmitry Skazau via Alamy Stock Photo

Sorting the false positives from the true positives: Ask any security operations center professional, and they'll tell you it's one of the most challenging aspects of developing a detection and response program.

As the volume of threats continues to rise, having an effective approach to measuring and analyzing this kind of performance data has become more critical to an organization's detection and response program. On Friday at the Black Hat Asia conference in Singapore, Allyn Stott, senior staff engineer at Airbnb, encouraged security professionals to reconsider how they use such metrics in their detection and response programs — a topic he broached last year's Black Hat Europe.

"At the end of that talk, a lot of the feedback I received was, 'This is great, but we really want to know how we can get better at metrics,'" Stott tells Dark Reading. "That's an area where I've seen a lot of struggles."

**The Importance of Metrics**

Metrics are critical in assessing the effectiveness of a detection and response program because they drive improvement, reduce the impact of threats, and validate investment by demonstrating how the program lowers risk to the business, Stott says.

"Metrics help us communicate what we do and why people should care," Stott says. "That's especially important in detection and response because it's very difficult to understand from a business perspective.”

The most critical area for delivering effective metrics is alert volume: "Every security operations center I've ever worked in or ever walked foot in, it's their primary metric," Stott says.

Knowing how many alerts are coming in is important but, by itself, is still not enough, he adds.

"The question is always, 'How many alerts are we seeing?'" Stott says. "And that doesn't tell you anything. I mean, it tells you how many alerts the organization receives. But it doesn't actually tell you if your detection and response program is catching more things."

Effectively leveraging metrics can be complex and labor-intensive, adding to the challenge of effectively measuring threat data, Stott says. He acknowledges that he has made his share of mistakes when it comes to engineering metrics to assess the effectiveness of security operations.

As an engineer, Stott routinely evaluates the effectiveness of the searches he conducts and the tools he uses, seeking to get accurate true- and false-positive rates for detected threats. The challenge for him and most security professionals is connecting that information to the business.

**Implementing Frameworks Properly Is Critical **

One of his biggest mistakes was his approach in focusing too much on the MITRE ATT&CK framework. While Stott says he believes it provides critical details on threat actors' different threat techniques and activities and organizations should use it, that doesn't mean they should apply it to everything.

"Every technique can have 10, 15, 20, or 100 different variations," he says. "And so having 100% coverage is kind of a crazy endeavor."

Besides MITRE ATT&CK, Stott recommends using the SANS Institute's Hunting Maturity Model (HMM), which helps describe an organization's existing threat-hunting capability and provides a blueprint for improving it.

"It gives you the ability to, as a metric, say where you're at as far as your maturity today and how the investments you're planning to make or the projects you're planning to do will increase your maturity," Stott says.

He also recommends using the Security Institute's SABRE framework, which provides risk management and security performance metrics validated with third-party certifications.

"Rather than test across all of the MITRE ATT&CK framework, you're actually working on a prioritized list of techniques, which includes using MITRE ATT&CK as a tool," he says. "That way, you're not just looking at your threat intel but also at security incidents and threats that would be critical risks for the organization."

Use of these guidelines for metrics requires buy-in from CISOs, since it means gaining organizational adherence to these different maturity models. Nevertheless, it tends to be driven by a bottom-up approach, where threat intelligence engineers are the early drivers.

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Rethinking How You Work With Detection and Response Metrics

### Summary
This is basically [GHSA-88j4-pcx8-q4q](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3) but instead of changing passwords, when enabling authentication.

### PoC
- Open Uptime Kuma with authentication disabled
- Enable authentication using another window
- Access the platform using the previously logged-in window
- Note that access (read-write) remains despite the enabled authentication
- Expected behaviour:
  - After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
- Actual behaviour:
  - The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.

### Impact
See [GHSA-g9v2-wqcj-j99g](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g) and [GHSA-88j4-pcx8-q4q](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3)

TBH this is quite a niche edge case, so I don't know if this even warrants a security report.  


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-23q2-5gf8-gjpp

**Enabling Authentication does not close all logged in socket connections immediately**

Low severity GitHub Reviewed Published Apr 19, 2024 in louislam/uptime-kuma • Updated Apr 19, 2024

**Package**

npm uptime-kuma (npm)

**Affected versions**

<= 1.23.11

**Description**

**Summary**

This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.

**PoC**

*   Open Uptime Kuma with authentication disabled
*   Enable authentication using another window
*   Access the platform using the previously logged-in window
*   Note that access (read-write) remains despite the enabled authentication
*   Expected behaviour:
    *   After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
*   Actual behaviour:
    *   The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.

**Impact**

See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q

TBH this is quite a niche edge case, so I don't know if this even warrants a security report.

**References**

*   GHSA-23q2-5gf8-gjpp
*   GHSA-88j4-pcx8-q4q3
*   GHSA-g9v2-wqcj-j99g
*   louislam/uptime-kuma@7a9e2f5

Published to the GitHub Advisory Database

Apr 19, 2024

Last updated

Apr 19, 2024

GHSA-23q2-5gf8-gjpp: Enabling Authentication does not close all logged in socket connections immediately 

By Waqas
Fear AI taking your IT or cybersecurity job? Don't! Learn how AI creates new opportunities in network management, threat detection & more.
This is a post from HackRead.com Read the original post: IT and Cybersecurity Jobs in the Age of Emerging AI Technologies

Artificial intelligence (AI) is rapidly transforming industries, and IT and cybersecurity are no exception. While some fear AI replacing human workers, the reality is far more subtle. AI will undoubtedly automate tasks, but it will also create entirely new job opportunities in both the IT and cybersecurity sectors.

According to the cybersecurity and IT certification exam practice platform Examice, the IT sector has become more lucrative than ever before due to the sudden emergence of AI applications. This growth has caused the need for skilled professionals capable of managing and securing AI-driven systems.

ISC2’s AI Cyber 2024 study also reveals a strong sense of optimism among respondents, with 82% expressing belief in AI’s potential to enhance job efficiency. Additionally, 56% anticipate AI streamlining certain job tasks, thereby allowing more time for tasks of higher value. However, there is a general concern among 75% of respondents regarding the potential misuse of AI for cyberattacks and other malicious purposes.

This article explores how AI will impact these fields and the skills that will be most in demand in the coming years.

****AI’s Impact on IT****

AI’s integration into IT optimises operational tasks and promotes innovation, allowing IT professionals to focus on more strategic initiatives. Here are three key impacts of AI on the IT sector:

*   **Automation of Mundane Tasks:** AI will take over repetitive tasks like server management, software configuration, and basic troubleshooting. This will free up IT professionals to focus on more strategic initiatives like cloud migration, data center optimization, and user experience design.
*   **Enhanced Network Management:** AI-powered tools will proactively monitor networks, identify potential issues, and even take corrective actions before problems arise. This will lead to increased network uptime and efficiency.
*   **The Rise of AI-powered Support:** Chatbots and virtual assistants powered by AI will handle routine user inquiries, freeing up IT staff to address more complex issues.

****New Opportunities in IT****

While adding innovation to the Information Technology sector AI is also creating new opportunities for professionals, job seekers and entrepreneurs. Here are three among countless opportunities that professionals are already taking advantage of, thanks to AI:

*   **AI Integration Specialists:** Businesses will need specialists to integrate AI solutions into existing IT infrastructure and ensure seamless operation.
*   **Data Scientists and Analysts:** The vast amount of data generated by AI systems will require skilled data scientists to analyze it and extract valuable insights.
*   **IT Security Specialists for AI:** As AI becomes more prevalent, securing these systems against cyberattacks will be crucial. This will create a demand for IT security professionals with expertise in AI vulnerabilities.

****AI and Cybersecurity****

Cybersecurity is already a lucrative sector. While hackers can earn big bucks, they also protect and serve their countries by protecting their critical infrastructure from devastating cyber attacks.

It is also a fact that as the cybersecurity sector grows the same can be said about cyber attacks and cyber criminals. Here are 6 key things AI can or is already helping organisations with:

*   **AI-powered Threat Detection:** AI can analyze network traffic patterns and identify malicious activity with greater accuracy and speed than traditional methods. This will be crucial in the fight against increasingly sophisticated cyberattacks.
*   **Vulnerability Detection:** AI can continuously scan systems for vulnerabilities and recommend patches before attackers can exploit them.
*   **AI-driven Phishing Detection:** AI can analyze emails and identify subtle language cues that might indicate a phishing attempt.

*   **Expertise in AI Security:** Understanding how AI systems work and the specific security challenges they pose will be essential.
*   **Human-AI Collaboration:** Security professionals will need to be adept at working alongside AI tools to leverage their combined strengths.
*   **Strong Analytical Skills:** The ability to analyze data and identify security threats will remain a critical skill.

****The Future is Bright****

The rise of AI will undoubtedly change the future of the IT and cybersecurity sectors. However, these changes will not lead to widespread job displacement. Instead, AI will create new opportunities for professionals who are willing to adapt and develop the skills needed to thrive in this evolving environment.

However, cybercriminals are also monitoring the rise of AI. Malicious versions of AI chatbots, such as WormGPT and FraudGPT, are prime examples. Therefore, authorities must take necessary measures to prevent the misuse of AI, while simultaneously fostering its beneficial applications in the IT and cybersecurity domains.

1.  The Most In-Demand Freelance Skills
2.  AI-Powered Scams Fuel Global Cybercrime Surge: INTERPOL
3.  Microsoft is Opening AI-Powered “Copilot for Security” to Public
4.  Mockingbird AI Tool Detects Deepfake Audio with 90% accuracy
5.  Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam

IT and Cybersecurity Jobs in the Age of Emerging AI Technologies

Securing the presidential election requires vigilance and hardened cybersecurity defenses.

Shawn Henry, Chief Security Officer, CrowdStrike

April 19, 2024

3 Min Read

Source: thinkx2 via Alamy Stock Photo

COMMENTARY

Foreign adversaries have attempted to disrupt the US elections for years through various methods. This includes espionage and "hack and leak" campaigns that steal sensitive data and later amplify it in public forums. Today, generative AI (GenAI) is altering the battlefield for attacks, and in the modern information ecosystem where misinformation and disinformation can spread rapidly, it has the potential to transform geopolitics.

Throughout my 24-year career with the FBI, I witnessed sophisticated adversaries attempt to sow confusion and cripple networks, as cyber-threat actors developed tools and tactics to disrupt businesses, governments, and more. The malicious use and proliferation of GenAI in 2024 presents one of the toughest challenges we'll face in an election year. 

**Adversaries Continue on Their Path to Disrupt and Dismantle**

Nation-state adversaries affiliated with and tied to the motivations of foreign governments have the resources to scale operations, and pose a constant threat to democracy. As we've seen previously, it's likely that threat actors from China, Russia, and Iran (charged for sending fake, intimidating emails to US voters in 2020) will seek to interfere with the 2024 US election.

Adversaries may seek to target actual election infrastructure itself, including the hardware and software used to tally and transmit votes, as well as political campaign assets. While some actors have leveraged information operations, generative AI is poised to increase the attractiveness of this malicious activity. With GenAI, it is easier than ever for threat actors to create content and influence narratives that support their underlying goals and objectives. This, in turn, can undermine public confidence and perceptions of political issues, parties, and candidates.

In fact, we're already starting to see the impacts. Threat actors from China recently weaponized deepfakes ahead of Taiwan's election, aiming to increase the voting public's confidence in candidates more diplomatic to China. Fabricated information campaigns stemming from state-nexus entities will not be novel in 2024; however, generative AI will make deciphering what is real or not infinitely more difficult. 

The rise of GenAI has also lowered the barrier of entry for virtually anyone to interfere with elections. Less sophisticated hackers or hacktivists with a specific geopolitical goal may be able to create high-quality disinformation campaigns with relative ease. We've already seen a local magician make global headlines this year by using AI to create fake robocalls, and it's only April.

**Countering These Growing Threats**

So, what can be done? When it comes to protecting the disparate election systems, it is critical to apply a risk-informed approach. At the heart of this is hardening environments to protect systems and stop breaches, 24/7 continuous monitoring of systems, and deep visibility into critical areas of risk, including endpoints, cloud, and identity. Employing both threat hunting and threat intelligence is equally as important, as these tools help to proactively protect against adversaries who may attempt to penetrate networks.

State and local elections administration entities have improved their security over the past several election cycles. So too have political parties and campaign entities. But additional attention and investment is warranted.

With respect to information operations, we must continue to raise awareness. Defending against this threat starts with vigilance from everyone. Citizens must be on alert and validate the origin of information they are consuming, consider the source's political stance and objective, and attempt to validate information through trusted sources prior to amplifying it. All Americans have a crucial role to play in critically analyzing the information they are getting and, more importantly, sharing 

Social media companies and GenAI companies should work to detect and prevent threat actors' use of their tools and platform. At a minimum this means cooperating with each other where appropriate and collaborating with cybersecurity companies and IT providers that have experience tracking these groups.

In 2024, voters in all 50 states and across 55 countries will participate in elections, providing numerous opportunities for adversaries with various motivations to disrupt and dismantle confidence in democracy. With proper awareness, preparation, and cybersecurity best practices in place, we can take a big step forward in defending democracy in the digital age. Failure to do so could be catastrophic.

**About the Author(s)**

Chief Security Officer, CrowdStrike

Shawn Henry serves as chief security officer and is one of the company's longest tenured executive leaders, having joined in 2012 after retiring from the FBI senior executive service. In Henry’s role, he oversees all security aspects of CrowdStrike, including the company's information security, business continuity and resiliency, and risk reduction programs, as well as the physical security of CrowdStrike's global facilities, personnel, executive protection, and corporate events. Prior to joining CrowdStrike, Shawn oversaw half of the FBI's investigative operations as Executive Assistant Director, including all FBI criminal and cyber investigations worldwide, international operations, and the FBI's critical incident response to major investigations and disasters.

AI Lowers Barrier for Cyber-Adversary Manipulation in 2024 Election

Malformed DOS paths in file-naming nomenclature in Windows could be used to conceal malicious content, files, and processes.

Source: Robert Adrian Hillman via Alamy Stock Vector

BLACK HAT ASIA – Singapore – A known issue associated with the DOS-to-NT path conversion process in Windows opens up significant risk for businesses by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.

That's according to Or Yair, security researcher at SafeBreach, who outlined the issue during a session here this week. He also detailed four different vulnerabilities related to the issue, which he dubbed "MagicDot" - including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.

**Dots & Spaces in DOS-to-NT Path Conversion**

The MagicDot group of problems exist thanks to the way that Windows changes DOS paths to NT paths.

When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that's a DOS path that follows the "C:\\Users\\User\\Documents\\example.txt" format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile asks for an NT path and not a DOS path. Thus, Windows converts the familiar DOS path visible to users into an NT path, prior to calling NtCreateFile to enable the operation.

The exploitable problem exists because, during the conversion process, Windows automatically removes any periods from the DOS path, along with any extra spaces at the end. Thus, DOS paths like these:

*   C:\\example\\example<space>    
    

are all converted to "\\??\\C:\\example\\example" as an NT path.

Yair discovered that this automatic stripping out of erroneous characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choice, which could then be used to either render files unusable or to conceal malicious content and activities.

**Simulating an Unprivileged Rootkit**

The MagicDot issues first and foremost create the opportunity for a number of post-exploitation techniques that help attackers on a machine maintain stealth.

For instance, it's possible to lock up malicious content and prevent users, even admins, from examining it. "By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them ... users would not be able to read, write, delete, or do anything else with them," Yair explained in the session.

Then, in a related attack, Yair found that the technique could be used to hide files or directories within archive files.

"I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it," Yair said. "As a result, I was able to place a malicious file inside an innocent zip — whoever used Explorer to view and extract the archive contents was unable to see that file existed inside."

A third attack method involves masking malicious content by impersonating legitimate file paths.

"If there was a harmless file called 'benign,' I was able to \[use DOS-to-NT path conversion\] to create a malicious file in the same directory \[also named\] benign," he explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. "As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead," leaving the victim none the wiser that they were actually opening malicious content.

Taken together, manipulating MagicDot paths can grant adversaries rootkit-like abilities without admin privileges, explained Yair, who published detailed technical notes on the attack methods in tandem with the session.

"I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more," he said — all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information.

"It's important that the cybersecurity community recognize this risk and consider developing unprivileged rootkit detection techniques and rules," he warned.

**A Series of "MagicDot" Vulnerabilities**

During his research into the MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of them since patched by Microsoft.

One remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows's new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that would write anywhere they choose on a remote computer once extracted, leading to code execution.

"Basically, let's say you upload an archive to your GitHub repository advertising it as a cool tool available for download," Yair tells Dark Reading. "And when the user downloads it, it's not an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now, the extraction itself is able to run code on your computer, and that is seriously wrong and very dangerous."

A second bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the restoration process of a previous version from a shadow copy.

The third bug is Process Explorer unprivileged DOS for anti-analysis bug, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to "unexpected behavior" but hasn't yet issued a CVE or a fix for it.

"I create a folder inside the demo folder called …<space> and inside, I write a file named c.txt," Yair explained. "Then when an administrator attempts to delete the …<space> folder, the entire demo folder is deleted instead."

**Potentially Wider "MagicDot" Ramifications**

While Microsoft addressed Yair's specific vulnerabilities, the DOS-to-NT path conversion auto-stripping of periods and spaces persists, even though that's the root cause of the vulnerabilities.

"That means there might be many more potential vulnerabilities and post-exploitation techniques to find using this issue," the researcher tells Dark Reading. "This issue is still exists and can lead to many more issues and vulnerabilities, which can be much more dangerous than the ones we know about."

He adds that the problem has ramifications beyond Microsoft.

"We believe the implications are relevant not only to Microsoft Windows, which is the world's most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software," he warned in his presentation.

Meanwhile, software developers can make their code safer against these types of vulnerabilities by utilizing NT paths rather than DOS paths, he noted.

"Most high-level API calls in Windows support NT paths," Yair said in his presentation. "Using NT paths avoids the conversion process and ensures the provided path is the same path that is being actually operated on."

For businesses, security teams should create detections that look for rogue periods and spaces within file paths.

"There are pretty easy detections that you can develop for these, to look for files or directories, that have trailing dots or spaces in them, because if you find those, on your computer, it means that someone did it on purpose because it's not that easy to do," Yair tells Dark Reading. "Normal users can't just create a file with ends with a dot or space, Microsoft will prevent that. Attackers will need to use a lower API that is closer to the kernel, and will need some expertise to accomplish this."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

'MagicDot' Windows Weakness Allows Unprivileged Rootkit Activity

The local phone and business communications company said that attackers accessed unspecified PII, after infiltrating its internal networks.

A blue whale breaching out of the oceanSource: Kerry Hargrove via Alamy Stock Photo

Texas-based Frontier Communications, which provides local residential and business telecom services in 25 states, has shut down its operations in the wake of a cyberattack that resulted in the theft of personally identifiable information (PII).

The breach occurred four days ago on April 14, when it detected a breach by an unauthorized third party who had gained access to "portions of its information technology environment," according to an incident filing with the US Securities & Exchange Commission (SEC).

As part of its containment efforts, Frontier took "certain of the company's systems \[offline, which\] resulted in an operational disruption that could be considered material." It reported that while its core IT environment is up and running, normal business operations have yet to resume; and as of this writing, the telco's website was still offline.

Frontier didn't disclose what PII the cyberattacker accessed or who's affected, nor the suspected nature of the adversary. Telecom companies are a popular target for both financially motivated attackers as well as advanced persistent threats (APT), given the rich data repositories they hold. For instance, the Sandman APT was behind a prolific string of attacks last fall bent on stealing call-data records, mobile subscriber identity data, and metadata from carrier networks.

"The company continues to investigate the incident, has engaged cybersecurity experts, and has notified law enforcement authorities," according to the SEC filing. "The company does not believe the incident is reasonably likely to materially impact the company's financial condition or results of operations."

**About the Author(s)**

Cyberattack Takes Frontier Communications Offline

It turns out that a powerful security solution can double as even more powerful malware, capable of granting comprehensive access over a targeted machine.

Source: Maurice Norbert via Alamy Stock Photo

A creative exploit of Palo Alto Networks' extended detection and response (XDR) software could have allowed attackers to puppet it like a malicious multitool.

In a briefing at Black Hat Asia this week, Shmuel Cohen, security researcher at SafeBreach, described how he not only reverse-engineered and cracked into the company's signature Cortex product but also weaponized it to deploy a reverse shell and ransomware.

All but one of the weaknesses associated with his exploit have since been mended by Palo Alto. Whether other, similar XDR solutions are vulnerable to a similar attack is as yet unclear.

**A Devil's Bargain in Cybersecurity**

There is an inescapable devil's bargain when it comes to using certain kinds of far-reaching security tools. In order for these platforms to do their jobs, they must be granted highly privileged carte blanche access over every nook and cranny in a system.

For instance, to perform real-time monitoring and threat detection across IT ecosystems, XDR demands the highest possible permissions, and access to very sensitive information. And, to boot, it can't be easily removed. It was this immense power wielded by these programs that inspired in Cohen a twisted idea.

"I thought to myself: Would it be possible to turn an EDR solution itself into malware?" Cohen tells Dark Reading. "I'd take all these things that the XDR has and use them against the user."

After picking a laboratory subject — Cortex — he began reverse-engineering its various components, trying to figure out how it defined what is and isn't malicious.

A lightbulb switched on when he discovered a series of plaintext files the program relied on more than most.

**How to Turn XDR Evil**

"But those rules are inside my computer," Cohen thought. "What would happen if I manually removed them?"

It turned out that Palo Alto had thought of this already. An anti-tampering mechanism prevented any user from touching those precious Lua files — except the mechanism had an Achilles' heel. It worked by protecting not each individual Lua file by name, but the folder that encapsulated them all. To reach the files he wanted, then, he wouldn't have to undo the anti-tampering mechanism, if he could just reorient the path used to reach them and bypass the mechanism altogether.

A simple shortcut probably wouldn't have sufficed, so he used a hard link: the computer's way of connecting a filename with the actual data stored on a hard drive. This allowed him to point his own new file to the same location on the drive as the Lua files.

"The program was not aware that this file was pointing to the same location in the hard disk as the original Lua file, and this allowed me to edit the original content file," he explains. "So I created a hard link to the files, edited and removed some rules. And I saw that as I removed them — and did another little thing that caused the app to load new rules—I could load a vulnerable driver. And from there, the whole computer was mine."

After taking complete control in his proof of concept attack, Cohen recalls, "What I did first was change the protection password on the XDR so it cannot be removed. I also blocked any communication to its servers."

Meanwhile, "Everything seems like it's working. I can hide the malicious activities from the user. Even for an action which would've been prevented, the XDR won't provide a notification. The endpoint user will see the green marks that indicate everything is OK, while underneath I'm running my malware."

The malware he decided to run was, first, a reverse shell, enabling full control over the targeted machine. Then he successfully deployed ransomware, right under the program's nose.

**The Fix Palo Alto Didn't Make**

Palo Alto Networks was receptive to Cohen's research, working closely with him to understand the exploit and develop fixes.

There was one vulnerability in his attack chain, however, that they chose to leave as is: the fact that Cortex's Lua files are stored entirely in plaintext, with no encryption whatsoever, despite their highly sensitive nature.

That seems alarming, but the reality is that encryption wouldn't be much of a deterrent for attackers, so after discussing the matter, he and the security company agreed that they didn't need to change that. As he notes, "The XDR eventually needs to understand what to do. So even if it's encrypted, at some point in its operation it will need to decrypt those files in order to read them. So attackers could just catch the content of the files then. It would be one more step for me in order to read those files, but I can still read them."

He also says that other XDR platforms are likely susceptible to the same kind of attack.

"Other XDRs will implement this differently, maybe," he says. "Maybe the files will be encrypted. But no matter what they will do, I can always bypass it."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#auth