Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig.
The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.
OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug,

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called **OilRig**.

The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.

OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS).

Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.

The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities to execute PowerShell commands and harvest files of interest.

"The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol, and a tailor-made email based C2 channel," Check Point said.

"The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim's networks."

Some of the actions that the threat actor took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that OilRig has employed when carrying out similar operations in the past.

This includes the use of email-based C2 channels, specifically leveraging previously compromised email mailboxes to issue commands and exfiltrate data. This modus operandi has been common to several backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.

The attack chain is kicked off via deceptive files masquerading as benign documents ("Avamer.pdf.exe" or "IraqiDoc.docx.rar") that, when launched, pave the way for the deployment of Veaty and Spearal. The infection pathway is likely said to have involved an element of social engineering.

The files initiate the execution of intermediate PowerShell or Pyinstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which include information about the C2 server.

"The Spearal malware is a .NET backdoor that utilizes DNS tunneling for \[C2\] communication," Check Point said. "The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme."

Spearal is designed to execute PowerShell commands, read file contents and send it in the form of Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.

Also written .NET, Veaty leverages emails for C2 communications with the end goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The commands allow it to upload/download files and run PowerShell scripts.

Check Point said its analysis of the threat actor infrastructure led to the discovery of a different XML configuration file that's likely associated with a third SSH tunneling backdoor.

It further identified an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft's Internet Information Services (IIS) servers and examines incoming web requests for "OnGlobalPreBeginRequest" events and executes commands when they occur.

"The execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads until the; sign," Check Point said. "The main parameter is F=0/1 which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0)."

The malicious IIS module, which represents an evolution of a malware classified as Group 2 by ESET in August 2021 and another APT34 IIS backdoor codenamed RGDoor, supports command execution and file read/write operations.

"This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region," the company said.

"The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack

The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users.
"The statutory inquiry concerns the question of whether Google has complied

Regulatory Compliance / Data Protection

The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users.

"The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35\[2\] of the General Data Protection Regulation (Data Protection Impact Assessment), prior to engaging in the processing of the personal data of E.U./E.E.A. data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2)," the DPC said.

PaLM 2 is Google's state-of-the-art language model with improved multilingual, reasoning, and coding capabilities. It was unveiled by the company in May 2023.

With Google's European headquarters based in Dublin, the DPC acts as the primary regulator responsible for making sure the company abides by the bloc's stringent data privacy rulebook.

The DPC said an inquiry is crucial to ensure that individuals' fundamental rights and freedoms are safeguarded, especially when processing of such data when developing AI systems can lead to a "high risk."

The development comes weeks after social media platform X permanently agreed not to train its AI chatbot, Grok, using the personal data it collected from European users without obtaining prior consent. Back in August, the DPC said X consented to suspend its "processing of the personal data contained in the public posts of X's E.U./E.E.A. users which it processed between 7 May 2024 and 1 August 2024."

Meta, which recently admitted to scraping every Australian adult Facebook user's public data to train its AI system, has paused its plans to use content posted by European users following a request from the DPC over privacy concerns. It has also suspended the use of generative AI (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy.

Last year, Italy's data privacy regulator also temporarily banned OpenAI's ChatGPT because of concerns that its practices are in violation of data protection laws in the region.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ireland's Watchdog Launches Inquiry into Google's AI Data Practices in Europe

Torrance, United States / California, 12th September 2024, CyberNewsWire

**Torrance, United States / California, September 11th, 2024, CyberNewsWire**

Criminal IP, a distinguished leader in Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, announced that it has successfully integrated its IP address-related risk detection data with IPLocation.io, one of the most visited IP analysis and lookup tools on the internet.

Through the integration, IPLocation.io, a prominent IP address geolocation tracker platform with a substantial user base, now offers more detailed insights on IP addresses from Criminal IP’s accurate and up-to-date threat intelligence database.

**Innovative Data Ecosystem Driven by Search Engine and AI Expertise**

This is a groundbreaking advancement because Criminal IP’s database, built on a search engine framework, is more than a collection of information; it’s a refined machine learning ecosystem honed through extensive scanning and detection of malicious IP addresses. The system continuously enhances its accuracy by transforming self-collected threat data, particularly behavioral patterns for IP address evasion, into actionable intelligence using AI and machine learning techniques.

**Tracking Down Threat History with Snort and Scanner Information**

Unlike traditional IP tracking methods, which only provide the geographic location of IP addresses, Criminal IP data in IPLocation.io now delivers information from ‘Snort’, a network intrusion detection system, and vulnerability scanners on open ports. This, along with newly provided inbound and outbound scores of IP addresses, enables the comprehensive identification of threat information related to IP addresses. Users can now compile the information themselves to assess the risk of an IP address, supported by a variety of fact-based evidence.

Threat data from Criminal IP accessible on IPLocation.io website

Among IP Location Lookup data sources, Criminal IP provides the most comprehensive data, offering 25 distinct data points for a single IP address.

**Evasion-Focused Dynamic Pattern Analysis Unveils Potential Attack Scenarios**

Users can also detect IP address obfuscation and protect their assets with new VPN, Proxy, and Tor data in IP Location. The aforementioned data helps identify discrepancies between actual and reported locations of an IP address, as well as traffic routed through multiple servers, thus revealing potential threats. The system goes beyond a mere review of past records; it offers predictive insights into future risks by analyzing behavioral patterns and potential attack scenarios. This underscores the CTI database’s distinctive capability to continuously learn and analyze attack patterns executed online.

**About AI SPERA**

AI SPERA equips cybersecurity professionals with advanced tools and insights to protect digital assets. Its flagship products include Criminal IP, renowned for its AI-based search engine, as well as attack surface management and fraud detection for enterprise solutions. The firm’s established presence in major marketplaces like AWS and Snowflake further underscores its credibility and the trust placed in its services by leading industry players. Recently, AI SPERA achieved Level 1 certification under PCI DSS v4.0, overseen by the six leading global card issuers, showcasing its commitment to top-tier data security.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP Teams Up with IPLocation.io to Deliver Unmatched IP Solutions to Global Audiences

Private Cloud Compute is an entirely new kind of infrastructure that, Apple’s Craig Federighi tells WIRED, allows your personal data to be “hermetically sealed inside of a privacy bubble.”

The generative AI boom has, in many ways, been a privacy bust thus far, as services slurp up web data to train their machine learning models and users’ personal information faces a new era of potential threats and exposures. With the release of Apple’s iOS 18 and macOS Sequoia this month, the company is joining the fray, debuting Apple Intelligence, which the company says will ultimately be a foundational service in its ecosystem. But Apple has a reputation to uphold for prioritizing privacy and security, so the company took a big swing. It has developed extensive custom infrastructure and transparency features, known as Private Cloud Compute (PCC), for the cloud services Apple Intelligence uses when the system can't fulfill a query locally on a user's device.

The beauty of on-device data processing, or “local” processing, is that it limits the paths an attacker can take to steal a user's data. The data never leaves the computer or phone, so that's what the attacker has to target. It doesn't mean an attack will never be successful, but the battleground is defined and constrained. Giving data to a company to process in the cloud isn't inherently a security issue—an unfathomable amount of data moves through global cloud infrastructure safely every day. But it expands that battlefield immensely and also creates more opportunities for mistakes that inadvertently expose data. The latter has particularly been an issue with generative AI given the unintended ways that a system tasked with generating content may access and share information.

With Private Cloud Compute, Apple has developed an array of innovative cloud security technologies. But the service is also significant for pushing the limits of what is an acceptable business proposition for a cloud service, seemingly prioritizing secure architecture over what would be most technically efficient or economical.

“We set out from the beginning with a goal of how can we extend the kinds of privacy guarantees that we’ve established with processing on-device with iPhone to the cloud—that was the mission statement," Craig Federighi, senior vice president of software engineering at Apple, tells WIRED. “It took breakthroughs on every level to pull this together, but what we’ve done is achieve our goal. I think this sets a new standard for processing in the cloud in the industry.”

To remove many of the potential attack points and pitfalls that cloud computing can introduce, Apple says its developers focused on the idea that “security and privacy guarantees are strongest when they are entirely technically enforceable” rather than implemented through policies.

In other words, you can have a plate of cupcakes on the counter and make a policy for yourself that you're not going to eat any of them. Or you could have a policy that you never make or buy cupcakes. But the Private Cloud Compute approach would be to move to a town with no bakeries, rip out your kitchen, and close your credit cards to prevent yourself from buying Easy Bake Ovens. That way there's no question about your cupcake access or the possibility of accidental cupcake hoarding.

**Starting Fresh**

Apple created purpose-built servers running Apple processors for PCC and developed a custom PCC server operating system that's a stripped down, hybrid version of iOS and macOS. The scheme incorporates hardware and software security features the company has developed for Macs and iPhones over the past two decades.

Unlike these consumer devices, though, PCC servers are as bare-bones as possible. For example, they don't include “persistent storage,” meaning that they don't have a hard drive that can keep processed data long-term. They do incorporate Apple's dedicated hardware encryption key manager known as the Secure Enclave and randomize each file system's encryption key at every boot up as well. This means that once a PCC server is rebooted, no data is retained and, as an additional precaution, the entire system volume is cryptographically unrecoverable. At that point, all the server can do is start fresh with a new encryption key.

PCC servers also use Apple's Secure Boot to validate the integrity of the operating system and use a code verification feature the company debuted with iOS 17, known as Trusted Execution Monitor. Instead of using Trusted Execution Monitor in the usual way for oversight, though, PCC runs it in a much stricter mode where once the server restarts and completes the boot sequence, the system locks down and can't load any new code whatsoever. Essentially, all the software the server needs to run gets pummeled with checks and validation and then goes into an envelope that's sealed before user requests and data can begin to process through.

More broadly, Apple says it completely replaced its normal server management tools for PCC. For example, most cloud platforms have policies and controls to prevent unauthorized access, but they also build “break in case of emergency”-type options so highly trusted system administrator accounts can take quick action in case of a bug or failure. In keeping with Apple's focus on technically enforceable guarantees versus policy guarantees, PCC doesn't allow privileged access and drastically limits remote management options.

In recent years, Apple took a major security step by offering its users end-to-end encryption for iCloud backups, in which the company simply holds data in its cloud infrastructure for its customers and doesn't have the technical capability to decrypt and read that data. With current technology, such a scheme is impossible to implement for generative AI because the system needs to process the inputs to give an output. For example, if you want Apple Intelligence to give you a summary of all the text messages and emails you've received in the past three hours, the system needs access to those messages. End-to-end encryption would make that access virtually impossible.

Apple says it is still committed to doing as much Apple Intelligence processing as possible on-device, and a brand new iPhone 16 with its A18 chip, for example, will be able to do more AI processing locally than an iPhone 15 with an A16 chip. Still, the reality seems to be that Apple will need to do a substantial amount of Apple Intelligence processing in the cloud—hence the investment in developing PCC. (In iOS 18.1, users can go to Settings > Privacy & Security > Apple Intelligence Report to view a log of which requests are processed on device versus in the cloud.)

“What was really unique about the problem of doing large language model inference in the cloud was that the data had to at some level be readable by the server so it could perform the inference. And yet, we needed to make sure that that processing was hermetically sealed inside of a privacy bubble with your phone," Federighi says. “So we had to do something new there. The technique of end-to-end encryption—where the server knows nothing—wasn’t possible here, so we had to come up with another solution to achieve a similar level of security.”

Still, Apple says that it offers “end-to-end encryption from the user’s device to the validated PCC nodes, ensuring the request cannot be accessed in transit by anything outside those highly protected PCC nodes.” The system is architected so Apple Intelligence data is cryptographically unavailable to standard data center services like load balancers and logging devices. Inside a PCC cluster, data is decrypted and processed, but Apple emphasizes that once a response is encrypted and sent on its journey to the user, no data is retained or logged and none of it is ever accessible to Apple or its individual employees.

**Open Book, Closed System**

Apple says the overarching vision for PCC is that an attacker should have to compromise the entire system—a difficult thing to do at all much less without being detected—in order to target a specific user's personal data. Even if an attacker could physically compromise an individual live PCC node, the system is devised with an anonymous relay feature so the queries and data on any one node can't be connected to individual users.

It all sounds pretty groovy, but the notoriously secretive company seems to be aware that professing to do all of these things and claiming to offer technical guarantees is ultimately only compelling with proof and transparency. So PCC includes an external auditing mechanism that serves a crucial dual purpose.

Apple is making every production PCC server build publicly available for inspection so people unaffiliated with Apple can verify that PCC is doing (and not doing) what the company claims, and that everything is implemented correctly. All of the PCC server images are recorded in a cryptographic attestation log, essentially an indelible record of signed claims, and each entry includes a URL for where to download that individual build. PCC is designed so Apple can't put a server into production without logging it. And in addition to offering transparency, the system works as a crucial enforcement mechanism to prevent bad actors from setting up rogue PCC nodes and diverting traffic. If a server build hasn't been logged, iPhones will not send Apple Intelligence queries or data to it.

PCC is part of Apple's bug bounty program, and vulnerabilities or misconfigurations researchers find could be eligible for cash rewards. Apple says, though, that since the iOS 18.1 beta became available in late July, no on has found any flaws in PCC so far. The company recognizes that it has only made the tools to evaluate PCC available to a select group of researchers so far.

Multiple security researchers and cryptographers tell WIRED that Private Cloud Compute looks promising, but they haven't spent significant time digging into it yet.

“Building Apple silicon servers in the data center when we didn’t have any before, building a custom OS to run in the data center was huge,” Federighi says. He adds that “creating the trust model where your device will refuse to issue a request to a server unless the signature of all the software the server is running has been published to a transparency log was certainly one of the most unique elements of the solution—and totally critical to the trust model.”

To questions about Apple's partnership with OpenAI and integration of ChatGPT, the company emphasizes that partnerships are not covered by PCC and operate separately. ChatGPT and other integrations are turned off by default, and users must manually enable them. Then, if Apple Intelligence determines that a request would be better fulfilled by ChatGPT or another partner platform, it notifies the user each time and asks whether to proceed. Additionally, people can use these integrations while logged into their account for a partner service like ChatGPT or can use them through Apple without logging in separately. Apple said in June that another integration with Google's Gemini is also in the works.

Apple said this week that beyond launching in United States English, Apple Intelligence is coming to Australia, Canada, New Zealand, South Africa, and the United Kingdom in December. The company also said that additional language support—including for Chinese, French, Japanese, and Spanish—will drop next year. Whether that means that Apple Intelligence will be permitted under the European Union's AI Act and whether Apple will be able to offer PCC in its current form in China is another question.

“Our goal is to bring ideally everything we can to provide the best capabilities to our customers everywhere we can,” Federighi says. “But we do have to comply with regulations, and there is uncertainty in certain environments we’re trying to sort out so we can bring these features to our customers as soon as possible. So, we’re trying.”

He adds that as the company expands its ability to do more Apple Intelligence computation on-device, it may be able to use this as a workaround in some markets.

Those who do get access to Apple Intelligence will have the ability to do far more than they could with past versions of iOS, from writing tools to photo analysis. Federighi says that his family celebrated their dog’s recent birthday with an Apple Intelligence–generated GenMoji (viewed and confirmed to be very cute by WIRED). But while Apple's AI is meant to be as helpful and invisible as possible, the stakes are incredibly high for the security of the infrastructure underpinning it. So how are things going so far? Federighi sums it up without hesitation: “The rollout of Private Cloud Compute has been delightfully uneventful.”

Apple Intelligence Promises Better AI Privacy. Here’s How It Actually Works

Business intelligence firm Gartner labels security orchestration, automation, and response as "obsolete," but the fight to automate and simplify security operations is here to stay.

Source: Screenshot of Gartner Chart via Robert Lemos

What Gartner giveth, Gartner can take away.

Seven years ago, analysts at the business intelligence firm coined the term "security orchestration, automation, and response" (SOAR) to describe what they considered a new class of products: integrated security operations that could not only detect threats and issues, but also use playbooks to augment incident responders' efforts and, eventually, completely automate the response.

No wonder, then, that Gartner's labeling of the technology two months ago as "obsolete before plateau" — meaning the category has stalled before becoming a well-established IT tool — created a kerfuffle. Customers inundated the firm with questions on what the designation implied. Vendors in the security automation sector were more blunt.

Any suggestion that SOAR is dead is "the dumbest thing I've ever heard — absolutely asinine," says James Brear, CEO of Swimlane, a provider of security operations automation. "If you just remove the \[term\] SOAR and added the word automation, \[then the assertion\] sounds ridiculous. It's kind of like saying that AI is going away."

SOAR is not the first technology to be assigned Gartner's dreaded "Hype Cycle" designation. In 2022, data meshes became obsolete before reaching the plateau — more formally, the "Plateau of Productivity." In 2020, Gartner slapped the label on demand-driven material requirements planning, a supply chain management approach. Ditto for broadband over powerlines in 2010.

"This premature obsolescence typically results from the emergence of a competing technology — for example, analog high-definition TV gave way to digital high-definition TV," Gartner stated in an explanation of its Hype Cycle model.

In the latest case, labeling SOAR as obsolete comes as the components of the product category have become subsumed by other products and services, while automation is increasingly an expected feature, says Eric Ahlm, senior director analyst at Gartner. Security operations centers (SOCs) required orchestration as a standalone feature to integrate disparate products into a single hub for operations, the analyst explains, and as corporate customers sought out simplified operations, vendors further integrated their services to consolidate SOAR with other products and services.

A parade of mergers and acquisitions highlights the trend. Palo Alto Networks bought Demisto in 2019 and acquired QRadar from IBM earlier this year. Rapid7 bought SOAR firm Komand back in 2017, and SumoLogic acquired DFLabs in 2021.

"There's a lot of different ways to add automation — an efficiency boost or increase scale through automation — without going out and buying a standalone, dedicated SOAR platform," Ahlm says. "That's really what we're calling out — not the end of automation or that it's a dead-end concept — but the field of vendors who sell nothing but dedicated platforms for automation, I don't think ... have a very lively future."

**Wanted: A Simplified Security Hub**

Most companies want a single hub for all of their security information, from which they can manage incidents, conduct investigations, and respond to threats. SOAR was originally envisioned to be that central hub, but strong integration between products, better automation, and a focus on visibility means that other products can now fill that role.

In other words, the central hub does not have to be SOAR. Increasingly, the choice of security operations platform depends on where a business starts out and what core platform it believes delivers most value, Ahlm says. Both extended detection and response (XDR) and security event and information management (SIEM) platforms, for example, are increasingly a security focal point for companies.

The features of SOAR — the integration, visibility, and automated response — have migrated to a variety of security products, says Chas Clawson, field CTO at Sumo Logic, a provider of automated security operations platforms.

"It shows the maturity of the security operations world, when something as critical as automation becomes kind of table stakes, and every solution has to have some flavor of automation," he says. "It's probably long overdue \[because of the\] pain ... from the defender side — analyst burnout and swivel-chair syndrome ... \[from which\] we really need some reprieve."

Sumo Logic has its own SOAR product — Cloud SOAR — which focuses on integrating data streams from different IT devices, security products, and cloud services, along with automation for security operations.

**Still a Strong Case for Better SOAR**

Yet another company behind SOAR is cybersecurity firm Palo Alto Networks, which has doubled down on security automation. The company's security operations center ingests 36 billion events per day — a volume of more than 75 terabytes — with only 10 human analysts. In its use case, the company says its Cortex XSOAR automates the work of 16 analysts and reduces time spent on manual actions by 90%.

"By standardizing and automating time-consuming, manual tasks, SOAR solutions dramatically reduce time spent on incident response," says Gonen Fink, senior vice president of Palo Alto Networks' Cortex and Prisma Cloud products. "While many stand-alone security products will continue to integrate some level of automation, SOAR solutions provide more robust capabilities, orchestrating and automating various actions across an organization's technology stack."

Swimlane has also focused on automating security tasks and incident response, typically for larger companies such as the Fortune 2000. Founded in 2014 — three years before Gartner reportedly created the modern term SOAR — the company's approach is to gather data from all of the IT devices and intelligence from security products and then automate the response to any identified incidents, says Swimlane's Brear.

"The genesis \[of the company was\], 'How can we make the SOC better?'" he says. "If you go back in time, there were a bazillion different tools that the SOC guys were looking at — it's complicated to try to get visibility."

For those reasons, a standalone SOAR platform is a necessary and reasonable approach to security for many companies — and far from obsolete — but customers will continue to need better integrations with common technologies, such as Microsoft and managed detection and response (MDR) platforms, according to analyst firm Omdia.

"Users of security technologies want to have solutions that are easy to use, require minimum training, and can integrate easily," says Elvia Finalle, senior analyst at Omdia. "SOAR vendors will have to continue to adapt to platforms and expand their compatibility with other vendors and solutions."

**AI + Automation = Security Evolution**

While the core use case for SOAR remains strong, the combination of artificial intelligence, automation, and the current plethora of cybersecurity products will result in a platform that could take market share from SOAR systems, such as an AI-enabled next-generation SIEM, says Eric Parizo, managing principal analyst at Omdia.

"SOC decision-makers are \[not\] going out looking to purchase orchestration and automation as much as they're looking to solve the problem of fostering a faster, more efficient TDIR \[threat detection, investigation, and response\] life cycle with better, more consistent outcomes," he says. "The orchestration and automation capabilities within standalone SOAR solutions are intended to facilitate those business objectives."

AI and machine learning will continue to increasingly augment automation, says Sumo Logic's Clawson. While creating AI security agents that process data and automatically respond to threats is still in its infancy, the industry is clearly moving in that direction, especially as more infrastructure uses an "as-code" approach, such as infrastructure-as-code, he says.

The result could be an approach that reduces the need for SOAR.

"When you have this Copilot technology — you've heard the term 'agentification,' \[where\] you've got this agent at your disposal that can do anything that you want — it dilutes the value of SOAR," Clawson says. "Because AI can be an expert coder and developer, and it has access to every API and all the documentation, you can almost just start to interact with systems in a more humanlike way."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

SOAR Is Dead, Long Live SOAR

PRESS RELEASE

Xiphera, Ltd, a Finnish company designing and implementing hardware-based security solutions, announces a project for developing quantum-resilient Authenticated Boot and Hardware Root of Trust solutions for space-grade semiconductor architectures.

Authenticated Boot and Hardware Root of Trust solutions ensure trust in the digital hardware components and system configurations in space and satellite infrastructures.  Xiphera’s implementations are based on hybrid cryptography – a combination of traditional and Post-Quantum Cryptography (PQC) – thus ensuring the security of the system throughout its life cycle. 

The development project is partially financed by the European Space Agency, as part of its General Support Technology Program (GSTP). The solutions have been designed in close co-operation with Frontgrade Gaisler, a leading Swedish developer of space-grade electronics. Authenticated Boot is planned to be integrated into Frontgrade Gaisler’s space-grade GR765 processor.

The Authenticated Boot and Hardware Root of Trust technologies are productised for general availability in Xiphera’s nQrux® family of Hardware Trust Engines – highly optimised and customisable security solutions for FPGAs and ASICs. The first released product is nQrux® Secure Boot, available immediately for semiconductor and equipment vendors in space technology and other industrial and critical infrastructure sectors.

“The ESA project will increase European digital sovereignty and resilience both in the supply chain and underlying technology. Our IP cores have always been secure by design, and the complex solutions developed in this project require careful system design methodology” says Petri Jehkonen, Xiphera’s Director of Strategic Programs. “In addition to delivering first class cryptographic algorithms and security protocols, the technology we develop must be compatible with space-grade ASIC manufacturing processes. Xiphera’s solutions are designed in pure digital logic without any hidden software components. This benefit is emphasised particularly in space-grade applications, where software components typically require significantly more complicated validation and certification paths.”

“The integration of Xiphera technology in our next-generation GR765 octa-core SoC provides the foundation to build systems that are resilient against cybersecurity threats” says Jan Andersson Nerén, Director of Engineering at Frontgrade Gaisler. “This collaboration allows our customers to meet stricter requirements while minimising impact on development effort. It also allows them to tackle both present and future challenges, including those posed by quantum computing.”

“Security elements are required today in most space systems. Sensitive elements uploaded over the air, such as software, FPGA bitstreams and telecommands need to be authenticated. Mission data, if confidential or of commercial value, must be encrypted. We are looking forward to working with Xiphera to develop quantum-resistant secure IP cores for space processing chips, namely microprocessors and FPGA” says Roland Weigand from Microelectronics Section at ESA. 

About Xiphera

Xiphera, Ltd, designs and implements hardware-based security using proven cryptographic algorithms. Our strong cryptographic expertise and extensive experience in digital system design enable us to help our customers to protect their most valuable assets.

We offer secure and highly optimised cryptographic Intellectual Property (IP) cores, designed directly for Field Programmable Gate Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs) without software components. The broad, fully in-house designed, and up-to-date portfolio, including implementations of Post-Quantum Cryptography, enables cost-effective development projects with fast time-to-market – providing peace of mind in a dangerous world.

Read more: www.xiphera.com

About Frontgrade Gaisler

Frontgrade Gaisler, a Frontgrade Technologies company, is a leading global provider of radiation-hardened microprocessors and IP cores for criticalapplications, particularly in the space industry. The company’s highly integrated SoC processors are known for their reliability, fault tolerance, and radiation tolerance, making them ideal for any space mission or other high-reliability application. Find out more about space computing at www.gaisler.com.

About ESA

The European Space Agency (ESA) is Europe’s gateway to space. Its mission is to shape the development of Europe’s space capability and ensure that investment in space continues to deliver benefits to the citizens of Europe and the world. ESA is an international organisation with 22 Member States. By coordinating the financial and intellectual resources of its members, it can undertake programmes and activities far beyond the scope of any single European country.

https://www.esa.int

Xiphera Develops Quantum-Resilient Hardware Security Solutions for Space

CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.

**Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API**

Wednesday, September 11, 2024 12:00

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. 

Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Microsoft AllJoyn API information disclosure vulnerability **

   
The AllJoyn API in some versions of the Microsoft Windows operating system contains an information disclosure vulnerability. 

TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. 

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. 

Microsoft fixed this issue as part of its monthly security update on Tuesday. For more on Patch Tuesday, read Talos’ blog here. 

CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.   

**Adobe Acrobat Reader annotation object page race condition  **

_Discovered by KPC._ 

Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

TALOS-2024-2011 (CVE-2024-39420) can be executed if an adversary tricks a targeted user into opening a specially crafted PDF file with malicious JavaScript embedded. This JavaScript could then trigger memory corruption due to a race condition.  

Depending on the memory layout of the process this vulnerability affects, it may be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.

Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API

PRESS RELEASE

Darktrace plc (DARK.L), a global leader in cybersecurity AI, announces Poppy Gustafsson will step down as Chief Executive Officer (CEO) with effect from today and Jill Popelka, Darktrace's current Chief Operating Officer (COO), has been appointed as her successor. Jill will assume the role of CEO and will also be appointed to the Darktrace Board of Directors with effect from today.

Jill has more than two decades of experience of driving operational best practices and maturing teams, systems and processes for fast-growing businesses. She previously held senior leadership roles at leading global technology businesses, including Accenture, Snap Inc and SAP SuccessFactors, one of the largest enterprise cloud businesses in the world, which she led as President. Jill joined Darktrace in January 2024 as a Non-Executive Director, before assuming her current role of COO at Darktrace on 1 June 2024.

Poppy Gustafsson, outgoing CEO of Darktrace, said: "Darktrace has been a huge part of my life and my identity for over a decade and I am immensely proud of everything we have achieved in that time. Together we have revolutionised the marketplace for cyber security and brought our AI-powered technology to almost 10,000 customers around the world, keeping them safe from cyber disruption.

This challenge has required tremendous personal and professional commitment from me. With the acquisition of Darktrace by Thoma Bravo nearing its completion and with us having identified an excellent successor in Jill, now is the right time to hand over the reins so Jill can lead Darktrace through its transition into private ownership and beyond. I am profoundly grateful to have had the privilege of leading such an exceptional team and I look forward to remaining engaged in this exciting next chapter of the business as a non-executive director after the transaction completes. I remain Darktrace's number one fan."

Gordon Hurst, Chairman of Darktrace, said: "Poppy is a remarkable leader who has grown and nurtured one of the UK's proudest technology success stories. Under Poppy's stewardship, the business has transformed from a promising collaboration of AI and intelligence experts to a high-growth global leader in cyber security. This has been reflected in the significant value Darktrace has created for its shareholders under Poppy's leadership since its IPO in 2021 and through the acquisition by Thoma Bravo, one of the world's leading investors in software businesses.

"Jill is a proven and highly regarded leader in global technology businesses who has contributed immensely to the Board and more recently in her role as COO. With Poppy stepping down, the Board has implemented its CEO succession plan and is delighted that Jill has accepted the role of CEO. She has the deep sector experience, people leadership skills and energy and passion to lead Darktrace into the next stage of its journey."

Jill Popelka, incoming CEO of Darktrace, said: "Poppy and the team have built something very special. The potential of Darktrace is enormous - our technology has never been more critical to organisations around the world and our AI-native capabilities position us at the forefront of the ever-changing cyber security market. We have an outstanding platform offering, a broad base of customers across the globe, and some of the most talented people working in technology, not least our remarkable R&D teams based in Cambridge and The Hague.  I am excited to partner with the whole Darktrace team to take advantage of the many opportunities we have ahead of us as we embark on this next phase of our journey." 

Andrew Almeida, Partner at Thoma Bravo, said: "We are fully supportive of Poppy and the Board's succession plan. Jill is the perfect leader to build on Poppy's tremendous legacy at Darktrace as it embarks on this next phase of its life given her immense experience of scaling and maturing fast-growing businesses. She cares deeply about people, about serving customers and about creating a company with a sense of mission and purpose at its core. We look forward to working with Jill and the wider team to help elevate Darktrace's place as the essential cybersecurity platform for the changing threat landscape."

The acquisition of Darktrace by Thoma Bravo continues to progress as anticipated. All antitrust and regulatory approvals have now been received, with the exception of one foreign regulatory approval, which is currently anticipated by 28 September 2024. Per the transaction timetable, Darktrace will seek the UKcourt's sanction of the transaction as soon as this final regulatory approval has been received, with the closing of the transaction expected shortly afterwards.  

This announcement is made in accordance with the notification requirement in UKLR 6.4.6R and there are no other disclosures that need to be made under UKLR 6.4.8R relating to the appointment of Jill Popelka.

Poppy Gustafsson to Step Down As CEO of Darktrace; Jill Popelka Appointed Successor

The threat of ransomware hasn't gone away. But law enforcement has struck a blow by adjusting its tactics and taking out some of the biggest adversaries in the ransomware scene.

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

The year to date has been particularly eventful across the ransomware landscape, with prolific ransomware groups, including LockBit, seeing their operations seized and dismantled. The strategies used to take down these groups were meticulously planned and executed, successfully undermining the most accomplished cybercriminal experts.

The fight against ransomware has for years felt like an uphill battle. Each takedown faces the inevitable criticism that these actions are temporary, resulting in groups reforming and coming back.

However, the past year has seen some of history's biggest takedowns, with international collaborative efforts from law enforcement employing new tactics. Are we seeing the balance of power beginning to shift?

**The Development of Law Enforcement's Strategy**

Law enforcement agencies have had to change their approach to remain successful in an environment where cybercriminal gangs adapt and develop constantly. Although previous takedowns have shown initial success in disrupting gangs on a technical level, law enforcement agencies have recognized the need to go further and think outside of the box.

Adding a twist, ransomware takedown teams are focusing on publicly damaging groups' credibility, acknowledging the fact that reputation and trust are (somewhat counterintuitively) valued commodities on the Dark Web.

Law enforcement's new approach was rolled out with Operation Cronos, the disruption campaign against one of the most prolific ransomware gangs, LockBit.

With a force of 10 countries' law enforcement agencies, the highlights of the takedown included 34 servers being seized, 200 cryptocurrency accounts being frozen, and two arrests taking place, and it didn't stop there.

The National Crime Agency (NCA) deployed psyops methods, using LockBits' own site, which it had hijacked, to publish images of LockBit's administration system and leak internal conversations, while publishing the usernames and login details of 194 LockBit "affiliate" members. Then, the unmasking of "LockBitSupp" — the gang's leader — was teased with a countdown timer on the LockBit website, eventually naming him as Dmitry Khoroshev. Law enforcement also implied that he had collaborated with them by leaking the affiliate's details, creating more doubt among Dark Web associates. 

When logging in to their systems, LockBit members were greeted with personalized messages stating that the authorities had details regarding their IP addresses, cryptocurrency wallet details, internal chats, and their personal identity.

Law enforcement's strategy undermined LockBit's reputation and emphasized its fragility. Hijacking the website exposed infrastructure weaknesses, unmasking LockBit's leader proved he had weak operations security, and leaking the affiliates demonstrated the risks of associating with LockBit. These methods dethroned LockBit's reputation further. Although the group is still active, recent data shows that the average number of monthly LockBit attacks in the UK has reduced by 73% since February.

**The Snowball Effect in the Dark Web Community**

The LockBit takedown has caused a ripple effect and garnered a lot of attention across the ransomware landscape, eliciting the message that if LockBit can be taken down, anyone could be next. Targeting the biggest ransomware group was law enforcement's message that no group is beyond its reach.

Two weeks later, BlackCat, the second biggest ransomware group, claimed to have been disrupted by law enforcement, even uploading a fake seizure banner. However, law enforcement quickly denied its involvement. In fact, the group appears to have closed itself down after stealing a large sum of money from its affiliate, following a ransomware attack on Change Healthcare. The timing of BlackCat's retirement suggests a potential reaction to the LockBit takedown, showing a newfound sense of fear on the Dark Web.

**What Comes Next?**

Disrupting some of the world's most dangerous and prolific ransomware groups such as LockBit and BlackCat, which have dominated the ransomware landscape in recent years, is a huge achievement. 

Of course, these successes have not immediately led to the collapse of the ransomware underground. In fact, our statistics show that there were 73 ransomware groups in operation in the first half 2024 compared with the same period for 2023, representing a 56% increase in the number of ransomware groups. 

However, although there are more groups, we have seen a 16% decrease in victims listed between the second half of 2023 and the first half of 2024, which suggests that taking on the big groups with new tactics has had a measurable impact. It appears that what we are actually observing is a diversification — rather than growth — in the ransomware landscape.

A recent Europol report also highlighted a fragmentation of the ransomware landscape. While the threat is no longer coming primarily from a group of three to four dominant ransomware-as-a-service (RaaS) groups, the affiliates who led a mass exodus have started their own operations, developing their own ransomware tooling and lessening their reliance on the big players. 

This creates its own challenges for security professionals. A more diverse ransomware ecosystem means a more diverse landscape for cybersecurity teams to navigate. As things move quickly in the ransomware world, collecting up-to-date intelligence on ransomware groups is more important than ever before.

The threat of ransomware hasn't gone away. However, law enforcement has certainly struck a blow by adjusting its tactics and has potentially created some breathing room for security professionals by taking out some of the biggest adversaries in the ransomware scene.

**About the Author**

CTO & Co-founder, Searchlight Cyber

Dr. Gareth Owenson is the CTO and co-founder of the Dark Web intelligence company Searchlight Cyber. Gareth completed his Ph.D. in computer science in 2007 and is a world leader in Tor Dark Web research. He advises governments, military, and law enforcement on Dark Web technologies and guides the development of a suite of technologies that have put Searchlight Cyber in the forefront of Dark Web investigative and intelligence efforts. Gareth co-founded Searchlight Cyber in 2017 to help governments, law enforcement, and enterprises in the fight to protect society from threats that emanate from the Dark Web.

How Law Enforcement's Ransomware Strategies Are Evolving

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

Source: Miscellaneoustock via Alamy Stock Photo

A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.

In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.

But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, "Pixhell," enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.

**How Pixhell Works**

It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.  

Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.

Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.

Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.

Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.

However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."

In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."

**The Wide World of Covert Channel Attacks**

Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.

"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds. 

Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.

**What the Best Air Gaps Look Like**

For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.

Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.

"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.

Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical \[channel you're worried about\], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly \[at intervals\], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?

Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#intel