Red Hat Security Advisory 2024-3939-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3939.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: linux-firmware security update  
Advisory ID:        RHSA-2024:3939-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3939  
Issue date:         2024-06-17  
Revision:           03  
CVE Names:          CVE-2022-27635  
====================================================================

Summary: 

An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The linux-firmware packages contain all of the firmware files that are required by various devices to operate.

Security Fix(es):

* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-27635)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-40964)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-36351)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-38076)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-27635

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2238960  
https://bugzilla.redhat.com/show_bug.cgi?id=2238961  
https://bugzilla.redhat.com/show_bug.cgi?id=2238962  
https://bugzilla.redhat.com/show_bug.cgi?id=2238963  
https://bugzilla.redhat.com/show_bug.cgi?id=2238964

Red Hat Security Advisory 2024-3939-03

Microsoft has announced that its Copilot+PC's Recall feature will be delayed due to privacy concerns and security risks.

Microsoft has announced it will postpone the broadly available preview of the heavily discussed Recall feature for Copilot+ PCs. Copilot+ PCs are personal computers that come equipped with several artificial intelligence (AI) features.

The Recall feature tracks anything from web browsing to voice chats. The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them locally. The user would then be able to search the database for anything they’ve seen on their PC.

However, Recall received heavy criticism by security researchers and privacy advocates since it was announced last month. The ensuing discussion saw a lot of contradictory statements. For example, Microsoft claimed that Recall would be disabled by default, while the original documentation said otherwise.

Researchers demonstrated how easy it was to extract and search through Recall snapshots on a compromised system. While some may remark that the compromised system is the problem in that equation—and they are not wrong—Recall would potentially provide an attacker with a lot of information that normally would not be accessible. Basically, it would be a goldmine that spyware and information stealers could easily access and search.

In Microsoft’s own words:

> “Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Microsoft didn’t see the problem, with its vice chair and president, Brad Smith even using Recall as an example to demonstrate how Microsoft is secure during the Committee Hearing: A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.

But now things have changed, and Recall will now only be available for participants in the Windows Insider Program (WIP) in the coming weeks, instead of being rolled out to all Copilot+ PC users on June 18 as originally planned.

Another security measure taken only as an afterthought was that users will now have to log into Windows Hello in order to activate Recall and to view your screenshot timeline.

In its blog, Microsoft indicates it will act on the feedback it expects to receive from WIP users.

> “This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

Our hope is that the WIP community will convince Microsoft to abandon the whole Recall idea. If not, we will make sure to let you know how you can disable it or use it more securely if you wish to do so.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Microsoft Recall delayed after privacy and security concerns 

A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.

EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.

Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.

EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operations and moved some of its Ukrainian workers to locations outside of that country.

The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker who spoke with WIRED didn’t identify all of the victims breached through EPAM but did indicate that Ticketmaster was one of them. Ticketmaster did not respond to a request for comment from WIRED. But Ticketmaster’s parent company, Live Nation, has acknowledged that data was stolen from its Snowflake account in May without revealing how much data was stolen or how the hackers accessed the Snowflake account. In a post offering the data for sale, however, the hackers indicated that they had taken data on 560 million Ticketmaster consumers.

The hacker claims that in some cases they were able to directly access the Snowflake account of EPAM customers using the plaintext usernames and passwords they found on the EPAM worker’s computer. But in cases where Snowflake credentials weren’t stored on the worker’s system, the hacker claims they sifted through stockpiles of old credentials stolen in previous breaches by hackers using infostealer malware and found additional usernames and passwords for Snowflake accounts, including ones harvested from the machine of the same EPAM worker in Ukraine.

Credentials harvested by infostealers are often posted online or made available for sale on hacker forums. If victims don’t change their login credentials after a breach, or don’t know their data has been stolen, those credentials can remain active and available for years. It’s especially problematic if those credentials are used across multiple accounts; hackers can identify the user through the email address they use as a login credential, and if that person reuses the same password, hackers can simply try those credentials in multiple places.

The hackers in this case say they were able to use credentials stolen by an infostealer in 2020 to access Snowflake accounts.

WIRED wasn’t able to independently confirm that the hackers were inside the EPAM worker’s machine or used EPAM to gain access to Ticketmaster’s data and other Snowflake accounts, but the hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

Furthermore, in the blog post written by Mandiant, which was published after the hacker told WIRED about his group’s use of data harvested by infostealers, the security firm revealed that the hackers who breached Snowflake accounts used old data siphoned by infostealers to access some of the accounts. Mandiant said that about 80 percent of the victims it identified in the Snowflake campaign were compromised using credentials that had previously been stolen and exposed by infostealers.

And an independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunter hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer that includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account, as well as a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account.

“This means that \[an EPAM worker\] who had access to that Snowflake \[account\] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says the researcher, who asked to be identified only as Reddington, an identity they use online to communicate with cybercriminals. “This means that anyone that knew the correct URL to \[Ticketmaster’s\] Snowflake could have simply looked up the password, logged in, and stolen the data.”

An EPAM spokesperson did not seem to be aware when contacted by WIRED early this week that its company allegedly played a role in breaches of Snowflake accounts. “We do not comment on situations to which we are not a part,” she wrote in an email, suggesting the company did not believe it played any role in the campaign. When WIRED provided the spokeswoman with details about how the hackers say they obtained access to the system of an EPAM worker in Ukraine, she replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”

WIRED followed up by providing the name of the Ukrainian worker whose machine the hackers allegedly compromised, as well as the username and password the worker used for accessing Ticketmaster’s Snowflake account, but the spokesperson did not respond to any additional questions.

It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to \[make the\] default MFA,” he says.

_Update 6/17/2024, 5:45 pm EDT: The article was updated to clarify the details that Santander has publicly revealed about the hack._

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.
The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.
"Due to the nature of crack programs, information sharing amongst

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.

The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.

"Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware's distribution independently from the initial distributor," the AhnLab Security Intelligence Center (ASEC) said.

"Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware."

Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT, mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware dubbed Amadey Bot.

NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing the threat actors to siphon sensitive information from the compromised host.

First released on April 17, 2024, the current version of the program is 1.1.0. It's also available as a premium version, according to its developer, suggesting that it's advertised under the malware-as-a-service (MaaS) model.

The development comes amid the return of a cryptocurrency mining botnet referred to as Bondnet, which has been detected using the high-performance miner bots as C2 servers since 2023 by configuring a reverse proxy using a modified version of a legitimate tool called Fast Reverse Proxy (FRP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NiceRAT Malware Targets South Korean Users via Cracked Software

The United States and China appear locked in a race to weaponize four-legged robots for military applications.

The Chinese military recently unveiled a new kind of battle buddy for its soldiers: a “robot dog” with a machine gun strapped to its back.

In video distributed by the state-run news agency CCTV, People's Liberation Army personnel are shown operating on a testing range alongside a four-legged robot with what appears to be a variant of the standard-issue 5.8 x 42-mm QBZ-95 assault rifle mounted on it as part of China’s recent Golden Dragon 24 joint military exercises with Cambodia in the Gulf of Thailand. In one scenario, Chinese soldiers stand on either side of a doorway while the robot dog enters the building ahead of them; in another, the robot fires off a burst of bullets as it advances on a target.

“It can serve as a new member in our urban combat operations, replacing our members to conduct reconnaissance and identify enemy \[sic\] and strike the target during our training,” one Chinese soldier shown operating the robot told CCTV.

This isn’t the first time the Chinese military-industrial complex has shown off an armed robot dog. In October 2022, Chinese defense company Kestrel Defense published a video showing an unmanned aerial vehicle air-dropping a quadrupedal ground vehicle affixed with a 5.8 x 42-mm QBB-97 light machine gun on a roof during an urban warfare experiment. The company had previously released footage of robot dogs outfitted with combat systems that included everything from smoke grenades to loitering munitions. And as recently as this March, Chinese researchers claimed that tests involving robot dogs outfitted with an unidentified 7.62-mm rifle (likely a variant of the Type 56 assault rifle that’s based on the ubiquitous Soviet-made AK-47) yielded marksmanship that rivaled trained Chinese sharpshooters, according to the South China Morning Post.

China’s demonstration clearly rankled international observers, prompting at least one American lawmaker to call on the US Defense Department for a report on “rifle-toting robot dogs” and their potential national security implications. But if the Chinese military is pioneering the weaponization of robot dogs, then the United States military isn’t far behind.

In the past year, the Pentagon has experimented with outfitting quadrupedal ground robots with its standard-issue 5.56 x 45-mm M4A1 carbine, the 6.8-mm XM7 rifle that the US Army is in the process of adopting under its Next Generation Squad Weapon program, and even the M72 Light Anti-Tank Weapon that’s been in service with American troops since the Vietnam War. Just weeks before CCTV published its footage of armed robot dogs in action, Marine Corps Special Operations Command (MARSOC) revealed that it was experimenting with adding mounted gun systems based on defense contractor Onyx’s artificial intelligence-enabled SENTRY remote weapons system to its own mechanized canines.

American defense officials have been quick to emphasize that the development of weaponized robot dogs is, at this stage, purely experimental, intended to help military planners “explore the realm of the possible” when it comes to the potential applications of revolutionary robotic systems in a future conflict, as one Army official put it last August. But with Army soldiers conducting urban assault drills alongside robot dogs and the Marine Corps increasingly eyeing mechanical quadrupeds to augment future formations with “intelligent robotics,” it may not be too long before the US military is forced to seriously consider adopting armed robot canines for combat before China does.

“Why are we acting surprised by this? It was so obviously coming,” Peter W. Singer, a senior fellow at the Washington, DC-based think tank New America and expert on advanced military technology, tells WIRED. “The first wheeled and tracked \[explosive ordnance disposal\] robots had cameras on them to inspect roadside bombs, then someone added guns to them; the same thing with the Predator drone, which started out unarmed until the military strapped missiles to it. Armed robotics has been a trendline for years.”

A human-machine integration test using the Ghost Robotic Dog and the US Army Small Multipurpose Equipment Transport at Fort Irwin, California, March 15, 2024.Photograph: Spc. Samarion Hicks/U.S. Army/DVIDS

**Man’s Best Friend**

Quadrupedal robots aren’t a new development in the annals of military technology. In 2005, robotics leader Boston Dynamics unveiled BigDog, a four-legged mechanical “pack mule” that was intended to haul weapons and supplies for US troops over terrain considered unwelcoming to traditional wheeled or tracked ground vehicles. Funded by the Defense Advanced Research Projects Agency and adopted as the Legged Squad Support System by the Marine Corps Warfighting Laboratory, BigDog was eventually deemed too loud for practical use and discontinued after a decade and more than $40 million invested in the much-hyped project.

Despite BigDog’s shortcomings, the underlying research behind the system eventually gave rise to Spot, a smaller and quieter “robot dog” that Boston Dynamics debuted in 2015. While too small to lug around gear and weapons, the system immediately had clear military applications for everything from base perimeter security to remote site inspection. In the years since its introduction, Spot has proven the platform-defining vision of quadrupedal ground robots, inspiring both collaborators like Asylon Robotics’ DroneDog and alleged imitators like Ghost Robotics’ Vision 60 to compete for a slice of the Defense Department’s growing robotics budget.

Based on publicly available media in Defense Visual Information Distribution Service (DVIDS), the Pentagon’s media distribution hub, the adoption of robot dogs across the US military didn’t start in earnest until 2020, when the Air Force integrated a handful of Ghost Robotics systems into what’s called an “agile combat employment” exercise at Nellis Air Force Base in Nevada, which saw airmen work with their new best friends to secure an airfield against a simulated attack. Just a few months later, officials at Tyndall Air Force Base in Florida became the first US military installation in the world to incorporate the semiautonomous robot dogs into its base security regimen.

“These dogs will be an extra set of eyes and ears while computing large amounts of data at strategic locations throughout Tyndall Air Force Base,” Major Jordan Criss, 325th Security Forces Squadron commander, said of the systems during initial testing in late 2020. “They will be a huge enhancement for our defenders and allow flexibility in the posting and response of our personnel.”

In the intervening years, robot dogs have become an increasingly common fixture across the US military, beyond patrolling sensitive installations. In July 2023, Minot Air Force Base in North Dakota introduced robot dogs to enable airmen to respond to chemical, biological, radiological, and nuclear threats “without risking the safety of themselves or others.” In August, Patrick Space Force Base in Florida added robot dogs to its perimeter security rotation for an “additional detection and alert capability.” That same month, the Naval Surface Warfare Center, Philadelphia Division, announced the employment of robot dogs to “build 3-D ship models aboard the ‘mothballed’ fleet of decommissioned ships at the Philadelphia Navy Yard,” while the Coast Guard unveiled four-legged “droid” dogs in Hawaii to “combat weapons of mass destruction.” Finally, in November, airmen at Barksdale Air Force Base in Louisiana debuted robot dogs for explosive ordnance disposal.

Despite these practical noncombat applications, some robotics companies have had an eye on weaponization. In October 2021, Ghost Robotics showed off a so-called “Special Purpose Unmanned Rifle,” or SPUR, quadrupedal robot with an 6.5-mm Creedmoor assault rifle developed by SWORD International mounted on its back during an annual Army weapons expo in Washington, DC, in the first public example of a robot dog armed with a firearm. The following year, a video of a robot dog outfitted with a PP-19 Vityaz submachine gun by Russian entrepreneur Alexander Atamov quickly went viral on YouTube and Twitter. By 2023, an American company had debuted a robot dog with a flamethrower strapped to its back, albeit not explicitly for military use (no longer fielded to US soldiers, using flamethrowers against enemy combatants is technically not prohibited). Like the Predator drone, you can’t build a new robot without someone slapping a weapon on it.

**Cry Havoc**

The public reception to weaponized robot dogs is overwhelmingly defined by concern mixed with discomfort, especially given the rise of autonomous or semiautonomous weapon systems that can independently track and identify targets. Even beyond the conventional invocation of _Terminator_\-inspired techno-anxiety, the robot dogs appear eerily reminiscent of the menacing mechanized canines of _Black Mirror_.

Part of the creep factor stems from the “uncanny valley,” says Singer, invoking the psychological phenomenon in which robots that look and act almost-but-not-quite natural end up unnerving their human observers. “On the engineering side, these robots take inspiration from nature, since real dogs are, through evolution, designed to operate really well in the field,” Singer says. “As a result, we layer our beliefs about these types of creatures on top of ‘bioinspired’ robots, and the more something acts lifelike but not likelike, the more we react with fear or disgust.”

Such anxiety over armed robot dogs even prompted six leading robotics companies—led by Spot pioneer Boston Dynamics—to release a letter in October 2022 promising to prohibit military customers from weaponizing their robots for combat purposes. (SPUR creator Ghost Robotics was not a signatory.)

“We believe that adding weapons to robots that are remotely or autonomously operated, widely available to the public, and capable of navigating to previously inaccessible locations where people live and work, raises new risks of harm and serious ethical issues,” the companies wrote. “Weaponized applications of these newly-capable robots will also harm public trust in the technology in ways that damage the tremendous benefits they will bring to society.”

To be fair, both the US military and American robotics companies have urged caution when it comes to developing autonomous weapons systems. Upon unveiling the SPUR, late Ghost Robotics CEO Jiren Parikh emphasized that the armed robot always has an operator in the loop, with no AI or autonomy-related systems that could potentially falter under extreme circumstances. And while the SENTRY turret that MARSOC is reportedly testing affixed to a pair of robot dogs does use AI to scan for and identify targets, the company also emphasized that the decision to engage with the weapon system is completely reliant on a human operator. While the idea of armed robot dogs with minds of their own running amok may be a recent addition to Americans’ dystopian imagination, the US military-industrial complex appears firmly focused on keeping humans in control at all times.

Ghost Robotics Quadruped Unmanned Ground Vehicles (Q-UGV) pose for a photo at Cape Canaveral Space Force Station, Florida, in July 2022.Photograph: Senior Airman Samuel Becker/U.S. Space Force/DVIDS

Despite understandable concerns over their growing role in military affairs, anxiety over packs of armed robot dogs operating on a future battlefield may be premature, according to Sam Bendett, an analyst at the Virginia-based Center for Naval Analyses think tank whose research focuses on robotics and unmanned systems. While footage of armed robot dogs may alarm the average observer, these systems are currently nowhere near agile or versatile enough to make practical sense on chaotic battlefields.

“I had a chance to operate \[a robot dog\] at an AI conference in the Netherlands last year, and it doesn’t have the same dexterity you would expect from a quadruped,” Bendett tells WIRED. “It’s not quite as dexterous, as flexible, or as fast in how it operates. Apart from videos of them doing push-ups and shit like that, it doesn’t run, it can maybe jog, but it can’t even make a turn quite as fast as a tracked or wheeled unmanned ground vehicle.”

“The battlefield is full of man-made and natural countermeasures,” he adds. “That doesn't mean the US and China won't try it out, but it’ll just be in a more limited capacity.”

The Chinese military exercise spotlighted on CCTV may appear concerning, but it’s still a controlled exercise in a managed, relatively stable environment, Bendett says. Until robot dogs demonstrate that they can navigate “the debris of the battlefield” under less-than-ideal conditions, they’ll remain something of a mechanical novelty for military planners.

“Yes, they’re neat, they’re cool,” Bendett says. “But show me a video of a pack of these moving on their own through a forest, not just walking by tapping their feet at every step but actually jogging between trees the way I would with a dog. Then we’ll get to the point where these are actual combat dogs.”

It’s unclear what the future of robot dogs might look like in the ranks of the US military, or even the Chinese military. While they’ve certainly proved useful in augmenting base security and conducting hazardous operations like explosive ordnance disposal, their potential combat applications remain understandably ambiguous. But given American and Chinese military planners’ ongoing experiments with armed robot dogs, the future of warfare may involve not just the grind of tank treads and the roar of helicopter rotors, but the metallic patter of four-legged death across distant battlefields.

Let Slip the Robot Dogs of War

Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.
The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the

Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.

The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is "associated with several other high profile ransomware attacks performed by Scattered Spider."

The malware research group further said the individual was a SIM swapper who operated under the alias "Tyler." SIM-swapping attacks work by calling the telecom carrier to transfer a target's phone number to a SIM under their control with the goal of intercepting their messages, including one-time passwords (OTPs), and taking control of their online accounts.

According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name "tylerb" on Telegram channels related to SIM-swapping.

Tyler is the second member of the Scattered Spider group to be arrested after Noah Michael Urban, who was charged by the U.S. Justice Department earlier this February with wire fraud and aggravated identity theft for offenses.

Scattered Spider, which also overlaps with activity tracked the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group that's infamous for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are suspected to be part of a bigger cybercriminal gang called The Com.

Initially focused on credential harvesting and SIM swapping, the group has since adapted their tradecraft to focus on ransomware and data theft extortion, before shifting to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.

"Evidence also suggests UNC3944 has occasionally resorted to fear-mongering tactics to gain access to victim credentials," Google-owned Mandiant said. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

Mandiant told The Hacker News the activity associated with UNC3944 exhibits some level of similarities with another cluster tracked by Palo Alto Networks Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. It, however, emphasized that they "should not be considered the 'same.'"

The names 0ktapus and Muddled Libra come from the threat actor's use of a phishing kit that's designed to steal Okta sign-in credentials and has since been put to use by several other hacking groups.

"UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications," Mandiant noted.

"With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments."

Attack chains are characterized by the use of legitimate cloud synchronization utilities like Airbyte and Fivetran to export the data to attacker-controlled cloud storage buckets, alongside taking steps to conduct extensive reconnaissance, set up persistence through the creation of new virtual machines, and impair defenses.

Additionally, Scattered Spider has been observed making use of endpoint detection and response (EDR) solutions to run commands such as whoami and quser in order to test access to the environment.

"UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance," the threat intelligence firm said. "Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization's CyberArk instance."

The targeting of the CyberArk Privileged Access Security (PAS) solution has also been a pattern observed in RansomHub ransomware attacks, raising the possibility that at least one member of Scattered Spider may have turned into an affiliate for the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.

The evolution of the threat actor's tactics further coincides with its active targeting of finance and insurance industries using convincing lookalike domains and login pages for credential theft.

The FBI told Reuters last month that it's laying the groundwork to charge hackers from the group that has been linked to attacks targeting over 100 organizations since its emergence in May 2022.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain

Plus: US lawmakers have nothing to say about an Israeli influence campaign aimed at US voters, a former LA Dodgers owner wants to fix the internet, and more.

Despite years worth of efforts to eliminate the scourge of ransomware targeting schools, hospitals, and critical infrastructure worldwide, experts are warning that the crisis is only heating up, with criminal gangs growing ever more aggressive in their tactics. The threat of real-world violence now looms, some experts warn, as the data stolen grows increasingly sensitive and millions in potential profits hang in the balance. “We know where your CEO lives,” read a message reportedly received by one victim. Attacks targeting the medical sector are blooming in response to the $44 million payout by Change Healthcare this March.

United States lawmakers and intelligence officials are circling their wagons following the revelation of Israel’s involvement in a malign influence campaign that targeted US voters—an attempt by America’s Middle East ally to artificially boost support for an increasingly unpopular war that was kicked off by Hamas’ unprecedented Oct. 7th attack. The sock-puppet operation, which was launched by an Israeli contractor on X, Facebook, and Instagram and utilized OpenAI’s ChatGPT software, impersonated mostly Black Americans and targeted “Black and Democratic” lawmakers. A weeks’ worth of efforts by WIRED to get answers from US officials who may have been notified about the operation prior to a vote on enhancing military aide to Israel went ignored. Strikingly, the National Security Council denied having ever heard of it.

Frank McCourt, a real estate mogul and former owner of the Los Angeles Dodgers, explained why he’s spearheading an effort to purchase TikTok, which the United States is slated to ban unless its current owner, ByteDance, decides to sell the platform to a US company—a decision that will undoubtedly require the consent of the Chinese government. McCourt sees the internet as being imperiled by closed-off platforms like Facebook and X and is embracing the growing interest in decentralized networks. Decentralized platforms such as Mastodon have been popular among a subset of users for many years, allowing people to effectively own their own social networks and moderate them according to their own rules. These private networks are free to connect with others using the same software but can also sever connections to communities that embrace harmful content. (Think of these user-controlled networks as “islands” with diplomatic ties between them.) McCourt says purchasing and decentralizing TikTok could be the first step in raising the internet out of the siloed swamp that it is today thanks to Meta and its competitors.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

****Pentagon Led Anti-Vax Psyops Against Filipinos Under Trump****

A bombshell Reuters investigation has unearthed a malign influence campaign launched by the US military at the height of the 2020 Covid-19 pandemic. The campaign utilized sock-puppet accounts on X, Facebook, and Instagram and was focused on convincing citizens of the Philippines that vaccines produced by China were dangerous and—preying on the religious beliefs of Muslims—full of pig parts. Infectious disease experts expressed dismay at the Pentagon’s actions. According to Reuters, the campaign was ordered to an end by the Biden White House shortly after the president’s inauguration, though the Pentagon was apparently slow to enact the commander in chief’s orders. The private contractor responsible for producing the Pentagon’s disinformation was recently awarded a $493 million US government contract.

****Microsoft Hid Major Vulnerability Tied to Historic SolarWinds Attack****

ProPublica recounts how, in 2016, a top cybersecurity specialist raised alarms about a cloud-based vulnerability at Microsoft, a major US government contractor. The weakness threatened to expose national security secrets among other sensitive data. The specialist “pleaded” with the company to address the problem, but his concerns were dismissed by the tech giant as it strived to secure a multibillion-dollar government contract in the cloud computing space. Frustrated, the specialist quit the company and, months later, as predicted, Russian hackers carried out SolarWinds, one of the largest cyberattacks in US history. The reporting brings into question testimony by Microsoft president Brad Smith, who assured Congress in 2016 there was no way the hackers had exploited his company’s software.

****Police Victims of Face-Recognition Errors Decry California Bill as Inadequate****

Three Black men jailed in the US for crimes they didn't commit—after having been falsely identified by police face-recognition software—are speaking out _against_ pending legislation in California that lawmakers claim would protect citizens from such egregious mistakes. The men say the bill, which passed with unanimous support from the state assembly last month and now is under scrutiny in its upper chamber, would have done nothing to stop them from being falsely arrested. Said one of the men: “In my case, as in others, the police did exactly what AB 1814 would require them to do,” adding, “Once the facial recognition software told them I was the suspect, it poisoned the investigation. This technology is racially biased and unreliable and should be prohibited.”

****The Other Threat From Surveillance Data Brokers: Garbage Data****

While much of the scrutiny facing the data broker industry concerns its power to monitor people’s movements and attendance at sensitive locations such abortion clinics and mental health facilities, there’s another issue at play: Much of the data it markets is “inaccurate trash,” The Record reports. A chief privacy officer at Acxiom, a leading third-party data broker, acknowledged as much in an interview last month, saying the “inferences” drawn by his company are, at best, “informed guesses.” Experts are growing increasingly concerned about the downstream effects, with some highlighting how insurance companies are relying more and more on data brokers to inform how much customers should pay. Another expert tells The Record that data brokers may be incentivized not to scrutinize the data too closely, noting that customers aren’t too worried if a fraction of it leads them to false assumptions.

Ransomware Attacks Are Getting Worse

Meta on Friday said it's delaying its efforts to train the company's large language models (LLMs) using public content shared by adult users on Facebook and Instagram in the European Union following a request from the Irish Data Protection Commission (DPC).
The company expressed disappointment at having to put its AI plans on pause, stating it had taken into account feedback from regulators and

Artificial Intelligence / Privacy

Meta on Friday said it's delaying its efforts to train the company's large language models (LLMs) using public content shared by adult users on Facebook and Instagram in the European Union following a request from the Irish Data Protection Commission (DPC).

The company expressed disappointment at having to put its AI plans on pause, stating it had taken into account feedback from regulators and data protection authorities in the region.

At issue is Meta's plan to use personal data to train its artificial intelligence (AI) models without seeking users' explicit consent, instead relying on the legal basis of 'Legitimate Interests' for processing first and third-party data in the region.

These changes were expected to come into effect on June 26, before when the company said users could opt out of having their data used by submitting a request "if they wish." Meta is already utilizing user-generated content to train its AI in other markets such as the U.S.

"This is a step backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe," Stefano Fratta, global engagement director of Meta privacy policy, said.

"We remain highly confident that our approach complies with European laws and regulations. AI training is not unique to our services, and we're more transparent than many of our industry counterparts."

It also said it cannot bring Meta AI to Europe without being able to train its AI models on locally-collected information that captures the diverse languages, geography, and cultural references, noting that doing so would otherwise amount to a "second-rate experience."

Besides working with the DPC to bring the AI tool to Europe, it noted the delay will help it address requests it received from the U.K. regulator, the Information Commissioner's Office (ICO), prior to commencing the training.

"In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset," Stephen Almond, executive director of regulatory risk at the ICO, said.

"We will continue to monitor major developers of generative AI, including Meta, to review the safeguards they have put in place and ensure the information rights of U.K. users are protected."

The development comes as Austrian non-profit noyb (none of your business) filed a complaint in 11 European countries alleging violation of GDPR privacy laws in the region by collecting users' data to develop unspecified AI technologies and share it with any third-party.

"Meta is basically saying that it can use 'any data from any source for any purpose and make it available to anyone in the world,' as long as it's done via 'AI technology,'" noyb's founder Max Schrems said. "This is clearly the opposite of GDPR compliance."

"Meta doesn't say what it will use the data for, so it could either be a simple chatbot, extremely aggressive personalized advertising or even a killer drone. Meta also says that user data can be made available to any 'third-party' – which means anyone in the world."

Noyb also criticized Meta for making disingenuous claims and framing the delay as a "collective punishment," pointing out that the General Data Protection Regulation (GDPR) permits personal data to be processed as long as users give their informed opt-in consent.

"Meta could therefore roll out AI technology in Europe, if it would just bother to ask people to agree, but it seems Meta is doing everything to ever gain opt-in consent for any processing," it said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Halts AI Training on EU User Data Amid Privacy Concerns

The company focused heavily on data and system security in the announcement of its generative AI platform, Apple Intelligence, but experts worry that companies will have little visibility into data security.

Source: Cosmo Condina via Alamy Stock Photo

Apple's long-awaited announcement of its generative AI (GenAI) capabilities came with an in-depth discussion of the company's security considerations for the platform. But the tech industry's past focus on harvesting user data from nearly every product and service have left many concerned over the data security and privacy implications of Apple's move. Fortunately, there are some proactive ways that companies can address potential risks.

Apple's approach to integrating GenAI — dubbed Apple Intelligence — includes context-sensitive searches, editing emails for tone, and the easy creation of graphics, with Apple promising that the powerful features require only local processing on mobile devices to protect user and business data. The company detailed a five-step approach to strengthen privacy and security for the platform, with much of the processing done on a user's device using Apple Silicon. More complex queries, however, will be sent to the company's private cloud and use the services of OpenAI and its large language model (LLM).

While companies will have to wait to see how Apple's commitment to security plays out, the company has put a lot of consideration into how GenAI services will be handled on devices and how the information will be protected, says Joseph Thacker, principal AI engineer and security researcher at AppOmni, a cloud-security firm.

"Apple's focus on privacy and security in the design is definitely a good sign," he says. "Features like not allowing privileged runtime access and preventing user targeting show they are thinking about potential abuse cases."

Apple spent significant time during its announcement reinforcing the idea that the company takes security seriously, and published a paper online that describes the company's five requirements for its Private Cloud Compute service, such as no privileged runtime access and hardening the system to prevent targeting specific users.

Still, large language models (LLMs), such as ChatGPT, and other forms of GenAI are new enough that the threats remain poorly understood, and some will slip through Apple's efforts, says Steve Wilson, chief privacy officer at cloud security and compliance provider Exabeam, and lead on the Open Web Application Security Project's Top 10 Security Risks for LLMs.

"I really worry that LLMs are a very, very different beast, and traditional security engineers, they just don't have experience with these AI techniques yet," he says. "There are very few people who do."

**Apple Makes Security a Centerpiece**

Apple seems to be aware of the security risks that concern its customers, especially businesses. The implementation of Apple Intelligence across a user's devices, dubbed the Personal Intelligence System, will connect data from applications in a way that has, perhaps, only been implemented through the company's health-data services. Conceivably, every message and email sent from a device could be reviewed by AI and context added through on-device semantic indexes.

Yet, the company pledged that, in most cases, the data never leaves the device, and the information is anonymized as well.

"It is aware of your personal data, without collecting your personal data," Craig Federighi, senior vice president of software engineering at Apple, stated in a four-minute video on Apple Intelligence and privacy during the company's June 10 launch, adding: "You are in control of your data, where it is stored and who can access it."

When it does leave the device, data will be processed in the company's Private Cloud Compute service, so Apple can take advantage of more powerful server-based generative-AI models, while still protecting privacy. The company says that it never stores or makes accessible any data to Apple. In addition, Apple will make every production build of its Private Cloud Compute platform available to security researchers for vulnerability research in conjunction with a bug-bounty program.

Such steps seemingly go beyond what other companies have promised and should assuage the fears of enterprise security teams, AppOmni's Thacker says.

"This type of transparency and collaboration with the security research community is important for finding and fixing vulnerabilities before they can be exploited in the wild," he says. "It allows Apple to leverage the diverse skills and perspectives of researchers to really put the system through the wringer from a security testing perspective. While it's not a guarantee of security, it will help a lot."

**There's an App for (Leaking) That**

However, the interactions between apps and data on mobile devices and the behavior of LLMs may be too complex to fully understand at this point, says Exabeam's Wilson. The attack surface area of LLMs continues to surprise the large companies behind the major AI models. Following its release of its latest Gemini model, for example, Google had to contend with inadvertent data poisoning that arose from training its model with untrusted data.

"Those search components are falling victim to these kind of indirect injection data-poisoning incidents, where they're off telling people to eat glue and rocks," Wilson says. "So it's one thing to say, 'Oh, this is a super-sophisticated organization, they'll get this right,' but Google's been proving over and over and over again that they won't."

Apple's announcement comes as companies are quickly experimenting with ways to integrate GenAI into the workplace to improve productivity and automate traditionally tough-to-automate processes. Bringing the features to mobile devices has happened slowly, but now, Samsung has released its Galaxy AI, Google has announced the Gemini mobile app, and Microsoft has announced Copilot for Windows.

While Copilot for Windows is integrated with many applications, Apple Intelligence appears to go beyond even Microsoft's approach.

**Think Different (About Threats)**

Overall, companies need to first gain visibility into their employees' use of LLMs and other GenAI. While they do not need to go to the extent of billionaire tech innovator Elon Musk, a former investor in OpenAI, who raised concerns that Apple — or OpenAI — would abuse users' data or fail to secure business information and pledged to ban iPhones at his companies, chief information security officers (CISOs) certainly should have a discussion with their mobile device management (MDM) providers, Exabeam's Wilson says.

Right now, controls to regulate data going into and out of Apple Intelligence do not appear to exist and, in the future, may not be accessible to MDM platforms, he says.

"Apple has not historically provided a lot of device management, because they are leaned in on personal use," Wilson says. "So it's been up to third parties for the last 10-plus years to try and build these third-party frameworks that allow you to install controls on the phone, but it's unclear whether they're going to have the hooks into \[Apple Intelligence\] to help control it."

Until more controls come online, enterprises need to set a policy, and to find ways to integrate their existing security controls, authentication systems, and data loss prevention tools with AI, says AppOmni's Thacker.

"Companies should also have clear policies around what types of data and conversations are appropriate to share with AI assistants," he says. "So while Apple's efforts help, enterprises still have work to do to fully integrate these tools securely."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Apple Intelligence Could Introduce Device Security Risks

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Rockwell's dire ICS warning; a red alert on biometrics; cybersecurity for the Hajj season.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   Apple's AI Offering Makes Big Privacy Promises
    
*   Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
    
*   DR Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season
    

*   Why CIO & CISO Collaboration Is Key to Organizational Resilience
    
*   Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks
    
*   4 Ways to Help a Security Culture Thrive
    

Don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, plus execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!

**Apple's AI Offering Makes Big Privacy Promises**

By Agam Shah, Contributing Writer, Dark Reading

Apple's guarantee of privacy on every AI transaction — whether on-device or cloud — is ambitious and could influence trustworthy AI deployments on device and in the cloud, analysts say.

Apple's announcement of Apple Intelligence and plans to integrate AI across its devices and applications comes with a commitment to guarantee privacy on every AI transaction. This sets a high bar on zero-trust infrastructure that competitors may try to match.

Because of Apple's walled garden model, rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

“If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy,'" says Alex Matrosov, CEO of security company Binarly.io. "The next step will be Google following up and trying to maybe implement or do the similar thing."

Read more: Apple's AI Offering Makes Big Privacy Promises

Related: OpenAI Forms Another Safety Committee After Dismantling Prior Team

**Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks**

By Nate Nelson, Contributing Writer, Dark Reading

Face scans stored like passwords inevitably will be compromised, like passwords are. But there's a crucial difference between the two that organizations can rely on when their manufacturers fail.

Biometric security is more popular today than ever, with widespread adoption in the public sector — law enforcement, national ID systems, etc. — as well as for commercial industries like travel and personal computing. In Japan, subway riders can "pay by face," and Singapore's immigration system relies on face scans and thumbprints to allow travelers into the country. The fact that even burger places are experimenting with face scans suggests something's brewing here.

But researchers have found two dozen vulnerabilities in a biometric terminal used in critical facilities worldwide could allow hackers to gain unauthorized access, manipulate the device, deploy malware, and steal biometric data, which highlights the risks that come with implementing these systems.

The critical nature of the environments in which these systems are so often deployed necessitates that organizations go above and beyond to ensure their integrity. And that job takes much more than just patching newly discovered vulnerabilities.

Read more: Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks

Related: Biometric Bypass: BrutePrint Makes Short Work of Fingerprint Security

**Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season**

By Robert Lemos, Contributing Writer, Dark Reading

While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.

The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.

While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyber-threat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from "The Hajj and Pilgrimage Organization in Iran," according to cybersecurity firm Kaspersky.

The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable.

Read more: Governments, Businesses Tighten Cybersecurity Around Hajj Season

Related: 'DuneQuixote' Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?

**The CEO Is Next**

Commentary by Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

We're experiencing a movement toward regulation by enforcement. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. There's also the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was held personally responsible.

But with very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

Read more: The CEO Is Next

Related: White House Fills in Details of National Cybersecurity Strategy

**Why CIO & CISO Collaboration Is Key to Organizational Resilience**

Commentary by Robert Grazioli, Chief Information Officer, Ivanti

Alignment between these domains is quickly becoming a strategic imperative.

Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That's a 14% increase over 2023. But many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. It's time to finally break down the silos between IT and security.

That starts by fostering alignment between the CIO and chief information security officer (CISO).

Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.

Here's how to foster alignment: Why CIO & CISO Collaboration Is Key to Organizational Resilience

Related: CISO & CIO Convergence: Ready or Not, Here It Comes

**Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks**

By Tara Seals, Managing Editor, News, Dark Reading

Critical infrastructure is facing increasingly disruptive threats to physical processes, while thousands of devices are online with weak authentication and riddled with exploitable bugs.

Industrial control systems (ICS) giant Rockwell Automation's recent directive to customers to disconnect their gear from the Internet showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.

CISA is warning that increased threats to could lead to various catastrophic attacks, including denial-of-service (DoS) efforts that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment in order to control it; modifying settings to, say, change safety thresholds for power generators; remotely compromising programmable logic controllers (PLCs) to halt water sector operations; or even conducting destructive Stuxnet-style attacks that can obliterate a site's ability to function permanently.

Yet thousands of devices are exposed online with weak authentication and riddled with exploitable bugs; and there's an endemic lack of security team participation in site design and asset/infrastructure management. All in all, it's not an ideal situation.

Read more: Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks

Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

**4 Ways to Help a Security Culture Thrive**

DR Technology commentary by Ken Deitz, CSO/CISO, Secureworks

Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.

A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your businesses will be safer as a result.

Here are some core pillars for establishing an effective security culture:

1\. Establish the Right Mindset: Focus on the positive actions that people can and should take.

2\. Engage with Empathy: A productive and inclusive security culture is one that shuns blame. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.

3\. Communicate, Communicate, Communicate: When it comes to cybersecurity, there's no such thing as too much communication. People have a lot going on in their jobs and lives. Meet people where they are, and you'll have much better results.

4\. Stay on Your Toes: New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains, but they also need to know the risks.

Read more: 4 Ways to Help a Security Culture Thrive

Related: How to Transform Security Awareness Into Security Culture

Tag

#intel