Why we should applaud the Red Cross's efforts, even if they likely won't work.

Source: Brain light via Alamy Stock Photo

The efforts of the International Committee of the Red Cross (ICRC) to establish rules of engagement to combatants in a cyberwar should be applauded internationally, even if adherence is likely to be limited. The ICRC recently released a set of rules for civilian hackers involved in conflicts to follow in order to clarify the line between civilians and combatants, as cyberspace can be a blurry place to work in — especially during a war. 

The ongoing conflict between Russia and Ukraine in particular has caused unprecedented numbers of civilian hackers to place themselves in the middle of the war, using their skills to fuel attacks on banks, manufacturing facilities, hospitals, and railways, in an attempt to sway the war to one side or another. Cyber vigilantism isn't a new concept, but the large scale of these nascent patriotic cyber "gangs" has given the ICRC reason to take action with the hope that that hackers on both sides adhere to these rules.

**Do's and Don'ts for Hacktivists**

ICRC's eight rules for "hacktivists" are:

1.  Do not direct cyberattacks against civilian objects.
    
2.  Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
    
3.  When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.
    
4.  Do not conduct any cyber operation against medical and humanitarian facilities.
    
5.  Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
    
6.  Do not make threats of violence to spread terror among the civilian population.
    
7.  Do not incite violations of international humanitarian law.
    
8.  Comply with these rules even if the enemy does not.
    

These rules come at a time when it's never been easier for groups, or even individuals, to get involved in attacks and do their part for their cause. The easier it is for anybody with a grudge to launch a cyberattack, the less restrictive these rules will be and the less they will be followed. Many of the stateless groups involved in the Russia-Ukraine conflict aren't bound by current national or international laws. Indeed, several groups, such as the pro-Russian Killnet group, already have reported they will not follow the ICRS's rules.

 Even though these rules likely will not be accepted by the hacking groups currently operating within the Russia-Ukraine conflict, the ICRC should be commended for coming up with and publishing these rules. Establishing norms is crucial for holding such groups accountable for potential war crimes, civilian death and destruction, and other harmful ancillary effects.

The rules are supposed to fall in line with international humanitarian law, a set of rules that seek to limit the effects of armed conflict and, when broken, constitute war crimes. The IHL rules for armed conflict are critical in protecting citizens in military zones during wartime, but the often anonymous and detached nature of cyberspace means it will be much, much harder to police these new cyber-focused IHL rules.

Rule No. 3, for example, is absolutely critical to mitigating the damage to civilians during a conflict. But civilian hackers working on behalf of a military goal may be totally unaware of the unintended destruction they would cause with their attacks. When preparing any kind of cyberattack, the intelligence that an actor has going into the target environment is rarely 100%, even if they're a professional. If the intention is to impact a single component of a bank, for example, but the attacker fails to realize that a nearby hospital relies on that same electrical grid, the situation can escalate very quickly. And when it's a low-skilled attacker with little regard or understanding of what a high-powered tool can do, miscalculations become alarmingly easy. 

**Collateral Damage**

It's also likely that the private sector will take the brunt of this collateral damage. For example, NotPetya — a targeted attack against Ukrainian infrastructure — went into the wild in 2017, paralyzing factories across the globe and costing shipping company Maersk $300 million. The other cause for concern is that the commercialization of cybercrime has enabled less advanced actors to rent state-of-the-art malware and launch campaigns with speed and with ease. For example, the Colonial Pipeline attack was likely orchestrated by an affiliate who had paid for the DarkSide malware. This makes it far more challenging to monitor who is being targeted, and even the developers probably don't know for certain how and where their malware will be used.

The ICRC is sending these rules to hacking groups on both sides of the conflict, and has called on all states — not just Russia and Ukraine — to "give due consideration to the risk of exposing civilians to harm if encouraging or requiring them to be involved in military cyber operations." Creating the parameters for civilian hackers involved in conflicts now hopefully will lead to internationally accepted and enforceable rules in the future. If even some level of deterrence can be achieved by these rules, it will serve to avoid unnecessary damage and harm in future conflicts.

**About the Author(s)**

CISO, Arctic Wolf

Adam Marrè is the Chief Information Security Officer at Arctic Wolf. Prior to joining Arctic Wolf, Adam was the Global Head of Information Security Operations and Physical Security at Qualtrics. With deep roots in the cybersecurity space, Adam spent almost 12 years with the FBI, holding positions like SWAT Senior Team Leader and Special Agent.

Establishing New Rules for Cyber Warfare

Legislation set to be introduced in Congress this week would extend Section 702 surveillance of people applying for green cards, asylum, and some visas—subjecting loved ones to similar intrusions.

Americans with family overseas who hope to visit the United States may soon face an increased risk of being surveilled by their own government.

Support in Congress is growing for intensified vetting procedures at the US border, which would see immigrants and foreign visitors subjected to the same levels of scrutiny as suspected terrorists and spies. A bill introduced last week by members of the Senate Intelligence Committee (SSCI) and forthcoming legislation from its House counterpart both aim to expand the use of a key foreign intelligence program—Section 702—for screening and vetting visitors to the US.

The House bill, which has yet to be introduced, would additionally target asylum seekers and those applying for nonimmigrant visas and green cards, according to a memo released by the House Intelligence Committee (HPSCI) last month.

In an interview with CBS on Sunday, US Representative Mike Turner, Republican from Ohio and HPSCI chair, said he had gained the support of his Democratic counterpart, Jim Himes, in advancing legislation that would include the enhanced vetting procedures.

The 702 program allows the government to force US companies to wiretap the communications of foreigners who are presumed to be overseas—even when they’re communicating with people inside the US. Billions of calls, texts, and emails are intercepted under the program and committed to a searchable database accessible by four US intelligence agencies, including the Central Intelligence Agency (CIA) and Federal Bureau of Investigation (FBI).

A warrant is not required to conduct searches of the database, and its targets need not be suspected threats to the country. While ostensibly for defense, the 702 program selects targets based on whether they’re expected to possess or receive “foreign intelligence information.” In May, the US State Department said the program was “essential to advancing and promoting US interests around the world,” citing its value as a diplomatic tool.

In a declassified report released this year, a presidential oversight board said the calls and messages of Americans intercepted under Section 702 are “highly personal and sensitive,” detailing exchanges between “loved ones, friends, medical providers, academic advisors, lawyers, or religious leaders.” These communications, according to the Privacy and Civil Liberties Oversight Board (PCLOB), a federal civil liberties watchdog, may provide “great insight into an individual’s whereabouts, both in a given moment and in patterns over time.”

Public knowledge of this surveillance, the board concluded, “can have a chilling effect on speech.”

The 702 program is slated to expire on January 1, 2024. Lawmakers in the House and Senate are rushing to find a solution that would enable the program to continue despite growing mistrust from lawmakers and the public following years of unauthorized use. Abuses of 702 data have included the targeting of racial justice protesters, political activists, and immigrants. Other misused searches of the database for information related to a sitting US congressperson, a US senator, and members of a local political party.

US intelligence community leaders say permitting the program to expire would significantly diminish the government’s ability to monitor and disrupt overseas threats, from terrorism and cyberattacks targeting US infrastructure to espionage and the black market sale of nuclear weapons. “Loss of this vital provision, or its reauthorization in a narrowed form, would raise profound risks,” FBI director Christopher Wray said in a statement this fall.

The wealth of data collected under the 702 program is imponderable. US intelligence agencies have repeatedly claimed there are no means by which to calculate how often Americans are wiretapped without violating procedures intended to keep the program constitutional. The PCLOB report published earlier this year says simply that the collection of domestic communications “should not be understood as occurring infrequently.”

Civil rights experts argue that expanding the program to include routine vetting of people entering the United States would almost certainly be an encumbrance on immigration and asylum systems that US politicians readily acknowledge are broken. There are currently more than 2 million cases pending in US immigration courts, with the average case taking more than four years to adjudicate.

“Some noncitizens—including children and families—wait years to have their cases heard. The delays postpone decisions for vulnerable populations who may be eligible for protections, such as asylum. They also prolong the removal from the US of those who do not have valid claims to remain,” the US Government Accountability Office reported in October.

The vetting proposal, now formally endorsed by both intelligence committees in Congress, has ignited a firestorm among immigrants’ rights groups and nonprofits combating racism against Asian American and Pacific Islander (AAPI) communities. The groups say that, due to their international ties, immigrants naturally face an increased risk of having their communications swept up by the 702 program.

Kia Hamadanchy, senior policy counsel at the American Civil Liberties Union (ACLU), says the Section 702 program “invariably” intercepts communications between foreigners and their American family members. Using the program for vetting purposes means committing to “entirely suspicionless searches” of both, he says.

Andy Wong, a director of advocacy at Stop AAPI Hate, a coalition of community-based groups, has called out Democrats specifically for supporting the move, labeling it a “betrayal” of the Latino and Asian American communities. “We need leaders who dismantle systemic racism,” Wong says, “not entrench policies that leave us more exposed, separated, and vulnerable.”

“The government should be seeking to streamline the immigration process, including the family-based immigration system, not expand warrantless surveillance for individuals seeking to come to the United States,” says Joanna YangQing Derman, program director at the nonprofit Asian Americans Advancing Justice (AAJC). "Expanding warrantless surveillance to specifically go after immigrant communities would not only be harmful, but it would also be a deeply disappointing continuation of this country’s unfair treatment of Asian Americans and Asian immigrants.”

Representative Turner, the HPSCI chair, said Sunday on _Face the Nation_ that his committee had a bill to extend the 702 program endorsed by, among others, Representative Jim Himes, the committee’s ranking Democrat. Turner accused lawmakers not onboard with his bill of misunderstanding how the program works and its “value and importance” to “national security.”

ACLU’s Hamadanchy tells WIRED that it would be concerning to see Himes and other Democrats endorsing use of the program against immigrant communities. “It would represent a dramatic expansion of the current vetting practices,” he says, “and it would be disappointing if it is something Congressman Himes has signed on to.”

Himes did not immediately respond to a request for comment.

Turner said Sunday that he’d already gained the support of the SSCI chair, Senator Mike Warner (D-Virginia), who introduced his own 702 bill last week. Warner’s bill also includes language that expands the 702 program to “enable the vetting of non-United States persons who are being processed for travel to the United States,” but does not mention visas or green cards.

Elizabeth Goitein, senior director of the Brennan Center for Justice’s liberty & national security program, calls Warner’s proposals unnecessary. “There are already plenty of vetting mechanisms in place to ensure that visitors to this country don’t pose a threat to national security or public safety,” she says.

“People should be able to vacation, work, or study in the United States without opening up their private communications to US government scrutiny,” Goitein adds.

Although the text of his bill is not public, much is already known about Turner’s aims. Last month, the HPSCI released an outline of its proposals describing, among other so-called reforms, an amendment that would allow the government to search the 702 database “for the purpose of screening and vetting immigration and non-immigrant visa applicants.”

According to Goitein, the HPSCI proposal would likely impact millions of people living lawfully in the United States, including those with work permits and student visas. “The notion that immigrants give up their privacy rights when they come to this country is wrong and repugnant,” she says.

Senior congressional sources tell WIRED that the HPSCI bill may surface as early as this week. It will compete against another bipartisan bill introduced in the House Judiciary Committee (HJC), chaired by Representative Jim Jordan (R-Ohio), a prominent critic of domestic surveillance abuse.

The contrast between the two House bills is likely to be drastic, with Jordan having previously endorsed an array of privacy reforms, including those aimed at requiring the FBI to obtain a warrant before accessing Americans’ communications amassed by the 702 program—a limitation that is strictly opposed by the heads of the two intelligence committees.

Neither Warner nor Turner immediately responded to inquiries from WIRED on Monday.

Mystery surrounds which bill Representative Mike Johnson (R-Louisiana), the new House speaker, will inevitably endorse. But the HJC traditionally faces stiff opposition from House leaders when pursuing surveillance reform. Republican and Democratic leaders alike have historically shown deference to the appeals of the intelligence community for sustaining and enhancing its authority.

Johnson, meanwhile, is rumored to have held war room discussions last month about extending the Section 702 program by amending must-pass legislation, such as the National Defense Authorization Act—which, despite being months late already, has yet to materialize.

Johnson has not responded to repeated requests for comment from WIRED regarding his thoughts on the 702 program.

_Updated at 10:45 am ET, December 4, 2023, with comment from Joanna YangQing Derman of AAJC._

US Lawmakers Want to Use a Powerful Spy Tool on Immigrants and Their Families

The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel

Technology / Firmware Security

The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.

The shortcomings, collectively labeled **LogoFAIL** by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design."

Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition.

While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.

Specifically, these vulnerabilities are triggered when the injected images are parsed, leading to the execution of payloads that could hijack the flow and bypass security mechanisms.

"This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image," the firmware security company said.

In doing so, threat actors could gain entrenched control over the impacted hosts, resulting in the deployment of persistent malware that can fly under the radar.

Unlike BlackLotus or BootHole, it's worth noting that LogoFAIL doesn't break runtime integrity by modifying the boot loader or firmware component.

The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread.

The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded into the UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP image parser bug could be exploited for malware persistence.

"The types – and sheer volume – of security vulnerabilities discovered \[...\] show pure product security maturity and code quality in general on IBVs reference code," Binarly noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks

Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.
The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (

Ransomware / Cyber Attack

Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.

The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a point of entry for next-stage payloads.

UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.

Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The change to DanaBot is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot's infrastructure.

"The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering," Redmond further noted.

The credentials harvested by the malware are transmitted to an actor-controlled server, which is followed by lateral movement via RDP sign-in attempts and ultimately handing off access to Storm-0216.

The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.

It also follows the discovery of a new macOS ransomware strain dubbed Turtle that's written in the Go programming language and is signed with an adhoc signature, thereby preventing it from being executed upon launch due to Gatekeeper protections.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

By Owais Sultan
The financial industry is undergoing a digital transformation. Digital technology has been around for decades, but it’s only…
This is a post from HackRead.com Read the original post: Digital Transformation in the Financial Industry: The Role of Fintech

The financial industry is undergoing a digital transformation. Digital technology has been around for decades, but it’s only recently that it has become an integral part of how we conduct our finances. Many people now do most of their banking online or through mobile apps and that number is growing every year.

This isn’t surprising when you consider how much money can be saved by using technology instead of going into a branch or calling customer service over the phone (not to mention how much time is saved). But what exactly does this mean for the future?

Fintech companies are providing innovative solutions to help customers save money and manage risk more effectively than ever before; they’re also fueling innovation within traditional banks themselves by creating new products based on customer feedback or challenging existing models with newer ones that might be better suited

****The Emergence and Evolution of Fintech****

Fintech is a broad term that encompasses many different technologies and business models. It has been around for decades, but it has grown in popularity in recent years. Fintech is a global industry with investors across the world.

 Fintech companies are using technology to provide financial services at cheaper costs than traditional banks and other institutions, and they’re having an impact on how we think about money today.

****Technological Advancements Driving Fintech Innovation****

Technological advancements are driving fintech innovation, with artificial intelligence and machine learning at the forefront. These technologies are making it possible for companies to analyze large amounts of data in real-time, allowing them to make faster and better decisions.

For example, AI can help banks predict customer behaviour based on past transactions or use sentiment analysis to identify potential fraudsters before they commit crimes. For more information on cutting-edge technologies in the financial industry, you can explore top insurance software development companies here.

Blockchain technology has also become an important part of fintech innovation because it allows users to exchange value without relying on centralized institutions like banks or governments (although some argue that this could lead to an increase in trust issues).

****Fintech Startups and Disruption: Case Studies****

In this section, we will look at how fintech startups are disrupting the financial industry. We’ll also take a look at some of the most successful cases of disruption and their impact on both banks and consumers.

The importance of fintech startups in digital transformation cannot be understated. They have been responsible for creating new business models that provide better services at lower costs than traditional providers, as well as innovating ways to connect people who were previously excluded from mainstream finance because of their location or income levels.

****Collaboration and Integration: Traditional Financial Institutions and Fintech****

Collaboration and integration between traditional financial institutions and fintech companies can bring numerous benefits to both parties and the customers they serve. Here are some key points to consider:

*   **Access to Innovation:** 

Fintech companies are known for their ability to leverage new technologies and develop innovative solutions. By collaborating with fintech firms, traditional financial institutions can gain access to these cutting-edge technologies, allowing them to enhance their product offerings, streamline processes, and provide better services to their customers.

*   **Enhanced Customer Experience:** 

Fintech companies often prioritize user-centric design and user experience. By integrating fintech solutions into their operations, traditional financial institutions can improve their digital channels, making transactions faster, more convenient, and more user-friendly for their customers. This can lead to increased customer satisfaction and loyalty.

*   **Expanded Market Reach:** 

Collaboration with fintech companies can help traditional financial institutions tap into new customer segments. Fintech firms often have a strong presence in niche markets or among tech-savvy individuals who prefer digital banking solutions. By integrating fintech services, traditional financial institutions can expand their market reach and attract new customers.

*   **Improved Efficiency:** 

Fintech solutions, such as automation and artificial intelligence, can significantly improve operational efficiency for traditional financial institutions. By integrating these technologies, banks and other financial institutions can streamline their processes, reduce costs, minimize errors, and enhance risk management.

*   **Compliance and Trust:** 

Traditional financial institutions are subject to rigorous regulatory requirements. Collaborating with fintech companies can help them address these compliance challenges more effectively. Fintech firms often have expertise in regulatory technology (RegTech) and can assist in implementing robust compliance and risk management systems, thereby strengthening customer trust.

*   **Relevant Partnerships:** 

Collaboration between traditional financial institutions and fintech companies can create mutually beneficial partnerships. Fintech firms can gain access to traditional institutions’ extensive customer base and infrastructure, while traditional institutions can benefit from fintech expertise and innovation. This partnership can result in the development of new products, services, and business models beneficial to both parties.

Overall, collaboration and integration between traditional financial institutions and fintech companies have the potential to bring significant advantages, including innovation, improved customer experience, expanded market reach, operational efficiency, compliance, and relevant partnerships. It is an exciting opportunity for both sectors to leverage each other’s strengths and create a more robust and customer-centric financial ecosystem.

****Regulatory Challenges and Compliance in the Fintech Era****

 This is a topic that will be covered in depth in this guide, but let’s go over the basics here. Fintech has been around for quite some time now, so it’s safe to say that regulators have had plenty of time to catch up with the new technology and create regulations surrounding it. However, many feel as though these regulations are still not enough to keep up with how fast fintech startups are growing and they may be right!

One reason for this is that it can take years before someone becomes an expert at something; therefore it makes sense that regulators would need more time than just two or three years (which seems like ages when dealing with this kind of thing). 

****Financial Inclusion: Fintech’s Role in Bridging Gaps****

As we’ve discussed, financial inclusion is one of the biggest challenges facing the global community. More than 2 billion people do not have access to basic financial services, which means that they cannot save money or borrow money when they need it. This leaves them vulnerable to poverty and hunger, as well as other issues related to being unbanked (including higher interest rates on consumer loans).

Financial technology (fintech) companies are helping tackle this problem by making it easier for people from all walks of life whether they live in rural areas or urban centers to get access to affordable credit products like loans and savings accounts. 

****Conclusion****

We hope that this article has given you a better understanding of fintech, its role in digital transformation, and how it can help your organization adapt to changing trends in finance. Fintech is an exciting field with many opportunities for growth and innovation, but it also presents challenges due to its rapid pace of change and disruption of traditional business models.

1.  The Ultimate Guide to Price Optimization
2.  Payoro: A Glimmer of Disruption in the Banking Sector
3.  Efficiency in a Virtualized World: A Deep Dive into Modern IT
4.  Buy-Now-Pay-Later (BNPL) is Revolutionising E-Commerce Landscape

Digital Transformation in the Financial Industry: The Role of Fintech

An ESA cybersecurity expert explains how space-based data and services benefit from public investment in space programs.

Source: NASA / Dembinsky Photo Associates via Alamy Stock Photo

Cybersecurity for space missions is not optional and should be taken seriously. The barrier to entry for threat actors has significantly shrunk, exposing organizations to attacks from hardened cybercriminals and script kiddies alike.

While Europe's burgeoning commercial space industry is facing some challenges, the European Space Agency (ESA) is taking specific steps to boost defenses, such as planning to provide access for organizations to its space cybersecurity operations center (C-SOC), which is currently under development, and providing tools to those in the space industry. In a Nov. 2 keynote presentation at this year's Software Defined Space Conference, in Tallinn, Estonia, I explained some of the immediate commercial challenges for Europe's burgeoning space industry and what the ESA is doing to shore up commercial space cybersecurity.

**Main Cyber Threats to Space Infrastructure**

The main threats that target space infrastructure are not new. In many cases they are well-known threats similar to those we see in many other business fields and in critical infrastructure outside of the space domain. The reason why those are now affecting the space domain so much is mainly due to a dramatic evolution in technology for space infrastructures.

Until a few years ago, space infrastructure used technology that did not exist elsewhere, was extremely expensive, and required special knowledge and insight to understand and attack. This created a high entry barrier for threat actors, and only large, state-level actors had the resources for a successful attack.

The situation has changed dramatically over the past decade. Commercialization is driving the fusion of standard IT technology and software solutions with the space business. That lowers the barrier for both space-based businesses and threat actors, bringing a number of everyday threats from the Internet into the space domain.

A spacecraft, even a small one, represents the most significant investment for companies that want to establish a business around space-based data and services. This is especially true for startups and smaller companies, where the survival of the company is directly connected to the operational availability of the spacecraft. As such, most companies take cybersecurity very seriously and have taken measures to protect their assets both in space and on the ground. These measures include the execution of cybersecurity controls in the ground segment and protection of the communications links by, for example, deploying telecommand authentication.

At the same time, space systems are no longer isolated. In many cases they are fully integrated with other networks, such as the Internet, to meet business needs. That means cybercriminals and "script kiddies" have access to the space domain, driven by the quick profits to be made through information theft or the ransoming of assets.

**Common Vulnerabilities for Space Projects**

The most common weaknesses and vulnerabilities targeted are the same as those we see elsewhere, such as in a financial system. Attackers pick at the whole space system stack, from network protocol and protocol implementation weaknesses; social engineering, application, and operating system exploits; through to sending malicious commands. And now all of this can be automated, significantly increasing the likelihood of a successful attack.

ESA's answer to this situation is to deploy a solid defense-in-depth security posture, a fully security-certified end-to-end mission ground segment called Ground Operation System Common Core — Multi-Mission Generation (EGOS-MG). All elements of this system will be available to the European space industry under European community license and, if deployed in an appropriate environment, can provide a similar level of protection for commercial ground segments.

This system is complemented with a Space Cybersecurity Operations Centre (C-SOC), deployed at the European Space Operations Centre (ESOC) and the European Space Security and Education Centre (ESEC). C-SOC will start initial operations in 2024 and will provide the ability to detect and act on emerging cyberattacks to ESA's space system infrastructures. The C-SOC services will also be available to the European space industry.

**How Technologies Can Improve Public and Private Space Cybersecurity**

Artificial intelligence (AI) and digitalization have a profound impact on space cybersecurity. AI can greatly enhance cybersecurity capabilities related to pattern recognition and automated testing. In the case of the C-SOC, AI will help human staffers understand which detected anomaly is really a cyberattack and which is a false positive. Machine learning will help the C-SOC reduce the number of false positives over time and detect novel attack patterns that did not occur before.

Likewise, digitalization — in particular, model-based system engineering (MBSE) — has the potential to significantly improve the cybersecurity engineering process for a complex system by allowing efficient threat and risk assessment. For example, the digital model will help system and security engineers to immediately understand the impact of introducing a certain security control (e.g., the encryption of telemetry) on the overall system. It could be that this encryption control requires changes to other parts of the system or updates to the risk assessment that are not immediately apparent.

However, new technologies also bring new threats. AI is particularly vulnerable to cyberattacks in the form of data poisoning. It is essential that organizations that deploy these new technologies are aware of the increased number of threats they allow for.

The ESA Directorate of Operations is currently working with the European space industry to mature these capabilities in a secure manner as part of the ESA General Support Technology Programme (GSTP), which will benefit the ESA and industry alike.

**About the Author(s)**

Head of Ground Segment System and Cybersecurity Engineering, European Space Agency

Dr. Daniel Fischer is Head of Ground Segment System and Cybersecurity Engineering at the European Space Agency (ESA). Cybersecurity is now a key topic in the agency's technology development programs, which Dr. Fischer encourages businesses across Europe's space sector to explore and participate in.

The European Space Agency Explores Cybersecurity for Space Industry

Sanctions on Kimsuky/APT43 focuses the world on disrupting DPRK regime's sprawling cybercrime operations, expert says.

Source: Stuart Miles via Alamy Stock Photo

The US Department of the Treasury Office of Foreign Assets Control (OFAC) has announced it has sanctioned cyberespionage group Kimsuky (aka APT43) for collecting intelligence on behalf of the Democratic People's Republic of Korea (DPRK).

The OFAC said the sanctions are technically in retaliation for a North Korean military reconnaissance satellite launch on Nov. 21, but, more broadly, they are designed to block the DPRK from revenue, materials, and intelligence necessary to perpetuate its weapons of mass destruction development program the Treasury's sanctions announcement added.

Kimsuky is a well-known advanced persistent threat (APT) group active since 2013 that works on behalf of the Kim Jong Un regime.

The move to file the sanctions is an important step forward in stymying the DPRK's malicious cyber activities, according to a statement from Michael Barnhart, Mandiant principal analyst, Google Cloud.

"Recent actions, including the OFAC sanctions of today and increased global awareness of these cyber threats, are forcing North Korea to adapt its strategies," Barnhart explained via email. "While these measures have undoubtedly disrupted the regime's cyber activities, it is crucial to recognize that North Korea remains a formidable threat."

**Can the DPRK Cybercrime Machine Be Stopped?**

In October, Kimsuky waged a campaign abusing Remote Desk Protocols (RDP) and other tools to to take over targeted systems. The previous March, the group had already emerged as what researchers characterized "unusually aggressive" APT, becoming adept at achieving the dueling goals of using social engineering to gather intelligence, as well as operating a massive cryptomining operation to raise funds for the North Korean regime.

The wider strategy to shut down cyberattacks from the DPRK must include a combination of greater public awareness of their activities, robust cybersecurity measures, as well as additional targeted sanctions and other measures that help disrupt the regime's cyber threat, according to Barnhart.

"Despite the exposure of their operations, APT43 has demonstrated remarkable resilience, continuing to employ sophisticated social engineering tactics to target unsuspecting individuals and organizations," he added. "This highlights the need for heightened vigilance and a comprehensive approach to combating North Korea's cyber threats."

The US is joined in sanctioning the cyber-threat group with allied nations Australia, Japan, and the Republic of Korea, according to the OFAC announcement.

"As an intelligence gathering apparatus for the Reconnaissance General Bureau (RGB), APT43 operates with the full backing of the North Korean regime, tasked with gathering sensitive information on a wide range of topics, including nuclear technology, sanctions evasion, and unification efforts," Barnhart said. "APT43 and DPRK-aligned cyber threats pose a significant and evolving challenge to the global community."

North Korea APT Slapped With Cyber Sanctions After Satellite Launch

Hundreds of consumer and enterprise-grade x86 and ARM models from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable to bootkits and takeover.

Source: Tetra Images via Alamy Stock Photo

Researchers have uncovered "LogoFAIL," a set of critical vulnerabilities present in the Unified Extensible Firmware Interface (UEFI) ecosystem for PCs.

Exploitation of the vulnerabilities nullify essential endpoint security measures and provide attackers with deep control over affected systems.

The flaws originate in image-parsing libraries within the boot process, impacting all major device manufacturers on both x86 and ARM-based devices, according to a Binarly Research report that will be officially released at Black Hat Europe in London next week.

The severity of LogoFAIL is exacerbated by its widespread reach, researchers warn, noting that it affects the entire ecosystem, not just individual vendors here and there. The findings were reported via the CERT/CC VINCE system, with anticipated vendor patches scheduled for December 6, in tandem with the Black Hat talk, which is entitled, "LogoFAIL: Security Implications of Image Parsing During System."

**Hijacking the Boot Process With LogoFAIL**

Binarly researchers found that by embedding compromised images in the EFI System Partition (ESP) or unsigned firmware update sections, threat actors can execute malicious code during boot-up, enabling them to hijack the boot process.

This exploitation bypasses crucial security measures like Secure Boot and Intel Boot Guard, facilitating the insertion of a persistent firmware bootkit operating beneath the OS level.

"Because the attacker is getting the privileged code execution into the firmware, it's bypassing the security boundaries by design, like a Secure Boot," explains Alex Matrosov, CEO and founder of Binarly. "The Intel Boot Guard and other trusted boot technologies are not extended in runtime, and after the firmware is verified, it just boots further in the system boot flow."

He says the Binarly Research team originally was experimenting with logo modification on one of the Lenovo devices they have in the lab.

"One day, it suddenly started to reboot after showing the boot logo," he says. "We realized that the root cause of the issue was the change of the original logo, which led to a deeper investigation."

He adds, "In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded.”

This is not the first Secure Boot bypass ever discovered; in November 2022, a firmware flaw was found in five Acer laptop models that could be used to disable Secure Boot and allow malicious actors to load malware; and the BlackLotus or BootHole threats have opened the door to boot process hijacking before. However, Matrosov says that LogoFAIL differs from prior threats because it doesn't break runtime integrity by modifying the bootloader or firmware component.

In fact, he says LogoFAIL is a data-only attack, occurring when malicious input comes from the firmware image or the logo is read from the ESP partition during the system boot process — and thus, it's hard to detect.

"Such an approach with the ESP attack vector leaves zero evidence of the firmware attack inside the firmware itself, since the logo comes from an outside source," he explains.

**Majority of the PC Ecosystem Is Vulnerable**

Devices equipped with firmware from the three major independent BIOS vendors (IBVs), Insyde, AMI, and Phoenix, are susceptible, indicating a potential impact across diverse hardware types and architectures. Between them, the three cover 95% of the BIOS ecosystem, Matrosov says.

In fact, Matrosov says LogoFAIL affects "most devices worldwide," including consumer and enterprise-grade PCs from various vendors —Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu, and "many others."

"The exact list of affected devices is still being determined, but it's crucial to note that all three major IBVs — AMI, Insyde, and Phoenix — are impacted due to multiple security issues related to image parsers they are shipping as a part of their firmware," the Binarly report warned. "We estimate LogoFAIL impacts almost any device powered by these vendors in one way or another."

For its part, Phoenix Technologies published an early security notification this week (now taken down but available as a cache until it goes back up Dec. 6) detailing that the bug (CVE-2023-5058) is present in all versions lower than 1.0.5 of its Phoenix SecureCore Technology 4, which is a BIOS firmware that provides advanced security features for various devices.

"The flaw exists in the processing of user-supplied splash screen during system boot, which can be exploited by an attacker who has physical access to the device," according to the notification, which noted that an updated version is available. "By supplying a malicious splash screen, the attacker can cause a denial-of-service attack or execute arbitrary code in the UEFI DXE phase, bypassing the Secure Boot mechanism and compromising the system integrity."

LogoFAIL is also tracked by Insyde as CVE-2023-40238, and by AMI as CVE-2023-39539 and CVE-2023-39538.

Matrosov says the company is actively collaborating with multiple device vendors to coordinate disclosure and mitigation efforts across the spectrum.

**Firmware Updates Key to Minimizing Risk**

To minimize firmware risk in general, users should stay updated with manufacturer advisories and promptly apply firmware updates, as they often address critical security flaws.

Also, vetting suppliers is a must. "Be picky about the device vendors you rely on daily as personal device or devices across your enterprise infrastructure," Matrosov adds. "Don't blindly trust the vendors, but rather validate the vendor's security promises and identify the gaps across your device inventory and beyond."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Critical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCs

The agency, known as JAXA, has shut down parts of its network as it conducts an investigation to discover the scope and impact of the breach.

Source: Tofino via Alamy Stock Photo

Japan's Space Exploration Agency (JAXA) reported this week that it experienced a cyber incident this past summer stemming from a breach of Microsoft Active Directory (AD) — raising concerns that nation-state actors might be after the country's space program data.

Chief cabinet secretary Hirokazu Matsuno raised the topic of the incident in a morning briefing on Nov. 29, mentioning that the agency investigated and preliminarily found that illegal access had indeed taken place. The agency was allegedly unaware of the attack until it was contacted by the authorities.

As mentioned, the breach was located in the organization's AD environment, the central server that manages access control for JAXA's network, including admin passwords for corporate applications. According to The Japan News, an official related to JAXA reportedly stated that "as long as the AD server was hacked, it was very likely that most of the information was visible. This is a very serious situation," though there is much that has not yet been confirmed.

This is not the first time that this Microsoft component has led to a compromise of information. Just earlier this year, US Sen. Ron Wyden (D-Ore.) wrote to the heads of CISA, the Justice Department, and the FTC asking them to hold Microsoft responsible after a Microsoft 365 breach due to three vulnerabilities in its Exchange Online email service and the Azure Active Directory. And just prior to that, it was discovered that a stolen Microsoft account key could allow threat actors to create access tokens for a variety of different types of Azure Active Directory applications.

**State-Sponsored Hackers After Japan's Space Program Secrets?**

The breach raises concerns that Japan's space program has been exposed, according to Ted Miracco, CEO of mobile security company Approov, who noted that JAXA has been a target before; in 2016 and 2017, JAXA was among 200 Japanese companies and research institutes allegedly targeted by Chinese military hackers.

"The cyberattack on Japan's aerospace exploration agency bears all the characteristics reminiscent of past incidents, raising questions about the involvement of state-sponsored actors," Miracco said via email. "In the historical context, previous attacks were linked to Chinese military hackers, and the reported exploitation of a vulnerability disclosed by a network equipment manufacturer in June adds a layer of sophistication to the attack, indicating a state-sponsored attack.

He added, "The motivation behind the cyber intrusion, given the nature of JAXA's operations in satellite development and advanced missions, points towards an interest in strategic intelligence and technological advancements. Understanding the identity, methods, and motivations of the perpetrators becomes crucial in fortifying cybersecurity measures to mitigate future risks, as these attacks are unlikely to stop anytime soon."

Meanwhile, JAXA has shut down part of its network and launched a full investigation to determine the scope of the breach and its impact. The agency is working with the central government, as well as police, on the matter.

Japan's Space Program at Risk After Microsoft Active Directory Breach

Ubuntu Security Notice 6502-4 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6502-4  
November 30, 2023

linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp,  
linux-gcp-6.2 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-azure-6.2: Linux kernel for Microsoft Azure cloud systems  
- linux-azure-fde-6.2: Linux kernel for Microsoft Azure CVM cloud systems  
- linux-gcp-6.2: Linux kernel for Google Cloud Platform (GCP) systems

Details:

Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem  
discovered that the InfiniBand RDMA driver in the Linux kernel did not  
properly check for zero-length STAG or MR registration. A remote attacker  
could possibly use this to execute arbitrary code. (CVE-2023-25775)

Yu Hao discovered that the UBI driver in the Linux kernel did not properly  
check for MTD with zero erasesize during device attachment. A local  
privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-31085)

Manfred Rudigier discovered that the Intel(R) PCI-Express Gigabit (igb)  
Ethernet driver in the Linux kernel did not properly validate received  
frames that are larger than the set MTU size, leading to a buffer overflow  
vulnerability. An attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-45871)

Maxim Levitsky discovered that the KVM nested virtualization (SVM)  
implementation for AMD processors in the Linux kernel did not properly  
handle x2AVIC MSRs. An attacker in a guest VM could use this to cause a  
denial of service (host kernel crash). (CVE-2023-5090)

It was discovered that the SMB network file sharing protocol implementation  
in the Linux kernel did not properly handle certain error conditions,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-5345)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   linux-image-6.2.0-1017-azure    6.2.0-1017.17  
   linux-image-6.2.0-1019-gcp      6.2.0-1019.21  
   linux-image-azure               6.2.0.1017.17  
   linux-image-gcp                 6.2.0.1019.19

Ubuntu 22.04 LTS:  
   linux-image-6.2.0-1017-azure    6.2.0-1017.17~22.04.1  
   linux-image-6.2.0-1017-azure-fde  6.2.0-1017.17~22.04.1.1  
   linux-image-6.2.0-1019-gcp      6.2.0-1019.21~22.04.1  
   linux-image-azure               6.2.0.1017.17~22.04.1  
   linux-image-azure-fde           6.2.0.1017.17~22.04.1.14  
   linux-image-gcp                 6.2.0.1019.21~22.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6502-4  
   https://ubuntu.com/security/notices/USN-6502-1  
   CVE-2023-25775, CVE-2023-31085, CVE-2023-45871, CVE-2023-5090,  
   CVE-2023-5345

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure/6.2.0-1017.17  
   https://launchpad.net/ubuntu/+source/linux-gcp/6.2.0-1019.21  
   https://launchpad.net/ubuntu/+source/linux-azure-6.2/6.2.0-1017.17~22.04.1

 https://launchpad.net/ubuntu/+source/linux-azure-fde-6.2/6.2.0-1017.17~22.04.1.1  
   https://launchpad.net/ubuntu/+source/linux-gcp-6.2/6.2.0-1019.21~22.04.1

Tag

#intel