Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

Apple has released security updates for many of its products in order to patch several vulnerabilities that could allow an attacker to steal sensitive information from a locked device.

Included in the patches for Apple Watch, iOS, and iPadOS are four vulnerabilities in Siri. While your device is locked there are several voice-commands your digital assistant can process.

Apple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data. Using Siri on a locked device has limitations to protect your privacy and security, and the digital assistant should only be able to perform tasks that do not require access to sensitive data locked behind the device’s security systems, such as Face ID or a passcode.

A similar vulnerability was also patched in the VoiceOver component in Apple Watch, iOS, iPadOS, and macOS Ventura. To check whether VoiceOver is on or off on your iPhone or iPad, you can check by looking at **Settings > Accessibility > VoiceOver**.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 17.6 or iPadOS 17.6, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

iPad Software update is available

Here’s an overview of the available updates for the various Apple products:

Name:

Available for:

Safari 17.6

macOS Monterey and macOS Ventura

iOS 17.6 and iPadOS 17.6

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.9 and iPadOS 16.7.9

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.6

macOS Sonoma

macOS Ventura 13.6.8

macOS Ventura

macOS Monterey 12.7.6

macOS Monterey

watchOS 10.6

Apple Watch Series 4 and later

tvOS 17.6

Apple TV HD and Apple TV 4K (all models)

visionOS 1.3

Apple Vision Pro

iOS 15.8.3 and iPadOS 15.8.3

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Apple also patched the regreSSHion vulnerability that allows unauthenticated Remote Code Execution (RCE) in OpenSSH.

For beta testers Apple also released the first beta of iOS 18.1 to developers. This update is available for iPhone 15 Pro and iPhone 15 Pro Max and includes the first set of Apple Intelligence features, such as Writing Tools, new features for Mail and notifications, upgrades to Photos, and more.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes Siri vulnerabilities that could have allowed sensitive data theft from locked device. Update now! 

We look back on 10 years of Talos, in multiple interviews with Talos' leaders.

Wednesday, July 31, 2024 07:55

As part of the celebrations of Cisco Talos turning 10, we’d like to take you back to where it all began: How we formed our mission of protecting our customers and making the internet suck a bit less, an insight into our culture, and how we came to work with some of the most talented human beings on the planet.  

This is the history of Talos, as told through the eyes of some of our senior leaders. 

**The Sourcefire years**

_Editor's note: Sourcefire was a company that specialized in Firepower network security appliances based on Snort, an open-source intrusion detection system. Sourcefire was acquired by Cisco for $2.7 billion in July 2013._

**Matt Watchinski, Vice President of Talos:** What I remember most from the early years of Sourcefire was all of us being crowded into a minuscule meeting room. We spent our days discussing huge, complicated s\*\*t. There was so much mutual respect and understanding for what we set out to achieve. 

**Chris Marshall, Director of Talos Network Detection and Response Team:** We all collectively believed that we could be the best security team on the planet. We were so passionately driven to achieve things together. And we went out of our way to take care of each other to make sure those two other things happened. 

**Watchinksi:** We had a group that could change priorities on a dime, and then actually execute on them — without anybody coming back and saying, “The dumbest decision in the entire world was just made in that tiny room. Now we have to go and do stupid s\*\*t.” Everybody came back from that room and said, “Alright, this is the thing that's going to make Sourcefire the most successful, and so that’s the direction we’re going to march in.” 

**Lurene Grenier, Director of Competitive Analysis:** At Sourcefire our goal was to build the best and most open product we could. At the time, all the rules had to be written by hand, without any guidance. We had no contracts with any companies. The biggest thing on the map at that point was Patch Tuesday bugs, and they were all remote root bugs. Every month, 15 - 20 of those bugs would get dropped. It was my job to grab the patches, patch the systems, reverse engineer the patches, and write an exploit for the bug. And then I would pass that exploit to the team who wrote the \[Snort\] rules. We would write the documentation, package everything up, and send that to QA. 

We significantly changed the security posture and behaviour of Fortune 50 companies on the regular, with about 30 people. We were doing things that the industry said was impossible. And my favorite part was we had executives from those Fortune 50 companies coming out to buy us lunch, begging us to stop telling the public the truth. 

**The acquisition of Sourcefire**

**Marshall:** I came to Sourcefire from the U.S. military. I had no idea what being acquired meant.  

**Watchinski:** We had been in negotiations with Cisco for about six months. I couldn’t tell anyone about that though. Those final negotiations went on until 4 a.m. the morning that the deal closed. We didn’t stop until we had reached a deal that was right for our people. At 4:30 a.m., I sent a text to my directs, telling them that something big was happening, and they should come into the office at 7 a.m.  

**Marshall:** At the time, I ran the response work. And Watchinski didn't tell me if there was a problem. So, my instincts told me something was very wrong. “Who else do I need to call? How bad is the situation?” And he just replied, “I just need you there first thing in the morning.” So, the next morning Watchinski walked in, and me, \[Matt\] Olney \[Director of Threat Intelligence and Interdiction\] and Nigel \[Houghton, former director of Talos Operations\] are standing around anxiously. And then Watchinski said, “Cisco just bought us. We're not working today.”   

**Three teams coming together**

 **Watchinski:** For the first year after the acquisition, Sourcefire continued as the VRT (Vulnerability Research Team). During that time, we met various people across Cisco and tried to figure out what they all did. One of the people I met was Luci \[Lagrimas\]. She’s an incredible person, and we started hatching a plan on how we could be successful together. 

We proposed bringing together a singular set of services, a singular threat research and intelligence team, a singular understanding of our data, and a singular voice of how we talk about security. 

I gave a presentation to what was then three different groups — VRT, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps).  

**Luci Lagrimas, Senior Director of Engineering:** That was a day I’ll always remember. We all gave presentations about who we were and who our teams were. I put three pictures on an “About Me” slide, and one of them was me playing field hockey, wearing a T-shirt that definitely showed off my guns. \[Matt\] Olney leans over to Marshall and says, “Dude, she can kick our ass!”  

**Matt Olney, Director of Talos Threat Intelligence & Interdiction**: This remains true to this day. 

__Luci’s photo from her original slide deck at the first Talos meeting.__

**Marshall:** My first impression of Luci was that slide. That set the tone for these teams coming together, because here’s this badass lady with a field hockey stick causing carnage on the field, and that’s what we were going to bring into our group.  

**The Talos brand is born**

**Lee Jones, Talos distinguished engineer:** My first exposure to Matt \[Watchinski\] was a cultural definition point, because Matt came in and did what he’s great at, which is coalesce things. It was incredible to watch how he started forming the vision of what Talos was going to be. 

**Watchinski:** I believe that to have an effective team, you need three things: a mission that everybody understands, a culture that everybody can work in, and some type of icon that people can rally behind. A colleague of mine would always say, “This is how you build a cult!” And I would reply, “Yeah, kinda...but the good kind of cult.” 

I knew that having three different brands and messages wouldn’t work. We needed the branding to reflect on who we were as a new team coming together. That was a point of unity — giving up what the VRT had built from a brand perspective for over 10 years. And asking the others to do the same. 

**Luci:** Between April and August 2014, the team leaders all threw different ideas into the ring about what we would be called and what sort of brand could represent who we were becoming.  

**Watchinski:** If I remember it right, it was Matt Olney who came up with Talos, protector of the shores. That one resonated most with everyone, because it aligned with our main mission of protecting our customers.  

**Matt Olney** It came about because we wanted something big to represent us. We were now part of a team that was focussed on much more than vulnerabilities. We wanted to have a larger voice as an organization, and a larger role in security consciousness. 

**Luci:** Talos was officially launched at BlackHat in 2014. 

**The team grows**

**Liz Cooperrider, Leader, Talos Project Management Office:** When I started reporting directly to Matt \[Watchinski\] he elevated the Project Management Office (PMO) and the value of what we brought to the organization. 

Since 2019, we’ve been able to grow and become an integral part of Talos, mainly because I was given a lot of independence and autonomy from the team.

**Lee:** After Talos was formed, I was working across the Cisco portfolio, helping them to design products from a security perspective. In 2018, I came back home to Talos. My role was to work with Luci to transition the architectural aspect of Talos, and get it to a trusted product partner level, global in scope and scale, beyond the core competency of the security mission. 

We created a service delivery architecture called “Tomorrowland”. This was a big turning point. It didn’t change our security capabilities themselves, but our ability to project our power went up. 

**Lee:** At a lot of other places, rank and hierarchy matter. Titles matter, and there can be a top-down approach sometimes. But at Talos, there’s a culture of asking questions and pushing back to see, “Do I really believe this and want to incorporate this to my mission?” That is very energizing. I sat back and thought, “This is where I want to be. I’m happy. This is what I was hoping for.” 

**Amy Henderson, Director of Talos Strategic Communications and Operations:** I was a portfolio manager in the Customer Experience organization in Cisco, and at that time (October 2019), one of our key services was Incident response. The IR team worked very closely with Talos, sharing intelligence, understanding what's going on at a customer site when things go down, etc. We eventually came to the decision that Incident Response should become Talos Incident Response, bringing those teams under one umbrella. 

I got to know Watchinski and Olney and really enjoyed working with them. But there was a moment during the transition that the Talos team pulled back. They said they wanted to pause things because it wasn’t being done in the right way. Not being part of Talos at that point, I really appreciated their honesty and integrity. Because when you’re working towards delivering on a priority, sometimes you end up just pushing the ball down the road without necessarily getting the outcome that you want. It’s important to take stock and think about, “Is this actually what we want to achieve?” 

I pinged Olney and said how much I respected their decision. Because it showed the character of the Talos team. They’re not going to rubber stamp everything and say it’s OK when it’s not. 

**Brad Garnett, Director of Talos Incident Response:** I was another Talos transplant. I was running the Incident Response team on the CX side, and as Amy mentioned it made sense to bring us into Talos. Response and intelligence are like peanut butter and jelly, it just goes together.  

We gathered in London in the fall of 2019, and we talked about what IR might look like inside of Talos. Our brand, reputation, integration, intelligence services etc. I still have that agenda from nearly five years ago, and I still remember our first three customers.

That helps me bring perspective — no matter how challenging things get, we’ve hugely grown in scale. Customers need us more than ever. And our mission has grown to not just helping customers on an individual level, but to use that experience to protect all our customers. “The power of the debrief”, as I frequently say to my team. Take what we’re seeing and go help more people. 

**The mission**

**Olney**: When people ask me what I do, I tell them, “I build the expertise that allows me and my team to go places and fix things.” I’m most proud of the work that we do that makes no sense from a corporate or financial perspective, such as the election security work, the work we’ve done to protect Ukraine’s critical infrastructure…the stuff that doesn’t turn a dollar but makes the world a better place. To do all that within a capitalistic entity is pretty remarkable. 

That’s what makes me so proud of this team. We approach security problems as, “How can I positively affect the most amount of people?”  

**Luci:** Whenever I see Talos in the news, I feel really proud to be a part of an organization that isn’t out there just for the money. We’re out there to make the world a better place. 

**Watchinski:** The work we did to help Ukraine, to fill 747s with Cisco kit and fly into a country at war….being able to actually support their operations from either afar or in country, help protect their people, help them turn back on civil infrastructure so that trains run, telephones work, payment processing is functional, the basic needs of society are still met, even though adversaries are actively trying to bring those things offline… I don't think there's a ton of companies that can say they have the capability to do those things. Or even the will to do them. 

**Amy:** And then on top of that, you have Joe Marshall’s Project PowerUp work which helped keep the electrical grid in Ukraine running after disruption from GPS jamming. Joe, on his own terms, found the right people, pulled volunteers together, and we were able to build something to help the grid maintain better time so Ukrainians can have more stable electrical power. 

Extract from a Dutch newspaper reporting on Talos' work on Project PowerUp

 **Marshall:** When we can pull off that kind of thing, it’s because of the trust that we have. More people today trust us than ever before. And I think that trust is well-deserved because of the solid information we can provide.

We bring verified information our customers can act upon, as well as bringing calm to a situation so we can encourage reason. We keep doing that no matter what else happens, and that gives people peace of mind. 

**Amy:** What’s common amongst the folks that we hire is they know that sometimes they’ll need to drop everything and pivot to a rapid response effort. I hope they know that our leadership team fights to give them air cover to a) keep them sane during those times, and b) makes sure that they have what they need. As a leadership team we fight for budgets and time and resources that can help them, because our people have such an innate sense of doing the right thing. We know that the lengths that people go to, and that's one of the many reasons why we will protect them every single day. 

** Our culture**

**Lurene:** In the early days of Sourcefire, there was no situation that came up where we couldn't sit down together and come up with a plan to solve it. We would make it work, and in so doing, we would make a change in the industry. We were given the space to do that. Matt \[Watchinski\] would say, “Go figure this out, come up with some plans, give me three options, and then we're gonna pick one of them and do it.” 

When I came back to Talos two years ago, I was so pleased to see that everybody had protected that culture and passed it on to new leaders in the group. I’m really proud of that. 

It’s our job to make people feel comfortable who might not feel comfortable elsewhere. Developing a space for people who are extremely valuable team members but might have trouble thriving in an extremely generic environment. I am one of those people, so I know I can say that. 

**Olney:** We want Talos be a thing that's worth being yourself with. Our culture is very conscious.  We didn’t do a survey and figure out, “Employees are 2.5% more engaged if you give them free drinks.” They get to define who they are, and who they want to be at Talos. And they get to define what you want your experience at Talos to be like. 

**Liz:** In other organizations, if a team doesn't make their deliverable, there’s zero compassion and no understanding – “Why did that fail?” Within Talos, we can fail and fail fast because there is so much clear transparency. That’s completely a part of the culture. 

**Marshall:** It really is. Until I myself attain perfection, it’s unfair for me to expect perfection from anyone else. 

**Olney:** We ask so much of our people.  We ask them to move fast and make tough decisions. If we were set the tone that every time someone screwed up, it was a job threatening situation, then people would be far more hesitant. They would work inside of smaller boxes. They would think smaller, and they would act less boldly. They would fade into the background more often. That’s the exact opposite of what we want.  

There’s no “Key performance metric” for Joe Marshall to build relationships with the Ukrainians and then come up with a solution that helps them keep the lights on. It’s just what we do…it’s just what we, as Talos, do. 

**Watchinski:** Our culture is the thing I’m most proud of, of all the things Talos has achieved over the past 10 years. 

**Liz:** Talos is also very family first. I remember once I was caring for my father. He had had a hip replacement, and I was to take care of him when he came home from the hospital. I thought I could do it by myself – be his 24-hour nurse and do my job at the same time. I showed up to a sync with Chinski, and he immediately knew something was wrong. He wasn't interested in any of the business side of things. He simply said, “Go. Go take care of your father.”  

**Marshall:** I stand by the idea that if I take care of my people, my people take care of me. That’s something I ask of all my managers — just take care of your people. The No. 2 thing I ask is to meet the needs of the business. 

**Watchinski:** A lot of people in this organization have been with me for 5,10,15 even 20 years. They’ve gone from junior analyst to senior director inside a Fortune 500 company. And even when you look at all the folks that have left the organization over the years, they've all gone on to do great things. 

**Marshall:** No matter what, I want people to be better for their time spent with us. And if they exit tomorrow but they’ve accomplished that, then we’ve done our job. 

**Brad:** People who have moved on from Talos have said to me, “The Talos years are some of the best years of my career.” To me, that’s worth protecting. 

For more Talos 10 celebrations, take a look at some our key moments:

"There is no business school class that would ever sit down and design Talos"

Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years.
Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear,

Cyber Attack / Threat Intelligence

Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years.

Israeli cybersecurity company Cybereason is tracking the campaign under the name **Cuckoo Spear**, attributing it as related to a known intrusion set dubbed APT10, which is also known as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda.

"The actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate data from compromised enterprise networks," it said.

The findings come weeks after JPCERT/CC warned of cyber attacks mounted by the threat actor targeting Japanese entities using the two malware strains.

Earlier this January, ITOCHU Cyber & Intelligence disclosed that it had uncovered an updated version of the LODEINFO backdoor incorporating anti-analysis techniques, highlighting the use of spear-phishing emails to propagate the malware.

Trend Micro, which originally coined the term MenuPass to describe the threat actor, has characterized APT10 as an umbrella group comprising two clusters it calls Earth Tengshe and Earth Kasha. The hacking crew is known to be operational since at least 2006.

While Earth Tengshe is linked to campaigns distributing SigLoader and SodaMaster, Earth Kasha is attributed to the exclusive use of LODEINFO and NOOPDOOR. Both the sub-groups have been observed targeting public-facing applications with the aim of exfiltrating data and information in the network.

Earth Tengshe is also said to be related to another cluster codenamed Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has a history of operating short-lived ransomware families like LockFile, Atom Silo, Rook, Night Sky, Pandora, and Cheerscrypt.

On the other hand, Earth Kasha has been found to switch up its initial access methods by exploiting public-facing applications since April 2023, taking advantage of unpatched flaws in Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727) instances to distribute LODEINFO and NOOPDOOR (aka HiddenFace).

LODEINFO comes packed with several commands to execute arbitrary shellcode, log keystrokes, take screenshots, terminate processes, and exfiltrate files back to an actor-controlled server. NOOPDOOR, which shares code similarities with another APT10 backdoor known as ANEL Loader, features functionality to upload and download files, execute shellcode, and run more programs.

"LODEINFO appears to be used as a primary backdoor and NOOPDOOR acts as a secondary backdoor, keeping persistence within the compromised corporate network for more than two years," Cybereason said. "Threat actors maintain persistence within the environment by abusing scheduled tasks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

We’ll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we’re all struggling to keep security teams fully staffed. 
Given that reality, security teams need to be able to monitor and respond to threats

We'll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we're all struggling to keep security teams fully staffed.

Given that reality, security teams need to be able to monitor and respond to threats effectively and efficiently. You obviously can't let real threats slip past unnoticed, but you also can't afford to waste time chasing false positives.

In this post, we're going to look at some of the ways Material Security's unique approach to email security and data protection can dramatically–and quantifiably–save your security teams hours each week while improving the effectiveness of your security program.

**What's Your Alert Budget?**

Before we dive into the "how," let's take a moment to look at _why_ efficiency is critical in security operations. To do that, let's think about how many alerts can your security and incident response teams realistically triage, investigate, and respond to in a given day. Just like your department has a budget that limits how much money you can spend on people and tools, your security teams have a limit to the amount of time they can devote to responding to threats on any given day. **That's your alert budget**.

That number will change day-to-day, of course, depending on the severity and complexity of the incidents that pop, the number of critical strategic projects your team is working on, and myriad other factors. But there is a limit. And just as you can't afford to waste your limited financial resources on redundant tools or software that provides no value to your team, you can't afford for your teams to waste their alert budget investigating duplicate alerts, remediating the same issue over and over, or chasing false positives.

The efficiency with which your security team spends their alert budget is just as important as how you spend your money, if not more so. Now let's dive into how we help improve that efficiency.

**Balancing Accuracy and Sensitivity**

No matter how many alerts your team receives, there are a limited number of hours in any given day that your team can devote to responding to them. Material's approach to phishing has been built on the philosophy that we need to help our customers make the most of their time. The alerts we generate must both catch as many threats as possible–while also generating as few false positives as possible.

"Precision" and "recall" are terms that will be familiar to a data scientist, but may not immediately ring a bell for security folks. In the context of email detections, precision is a measure of how many emails flagged as malicious are actually malicious, while recall is a measure of how many of the actual malicious emails received are flagged by the system.

A security system that generates very few false positives has high precision, and a system that catches nearly all the threats it sees has high recall. At a certain granular level, there is some tradeoff between the two: as you can imagine, you can lower the number of false positives you generate by decreasing the sensitivity of the detections: but decreasing the sensitivity will often lead to true positives being missed as well. Conversely, you can minimize those missed true positives by turning the sensitivity way up, but doing so will generate more false positives.

The focus at Material has been to build a detection engine that balances the two effectively, and surfaces the malicious messages that you truly need to focus on. In today's increasingly-complex threat environment, no single layer of protection is sufficient–and no single method of detection can possibly strike the right balance on its own. To that end, the Material Detection Engine is made up of four key components:

*   **Material Detections:** A combination of machine learning techniques with rules built by our dedicated threat research team. AI and ML are great for connecting dots and finding relationships that humans may miss, but for all the advancements in AI lately, there's still no replacement for the insight and capability of human expertise. Material Detections are the best of both worlds.
*   **Custom Detections:** Every organization and every environment are unique, so we give customers the ability to create custom detections based on what you're seeing across your user base or out in the wild.
*   **Email Provider Alerts:** Google and Microsoft periodically issue alerts for phishing emails that they've detected post-delivery; we ingest and process those alerts and add them to our detections.
*   **User Reports:** Material automates your abuse mailbox, from ingesting user reports, consolidating similar messages within a single case, and applying automated protection immediately while providing flexible remediation flows to security teams.

All of these facets combine into a powerful and incredibly precise detection platform that gives our customers powerful protection without wasting their time with false positives and noise–striking what we believe to be the right balance between precision and recall. But while effectively balancing accuracy and sensitivity is critical, it's not enough: a modern email security platform also needs to streamline security operations themselves.

**Fool Me Twice, Shame on Me**

There's been a noticeable uptick in email attack campaigns that are not just wide-ranging but very personalized. There's debate about how much of this can be attributed to generative AI–the prevailing assumption was that the explosion of generative AI would give adversaries a new bag of tools to play with, but research like Verizon's 2024 DBIR show little meaningful impact on attacks and breaches at this point.

Regardless of whether these attacks are AI-generated or not, there's no denying they're on the rise. Sure, we all still get the generic and transparent '_are you available?'_ messages from our "CEOs" when we first join a new company. But we also get emails with fake invoices coming from domains that are spoofs or homoglyphs of trusted partners and vendors. We see complex pretexting attacks laying out completely believable stories from senders who appear to have connections with us. We receive emails from spoofed or homoglyph domains that fool even the most conscientious user.

And often these attacks are repeated across an organization, but tailored to each recipient. Not only do they evade native email security controls and make it through SEGs, but they appear as individual attacks. Subject lines, senders, and even body content can vary from email to email, making it hard to easily group them together–meaning your security team has to burn through multiple cycles to investigate and respond to dozens or hundreds of iterations of the exact same attack.

Material helps security and IR teams address this problem with automatic clustering of suspicious messages. When Material detects a potential threat, it automatically creates a Case within our platform. It then scours the entire environment for messages that match that case, based on a range of criteria. It looks for similarities among the usual fields, of course: matching senders, matching subject lines, matching body text, etc. But it also looks for things like the URLs embedded within the messages and attachment, matching attacks that are otherwise impossible to group by other means.

Material creates cases for all detected messages, and clusters similar messages together, simplifying investigation and remediation.

And when messages are clustered together in a single case, it makes triage, investigation, and even remediation significantly simpler. Speedbumps by default are automatically applied to _all_ the messages within the case–so your users will get a warning that the message may be malicious before your team even has a chance to investigate. And once you've investigated and applied a remediation to a single message within the case, every message in that case–even matched messages that are delivered after your investigation–receive that same remediation.

We've already seen powerful examples of how this helps our customers in the real world. One Material customer recently told us that they tracked their phishing email investigations over a three-month period. In those 90 days with Material Security's help, their SOC saved over 300 hours of time investigating and responding to phishing emails. All those hours stayed in their alert budget to deal with other pressing matters.

**Harnessing Your Organization's Collective Intelligence**

Today's workforce is well aware of phishing threats. That doesn't mean they don't still fall for them, of course, but it means they're on the lookout for suspicious, poorly-worded, or simply unexpected messages.

And it's important to get it right. No single line of defense is going to catch all inbound email threats, and for all the incredible advancements in AI and machine detections, sometimes there's no substitute for a keen-eyed employee noticing an email just doesn't pass the sniff test.

The downside is that _handling_ user reporting can also be a significant drain on your security team if not handled correctly. Duplicate reports, harmless emails flagged for review, the need to respond to the user(s) who flagged… when you add up the minutes all of these actions require over dozens or hundreds of reports every day, it can be a significant time suck.

Material automates the full lifecycle of user report response, applying immediate herd immunity to all messages within a reported message case across your entire organization.

Material cuts away the day-to-day backend slog of user reporting, automating your abuse mailbox to both speed remediation and save your security team time. Material automatically adds a speedbump to reported messages across your entire user base, providing an immediate layer of protection while your security team investigates the issue.

Granular remediation options allow your teams to speedbump, block links, or outright delete reported emails that turn out to be malicious. And thanks to case consolidation and similar message matching, when you've investigated and responded to one email, you've responded to every similar message in the entire case. Finally, Material automatically responds to reporters with an acknowledgement message–that you can change or update as your investigation proceeds if you wish.

Material simplifies and streamlines the process of ingesting and responding to user reporting, while adding immediate protection to provide air cover for investigations.

**Advanced Protection You Can Trust, Efficiency You Can Take to the Bank**

Your security teams have to juggle enough as it is. With Material Security, they'll chase far fewer false positives, triage and investigate phishing cases faster, and spend less time on administrative busywork with user reporting. Material frees up more of your alert budget so you can spend it on what really matters.

To see how much time you can give back to your security team, contact us for a demo today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How To Get the Most From Your Security Team’s Email Alert Budget

OpenAI’s newest model is “a data hoover on steroids,” says one expert—but there are still ways to use it while minimizing risk.

Open AI says this data is used to train the AI model and improve its responses, but the terms allow the firm to share your personal information with affiliates, vendors, service providers, and law enforcement. “So it’s hard to know where your data will end up,” says Love.

OpenAI’s privacy policy states that ChatGPT does collect information to create an account or communicate with a business, says Bharath Thota, a data scientist and chief solutions officer of analytics practice at management consulting firm Kearney, which advises firms on managing and using AI data to power new revenue streams.

Part of this data collection includes full names, account credentials, payment card information, and transaction history, he says. “Personal information can also be stored, particularly if images are uploaded as part of prompts. Likewise, if a user decides to connect with any of the company’s social media pages like Facebook, LinkedIn, or Instagram, personal information may be collected if they’ve shared their contact details.”

OpenAI uses consumer data like other big tech and social media companies, but it does not sell advertising. Instead, it provides tools—an important difference, says Jeff Schwartzentruber, senior machine learning scientist at security firm eSentire. “The user input data is not used directly as a commodity. Instead, it is used to improve the services that benefit the user—but it also increases the value of OpenAI’s intellectual property.”

****Privacy Controls****

Since its launch in 2020 and amid criticism and privacy scandals, OpenAI has introduced tools and controls you can use to lock down your data. OpenAI says it is “committed to protecting people's privacy.”

For ChatGPT specifically, OpenAI says it understands users may not want their information used to improve its models and therefore provides ways for them to manage their data. “ChatGPT Free and Plus users can easily control whether they contribute to future model improvements in their settings,” the firm writes on its website, adding that it does not train on API, ChatGPT Enterprise, and ChatGPT Team customer data by default.

“We provide ChatGPT users with a number of privacy controls, including giving them an easy way to opt out of training our AI models and a temporary chat mode that automatically deletes chats on a regular basis,” OpenAI spokesperson Taya Christianson tells WIRED.

The firm says it does not seek out personal information to train its models, and it does not use public information on the internet to build profiles about people, advertise to them, or target them—or to sell user data.

OpenAI does not train your models on audio clips from voice chats—unless you choose to share your audio “to improve voice chats for everyone,” the Voice Chat FAQ on OpenAI’s website notes.

“If you share your audio with us, then we may use audio from your voice chats to train our models,” Open AI says in its Voice Chats FAQ. Meanwhile, transcribed chats may be used to train models depending on your choices and plan.

Can GPT-4o Be Trusted With Your Private Data?

Companies in Russia and Moldova have been the target of a phishing campaign orchestrated by a little-known cyber espionage group known as XDSpy.
The findings come from cybersecurity firm F.A.C.C.T., which said the infection chains lead to the deployment of a malware called DSDownloader. The activity was observed this month, it added.
XDSpy is a threat actor of indeterminate origin that was first

Cyber Espionage / Threat Intelligence

Companies in Russia and Moldova have been the target of a phishing campaign orchestrated by a little-known cyber espionage group known as **XDSpy**.

The findings come from cybersecurity firm F.A.C.C.T., which said the infection chains lead to the deployment of a malware called DSDownloader. The activity was observed this month, it added.

XDSpy is a threat actor of indeterminate origin that was first uncovered by the Belarusian Computer Emergency Response Team, CERT.BY, in February 2020. A subsequent analysis by ESET attributed the group to information-stealing attacks aimed at government agencies in Eastern Europe and the Balkans since 2011.

Attack chains mounted by the adversary are known to leverage spear-phishing emails in order to infiltrate their targets with a main malware module known as XDDown that, in turn, drops additional plugins for gathering system information, enumerating C: drive, monitoring external drives, exfiltrating local files, and gathering passwords.

Over the past year, XDSpy has been observed targeting Russian organizations with a C#-base dropper named UTask that's responsible for downloading a core module in the form of an executable that can fetch more payloads from a command-and-control (C2) server.

The latest set of attacks entails the use of phishing emails with agreement-related lures to propagate a RAR archive file that contains a legitimate executable and a malicious DLL file. The DLL is then executed by means of the former using DLL side-loading techniques.

The library takes care of downloading and running DSDownloader, which, in turn, opens a decoy file as a distraction while surreptitiously downloading the next-stage malware from a remote server. F.A.C.C.T. said the payload was no longer available for download at the time of analysis.

The onset of the Russo-Ukrainian war in 2022 has witnessed a significant escalation in cyber attacks on both sides, with Russian companies compromised by DarkWatchman RAT as well as by activity clusters tracked as Core Werewolf, Hellhounds, PhantomCore, Rare Wolf, ReaverBits, and Sticky Werewolf, among others in recent months.

What's more, pro-Ukrainian hacktivist groups such as Cyber.Anarchy.Squad has also set its sights on Russian entities, conducting hack-and-leak operations and disruptive attacks against Infotel and Avanpost.

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a spike in phishing attacks carried out by a Belarusian threat actor called UAC-0057 (aka GhostWriter and UNC1151) that distribute a malware family referred to as PicassoLoader with an aim to drop a Cobalt Strike Beacon on infected hosts.

It also follows the discovery of a new campaign from the Russia-linked Turla group that utilizes a malicious Windows shortcut (LNK) file as a conduit to serve a fileless backdoor that can execute PowerShell scripts received from a legitimate-but-compromised server and disable security features.

"It also employs memory patching, bypass AMSI and disable system's event logging features to impair system's defense to enhance its evasion capability," G DATA researchers said. "It leverages Microsoft's msbuild.exe to implement AWL (Application Whitelist) Bypass to avoid detection."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cyber Espionage Group XDSpy Targets Companies in Russia and Moldova

The nation-state espionage group known for attacking Pakistan has expanded its reach to targets in Egypt and Sri Lanka.

Source: Papilio via Alamy

A nation-state cyber-espionage group linked to India has broadened its targeting beyond regional rivals in Pakistan, Afghanistan, China, and Nepal and is focused on compromising computers and networks at maritime facilities in countries as far away as the Mediterranean Sea.

The group — known variously as SideWinder, Razor Tiger, and Rattlesnake — commonly wages spear-phishing attacks using images of official-looking documents. In its latest campaigns, SideWinder has falsified documents from specific ports, including the Port of Alexandria in Egypt, with high-interest topics such as job termination and salary reductions, researchers from BlackBerry said in a newly published advisory.

While the group has typically focused on rivals closer to home and is less prolific than other cyber spies, the current campaign suggests that they have expanded their targeting, says Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry.

"It's the first time we have seen SideWinder targeting ports and maritime facilities in EMEA," he says. "We see a lot of geopolitical turbulence and \[changing\] environments across the globe on a variety of issues. This often galvanizes threat groups and state-sponsors to specifically strike down critical assets, like those within the maritime industry."

The maritime industry increasingly has become a target of cyberattacks, posing serious danger to ships and ports. In 2019, the US Coast Guard warned shipping companies that attacks on their systems could lead to accidents and catastrophes. In the past year, following increased Chinese cyber operations against critical infrastructure including maritime systems in and around the South China Sea, various countries in the Asia-Pacific region have banded together to protect their networks and systems.

The cyber warnings also come as physical threats to shipping increase as well. Piracy off the Atlantic coast of Africa and the Arabian Sea, and among the island nations of the Asia-Pacific, has escalated, while ship malfunctions — such as the one the caused a vessel to collide with the Baltimore bridge — have become more frequent.

**New Phishing Lures, Old Exploits**

SideWinder has conducted attacks since at least 2012. The group is relatively sophisticated, commonly using encrypted malware samples, various obfuscation techniques, and running code in memory to avoid file scanners, according to a presentation at Black Hat Asia in 2022. From 2020 to 2022, the group conducted more than 1,000 attacks, Noushin Shabab, senior security researcher with Kaspersky, said during that presentation.

"I think what truly makes them stand out among other APT \[advanced persistent threat\] actors is the large tool set they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure," Shabab said. "I haven't seen 1,000 attacks from a single APT" from another group thus far.

However, the current cyberattacks are, in many cases, using older vulnerabilities, such as a flaw in Microsoft Office dating back to 2017. The vulnerability (CVE-2017-0199) allows remote code execution against old versions of Microsoft Office and Windows, and has been a very popular vector of attack, with more than 5,600 malware samples exploiting the issue this year, including 15 malicious samples reported from Egypt, according to BlackBerry.

Like most groups, SideWinder does not like to waste a good exploit, even if it's seven years old, says Valenzuela.

"Why do we still see old CVEs like these exploited in the wild? Attackers know that many organizations don’t patch their Office software for many years," he says. "This is especially common in organizations with legacy systems, which are often used in ports and maritime facilities as well as other critical infrastructure."

BlackBerry documented the use of another very popular — and seven-year-old — vulnerability, in the Microsoft Office Equation Editor (CVE-2017-11882), with more than 9,500 samples of Office documents exploiting the issue since the start of 2024. Both of these vulnerabilities have made the Known Exploited Vulnerabilities list maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

**Maritime Under Attack**

BlackBerry's threat researchers discovered a variety of domains in the first and second stages of the attack that are likely evidence of their targets, including a long list in South Asia including Pakistan, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. Egyptian ports appear to be the only target outside of India's extended neighborhood.

While the country appears to be extending its reach to other regions of the world, the cyber operations are not actually targeting ports on a global scale, Valenzuela says.

"They’re certainly targeting ports in key countries where this threat actor has geopolitical interests, and that includes the Indian Ocean and the Mediterranean, \[such as\] Egypt," he says. "We don’t have information about other targets in the Mediterranean Sea at this time."

The researchers have not captured the final payload in the attacks, but based on the group's previous actions, they believe the goal is intelligence-gathering and cyber espionage, the company stated in its advisory.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India-Linked SideWinder Group Pivots to Hacking Maritime Targets

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

Source: Schoening via Alamy Stock Photo

Multiple ransomware groups have been weaponizing an authentication bypass bug in VMware ESXi hypervisors to quickly deploy malware across virtualized environments.

VMware assigned the bug (CVE-2024-37085) a "medium" 6.8 out of 10 score on the CVSS scale. The average score is largely due to the fact that it requires an attacker to have existing permissions in a target's Active Directory (AD).

If they do have AD access, however, attackers can cause significant damage. With no technical trickery whatsoever, they can use CVE-2024-37085 to instantly scale up their ESXi privileges to the max, opening the door to ransomware deployment, data exfiltration, lateral movement, and more. Groups like Storm-0506 (aka Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (aka Scattered Spider) have already tried it out, deploying ransomware such as Black Basta and Akira.

Broadcom recently published a fix, available on its website.

**How CVE-2024-37085 Works**

Some organizations configure their ESXi hypervisors to use AD for user management. It turns out that by doing this, organizations were exposing themselves to something unexpected. By default, ESXi hypervisors granted full administrative access to any member of an AD domain group named "ESX Admins."

It's unclear how the "ESX Admins" group vulnerability was introduced into ESXi in the first place—Broadcom declined to clarify when Dark Reading reached out on the question. As Microsoft noted in a blog post, there's no particular reason why the hypervisor should have expected such a domain group, or have had a rule for what to do with it. "This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist," the threat intel team wrote. "Additionally, the membership in the group is determined by name and not by security identifier (SID)."

Exploiting CVE-2024-37085 was entirely trivial. So long as an attacker had sufficient privileges in AD, all they'd have to do to gain ESXi admin privileges was to create an "ESX Admins" group in the targeted domain and add a user to it. They could also rename any existing group to "ESX Admins," and either wield one of its existing users or add a new one.

**The Risk with Hypervisors**

"Ransomware attacks targeting ESXi and VMs are increasingly common, especially since around 2020, when enterprises increased their move toward digital transformation and took advantage of modern hybrid cloud and virtualized on-premise environments," explains Jason Soroko, senior vice president of product at Sectigo.

For all the business sense they make, virtualized environments also afford hackers unique benefits. Hypervisors tend to run many VMs at once, making them a one-stop shop for blasting ransomware as widely as possible, and those VMs often host critical services and business data.

Their utility to hackers makes it all the more troubling that, as Microsoft noted in its blog, security products have limited visibility and protections for hypervisors. This, Soroko explains, is "due to their isolation, complexity, and the specialized knowledge required for their protection. This isolation makes it difficult for traditional security tools to monitor and protect the entire environment, and API integration limits further exacerbate this issue."

To cover for these shortcomings, Microsoft highlighted the importance of keeping up to date with patches, and practicing broader cyber hygiene around critical and vulnerable assets. "Attackers love using the path of least resistance that provides maximum opportunity," Soroko notes, adding that ransomware actors will only target these systems more and more in the future.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs

This year’s Intelligence Authorization Act would mandate penetration testing for federally certified voting machines and allow independent researchers to work on exposing vulnerabilities.

Congress is moving closer to putting US election technology under a stricter cybersecurity microscope.

Embedded inside this year’s Intelligence Authorization Act, which funds intelligence agencies like the CIA, is the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act, which would require penetration testing of federally certified voting machines and ballot scanners, and create a pilot program exploring the feasibility of letting independent researchers probe all manner of election systems for flaws.

The SECURE IT Act—originally introduced by US senators Mark Warner, a Virginia Democrat, and Susan Collins, a Maine Republican—could significantly improve the security of key election technology in an era when foreign adversaries remain intent on undermining US democracy.

“This legislation will empower our researchers to think the way our adversaries do, and expose hidden vulnerabilities by attempting to penetrate our systems with the same tools and methods used by bad actors,” says Warner, who chairs the Senate Intelligence Committee.

The new push for these programs highlights the fact that even as election security concerns have shifted to more visceral dangers such as death threats against county clerks, polling-place violence, and AI-fueled disinformation, lawmakers remain worried about the possibility of hackers infiltrating voting systems, which are considered critical infrastructure but are lightly regulated compared to other vital industries.

Russia’s interference in the 2016 election shined a spotlight on threats to voting machines, and despite major improvements, even modern machines can be flawed. Experts have consistently pushed for tighter federal standards and more independent security audits. The new bill attempts to address those concerns in two ways.

The first provision would codify the US Election Assistance Commission’s recent addition of penetration testing to its certification process. (The EAC recently overhauled its certification standards, which cover voting machines and ballot scanners and which many states require their vendors to meet.)

While previous testing simply verified whether machines contained particular defensive measures—such as antivirus software and data encryption—penetration testing will simulate real-world attacks meant to find and exploit the machines’ weaknesses, potentially yielding new information about serious software flaws.

“People have been calling for mandatory \[penetration\] testing for years for election equipment,” says Edgardo Cortés, a former Virginia elections commissioner and an adviser to the election security team at New York University’s Brennan Center for Justice.

The bill’s second provision would require the EAC to experiment with a vulnerability disclosure program for election technology—including systems that are not subject to federal testing, such as voter registration databases and election results websites.

Vulnerability disclosure programs are essentially treasure hunts for civic-minded cyber experts. Vetted participants, operating under clear rules about which of the organizer’s computer systems are fair game, attempt to hack those systems by finding flaws in how they are designed or configured. They then report any flaws they discover to the organizer, sometimes for a reward.

By allowing a diverse group of experts to hunt for bugs in a wide range of election systems, the Warner–Collins bill could dramatically expand scrutiny of the machinery of US democracy.

The pilot program would be a high-profile test of the relationship between election vendors and researchers, who have spent decades clashing over how to examine and disclose flaws in voting systems. The bill attempts to assuage vendors’ concerns by requiring the EAC to vet prospective testers and by prohibiting testers from publicly disclosing any vulnerabilities they find for 180 days. (They would also have to immediately report vulnerabilities to the EAC and the Department of Homeland Security.)

Still, one provision could spark concern. The bill would require manufacturers to patch or otherwise mitigate serious reported vulnerabilities within 180 days of confirming them. The EAC—which must review all changes to certified voting software—would have 90 days to approve fixes; any fix not approved within that timetable would be “deemed to be certified,” though the commission could review it later.

A vendor might not be able to fix a problem, get that fix approved, and get all of its customers to deploy that fix before the nondisclosure period expires.

“Updates to equipment in the field can take many weeks, and modifying equipment close to an election date is a risky operation,” says Ben Adida, the executive director of the vendor VotingWorks.

Some vendors might also chafe at the bill’s legal protections for researchers. The legislation includes a “safe harbor” clause that exempts testing activities from the prohibitions of the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, and bars vendors from suing researchers under those laws for accidental violations of the program’s terms.

There is also a funding question. The SECURE IT Act doesn’t authorize any new money for the EAC to run these programs.

“I hope Congress accounts for the necessary funding needed to support the increased responsibilities the EAC will take on,” says EAC chair Ben Hovland. “Investments in programs like this are critical to maintaining and strengthening the security of our elections.”

Meanwhile, the bill’s prospects are unclear. Even if it passes the Senate, there is no sign of similar momentum in the House.

A Senate Bill Would Radically Improve Voting Machine Security

The incident serves as a stark reminder of the fragility of our digital infrastructure. By adopting a diversified, resilient approach to cybersecurity, we can mitigate the risks and build a more secure digital future.

Source: SOPA Images Limited via Alamy Stock Photo

COMMENTARY

On July 19, the world experienced one of the largest IT outages in history, affecting millions of users globally, and systems and people will be reeling from its impact for weeks. The cause? A faulty update on CrowdStrike's Falcon platform. This seemingly minor error in code cascaded into a major outage, affecting critical infrastructure worldwide. Airports, hospital systems, and other large enterprises relying on CrowdStrike were brought to a standstill, highlighting the vulnerabilities inherent in our increasingly digital world.

Falcon, a cloud-based security solution, functions like an advanced antivirus, updating threat intelligence and protecting systems automatically without user intervention. This automation is a boon for large enterprises, which can ensure all endpoints are protected and up to date without manual oversight. While efficient, this centralized system also introduces a fundamental risk: a single point of failure. When the update failed, it didn't just affect a few computers, but millions, all at once. The very feature that made Falcon attractive — its cloud-based, seamless, automated updates — became its Achilles' heel.

The Falcon failure exposed another fundamental flaw in our approach to cybersecurity and IT infrastructure. We tend to focus on protecting the most critical systems — flight control systems, cardiac machines in hospitals — while neglecting the everyday, mundane systems that are equally vital. In this case, it wasn't the high-stakes technology that failed but the routine systems like accounting, billing, and ticketing. These systems, often taken for granted, are the backbone of our daily operations, and their disruption can lead to chaos. 

This is not a new phenomenon. Often when hospitals and pipelines are hacked, attackers target accounting and billing systems, not the core refinery or processing plant. Without the ability to track and bill customers, operations came to a halt. Our reliance on digital solutions, coupled with the assumption that technology will always function flawlessly, leaves us unprepared for such disruptions.

Finally, we won't be able to fully recover for a while, even though mitigation guidance has already been released by CrowdStrike. It is because the system needs to be reset, and most endpoint users either lack the permissions (because IT has locked down systems by default) or because they don't know how to reset or revert systems. This is the third reason why the problem is persisting despite mitigation guidance already being released.

Such issues will only get worse as artificial intelligence (AI) gets integrated into systems. AI will centralize control further, automate complex tasks, and strip power and autonomy from users at the endpoint. Imagine a hospital where AI manages patient data, schedules, and even treatment plans. If such a system fails, frontline healthcare workers might find themselves unable to access crucial information or perform essential tasks, leading to potentially life-threatening delays. As AI becomes more integrated into our systems, the potential for large-scale disruptions increases. Our reliance on silicon-based systems will only deepen, making it imperative to address these vulnerabilities now.

**Blueprint for Resilience**

Fortunately, carbon-based systems in nature provides a blueprint for resilience. In the early 1900s, Buffalo, N.Y., where I live, had thousands of tree-lined streets designed by Frederick Law Olmsted. Many of these trees were the same species, with streets named for the trees that lined them. But it created a single point of failure. When Dutch elm disease struck in the 1950s, it wiped out most of the elm trees because they were planted too closely together, allowing the disease to spread rapidly. This lesson teaches us the importance of diversity — in this case, heterogeneous computing systems. Organizations must implement diverse IT systems, especially for their core functions. Just as a monoculture of trees can be decimated by a single disease, a uniform IT infrastructure can be crippled by a single point of failure. Introducing variety in hardware and software solutions can create a more resilient digital environment.

Nature also offers insights into protecting core functions. Just as the human body employs multiple layers of defense to protect vital organs, organizations should use a variety of software and operating systems to handle critical functions. For example, a hospital's patient management system could run on one platform while its diagnostic tools operate on another, ensuring that a failure in one system doesn't compromise the entire operation. This is akin to how different species of trees in a forest can prevent the spread of disease; if one species is affected, others can continue to thrive. Similarly, deploying diverse cybersecurity measures and segregating core functions can provide a buffer against widespread failure, enhancing overall system resilience.

Finally, to prevent future meltdowns like the CrowdStrike incident, we also need to invest in training and preparedness drills to equip IT teams to respond swiftly and effectively to emerging threats. This is not a minor issue. Fixing the current problem required computers to be reverted back to their pre-update stage or waiting to deploy an updated patch. Even as technology is being centralized and implemented, more of the core functionalities are being centrally administered or locked down. While this approach aims to prevent disruption, it also makes it harder for staff to reboot systems or have administrative access, such as needing to reboot the system in safe mode or revert systems to their older state.

The issue is that people aren't really given access or equipped to handle these things, even as more of the technological functionalities are being centrally administered and removed from the hands of users at the endpoint. People remain the weakest link in cybersecurity — whether it's the coders creating patches or the individuals installing or reverting systems. Thus, our solutions must also include comprehensive training and a focus on the human element to ensure robust security measures.

The CrowdStrike meltdown serves as a stark reminder of the fragility of our digital infrastructure. By learning from nature and adopting a diversified, resilient approach to cybersecurity, we can mitigate the risks and build a more secure digital future. As the saying goes, "Those who can't remember the past are condemned to repeat it." Let us collaborate, innovate, and learn from our mistakes to ensure that such a disruption never happens again. The future of our digital world depends on the lessons we learn from the past and the actions we take today.

This column was updated to clarify a reference to pipeline attacks, July 30, 2024.

**About the Author(s)**

Technologist

Arun Vishwanath, Ph.D., MBA, is among the foremost experts on the "people problem" of cybersecurity. He is the author of the book, The Weakest Link: How to Diagnose, Detect, and Defend Users from Phishing, published by MIT Press.

His research on the science of cybersecurity focuses on the biggest vulnerability in enterprise security: users. His body of work includes the development of methodologies to quantify human cyber-risk, approaches to diagnose how and why people are at risk through social engineering, and techniques to mitigate this risk.

Arun, an alumnus of the Berkman Klein Center at Harvard University, has held faculty positions at the University at Buffalo and Indiana University. He has authored close to 50 peer-reviewed research papers on the science of security and has written pieces for CNN, the Washington Post, and other leading media. His views on cybersecurity have also appeared in Wired Magazine and in reports such as the Verizon "Data Breach Investigations Report" (DBIR). You can read more about him on his website here.

Tag

#intel