The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world.
"Rim Jong Hyok and his co-conspirators deployed

The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world.

"Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea's illicit activities," said Paul Abbate, deputy director of the Federal Bureau of Investigation (FBI). "These unacceptable and unlawful actions placed innocent lives at risk."

Concurrent with the indictment, the U.S. Department of State announced a reward of up to $10 million for information that could lead to his whereabouts, or the identification of other individuals in connection with the malicious activity.

Hyok, part of a hacking crew dubbed Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), is said to be behind extortion-related cyber attacks involving a ransomware strain called Maui, which was first disclosed in 2022 as targeting organizations in Japan and the U.S.

The ransom payments were laundered through Hong Kong-based facilitators, converting the illicit proceeds into Chinese yuan, following which they were withdrawn from an ATM and used to procure virtual private servers (VPSes) that, in turn, were employed to exfiltrate sensitive defense and technology information.

Targets of the campaign include two U.S. Air Force bases, NASA-OIG, as well as South Korean and Taiwanese defense contractors and a Chinese energy company.

In one instance highlighted by the State Department, a cyber attack that began in November 2022 led to the threat actors exfiltrating more than 30 gigabytes of data from an unnamed U.S.-based defense contractor. This comprised unclassified technical information regarding material used in military aircraft and satellites.

The agencies have also announced the "interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity."

Andariel, affiliated with the Reconnaissance General Bureau (RGB) 3rd Bureau, has a track record of striking foreign businesses, governments, aerospace, nuclear, and defense industries with the goal of obtaining sensitive and classified technical information and intellectual property to further the regime's military and nuclear aspirations.

Other recent targets of interest encompass South Korean educational institutions, construction companies, and manufacturing organizations.

"This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India," the National Security Agency (NSA) said. "The group funds their espionage activity through ransomware operations against U.S. healthcare entities."

Initial access to target networks is accomplished by means of exploiting known N-day security flaws in internet-facing applications, enabling the hacking group to conduct follow-on reconnaissance, filesystem enumeration, persistence, privilege escalation, lateral movement, and data exfiltration steps using a combination of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities at their disposal.

Other documented malware distribution vectors entail the use of phishing emails containing malicious attachments, such as Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files inside ZIP archives.

"The actors are well-versed in using native tools and processes on systems, known as living-off-the-land (LotL)," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration."

Microsoft, in its own advisory on Andariel, described it as constantly evolving its toolset to add new functionality and implement novel ways to bypass detection, while exhibiting a "fairly uniform attack pattern."

"Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors," the Windows maker noted.

Some of the noteworthy tools highlighted by Microsoft are listed below -

*   TigerRAT - A malware that can steal confidential information and carry out commands, like keylogging and screen recording, from a command-and-control (C2) server
*   SmallTiger - A C++ backdoor
*   LightHand - A lightweight backdoor for remote access to infected devices
*   ValidAlpha (aka Black RAT) - A Go-based backdoor that can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands
*   Dora RAT - A "simple malware strain" with support for reverse shell and file download/upload capabilities

"They have evolved from targeting South Korean financial institutions with disruptive attacks to targeting U.S. healthcare with ransomware, known as Maui, although not at the same scale as other Russian speaking cybercrime groups," Alex Rose, director of threat research and government partnerships at Secureworks Counter Threat Unit, said.

"This is in addition to their primary mission of gathering intelligence on foreign military operations and strategic technology acquisition."

Andariel is just one of the myriad state-sponsored hacking crews operating under the direction of the North Korean government and military, alongside other clusters tracked as the Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft.

"For decades, North Korea has been involved in illicit revenue generation through criminal enterprises, to compensate for the lack of domestic industry and their global diplomatic and economic isolation," Rose added.

"Cyber was rapidly adopted as a strategic capability that could be used for both intelligence gathering and money making. Where historically these objectives would have been covered by different groups, in the last few years there has been a blurring of the lines and many of the cyber threat groups operating on behalf of North Korea have also dabbled in money making activities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals

Mimecast's acquisition of Code42 helps the company move into insider risk management, joining key rival Proofpoint and others in the space.

Source: Panther Media GmbH via Alamy Stock Photo

Email security providers are increasingly adding human risk management (HRM) tools to their portfolios to broaden their data loss prevention (DLP) capabilities. The latest to sharpen its focus on HRM is Mimecast, which acquired insider risk tool provider Code42 for undisclosed terms this week.

The deal marks Mimecast's second acquisition of an HRM company this year. In January, it made its foray into human risk management with the acquisition of Elevate Security, which resulted in last week's release of Mimecast's Engage risk management platform.

Omdia senior principal analyst Fernando Montenegro says Mimecast's competitors, such as Proofpoint, Sophos, ESET, OpenText (Webroot), and Barracuda Networks, have made similar moves into HRM.

"We have seen similar packaging of messaging security with user training and human factors in many vendors," Montenegro says. "This makes sense as we think there is a long-standing evolutionary pattern to cybersecurity to be better aligned to business outcomes and concerns, and this fits well into this narrative."

Mimecast is playing catch-up to Proofpoint, its most formidable competitor, which released its Proofpoint Nexus People Risk Explorer in 2021. Earlier, Proofpoint made its foray into insider threat management by acquiring ObserveIT, known for its insider threat management platform.

**Insider Risk Tied to Data Breaches**

According to Verizon's "2024 Data Breach Investigations Report" (DBIR), insiders were involved in 68% of all breaches in 2023. Forrester Research forecasts that figure could rise to 90% in 2024, according to its "Predictions 2024" report.

"HRM solutions and programs have surfaced to help CISOs evaluate their firm's human risk, determine whether they are getting a return on their training investment, whether their training is really changing anyone's behavior and improving the firm's cybersecurity posture, and determine what to manage human risk in addition to training people," the report's authors noted.

Weeks after closing the Elevate acquisition in January, Marc van Zadelhoff was tapped as Mimecast's new CEO, replacing co-founder Peter Bauer. Tasked with expanding Mimecast's emerging HRM portfolio, Zadelhoff inked a partnership with Code42 to integrate Code42 Incydr with the Mimecast platform.

By integrating Code42 Incydr's Watchlists for employees with a history of engaging in risky behavior (such as those who frequently fall for phishing attempts) with Mimecast's Profile Groups, organizations can automate the formation, management and policy enforcement among user groups. Likewise, Incydr can be used to manage Mimecast Profile Groups. The integration also lets Mimecast administrators detect and manage exfiltration activity.

Mimecast CEO Marc van Zadelhoff tells Dark Reading that the plan was to leverage that capability to emphasize Mimecast's human risk detection and management capabilities.

"We had been talking to Code42 for a while, and we did the partnership," van Zadelhoff says. "One thing led to another in terms of strengthening it."

Van Zadelhoff says the two acquisitions mark the company's entry into HRM.

"The partnership exposed to us that we had a lot of joint customer interest," he says. "In fact, during that time, we saw an increasing number of our customers adopt Code42 in a fairly short amount of time. As we started leveraging the human risk dashboard and the human risk platform, we started to see that when you add Code42 into the score, it really adds a lot of value on identifying the riskiest segment of the population out there.

**Product Portfolios to Remain Intact With Common Dashboard**

According to van Zadelhoff, there is no overlap between the products Mimecast now offers and Code42's portfolio.

"We tested the product around scalability and how it would work with our technology stack," he says. "It is incredibly compatible. There's zero overlap."

Further, van Zadelhoff insists no products from either company will be deprecated in the wake of the acquisition; the Code42 products will be rebranded Mimecast. Also, in the coming months, Mimecast will create a common human risk dashboard tied to its distinct offerings.

At next month's Black Hat USA Conference in Las Vegas, the company will demonstrate and roll out new artificial intelligence (AI) tools to detect exfiltration risk when employees upload files into generative AI platforms, such as Chat GPT.

"What we're really focused on is understanding when someone takes data from their corporate organizations or from a key repository and exfiltrates that to a public generative AI location," says Rob Juncker, Code42's CTO. "AI is something that we all have to deal with now. So it will be in our base product for all customers effective immediately."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mimecast Joins Human Risk Management Fray With Code42 Deal

The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.

Source: DD Images via Shutterstock

A long-known cyber-espionage group working on behalf of North Korea's foreign intelligence service is systematically stealing technical information and intellectual property from organizations in the US and other countries to advance its own nuclear and military programs.

The group — which security vendors track variously as Andariel, Silent Chollima, Onyx Sleet, and Stonefly — is using ransomware attacks on US health care entities to fund the campaign, the US government warned this week.

**A Clear and Present Danger**

In a joint advisory, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others identified the threat actor as primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. "The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide," the advisory noted.

Meanwhile, the US government offered a $10 million reward under the State Department's Rewards for Justice program for information leading to the arrest of Rim Jong Hyok, whom it believes is a key player in the malicious cyber activity. In tandem, the US Justice Department indicted Jong Hyok on charges related to his involvement in Andariel attacks on multiple US entities, including NASA and two US Air Force bases.

The information that Andariel is pursuing in its current campaign is broad and varied. From defense organizations, the adversary has been stealing information pertaining to heavy and light tanks, self-propelled howitzers, combat ships, autonomous underwater vehicles, and other equipment. Aerospace companies are being targeted for information on everything from fighter aircraft, missiles, and missile defense systems to radars and nano-satellite technology. The goal with attacks on organizations in the nuclear sector is to gather data in areas like uranium processing and enrichment, material waste, and storage. And with engineering firms, the threat actor's focus is on shipbuilding, robotics, additive manufacturing, 3D printing, and other technologies.

"The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections," the advisory said.

**Well-Known Threat Actor**

Andariel has been active for several years. Researchers at Google's Mandiant who track the group as APT45 believe it has been operational since at least 2009. Microsoft, which tracks the threat actor as OnyxSleet, says it first spotted the group in 2014. Over the years, researchers have tied the group to numerous information stealing campaigns and destructive attacks on organizations in more than a dozen critical sectors, including defense, aerospace, energy, financial services, transportation, and health care. Many of its attacks have targeted South Korean entitities.

In a report that coincided with the US government warning this week, Mandiant said it had observed APT45 gradually launching more financially motivated attacks — like ransomware attacks — in recent years, even as it has continued with its cyber espionage mission. "APT45 is one of North Korea’s longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

Microsoft also released an update on the North Korean actor this week and has observed Onyx Sleet actors recently switch from spear-phishing as a way to gain initial access to using vulnerability exploits. But otherwise, its tradecraft has remained largely unchanged, Microsoft said. "Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective."

**Vulnerability Exploits and Custom Tools**

The US government advisory described Andariel as looking for and exploiting multiple well-known vulnerabilities to gain initial access to target networks in its recent attacks. Vulnerabilities that the group has been exploiting in its attacks include the Log4Shell flaw (CVE-2021-44228) in Apache's Log4j software; CVE-2023-46604, a maximum severity bug in Apache ActiveMQ server technology; CVE-2023-34362, a widely exploited remote code execution flaw in Progress Software's MOVEIt file transfer technology; and a similar flaw in Fortra's GoAnywhere software (CVE-2023-0669).

In all, the joint advisory listed 41 CVEs that Andariel actors have exploited to break into target networks as part of its cyberespionage campaign. Of that, 16 were vulnerabilities that various vendors disclosed last year. The oldest flaw in the list is from 2017 — CVE-2017-4946 — a privilege escalation bug in VMWare's V4H and V4PA desktop agents.

Once they gain access to a network, Andariel actors typically use a variety of custom tools and malware to establish remote access, enable lateral movement, and steal data, the advisory said, listing nearly two dozen of them. The tools "include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control," the advisory said. "The tools allow the actors to maintain access to the victim system, with each implant having a designated C2 node."

The advisory describes in detail other tactics, techniques, and procedures that Andariel actors have employed in recent attacks so organizations in the group's crosshairs can take protective measures. It also provides indicators of compromise that organizations can use to check for signs of the threat actor's presence on their network and systems.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Feds Warn of North Korean Cyberattacks on US Critical Infrastructure

How your organization can leverage the disruptive CrowdStrike update to become more resilient.

Chip Stewart, Director–Security, Privacy, and Risk Consulting, RSM US

July 25, 2024

5 Min Read

Source: Illia Uriadnikov via Alamy Stock Photo

COMMENTARY

In the wake of global IT issues caused by a defect in a content update for CrowdStrike's Falcon sensor, many organizations engaged in executing business continuity plans (BCPs), recovering systems, and restoring from backups. In the throes of these activities, it's easy to overlook the similarity with the playbook for ransomware recovery and miss how organizations of all sizes can leverage this event to identify gaps in their capabilities to respond to and recover from ransomware or other disruptive cyberattacks.

It's important to acknowledge the scale of this disruption, with 8.5 million incapacitated PCs across all sectors and organizational sizes. Small businesses, global conglomerates, government agencies, hospitals, and critical infrastructure were all met with the dreaded blue screen of death.

Even those who were not CrowdStrike customers felt the impact, with flights delayed and canceled, gas stations and grocery stores unable to complete transactions, and critical services like police and fire dispatch delayed.

However, there are lessons that every organization can take away from this event to help improve their ability to respond to a cyberattack.

**Detection**

The mean time to detect, or MTTD, is a metric in cyber operations describing how long it takes between when an incident begins and when the organization identifies that something has happened. This metric has been trending down for the past several years, partially because incidents resulting in ransomware deployment are glaringly and quickly apparent. This speedy detection contrasts with incidents where a sophisticated threat actor is siphoning private data from a network, which typically takes longer to discover.

This behavior parallels the obviousness of the CrowdStrike event. Computers across the network became unavailable, displaying a cryptic message about a failed driver. With this event, we have clarity on the start time, with organizations experiencing blue screens around 04:09 UTC.

Organizations should evaluate how long their teams took to detect the outage and how quickly they could reasonably speculate on the root cause. These metrics matter when threat actors deploy ransomware on a network.

**Response**

As IT teams confirmed the cause of the system issues, organizations scrambled to begin restoring systems. Many organizations struggled with incomplete asset inventories, partially managed devices, and no way to prioritize recovery activities reliably. Some found themselves locked out of the password vaults needed to restore critical systems. Others struggled to scale quickly to reimage laptops of remote users scattered across the country. 

These challenges mirror those expected during a ransomware incident and highlight the importance of maintaining an accurate accounting of IT assets that informs prioritization during recovery. Also, recovery plans must consider the operating environment and support reconstituting services in time frames that align with business objectives.

Organizations should evaluate the effectiveness of their response plans during this event, including their ability to prioritize systems that support critical functions and develop or test the granular recovery plans necessary to expedite the reconstitution of these services. They should also determine where there were gaps in asset management and the underlying causes of those discrepancies.

**Business Continuity**

As IT teams worked around the clock to restore systems and get users back online, this event forced many organizations to execute their business continuity plans and restore mission-critical functions. Organizations frequently confuse BCPs with disaster recovery plans (DRPs), resulting in an inability to execute mission-critical functions during this event.

Organizations frequently experience challenges in this area during a ransomware event, with no plan to reconstitute the capabilities that support mission-critical functions. With several high-profile ransomware attacks affecting health departments across the United States (including one during my tenure as the chief information security officer for the State of Maryland), seemingly simple administrative tasks, such as issuing death certificates, become impossible.

To prepare for ransomware events or other cyber disruptions, organizations should conduct a business impact analysis (BIA) and integrate the outputs into comprehensive BCPs, reducing the risk of protracted business disruption from a ransomware incident.

**Supply Chain and Vendor Risk**

The scale of this event has highlighted the risks of cyber events affecting supply chains more than any event in recent history, with financial transactions stalled, logistics companies unable to deliver goods, and hospitals unable to replenish lifesaving supplies. 

In 2021, Kronos, a human capital and workforce management SaaS provider, experienced substantial downtime due to a ransomware event, preventing employees from being paid and stopping work activities at thousands of organizations around the globe. With many organizations relying on their partners to recover quickly from a cyber incident, few were prepared to sustain operations in the event of an incident affecting their supply chain.

Organizations should consider and plan for cyber incidents that have negative consequences on their supply chains as part of their business continuity plans and ensure their partners do the same. 

**Improving Resilience From This Event**

For organizations affected by the CrowdStrike disruption, there is a unique opportunity to reflect on what went well and what your organization should focus on improving through the lens of a ransomware incident. While the disruption certainly should not be minimized, the reality of a ransomware incident includes exorbitant costs, weeks to months of downtime, regulatory challenges, potential lawsuits, and numerous other adverse effects that represent long-term organizational damage.

For organizations that experienced indirect impact through partners in their supply chain, there is an opportunity to ensure adequate supply chain diversification and contingency planning is happening.

For organizations lucky enough to have not experienced any adverse impact from this event, it's crucial to recognize that this could have happened to your organization just as easily, and it's better to be prepared than to be lucky.

For everyone, this is an opportunity to reflect on what you should be doing to improve your organization's resilience.

**About the Author(s)**

Director–Security, Privacy, and Risk Consulting, RSM US

Chip Stewart is a director in RSM's Security, Privacy, and Risk Consulting practice and the former CISO for the state of Maryland, where his charge was to build a statewide security program from the ground up. In this role, he championed the creation of the MD-ISAC, an advanced cyber-threat intelligence center focused on helping all levels of government in Maryland proactively protect their networks from cyber threats by providing them with real-time information.

Unexpected Lessons Learned From the CrowdStrike Event

Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack."

Thursday, July 25, 2024 14:00

You’re not going to believe this, but there was a lot of misinformation on social media over the weekend after the massive CrowdStrike/Microsoft outage.  

As airlines cancelled flights, hospitals had to reschedule patients and some companies just flat-out couldn’t work on Friday, people were quick to assume that the outage, which was actually caused by a faulty CrowdStrike Falcon update, was a cyber attack. 

Media headlines posed the question: “Cyber attack, or outage?” Social posters quickly assumed this was some sort of “hack.”  

On the one hand, I get it. Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack,” because that’s how they’ve always been displayed in works of fiction or as the generic image of a “hack” anytime there is actually a real cyber attack.  

That’s not to say there aren’t many lessons to be learned from this outage, and at some point, we’ll be ready to dig into those. But also calling this a cyber attack can spread unnecessary FUD, especially when threat actors are trying to capitalize on the outage to spread malware in _actual_ cyber attacks.  

**The one big thing **

Business email compromise (BEC) and ransomware were the top threats observed by Cisco Talos Incident Response (Talos IR) in the second quarter of 2024, accounting for 60 percent of engagements. Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row. There was a slight increase in ransomware where Talos IR responded to Mallox and Underground Team ransomware for the first time this quarter, as well as the previously seen Black Basta and BlackSuit ransomware operations.   

**Why do I care? **

Within BEC attacks, adversaries will compromise legitimate business email accounts and use them to send phishing emails to obtain sensitive information, such as account credentials. Adversaries can also use compromised accounts to send emails with fraudulent financial requests, such as changing bank account information related to payroll or vendor invoices. Targeting employees’ personal mobile devices can be an effective method for initial access because they may not have the same security controls as their corporate devices. Organizations should ensure SMS phishing scams are included in security awareness training for employees.    

**So now what? **

The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts to prevent the spread of BEC. 

**Top security headlines of the week **

**A false narrative spread over the weekend that Southwest Airlines was using a very old version of Windows, which allowed it to escape the CrowdStrike-related outage.** Many news outlets reported that Southwest’s system relies on Windows 3.1, released more than 20 years ago. However, this does not actually appear to be the case, though Southwest’s systems may still be outdated compared to its competitors. Instead, Southwest may have been largely unaffected by the outage simply because it doesn’t use CrowdStrike. Delta, American, Spirit, Frontier, United and Allegiant airlines all reported that they were affected by the outage, forcing the cancellation of thousands of flights across the globe. The source of the story that Southwest uses Windows 3.1 appears to come from posts on social media, the original one of which provided no sources, links or background information to back this statement up. Another popular piece of fake news that made the rounds during the widespread outage was that the Las Vegas Sphere was a victim of the outage, with a fake image spreading online appearing to show the “blue screen of death” on the outside of the concert and event venue. (Kotaku, OSNews) 

**U.K. police arrested a teenager suspected of being a member of the Scattered Spider hacking group and a perpetrator of the massive MGM ransomware attack last year.** The arrest is part of a larger investigation conducted by the National Crime Agency in the U.K. and the U.S.’s FBI into a hacking group that is known to breach networks, steal data and deploy ransomware. While not named explicitly in the arrest announcement, this group is largely known as Scattered Spider. The group breached MGM’s network last year, taking hotel and casino services offline for several days, even just forcing some casino operations to stop altogether. MGM eventually paid a multi-million dollar ransomware to the attackers. Scattered Spider is a group of English-speaking threat actors, some of whom are as young as 16, and commonly communicate via Telegram channels and Discord servers. An English detective involved in the operation stated that the 17-year-old in question was part of a group that “targeted well-known organizations with ransomware, and they have successfully targeted multiple victims around the world, taking from them significant amounts of money.” (Bleeping Computer, Dark Reading) 

**Russian state-sponsored actors or hacktivist groups are likely to try and disrupt the upcoming Olympic games in France via cyber attacks, misinformation campaigns and deepfake photos and videos.** Russia has been excluded from the Summer Olympics because of its involvement in an alleged doping scheme with its athletes and has been increasingly hostile toward the West for its support of Ukraine. Russian threat actors have already been spreading disinformation, with Microsoft warning that some actors have been deploying influencers deploying artificial intelligence to “denigrate the reputation of the \[International Olympic Committee\]” and “creating the expectation of violence” at the Olympics. French authorities have also already arrested a Russian national who the government alleges was planning various events to “destabilize” the games. Researchers from FortiGuard Labs have also reported that there has been a spike of dark web activity among known Russian adversaries, including Cyber Army Russia Reborn and LulzSec, specifically saying they plan to target the Olympics. Russia may also seek to use its influence on hacktivist groups to do its bidding so that the Russian government has plausible deniability in any activities. (Forbes, Financial Times) 

**Can't get enough Talos?**

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

The massive computer outage over the weekend was not a cyber attack, and I’m not sure why we have to keep saying that

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country.
Google-owned Mandiant is tracking the activity cluster under a new moniker APT45, which overlaps with names such as Andariel, Nickel Hyatt,

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country.

Google-owned Mandiant is tracking the activity cluster under a new moniker **APT45**, which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.

"APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said. "APT45 has been the most frequently observed targeting critical infrastructure."

It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau (RGB), the nation's premier military intelligence organization.

APT45 is notably linked to the deployment of ransomware families tracked as SHATTEREDGLASS and Maui targeting entities in South Korea, Japan, and the U.S. in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.

"It is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities," Mandiant said.

Another notable malware in its arsenal is a backdoor dubbed Dtrack (aka Valefor and Preft), which was first used in a cyber attack aimed at the Kudankulam Nuclear Power Plant in India in 2019, marking one of the few publicly known instances of North Korean actors striking critical infrastructure.

"APT45 is one of North Korea's longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

"As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country's leadership."

The findings come as security awareness training firm KnowBe4 said it was tricked into hiring an IT worker from North Korea as a software engineer, who used a stolen identity of a U.S. citizen and enhanced their picture using artificial intelligence (AI).

"This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a U.S. citizen participating in several rounds of video interviews and circumvented background check processes commonly used by companies," the company said.

The IT worker army, assessed to be part of the Workers' Party of Korea's Munitions Industry Department, has a history of seeking employment in U.S.-based firms by pretending to be located in the country when they are actually in China and Russia and logging-in remotely through company-issued laptops delivered to a "laptop farm."

KnowBe4 said it detected suspicious activities on the Mac workstation sent to the individual on July 15, 2024, at 9:55 p.m. EST that consisted of manipulating session history files, transferring potentially harmful files, and executing harmful software. The malware was downloaded using a Raspberry Pi.

Twenty-five minutes later, the Florida-based cybersecurity company said it contained the employee's device. There is no evidence that the attacker gained unauthorized access to sensitive data or systems.

"The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs," KnowBe4's chief executive Stu Sjouwerman said.

"This case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Shift from Cyber Espionage to Ransomware Attacks

Red Hat Security Advisory 2024-4831-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4831.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel-rt security updateAdvisory ID:        RHSA-2024:4831-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4831Issue date:         2024-07-24Revision:           03CVE Names:          CVE-2021-47459====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: vmwgfx: multiple flaws (CVE-2022-36402, CVE-2022-40133, CVE-2022-38457, CVE-2023-5633)* kernel: nftables: (CVE-2024-26581)* kernel: uio: (CVE-2023-52439)* kernel: smb: (CVE-2023-52434)* kernel: intel: (CVE-2023-52450)* kernel: net: multiple flaws (CVE-2023-52578, CVE-2024-36978, CVE-2022-48743)* kernel: Bluetooth: (CVE-2023-52518)* kernel: netfilter: multiple flaws (CVE-2024-26668, CVE-2024-26808, CVE-2024-26925, CVE-2024-27020, CVE-2024-27019, CVE-2024-27016, CVE-2024-27065, CVE-2024-35899, CVE-2024-35897)* kernel: hv_netvsc: (CVE-2024-26698)* kernel: ext4: multiple flaws (CVE-2024-26704, CVE-2024-26773)* kernel: net/sched: (CVE-2024-26739)* kernel: vfio/pci: (CVE-2024-26810)* kernel: dm: (CVE-2024-26880)* kernel: af_unix: multiple flaws (CVE-2024-26923, CVE-2024-38596)* kernel: scsi: multiple flaws (CVE-2024-26931, CVE-2024-26929, CVE-2023-52811, CVE-2024-36025, CVE-2024-36924, CVE-2024-36952)* kernel: Squashfs: (CVE-2024-26982)* kernel: KVM: (CVE-2024-35791)* kernel: ipv6: (CVE-2024-27417)* kernel: drm/client: (CVE-2024-35950)* kernel: sched/psi: (CVE-2023-52707)* kernel: can: (CVE-2021-47459)* kernel: tcp: (CVE-2024-36904)* kernel: tls: (CVE-2024-36489)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-47459References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2133451https://bugzilla.redhat.com/show_bug.cgi?id=2133453https://bugzilla.redhat.com/show_bug.cgi?id=2133455https://bugzilla.redhat.com/show_bug.cgi?id=2218195https://bugzilla.redhat.com/show_bug.cgi?id=2218212https://bugzilla.redhat.com/show_bug.cgi?id=2245663https://bugzilla.redhat.com/show_bug.cgi?id=2262241https://bugzilla.redhat.com/show_bug.cgi?id=2265185https://bugzilla.redhat.com/show_bug.cgi?id=2265271https://bugzilla.redhat.com/show_bug.cgi?id=2265285https://bugzilla.redhat.com/show_bug.cgi?id=2265649https://bugzilla.redhat.com/show_bug.cgi?id=2267758https://bugzilla.redhat.com/show_bug.cgi?id=2267799https://bugzilla.redhat.com/show_bug.cgi?id=2272797https://bugzilla.redhat.com/show_bug.cgi?id=2273117https://bugzilla.redhat.com/show_bug.cgi?id=2273174https://bugzilla.redhat.com/show_bug.cgi?id=2273236https://bugzilla.redhat.com/show_bug.cgi?id=2273270https://bugzilla.redhat.com/show_bug.cgi?id=2273405https://bugzilla.redhat.com/show_bug.cgi?id=2273654https://bugzilla.redhat.com/show_bug.cgi?id=2275690https://bugzilla.redhat.com/show_bug.cgi?id=2277166https://bugzilla.redhat.com/show_bug.cgi?id=2277171https://bugzilla.redhat.com/show_bug.cgi?id=2278245https://bugzilla.redhat.com/show_bug.cgi?id=2278250https://bugzilla.redhat.com/show_bug.cgi?id=2278256https://bugzilla.redhat.com/show_bug.cgi?id=2278258https://bugzilla.redhat.com/show_bug.cgi?id=2278264https://bugzilla.redhat.com/show_bug.cgi?id=2278337https://bugzilla.redhat.com/show_bug.cgi?id=2278380https://bugzilla.redhat.com/show_bug.cgi?id=2281052https://bugzilla.redhat.com/show_bug.cgi?id=2281097https://bugzilla.redhat.com/show_bug.cgi?id=2281667https://bugzilla.redhat.com/show_bug.cgi?id=2281672https://bugzilla.redhat.com/show_bug.cgi?id=2281942https://bugzilla.redhat.com/show_bug.cgi?id=2282615https://bugzilla.redhat.com/show_bug.cgi?id=2282743https://bugzilla.redhat.com/show_bug.cgi?id=2282898https://bugzilla.redhat.com/show_bug.cgi?id=2284421https://bugzilla.redhat.com/show_bug.cgi?id=2284506https://bugzilla.redhat.com/show_bug.cgi?id=2284541https://bugzilla.redhat.com/show_bug.cgi?id=2284598https://bugzilla.redhat.com/show_bug.cgi?id=2293078https://bugzilla.redhat.com/show_bug.cgi?id=2293316https://bugzilla.redhat.com/show_bug.cgi?id=2293371https://bugzilla.redhat.com/show_bug.cgi?id=2293687

Red Hat Security Advisory 2024-4831-03

Red Hat Security Advisory 2024-4823-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service, double free, and information leakage vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4823.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security update  
Advisory ID:        RHSA-2024:4823-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4823  
Issue date:         2024-07-24  
Revision:           03  
CVE Names:          CVE-2021-47459  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

* kernel: vmwgfx: multiple flaws (CVE-2022-36402, CVE-2022-40133, CVE-2022-38457, CVE-2023-5633)

* kernel: nftables: (CVE-2024-26581)

* kernel: uio: (CVE-2023-52439)

* kernel: smb: (CVE-2023-52434)

* kernel: intel: (CVE-2023-52450)

* kernel: net: multiple flaws (CVE-2023-52578, CVE-2024-36978, CVE-2022-48743)

* kernel: Bluetooth: (CVE-2023-52518)

* kernel: netfilter: multiple flaws (CVE-2024-26668, CVE-2024-26808, CVE-2024-26925, CVE-2024-27020, CVE-2024-27019, CVE-2024-27016, CVE-2024-27065, CVE-2024-35899, CVE-2024-35897)

* kernel: hv_netvsc: (CVE-2024-26698)

* kernel: ext4: multiple flaws (CVE-2024-26704, CVE-2024-26773)

* kernel: net/sched: (CVE-2024-26739)

* kernel: vfio/pci: (CVE-2024-26810)

* kernel: dm: (CVE-2024-26880)

* kernel: x86/xen: (CVE-2024-26908)

* kernel: af_unix: multiple flaws (CVE-2024-26923, CVE-2024-38596)

* kernel: scsi: multiple flaws (CVE-2024-26931, CVE-2024-26929, CVE-2023-52811, CVE-2024-36025, CVE-2024-36924, CVE-2024-36952)

* kernel: Squashfs: (CVE-2024-26982)

* kernel: KVM: (CVE-2024-35791)

* kernel: ipv6: (CVE-2024-27417)

* kernel: drm/client: (CVE-2024-35950)

* kernel: sched/psi: (CVE-2023-52707)

* kernel: can: (CVE-2021-47459)

* kernel: tcp: (CVE-2024-36904)

* kernel: tls: (CVE-2024-36489)

* The kernel packages contain the Linux kernel, the core of any Linux operating system.

* Security Fix(es):

* * kernel: vmwgfx: race condition leading to information disclosure vulnerability (CVE-2023-33951,ZDI-23-707,ZDI-CAN-20110)

* * kernel: vmwgfx: double free within the handling of vmw_buffer_object objects (CVE-2023-33952,ZDI-23-708,ZDI-CAN-20292)

* * kernel: stack overflow problem in Open vSwitch kernel module leading to DoS (CVE-2024-1151)

* For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47459

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2133451  
https://bugzilla.redhat.com/show_bug.cgi?id=2133453  
https://bugzilla.redhat.com/show_bug.cgi?id=2133455  
https://bugzilla.redhat.com/show_bug.cgi?id=2218195  
https://bugzilla.redhat.com/show_bug.cgi?id=2218212  
https://bugzilla.redhat.com/show_bug.cgi?id=2245663  
https://bugzilla.redhat.com/show_bug.cgi?id=2262241  
https://bugzilla.redhat.com/show_bug.cgi?id=2265185  
https://bugzilla.redhat.com/show_bug.cgi?id=2265271  
https://bugzilla.redhat.com/show_bug.cgi?id=2265285  
https://bugzilla.redhat.com/show_bug.cgi?id=2265649  
https://bugzilla.redhat.com/show_bug.cgi?id=2267758  
https://bugzilla.redhat.com/show_bug.cgi?id=2267799  
https://bugzilla.redhat.com/show_bug.cgi?id=2272797  
https://bugzilla.redhat.com/show_bug.cgi?id=2273117  
https://bugzilla.redhat.com/show_bug.cgi?id=2273174  
https://bugzilla.redhat.com/show_bug.cgi?id=2273236  
https://bugzilla.redhat.com/show_bug.cgi?id=2273270  
https://bugzilla.redhat.com/show_bug.cgi?id=2273405  
https://bugzilla.redhat.com/show_bug.cgi?id=2273654  
https://bugzilla.redhat.com/show_bug.cgi?id=2275690  
https://bugzilla.redhat.com/show_bug.cgi?id=2275744  
https://bugzilla.redhat.com/show_bug.cgi?id=2277166  
https://bugzilla.redhat.com/show_bug.cgi?id=2277171  
https://bugzilla.redhat.com/show_bug.cgi?id=2278245  
https://bugzilla.redhat.com/show_bug.cgi?id=2278250  
https://bugzilla.redhat.com/show_bug.cgi?id=2278256  
https://bugzilla.redhat.com/show_bug.cgi?id=2278258  
https://bugzilla.redhat.com/show_bug.cgi?id=2278264  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278380  
https://bugzilla.redhat.com/show_bug.cgi?id=2281052  
https://bugzilla.redhat.com/show_bug.cgi?id=2281097  
https://bugzilla.redhat.com/show_bug.cgi?id=2281667  
https://bugzilla.redhat.com/show_bug.cgi?id=2281672  
https://bugzilla.redhat.com/show_bug.cgi?id=2281942  
https://bugzilla.redhat.com/show_bug.cgi?id=2282615  
https://bugzilla.redhat.com/show_bug.cgi?id=2282743  
https://bugzilla.redhat.com/show_bug.cgi?id=2282898  
https://bugzilla.redhat.com/show_bug.cgi?id=2284421  
https://bugzilla.redhat.com/show_bug.cgi?id=2284506  
https://bugzilla.redhat.com/show_bug.cgi?id=2284541  
https://bugzilla.redhat.com/show_bug.cgi?id=2284598  
https://bugzilla.redhat.com/show_bug.cgi?id=2293078  
https://bugzilla.redhat.com/show_bug.cgi?id=2293316  
https://bugzilla.redhat.com/show_bug.cgi?id=2293371  
https://bugzilla.redhat.com/show_bug.cgi?id=2293687

Red Hat Security Advisory 2024-4823-03

DDoS cyberattack campaign averaged 4.5 million requests per second, putting the bank under attack 70% of the time.

Source: VideoFlow via Shutterstock

A distributed denial-of-service (DDoS) attack targeting a financial institution in the United Arab Emirates set records for the duration of the cyberattack and the sustained volume of requests.

The attack — attributed to pro-Palestinian hacktivist group BlackMeta, also known as DarkMeta — lasted six days and included multiple waves of Web requests lasting anywhere from four to 20 hours, targeting the financial institution's site. Overall, it lasted more than 100 hours in total, averaging 4.5 million requests per second, cybersecurity firm Radware stated in an advisory published this week.

The DDoS attack represents a significant departure from the standard hacktivist denial-of-service attacks, says Pascal Geenens, director of threat intelligence for Radware.

"Those attacks were lasting between 60 seconds and five minutes — they came, they hit hard, and they go away after one to five minutes," he says. "Now, in the case of this attack, the campaign in total lasted six days, and in those six days, 70% of the time, that customer was being targeted by an average of 4.5 million requests."

BlackMeta, also known as SN\_BlackMeta, appeared in November 2023 and has a history of claiming responsibility for attacks against organizations in Israel, the United Arab Emirates, and the United States. In May, the group claimed responsibility for a multiday denial-of-service attack on the San Francisco-based Internet Archive. In April, the group claimed to have attacked the Israel-based infrastructure of the Orange Group, a French provider of telecommunication services in Europe, the Middle East, and Africa. The group also targeted organizations in Saudi Arabia, Canada, and the United Arab Emirates.

**DDoS Attacks for $500 a Month**

The BlackMeta group announced its intent to attack the financial institution on Telegram in the days leading up to the operation. The cyberattack inundated the financial firm's website with requests, causing the share of legitimate requests to plummet to as low as 0.002%, with an average of 0.12%. The attacks continued for 70% of the time during the six-day period.

Bandwidth captures showing the attack over six days. Source: Radware

The attackers used a cybercrime service known as InfraShutdown, which allows attackers to target sites for $500 to $625 a week, according to Radware's advisory.

BlackMeta is primarily motivated by a pro-Palestinian ideology, but similar to Anonymous Sudan, has an anti-Western stance, and appears to have links with Russia, and uses Arabic, English, and Russian in its posts, Radware stated.

"The group positions its attacks as retribution for perceived injustices against Palestinians and Muslims," the company stated. "Their targets typically include critical infrastructure such as banking systems, telecommunication services, government websites and major tech companies, all reflecting a strategy to disrupt entities viewed as complicit in or supportive of their adversaries."

**Profiting from DDoS Service?**

BlackMeta is likely a rebrand of Anonymous Sudan, a group that made a name for itself last year attacking targets along with the loose-knit pro-Russian Killnet group, according to the researchers. Anonymous Sudan targeted Israeli organizations and the encrypted messaging service Telegram in 2023. Comparing the number of claimed attacks by month over the past year and a half shows Anonymous Sudan's activity dwindling at the same time that BlackMeta's was ramping up.

Anonymous Sudan advertised its InfraShutdown DDoS attack service during previous attacks, urging other would-be attackers to sign up, which means the group is likely financially benefiting from its "hacktivism."

"If the actors behind \[BlackMeta\] are in any way related to or support Anonymous Sudan, the premium InfraShutdown service is highly likely to be the origin of the 14.7 million \[requests-per-second\], 100-hour attack campaign," Radware stated in its advisory

Rate-limiting the bandwidth during such attacks is not a solution to sustained application-layer attacks, because a company would have to be able to differentiate between the 1.5 billion legitimate requests reaching the website over a six-day period, and the 1.25 trillion malicious requests targeting the site, Geenens says.

"With the attacks going to Layer 7 — the application layer — the problem has shifted," he says. "Before we were at the network level, you could use a firewall, but that is too much processing power, so we moved to network protection. But when you move one layer up \[to Layer 7\], they can target specific pages and randomize the queries that they put in, so they make it look like legitimate posts."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Pro-Palestinian Actor Levels 6-Day DDoS Attack on UAE Bank

Small businesses are increasingly being targeted by cyberattackers. Why, then, are security features priced at a premium?

Source: Song\_about\_summer via Shutterstock

Small and midsize businesses (SMBs) are more vulnerable to attacks because software companies, cloud service providers, and technology makers either charge for safety features that should be offered at every service tier or fail to offer the features at all.

Earlier this year, at least 165 customers of data-services provider Snowflake were compromised — and one reason was because the firm did not offer a way to easily require all users to enable multifactor authentication (MFA), cybersecurity experts say. And just last year, a nonprofit organization failed to detect an attack because, among other reasons, its Microsoft 365 license level of "E3" did not come with logging features that were available to organizations on the more expensive "E5" plan, incident responders stated at the time.

Software makers and service providers need to offer effective security features as a safety measure to every tier of service and not create a cybersecurity gap between the "cyber poor" and enterprises that can afford extra security, says Kymberlee Price, CEO and co-founder of Zatik, a provider of fractional security expertise targeting smaller businesses.

"If vendors do not change the way they price security, if they don't put seatbelts in the base model, then software liability is inevitable," Price says.

Finding ways to secure the cyber poor — those companies and organizations that cannot afford dedicated cybersecurity professionals or high-priced security systems — has become a critical effort worldwide. In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) pledged to find ways to help the smallest organizations, which typically do not have budgets for information technology, let alone information security. Security compromises can result in business failures and significant stress-related problems for small-business owners.

Driving security down to the smallest firms is critical to promote security across the business ecosystem, as larger companies count SMBs among their vendors, contractors, and partners, says Saeed Abbasi, product manager of vulnerability research at Qualys.

"Strengthening cybersecurity in SMBs is essential for protecting their assets and safeguarding larger business ecosystems, as these small businesses often serve as links in broader supply chains," he says. "Moreover, proactive cybersecurity costs are typically lower than the potential losses from data breaches."

**Delivering More Security By Default**

Defining the difference between what should be a security product in its own right and what should be a security feature is not easy, Price acknowledges. Single sign-on capabilities, such as Okta, would be obviously considered as a security service, but a feature in another product to connect to Okta's SSO should not require purchasing a higher tier, Price says.

"If there's some completely new innovation that revolutionizes the way security works ... that's going to involve development and other costs," so charging extra for that seems fair, she says. "But at this point, so many of these features \[are the equivalent of\] backup cameras, which were an LX-model option when they first came out, but now they're standard in the base models."

Among the safety features Price says she would like to see: Firms should be given the ability to require and monitor two-factor authentication across the business, single sign-on integration should be a base-tier feature, and role-based access controls that split administration and normal user functions should be standard. In addition, companies should start offering audit trails in every application by default and the ability for an administrator to revoke access to users.

For Snowflake, it was not a matter of charging extra for a MFA but of not enabling a feature that cybersecurity professionals have long advocated for. On the platform, individuals could opt into MFA, but company administrators had no power to require the security for every user in their organizations, said Ofer Maor, co-founder and CTO at threat response firm Mitiga, in an interview last month.

"Snowflake not only does not require MFA, but it also makes it very hard for administrators to enforce this," he said. "Unlike other \[software-as-a-service\] platforms, where an admin of a tenant can require MFA for all users in the tenant, in Snowflake this option is not available. The only way for the admin to attempt to enforce it is by manually reviewing every user in the system to see if they voluntarily enabled MFA and, if not, ask them to do so."

Both Snowflake and Microsoft now offer the requested security features on their platforms. As of July 9, administrators can require MFA by default for Snowflake, and Microsoft changed its policy on the cost of logging last year, following criticism of its licenses.

**Make Cyber Safety Easy, Available in Lowest Tiers**

Because SMBs often do not have their own IT specialist, not to mention a skilled cybersecurity expert, offering easy-to-use basic security is paramount. There needs to be a path to drive security down to every user, says Narayana Pappu, CEO at Zendata, a data security and compliance firm.

"SMBs usually lack security expertise in-house, don't have resources to implement nor maintain a solution, and usually carry security risks that can put them out of business if or when a security incident occurs," he says. "These are great reasons to drive good security down to the SMB level — in a connected ... world, you are only as strong as your weakest link."

While generative artificial intelligence and the latest large-language models could provide some companies more security, the cost may still be prohibitive and rarely are such features offered at the base level.

Instead, cybersecurity and software firms should provide basic, effective security in every product at the base service tier, says Zatik's Price, who stresses that she is not against charging everyone a bit extra to make the feature available. However, all tiers should offer the most effective security measures, she says.

"There's no version of a car that does not include seatbelts on the market today," she says. "Are seatbelts free? No, they're baked into the cost of that car. \[Similarly\], we're not saying that all security should be free and zero cost."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#intel