Plus: The FBI unlocks the Trump shooter’s phone, a security researcher gets legal threats for exposing hackable traffic lights, and more.

The week was particularly chock-full of dramatic security news. On Friday, a flawed update to CrowdStrike’s Falcon platform caused massive global service outages and disruptions around the world. The issue, which only impacted Windows computers, crashed PCs and servers, disrupting air travel, hospitals, banks, universities, and more.

Earlier in the week, WIRED had reported that following a massive data breach, AT&T paid $370,000 to get hackers to delete the stolen data. And, though it’s always possible that attackers saved a copy of the trove, a security researcher with knowledge of the transaction told WIRED he believes the only copy has been wiped. In a separate incident, hackers claimed last week to have stolen and leaked more than a terabyte of data comprising Disney’s complete Slack archive.

A WIRED analysis of Republican vice presidential nominee J.D. Vance’s Venmo account sheds some light on the Senator’s network and connections, including some of the architects of Project 2025 and enemies of Vance’s running mate, Donald Trump.

Federal prosecutors indicted a 20-year-old man on Tuesday for allegedly leading the violent and White supremacist Eastern European gang known as “Maniac Murder Cult,” or MKY. The group has been implicated in a number of assaults and attacks abroad, including at least one murder.

The US Supreme Court’s recent decision in _Loper Bright Enterprises v. Raimondo_ to overturn what’s known as the Chevron deference will have major implications for US cybersecurity defense, because federal agencies are now limited in their ability to regulate. And US senator Mark Warner of Virginia is working to pass new limits on government wiretaps, but at least two senators are quietly trying to stop him.

And there’s more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Russian Hacktivists Who Attacked US Water Utilities Named and Sanctioned**

Sometimes “Julia,” the shadowy, pseudonymous Russian hacker telling you her grand plans to sabotage the West, really is just Julia. Or Yuliya.

On Friday, the Treasury Department announced that it is imposing sanctions on two alleged Russian cybercriminals for their alleged involvement in the hacktivist group Cyber Army of Russia Reborn, or CARR, which rose to prominence this year due to its reckless and somewhat sloppy attacks on Western critical infrastructure, as well as its apparent ties to Russia’s GRU military intelligence agency. Those two sanctioned hackers are identified in Treasury’s statement for the first time as Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko.

In May, WIRED interviewed a CARR spokesperson who called herself Julia about the group’s attacks, which included one that caused tens of thousands of gallons of water to be spilled from a water utility in the small town of Muleshoe, Texas. That spokesperson now appears to have likely been Pankratova, who is identified by Treasury as CARR’s spokesperson, while Degtyarenko is described as its “primary hacker.”

Treasury also notes that “instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication,” a line that, for any hacker, may hurt even worse than sanctions.

**FBI Gains Access to Trump Shooter’s Locked Phone**

For anyone who thought the locked phone of would-be Trump assassin Thomas Crooks was about to lead to another standoff between the FBI and the tech industry’s privacy advocates—standoff over. Immediately following the assassination attempt, which ended when Crooks was shot and killed by police, Crooks’ locked Android phone was unlocked by the FBI, the Bureau announced last weekend. Though the FBI didn’t reveal how it was able to crack the phone, Bloomberg reported later this week that law enforcement used “unreleased technology” from the phone-hacking software company Cellebrite.

**Security Researcher Shows Traffic Lights Are Hackable—and Gets a Legal Threat**

Hacking traffic lights has long been one of Hollywood’s favorite ideas of cyber mayhem, from the _Italian Job_ to _Live Free or Die Hard_. If only cyber defenders had known all along that they could prevent all that traffic hacking with a strongly worded letter from their lawyer.

This week, Andrew Lemon, a researcher for security firm Red Threat, published a pair of blog posts that outline how it would be possible to hack traffic light systems sold by the company Econolite due to a lack of authentication in their web interface. While the software had safeguards in place that would have prevented tampering with the lights to cause collisions, a hacker could nonetheless have messed with their configuration to cause traffic jams, Lemon found. When Lemon reported the issues to Econolite, however, its parent company, Q-Free, responded in a letter that not only didn’t suggest it would fix the issue—it said it no longer sells the systems—but also threatened Lemon by pointing out his hacking research was potentially illegal. A company spokesperson told TechCrunch, which broke the story, that municipalities that use the vulnerable system should not leave the traffic light software exposed online and should buy newer systems to replace them.

**North Korean Hackers Steal $230 Million in Crypto From WazirX Exchange**

Another week, another nine-figure injection of digital funds into the world’s most authoritarian country. WazirX, India’s largest cryptocurrency exchange, was hacked this week and robbed of nearly a quarter-billion dollars in crypto, largely in the form of SHIB, a Shiba Inu-themed cryptocurrency. Crypto-tracing firm Elliptic quickly tied the attack to North Korean hackers. That absurd and disturbing crime adds significantly to the $1.4 billion that hackers have stolen in crypto so far this year, which was already on pace to double last year’s total cryptocurrency thefts.

The Feds Say These Are the Russian Hackers Who Attacked US Water Utilities

Swindlers are spinning up bogus websites in an attempt to dupe people with “CrowdStrike support” scams following the security firm's catastrophic software update.

The security firm CrowdStrike inadvertently caused mayhem around the world on Friday after deploying a faulty software update to the company's Falcon monitoring platform that bricked Windows computers running the product. Fallout from the incident will take days to resolve, and the company is warning that, as system administrators and IT staff work on remediation, another threat is looming: predatory digital scams attempting to capitalize on the crisis.

Researchers on Friday afternoon began warning that attackers are reserving domain names and starting to spin up websites and other infrastructure to run “CrowdStrike Support” scams targeting the company's customers and anyone who might be impacted by the chaos. CrowdStrike's own researchers also warned about the activity on Friday and published a list of domains seemingly registered to impersonate the company.

“We know that adversaries and bad actors will try to exploit events like this,” CrowdStrike founder and CEO George Kurtz wrote in a statement. “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates."

Attackers inevitably take advantage of prominent global events as well as topical issues in specific geographic areas to try to trick people into sending them money, steal target account credentials, or compromise victims with malware.

“Threat actors invariably attempt to capitalize on any major event,” says Brett Callow, managing director of cybersecurity and data privacy communications at FTI Consulting. “Whenever an organization experiences an incident, it's something customers and business partners should be prepared for.”

While most individuals are not personally responsible for addressing CloudStrike-related computer outages, the incident is ripe for exploitation because some of the IT professionals working on remediation could be desperate for solutions. In most cases, the fix for impacted computers involves individually booting and correcting each one—a potentially time-consuming and logistically difficult process. And for small-business owners who don't have access to extensive IT expertise, the challenge may be particularly daunting.

Researchers, including those from CrowdStrike intelligence, have thus far seen attackers sending phishing emails or making phone calls where they pretend to be CrowdStrike support staff and selling software tools that claim to automate the process of recovering from the faulty software update. Some attackers are also pretending to be researchers and claiming to have special information vital to recovery—that the situation is actually the result of a cyberattack, which it's not.

CrowdStrike emphasizes that customers should confirm that they are communicating with legitimate company staff members and only trust the company's official corporate communications.

“Speedy alerts to employees outlining potential risks will help,” Callow says of how CloudStrike customers should work to defend themselves. "Forewarned is forearmed."

Don't Fall for CrowdStrike Outage Scams

The Coalition for Secure AI is a consortium of influential AI companies aiming to develop tools to secure AI applications and set up an ecosystem for sharing best practices.

Source: ElenaBS via Alamy Stock Photo

The largest and most influential artificial intelligence (AI) companies are joining forces to map out a security-first approach to the development and use of generative AI.

The Coalition for Secure AI, also called CoSAI, aims to provide the tools to mitigate the risks involved in AI. The goal is to create standardized guardrails, security technologies, and tools for the secure development of models.

"Our initial workstreams include AI and software supply chain security and preparing defenders for a changing cyber landscape," CoSAI said in a statement.

The initial efforts include creating a secure bubble and systems of checks and balances around the access and use of AI, and creating a framework to protect AI models from cyberattacks, according to Google, one of the coalition's founding members. Google, OpenAI, and Anthropic own the most widely used large language models (LLMs). Other members include infrastructure providers Microsoft, IBM, Intel, Nvidia, and PayPal.

"AI developers need — and end users deserve — a framework for AI security that meets the moment and responsibly captures the opportunity in front of us. CoSAI is the next step in that journey, and we can expect more updates in the coming months," wrote Google's vice president of security engineering, Heather Adkins, and Google Cloud's chief information security officer, Phil Venables.

**AI Safety as a Priority**

AI safety has raised a host of cybersecurity concerns since the launch of ChatGPT in 2022. Those include misuse for social engineering to penetrate systems and the creation of deepfake videos to spread misinformation. At the same time, security firms, such as Trend Micro and CrowdStrike, are now turning to AI to help companies root out threats.

AI safety, trust, and transparency are important as results could steer organizations into faulty — and sometimes harmful — actions and decisions, says Gartner analyst Avivah Litan.

"AI cannot run on its own without guardrails to rein it in — errors and exceptions need to be highlighted and investigated," Litan says.

AI security issues could multiply with technologies such as AI agents, which are add-ons that generate more accurate answers from custom data.

"The right tools need to be in place to automatically remediate all but the most opaque exceptions," Litan says.

US President Joe Biden has challenged the private sector to prioritize AI safety and ethics. His concern was around AI's potential to propagate inequity and to compromise national security.

In July 2023, President Biden issued an executive order that required commitments from major companies that are now part of CoSAI to develop safety standards, share safety test results, and prevent AI's misuse for biological materials and fraud and deception.

CoSAI will work with other organizations, including the Frontier Model Forum, Partnership on AI, OpenSSF, and MLCommons, to develop common standards and best practices.

MLCommons this week told Dark Reading that in fall this year it will release an AI safety benchmarking suite that will rate LLMs on responses related to hate speech, exploitation, child abuse, and sex crimes.

CoSAI will be managed by OASIS Open, which, like the Linux Foundation, manages open source development projects. OASIS is best known for its work around the XML standard and for the ODF file format, which is an alternative to Microsoft Word's .doc file format.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Tech Giants Agree to Standardize AI Security

A defective CrowdStrike kernel driver sent computers around the globe into a reboot death spiral, taking down air travel, hospitals, banks, and more with it. Here’s how that’s possible.

Only a handful of times in history has a single piece of code managed to instantly wreck computer systems worldwide. The Slammer worm of 2003. Russia’s Ukraine-targeted NotPetya cyberattack. North Korea’s self-spreading ransomware WannaCry. But the ongoing digital catastrophe that rocked the internet and IT infrastructure around the globe over the past 12 hours appears to have been triggered not by malicious code released by hackers, but by the software designed to stop them.

A software update from cybersecurity company CrowdStrike appears to have inadvertently disrupted IT systems globally.

Two internet infrastructure disasters collided on Friday to produce disruptions around the world in airports, train systems, banks, health care organizations, hotels, television stations, and more. On Thursday night, Microsoft’s cloud platform Azure experienced a widespread outage. By Friday morning, the situation turned into a perfect storm when the security firm CrowdStrike released a flawed software update that sent Windows computers into a catastrophic reboot spiral. A Microsoft spokesperson tells WIRED that the two IT failures are unrelated.

The cause of one of those two disasters, at least, has become clear: buggy code pushed out as an update to CrowdStrike’s Falcon monitoring product, essentially an antivirus platform that runs with deep system access on “endpoints” like laptops, servers, and routers to detect malware and suspicious activity that could indicate compromise. Falcon requires permission to update itself automatically and regularly, since CrowdStrike is constantly adding detections to the system to defend against new and evolving threats. The downside of this arrangement, though, is the risk that this system, which is meant to enhance security and stability, could end up undermining it instead.

“It's the biggest case in history. We’ve never had a worldwide workstation outage like this,” says Mikko Hyppönen, the chief research officer at cybersecurity company WithSecure. Around a decade ago, Hyppönen says, widespread outages were more common due to the spread of worms or trojans. More recently, global outages have happened on the “server side” of systems, meaning outages often stem from cloud providers such as Amazon’s Web Services, internet cable cuts, or authentication and DNS issues.

CrowdStrike CEO George Kurtz said on Friday that the issues were caused by a “defect” in code the company released for Windows. Mac and Linux systems were not affected. “The issue has been identified, isolated and a fix has been deployed,” Kurtz said in a statement, adding the problems were not the result of a cyberattack. In an interview with NBC, Kurtz apologized for the disruption and said it may take some time for things to be back to normal.

The widespread Windows outages have been linked to a software update from cybersecurity giant ​​CrowdStrike. It is believed the issues are not linked to a malicious cyberattack, cybersecurity officials say, but rather stem from a misconfigured/corrupted update that CrowdStrike pushed out to its customers.

Security and IT analysts searching for the root cause of the gargantuan outage say that it appears to be related to a “kernel driver” update to CrowdStrike’s Falcon software. Kernel drivers are the software components that allow applications to interact with Windows at its deepest level, the core of the operating system known as its kernel. That highly sensitive level of access is necessary for security software, so that it can run prior to any malicious software installed on the system and access any part of the system where hackers might seek to plant their code. As malware has improved and evolved, it has pushed defense software to require constant connection and more extensive control.

That deeper access also introduces a far higher possibility that security software—and updates to that software—will crash the whole system, says Matthieu Suiche, head of detection engineering at the security firm Magnet Forensics. He compares running malicious code detection software at the kernel level of an operating system to “open-heart surgery.”

Yet it’s nonetheless surprising that a kernel driver update would be able to cause such a massive global computer crash, says Costin Raiu, who worked at Russian security software firm Kaspersky for 23 years and led its threat intelligence team before leaving the company last year. During his years at Kaspersky, he says, driver updates for Windows software were closely scrutinized and tested for weeks before they were pushed out.

More importantly, they require that Microsoft also vet the code and cryptographically sign it, suggesting that Microsoft, too, may well have missed whatever bug in CrowdStrike’s Falcon driver triggered this outage. “It’s surprising that with the extreme attention paid to driver updates, this still happened,” says Raiu. “One simple driver can bring down everything. Which is what we saw here.”

A Microsoft spokesperson told WIRED that the “CrowdStrike update was responsible for bringing down a number of IT systems globally,” and added that “Microsoft does not have oversight into updates that CrowdStrike makes in its systems,” without further explanation of whether Microsoft does in fact inspect and sign kernel driver updates.

Raiu adds that even so, CrowdStrike is far from the only security firm to trigger Windows crashes with a driver update. Updates to Kaspersky and even Windows’ own built-in antivirus software Windows Defender have caused similar Blue Screen of Death crashes in years past, he notes. “Every security solution on the planet has had their CrowdStrike moments,” Raiu says. “This is nothing new but the scale of the event.”

Cybersecurity authorities around the world have issued alerts about the disruption, but have similarly been quick to rule out any nefarious activity by hackers. “The NCSC assesses that these have not been caused by malicious cyber attacks,” Felicity Oswald, CEO of the UK’s National Cyber Security Center, said. Officials in Australia have come to the same conclusion.

Nevertheless, the impact has been sweeping and dramatic. Around the world, the outages have been spiraling as companies, public bodies, and IT teams race to fix bricked machines, which involves manually taking machines through a series of corrective steps, including rebooting. In the UK, Israel, and Germany, health care services and hospitals saw systems that they use to communicate with patients disrupted, and canceled some appointments. Emergency services in the US using 911 have reportedly had problems with their lines too. In the earliest hours of the outages, some TV stations, including Sky News in the UK, stopped live news broadcasts.

Global air travel has been one of the most impacted sectors so far. Huge lines formed at airports around the world, with one airport in India using handwritten boarding passes. In the US, Delta, United, and American Airlines grounded all flights at least temporarily, with a dramatic graphic showing air traffic plummeting above the US.

The catastrophic situation reflects the fragility and deep interconnectedness of the internet. Numerous security practitioners told WIRED that they anticipated or even worked with clients to attempt to protect against a scenario where defense software itself caused cascading failures as a result of malicious exploitation or human error, as is the case with CrowdStrike. “This is an incredibly powerful illustration of our global digital vulnerabilities and the fragility of core internet infrastructure,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Center.

The ability of one update to trigger such massive disruption still puzzles Raiu. According to Gartner, a market research firm, CrowdStrike accounts for 14 percent of the security software market by revenue, meaning its software is on a wide array of systems. Raiu suggests that the Falcon update must have triggered crashes in other parts of web infrastructure, which could have multiplied the disaster. “CrowdStrike is big, but it can’t be this big,” Raiu says. “Airports, critical infrastructure, hospitals. It cannot be just CrowdStrike everywhere. I suspect we’re seeing a combination of factors, a cascading effect, a chain reaction.”

Hyppönen, from WithSecure, says his “guess” is that the issues may have happened due to “human error” in the update process. “An engineer at CrowdStrike is having a really bad day,” he says. Hyppönen suggests that CrowdStrike could have shipped software different to what they had been testing or mixed up files, or there could’ve been a combination of different factors. “Software like this has to go through extensive testing,” Hyppönen says. “That's what we do. That's what CrowdStrike, of course, does. You have to be really careful about what you ship, which is tough to do because security software is updated very frequently.”

While many of the impacts of the outage are ongoing and still unraveling, the nature of the problem means that individually impacted machines may need to be rebooted manually rather than through an automated process. “It could be some time for some systems that just automatically won’t recover,” CrowdStrike CEO Kurtz told NBC.

The company’s initial “workaround” guidance for dealing with the incident says Windows machines should be booted in a safe mode, a specific file should be deleted, and then rebooted. “The fixes we’ve seen so far mean that you have to physically go to every machine, which will take days, because it’s millions of machines around the world which are having the problem right now,” says Hyppönen from WithSecure.

As system administrators race to contain the fallout, the larger existential question of how to prevent another, similar crisis looms large.

“People may now demand changes in this operating model,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy. “For better or worse, CrowdStrike has just shown why pushing updates without IT intervention is unsustainable.”

_Update 7/19/2024, 11am ET: Added comment from Microsoft saying that the Azure outage and the CrowdStrike kernel driver issue are unrelated._

_Update 7/19/2024, 12:30pm ET: Added further comment from Microsoft about its lack of oversight of CrowdStrike's updates._

_Update 7/19/2024, 3:45pm ET: Updated to clarify that Amazon Web Services was not impacted by the CrowdStrike update, according to the company._

How One Bad CrowdStrike Update Crashed the World’s Computers

A faulty software update from cybersecurity vendor Crowdstrike crippled countless Microsoft Windows computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike's solution needs to be applied manually on a per-machine basis.

A faulty software update from cybersecurity vendor **Crowdstrike** crippled countless **Microsoft Windows** computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike’s solution needs to be applied manually on a per-machine basis.

A photo taken at San Jose International Airport today shows the dreaded Microsoft “Blue Screen of Death” across the board. Credit: Twitter.com/adamdubya1990

Earlier today, an errant update shipped by Crowdstrike began causing Windows machines running the software to display the dreaded “Blue Screen of Death,” rendering those systems temporarily unusable. Like most security software, Crowdstrike requires deep hooks into the Windows operating system to fend off digital intruders, and in that environment a tiny coding error can quickly lead to catastrophic outcomes.

In a post on Twitter/X, Crowdstrike CEO **George Kurtz** said an update to correct the coding mistake has been shipped, and that Mac and Linux systems are not affected.

“This is not a security incident or cyberattack,” Kurtz said on Twitter, echoing a written statement by Crowdstrike. “The issue has been identified, isolated and a fix has been deployed.”

Posting to Twitter/X, the director of Crowdstrike’s threat hunting operations said the fix involves booting Windows into Safe Mode or the Windows Recovery Environment (Windows RE), deleting the file “C-00000291\*.sys” and then restarting the machine.

The software snafu may have been compounded by a recent series of outages involving Microsoft’s **Azure** cloud services, _The New York Times_ reports, although it remains unclear whether those Azure problems are at all related to the bad Crowdstrike update. **Update, 4:03 p.m. ET:** Microsoft reports the Azure problems today were unrelated to the bad Crowdstrike update.

A reader shared this photo taken earlier today at Denver International Airport. Credit: Twitter.com/jterryy07

**Matt Burgess** at _Wired_ writes that within health care and emergency services, various medical providers around the world have reported issues with their Windows-linked systems, sharing news on social media or their own websites.

“The US Emergency Alert System, which issues hurricane warnings, said that there had been various 911 outages in a number of states,” Burgess wrote. “Germany’s University Hospital Schleswig-Holstein said it was canceling some nonurgent surgeries at two locations. In Israel, more than a dozen hospitals have been impacted, as well as pharmacies, with reports saying ambulances have been rerouted to nonimpacted medical organizations.”

In the United Kingdom, NHS England has confirmed that appointment and patient record systems have been impacted by the outages.

“One hospital has declared a ‘critical’ incident after a third-party IT system it used was impacted,” Wired reports. “Also in the country, train operators have said there are delays across the network, with multiple companies being impacted.”

Reactions to today’s outage were swift and brutal on social media, which was flooded with images of people at airports surrounded by computer screens displaying the Microsoft blue screen error. Many Twitter/X users chided the Crowdstrike CEO for failing to apologize for the massively disruptive event, while others noted that doing so could expose the company to lawsuits.

Meanwhile, the international Windows outage quickly became the most talked-about subject on Twitter/X, whose artificial intelligence bots collated a series of parody posts from cybersecurity professionals pretending to be on their first week of work at Crowdstrike. Incredibly,Twitter/X’s AI summarized these sarcastic posts into a sunny, can-do story about Crowdstrike that was promoted as the top discussion on Twitter this morning.

“Several individuals have recently started working at the cybersecurity firm Crowdstrike and have expressed their excitement and pride in their new roles,” the AI summary read. “They have shared their experiences of pushing code to production on their first day and are looking forward to positive outcomes in their work.”

The top story today on Twitter/X, as brilliantly summarized by X’s AI bots.

This is an evolving story. Stay tuned for updates.

Global Microsoft Meltdown Tied to Bad Crowdstrike Update

As threat actors get smarter about how they target employees, the onus is on organizations to create a strong line of defense — and the human element is a critical component.

Masha Sedova, VP, Human Risk Strategy, Mimecast

July 19, 2024

4 Min Read

Source: Yuliya Volkovska via Alamy Stock Vector

COMMENTARY

As the stakes of cyberattacks continue to rise, organizations are throwing more and more money at innovative new services and equipment to thwart them. But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element. There's little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for robbers into the building.

Year after year, the human element consistently ranks among the greatest risk factors in cybersecurity — it is projected to play a central role in 68% to 90% of breaches in 2024 — and the standard practice of mandated security awareness trainings isn't driving improvement, as stolen credentials, data leaks, and targeted phishing emails remain prevalent. To address this critical vulnerability, chief information security officers (CISOs) must take a more data-driven, tailored approach to mitigating human risk that goes beyond just training — one that requires human-by-design cybersecurity.

**Quantifying Risk**

Security awareness training helps, but it doesn't complete the job, as it treats every employee the same. In reality, some users are highly adept at sniffing out threats, while others require additional support. Some subsets of users are targeted with great regularity, while others receive very few phishing attempts. As such, a human-centric security approach must begin with a detailed understanding of the organization's distribution of risk.

The first step is pinning down those at the company who are most at risk. Studies have found that just 8% of employees cause 80% of incidents, and many in this subset typically are repeat offenders. Certain individuals are also targeted more frequently, due to their prominence: Managers receive 2.5 times more phishing emails on average than non-managers, and the rate of attempts goes up for all employees the longer they remain at a company, nearly doubling every three years.

These figures can vary widely between organizations, so it's key for businesses to perform their own analysis. This can be done by analyzing data that's often overlooked — like the logs generated by security endpoints when they prevent employees from executing malware — and gathering patterns from it. In the ideal framework, security administrators should be able to pull data from all manner of security tools to understand what good or risky security decisions users make on an ongoing basis and build a profile on users' individual security risk.

**Managing Risk**

Much like financial institutions with credit scores or insurance companies with premiums, organizations can then begin leveraging these risk scores to create a personalized, adaptive approach to security, beginning with tailored training.

Rather than making all employees complete the same generic security awareness modules (which, let's be honest, most people will just blow through with little attention paid), individuals who have proven themselves a low risk can instead be served a light slate of policy reminders and checklists. Those on the opposite end of the spectrum, who are either frequently targeted or will be, can be mandated to take more rigorous training with a focus on the topics related to the risks they face.

With detailed insights into behavior patterns, organizations can also reward good security practices with recognition. They can then take steps to stem bad habits with interventions like adaptive nudges — personalized messages sent out at the right time, or context to prevent users from falling victim to attacks — or strategies like tighter email security filtering, stricter browsing permissions, or reducing the time that multifactor authentication tokens are valid on at-risk users' machines.

It's important that these practices are carried out with transparency so employees know how the security team plans on using this collected data. When security teams take a constructive stance — for example, by sending out report cards that affirm positive behavior and suggest areas to improve — employees almost universally respond with openness and appreciation. For the small percentage of users in the high-risk group, extra care should be taken to explain how the additional training and adaptive measures are designed to help them get better.

**Tracking Improvement**

Collecting and analyzing security events also allows administrators to take a more data-driven approach to measuring results and, ideally, improvement. By gauging their baseline, security teams can then track the number of risky behaviors occurring on the network over time and dial in the best methods of "bubble wrapping" subsets of the user base to reduce future occurrences.

This measurability stands in stark contrast to conventional human risk mitigation practices (i.e., simple awareness training), which can often take the form of a black hole in terms of understanding impact and, in turn, return on investment (ROI). With an objective, outcomes-first approach, CISOs can both deliver security improvement and clearly demonstrate the success of the investment to the rest of the C-suite.

As threat actors get smarter about how they target employees, the onus is on organizations and their cybersecurity partners to create a strong line of defense — and the human element is a critical component. Companies that take a more intelligent, personalized approach to curbing risky behavior will stand the best chance of safeguarding their organizations against cyberattacks, all while making more efficient use of their security budgets.

**About the Author(s)**

VP, Human Risk Strategy, Mimecast

Masha Sedova, co-founder of Elevate Security, has made her mark in cybersecurity through her practical and human-centered approach to the field. Under her leadership, Elevate Security's innovative platform significantly reduced user-related risks for enterprises. This led to its acquisition by Mimecast in 2024 where she now serves as VP of human risk strategy.

In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training

According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.

Source: Travel mania via Shutterstock

One of China's more prolific threat groups, APT41, is carrying out a sustained cyber espionage campaign targeting organizations in multiple sectors, including global shipping and logistics, media and entertainment, technology, and the automotive industry.

The advanced persistent threat (APT) actor appears to have launched the new campaign sometime in early 2023. Since then, the group has successfully infiltrated multiple victim networks and maintained prolonged access on them, Google's Mandiant security group said this week in a joint analysis with Google's Threat Analysis Group (TAG). Most of the affected organizations are located in the United Kingdom, Italy, Spain, Taiwan, Thailand, and Turkey.

APT41 is sort of an umbrella descriptor for a collective of China-based threat actors engaged in cyber espionage, supply chain attacks, and financially motivated cybercrime around the globe since at least 2012. Over the years security researchers have identified multiple subgroups as being part of the APT41 collective, including Wicked Panda, Winnti, Suckfly, and Barium. These groups have stolen trade secrets, intellectual property, healthcare related data and other sensitive information from US organizations and entities around the word on behalf of the Chinese government. In 2020, the US government indicted five members of APT41 for participating in or contributing to attacks on more than 100 companies worldwide. Those charges have done little to deter the group's activities so far, however.

**APT41's Widespread Geographic Impact**

Nearly all but one of the targeted organizations in the shipping and logistics sector were based in the Middle East and Europe, while all organizations that APT41 targeted in the media and entertainment sector were located in Asia. Many victims within the shipping and logistics sectors have operations across multiple continents, either as subsidiaries or affiliates of large multinational companies in the same sector, Mandiant researchers said.

"An analysis of victim organizations within specific sectors reveals a notable geographic distribution," Mandiant researchers said in its blog post.

Further, "Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore," the security vendor wrote. "At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting."

**Custom Cyber Espionage Tools**

Mandiant researchers also said it had observed APT41 actors using a range of custom tools in its ongoing campaign, including those for dropping malware on target systems, establishing backdoors, moving laterally in compromised networks, and exfiltrating data from them. The tools include two Web shells for persistence, called AntsWord and BlueBeam, which the threat actor has been using to download a dropper called DustPan, which in turn attempts to load the Beacon post-compromise tool on victim systems.

In addition to this, Mandiant said it observed APT41 use a hitherto unseen multi-stage plugin framework called DustTrap for decrypting malicious payloads and executing them in memory so as to enable communication between the compromised system and APT-41 controlled systems and infrastructure. "DustPan has been used by APT41 as far back as 2021, but DustTrap was first seen in this activity," says Ben Read, head of cyber espionage analysis at Mandiant.

Other tools that APT41 actors have effectively deployed in the current campaign include malware dubbed SQLULDR2 for copying data from Oracle Databases and PineGrove for exfiltrating large volumes of data from a compromised network to a OneDrive account for subsequent analysts.

"APT41 has always had a global mandate, so while their targeting in this campaign likely reflects current PRC priorities, the widespread nature is consistent with what we have seen previously from them," Read says.

So far, Mandiant has found no evidence to suggest that APT41 are seeking to monetize their attacks in the current campaign in any way. "However, we do not have full insight into the post compromise activity, so can't say for sure."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Global Logistics, Utilities Companies

Attackers are more likely to target critical infrastructure industries and, when they do, they cause more disruption and ask higher ransoms, with the median payment topping $2.5 million.

Source: Have a nice day Photo via Shutterstock

When ransomware targeted the city of Dallas, Texas last year, it took down city services, the municipal water utility's ability to bill and read meters, and emergency services. The city required more than a month to bring all its systems back online.

Dallas is not alone. In 2023, two-thirds of critical infrastructure operators (67%) in the oil, energy, and utility sectors suffered a ransomware attack, compared to 59% of all industries, according to a survey by Sophos. In addition, attacks on those critical-infrastructure sectors affected an average of 62% of systems, far higher than the 49% of systems across all industries impacted during a ransomware attack.

In fact, the groups collectively tie healthcare as the second-most impacted sectors, with only federal government agencies impacted more often, says Chester Wisniewski, global field CTO at Sophos.

"This sector needs to recognize this as a serious risk and position themselves to not be so vulnerable to ransom demands," he says. "This isn't impossible work. Ultimately it's about getting the basics right, just like in previous years."

Critical infrastructure sectors have been perennial favorites of ransomware gangs, dating back to the Colonial Pipeline incident and even earlier. Ransomware cases in the industrial sector almost doubled between 2022 and 2023 to 1,484 attacks, from 804 incidents, according to data from the NCC Group, a cybersecurity consultancy.

The industrial sector — under which critical-infrastructure companies fall — manages essential services, and disruptions can have severe consequences, prompting quick ransomware payments, says Ian Usher, associate director of threat intelligence operations and service innovation for the NCC Group.

"Organizations that provide a public service or support critical infrastructures are more attractive for ransomware attacks because they face external pressure to restore operations," he says.

**What Makes a Successful Industrial Ransomware Attack?**

Most ransomware attacks against companies in the critical-infrastructure sectors of oil, energy and utilities succeeded through exploiting software vulnerabilities, which accounted for 49% of successful attacks versus 35% the previous year, according to Sophos's report. Compromised credentials (27%) and malicious emails (14%) rounded out the top-3 vectors.

A critical measure is how often an attack led to data being encrypted. In 2023, eight in 10 attacks resulted in encrypted data, the same as the previous year, but significantly higher than the previous two years, says Sophos' Wisniewski.

"This is worrying," he says. "These numbers should be improving as the adoption of extended detection and response (XDR) and managed detection and response (MDR) is becoming increasingly common."

The impact of ransomware attacks are often brutal for businesses. The average respondent in Sophos's survey required more than a month to recover. For the first time, more companies paid the ransom (61%) than used backups for recovery, even while the median payment jumped to $2.54 million. The average cost of recovery from an incident topped $3 million in 2023, matching the previous year. (Note, while Sophos's report is labeled 2024, the data is from 2023, so Dark Reading uses the latter year.)

**Don't Be The Low-Hanging Cyber Fruit**

Organizations that fail to adopt simple technologies, such as multi-factor authentication (MFA), and fail to keep up with software updates, will likely find themselves targeted not just once, but multiple times, says Sophos' Wisniewski.

While the high rate of ransom payments really stood out this year, organizations should no longer consider paying cybercriminals as a solution, he says.

"There isn't a way to buy your way out of situations like a ransomware attack," Wisniewski says. "In rare cases, the payment can expedite recovery, but it is the exception, not the rule ... You are almost guaranteed not to get all of your files back, and you will still need to rebuild ... your systems."

The government needs to help set cybersecurity standards for the critical infrastructure sectors, says NCC Group's Usher. Currently, under the Cyber Incident Reporting for Critical Infrastructure Act passed in 2022, critical-infrastructure operators are required to report significant cyber events within 72 hours and disclose ransom payments within 24 hours, he says.

"The government can...ensure consistent cybersecurity standards across critical infrastructure," he says. "A continued lack of alignment will only serve to create an ever more complex Web of rules. This will likely be counterproductive to delivering better cyber resilience, and contribute to the problem of cybersecurity compliance becoming a 'tick box' exercise."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Has Outsized Impact on Gas, Energy &amp; Utility Firms

The latest version of the Cloud Security Alliance's certification provides a comprehensive catalog of essential skills that cybersecurity professionals need to master.

Source: Ronald Candonga via Pixabay

The Cloud Security Alliance (CSA) has released the Certificate of Cloud Security Knowledge (CCSK) v5, the latest version of its vendor-neutral, cloud security training and certificate.

Designed for security analysts, compliance managers, security engineers, architects, and administrators, the CCSK provides training on topics including cloud incident response, application security, and data encryption. Certification is widely regarded as a benchmark for demonstrating cloud security knowledge and skills.

The "program provides a survey of the most important topics cybersecurity professionals will face day in and day out and is complementary to virtually any other education available," the CSA said.

The CCSK v5 is a "substantial update to CCSK v4," according to CSA. It includes in-depth information, recommendations, and best practices to secure cloud architecture, cloud native security, workloads, virtual networking, data protection, DevSecOps, zero trust, and generative artificial intelligence (GenAI). The CCSK also covers serverless/function-as-a-service, application security, continuous integration and continuous delivery (CI/CD), automation, identity and access management, and incident response.

In addition, CSA has published corresponding security guidance material for the CCSK v5. Students also have access to a variety of training modules, the CCSK v5 Prep Kit, an online self-paced option (which can be completed in 10 hours) and instructor-led classes. Security pros have 120 minutes long to take the exam — a half hour more than the older program's 90 minutes. It is expected to cost $445, though the fee is waived for veterans, according to the CSA.

The CCSK v5 includes "vital information" about managing risks, achieving compliance, optimizing organizational cloud security strategies, and understanding the shared responsibility model between the cloud provider and customer. The GenAI tool CCSK Orb is included in CCSK v5, as well.

CSA Updates Cloud Security Certificate, Training

Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill’s threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk. 
In the current cyber threat landscape, the protection of personal and corporate identities has become vital.

_Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill's threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk._

In the current cyber threat landscape, the protection of personal and corporate identities has become vital. Once in the hands of cybercriminals, compromised credentials and accounts provide unauthorized access to corporations' sensitive information and an entry point to launch costly ransomware and other malware attacks.

To properly mitigate threats stemming from compromised credentials and accounts, organizations need identity intelligence. Understanding the significance of identity intelligence and the benefits it delivers is foundational to maintaining a secure posture and minimizing risk.

There is a perception that security teams and threat analysts are already overloaded by too much data. By these measures, another stream of cyber threat intelligence will only further bog down their workflows and overwhelm their ability to take meaningful action.

However, when threat intelligence is contextual and relevant to the specific organization and its attack surface, the issue of data overload is removed. When identity intelligence is added to the mix, security teams can easily discover compromised credentials in the cybercriminal wild, and take preventive measures before damage is done. Here's how.

****Why You Need Identity Intelligence****

Organizations are composed of individuals, each of whom can be a potential target for identity-related threats. Compromised credentials are one of the most common and effective ways for threat actors to achieve their goals, with millions of credentials being leaked and sold on underground markets annually.

The ways that cybercriminals get their hands on credentials vary. Phishing schemes – deceptive emails designed to trick recipients into divulging their credentials – in one way. Another method that's gaining in popularity is Stealer Malware. Stealers are a category of malware that harvest credentials such as usernames, passwords, cookies, and other data from infected systems.

Want to learn more? Watch our on-demand webinar **Unveiling the Power of Identity Intelligence.** Or download our eBook on **Identifying Leaked Credentials**.

Other tactics include brute force attacks, where threat actors use tools to automatically generate passwords and then try them out one by one to access a user account, and social engineering tactics, in which threat actors manipulate users into giving away sensitive information. According to some estimates, by trying one million random combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts.

Research shows that in 2022, the average cost of a data breach resulting from stolen or compromised credentials was $4.5 million, a number that continues to rise. Can your organization afford such a significant risk?

Robust security measures like multi-factor authentication (MFA) and consistent, stringent employee training and enforcement of data protection policies can help make companies less vulnerable to this type of threat. However, missteps happen. And when they do, security teams must be immediately alerted when any compromised access is discovered on dark web marketplaces. This is where identity intelligence comes in.

****The Role of Identity Intelligence in Combating Identity Threats****

With rich threat intelligence derived from millions of data points across underground sources in the clear, deep, and dark web, organizations can access rich data and intelligence about compromised credentials and accounts, and take preventive measures. As already stated, these leaked credentials give threat actors an easy entry point into the organization, impacting the business, its employees, and customers—individuals whose personal information can be compromised and sold underground.

Cybersixgill's Identity Intelligence is unique in that it's enhanced with machine learning and AI. It alerts organizations when credentials are detected as leaked or posted for sale, providing detailed context and information to aid in threat mitigation. In essence, we give security teams a streamlined view of their organizations' risks, exposing identity theft, leaked credentials, including usernames and passwords, and typosquatting activity.

Using our threat intelligence, security teams can help determine the likely cause of the data breach and intercept the sale of stolen credentials and credit cards to protect employees and customers. Users can set up customizable alerts to notify them of leaked credential data on the deep, dark web from sources including instant messaging apps, IRC chats, and limited-access dark web forums and marketplaces.

****Conclusion****

Safeguarding personal and corporate identities is paramount in today's cyber threat landscape, where compromised credentials can lead to significant security breaches and financial losses. Identity intelligence is a crucial tool, offering contextual and relevant threat data that helps organizations detect and respond to compromised credentials effectively.

With Cybersixgill's machine learning and AI-enhanced identity intelligence, security teams can preemptively identify and mitigate risks, ensuring robust protection for both employees and customers. Ultimately, the strategic implementation of identity intelligence fortifies an organization's defenses and fosters a proactive approach to cybersecurity, minimizing potential damages from identity-related threats.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel