The Institute for Security and Technology's UnDisruptable27 project connects technology firms with the public sector to strengthen US cyber defenses in case of attacks on critical infrastructure.

Source: Nico El Nino via Alamy Stock Photo

What would a worst-case scenario look like for your town? The power grid going out, leaving your community without electricity for days on end? Or a disruption to the local water supply? Or a cyberattack on the emergency medical response system and medical facilities, leaving people stranded, without access to care during life-threatening situations? 

These are the kinds of scenarios that UnDisruptable27 seeks to prepare for–cyberattacks against critical infrastructure in local communities across the United States–focusing on four principal areas: water and wastewater; emergency medical care and hospital services; food supply chains; and local power supplies. 

The program is led by the Institute for Security and Technology, a nonprofit think tank that seeks to connect the technology world and the public sector, and kicked off this summer with a pilot program, funded by a $700,000 grant from Craig Newmark Philanthropies as part of the organization’s Cyber Civil Defense initiative. The initial phase will focus on the nexus of water and emergency medical care. The project is spearheaded by Josh Corman, Executive in Residence at IST and co-founder of I am The Cavalry and CyberMedSummit. 

"Whether it’s food or shelter or warmth, everyone relies on infrastructure to live. Bad actors know that, too. This isn’t alarmism. It’s a very real threat our country faces today. It’s all our job to push governments and utilities and companies to be better on this stuff. That means extra work for maybe understaffed IT, and they can get very annoyed with me, okay if it helps prepare for the worst," Craig Newmark says. "In the meantime, I’m putting my money where my mouth is."

The project’s initial phase involves engaging stakeholders and listening to their concerns and limitations, whether they’re financial, technical or a combination of the two, says Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology.

Like the scramble to prepare for Y2K, the UnDisruptable27 initiative benefits from having a tangible timeline, whether any specific threats materialize, Stifel says. 

The call-to-action was spurred by public hearings earlier this year where Congress and U.S. government cybersecurity leaders explored the potential threats to infrastructure posed by China’s Volt Typhoon group or other state-sponsored actors. The project's goal is to make critical infrastructure supporting basic human needs "undisruptable" by 2027. 

"We are seeing more disruptions, larger disruptions, longer disruptions, and more public life- and safety-affecting disruptions. And that's not okay. That trajectory is unsustainable," says Corman. He calls areas like water and power delivery systems and other infrastructure "target-rich and cyber-poor," meaning they represent a massive attack surface, yet lack the resources to adequately protect themselves from cyberattacks. 

"If we see hybrid conflict on top of the disruption trend that we already see, the average citizen is not prepared," Corman says. "We don't want panic and we don't want preppers, but what we do think is no one should be blindsided or surprised by this, and we can make choices between now and an era of potential heightened geopolitical context or conflict context."

To help stress the need and get the public onboard, UnDisruptable27 is taking a page from the natural disaster preparedness playbook and leveraging communications strategies and narrative to influence communities to prepare. 

"We really haven't reached the public, and that's why the public continues to be disrupted and surprised every time there's a Crowd Strike or NotPetya or an Ascension Health," Corman says. "So we're going to go down to meet owners and operators of these critical infrastructure sectors, municipal leadership in the last mile in these communities, and possibly, and probably even citizens directly for this education campaign. And what that means is we have to meet them where they are."

The group chose to initially focus on the intersection of water and health care because it’s already in the public eye, according to Corman. 

One potential resource for local communities could come in the form of help from the Consortium of Cyber Security Clinics, a network of university-based clinics that train students to do direct engagement with under-resourced organizations who need help regarding their cybersecurity maturity. While in its early phases, Corman and UnDisruptable27 will identify areas of need and connect with municipalities and utilities. In later stages, the group hopes to partner with the clinics to connect those needing help with resources. 

Smaller organizations in local communities are incredibly vulnerable, says Sarah Powazek, Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. These under-resourced communities can provide very attractive targets for cyber attackers, and projects like UnDisruptable27 have the potential to have significant impact.

“I think that the most important institutions to protect aren't always the largest. I think we're really missing this network of care at the community level. And I think we're missing a strategy to help them protect themselves in a long term sustainable fashion. And I think that the UnDisruptable project is going to be one of many initiatives that is needed to help serve these institutions,” Powazek says.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

UnDisruptable27 Project Wants to Shore Up Critical Infrastructure Security

Private Cloud Compute is an entirely new kind of infrastructure that, Apple’s Craig Federighi tells WIRED, allows your personal data to be “hermetically sealed inside of a privacy bubble.”

The generative AI boom has, in many ways, been a privacy bust thus far, as services slurp up web data to train their machine learning models and users’ personal information faces a new era of potential threats and exposures. With the release of Apple’s iOS 18 and macOS Sequoia this month, the company is joining the fray, debuting Apple Intelligence, which the company says will ultimately be a foundational service in its ecosystem. But Apple has a reputation to uphold for prioritizing privacy and security, so the company took a big swing. It has developed extensive custom infrastructure and transparency features, known as Private Cloud Compute (PCC), for the cloud services Apple Intelligence uses when the system can't fulfill a query locally on a user's device.

The beauty of on-device data processing, or “local” processing, is that it limits the paths an attacker can take to steal a user's data. The data never leaves the computer or phone, so that's what the attacker has to target. It doesn't mean an attack will never be successful, but the battleground is defined and constrained. Giving data to a company to process in the cloud isn't inherently a security issue—an unfathomable amount of data moves through global cloud infrastructure safely every day. But it expands that battlefield immensely and also creates more opportunities for mistakes that inadvertently expose data. The latter has particularly been an issue with generative AI given the unintended ways that a system tasked with generating content may access and share information.

With Private Cloud Compute, Apple has developed an array of innovative cloud security technologies. But the service is also significant for pushing the limits of what is an acceptable business proposition for a cloud service, seemingly prioritizing secure architecture over what would be most technically efficient or economical.

“We set out from the beginning with a goal of how can we extend the kinds of privacy guarantees that we’ve established with processing on-device with iPhone to the cloud—that was the mission statement," Craig Federighi, senior vice president of software engineering at Apple, tells WIRED. “It took breakthroughs on every level to pull this together, but what we’ve done is achieve our goal. I think this sets a new standard for processing in the cloud in the industry.”

To remove many of the potential attack points and pitfalls that cloud computing can introduce, Apple says its developers focused on the idea that “security and privacy guarantees are strongest when they are entirely technically enforceable” rather than implemented through policies.

In other words, you can have a plate of cupcakes on the counter and make a policy for yourself that you're not going to eat any of them. Or you could have a policy that you never make or buy cupcakes. But the Private Cloud Compute approach would be to move to a town with no bakeries, rip out your kitchen, and close your credit cards to prevent yourself from buying Easy Bake Ovens. That way there's no question about your cupcake access or the possibility of accidental cupcake hoarding.

**Starting Fresh**

Apple created purpose-built servers running Apple processors for PCC and developed a custom PCC server operating system that's a stripped down, hybrid version of iOS and macOS. The scheme incorporates hardware and software security features the company has developed for Macs and iPhones over the past two decades.

Unlike these consumer devices, though, PCC servers are as bare-bones as possible. For example, they don't include “persistent storage,” meaning that they don't have a hard drive that can keep processed data long-term. They do incorporate Apple's dedicated hardware encryption key manager known as the Secure Enclave and randomize each file system's encryption key at every boot up as well. This means that once a PCC server is rebooted, no data is retained and, as an additional precaution, the entire system volume is cryptographically unrecoverable. At that point, all the server can do is start fresh with a new encryption key.

PCC servers also use Apple's Secure Boot to validate the integrity of the operating system and use a code verification feature the company debuted with iOS 17, known as Trusted Execution Monitor. Instead of using Trusted Execution Monitor in the usual way for oversight, though, PCC runs it in a much stricter mode where once the server restarts and completes the boot sequence, the system locks down and can't load any new code whatsoever. Essentially, all the software the server needs to run gets pummeled with checks and validation and then goes into an envelope that's sealed before user requests and data can begin to process through.

More broadly, Apple says it completely replaced its normal server management tools for PCC. For example, most cloud platforms have policies and controls to prevent unauthorized access, but they also build “break in case of emergency”-type options so highly trusted system administrator accounts can take quick action in case of a bug or failure. In keeping with Apple's focus on technically enforceable guarantees versus policy guarantees, PCC doesn't allow privileged access and drastically limits remote management options.

In recent years, Apple took a major security step by offering its users end-to-end encryption for iCloud backups, in which the company simply holds data in its cloud infrastructure for its customers and doesn't have the technical capability to decrypt and read that data. With current technology, such a scheme is impossible to implement for generative AI because the system needs to process the inputs to give an output. For example, if you want Apple Intelligence to give you a summary of all the text messages and emails you've received in the past three hours, the system needs access to those messages. End-to-end encryption would make that access virtually impossible.

Apple says it is still committed to doing as much Apple Intelligence processing as possible on-device, and a brand new iPhone 16 with its A18 chip, for example, will be able to do more AI processing locally than an iPhone 15 with an A16 chip. Still, the reality seems to be that Apple will need to do a substantial amount of Apple Intelligence processing in the cloud—hence the investment in developing PCC. (In iOS 18.1, users can go to Settings > Privacy & Security > Apple Intelligence Report to view a log of which requests are processed on device versus in the cloud.)

“What was really unique about the problem of doing large language model inference in the cloud was that the data had to at some level be readable by the server so it could perform the inference. And yet, we needed to make sure that that processing was hermetically sealed inside of a privacy bubble with your phone," Federighi says. “So we had to do something new there. The technique of end-to-end encryption—where the server knows nothing—wasn’t possible here, so we had to come up with another solution to achieve a similar level of security.”

Still, Apple says that it offers “end-to-end encryption from the user’s device to the validated PCC nodes, ensuring the request cannot be accessed in transit by anything outside those highly protected PCC nodes.” The system is architected so Apple Intelligence data is cryptographically unavailable to standard data center services like load balancers and logging devices. Inside a PCC cluster, data is decrypted and processed, but Apple emphasizes that once a response is encrypted and sent on its journey to the user, no data is retained or logged and none of it is ever accessible to Apple or its individual employees.

**Open Book, Closed System**

Apple says the overarching vision for PCC is that an attacker should have to compromise the entire system—a difficult thing to do at all much less without being detected—in order to target a specific user's personal data. Even if an attacker could physically compromise an individual live PCC node, the system is devised with an anonymous relay feature so the queries and data on any one node can't be connected to individual users.

It all sounds pretty groovy, but the notoriously secretive company seems to be aware that professing to do all of these things and claiming to offer technical guarantees is ultimately only compelling with proof and transparency. So PCC includes an external auditing mechanism that serves a crucial dual purpose.

Apple is making every production PCC server build publicly available for inspection so people unaffiliated with Apple can verify that PCC is doing (and not doing) what the company claims, and that everything is implemented correctly. All of the PCC server images are recorded in a cryptographic attestation log, essentially an indelible record of signed claims, and each entry includes a URL for where to download that individual build. PCC is designed so Apple can't put a server into production without logging it. And in addition to offering transparency, the system works as a crucial enforcement mechanism to prevent bad actors from setting up rogue PCC nodes and diverting traffic. If a server build hasn't been logged, iPhones will not send Apple Intelligence queries or data to it.

PCC is part of Apple's bug bounty program, and vulnerabilities or misconfigurations researchers find could be eligible for cash rewards. Apple says, though, that since the iOS 18.1 beta became available in late July, no on has found any flaws in PCC so far. The company recognizes that it has only made the tools to evaluate PCC available to a select group of researchers so far.

Multiple security researchers and cryptographers tell WIRED that Private Cloud Compute looks promising, but they haven't spent significant time digging into it yet.

“Building Apple silicon servers in the data center when we didn’t have any before, building a custom OS to run in the data center was huge,” Federighi says. He adds that “creating the trust model where your device will refuse to issue a request to a server unless the signature of all the software the server is running has been published to a transparency log was certainly one of the most unique elements of the solution—and totally critical to the trust model.”

To questions about Apple's partnership with OpenAI and integration of ChatGPT, the company emphasizes that partnerships are not covered by PCC and operate separately. ChatGPT and other integrations are turned off by default, and users must manually enable them. Then, if Apple Intelligence determines that a request would be better fulfilled by ChatGPT or another partner platform, it notifies the user each time and asks whether to proceed. Additionally, people can use these integrations while logged into their account for a partner service like ChatGPT or can use them through Apple without logging in separately. Apple said in June that another integration with Google's Gemini is also in the works.

Apple said this week that beyond launching in United States English, Apple Intelligence is coming to Australia, Canada, New Zealand, South Africa, and the United Kingdom in December. The company also said that additional language support—including for Chinese, French, Japanese, and Spanish—will drop next year. Whether that means that Apple Intelligence will be permitted under the European Union's AI Act and whether Apple will be able to offer PCC in its current form in China is another question.

“Our goal is to bring ideally everything we can to provide the best capabilities to our customers everywhere we can,” Federighi says. “But we do have to comply with regulations, and there is uncertainty in certain environments we’re trying to sort out so we can bring these features to our customers as soon as possible. So, we’re trying.”

He adds that as the company expands its ability to do more Apple Intelligence computation on-device, it may be able to use this as a workaround in some markets.

Those who do get access to Apple Intelligence will have the ability to do far more than they could with past versions of iOS, from writing tools to photo analysis. Federighi says that his family celebrated their dog’s recent birthday with an Apple Intelligence–generated GenMoji (viewed and confirmed to be very cute by WIRED). But while Apple's AI is meant to be as helpful and invisible as possible, the stakes are incredibly high for the security of the infrastructure underpinning it. So how are things going so far? Federighi sums it up without hesitation: “The rollout of Private Cloud Compute has been delightfully uneventful.”

Apple Intelligence Promises Better AI Privacy. Here’s How It Actually Works

An attacker with authenticated access to VICIdial version 2.14-917a as an agent can execute arbitrary shell commands as the root user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

VICIdial 2.14-917a Remote Code Execution

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

Source: Miscellaneoustock via Alamy Stock Photo

A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.

In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.

But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, "Pixhell," enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.

**How Pixhell Works**

It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.  

Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.

Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.

Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.

Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.

However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."

In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."

**The Wide World of Covert Channel Attacks**

Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.

"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds. 

Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.

**What the Best Air Gaps Look Like**

For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.

Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.

"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.

Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical \[channel you're worried about\], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly \[at intervals\], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?

Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens

Cybercriminals target Trump’s digital trading cards using phishing sites, fake domains, and social engineering tactics to steal sensitive…

Cybercriminals target Trump’s digital trading cards using phishing sites, fake domains, and social engineering tactics to steal sensitive data. Scammers create fake URLs mimicking the official site to deceive collectors.

Cybercriminals are now aiming at your digital collectable cards, with former President Donald Trump‘s new digital trading cards being the latest target. Since launching, Trump’s digital trading cards, which offer exclusive digital assets and real-life experiences, have generated substantial attention among collectors and supporters.

According to cybersecurity firm Veriti, malicious actors are using phishing sites, fake domains and various social engineering tactics to trick users into revealing sensitive information or installing malware.

One example of a fake domain is trumpdigitaltradingcards/.xyz, which mimics the official URL (collecttrumpcards/.com) but with subtle differences. Another instance is a fake site from the Democratic Party, which surfaced under the domain collecttrunpcards/.com in which the domain uses an “N” replacing the “M” in “Trump”).

Fake websites (Screenshot: Veriti)

****But how do these scams work?****

Attackers are using traditional phishing tactics, including email phishing and domain typosquatting, to lure in victims. Email phishing involves sending emails that appear to be from legitimate sources, and promoting limited-time offers on Trump’s digital cards, which often contain malicious links that lead to phishing websites.

“Attackers are leveraging the popularity of these trading cards to exploit users’ curiosity and desire to acquire them,” explained Veriti in its report shared with Hackread.com ahead of publishing on Tuesday. “The scams range from fake websites that look almost identical to the official site to more traditional phishing emails promising limited-time offers.”

****Not The First Time****

Trump has been used as bait for cybercrime before, and his supporters have been targeted in financial scams multiple times. In July of this year, scammers stole donations from his supporters by setting up fake and malicious websites.

In another scam, hackers used a fake Trump assassination story to steal cryptocurrency from his supporters. In January 2021, a phishing video link tied to Trump’s election campaign was found spreading the QNode RAT malware.

Nevertheless, if digital collectable cards are your passion, it’s essential to be aware of the associated risks. By staying alert and taking necessary precautions, you can protect yourself from phishing scams and your personal information from scammers. Follow these simple tips to stay secure:

*   Use common sense; it’s the best defence against any kind of attack.
*   Look for HTTPS, which adds a layer of security to your browsing experience.
*   Double-check URLs before entering any personal information, as phishing sites often use slight variations in spelling to fool users.
*   Be cautious of unsolicited emails, and instead of clicking directly on the link, navigate to the official website by typing in the URL manually.
*   Follow Hackread.com for the latest news on cybersecurity and online scams.

1.  **Trump campaign website defaced with “site seizure” notice**
2.  **Fake Trump’s scandal video campaign spreading QNode RAT**
3.  **Researcher logs into Trump’s Twitter with password MAGA2020**
4.  **Federal Agency that maintains secure COMM for Trump HACKED**
5.  **2 arrested for Hacking DC Security Cams Before Trump Inauguration**

Hackers Use Fake Domains to Trick Trump Supporters in Trading Card Scam

An attack dubbed "WordDrone" that uses an old flaw to install a backdoor could be related to previously reported cyber incidents against Taiwan's military and satellite industrial supply chain.

Source: Ron Ardity via Alamy Stock Photo

Attackers are weaponizing an "ancient" version of Microsoft Word in a recent wave of attacks on Taiwanese drone makers that's delivering malware aimed at cyber espionage and disrupting the military- and satellite-related industrial supply chains.

Researchers from the Acronis Threat Research Unit have discovered an attack they've dubbed "WordDrone" that uses a dynamic link library (DLL) side-loading technique common in the installation process of Microsoft Word, to install a persistent backdoor called ClientEndPoint on infected systems.

The Acronis team members discovered the unusual attack vector when they investigated a customer escalation from Taiwan "about a strangely behaving process of an ancient version of Microsoft Word," they wrote in a blog post published Sept. 10.

"Three files were brought to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension," they wrote in the post. "Microsoft Word was used to side load the malicious 'wwlib' DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name."

They eventually found similar two-stage attack scenarios across multiple environments between April and July this year. The first stage of the attacks focuses on Windows desktop machines, while the second stage sees attackers trying to move over to Windows servers, the researchers said.

**Similarities to "TIDrone" Campaign**

It's unclear if the attack vector is related to a similar wave of cyber incidents against Taiwanese drone makers by a threat actor dubbed "TIDrone" reported by researchers at Trend Micro. That actor, linked to other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware.

Similarly, the WordDrone attack also appears to have an ERP component, the researchers said. While they couldn't find "definitive evidence about how attackers were gaining initial access," the first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin.

"Upon further investigation, we found multiple components of Digiwin … being deployed in the target environments," the researchers wrote. Moreover, some of Digiwin's components contained known vulnerabilities like CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

"Based on all the information collected, we believe that there is high probability of exploitation or a supply chain attack being involved with the ERP software in question," the researchers noted.

**Targeting a Side-Loading Flaw**

The attack leverages a side-loading vulnerability in an old version of Winword (v14.0.4762.1000) allowing attackers to use it to load a DLL that has a name matching the original supplied by Microsoft.

"In the very same directory where Winword was located, we could see only two additional files, a ... DLL called wwlib.dll, which is normally part of a standard Microsoft Office installation package — this time having an unusually small size — and another file called 'gimaqkwo.iqq' which already looked suspicious," the researchers explained.

Upon further inspection, the wwlib library turned out to be acting as a loader with the sole purpose of reading the main payload that is stored in the encrypted "gimaqkwo.iqq" file in the same directory, they said. The file name of the payload — the ClientEndPoint backdoor — is stored in an encrypted form in the loader.

The backdoor has functionality typical to this type of malware, including the ability to listen in on user sessions, send and receive commands from the attacker-controlled command and control (C2), and exfiltrate data and send it back to the C2. It also has a proxy configuration mode in which one infected host can receive data and commands from another infected host on the local network while only one of them is in direct communication with the C2.

**Why Target Taiwanese Drone Makers?**

The fact that two separate security research teams have been investigating a spate of cyberattacks against Taiwanese drone makers brings up the question of motive on the part of attackers, which the Acronis team attempted to address.

Drone manufacturing has increased remarkably in Taiwan since 2022, with significant financial backing from the government, the researchers noted. There currently are about a dozen Taiwanese companies in the space  — often providing components for original equipment manufacturers (OEMs) — and even more if the country's global aerospace industry is taken into consideration, they said.

This investment in drone manufacturing and the considerable technological prowess of Taiwan, as well as its position as a US ally, "make them a prime target for adversaries interested in military espionage or supply chain attacks," the researchers observed.

"The extreme growth of the drone industry in the past decade also had an unfortunate side effect — even consumer models are used for military purposes now," they wrote in the post.

The research team shared their intelligence with Taiwan's appropriate cybersecurity authorities and included a list of indicators of compromise (IoCs) in the blog post. As drone makers of all sizes could be targeted by WordDrone attacks, defenders should be mindful of any suspicious activity, especially as it relates to older versions of Microsoft Word that might be present in their environment. Small businesses in the sector in particular should be mindful and shore up defenses, the researchers wrote, "as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Ancient' MSFT Word Bug Anchors Taiwanese Drone-Maker Attacks

Researchers flagged a pair of Gallup site XSS vulnerabilities.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

Editor's Note: Dark Reading has become aware that a portion of the original Checkmarx research on these vulnerabilities is in dispute, prompting us to retract sections of our reporting below.

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to misuse by malicious actors.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

The flaws do not impact any of Gallup’s internal data or polling.

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

A third update was made at 1:03PM ET on Sept. 12, 2024, to remove sections of the article that were based on now-disputed portions of the original Checkmarx blog.

Gallup Addresses XSS Bugs in Website

Researchers flagged a pair of Gallup polling site XSS vulnerabilities that could have allowed malicious actors to execute arbitrary code, access sensitive data, or take over a victim account.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to malicious actors.

Both flaws presented the opportunity for adversaries to perform actions on behalf of users.

These weaknesses are particularly concerning heading into a US election season that is already being widely targeted by misinformation. Just this week, for instance, the US Department of Justice accused Russia of a $10 million disinformation campaign that sought to barrage social media with enough bad information to sway the presidential election in November.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

Cross-scripting flaws allow an attacker to use the URL address bar to insert unauthorized script into a page. For this attack, a target would be sent a malicious URL that looks exactly like a Gallup.com page. Once the victim clicks on the link, they are taken to a page indiscernible from the real thing֫—except in this instance the attacker controls the content displayed.

While these flaws do not impact any of Gallup’s internal data or polling, the bugs could be used by bad actors to spoof convincing looking Gallup.com site pages with misleading information. At scale, a convincing Gallup-branded page could be used spread misinformation to millions of people at once. Of particular concern to the Checkmarx team is that with a trusted name like Gallup behind the bad information, the campaign could appear incredibly convincing—a particularly dangerous risk during election season.

"In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles," the Checkmarx team wrote. "Gallup, the leading survey company, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users."

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

Exploitation of the vulnerability could allow malicious actors to execute code in the targeted user's navigation session to perform various actions on their behalf, the researchers added.

"It's important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation," the Checkmarx team wrote. "This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page, giving a malicious actor another opportunity to perform tasks disguised as the target users and even take over the account altogether.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

"The prevalence of misinformation was identified as the top global risk in 2024 by the World Economic Forum’s 'Global Risks Report 2024,'" Checkmarx vice president of security research Erex Yalon says. "\[It's important to\] secure software that is prone to exploits of malicious actors, educate and close the knowledge gap, and hopefully safeguard the integrity of the election process."

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

Gallup.com Bugs Open Door to Election Misinformation

**How could an attacker exploit this vulnerability?**

An attacker with basic user permissions can send specially crafted requests to modify the configuration of an Azure CycleCloud cluster to gain Root level permissions enabling them to execute commands on any Azure CycleCloud cluster in the current instance and in some scenarios, compromise administrator credentials.

CVE-2024-43469: Azure CycleCloud Remote Code Execution Vulnerability

**How do I get the update for Outlook for IOS?**

1.  Tap the Settings Icon
2.  Tap the iTunes & App Store
3.  Turn on AUTOMATIC DOWNLOADS for Apps

**Alternatively**

1.  Tap the App Store Icon
2.  Scroll down to find Microsoft Outlook
3.  Tap the Update button

Tag

#ios