AnyDesk version 7.0.15 suffers from an unquoted service path vulnerability.

    # Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path PrivilegeEscalation# Date: 2024-04-01# Exploit Author: Milad Karimi (Ex3ptionaL)# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# Vendor Homepage: http://anydesk.com# Software Link: http://anydesk.com/download# Version: Software Version 7.0.15# Tested on: Windows 10 Pro x641. Description:The Anydesk installs as a service with an unquoted service path runningwith SYSTEM privileges.This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.2. ProofC:\>sc qc anydesk[SC] QueryServiceConfig SUCCESSSERVICE_NAME: anydesk        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"--service        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : AnyDesk Service        DEPENDENCIES       : RpcSs        SERVICE_START_NAME : LocalSystemC:\>systeminfoOS Name:  Microsoft Windows 10 ProOS Version: 10.0.19045 N/A Build 19045OS Manufacturer: Microsoft Corporation

AnyDesk 7.0.15 Unquoted Service Path

At the Microsoft Security Response Center (MSRC), our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy. One way we achieve this is by determining the root cause of security vulnerabilities in Microsoft products and services. We use this information to identify vulnerability trends and provide this data to our Product Engineering teams to enable them to systematically understand and eradicate security risks.

At the Microsoft Security Response Center (MSRC), our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy. One way we achieve this is by determining the root cause of security vulnerabilities in Microsoft products and services. We use this information to identify vulnerability trends and provide this data to our Product Engineering teams to enable them to systematically understand and eradicate security risks. We also publish these trends publicly to share our learnings and best practices, for example in Pursuing Durably Safe Systems Software. 

For decades, we have used our own proprietary taxonomy to describe vulnerability root cause. Today, we are pleased to announce a significant shift: we will now publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard. We believe adopting CWE will better serve our customers, developers, and security practitioners across the industry. This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases. Ultimately, our commitment to CWE represents a meaningful step toward a more cyber-secure world.  This work is core to the goals of Microsoft’s Secure Future Initiative (SFI), outlining our engineering priorities to transforming software development, implementing new identity protections, and improving transparency and faster vulnerability response, as articulated by Charlie Bell, Executive Vice President, Microsoft Security. The CWE is a community-developed list of common software and hardware weaknesses. A “weakness” refers to a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. Below is an example of Microsoft Windows CVE, including information related to CWE.  

 As an industry, we cannot manage what we cannot measure. Providing accurate CWEs for our own vulnerabilities, as well as encouraging our industry peers to do the same, is key to systematically understanding, mitigating, and eliminating whole classes of vulnerabilities. Other industries, such as the medical and transportation sectors, are adept at categorizing and reporting facts, both positive and negative. Our industry and customers will benefit from greater transparency and interoperability through CWE adoption. 

Additionally, the CWE information provided will not only be displayed in the Microsoft Security Update Guide but will also be available in the SUG CVRF API and instantiated on CVE.org and NVD.nist.gov.  

As always, we look forward to your feedback which you can provide by clicking on the rating banner at the bottom of every CVE page in the Security Update Guide. 

Lisa Olson, Senior Program Manager, Security Release

Toward greater transparency:  Adopting the CWE standard for Microsoft CVEs

By Waqas
Another day, another data breach targeting critical infrastrcuture in the United States!
This is a post from HackRead.com Read the original post: US Environmental Protection Agency Allegedly Hacked, 8.5M User Data Leaked

The U.S. Environmental Protection Agency (EPA) is suffering a major data breach allegedly by a hacker known as USDoD. The breach, affecting over 8.5 million users, raises concerns about identity theft, cyber espionage, and the chilling effect on environmental reporting.

The U.S. Environmental Protection Agency (EPA) is facing a significant security breach, carried out by a hacker operating under the alias USDoD. This alleged breach has resulted in the exposure of personal and sensitive information belonging to more than 8.5 million users, including both customers and contractors.

The data breach was brought to light on the morning of Sunday, April 7, 2024. Notably, USDoD has a history of engaging in high-profile data breaches, with previous incidents including the exposure of data from **87,000 members of InfraGard**, a sensitive security program funded by the FBI and dedicated to safeguarding critical infrastructure in the United States.

> _“Hello Breachforums, this is your favorite TA and today Im proud to say that Im releasing epa.gov database of contact list. This is their entire contact of Critical Infra not only for the USA but for the entire globe.”_
> 
> USDoD

Regarding the alleged data breach at the EPA, the hacker claims that they have successfully compromised and leaked the entire database of the agency. Analysis conducted by Hackread.com indicates that the data provided by USDoD appears to be legitimate; however, conclusive verification can only be provided by the U.S. Environmental Protection Agency.

USDoD on Breach Forums (Screenshot credit: Hackread.com)

Meanwhile, a review of the leaked file reveals a 500MB Zip archive containing three CSV files labelled “Contact,” “Inter\_Contact,” and “Staff.” An assessment of these files reveals the presence of the following information:

****Contact File (3,726,130 Records)****

*   Zipcodes
*   Full names
*   Fax numbers
*   Phone numbers
*   Email addresses
*   Mailing addresses
*   Country, city, States

****Inter\_Contact File (9,952,374 Records)****

*   Zipcodes
*   Full names
*   Phone numbers
*   Email addresses
*   Email domains
*   Country, City, State
*   Company name and address

****Staff File (3,325,973 Records)****

*   Zipcodes
*   Fill names
*   Job titles
*   Company names
*   Email addresses
*   Business Addresses
*   Phone numbers
*   Related industries
*   Country, city and States

Following the removal of duplicate records, the total number of accounts involved in the breach stands at nearly 8.5 million, specifically 8,460,182. Hackread.com has notified the U.S. Environmental Protection Agency (EPA) and CISA regarding the data breach. Any response received from either of the agencies will lead to an update to this article.

Screenshot from the leaked data (Credit: Hackread.com)

****The Good and Bad news****

The good news amidst this breach is the absence of passwords. However, the seriousness of the situation can be understood by the fact that the leaked data is now circulating within Russian hacker and cybercrime forums. This development not only opens doors for state-sponsored cyber espionage but also poses serious risks of identity theft, phishing scams, and targeted marketing campaigns.

Furthermore, the exposure of information regarding facilities or individuals reporting environmental violations raises serious concerns. Such disclosures could potentially deter future reporting and impede the EPA’s effectiveness in enforcing regulatory measures.

****Devastating** **First Quarter of 2024 for US So Far****

The first quarter of 2024 has proven to be quite challenging for the United States, a nation that holds influential global power and consequently becomes an attractive target for cybercriminals. Despite **ongoing efforts to strengthen its critical infrastructure**, the country has faced a surge in successful cyber attacks, resulting in widespread disruption and compromise.

In January, EquiLend, a prominent financial technology firm, fell victim to a large-scale ransomware attack. As a result, **it was confirmed that** the incident also led to a data breach, exposing sensitive employee information.

March witnessed the cyber attack from **IntelBroker hacker against Acuity Inc**., a federal contractor, resulting in the exposure of critical records belonging to U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement (ICE). Although initially denied, Acuity Inc. eventually **acknowledged the hack**.

**In February**, the same hacker targeted the security of Los Angeles International Airport, compromising the personal data of 2.5 million private plane owners. Shortly thereafter, **in March**, American Express disclosed a significant data breach involving third-party contractors, impacting its cardholders.

The latest alleged data breach occurred **on April 4, 2024**, when the IntelBroker hacker leaked personal data belonging to over 22,000 Home Depot employees on BreachForums.

1.  Data Sec: Congress Bans Staff Use of Microsoft’s AI Copilot
2.  US, China Exposed Most Databases Among 308,000 Found
3.  Sony Data Breach via MOVEit Flaw Affects Thousands in US
4.  Vietnamese DarkGate Malware Targets META Accounts in US
5.  Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers

US Environmental Protection Agency Allegedly Hacked, 8.5M User Data Leaked

Plus: Microsoft scolded for a “cascade” of security failures, AI-generated lawyers send fake legal threats, a data broker quietly lobbies against US privacy legislation, and more.

It’s been a week since the world avoided a potentially catastrophic cyberattack. On March 29, Microsoft developer Andres Freund disclosed his discovery of a backdoor in XZ Utils, a compression tool widely used in Linux distributions and thus countless computer systems worldwide. The backdoor was inserted into the open source tool by someone operating under the persona “Jia Tan” after years of patient work building a reputation as a trustworthy volunteer developer. Security experts believe Jia Tan is the work of a nation-state actor, with clues largely pointing to Russia, although definitive attribution for the attack is still outstanding.

In early 2022, a hacker operating under the name “P4x” took down the internet of North Korea, after the country’s hackers had targeted him. This week, WIRED revealed P4x’s true identity as Alejandro Caceres, a 38-year-old Colombian American. Following his successful attack on North Korea, Caceres pitched the US military on a “special forces”-style offensive hacking team that would carry out operations similar to the one that made P4x famous. The Pentagon eventually declined, but Caceres has launched a startup, Hyperion Gray, and plans to further pursue his controversial approach to cyberwarfare.

In mid-February, millions of people lost internet access after three undersea cables in the Arabian Sea were damaged. Some blamed Houthi rebels in Yemen, who had been attacking ships in the region, but the group denied it had sabotaged the cables. But the rebel attacks are still likely to blame—albeit, in a bizarre way. A WIRED analysis of satellite images, maritime data, and more found that the cables were likely damaged by the trailing anchor of a cargo ship that the Houthi rebels had bombed. The ship drifted for two weeks before finally sinking, crossing paths with the cables at the time they were damaged.

The myth that Google Chrome’s Incognito mode provides adequate privacy protections can finally be put to rest. As part of a settlement over Google’s Incognito privacy claims and practices, the company has agreed to delete “billions” of records collected while users browsed in Incognito mode. It will also further clarify how much user data can be collected by Google and third parties while Incognito is enabled, and take further steps to protect user privacy. There are other privacy-focused browsers that can replace Chrome. But if you’re still using it, make sure to update it to patch some serious security flaws.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A 58-year-old hospital systems administrator pleaded guilty this week to US federal charges after he was caught using another man’s name for more than 30 years. Matthew David Keirans allegedly stole the identity of William Woods in 1988, when the two men worked at a hot dog cart in Albuquerque, New Mexico, according to the US Attorney's Office for the Northern District of Iowa. Over the decades, Keirans obtained employment, bank accounts, loans, and insurance, and paid taxes, under the Woods name. Keirans even had a child whose last name is Woods.

The real William Woods, meanwhile, reportedly learned that someone else was using his identity in 2019. At the time, Woods was unhoused and living in Los Angeles. He contacted a bank where “William Woods” had an account, providing his real Social Security card and California ID card to prove his identity. However, he could not answer the security questions to gain access. The bank called Keirans—who was pretending to be Woods—and Keirans convinced the bank employee that the real Woods should not have access to the accounts. The Los Angeles Police Department then arrested the real Woods and charged him with identity theft after Keirans provided officers with false documents and information.

In a nightmarish twist, during judicial proceedings, the real Woods accurately maintained that “William Donald Woods” was his true identity, prompting the court to order him to a mental institution. The real Woods ultimately spent 428 days in jail and 147 days in a mental hospital before his release.

The real Woods then continued to work to regain his true identity, eventually contacting authorities after learning that Keirans worked at a hospital in Iowa City. Investigators later confirmed the real Woods’ identity after obtaining a DNA test. Confronted with the evidence, Keirans confessed to a series of crimes and now faces a maximum sentence of 32 years in prison, a $1.25 million fine, and five years of supervised release.

**US Review Board Slams Microsoft for ‘Cascade of Avoidable Security Failures’**

The White-House mandated Cyber Safety Review Board issued a scathing report against Microsoft this week, accusing the tech giant of failing to stop a “preventable” intrusion by China-backed hackers of hundreds of Microsoft Exchange Online email accounts. To gain access to email accounts belonging to 22 organizations and 500 individuals worldwide, the hackers, known as Storm-0558, stole a Microsoft cryptographic key. The CSRB report chastises the company for failing to detect “the compromise of its cryptographic crown jewels,” inadequate security practices, and a “corporate culture that deprioritized both enterprise security investments and rigorous risk management,” among a “cascade” of other defeats.

The report also found that Microsoft still does not know how Storm-0558 obtained its key, accusing the company of making false statements after it initially claimed that the key was accidentally included in an April 2021 “crash dump.” The company has since updated its explanation of the intrusion to say that it still does not know how the hackers obtained the key. The CSRB issued 25 recommended steps that Microsoft—a major government contractor whose systems protect highly sensitive information—should take to better protect its systems.

**AI-Generated Lawyers Caught Spewing Fake Legal Threats**

The owner of the website Tedium received legal threats from a nonexistent “law firm” charging the publication with a copyright violation. The thing is, the “lawyers” behind the complaint were AI-generated. The “law firm” accused Tedium of using a photograph without the owner’s consent, and a "copyright infringement" notice offered to supposedly settle the matter, if only Tedium would agree to properly credit the photo’s “owner” and link out to their website. This was, of course, a backlink scam designed to boost the SEO ranking of the fake copyright holder’s page. Only this time, the scam was bolstered by a cast of AI-generated characters: a hot-shot team of young, "skilled lawyers" purportedly specializing in creative rights and commercial law.

**Data Behemoth Enlists Lobbyists Against Effort in US to Limit Deals With Spies**

An internal feud is underway in the US Congress over the fate of a beleaguered spy program called Section 702 and the commercial deals that US intelligence agencies have struck in recent years with global data brokers, purchasing information that government agents typically need a warrant to obtain. Consequently, the UK owner of LexisNexis—an “amalgam of publishers and data brokers, stitched together into a single information giant”—has retained the services of a Washington, DC, lobbying firm to engage with federal lawmakers over “potential privacy, data security, breach notification, data broker, and FISA reform legislation.” Politico reports that the company, RELX, previously used the firm, Venable, to combat privacy legislation aimed at restricting the kinds of personal data companies are allowed to sell to law enforcement.

**‘Weapon Scanners’ Eyed by New York’s Surveillant Mayor Boasts Abysmal Track Record**

New York City mayor Eric Adams is hastening his crusade against subway violence with a plan to test weapons scanners that claim to use artificial intelligence to detect whether commuters are carrying blades and firearms. Documents obtained by Hell Gate reveal what Adams failed to disclose at a press conference last week: that data already in the city’s hands show the technology is only rarely useful. After police officers permitted to carry firearms were factored out of one study at a Bronx hospital, the scanners were found to be accurate less than 1 percent of the time. (All told, more than 85 percent of the time, the scanners cast false suspicion on New Yorkers who were found to be unarmed.) The move by Adams follows New York governor Kathy Hochul’s deployment of hundreds of National Guard soldiers in the city’s subway systems. Adams first addressed a spate of homicides and stabbings across the city in March by sending hundreds of police officers underground to search commuters' bags at well over 100 subway stations—a tactic that roused resistance from a few locals this week who smashed ticket machines and disabled security cameras at a midtown station to protest the surveillance surge.

Identity Thief Lived as a Different Man for 33 Years

By Deeba Ahmed
Wiz.io, known for its cloud security expertise, and Hugging Face, a leader in open-source AI tools, are combining their knowledge to develop solutions that address these security concerns. This collaboration signifies a growing focus on securing the foundation of AI advancements.
This is a post from HackRead.com Read the original post: Vulnerabilities Exposed Hugging Face to AI Supply Chain Attacks

Cybersecurity firm Wiz.io found that AI-as-a-service (aka AI Cloud) platforms like Hugging Face are vulnerable to critical risks, which allow threat actors to escalate privileges, gain cross-tenant access, and potentially take over continuous integration and continuous deployment (**CI/CD**) pipelines. 

**Understanding The Problem**

AI models require a strong GPU, often outsourced to AI service providers similar to consuming cloud infrastructure from AWS/GCP/Azure. **Hugging Face**’s service is called Hugging Face Inference API.

Wiz Research could compromise the service running custom models by uploading their malicious model and using container escape techniques, allowing cross-tenant access to other customers’ models stored in Hugging Face.

The platform supports various AI model formats, two prominent ones being **PyTorch** (Pickle) and Safetensors. Python’s Pickle format is known for being unsafe and allowing remote code execution upon deserialization of untrusted data although Hugging Face assesses Pickle files uploaded to their platform, highlighting those they deem dangerous.

However, researchers cloned a legitimate Pickle-based model (**gpt2**), modified it to run a reverse-shell upon loading, and uploaded the hand-crafted model as a private model. They interacted with the model using the Inference API feature, obtaining a reverse shell and discovered that crafting a PyTorch model that executes arbitrary code is straightforward, whereas uploading their model to Hugging Face allowed them to execute code inside the Inference API.

****Potential Risks****

The potential impact is devastating as attackers could access millions of private AI models and apps. Two critical risks include shared inference infrastructure takeover risk, where malicious models run untrusted inference infrastructure, and shared CI/CD takeover risk, where malicious AI applications may attempt to take over the pipeline and execute a supply chain attack after taking over the **CI/CD cluster**.

Furthermore, adversaries can attack AI models, **AI/ML applications**, and inference infrastructures using various methods. They can use inputs that cause false predictions, incorrect predictions, or malicious models. AI models are often treated as black-box and used in applications. However, there are few tools to verify the integrity of a model, so developers must be cautious when downloading them.

“Using an untrusted AI model could introduce integrity and security risks to your application and is equivalent to including untrusted code within your application” Wiz Research’s **report** explained.

****Hugging Face- Wiz Research Join Hands****

Open-source artificial intelligence (AI) hub Hugging Face and Wiz.io have collaborated to address the security risks associated with AI-powered services. The joint effort highlights the importance of proactive measures to ensure the responsible and secure development and deployment of AI technologies.

Commenting on this, **Nick Rago**, VP of Product Strategy at Salt Security added that _“_Securing the critical cloud infrastructure that houses AI models is crucial and the findings by Wiz are significant. It is also imperative that security teams recognize the vehicle in which AI is trained and serviced is an API, and rigorous security must be applied at that level to ensure the security of AI supply chains.”

****A Concerning Scenario****

This discovery comes at a time when concerns are already raised regarding data safety under AI-based tools. The AvePoint survey shows that less than half of organizations are confident they can use AI safely, with 71% concerned about data privacy and security before implementation, and 61% worried about internal data quality.

Despite the widespread use of AI tools like ChatGPT and Google Gemini, fewer than half have an AI Acceptable Use Policy. Additionally, 45% of organizations experienced unintended data exposure during AI implementation.

The widespread adoption of AI across various industries necessitates strong security measures. These vulnerabilities could potentially allow attackers to manipulate AI models, steal sensitive data, or disrupt critical operations.

1.  Airbus EFB App Vulnerability Risking Aircraft Data
2.  Vulnerability Exposed Ibis Budget Guest Room Codes
3.  CISA Urges Patching Microsoft SharePoint Vulnerability

Vulnerabilities Exposed Hugging Face to AI Supply Chain Attacks

By Deeba Ahmed
New Byakugan Malware Steals Data, Grants Remote Access & Uses OBS Studio to Spy! Fortinet reveals a phishing campaign distributing Byakugan malware disguised as a PDF. Don't click! Learn how to stay safe.
This is a post from HackRead.com Read the original post: Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF

Cybersecurity firm Fortinet alerts users of a phishing scam campaign distributing the Byakugan malware. This malware steals sensitive information and grants attackers remote access to infected Windows devices.

****Malware Found in PDF File:****

In January 2024, FortiGuard Labs discovered a PDF file in Portuguese language distributing Byakugan, a multi-functional malware. Researchers found a blurred table in the PDF and instructions for the victims to click a malicious link to view the content.

Screenshot of the PDF files used in the attack and the installer embedded in the downloader (Credit: Fortinet)

Once clicked, the downloader drops a file titled require.exe, which is its copy. Then a clean installer is downloaded to the temp folder followed by a DLL, which is executed via DLL-hijacking to run require.exe to download the main module. 

The downloader, named “require.exe” and located in the temp folder, executes the copy and not the Reader\_Install\_Setup.exe, and exhibits different behaviour in both files. Byakugan’s main module is downloaded from thinkforce.com, a C2 server that may also serve as an attacker’s control panel, with a login page on port 8080.

AhnLab SEcurity Intelligence Center (ASEC) also discovered an Infostealer disguised as an Adobe Reader installer through a fake PDF file in Portuguese, urging users to download Adobe Reader, which led to the execution of a malicious file Reader\_Install\_Setup.exe.

It further creates two malicious files and runs a Windows system file, msdt.exe as an administrator, loading the malicious BluetoothDiagnosticUtil.dll and loading the malicious DLL file. The threat actor can bypass User Account Control (UAC) via DLL hijacking. 

****Byakugan Malware Key Features****

Byakugan is a node.js-based malware that uses OBS Studio to monitor the target’s desktop and perform various functions. It has several libraries, including a screen monitor, miner, keylogger, file manipulation, and browser information stealer. 

Moreover, Byakugan can choose between mining with CPU or GPU to prevent system overloading and downloads from popular miners like **Xmrig**, t-rex, and NBMiner. It also stores data in the kl folder and can steal information about “cookies, credit cards, downloads, and auto-filled profiles,” researchers wrote.

Byakugan also has **anti-analysis** features, such as pretending to be a memory manager and setting the path to the Windows Defender’s exclusion path. Additionally, it drops a task scheduler configuration file into the Defender folder, enabling it to execute automatically when starting up. However, this newer variant does not download the software from its domain.

Infection flow (Credit: Fortinet)

****How to Stay Safe?****

Threat actors are using both clean and malicious components in malware, such as Byakugan, making detection difficult, FortiGuard researchers noted, Therefore, to stay protected from phishing attacks and such deceptive malware, users must be cautious with emails, and verify sender legitimacy.

Additionally, use strong passwords and **two-factor authentication,** keep software updated, and prefer installing security software that can detect and block phishing emails/malware. Avoid clicking on links or downloading attachments from suspicious emails, and contacting the sender directly.

1.  Tycoon Linked to Phishing Attacks on US Schools
2.  Microsoft Warns of New Tax Returns Phishing Scam
3.  Dropbox Abused in Phishing Scam to Steal SaaS Logins
4.  New iMessage Phishing Scam Hits Postal Service Users
5.  Phishing Scam Hooks META Businesses with Trademark Threats

Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Dealing with a Ramadan cyber spike; funding Internet security; and Microsoft's Azure AI changes.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards
    
*   Global: Cybersecurity Threats Intensify in the Middle East During Ramadan
    
*   Funding the Organizations That Secure the Internet
    
*   How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
    
*   Microsoft Beefs Up Defenses in Azure AI
    
*   Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed
    
*   Why Cybersecurity Is a Whole-of-Society Issue
    

**How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards**

Commentary by Shaun McAlmont, CEO, NINJIO Cybersecurity Awareness Training

Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — including when it comes to earning long-term support for awareness training from their boards. Winning strategies include communicating cybersecurity concepts in an engaging and non-technical way, and showing board members that cybersecurity programs offer significant ROI.

This column lays out five ways that CISOs can show boards that it's time to prioritize cybersecurity:

1.  Know how to communicate with non-technical audiences. Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, for instance.
    
2.  Focus on the entire cyber-impact chain. Cyberattacks can lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce.
    
3.  Stress the human element. CISOs stress that 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.
    
4.  Outline how awareness-training programs can be measured. CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.
    
5.  Secure long-term support. Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale.
    

Read more: How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

Related: CISOs Struggle for C-Suite Status Even as Expectations Skyrocket

**Cybersecurity Threats Intensify in the Middle East During Ramadan**

By Alicia Buller, Contributing Writer, Dark Reading

How security teams in the region fortify their defenses amid short-staffing — and increased DDoS, phishing, and ransomware campaigns — during the Muslim holy month.

The ninth month of the Muslim calendar is observed around the world, as followers take the time to reflect and practice fasting, and cybersecurity teams often operate with skeletal staffing. Ramadan is also a period where Muslim shoppers tend to up their spending on specialty foods, gifts, and special offers.

All of this also creates a perfect storm for bad actors to conduct fraudulent activities and scams. Endpoint-protection firm Resecurity has observed a significant increase in cyber malevolence during Ramadan, which began on March 10. The company estimates the total financial impact from these cyberattacks and cyberscams against the Middle East has reached up to $100 million so far during this year's Ramadan.

Middle East-based companies can step up cybersecurity with extra vigilance and outsourced support amid shortened working hours and increased ecommerce activity.

"Many organizations proactively enhance their outsourced contracts during this period, particularly focusing on bolstering 24/7 security operations," says Shilpi Handa, associate research director of security, Middle East, Turkey, and Africa (META) at IDC, adding that deploying a remote and diverse workforce is particularly advantageous during Ramadan as around-the-clock security shifts can be fully covered by a mix of Muslim fasters and non-Muslim staff.

Read more: Cybersecurity Threats Intensify in the Middle East During Ramadan

Related: Middle East Leads in Deployment of DMARC Email Security

**Funding the Organizations That Secure the Internet**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

There's no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding, or by subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

"Key components of the Internet are maintained by volunteers, nonprofits, and NGOs, and others who work with razor-thin budgets and resources," said Kemba Walden, president of Paladin Global Institute and former US acting national cyber director. "Consider this: The underpinnings of our digital infrastructure, the infrastructure that enables civil society to thrive in our economy today and to grow, rest on a network of volunteers, nonprofits, NGOs and others."

An initiative called Common Good Cyber is finding new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Ideas include creating joint funding organizations; federated fundraising for nonprofits; inventorying who is doing what to support the Internet's infrastructure; and a hub or accelerator to provide resources to the groups securing the Internet.

Read more: Funding the Organizations That Secure the Internet

Related: Neglecting Open Source Developers Puts the Internet at Risk

**How Soccer's 2022 World Cup in Qatar Was Nearly Hacked**

By Jai Vijayan, Contributing Writer, Dark Reading

A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.

About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.

The breach remained undetected until six months after the games, during which the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.

But it's the "what else could have happened" that's the really scary part: The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup.

Read more: How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

Related: NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII

**Microsoft Beefs Up Defenses in Azure AI**

By Jai Vijayan, Contributing Writer, Dark Reading

Microsoft adds tools to protect Azure AI from threats such as prompt injection, as well as to give developers the capabilities to ensure generative AI apps are more resilient to model and content manipulation attacks.

Amid growing concerns about threat actors using prompt injection attacks to get generative AI (GenAI) systems to behave in dangerous and unexpected ways, Microsoft's AI Studio is rolling out resources for developers to build GenAI apps that are more resilient to those threats.

Azure AI Studio is a hosted platform that organizations can use to build custom AI assistants, copilots, bots, search tools, and other applications, grounded in their own data.

The five new capabilities that Microsoft has added — or will soon add — are Prompt Shields, groundedness detection, safety system messages, safety evaluations, and risk and safety monitoring. The features are designed to address some significant challenges that researchers have uncovered recently — and continue to uncover on a routine basis — with regard to the use of large language models (LLMs) and GenAI tools.

"Generative AI can be a force multiplier for every department, company, and industry," said Microsoft's chief product officer of responsible AI, Sarah Bird. "At the same time, foundation models introduce new challenges for security and safety that require novel mitigations and continuous learning."

Read more: Microsoft Beefs Up Defenses in Azure AI

Related: Forget Deepfakes or Phishing: Prompt Injection is GenAI's Biggest Problem

**Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed**

By Jai Vijayan, Contributing Writer, Dark Reading

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

Read more: Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

Related: Feds to Microsoft: Clean Up Your Cloud Security Act Now

**Why Cybersecurity Is a Whole-of-Society Issue**

Commentary by Adam Maruyama, Field CTO, Garrison Technology

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

We are drowning in vulnerabilities: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, said simply that "we've made it easy on" attackers through poor software design. But it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

As CISA articulated in its Secure by Design initiative, secure coding by vendors is the first step to creating technologies that are both secure and usable. But businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. In particular, by increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes.

Meanwhile, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. And, the final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens through things like multifactor authentication.

Read more: Why Cybersecurity Is a Whole-of-Society Issue

Related: NIST Wants Help Digging Out of Its NVD Backlog

CISO Corner: Ivanti's Mea Culpa; World Cup Hack; CISOs &amp; Cyber Awareness

Improving security in the applications that drive the digital economy is a necessary undertaking, requiring ongoing collaboration between the public and private sectors.

Neatsun Ziv, CEO & Co-Founder, Ox Security

April 5, 2024

4 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

The recent publication "Back to the Building Blocks: A Path Toward Secure and Measurable Software" by the White House Office of the National Cyber Director (ONCD) provides additional detail and strategic direction supporting the National Cybersecurity Strategy released in March 2023. The strategy intends to shift a much greater share of responsibility for cybersecurity to software vendors, service providers, and other entities that develop software applications. This latest report provides a more specific direction by emphasizing an aggressive shift to memory-safe programming languages with software development practices.

**The Memory Safety Imperative**

Traditional programming languages are frequently the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite comprehensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as advised by the Cybersecurity and Infrastructure Security Agency's (CISA) road map, is a critical step toward developing software that is secure by design.

**Navigating Legacy System Complexities**

One of the most daunting challenges in this strategic shift is addressing the legacy systems developed in C and C++. These legacy systems are not only numerous but often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in the downtime of critical business processes.

Moreover, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms like Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, underscores the broader challenge in cybersecurity: the pursuit of advanced security measures must be balanced against the practicalities and costs of implementing these changes, especially for established systems.

**Economic and Technical Considerations**

Many organizations face formidable costs associated with overhauling older systems. Changing coding protocols is not only a technical decision but also a strategic one to ensure the security of the digital infrastructure of the future. As a result, decision-makers considering when to undertake the transition must evaluate the immediate financial and operational impacts versus the long-term benefits.

Fortunately, technological innovations have already been developed that can reduce the cost and disruption of transitioning to safer code. For instance, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code runs without proper isolation. And because of recent advances in compiler technology, even worst-case unsafe coding practices can be protected if written in an older language. These developments should significantly lessen the barriers to adopting safe coding practices for organizations of any size.

**A Collaborative Effort Toward a Secure Future**

Policymakers and vendors must collaborate closely to balance enhancing security with maintaining essential software services. Embracing memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to advancing our collective cybersecurity. 

Several industry leaders have already made significant investments in memory-safe languages. Examples include: 

*   Mozilla's Rust programming language: With its emphasis on memory safety, Rust offers a solid alternative to traditional programming languages that marries security and performance.
    
*   Microsoft's investment in Rust: Recognizing that older languages have limitations, Microsoft has embraced Rust and used it in several new projects where memory safety was a concern.
    
*   Google's memory safety efforts: Google has invested considerable resources into finding and mitigating memory safety vulnerabilities and has called for using memory-safe languages in new developments. Last week, Google released a new research report, "Secure by Design: Google's Perspective on Memory Safety," advocating for a secure-by-design strategy. The report focuses on adopting languages with robust memory safety features and acknowledges the limitations of evolving C++ to meet these standards.
    

**Moving Forward: Practical Steps to Meet the ONCD Recommendations**

The path in the latest ONCD report is challenging, but rich with opportunity. It demands practical steps from all actors within the software development and cybersecurity ecosystems, including:

*   Education and training: Organizations must commit to teaching their teams about memory-safe languages and secure development practices, ensuring that developers can make the necessary changes.
    
*   Gradual transition plans: Organizations should create plans for transitioning legacy systems to memory-safe and manageable languages. They should address the most critical areas first and phase the project slowly to minimize operational disruption.
    
*   Leveraging automation tools: Organizations should use modern code analysis tools and compilers that automatically find and remediate unsafe code practices while reducing the burden of manual processes.
    
*   Policy and governance: Organizations must develop explicit governance constructs that bake in memory safety and secure development practices throughout the software development lifecycle.
    
*   Community and collaboration: Importantly, organizations should reach outside their walls and the broader tech community in forums, partnerships, and open source projects to share the knowledge, challenges, and solutions around memory safety that come with this journey.
    

Improving security in the applications that drive the digital economy is a lofty and complex but necessary undertaking requiring ongoing collaboration between the public and private sectors. The ONCD's latest report is a solid next step in articulating the strategy; however, more will is needed to realize the vision. Transitioning to memory-safe coding languages for new applications and updating legacy code are enormous challenges. However, progress is being made with recent advancements in software analysis and compiler technologies and commitments demonstrated by many global technology leaders.

**About the Author(s)**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

White House's Call for Memory Safety Brings Challenges, Changes &amp; Costs

Cloud-native application protection platforms (CNAPPs) sidestep siloed security and embed security into the earliest stages of application development.

Source: John Williams RF via Alamy

Multicloud security is an enormously complex undertaking, requiring security teams to correlate thousands of daily security alerts across disparate platforms to efficiently and accurately respond to emergent threats. Rather than relying on a series of third-party point solutions — which often struggle to integrate and communicate with one another — to protect your multicloud environment, we recommend prioritizing native security solutions that can embed seamlessly within your environment.

A cloud-native application protection platform (CNAPP) is a unified platform that simplifies securing cloud applications throughout their life cycles. Originally coined by Gartner, this all-in-one platform connects traditionally siloed security and compliance capabilities into a single user interface. At their core, CNAPPs allow security teams to embed security into the earliest stages of the application development process and deploy more robust protections for cloud workloads and data.

There are many use cases where a cloud-native solution will have a natural edge over third-party solutions. We have picked a few common scenarios to showcase capabilities that are hard to replicate with a customized or third-party solution. This list is meant to be representative, not exhaustive.

**1\. Monitoring Your Cloud Management Layer**

The cloud management layer is a crucial service connected to all of your cloud resources. That also makes it a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Since cloud service providers (CSPs) do not allow integration with this layer, the capabilities provided by third-party solutions are severely limited and rely solely on the availability of logs/events, like Azure Diagnostics and AWS CloudTrail.

**2\. Detecting Near Real-Time Threats With Zero or Minimal Impact on Workloads**

As you leverage more native architecture patterns, your usage of native storage, like object storage and native SQL, will grow. As a result, these services often represent an attack target.

Because CSPs do not allow native integration with these services, organizations often struggle to detect malware as soon as an object is uploaded to a storage account without introducing latency or further risks to their workloads. We also see this same issue present when trying to detect sensitive data across databases and object stores without allowing access to a third-party solution. Native cloud security offerings do not have these limitations.

**3\. Inherent Coverage of Workloads as You Scale or Modernize**

Native solutions are deployed at the account or subscription level, integrate natively with other cloud services, and cover a vast variety of usage patterns. Often, these solutions do not require any agent and are push-button. When cloud architecture teams decide to migrate from a virtual machine-based deployment to one that's container-based, organizations can rest assured that the workload is protected from the start.

**4\. Integrating with Your Native Pipelines**

When organizations deploy cloud workloads, they can integrate the native solution at the code repository level. This ensures they are checking appropriate risks at each level — for example, code scanning as part of code merges or image scanning on push. Native solutions also allow organizations to manifest validation before container deployment.

**5\. Maintaining Your Access-Related Blast Radius**

When organizations deploy a third-party solution, that solution requires its own set of roles that need to be monitored. Users will also most likely need to be managed within the third-party solution itself. This adds additional monitoring requirements for security teams that are not needed when deploying native solutions. Because native solutions already integrate with other cloud services and leverage predefined roles, security teams don't need to worry about any additional risks being introduced into their environments.

As we have seen, CNAPPs have a unique value proposition for integrating in your cloud security portfolio, either as the primary solution or as a complement to your existing cloud security posture management (CSPM).

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Reconsider Your CNAPP Strategy Using These 5 Scenarios

Latest campaign underscores wide-ranging functionality and staying power of a decade-old piece of information-stealing malware.

Source: David Chapman via Alamy

More than 11,000 Australian companies were targeted in a recent wave of cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.

Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries that came with a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.

Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by a variety of threat actors, including cybercriminals and spies, according to researchers at Check Point Software.

Alexander Chailytko, cybersecurity, research, and innovation manager at Check Point, says threat actors have "developed a level of trust" in Agent Tesla's capabilities.

"Its reliability, coupled with its diverse range of functionalities for data exfiltration and information theft, makes it a preferred choice among cybercriminals," Chailytko explains.

The malware offers a range of data exfiltration methods and stealing capabilities that target the most commonly used software, ranging from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms such as Telegram and Discord, which makes it easier for crooks to run hacking campaigns.

Agent Tesla was in the news last year, when cybercriminals exploited a 6-year-old Microsoft Office remote execution flaw to sling Agent Tesla.

**Anatomy of an Agent Tesla Hack**

An analysis by security researchers from Check Point published in a blog post this week offered one of the most detailed inspections of the methodology of an Agent Tesla-based phishing campaign to date. Their work offers a postmortem on a high-volume series of attacks launched in November 2023 against mostly Australian and American targets.

Check Point said a threat actor dubbed "Bignosa" first installed Plesk (for hosting) and Round Cube (email client) onto a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.

Cassandra Protector bundles a variety of options that allow cybercriminals to configure sleep time before execution. Among other functions, it controls the text in the fake dialogue box that appears when victims open a malicious file.

Once Agent Tesla was "protected" this way, Bignosa converted the malicious .NET code into an ISO file with a ".img" extension before attaching the resulting file to the spam emails.

Next, Bignosa connected to the newly configured machine via a remote access network protocol connection, created an email address, logged in to webmail, and launched the spam run using a pre-prepared target list. According to Check Point, "a few successful infections" hit Australia in a first wave of the attack.

**Down Under**

The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by the presence of a mailing list file named "AU B2B Lead.txt" on their machines.

"This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the goal of extracting valuable information for financial exploitation," Check Point's Chailytko says.

Bignosa also worked with another more proficient cybercriminal, who immodestly goes by "Gods," in a campaign to hack into Australian and US-based businesses, the researchers found.

Gods offered advice to Bignosa on the content of malicious spam text, according to Jabber chat logs uncovered by the security researchers.

Like with other cybercriminals, the duo struggled with elements of their cybercrime campaign, according to evidence uncovered by Check Point.

In multiple instances, Bignosa wasn't able to clean his machine from the Agent Tesla test infections, so the hapless hacker had to call on remote access from Gods for assistance.

Check Point said it believes that Bignosa is Kenyan and Gods is a Nigerian with a day job as a Web developer.

**How to Block Agent Tesla Infections**

The Agent Tesla-based spear-phishing campaign highlighted by Check Point underscores the still-prevalent threat posed by the mature malware.

Businesses should maintain up-to-date operating systems and applications by promptly installing patches and utilizing other security measures. Commercial spam filtering and blocklist tools can help minimize the volume of junk traffic that appears in user inboxes, according to Check Point.

Even so, end users must exercise caution when encountering unexpected emails containing links, particularly from unfamiliar senders. According to Check Point, that's where regular employee training and education programs can bolster cybersecurity awareness.

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Tag

#microsoft