The 2024 ISC2 Cybersecurity Workforce Study found that amid a tightening job market and dynamic cyber-threat environment, ongoing staffing and skills shortages are putting organizations at serious risk. Can AI move the needle in defenders' favor?

Source: Helen Sessions via Alamy Stock Photo

Even though 90% of organizations have unfilled positions or underskilled workers on their cybersecurity teams, hiring for those jobs has, for the first time in six years, ground to a halt.

That's according to the 2024 ISC2 Cybersecurity Workforce Study, which found that the global workforce has held steady at 5.5 million people year-over-year, recording just a negligible 0.1% increase from 2023 (though some pockets of increased cyber hiring remain).

To put that in perspective, last year, the cybersecurity workforce grew 8.7% year-on-year, despite declining investment in technology and cyber platforms.

The main driver for 2024's job market inertia is straightforward: a lack of budget for adding head count and upskilling. A full 67% of respondents to the ICS2 survey cited budget as their top cause for staffing shortages, replacing last year's No. 1 cited reason for empty positions, which was a lack of qualified talent.

Even though 74% of respondents said the threat landscape is the most challenging they have experienced in the past five years, "professionals are feeling the impact of declining investments in the cybersecurity workforce, including budget cutbacks and layoffs, \[which affects\] workforce satisfaction, the development of organizational security, the adoption of new technologies, and more," according to the report.

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

Source: 2024 ISC2 Cybersecurity Workforce Study

Indeed, ISC2 found that cybersecurity job satisfaction has fallen from 74% in 2022 to 66% in 2024. Furthermore, respondents said that worker shortages were their biggest challenge over the past 12 months, but there's no end in near-term sight. They also predicted that shortages will continue to be a significant challenge over the next two years.

"As economic conditions continue to impact workforce investment, this year’s Cybersecurity Workforce Study underscores that many organizations are putting their cyber teams under significant strain, risking burnout and attrition as job satisfaction rates fall,” said ISC2 acting CEO and CFO Debra Taylor, in a statement.  

Meanwhile, more than half of those surveyed (58%) believe a shortage of skills puts their organization at significant risk; 59% of respondents agree that skills gaps have already substantially affected their ability to secure their organizations. The statistics bear this out: ISC2 found that organizations with critical or significant skills gaps are almost twice as likely to experience a material breach compared with organizations that reported no skills gaps.

The good news is that out of those already in cyber-related jobs, three-quarters (73%) said they're focused on building their cybersecurity skill set, with 48% interested in learning more AI-related skills (more than one-third of respondents cited AI as the biggest skills shortfall on their teams).

Related:Noma Launches With Plans to Secure Data, AI Life Cycle

About half (52%) said they're focused on hanging on to their positions by becoming a more strategic contributor to their organizations.

**AI to the Cyber Job Rescue?**

If there's a silver lining to the perceived staffing shortage, respondents believe it will come from the year's hottest buzz category: generative artificial intelligence (GenAI).  

ISC2 respondents said that AI and automation will have the most significant impact on their ability to secure their organizations. A full 68% agree that within the next two years, they will be able to use GenAI effectively as part of their roles. And a large majority (80%) said their cybersecurity skill set will be more important in an AI-driven world.

"AI is viewed by professionals as a solution to strengthen their organizations' security and create new efficiencies for their teams," Taylor said. "They also view effectively managing risk associated with AI adoption and its strategic importance to their organization’s future success as career growth opportunities for themselves and their peers. Organizations and cybersecurity leaders must recognize how AI can contribute to creating more resilient security teams, especially while economic challenges persist."

Related:Zenity Raises $38M Series B Funding Round to Secure Agentic AI

Already, 45% of respondents' teams are using AI in cybersecurity tools. ISC2 found the top five use cases to be:

*   Augmenting common operational tasks (56%)
    
*   Speeding up report writing and incident reporting (49%)
    
*   Simplifying threat intelligence (47%)
    
*   Accelerating threat hunting (43%)
    
*   Improving policy simulations (41%)
    

That said, the lack of a clear GenAI strategy was cited as one of the top barriers to its organizational adoption by nearly half (45%) of all participants. And just how AI will affect the kinds of expertise a future cyber workforce will need remains unclear.

According to the report, "AI is a game changer for two main reasons. First, experts predict AI will be able to replace some of the technical skills needed in cybersecurity. Second, and arguably more important, no one is certain how AI will manifest in cybersecurity since they currently cannot predict what skills, if any, it will replace. As a result of this uncertainty, hiring managers aren’t rushing to hire more specialized workers. Instead, they are prioritizing nontechnical skills, like problem-solving, that will be transferable through the increased use of AI."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Cybersecurity Job Market Stagnates, Dissatisfaction Abounds

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

130.0.2849.68

10/31/2024

130.0.6723.91/.92

CVE-2024-10488: Chromium: CVE-2024-10488 Use after free in WebRTC

CVE-2024-10487: Chromium: CVE-2024-10487: Out of bounds write in Dawn

Cybersecurity researchers uncovered the “Xiū gǒu” phishing kit targeting users in the UK, US, Spain, Australia, and Japan.…

Cybersecurity researchers uncovered the “Xiū gǒu” phishing kit targeting users in the UK, US, Spain, Australia, and Japan. Active across public, postal, and banking sectors, the kit mimics legitimate services to harvest data.

Cybersecurity researchers at Netcraft have discovered a new phishing kit in action named “Xiū gǒu,” which has been actively targeting unsuspecting users in the UK, US, Spain, Australia, and Japan since September 2024.

This kit, notable for its unique branding and interactive features, has been identified in over 2,000 phishing websites, exposing both individuals and organizations across different sectors to the risk of being compromised.

The phishing kit, dubbed “Xiū gǒu” (修狗) after the Mandarin Chinese internet slang “xiū gǒu,” which translates to “doggo,” currently focuses on scams related to motorists, government payments, and postal services. The admin panel and associated Telegram account feature a cartoon dog mascot holding a soda bottle, adding an element of entertainment to the otherwise malicious tool.

According to the technical blog post shared with Hackread.com ahead of publishing on Thursday, Xiū gǒu’s front end utilizes Vue.js for both phishing pages and the admin panel, while the back end is powered by Golang through the SynPhishServer executable. This combination allows for a more active and harder-to-detect phishing infrastructure.

The kit has been deployed across more than 1,500 IP addresses and phishing domains, targeting victims with scams related to motorists, government payments, and postal services. Organizations in the public sector, postal, digital services, and banking sectors have been particularly vulnerable. Some of the notable impersonations include the following:

*   **Evri**
*   **Linkt**
*   **USPS**
*   **Lloyds**
*   **Services Australia**
*   **New Zealand Post**
*   **UK Government (gov.uk and DVSA)**

Threat actors using Xiū gǒu leverage Cloudflare’s anti-bot and hosting obfuscation capabilities to evade detection. They often register domains with the “.top” top-level domain (TLD), choosing names that relate to their scams, such as ‘parking’ or ‘living,’ or incorporating parts of the target brand’s name.

The attack flow typically begins with a Rich Communications Services (RCS) message containing a shortened link, which directs victims to a phishing website designed to mimic legitimate sites like gov.uk. Bots are redirected to non-malicious sites to further obfuscate the activity. Once victims enter their personal and payment details, the information is exfiltrated to Telegram via a bot set up by the fraudster.

Fake UK Government parking fine payment page powered by Xiū gǒu phishing kit (Screenshot: Netcraft)

Fake USPS package release page powered by Xiū gǒu phishing kit (Screenshot: Netcraft)

Netcraft’s research provides a window into the minds of the kit’s authors stating, “Our research provides an interesting perspective into the minds and methods of the authors behind the kits and we can see by xiū gǒu’s use of specific scripting languages as well as the inclusion of user tutorials._“_

_“_The author has also chosen to measure and analyze the use of their kit, most likely so that they can optimize and improve their competitiveness over time. We also get a sense of how—as with the doggo mascot—authors inject personality and humour into their kits, leaving their own distinctive mark_.”_

The Xiū gǒu phishing kit remains active and is part of an ongoing global campaign targeting both businesses and individuals. To protect yourself, use caution with unsolicited messages and follow these steps to avoid becoming its next victim:

*   **Verify Links Before Clicking**: Always hover over links in emails or texts to check the actual URL, and avoid clicking shortened links unless verified. Phishing kits often use misleading URLs to trick users.
*   **Be Careful with Personal Information**: Avoid entering sensitive information on websites reached through unsolicited messages, especially if the site requests personal or payment details.
*   **Enable Multi-Factor Authentication (MFA)**: MFA adds an extra layer of protection. Even if a phishing kit collects your credentials, MFA can help prevent unauthorized access to your accounts.
*   **Use Anti-Phishing Software**: Many anti-phishing tools can detect suspicious sites and prevent you from accessing them, even if you accidentally click on a phishing link.
*   **Educate Yourself on Phishing Tactics**: Stay informed about common phishing strategies and indicators, like unusual language or suspicious domain names, which can help you identify threats before they become issues.

1.  **EvilProxy Phishing Kit Hits 100+ Firms as It Bypasses MFA**
2.  **Chinese ‘Smishing Triad’ Group Hits Pakistan with SMS Phishing**
3.  **V3B Phishing Kit Steals Logins and OTPs from EU Banking Users**
4.  **FishXProxy Phishing Kit Makes Phishing Ready for Script Kiddies**
5.  **EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Flaw**
6.  **Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks**

New Xiū gǒu Phishing Kit Hits UK, US, Japan, Australia Across Key Sectors

Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our

Thursday, October 31, 2024 11:29

Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**NVIDIA Graphics remote out-of-bounds execution vulnerabilities**

_Discovered by Piotr Bania._

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Talos discovered multiple out-of-bounds read vulnerabilities in Nvidia that could be triggered remotely in virtualized environments, via web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; while recently deprecated by Microsoft, some older machines may still use this software.

Advisories related to these vulnerabilities:  
TALOS-2024-1955 (CVE-2024-0121)  
TALOS-2024-2012 (CVE-2024-0117)  
TALOS-2024-2013 (CVE-2024-0118)  
TALOS-2024-2014 (CVE-2024-0120)  
TALOS-2024-2015 (CVE-2024-0119)

**LevelOne wireless SOHO router vulnerabilities**

_Discovered by Patrick DeSantis and Francesco Benvenuto_.

Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.

The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.

Talos discovered these vulnerabilities in the R0.30e6 version of the router:

TALOS-2024-1979 (CVE-2024-28875,CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds post-boot. Used with other vulnerabilities that force a reboot, time restrictions for exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.

TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists due to improper resource allocation within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.

TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.

TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.

TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device's reliance on IP addresses for authentication.

TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device's Wi-Fi network.

TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.

TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.

TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.

TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews.…

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews. This year alone, GitHub has been in the news multiple times due to malware incidents, high-severity vulnerabilities, and data deletion events, all of which pose risks to users’ data.

How can developers secure their GitHub environments? While widely recommended practices include least-privilege access controls, routine testing, API authentication, frequent rotation of access tokens, and using SSH keys, backups deserve particular focus. Establishing a reliable GitHub backup system is essential for safeguarding data effectively.

****Why back up your GitHub account?** **

According to The State of DevOps Threats Report by GitProtect.io, the number of incidents that impacted GitHub users in 2023 grew by over 21%. And around 13.94% of events that took place had a major impact on the service. 

If you check Q1 and Q2 of 2024, you will see that there have already been 70+ incidents that influence GitHub users in various ways. Just to note, in 2023 there were 160+ different incidents, starting from major impact to maintenance. 

Why is it important to back up your GitHub environment? Anything can happen, and it’s always wise to prepare for worst-case scenarios. In such cases, having a backup can help by:

*   Protect GitHub repositories and metadata against outages and other unpredictable threats, as it allows the restoration of a copy to another location and ensures workflow and business continuity, 

*   Safeguard against human errors, like accidental deletion of files, 

*   Ensure data recoverability in case of a ransomware attack, as backup is the final line of protection, 

*   Fulfill the Shared Responsibility Model which defines the roles and responsibilities of GitHub and its users. Here it’s worth mentioning that GitHub data protection is the user’s duty. In GitHub Terms of Service, it’s written: “You are responsible for keeping your Account secure while you use our Service. We offer tools such as two-factor authentication to help you maintain your Account’s security, but the content of your Account and its security are up to you.” 

*   Meet security compliance and data retention requirements, as the majority of security protocols and compliance regulations require organizations to have longer retention times, backup, and Disaster Recovery guarantees. GDPR, HIPAA, PCI DSS, FedRAMP, ISO/IEC 27001, FINRA, HITECH, NIS 2 Directive, etc. – they all require organizations to have a backup. 

****Top 10 tips to make sure your GitHub backup plan is effective** **

Considering all the threats, an effective backup plan should help to foresee any disaster scenario and guarantee that all the GitHub account data won’t be lost. 

****Tip 1: Full data coverage** **

Efficient backup should include all the repositories, and metadata, such as issues, pull requests, issue comments, webhooks, wiki, labels, deployment keys, projects, pipelines, and Git LFS. It will help to ensure complete repo integrity and full data protection. 

****Tip 2: Backup automation** **

It’s important to have the possibility to automate backup processes by scheduling backup policies at the most appropriate time and frequency. For example, set up a backup plan that triggers a copy every 4 hours.  

****Tip 3: Various backup performance schemes** **

Not to overload your storage, you should have the option to define different rotation and performance schemes for every backup copy you set up. They may be full, incremental, or differential backup copies. 

****Tip 4: Multi-storage consistency** **

By having a few copies in different storage locations, you can eliminate any risk of a disaster and meet the 3-2-1 backup rule which requires to have at least 3 backup copies in 2 or more storage locations, with 1 offsite. 

Moreover, when it comes to storage destinations, you should be able to back up your repository and other related data to both local and cloud storage instances. 

****Tip 5: Backup replication** **

Having a few copies in various locations isn’t enough. You should make sure that you can enable replication between backup storage destinations. In this case, all the copies will be consistent and in the event of failure, you will be able to restore your data from any of the storage instances if one of them fails to run. 

****Tip 6:  Long-term retention** **

Retention is closely related to compliance and data recovery from any point in the past. By default, GitHub stores build logs for 90 days. However, it might be not enough for those organizations that operate in regulated industries or require much longer retention times. 

A backup solution should help solve this issue by allowing long-term or even unlimited retention. Thus, an organization will be able to recover its data from any point in time, for example, from 3 or 5 years prior. 

****Tip 7: Transparent management and monitoring** **

Not all team members should have the same access to backups. Hence, the backup software should allow you to set various roles and assign different responsibilities to your team members. For example, there may be those, who are either responsible for setting up GitHub backups, triggering recovery in case of a failure, only viewing backup performance, or system administrators who can operate without restrictions.  

What is more, you should always get notifications when your backup or restore was performed with details and statuses. There can be different ways of notifications – email, Slack, webhooks as well as a dedicated console with all data-driven information, tasks, SLA, and compliance reports. 

****Tip 8: In-flight and at-rest encryption** **

Your GitHub repo and metadata should be protected at every stage – in-flight, during the transmission, and at rest. Moreover, as an additional security measure, you should be able to set your personal encryption key. 

Also, your device should have no information about the encryption key, it should receive it only during the backup performance to keep up with the zero-encryption approach.  

****Tip 9: Ransomware protection** **

As backup is a final line of defence, it must be ransomware-proof. Immutable storage that helps keep data in a non-executable format, every-scenario-ready Disaster Recovery, encryption should be arranged and work as a clock to ensure your GitHub data protection and recoverability. Moreover, backup software should guarantee secure access authorization, for example, via SAML SSO protocols. 

****Tip 10: Restore and Disaster Recovery** **

Having a consistent GitHub backup should mean that you can restore your data in any event of failure – ransomware attack, service outage, infrastructure downtime, etc. The backup solution should allow you to restore your data fully or granularly – only selected metadata or repositories. 

Regarding the restore destinations, the solution should also foresee any event of failure. Thus, you should have the option to recover your GitHub data to the same or a new GitHub account, to your local machine, or cross-over recovery to another Git hosting platform, like GitLab, Bitbucket, or Azure DevOps. 

What’s more, during the recovery process, you shouldn’t overwrite the existing data but have the opportunity to restore it as a new file. 

****Is my GitHub backup effective?** **

To ensure that your backup processes are efficient, your backup should respond to the mentioned tips. 

However, how to build your backup strategy for your GitHub environment is the question you should answer taking into account your security and compliance requirements, the size of your GitHub ecosystem, the evaluation of data loss risks, and others. 

You can go with the “Download zip” files and folders option or backup scripts, however, they won’t ensure automation, proper protection against ransomware, and restore capabilities. In this case, all the responsibility over GitHub data protection is on your side. 

Alternatively, you can use a dedicated backup software, like GitProtect.io for GitHub, that will help you both share your duties over GitHub data protection and ensure your data is accessible and recoverable in any disaster scenario. With scheduled automated backup procedures, full data coverage, data residency of your choice, ransomware protection, and advanced disaster recovery measures, the backup provider brings peace of mind that every line of your source code is secured.

1.  **How To Safeguard Your Data With Cloud MRP System**
2.  **How to Hide Tables in SQL Server Management Studio**
3.  **How to Recover Deleted Emails from Exchange Server?**
4.  **Cloud Solutions Transform Software Quality Assurance**
5.  **How to Choose the Best Analytics Tools for Mobile Apps**
6.  **How To Craft The Perfect Data Loss Prevention Strategy**
7.  **How to Install Microsoft Exchange Updates with Reliability**
8.  **Insights on Google Cloud Backup, Disaster Recovery Service**

How To Create a Complete GitHub Backup

Ubuntu Security Notice 7076-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7076-2October 31, 2024linux-azure-fde-5.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Microsoft Azure Network Adapter (MANA) driver;  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-45016, CVE-2024-38630, CVE-2024-45001, CVE-2024-27397)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.15.0-1074-azure-fde  5.15.0-1074.83~20.04.1.1  linux-image-azure-fde           5.15.0.1074.83~20.04.1.51After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7076-2  https://ubuntu.com/security/notices/USN-7076-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45001, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1074.83~20.04.1.1

Ubuntu Security Notice USN-7076-2

Ubuntu Security Notice 7021-5 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7021-5October 31, 2024linux-azure-fde vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - BTRFS file system;  - F2FS file system;  - GFS2 file system;  - BPF subsystem;  - Netfilter;  - RxRPC session sockets;  - Integrity Measurement Architecture(IMA) framework;(CVE-2024-27012, CVE-2024-38570, CVE-2024-42228, CVE-2024-41009,CVE-2024-39494, CVE-2024-42160, CVE-2024-39496, CVE-2024-26677)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1073-azure-fde  5.15.0-1073.82.1  linux-image-azure-fde-lts-22.04  5.15.0.1073.82.50After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7021-5  https://ubuntu.com/security/notices/USN-7021-4  https://ubuntu.com/security/notices/USN-7021-3  https://ubuntu.com/security/notices/USN-7021-2  https://ubuntu.com/security/notices/USN-7021-1  CVE-2024-26677, CVE-2024-27012, CVE-2024-38570, CVE-2024-39494,  CVE-2024-39496, CVE-2024-41009, CVE-2024-42160, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1073.82.1

Ubuntu Security Notice USN-7021-5

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

Thursday, October 31, 2024 09:37

*   Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
*   The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. 
*   This campaign abuses Google's Appspot\[.\]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine to avoid network security product detections. 
*   Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

**Phishing email campaign targets Taiwan **

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

*   IMAGE COPYRIGHTED.exe 
*   \[Redacted\] 的影片內容遭到侵犯版權.exe (translates to “\[Redacted\]'s video content has been copyright infringed.exe”) 
*   版權侵權信息- \[Redacted\] Media Co Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Co Ltd.exe”) 
*   版權侵權信息- \[Redacted\] Media Group Inc.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Group Inc.exe”) 
*   版權侵權信息- \[Redacted\] Technology Group.exe (translates to “Copyright Infringement Information - \[Redacted\] Technology Group.exe”) 
*   版權侵權信息- \[Redacted\] Co. Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Co. Ltd.exe”) 
*   \[Redacted\] Online -宣布侵權.exe (translates to “\[Redacted\] Online - declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

**Attribution **

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename "Support." Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

**Actor infrastructure **

The threat actor is abusing Google's Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

**Malware infection summary **

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

**LummaC2 stealer and its loader **

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system's memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer's execution file to that block, and then execute it.   

Jump code to shellcode block. 

 

 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

*   sTDsFx--Socks 
*   iAlMAC--ghost 

**Rhadamanthys stealer and its loader **

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:\\Users\\\[user\]\\Documents\\lumuiUpdater\\ffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim's computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process "%Systemroot%\\system32\\dialer.exe" and injects Rhadamanthys' payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

*   Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\1\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\2\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\3\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\4\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\5\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\6\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\7\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\8\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

**IOC **

IOCs for this research can also be found at our GitHub repository here.

Threat actors use copyright infringement phishing lure to deploy infostealers

The Russian-backed group is using a novel access vector to harvest victim data and compromise devices in a large-scale intelligence-gathering operation.

Source: Funtap via Shutterstock

"Midnight Blizzard," a threat group linked to Russia's foreign intelligence service, is stoking more concern than usual for both its sheer scope and its use of a new tactic for harvesting information and gaining control of victim systems.

Microsoft this week said its threat intelligence group observed Midnight Blizzard actors sending out thousands of spear-phishing emails to targeted individuals at more than 100 organizations worldwide since Oct. 22.

**Large-Scale Campaign**

Besides its wide scope, the campaign is noteworthy for Midnight Blizzard's use of a digitally signed Remote Desktop Protocol (RDP) configuration file in its spear-phishing emails. The RDP file connects to a server controlled by a threat actor; when the file is opened, it allows the attacker to harvest user credentials and detailed system information to aid further exploit activity.

"The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of zero trust," Microsoft said on its threat intelligence group blog this week. "Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the UK, Europe, Australia, and Japan."

Midnight Blizzard — aka Cozy Bear, APT29, and UNC2452 — has been the proverbial thorn in the side of security organizations for some years now. The group's many victims include SolarWinds, Microsoft, HPE, multiple US federal government agencies, and diplomatic entities worldwide. Its well-documented tactics, techniques, and procedures (TTPs) include using spear phishing, stolen credentials, and supply chain attacks for initial access. Midnight Blizzard actors have also targeted vulnerabilities in widely used networking and collaboration technologies such as those from Fortinet, Pulse Secure, Citrix, and Zimbra to gain an initial toehold on a target network.

**Bidirectional Connection**

The RDP file in the Microsoft, AWS, and zero-trust themed emails in Midnight Blizzard's latest campaign allows the attacker to establish a quick, bidirectional connection with a compromised device. The threat actor is using it to harvest a range of information including user credentials, files, and directories on the victim system and connected network drives; information from connected smart cards and other peripherals; Web authentication credentials; and clipboard data. The RDF file is signed with a LetsEncrypt certificate to lend it an air of legitimacy. "This access could enable the threat actor to install malware on the target's local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access Trojans (RATs) to maintain access when the RDP session is closed," Microsoft cautioned.

Stephen Kowski, field CTO at SlashNext, says Midnight Blizzard's use of signed RDP files in its current campaign is significant. Signed RDP files can bypass traditional security controls since they appear to come from a legitimate source, he points out.

"This technique is particularly cunning because RDP files are commonly used in business environments, making them less likely to raise immediate suspicion, while the legitimate signature helps evade standard malware detection systems," he says. He advocates that organizations scan all email attachments in real time, with a particular focus on RDP files and other seemingly legitimate Microsoft-related content. "The use of legitimately signed files creates a significant blind spot for conventional security tools that rely heavily on signature-based detection or reputation scoring," Kowski advises.

**Mitigating the Threat**

Microsoft has released a list of indicators of compromise for the new Midnight Blizzard campaign, including email sender domains, RDP files, and RDP remote computer domains. It has recommended that security teams review their organizational email security settings and antivirus and anti-phishing measures; turn on Safe Links and Safe Attachments settings in Office 365; and enable measures for quarantining sent email if needed. Other recommendations include using firewalls to block RDP connections, implementing multifactor authentication, and strengthening endpoint security configurations.

Venky Raju, field CTO at ColorTokens, says the campaign is a reminder why organizations need to maintain a tight rein over the use of Microsoft's remote desktop. While it can be useful to share devices, folders, and clipboard content over an RDP session, it gives attackers a way into a user's device. "Signing the RDP configuration file may prevent email security systems from classifying the email as having a suspicious link or attachment. It may also reduce the warnings presented by the RDP client," he points out.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#microsoft