Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

Every person in this scene is just so joyful that we can't help by wonder, what are they so happy about? Send us a cybersecurity-related caption to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Jan. 17 deadline:

*   Via social media: X, Bluesky, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Dr. Dana Hackley for sending us the winning caption for last month's "Meeting of Minds" cartoon. Some noteworthy contenders included "'Welcome to BYOD: Bring Your Own Duvet,'" "SOCs in bed, yes, or no? Inquiring CISOs want to know!" and "Next on todays meeting, retiring EoL tech…" A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Sneaking Around

This Tech Tip outlines what enterprise defenders need to do to protect their enterprise environment from the new NTLM vulnerability.

Roy Akerman, VP of Identity Security Strategy, Silverfort

December 20, 2024

4 Min Read

Source: Supapixx via Alamy Stock Photo

A new zero-day vulnerability in NTLM discovered by researchers at 0patch allows attackers to steal NTLM credentials by having a user view a specially crafted malicious file in Windows Explorer — no need for the user to open the file. These password hashes can be used for authentication relay attacks or for dictionary attacks on the password, both for identity takeover.

NTLM refers to a suite of old authentication protocols from Microsoft that provide authentication, integrity, and confidentiality to users. While NTLM was officially deprecated as of June, our research shows that 64% of Active Directory user accounts regularly authenticate with NTLM — evidence that NTLM is still widely used despite its known weaknesses.

The flaw is exploitable even in environments using NTLM v2, making it a significant risk to enterprises that have not yet moved to Kerberos and are still relying on NTLM. Considering Microsoft may not patch this issue for a while, enterprise defenders should take steps to mitigate the vulnerability in their environments. This Tech Tip outlines how dynamic access policies, a few hardening steps, and multifactor authentication (MFA) can help limit attempts to exploit this vulnerability. Upgrading the protocol, where possible, could eliminate the issue completely.

**What Is the NTLM Vulnerability?**

When a user views a malicious file in Windows Explorer — whether by navigating to a shared folder, inserting a USB drive containing the malicious file, or just viewing a file in the Downloads folder that was automatically downloaded from a malicious Web page — an outbound NTLM connection is triggered. This causes Windows to automatically send NTLM hashes of the currently logged-in user to a remote attacker-controlled share.

These NTLM hashes can then be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. Attackers can also potentially use the exposed passwords to access the organization's software-as-a-service (SaaS) environment due to the high rates of synced users.

The issue impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

The fundamental problem with NTLM lies in its outdated protocol design. NTLM transmits password hashes instead of verifying plaintext passwords, making it vulnerable to interception and exploitation. Even with NTLM v2, which uses stronger encryption, the hashes can still be captured and relayed by attackers. NTLM's reliance on weak cryptographic practices and lack of protection against relay attacks are key weaknesses that make it highly exploitable. Moreover, NTLM authentication does not support modern security features, such as MFA, leaving systems open to a variety of credential theft techniques, such as pass-the-hash and hash relaying.

**What Defenders Need to Do**

To mitigate this vulnerability, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP. There are scripts provided by Microsoft to activate EPA manually on Exchange Server 2016. Where possible, update to the latest Windows Server 2025 as it ships with EPA and channel binding enabled by default for both AD CS and LDAP.

Some organizations may still be dependent on NTLM due to legacy systems. Those teams should consider additional authentication layers, such as dynamic risk-based policies, for protecting existing NTLM legacy systems against exploitations.

Harden LDAP configurations. Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.

Check impact on SaaS. If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can use Group Policy to enable the Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.

Using Group Policy to limit or disable NTLM authentication via the Network Security: Restrict NTLM setting will reduce the risk of fallback scenarios where NTLM is unintentionally used.

Monitor SMB traffic. Enabling SMB signing and encryption can help prevent attackers from impersonating legitimate servers and triggering NTLM authentication. Blocking outbound SMB traffic to untrusted networks will also reduce the risk of NTLM credential leakage to rogue servers. Implement network monitoring and alerting for unusual SMB traffic patterns, particularly outbound requests to unknown or untrusted IP addresses.

Leave NTLM behind. NTLM has been deprecated. Administrators should audit NTLM usage to identify which systems still rely on NTLM. Organizations should prioritize transitioning those systems away from NTLM to more modern authentication protocols, such as Kerberos. Once a more modern protocol is in place, implement MFA to add an additional layer of protection.

Taking these steps will help organizations address the fundamental flaws in NTLM and improve their security posture.

**About the Author**

VP of Identity Security Strategy, Silverfort, Silverfort

Roy Akerman is the VP of Identity Security Strategy at Silverfort and former co-founder and CEO of Rezonate. Prior to Rezonate, Roy served as VP of Product and Innovation at Cybereason, responsible for growing 3 new business lines on cloud security, mobile defense, and XDR. Roy is leading product incubations and new business initiatives, fusing the practices of advanced Technology, Psychology, and Business in forming new disruptive products and anti-disciplinary innovation teams. Akerman is blending business and innovation practices acquired in his MIT and business journey with problem-solving and tech approaches based on his Government and Military experience. Roy has 20 years of experience in Cybersecurity, as one of the senior leaders and founders of NISA - the Israeli Equivalent to the NSA/Cyber Command, retired as the chief of global cyber operations. In this role, Roy and his teams ran global counter-cyber defense operations for Israel’s Cyber Defense, built cutting-edge cyber security tech. They established partnerships and alliances with numerous states and business partners.

How to Protect Your Environment From the NTLM Vulnerability

Dual Russian-Israeli national Rostislav Panev was arrested last August and is facing extradition to the US for playing a critical role in LockBit's RaaS activities, dating back to the ransomware gang's origins.

Source: Peter Werner via Alamy Stock Photo

NEWS BRIEF

A newly unsealed criminal complaint by US law enforcement shows they have been working to dismantle the LockBit ransomware-as-a-service group for several years, including a previously undisclosed arrest of one of the operation's lead developers in Israel last August.

Rostislav Panev, a 51-year-old with dual Russian-Israeli citizenship, is facing extradition to the US to face charges along with two others accused of similarly working for LockBit, not just to develop the ransomware itself but also tools used by affiliates. For his part, Panev is accused of working on LockBit ransomware from its beginnings in 2019, eventually creating one of the most prolific ransomware operations in the world, according to the Justice Department's statement about the arrest.

Panev, according to the Justice Department, at the time of his arrest had admin credentials for LockBit's Dark Web online repository with the ransomware's source code, as well as the source code for an affiliate tool called "StealBit" used to exfiltrate stolen data. His laptop also had he access credentials for the LockBit control panel used by affiliates. The Justice Department's statement adds that Panev confessed to his role in the LockBit ransomware operation.

"The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them," Attorney General Merrick Garland said in a statement about the arrests. "Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

LockBit Ransomware Developer Arrested in Israel

While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.

Source: metamorworks via Shutterstock

With US government agencies and lawmakers reportedly considering a ban on TP-Link's products in the United States, one might think the company would rank high on the list of networking vendors with the most vulnerabilities currently being exploited by cyberattackers.

Not by a long shot.

The Chinese firm, whose products are popular among consumers and small businesses, currently has two security issues gracing the Known Exploited Vulnerabilities (KEV) list curated by the Cybersecurity and Infrastructure Security Agency (CISA), compared with 74 for Cisco Systems, 23 for Ivanti, and 20 for D-Link.

Yet US government officials' concern is less about known vulnerabilities, and more about unknown risks, including its routers' popularity in the United States — where it accounts for about two-thirds of the market — and the degree to which the company is beholden to China's government.

While no researcher has called out a specific backdoor or zero-day vulnerability in TP-Link routers, restricting products from a country that is a political and economic rival is not unreasonable, says Thomas Pace, CEO of extended Internet of Things (IoT) security firm NetRise and a former head of cybersecurity for the US Department of Energy.

"The value to me \[of a ban\] is almost more around economic policy value than pure technical cybersecurity value," he says. "To me, there is value in saying you shouldn't buy these things because of X, Y, and Z reasons \[and to make it\] more difficult for small businesses, or whoever, to get their hands on devices from these companies."

Related:BlackBerry to Sell Cylance to Arctic Wolf

**TP-Link — Not a Vulnerability Stand-Out**

In April 2024, one of two TP-Link vulnerabilities attracted the most vulnerability scanning by threat actors, according to an analysis by cloud and application-security firm F5. The issue, a command injection vulnerability for TP-Link's Archer AX21 router (CVE-2023-1389), allows an unauthenticated attacker to easily compromise a device via a simple POST request.

TP-Link ranks low on the list of networking vendors with known exploited vulnerabilities. Source: Author from CISA data

In another incident, security firm Check Point Software Technologies discovered that TP-Link devices were also compromised with an implant known as Camaro Dragon. The implanted components were discovered in modified TP-Link firmware images, and not the original software shipped by the company, says Itay Cohen, research lead at Check Point Research.

Yet Cohen stresses that the implants were written in a firmware-agnostic manner and not specific to any particular product or vendor.

"It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks," he says. "Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers."

Related:Versa Introduces Integrated Endpoint Data Loss Prevention in SASE Solution

The threat posed by such vulnerabilities and implants are real, but the data from the KEV catalog shows that other manufacturers are just as likely to have their vulnerabilities exploited — and there are more of them. The lesson is that vulnerabilities in embedded devices are not unique to any one manufacturer or country of origin, says Sonu Shankar, chief product officer at Phosphorus Cybersecurity, an extended IoT cybersecurity provider.

"Nation-state actors frequently exploit weaknesses in devices from companies worldwide, including those sold by American manufacturers," he says. "Devices lacking basic security hygiene — such as the use of strong passwords, timely firmware patching, or proper configurations — can become easy targets for cyberattacks."

TP-Link stressed this fact in a statement sent to Dark Reading.

"Many brands of consumer electronics are targeted by hackers, and we support government efforts to hold all producers to the same standard," a company spokesperson said. "We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing US national security risks."

Related:Test Your Cyber Skills With the SANS Holiday Hack Challenge

**China's Government Oversight Is Pervasive**

But those assertions may be minimizing the influence of the Chinese government on the company's operations: Most Western companies do not understand the degree to which Chinese officials monitor China's business sectors — and cybersecurity firms — as a component of government policy and national strategy, NetRise's Pace says.

"It's a totally different business culture," he says. "There is a member of the PRC in every company — that's not even like an opinion, it's just how it is. And if you think they're not there to exert their influence, then you're just an unbelievably naive person, because that's exactly what they do, \[including\] for the purposes of intelligence gathering."

Threat intelligence analysts have flagged the Chinese government national strategy documents and evidence showing their increasing efforts to compromise rival nations' infrastructure — such as the attacks by Volt Typhoon and Salt Typhoon.

"In recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C2 infrastructures, and to gain a foothold in certain targeted networks," Check Point stated in its analysis, but added that the "discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk."

China's networking products are not alone in being targeted by the US government, which also banned the products of antivirus firm Kaspersky because of national security concerns, given that it's a Russian company.

**The Global Cyber Reality of Home Routers: Buyer Beware**

Companies and consumers should do their due diligence, keep their devices up to date with the latest security patches, and consider whether the manufacturer of their critical hardware may have secondary motives, says Phosphorus Cybersecurity's Shankar.

"The vast majority of successful attacks on IoT are enabled by preventable issues like static, unchanged default passwords, or unpatched firmware, leaving systems exposed," he says. "For business operators and consumer end-users, the key takeaway is clear: adopting basic security hygiene is a critical defense against both opportunistic and sophisticated attacks. Don’t leave the front door open."

For companies worried about the origin of their networking devices or the security their supply chain, finding a trusted third party to manage the devices is a reasonable option. In reality, though, almost every device should be monitored and not trusted, says NetRise's Pace.

"It's a crazy world that exists when it comes to device security," he says. "You're accepting this device that you know nothing about — and that you really can't know anything about — unlike Windows \[or another operating system\] ... where you can also install three agents and a firewall in front of it to mitigate the risk of the software."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

US Ban on TP-Link Routers More About Politics Than Exploitation Risk

Combating nation-state threat actors at the enterprise level requires more than just cyber readiness and investment — it calls for a collaborative effort.

Adam Finkelstein, Senior Vice President of Global Client Leadership, Sygnia

December 20, 2024

5 Min Read

Source: Pablo Lagarto via Alamy Stock Photo

COMMENTARY

Cyber warfare often mirrors traditional conflict, but as global geopolitical tensions continue to rise, the landscape of nation-state cyber-threat actors has shifted significantly. Recent events have spurred altered tactics, targets, and patterns of state-sponsored cyberattacks. While historically these threat actors focused primarily on critical infrastructure and government entities like energy grids and transportation, today's nation-state threat actors have expanded their scope further into the enterprise. 

This evolving threat landscape now demands that businesses strengthen their security posture and prepare for sophisticated nation-state-level attacks. The urgency is real — just recently, adversary groups like Velvet Ant, GhostEmperor, and Volt Typhoon have been spotted targeting major organizations, attempting to exfiltrate sensitive data and wreak havoc on critical systems. It's clear nation-state threat actors are moving out of the shadows and into the spotlight, and their threats are no longer on the horizon — they are at our doorstep. 

**Expanding Targets: Enterprises Under Siege**

In the past 12 months, an escalation of traditional conflicts has driven a rise in cyberattacks. For instance, as Iran supplies more weapons to Russia, and the US and Europe continue to impose additional sanctions against the country while arming Ukraine with advanced military capabilities, we can expect to see a rise in cyberattacks across various sectors. The vulnerability of critical infrastructure to cyber threats and heightened geopolitical tensions can be seen following the 2021 Colonial Pipeline attack, where prior agreements between US President Biden and Russian President Vladimir Putin to reduce cyberattacks on critical infrastructure were quickly abandoned with the eruption of the Ukraine war. 

As organizations digitize their services and operations, the interconnected nature of global business and infrastructure — and the vast amount of sensitive data they collect and store — have also made a wider range of enterprises attractive targets to nation-state threat actors. We are seeing increasing evidence of nation-state attacks, in unsuspecting industries like law, media, telecommunications, healthcare, retail, and supply chain logistics because of the sensitive data they are handling.

These companies hold high-value intellectual property, i.e., client information, patents, and proprietary contracts, and are often connected to wider networks of affiliates and vendors. A single cyberattack could grant the "keys to kingdoms" — undetected access to hundreds of critical systems and sensitive data — which is then leveraged by government-backed entities to gain a foothold in new markets and undercut competition. 

**Mission vs. ROI: Differentiating Nation-State Threat Actors From Ransomware Groups**

The key to defending yourself against a nation-state threat is first recognizing the different motives and goals of the threat actor. Unlike ransomware groups who are predominantly driven by financial return on investment (ROI) and, therefore, opt to target hundreds of businesses, waiting for one to bite, nation-state attackers are extremely well-resourced, mission-driven, and focused on long-term goals like stealing trade secrets, military intelligence, or high-profile personal information. Other motives include misinformation operations, disruption of critical infrastructure, and state financial gain under the guise of ransomware attacks. 

**Understanding the Technical Prowess of Nation-State Actors**

Nation-state threat actors have the time, technical expertise, and perseverance to achieve their specific goals — they have planned a highly targeted operation to gain knowledge through stealthy and persistent means, often moving laterally across networks to avoid detection, and reinfiltrating networks multiple times after being eradicated. They work diligently to hide their tracks from digital forensics and will go as far as to modify security logs, disable tools, encrypt systems, and alter timestamps, making it more difficult to attribute and differentiate their group, and hamper investigations.

Chinese-Nexus threat group, deemed Velvet Ant by Sygnia, demonstrated exceptional persistence by establishing and maintaining several footholds within its victim's environment — leveraging new techniques and the use of different technologies to evade detection. One method used for this persistence was exploiting a legacy F5 BIG-IP appliance, which was exposed to the Internet and leveraged as an internal command and control (C&C) system. The primary objective of this campaign was to maintain access to the target network for espionage purposes.

Similarly, a Demodex rootkit known to be used by GhostEmperor, a sophisticated nation-state actor first identified by Kaspersky in 2001, had resurfaced in the enterprise, attempting to carry out a wide-scale attack in 2023. The threat actor compromised servers, workstations, and user accounts by deploying the advanced rootkit and leveraging open source tools available on the Internet to communicate with a network of command-and-control (C2) servers, to avoid attribution.

**Navigating a More Complex Cyber Landscape**

Detecting and combating nation-state threat actors in the enterprise is an ongoing war, not just a battle. The most cyber-mature organizations assess and safeguard critical digital assets, prioritize network visibility, and take actionable steps consistently to strengthen their cyber resilience and hygiene in advance of a cyberattack. Other examples of key strategies include:

*   Regularly rehearsing various threat scenarios to clearly define response roles, at both technical and executive levels, and ensure a seamless and coordinated approach within the most critical first 24 hours of a crisis.
    
*   Utilizing and optimizing their security stack, prioritizing investment in tools that detect anomalies and offer both a holistic and a granular view of their networks and systems — because you can't find what you can't look for.
    
*   Looking into threat detection tools with AI and automation capabilities as part of their defense strategies to reduce costs and speed up digital forensic investigations.
    

Combating nation-state threat actors at the enterprise level requires more than just cyber readiness and investment — it calls for a collaborative effort. Before a crisis occurs, organizations should proactively build relationships with government agencies and industry peers. By fostering open communication and sharing insights and experiences, businesses can strengthen the wider security community and enhance collective defenses against these sophisticated nation-state-level threats.

**About the Author**

Senior Vice President of Global Client Leadership, Sygnia

Adam Finkelstein serves as the senior vice president of global client leadership at Sygnia. With more than two decades of expertise in directing business development and overseeing extensive security initiatives on a global scale, Finkelstein advises clients worldwide, including numerous Fortune 500 and Forbes Global 2000 companies. In his role, he oversees all aspects of Sygnia's client development, working hand-in-hand to proactively enhance their cyber resilience and thwart attacks within their networks.

How Nation-State Cybercriminals Are Targeting the Enterprise

During holidays and slow weeks, teams thin out and attackers move in. Here are strategies to bridge gaps, stay vigilant, and keep systems secure during those lulls.

Source: Anastasia Nelen via Unsplash

Experienced security leaders know that attackers are patient. 

Attackers can infiltrate corporate chat systems like Slack or Microsoft Teams and just ... watch. For months, they monitor conversations, learn who the experienced staff are, and take notes on upcoming vacation plans and each team member's communication style. Then when the company shifts to a skeleton crew — perhaps during a major holiday or summer break — they strike.

For one organization, this silent reconnaissance had devastating results, says Ed Skoudis, president of the SANS Institute and founder of Counter Hack. An attacker posed as a trusted colleague in a chat channel and tricked a junior employee into making critical configuration changes while many team members were on vacation. The employee, isolated and eager to help, had no reason to doubt someone who was inside the company's trusted environment. The attacker's patience, timing, and social engineering created a perfect storm — one that underscores the need for verification, vigilance, and better operational safeguards during periods of reduced staffing.

Whether it is the slow week between Christmas and New Year's Day in Western countries, the European summer break in August, or other periods during the year when large numbers of employees go on vacation, organizations with a global footprint must maintain cybersecurity continuity during regional slowdowns. Holidays like Lunar New Year in Asia and the Eid feast days in the Middle East often mean fewer workers overseeing critical operations. When part of the workforce scales down, attackers ramp up.

"This is a very hard problem," says Skoudis, noting that fewer people at the helm leaves organizations vulnerable to attack. Security leaders have the challenge of protecting their environments when half the security team is offline.

**Why Cybercriminals Like Holidays**

With remote workforces, companies have fewer touchpoints with employees. Add holidays to the mix, and security teams face a slew of potential risks during these times.

"Attackers go on crime sprees during the holidays," Skoudis says. "They know organizations are downscaling operations. Combine that with staff who may be junior, unfamiliar with procedures, or isolated, and you have an ideal time for attackers to strike."

Beyond direct threats, these slow periods also exacerbate operational gaps. Patching schedules, configuration monitoring, and incident response times can lag.

It's not just defense, says Chris Niggel, a regional CSO at Okta. It's about making sure operations continue to run smoothly when teams are short-staffed.

"The biggest challenge is making sure that your teams can maintain the service-level agreements and are able to react to threats quickly, even when the teams are smaller," Niggel says.

For example, the critical vulnerability in Log4j was discovered toward the end of December 2021, a time when many organizations were operating with minimal staff. Addressing the flaw required immediate and prompt action, and many businesses struggled to respond quickly enough. Attackers, well aware of the delays in response, seized the window of opportunity to exploit unpatched systems.

"Teams were already thin, but still had to react," Niggel says. "That's where having solid communication plans and fallback strategies is essential."

Niggel also notes that organizations that fared better during Log4j had prepared for such scenarios by implementing automated monitoring tools, preemptive patching plans, and clear escalation paths for when key personnel were unavailable. These measures ensured that vulnerabilities could be prioritized and addressed, even with a reduced workforce.

**Preparation Is Key to Bridging the Gaps**

By identifying risks, training employees, leveraging technology, and strategically distributing workloads, companies can create a safety net that protects both systems and operations. The key is not waiting until the last minute; preparations must be in place before staff members sign off.

Organizations can mitigate holiday risks with proactive strategies:

*   Create a plan in advance. Identify staffing levels and clearly outline escalation paths. "It's like Tetris blocks," Skoudis says. "You need to fill the hours, define decision-makers, and avoid leaving critical choices to the most junior staff."
    
*   Always verify. Train employees to verify requests for urgent actions, particularly during downtime. Skoudis recommends simple measures: callback phone numbers, video chats to confirm identity, and using photos in a corporate directory. Never trust a message at face value, he says. "You're looking to get more measures of verification that this person is who they say they are," he says.
    
*   Deploy technology and automation. Automate alerts and verifications to reduce human error. Niggel says Okta's method of notifying employees about unusual log-ins includes automation that allows security to focus on important signals. "If an employee logs in from a unique location, they'll get a message in Slack," he says. "If an employee is logging in from grandma's house, they can click yes to verify."
    
*   Freeze changes for critical systems. Code and configuration freezes during slow periods reduce operational risks. "A freeze requires extra effort to make changes," Skoudis says. "It prevents attackers and limits the chance of accidental mistakes."
    
*   Adopt a "follow-the-sun" model. Multinational organizations can distribute workloads across time zones. Mark Lance, head of DFIR at GuidePoint Security, suggests using teams in regions where holidays are not being observed. "It's about balance," he says. "When one region steps back, another steps up."
    

**Culture, Collaboration, and a Healthy Dose of Paranoia**

The human element is also critical to any security plan — even when fewer employees are on the clock. Lance says fostering collaboration and reducing isolation during skeleton crew periods is key to defense.

"Better decisions happen when you're not alone," Lance says.

Having escalation paths and ensuring junior employees know where to turn when something feels off can make all the difference. Niggel agrees, emphasizing the importance of properly training staff on how to handle these types of situations.

"Policies exist for a reason," he says. "Employees need to know they can fall back on established processes and ask for help."

Vigilance must remain high, no matter the season. Attackers don't take breaks — and neither should enterprise defenses. While companies can't always predict when an attack might occur, preparedness, verification, and smart staffing strategies help bridge security gaps when part of the team is off. As holiday seasons and global events come and go, staying one step ahead requires a mix of technology, planning, and teamwork.

"Always be suspicious," Skoudis says. "If something feels wrong, verify it. You might stop a disaster."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Managing Threats When Most of the Security Team Is Out of the Office

Cyberattacks against OT/ICS engineering workstations are widely underestimated, according to researchers who discovered malware designed to shut down Siemens workstation engineering processes.

Source: Constantine Johnny via Alamy Stock Photo

NEWS BRIEF

Operational technology (OT) and Industrial control systems (ICS) are increasingly exposed to compromise through engineering workstations. A new malware developed to kill stations running Siemens systems joins a growing list of botnets and worms working to infiltrate industrial networks through these on-premises, Internet-connected attack vectors.

Forescout researchers reported the discovery of the Siemens malware, which they called "Chaya\_003." But that's hardly an isolated case. The researchers also found two Mitsubishi engineering workstations compromised by the Ramnit worm, they explained in a new report.

"Malware in OT/ICS is more common than you think — and engineering workstations connected to the Internet are targets," the Forescout team warned.

Researchers from SANS said engineering workstation compromise accounts for more than 20% of OT cybersecurity incidents, the report noted. Botnets targeting OT systems, which the report said includes Aisuru, Kaiten, and Gafgyt, rely on Internet-connected devices to infiltrate networks.

Engineering workstations make excellent targets for cyberattack because they are on-premises stations running traditional operating systems as well as specialized software tools provided by vendors such as the Siemens TIA portal or Mitsubishi GX Works, the Forescout team wrote.

To defend against these campaigns, OT/ICS network operators should ensure engineering workstations are protected and that there is adequate network segmentation, and implement an ongoing threat monitoring program.

The report acknowledges malware developed specifically for OT environments is relatively rare compared with efforts put behind enterprise compromises, "but there’s little room to sleep easily if you’re a security operator in OT or manage industrial control system security," the researchers added.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

OT/ICS Engineering Workstations Face Barrage of Fresh Malware

Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.

Source: Konstantin Nechaev via Alamy Stock Photo

NEWS BRIEF

Fortinet has finally patched a critical security vulnerability in its Wireless LAN Manager (FortiWLM) that could allow unauthenticated sensitive information disclosure. And, when chained with another issue, it could lead to remote code execution (RCE), a researcher warned.

The bug (CVE-2023-34990, CVSS 9.6) was first disclosed in March, when it was described as an "unauthenticated limited file read vulnerability" without a CVE.

"This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system," Horizon3.ai security researcher Zach Hanley, who reported the bug to Fortinet, noted in March. He has confirmed to Dark Reading that the bug patched this week is the same issue.

He added, "Luckily for an attacker, the FortiWLM has very verbose logs — and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints."

NIST's National Vulnerability Database (NVD) has noted that the flaw can also be used to "execute unauthorized code or commands via specially crafted Web requests" — thanks to the access it provides to those authenticated endpoints.

The bug affects FortiWLM versions 8.6.0 through 8.6.5 (fixed in 8.6.6 or above) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above).

**Combining Fortinet Vulnerabilities to Achieve RCE**

Hanley back in March flagged a potential exploit chain as well: When CVE-2023-34990 is combined with an authenticated command-injection bug that Fortinet patched last year (CVE-2023-48782, CVSS 8.8), it becomes another recipe for RCE.

This second issue allows an attacker who has used CVE-2023-34990 to gain access to an authenticated endpoint to, from there, inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf\_switches.cgi endpoint that will be executed with root privileges.

"Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root," Hanley explained. "This endpoint is accessible for both low privilege users and admins."

Admins should patch the Fortinet appliances ASAP, given the vendor's status as a most-favored cyberattack target.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Fortinet Addresses Unpatched Critical RCE Vector

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.

Source: ZUMA Press, Inc. via Alamy Stock Photo

A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn't as simple as downloading a patch.

Struts 2 is an open source framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its agedness is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this can require more than just a standard patch. 

"The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline," explains Chris Wysopal, chief security evangelist at Veracode. "As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers may exploit and take advantage of this weakness."

Wysopal assesses, "It is likely that we will see the exploitation of this vulnerability for weeks, as organizations find and fix all instances of Struts 2 usage."

Related:Delinea Joins CVE Numbering Authority Program

**RCE Bug in Apache Struts 2**

This same time last year, nearly to the day, a Struts 2 vulnerability with a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers' ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.

CVE-2024-53677 is CVE-2023-50164 regen. It, too, lies in Struts 2's File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest déjà vu.

He also observed active exploitation attempts from one IP address, which utilized a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading "a one-liner script that is supposed to return 'Apache Struts.' Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository," he wrote.

Related:Does Desktop AI Come With a Side of Risk?

Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn't quite as simple.

Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn't backward compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newfangled Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.

"It's not a simple version bump," warns Saeed Abbasi, manager of vulnerability research at Qualys. "It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plug-in chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing."

**The Potential Scope of Impact for CVE-2024-53677**

The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.

Related:Citizen Development Moves Too Fast for Its Own Good

In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits; even its newsletter had thousands of subscribers. Today, Wysopal says, "It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity."

"Its 'kingdom' is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize," he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.

Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys "observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the challenge."

To his view, "The persistence of Struts 2 in critical systems, long after more secure frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, along with lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

Modern identity verification (IDV) approaches aim to connect digital credentials and real-world identity without sacrificing usability.

Source: Carlos Castilla via Alamy Stock Photo

Just about everyone is familiar with the annoying process of becoming locked out of an account and needing to reset a password. Whether it's forgetting a log-in after months of disuse or being forced to prove your identity to regain access, the experience can be frustrating, time-consuming, and — ironically — less secure than the original authentication process.

"People lose their credentials all the time. Resetting passwords is manual and often less secure than the regular process," says Bruce Schneier, who recently joined the advisory board of Nametag, which focuses on challenges such as artificial intelligence (AI) manipulated documents and remote user verification. The need for robust identity verification (IDV) solutions has become one of the most pressing challenges for organizations today, he says.

One of the biggest security challenges enterprises have to deal with is to reliably verify who someone is, especially in a digital world. Attackers are increasingly exploiting weak identity systems to steal credentials, impersonate users, and gain access to sensitive data. Recent advances in cyber threats, including AI-driven deepfakes and credential theft, have outpaced many legacy verification methods.

"Identification answers, 'Who are you?' Authentication says, 'Prove it,' and authorization tells us, 'What can you do?'" Schneier says, noting that identity verification sits at the intersection of people, technology, and trust.

While authentication systems like two-factor verification can confirm credentials, they often fail to answer the bigger question of identity. For example, traditional systems, such as passwords, scanned documents, or biometric authenticators, can be vulnerable to fraud and tampering. Schneier notes that early fingerprint scanners could be fooled with "gummy finger replicas," and face recognition systems could be tricked with simple photographs. 

These weaknesses underscore the more pervasive challenge of bridging what Schneier calls the "keyboard-to-chair" gap — ensuring that the physical person matches their digital credentials. These days, adversaries are adopting increasingly sophisticated techniques to steal credentials so that their activities look like they are being performed by legitimate users.

Deepfake technology has introduced a new layer of concern, where AI-generated images or videos can mimic biometric data convincingly. The result is a growing risk landscape where IDV failures fuel financial fraud, ransomware attacks, and nation-state cyber-espionage.

Beyond the security risks, weak identity verification comes with significant costs for organizations. Credential loss and resets remain one of the largest IT burdens for businesses, consuming time and resources. Onboarding new users poses similar challenges, especially for enterprises needing to verify employees, customers, or partners at scale. Inefficient IDV systems result in delays, poor user experience, and a reliance on insecure methods, like manually uploading identification documents.

Any solution to identity verification must address these emerging threats head-on, Schneier says.

"This will be an arms race between attackers and defenders," he adds.

**What Makes Modern IDV Different?**

IDV companies like Nametag are focused on balancing robust security, scalability, and usability while keeping pace with the increasingly sophisticated tools used by threat actors, Schneir says. Modern solutions incorporate multiple layers of verification to address emerging threats. For example, Nametag's Deepfake Defense technology detects and blocks AI-generated identity documents and advanced injection attacks — both of which have become critical pain points as deepfakes and synthetic media evolve.

Traditional methods also typically require users to manually upload identification documents, creating friction and vulnerabilities that adversaries can exploit. Requiring users to download additional apps or software to verify their identity is a common deterrent to adoption, Schneier says.

In addition to thwarting sophisticated attacks, modern IDV systems can streamline practical use cases for enterprises, including automating credential recovery processes, onboarding new employees or customers, and verifying users for sensitive transactions or account access.

“This to me solves a corporate pain problem — and that's the cost of regenerating people's credentials when they lose them or onboarding new users," Schneier says. "It's better, faster, and more secure.”

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Source

DARKReading