Factory automation software from Mitsubishi Electric and Rockwell Automation could be subject to remote code execution (RCE), denial-of-service (DoS), and more.

Source: frans lemmens via Alamy Stock Photo

Critical security vulnerabilities affecting factory automation software from Mitsubishi Electric and Rockwell Automation could variously allow remote code execution (RCE), authentication bypass, product tampering, or denial-of-service (DoS).

That's according to the US Cybersecurity and Infrastructure Security Agency (CISA), which warned yesterday that an attacker could exploit the Mitsubishi Electric bug (CVE-2023-6943, CVSS score of 9.8) by calling a function with a path to a malicious library while connected to the device — resulting in authentication bypass, RCE, DoS, or data manipulation.

The Rockwell Automation bug (CVE-2024-10386, CVSS 9.8), meanwhile, stems from a missing authentication check; a cyberattacker with network access could exploit it by sending crafted messages to a device, potentially resulting in database manipulation.

The critical vulnerabilities are two out of several issues affecting Mitsubishi's and Rockwell Automation's smart-factory portfolios, all listed in CISA's Halloween disclosure. Both industrial control systems (ICS) suppliers have issued mitigations for manufacturers to follow in order to avoid future compromise.

The noncritical bugs include:

*   An out-of-bounds read that could result in DoS (CVE-2024-10387, CVSS 7.5) also affects the Rockwell Automation FactoryTalk ThinManager.
    
*   A remote unauthenticated attacker may be able to bypass authentication in Mitsubishi Electric FA Engineering Software Products by sending specially crafted packets (CVE-2023-6942, CVSS 7.5). And the Mitsubishi Electric portfolio is also vulnerable to several lower-severity bugs, CISA noted.
    
*   An authentication bypass vulnerability in the Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (CVE-2023-2060, CVSS 8.7) exists in its FTP function on EtherNet/IP modules. Weak password requirements could allow a remote, unauthenticated attacker to access the module via FTP by dictionary attack or password sniffing. Meanwhile, several other lower-severity issues also affect the platform, CISA noted.
    

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Manufacturers should apply patches and mitigations as soon as possible, given that smart factories are among the most-targeted ICS sectors. The news also comes as nation-state attacks on US critical infrastructure have ramped up, with CISA warning that both Russian and Chinese advanced persistent threats (APTs) show no signs of letting up their assaults on utilities, telecoms, and other high-value targets. Canada as well recently warned of sustained cyber assaults from China on its critical infrastructure footprint.

Related:IT Security Centralization Makes the Use of Industrial Spies More Profitable

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Critical Auth Bugs Expose Smart Factory Gear to Cyberattack

As organizations centralize IT security, the risk of espionage is silently becoming a more profitable threat.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

In recent years, large-scale financial and reputational damages have taught organizations the value of IT security. From corporations to universities, many organizations employ advanced security measures, such as implementing multifactor authentication, conducting regular ISO 27001 audits, providing social engineering training, and even conducting penetration tests and red-team exercises. Beyond this, to prevent unaffiliated devices from roaming freely in their networks, many organizations ask individuals to register their devices and apply security policies on them, such as using complex passwords. 

This is where the game suddenly changes: Security decisions being centralized completely to the organization's IT team poses significant risks. Specifically, our key argument is that this issue will likely increase the use of espionage techniques to compromise systems. 

Consider the following scenario: An executive of a large organization enrolls in a part-time master's program. To access university resources and emails, she connects her personal Windows laptop to the university's network (i.e., Settings > Accounts > Access work or school). Now, her laptop is managed by the university's mobile device management (MDM) system. If she asks about this, the IT team will assure her that this setup is mainly for ensuring updates and strong password policies — and this is all true. 

But what she probably will not be told is that now they have the technical capability to do much more. Many IT teams self-impose limitations on what they can do bring-your-own-device (BYOD) situations to respect user privacy. However, these limitations are policy-based and can easily be reconfigured by a rogue employee. For instance, if such an individual decides to install a program, wipe her disks, or run a script to steal her files, they can adjust the MDM policies to do so. Worse yet, an IT team member who has gone rogue is not only able to do anything she can do on her machine but can also do anything she can do on her company's network. 

**Risk Across Sectors**

While we used the example of a university in this case, obviously this scenario is not limited to educational institutions; The same risks exist across sectors such as healthcare, corporations, and even gaming. Whenever an IT team is allowed to centrally control IT security, such as through an MDM system, there is potential for abuse. 

Given this, traditional espionage techniques — in particular, planting an employee into the IT team or broader organization — become a viable model for criminal enterprises. In fact, unlike most other criminal endeavors that offer similar levels of potential monetary gains (e.g., stealing from a bank), this is not only less risky but also requires much less personnel (e.g., just one individual who deceives their way into the IT team). 

This is because, in most cases, espionage completely bypasses security controls, by capitalizing on the trust placed in IT teams. In contrast, trying to hack into a hardened system comes with all kinds of hurdles. For instance, you can try to use a zero-day exploit, but it would cost exorbitant amounts of money. Exploit brokers such as Zerodium pay large sums (e.g., $2.5 million) to buy a zero-day, and then add their profits to the sum while selling it. In contrast, the price of planting a spy, especially within a lower-risk environment like a school or public hospital, is significantly lower. Furthermore, planting a spy in the organization can provide information and access for extended periods. 

Therefore, this trend toward centralized IT control makes the use of industrial spies a more profitable and less risky proposition. After all, how many organizations — let alone universities, schools, or public hospitals — can effectively root out a highly trained professional spy embedded within their IT team? 

Furthermore, this centralization trend is expanding beyond enterprise environments. For example, many multiplayer games employ anti-cheating measures that operate at the kernel level, granting full access to the gaming company's IT team. One way to hack hundreds of thousands of users, therefore, is hiring a sophisticated team of hackers to reverse engineer the anti-cheat engine for countless hours to find a zero-day vulnerability. Generally, though, planting someone into the gaming company is a much cheaper alternative. 

**How Do We Design Our Systems Better?**

In response, we need to improve the design of our systems in at least three ways.

*   First, systems must be designed with decentralization in mind; highly centralized systems come with the threat of a single point of critical failure.
    
*   Second, information security should not be confined to IT teams; we have to embed the zero-trust mindset into all organizational functions, ranging from HR (e.g., recruitment practices) to managerial decision-making.
    
*   Finally, for IT admins today, the top-level concern is the breach of the servers and domain controllers. However, unwarranted access to personal devices must become another top concern beyond the compromise of the organization's own servers. 
    

Ultimately, we must recognize that the centralization of IT security elevates espionage to a critical threat, marking the next phase in the evolution of information security. 

**About the Authors**

Reader (Associate Professor) in Digital Innovation and Information Security, King's College London

Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London. He is also a research affiliate of the King’s AI Institute and a member of both the Cybersecurity Research Centre (King’s Informatics Department) and the Cyber Security Research Group (King’s War Studies Department). 

Lecturer (Assistant Professor) in Marketing, University of Sussex

Fulya Acikgoz is a lecturer (assistant professor) in marketing at the University of Sussex. Her research covers a wide range of topics with a particular focus on technology and innovation marketing and management in different contexts. Her work has been published in high-impact journals. She is also the co-author of the book Blockchain for Tourism and Hospitality Industries.

IT Security Centralization Makes the Use of Industrial Spies More Profitable

When a CISO can articulate risk in context to the business as a whole, development teams can better prioritize their activities.

Source: JHENG YAO LIN via Alamy Stock Photo

COMMENTARY

When it comes to making a difference to business performance, chief information officers (CIOs) are investing in application development and improvements to software. According to Gartner, 60% of companies plan to spend more on software, with 52% of companies increasing their spend on software to improve productivity. Analyst firm Omdia points to modernization and investment in applications as a critical goal, due to the cost of maintaining existing technology stacks over time. 

For chief information security officers (CISOs), these investments represent a significant challenge. How can you keep up with the relentless pace of change taking place, where new IT infrastructures are created, used, and torn down every minute, every day? One CISO I discussed this with described it as like trying to dam a river — impossible to achieve, a thankless task, and one that leaves you considerably more uncomfortable than when you started. Worse, trying to impose standards left them feeling like the "department of no," and antagonistic to the business's overall goals, affecting their internal standing and making them more likely to be ignored. 

So, we can't go against this pace of change. Instead, how can we understand developer velocity and the goals that these teams have? How can we get ahead of these changes so we can apply security at the source, and what is in that approach for us? 

**Starting at the Beginning**

Understanding the software development process in your organization is a good place to begin looking at how you can insert security measures into the mix. How do those teams manage their requests, requirements, and changes over time, and how does their life cycle work? How do those teams work faster and more efficiently, and what steps are they taking to improve their performance?  

For CISOs, each phase in the software development process is a potential place to insert security into the conversation. Yet many developers are wary of security asks. The reason for this? Security often gives them huge volumes of change requests, with no guidance beyond "This needs to be fixed." This can lead to resentment at the additional work, as the business is already asking them to deliver new functionality or services. 

To improve this situation, look at the overall goals that all the teams involved have to deliver on, and what information can directly benefit them. Developers want to build, and the business wants those results as fast as possible. For CISOs, the guidance here is to enable that pace of change, or at least get out of the way. To make this work in practice, security teams must look at what they can automate so that it delivers security results directly into the developer workflow. 

Developers themselves live in code. They don't want any manual tasks in their processes, let alone in processes that are dictated to them by outside teams. To get over this hurdle, put your security approach into that code workflow so that it gets applied by default to any part of the development environment within those tools that are already in use. A security defect can then be flagged for fixing to that developer in the same way as a code component not compiling properly, or an API integration failing.  

**Moving Up the Stack**

The security sector has been keen to promote more secure development and design practices in software. The promise here is that fixing issues earlier in the process is cheaper in the long run than doing so later in the process, whether that is in production or in later test and deployment phases. The secure-by-design mantra is brilliant in theory. However, developers are moving so fast that this framework will be hard to apply and keep up on its own.

Instead, we must treat software security as a methodology. We can still support developers in making changes as fast as the business needs, let developers know about issues, and then try to fix those problems before they hit production. However, that is not enough on its own. One CISO in France let me know that he had successfully implemented security checks and controls for the company's containerized applications only during the build phase. In theory, this would mean that any image developers deployed should be secure through into production without the requirement for checks in later stages. Yet his team members found that they still faced problems in production, and vulnerabilities and misconfigurations were still occurring. The issue was that those containers would drift over time, where they would then need to be remediated, or as sometimes happens, the risk is accepted and those images are in run time with known issues.  

This is where CISOs can come into their own — by providing context. Articulating risk in context to the business as a whole, or to specific platforms or departments, allows development teams to prioritize their activities. Additionally, it empowers teams to continuously improve their coding practices and build more secure applications faster. Security teams are then only providing guard rails versus slowing down developer velocity — security can then get out of the way, while still reducing risk and putting remediation efforts where they are needed. The end result? When the CISO really needs to communicate around risk, the rest of the business is more likely to pay attention. 

**About the Author**

Managing Director for EMEA North, Qualys

Matt Middleton-Leal is Managing Director for EMEA North at Qualys, a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions designed to streamline and consolidate customer’s security and compliance solutions in a single platform. Qualys helps organizations build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings. Matt has over 20 years' experience in the cybersecurity industry with a deep understanding of both customers' and suppliers' needs. Matt is also a Certified Information Systems Security Professional (CISSP®).

Developer Velocity &amp; Security: Can You Get Out of the Way in Time?

"See one, teach one, do one" takes a page out of the healthcare playbook to reduce human vulnerabilities where they matter most in cybersecurity.

Source: Ben3images via Alamy Stock Photo

COMMENTARY

In healthcare, the "see one, teach one, do one" model refers to an incremental learning process: Trainees first observe a procedure, then learn to teach it to others, then perform it themselves. This framework can be applied to cybersecurity by encouraging employees, especially those identified as high-risk users, to progress through a similar cycle of observation and education, followed by a combination of tool implementation and practice. This approach fosters a deep understanding of cybersecurity risks, increases tool efficiency, and empowers users to mitigate risks actively.

As organizations accumulate a growing array of cybersecurity tools, many fail to consider that their riskiest users can be the weakest link in their defenses. Reach Security's analysis reveals that 80% to 90% of threats relate to just 3% to 5% of the organization's user population. This is further complicated if you consider that roughly 20% of the users in a company's most attacked group change monthly.

These users, whether high-profile executives, employees with privileged access, or those who engage in risky behavior, have the potential to cause significant damage, either through negligence or intentional actions.

By focusing on high-risk individuals, organizations can address the root causes of many cybersecurity threats, allowing them to allocate resources more effectively and reduce reliance on sprawling security tools that attempt to protect everyone equally.

When it comes to managing the riskiest users, the "see one, teach one, do one" methodology can guide a more human-centered approach to cybersecurity. This model can be applied to not only help users understand the risks they face but also enable them to become advocates for cybersecurity within the organization. It also it reduces overall risk and tool sprawl.

**See One: Observation and Awareness**

The first stage of the process is to identify the most attacked people (MAP), which can be done using a solution that provides visibility into the data that teams already have in place. For instance, syncing the central record of identity (e.g. Active Directory, Azure Active Directory, Google Workspace, Okta) can uncover high-risk user data.

Once these high-risk users — such as CEOs, senior executives, and IT personnel with elevated privileges — are identified, security teams can provide personalized demonstrations of how they might be targeted, showcasing real-world examples, such as phishing emails tailored to executives or potential data breaches from insecure networks. In addition, executives can observe how inadequate use of multifactor authentication (MFA) or improper handling of sensitive data can increase their exposure to threats.

The "see one" stage is crucial for both identifying the MAP and helping those users gain a baseline awareness of the specific threats they face.

**Teach One: Educating Others**

In the second phase, high-risk users transition from observers to educators. The "teach one" phase helps break down silos within an organization by fostering a shared responsibility for cybersecurity. For instance, an executive who has learned the dangers of targeted phishing can then relay that information to their team, strengthening collective awareness.

Teaching cybersecurity concepts to others creates a ripple effect, reducing the reliance on technical tools by embedding good security practices into the organization's daily behavior.

**Do One: Practice and Implementation**

Finally, the "do one" phase focuses on real-world application. Organizations face the dual challenge of pinpointing high-risk users and integrating data from multiple security tools to monitor these risks over time. This can be further complicated by the necessity to continuously update and enhance security measures across the enterprise to stay ahead of evolving threats. With continuous monitoring, teams can better identify and track shifts in the threat landscape, ensuring that those in the MAP are always under watch. Finally, putting forth a holistic security strategy that is both user- and device-aware will ensure that protective measures are as personalized and effective as possible.

Knowing where risk lives introduces an ability to focus. An ability to focus allows teams to see the biggest impact on the smallest number of folks. From there that focus group learns and teaches. Once they have knowledge, they're open to ways in which they can be protected — and can use the security controls in the most efficient ways possible.

**A Different Approach to Risk-Based Management**

Managing human-based cybersecurity risk requires a shift toward a more focused strategy that considers the riskiest users in your organizations. By identifying and supporting the riskiest users with the "see one, teach one, do one" model, organizations can reduce vulnerabilities where they matter most.

**About the Author**

CEO & Co-Founder, Reach Security

Garrett's career has included leadership roles in SaaS Product Management, plus Go-To-Market at industry leaders like Palo Alto Networks, as well as hands-on threat analysis, training, & consulting at firms including HBGary. While at Palo Alto Networks, Garrett was responsible for the WildFire product supporting its growth from launch to more than 60,000 customers.

The Overlooked Importance of Identifying Riskiest Users

The threat actors deceive their victims by impersonating the legal teams of companies, well-known Web stores, and manufacturers.

Source: Andrea Danti via Alamy Stock Photo

An unknown threat actor is targeting Facebook businesses and advertising account users in Taiwan through a phishing campaign, using decoy emails and fake PDF filenames.

These dupes are designed to impersonate a company's legal team and lure the victim in with its falsified details, convincing them to download and execute malware.

In addition, the bad actors sent phishing emails from a well-known industrial motor manufacturer and a famous online store in Taiwan, claiming copyright infringement by the business.

"The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance," said Cisco Talos researchers, which observed the scams in action.

They said the threat actors also use a variety of techniques and tools to evade antivirus detection and sandbox analysis, such as shellcode encryption, code obfuscation, and embedding LummaC2 and Rhadamanthys information stealers into legitimate binaries.

Lumma Stealer is a malware designed to exfiltrate information from compromised systems, targeting system details, Web browsers, and browser extensions, among other data.

Rhadamanthys is a sophisticated infostealer sold on underground forums that first emerged two years ago. It gathers system information, credentials, cryptocurrency wallets, passwords, cookies, and data from other applications. 

This phishing campaign has been ongoing since at least July; the initial vector of the campaign is a malware download link included in a phishing email using typical decoys in traditional Chinese, indicating that the target victims are Chinese speakers.

Facebook Businesses Targeted in Infostealer Phishing Campaign

The 2024 ISC2 Cybersecurity Workforce Study found that amid a tightening job market and dynamic cyber-threat environment, ongoing staffing and skills shortages are putting organizations at serious risk. Can AI move the needle in defenders' favor?

Source: Helen Sessions via Alamy Stock Photo

Even though 90% of organizations have unfilled positions or underskilled workers on their cybersecurity teams, hiring for those jobs has, for the first time in six years, ground to a halt.

That's according to the 2024 ISC2 Cybersecurity Workforce Study, which found that the global workforce has held steady at 5.5 million people year-over-year, recording just a negligible 0.1% increase from 2023 (though some pockets of increased cyber hiring remain).

To put that in perspective, last year, the cybersecurity workforce grew 8.7% year-on-year, despite declining investment in technology and cyber platforms.

The main driver for 2024's job market inertia is straightforward: a lack of budget for adding head count and upskilling. A full 67% of respondents to the ICS2 survey cited budget as their top cause for staffing shortages, replacing last year's No. 1 cited reason for empty positions, which was a lack of qualified talent.

Even though 74% of respondents said the threat landscape is the most challenging they have experienced in the past five years, "professionals are feeling the impact of declining investments in the cybersecurity workforce, including budget cutbacks and layoffs, \[which affects\] workforce satisfaction, the development of organizational security, the adoption of new technologies, and more," according to the report.

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

Source: 2024 ISC2 Cybersecurity Workforce Study

Indeed, ISC2 found that cybersecurity job satisfaction has fallen from 74% in 2022 to 66% in 2024. Furthermore, respondents said that worker shortages were their biggest challenge over the past 12 months, but there's no end in near-term sight. They also predicted that shortages will continue to be a significant challenge over the next two years.

"As economic conditions continue to impact workforce investment, this year’s Cybersecurity Workforce Study underscores that many organizations are putting their cyber teams under significant strain, risking burnout and attrition as job satisfaction rates fall,” said ISC2 acting CEO and CFO Debra Taylor, in a statement.  

Meanwhile, more than half of those surveyed (58%) believe a shortage of skills puts their organization at significant risk; 59% of respondents agree that skills gaps have already substantially affected their ability to secure their organizations. The statistics bear this out: ISC2 found that organizations with critical or significant skills gaps are almost twice as likely to experience a material breach compared with organizations that reported no skills gaps.

The good news is that out of those already in cyber-related jobs, three-quarters (73%) said they're focused on building their cybersecurity skill set, with 48% interested in learning more AI-related skills (more than one-third of respondents cited AI as the biggest skills shortfall on their teams).

Related:Noma Launches With Plans to Secure Data, AI Life Cycle

About half (52%) said they're focused on hanging on to their positions by becoming a more strategic contributor to their organizations.

**AI to the Cyber Job Rescue?**

If there's a silver lining to the perceived staffing shortage, respondents believe it will come from the year's hottest buzz category: generative artificial intelligence (GenAI).  

ISC2 respondents said that AI and automation will have the most significant impact on their ability to secure their organizations. A full 68% agree that within the next two years, they will be able to use GenAI effectively as part of their roles. And a large majority (80%) said their cybersecurity skill set will be more important in an AI-driven world.

"AI is viewed by professionals as a solution to strengthen their organizations' security and create new efficiencies for their teams," Taylor said. "They also view effectively managing risk associated with AI adoption and its strategic importance to their organization’s future success as career growth opportunities for themselves and their peers. Organizations and cybersecurity leaders must recognize how AI can contribute to creating more resilient security teams, especially while economic challenges persist."

Related:Zenity Raises $38M Series B Funding Round to Secure Agentic AI

Already, 45% of respondents' teams are using AI in cybersecurity tools. ISC2 found the top five use cases to be:

*   Augmenting common operational tasks (56%)
    
*   Speeding up report writing and incident reporting (49%)
    
*   Simplifying threat intelligence (47%)
    
*   Accelerating threat hunting (43%)
    
*   Improving policy simulations (41%)
    

That said, the lack of a clear GenAI strategy was cited as one of the top barriers to its organizational adoption by nearly half (45%) of all participants. And just how AI will affect the kinds of expertise a future cyber workforce will need remains unclear.

According to the report, "AI is a game changer for two main reasons. First, experts predict AI will be able to replace some of the technical skills needed in cybersecurity. Second, and arguably more important, no one is certain how AI will manifest in cybersecurity since they currently cannot predict what skills, if any, it will replace. As a result of this uncertainty, hiring managers aren’t rushing to hire more specialized workers. Instead, they are prioritizing nontechnical skills, like problem-solving, that will be transferable through the increased use of AI."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Cybersecurity Job Market Stagnates, Dissatisfaction Abounds

Chinese APTs lurked in Canadian government networks for five years — and that's just one among a whole host of threats from Chinese bad actors.

Source: tunasalmon via Alamy Stock Photo

Chinese state-backed actors have become Canada's most pressing cyber threat, with the People's Republic of China (PRC) collecting data from Canada's government networks for the past five years.

The Canadian Centre for Cyber Security's National Cyber Threat Assessment calls Beijing's cyber operations "second to none," and noted that at least 20 Canadian government agencies and departments have been breached by PRC state-backed actors. The cyberattackers are mainly attempting to gain information that could lead to strategic, economic, and diplomatic advantages — a play that has only grown in its intensity due to escalating tensions between the West and the PRC.

The center assured the public that the federal government networks that were compromised have since been resolved, but it warned that the threat actors who are responsible for the intrusions are now very familiar with these networks, and could be back to try again. It also stressed that the PRC's aggressive cyber campaigns represent some of the most sophisticated and active threats Canada is facing.

On a related note, the center's researchers also found that the cyber landscape around critical infrastructure in Canada is growing and becoming more complex and unpredictable, with a cast of a variety of threat actors from cybercriminals to hacktivists targeting the sector.

"We assess that our adversaries very likely consider civilian critical infrastructure to be a legitimate target for cyber sabotage in the event of a military conflict," reads their report.

Other key findings include adversaries using network attacks and online information campaigns to disrupt and shape public opinion, and the center flagged ransomware as the top cybercrime threat that Canada's critical infrastructure must grapple with.

**About the Author**

Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.

Source: DD Images via Shutterstock

One of North Korea's most prominent state-sponsored threat groups has pivoted to using Play ransomware in recent attacks, signifying the first time the group has partnered up with an underground ransomware network. Worryingly, it sets the stage for future high-impact attacks, researchers surmise.

According to Palo Alto Networks' Unit 42, which tracks the advanced persistent threat (APT) as Jumpy Pisces (aka Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), Andariel is now working with the Play ransomware gang, but whether it's as an initial access broker (IAB) or affiliate of the ransomware group is not clear, the researchers observed in a blog post on Oct. 31. Previously, Andariel was associated with a ransomware strain called "Maui" that's been active since at least 2022.

Unit 42 researchers believe the group is responsible for a Play ransomware attack discovered last month in which attackers gained initial access to a network via a compromised user account several months before, in May. Andariel moved laterally after its initial network breach and maintained persistence by spreading the open source tool Sliver and its unique custom malware, DTrack, to other hosts via the Server Message Block (SMB) protocol, according to Unit 42. Months later, in early September, it deployed the Play payload.

Related:Cybersecurity Training Resources Often Limited to Developers

"This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape," Unit 42 researchers wrote in the post. "This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally."

**Ransomware in Transition?**

Play ransomware, maintained and deployed by a group tracked as Fiddling Scorpius, made its claim to fame by targeting the city of Oakland, Calif., in February 2023 with a crippling attack. It then quickly rose up the threat ranks to become a major player in the game.

Some researchers have suggested that Fiddling Scorpius has transitioned from mounting its own attacks to a ransomware-as-a-service (RaaS) model, according to Unit 42. However, the group itself has announced on its Play ransomware leak site that it does not provide a RaaS ecosystem, according to the researchers. If this is true, then Andariel most likely acted as an IAB in the attack rather than an affiliate, they said.

Either way, "network defenders should view … \[the\] activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance," according to Unit 42.

Related:Codasip Donates Tools to Develop Memory-Safe Chips

There were several clues in the attack sequence that point to collaboration between Andariel and the Play ransomware. For one, the compromised account that attackers used for initial access and subsequent spreading of Andariel's signature tools, including Silver and Dtrack, was the same one used prior to ransomware deployment.

"The ransomware actor leveraged the account to abuse Windows access tokens, move laterally and escalate to SYSTEM privileges via PsExec," according to the post. "This eventually led to the mass uninstallation of endpoint detection and response (EDR) sensors and the onset of Play ransomware activity."

The researchers also observed command-and-control (C2) communication with the Silver malware the day before Play ransomware was deployed. Moreover, Play ransomware attacks are known for leaving tools in the in the folder C:\\Users\\Public\\Music, and some tools used prior to ransomware deployment in the Andariel attack also were located there, the researchers noted.

**Defenders Beware Rising North Korean Ransomware Threat**

Andariel has been active for several years and has mounted a number of high-profile attacks that have targeted critical defense, aerospace, nuclear, and engineering companies as well as global managed service providers.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

Andariel is controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, which is involved in the nation's illicit arms trade and responsible for its malicious cyber activity. The group's antics already have drawn the attention of international law enforcement, including the US National Security Agency (NSA), which considers the group an ongoing threat to various industry sectors, particularly in the US, South Korea, Japan, and India.

The US Department of State's Rewards for Justice (RFJ) is even offering a reward of up to $10 million for information that could lead it to Rim Jong Hyok, a key player in Andariel's management structure, or any co-conspirators in the group.

Given the need for worldwide organizations to be on alert, Unit 42 included a list of indicators of compromise (IoCs) in its blog post. The researchers advised that defenders leverage the latest threat intelligence to identify malware on networks, and advanced URL filtering and DNS security products to spot known URLs and domains associated with Andariel's malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Andariel Pivots to 'Play' Ransomware Games

Application security teams from Fortune 500 companies are already using Noma's life cycle platform, which offers organizations data and AI supply chain security, AI security posture management, and AI threat detection and response.

Source: BillionPhotos.com via Adobe Stock Photo

The rapid adoption of artificial intelligence (AI) and machine learning (ML) tools in enterprises has put the pressure on security teams to secure the data and AI life cycle. Organizations can be compromised via misconfigured data pipelines, insecure MLOps tools, and vulnerable and malicious open source models.

Noma emerged from stealth today with a platform to help organizations manage the risks around AI applications. The platform offers organizations with end-to-end AI discovery, security, protection, and compliance. Noma deploys across any cloud-based, software-as-a-service, or self-hosted environment, and does not require agents or code changes, the company said.

Noma protects against supply chain risks, such as vulnerable data pipelines, unscanned code in data science environments, misconfigured MLOps tools, and sensitive data used for model training. The platform also protects organizations vulnerable and malicious models, runtime prompt injection, and other threats.

The Noma platform is already in use by paying customers, including Fortune 500 companies.

As part of the launch, Noma announced $32 million in series A funding from Ballistic Ventures and "dozens of strategic angel investors." The company had a previously undisclosed seed round less than a year ago. Noma's co-founders, Niv Braun and Alon Tron, have experience leading security and data science teams, the company said.

Noma Launches With Plans to Secure Data, AI Life Cycle

Knee-jerk reactions to major vendor outages could do more harm than good.

Source: SOPA Images Limited

COMMENTARY

The now-infamous July CrowdStrike outage sparked global chaos and countless conversations about vendor security. Despite the industry noise and myriad headlines about the outage — and its potential cost of more than $5 billion to Fortune 500 companies alone — there is a bigger picture we must consider. And that is how, as an industry, we understand the risks involved and respond to major outages and other cybersecurity crises. 

While the CrowdStrike outage was a freak accident, it's likely not the last time we'll witness this kind of meltdown from a major technology provider. As our digital ecosystems become further interconnected and enterprises increasingly put their trust in singular vendors, business leaders will have to grapple with the inevitability of similar events, whether from a simple outage or a malicious hack. In every case along that spectrum, however, these leaders must avoid knee-jerk reactions that could ultimately do more harm than good. Blindly switching to a new vendor or making drastic changes to IT and security processes could introduce security holes that exacerbate vulnerabilities in an organization's overall security posture, rather than improving it.  

Instead of immediately jumping ship, here are the three things companies should do in the wake of a CrowdStrike-like event to ensure business continuity and high operational standards.  

**1\. Assess Vendors' Overall Reliability and Risk**

Switching vendors after an incident isn't as simple — or as beneficial — as it may seem. Before switching, businesses must evaluate both the existing and potential vendor, and assess each vendor's overall reliability and risk. For instance, Resilience customer data shows that despite the July incident, CrowdStrike Falcon is highly effective. It has the lowest percentage of material claims of endpoint detection and response (EDR) vendors in Resilience's portfolio, with fewer than 3% of clients with Falcon experiencing a cyber-insurance claim with losses. Of course, no company can — or should — claim the ability to avoid 100% of incidents, but in these kinds of deliberations, it's critical to put a vendor's long-term track record into perspective. On the flip side, however, if a vendor shows a consistent history of outages or vulnerabilities (as has VPN provider Ivanti, of late), poor performance or communication, and long delays in remediation, an incident could be the helpful forcing factor in considering the benefits of trying something new.  

It's also important to note the costs of switching vendors that go beyond sticker price, such as implementation time, staff training costs, and adjusting workflows to incorporate the new system and meet business needs. These third-party risk considerations must be considered, with leadership weighing the business interruption costs of an outage with the existing vendor against the total costs that come with making a switch.  

**2\. Avoid Radical Changes to the Update Process**

This particular outage raised the issue of update cadence and testing frequency, with many arguing that the affected organizations should have taken a more cautious, thorough approach to testing the update before rolling it out. But delaying updates is a calculated risk, and not necessarily one that most companies should be taking. Antivirus and EDR signatures are designed to counter quick-breaking, emerging threats toward existing systems, so while you can decide to wait to allow the days or weeks it may take to fully test the update, you may be leaving your systems vulnerable to new exploits in the process. Threat actors only grow faster and more sophisticated in their approaches, so quick security updates are more crucial than ever. The risk of taking additional precautions in testing may not be worth it for every company, especially since most updates happen seamlessly. After all, part of the reason CrowdStrike made headlines was because the outage was so out of the ordinary. 

In a perfect world, where bad actors weren't a consistent threat and update processes took no extra time, following the typical best practice of testing each and every update that comes from each and every vendor might be feasible. But in the real world, changes to the update process are likely to slow down your defenses. Ultimately, there is no one-size-fits-all answer, and the best approach will depend on the specific organization and its risk tolerance.  

**3\. Don't Panic**

It's tempting to liken incidents like CrowdStrike to natural disasters (such as catastrophic hurricanes), but that oversimplification distracts from the heart of the issue. While many insurers use this analogy to describe cyber events, it's neither accurate nor useful, as it becomes an apples-to-oranges comparison that frames cyber incidents or outages as one-sided and world-ending. But the reality is far different. There's no tangible way for individuals to prevent or mitigate the intensity of category hurricanes or tornadoes, but there are certainly simple, actionable steps we can take to mitigate the financial impact of an outage or counteract the negative effects of a potential attack. This includes implementing proper cyber hygiene, transferring financial risk through cyber insurance, and having a detailed cybersecurity action plan in the event of an attack or outage. It's not only feasible but essential that companies take these steps to remain operable and functioning in the midst of an incident.  

In short, decision-makers across the board can't allow themselves to make reactive or fear-based decisions on their security posture directly following a cyber incident. These knee-jerk reactions could lead to greater complications and introduce a host of new vulnerabilities just waiting to be exploited. Instead, leaders must focus on understanding the root cause of the incident, learning from it, and making risk-driven decisions that mitigate the greatest financial loss and improve their organization's overall cyber resilience. This includes taking a proactive approach and incorporating third-party risk management into business continuity planning. That way, you'll be able to avoid catastrophic interruptions to your day-to-day business and maintain continuity and resilience in the face of a cyber incident. 

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

Source

DARKReading