CSO Online (https://www.csoonline.com), Security at the speed of business. Copyright (c) 2024 IDG Communications, Inc.

How to ensure cybersecurity strategies align with the company’s risk tolerance
Tue, 03 Sep 2024 07:00:00 +0000

Aligning an organization’s appetite for risk with its cybersecurity strategy is a critical challenge for CISOs, one that requires balancing technical controls against business needs. Achieving that balance demands the capacity to adapt as the risk environment changes. And as the July 2024 CrowdStrike outage showed, even well-prepared organizations can be hit by issues they did not foresee, which is why cybersecurity strategies need to consider the broader implications of the organization’s risk tolerance.

Alignment often requires direction from the board, but that direction is by no means a given. Managing organizational risk falls squarely within the board’s purview, and 85% of CISOs believe the board should give clear guidance on the organization’s risk tolerance for them to act on, according to the IANS State of the CISO 2024 Benchmark Report. Yet only 36% say they receive it, even though regular, recurring board access gives CISOs more confidence that the company’s risk profile and the security mandate are aligned.

“The people who have more face time and stronger relationships with the board and executive leadership have a sense of where the organization is in terms of risk and what it takes to build a good security program,” says Wolfgang Goerlich, CISO at Oakland County and IANS faculty member.

When CISOs are left out of board-level conversations, the opposite is true. “The further we are from the executive conversations, the less dialed in the risk tolerance can be and the less business focused our treatment plans can be,” Goerlich says.

Without regular board engagement, CISOs need to adopt a different strategy and guide the conversation, lay down the parameters and take feedback on their programs, according to Goerlich. He argues that peers can provide important risk tolerance signals. “I don’t think your primary goal should be ‘How do I get more board time?’ It should be ‘How do I better understand the 360-degree relationships I have to make sure my risk tolerance decisions and the risk scenarios I’m putting forward echo and make sense to my peers?’”

Risk tolerance versus risk appetite

The essence of the question is ‘How much risk are we willing to take on?’ and the answer is in quantifying risk tolerance and distinguishing it from risk appetite. “Risk appetite can be highly variable, it can vary among board members and understanding it tends to be very much about intuition on the part of the CISO,” Goerlich says.

On the other hand, risk tolerance needs to be a guided discussion around a particular objective or a risk scenario, where a CISO can develop a hypothesis. “If you can be explicit, if you can describe it well, then you can really have a good conversation to get everyone on the same page as to what that risk is and what you need to do about it.”

The recommendation is for CISOs to frame the conversation around the potential organizational ramifications of an incident and the wider public reaction to it, rather than asking board members for guidance on technical detail. “Unless they are a technical board member, they’re looking to us as CISOs to really understand and control that,” says Goerlich.

The risk conversation

To lead the risk conversation and work towards alignment, CISOs need to quantify cyber risk and develop mature risk reporting practices, according to Mary Carmichael, director of strategy, risk, and compliance advisory at Momentum Technology. Carmichael, who as a member of ISACA’s CRISC certification committee is at the forefront of developing risk frameworks, says using data from industry sources such as IBM’s Cost of a Data Breach report helps in estimating the probability and potential impact of cyber risks. “This is crucial for sectors like healthcare and education, which are often under-invested in cybersecurity.”

Organizations need to improve their understanding of risk, particularly as the board is ultimately accountable for risk oversight, even where it delegates authority to management. “Management, not just the CISO, is responsible for understanding the potential risks to operations and working with the CISO on control requirements,” Carmichael says.

Proper risk assessments and strategic planning are essential for aligning risk tolerance with business objectives. There needs to be more education about what risk management is, who owns the risk and having risk assessments built into the strategic planning process, according to Carmichael. This should include scenario analysis to assess the financial impact of cyber incidents. Risk scenarios help estimate potential losses from cyber incidents, including evaluating reputational, financial, and operational impacts to present to executive leadership.

Organizations need to war-game cyber incidents, from external attacks to internal threats, drawing on news and recent breaches to understand and mitigate emerging risks.

Admittedly, there’s always the prospect of a black swan event that no one’s really expecting or is fully prepared for. A case in point is the CrowdStrike event, triggered by an update gone wrong that had a worldwide impact. “Who would have expected CrowdStrike to bring down 10 million computers worldwide and create a global outage?” Carmichael says.

Nonetheless, it serves as a reminder for CISOs that such events change organizational risk tolerance, and that going forward they may need to plan for complete digital destruction scenarios, whether caused by a direct cyberattack or by a system outage brought on by a third party. “Simulate complete system outages to test recovery plans and prioritize critical systems, and see if, worst case scenario, you’re able to [at] least recover from backups,” she says.

Risk and information security committees for sound planning

One way for CISOs to align cybersecurity strategies with organizational risk tolerance is strategic involvement across the organization. “By forming risk committees and engaging in business discussions, CISOs can better understand and address the risks associated with new technologies and initiatives, and support the organization’s overall strategy,” Carmichael says.

An information security committee is vital to this mission, according to Carl Grifka, managing director of SingerLewak LLP, an advisory firm that specializes in risk and cybersecurity. “There needs to be a regular assessment of not just the cybersecurity environment, but also the risk tolerance and risk appetite, which is going to drive the controls that we’re going to put in place,” Grifka tells CSO.

The committee operates as a cross-functional team that brings together different parts of the business, including executives, IT, security and perhaps a board representative, on a regular cadence. Organizations at a low maturity level probably need to meet every couple of weeks, especially if they are in a remediation phase and working to close gaps in their security posture. “The committee becomes that apparatus you can use to communicate as you go,” Grifka says.

For more mature organizations, having a committee in place provides a mechanism for reviewing and responding to the changing risk landscape. “It should be regularly reporting on the state of information security within the organization,” Grifka says.

With a large and growing list of responsibilities and often short tenures, it can be hard for CISOs to know the business deeply. The committee is a useful forum to help CISOs understand what’s going on across the organization. “Ideally they should really have the pulse of the business,” Grifka says.

To help make the task less daunting, actively building relationships with other business leaders will help CISOs come to grips with what’s happening and build trust. “Having that rapport, hopefully they’ll pick up the phone to say ‘hey, we’re thinking of doing this’ and the CISO gets to know about it,” Grifka adds. “Other business leaders should feel comfortable to engage you in those water cooler moments.”

Next comes the maturity assessment

By understanding the business deeply, it’s easier to translate its risk tolerance into the security posture. Doing so requires a mature framework and the discipline not to accept more risk than the organization is willing to bear.

It starts with maturity level assessments, mapping controls against industry frameworks and defining the level of maturity the organization desires and then translating that into the specific controls. “You shouldn’t be spending to put in significantly more controls than you need because that would then reduce efficiency and add additional cost,” Grifka says.

Finding the balance is necessary, but it’s by no means a static set-and-forget position. “It needs to be dynamic because what makes sense today might not make sense two years from now, and so the process needs to be regularly adjusted,” he says.

How CISOs can help organizational growth through collaboration

A cyber risk is a business risk, and it needs to be addressed with IT controls. One of the challenges, however, is that CISOs must come to grips with what these risks mean for the business. The risk isn’t the unpatched vulnerability, it’s the ramifications for the business if that vulnerability is exploited, Goerlich tells CSO. “Our ability as security leaders to elevate the risk scenario and lead the conversation around tolerance is predicated on us putting that risk within the business context and the product we’re selling.”

Goerlich suggests a CISO’s background plays a part here: those who came up through GRC tend to be better at tying security risk to business risk because they understand the compliance obligations, while those from a SecOps path may struggle more.

Nonetheless, CISOs need to be conscious of the business operating environment and draw on appropriate metrics to illustrate how risk is being managed. The goal is to show the risk is coming down and the CISO has implemented a treatment plan that works. To do this effectively, CISOs will need stronger business acumen, according to the IANS report, and increasingly this includes offering constructive ways to support risk as a business opportunity. “That business acumen is understanding the business ramifications of the risk, not the technical underpinnings,” Goerlich says.

However, Goerlich believes ‘positive risk’ is something security leaders have found very difficult to identify and capitalize on. “In part, it’s because the downsides of cyber are so great and the upside is nothing bad happened,” says Goerlich. He encourages CISOs to develop stronger partnerships with other technical leaders to understand business objectives and identify the associated risks. This includes partnering with the CIO or the CTO to find ways to accomplish something, because it can be a tricky path to walk alone.

For too long, CISOs and cybersecurity teams have been known as the department that says ‘no’ and for being very risk averse, says Carmichael. But if business is all about seizing opportunities, growth means embracing and managing risk, whether it’s in the form of new technologies like AI and IoT, new applications, expanding into new markets or acquiring new businesses.

To shake off this reputation, CISOs and cybersecurity leaders need to constructively support the organization in its growth plans. “Part of the CISO’s remit now is how do we make sure the business is protected while moving these initiatives forward,” Carmichael says.

https://www.csoonline.com/article/3497163/how-to-ensure-cybersecurity-strategies-align-with-the-companys-risk-tolerance.html
Categories: CSO and CISO, Risk Management
North Korean hackers actively exploited a critical Chromium zero-day
Mon, 02 Sep 2024 11:26:54 +0000

A recently patched zero-day flaw in the open source Chromium browser engine was exploited by Citrine Sleet, a financially motivated North Korean threat actor, to deliver the FudModule rootkit.

The vulnerability, tracked as CVE-2024-7971, is a type confusion flaw in the V8 JavaScript and WebAssembly engine. It carries a CVSS score of 8.8 out of 10, which places it in the high rather than critical severity band, although in-the-wild exploitation is what made it urgent.

“On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium to gain remote code execution (RCE),” said a Microsoft Threat Intelligence report. “Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet.”

The report added that the FudModule rootkit has historically been shared between Citrine Sleet and Diamond Sleet (formerly Zinc), another North Korean threat actor known to target media, defense, and information technology (IT) industries globally.

RCE to deliver FudModule

The report explained that victims were directed to a Citrine Sleet-controlled exploit domain, voyagorclub[.]space. While the exact method used to direct victims there is unknown, social engineering is suspected, as it is a common Citrine Sleet technique. Once a target’s browser connected to the domain, the exploit for CVE-2024-7971 was served and gave the attackers code execution.

“After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory,” Microsoft added in the report.

The sandbox escape exploit used in the chain targets CVE-2024-38106, a Windows kernel elevation of privilege vulnerability that Microsoft fixed in its August 13 Patch Tuesday release. Because the sandbox escape is a separate bug in Windows rather than in the browser, patching Chromium alone does not remove it.

After the sandbox escape succeeded, the main FudModule rootkit ran in memory. The rootkit uses direct kernel object manipulation (DKOM) to tamper with kernel security mechanisms; it runs entirely from user mode and modifies kernel memory through a kernel read/write primitive rather than loading a driver, Microsoft added.

Citrine Sleet is financially motivated

Citrine Sleet, which other vendors track as AppleJeus, Labyrinth Chollima, UNC4736 and Hidden Cobra, is a financially motivated threat actor that primarily targets organizations and individuals managing cryptocurrency.

“As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it,” the report added. “The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications.”

The threat actor was previously linked to the 3CX supply chain attack, which affected six million customers. In that campaign, Citrine Sleet used a trojanized X-TRADER application to deliver malware and steal information, and used the same toolkit to breach two critical infrastructure organizations in the energy sector.

Microsoft recommended swift patching of both CVE-2024-7971 and CVE-2024-38106 to protect against Citrine Sleet exploitation. The two fixes address different links in the chain: updating Chromium-based browsers closes the initial entry point, while the Windows update removes the sandbox escape that any future renderer exploit could otherwise be chained with.
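Beyond patching, a defender would sweep proxy and DNS logs for the exploit domain the report names. The block below is an added example, not code from Microsoft’s report or from the article: it refangs the indicator as published (the `[.]` form) and matches it as a whole hostname, including subdomains, so that look-alike domains and plain substring hits do not produce false positives. The log lines and their format are constructed for the example and are not from any real environment.

```python
import re

# Indicator exactly as the report gives it, defanged with [.] so it is not clickable.
DEFANGED_IOCS = ["voyagorclub[.]space"]

# Constructed proxy/DNS log lines; the format is an assumption, not Microsoft's or the article's.
SAMPLE_LOG = [
    "2024-08-19T10:02:11Z 10.0.5.21 GET https://www.example.com/ 200",
    "2024-08-19T10:02:40Z 10.0.5.21 GET https://cdn.voyagorclub.space/assets/app.js 200",
    "2024-08-19T10:03:02Z 10.0.5.33 DNS voyagorclub.space. A",
    "2024-08-19T10:03:09Z 10.0.5.40 GET https://notvoyagorclub.space/ 200",
    "2024-08-19T10:03:30Z 10.0.5.40 GET https://voyagorclub.space.example.net/ 200",
]


def refang(indicator):
    """Undo the usual defanging so the indicator can be matched against real log data."""
    return (indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def domain_pattern(domains):
    """Match an indicator domain or any subdomain of it as a whole hostname, never a substring."""
    alts = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(
        r"(?<![A-Za-z0-9.-])"                # not preceded by another label character
        r"(?:[A-Za-z0-9-]+\.)*"              # optional subdomain labels
        r"(?:" + alts + r")"                 # one of the indicator domains
        r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])",   # no more label text after it (a trailing dot is fine)
        re.IGNORECASE,
    )


def scan(lines, domains=DEFANGED_IOCS):
    """Return (line_number, matched_host) for every line that touches an indicator domain."""
    pattern = domain_pattern(domains)
    hits = []
    for number, line in enumerate(lines, start=1):
        match = pattern.search(line)
        if match:
            hits.append((number, match.group(0).lower()))
    return hits
```

Running `scan(SAMPLE_LOG)` flags lines 2 and 3 (a subdomain fetch and a DNS lookup with a trailing dot) and ignores lines 4 and 5, where the indicator appears only as part of a longer, unrelated hostname. The same pattern builder accepts a whole list of indicators, so a report’s full IOC table can be swept in one pass.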

https://www.csoonline.com/article/3500452/north-korean-hackers-actively-exploited-a-critical-chromium-zero-day.html
Categories: Zero-day vulnerability
Ransomware recovery: 8 steps to successfully restore from backup
Mon, 02 Sep 2024 07:00:00 +0000

According to a Sophos survey of 5,000 IT and cybersecurity leaders released in April, 59% of organizations were hit by a ransomware attack in 2023, and of those, 56% paid a ransom to get their data back.

And the amounts paid were not trivial. In 63% of cases the ransom demand was for $1 million or more — $4.3 million, on average. Of the 1,097 respondents who shared their payment details, the average payment was $4 million — up from $1.5 million in 2023.

What is ransomware?

Ransomware is a type of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the encrypted data.

Many organizations are paying ransom

According to a report released in July by Semperis, based on a survey of 900 IT and security leaders, ransomware attacks disrupted business operations for 87% of companies.

But paying a ransom is a losing game. Of those hit, 74% were hit multiple times, sometimes within the same week. And of those who paid, 72% paid more than once; 32% of victims paid a ransom four or more times last year.

And, to rub salt into the wound, 35% of organizations who paid up didn’t receive decryption keys or had other problems with recovering files and assets.

Ransomware has been around for a long time. Why are we still paying for it? Part of the reason is the lack of backups — specifically, the lack of usable backups. Backups must be safe from malware, quick and easy to recover, and include not just important files and databases but also key applications, configurations, and all the technology needed to support an entire business process. Most importantly, backups should be well-tested.

Here are eight steps to ensure a successful recovery from backup after a ransomware attack.

1. Keep the backups isolated

According to the Sophos survey, in 94% of cases ransomware actors attempted to compromise the backups. And 57% of those attempts were successful. When attackers were able to successfully compromise the backups, the average ransom payment was $2.3 million — compared to $1 million for companies whose backups weren’t compromised.

In addition, companies whose backups were compromised were twice as likely to pay the ransoms — 67% versus 36%. Those with compromised backups also had eight times higher recovery costs, separate from the ransom payments — $3 million versus $375,000.

“We do see some of our clients that have on-prem backups that they run themselves, as well as cloud-based ones,” says Jeff Palatt, former vice president for technical advisory services at MoxFive, a technical advisory services company. “But ideally, if someone has both, they don’t cascade. If the encrypted files get written to the local backup solution and then get replicated to the cloud, that doesn’t do you any good.”

Some cloud-based platforms include versioning as part of the product at no additional cost. For example, Office 365, Google Docs and online backup systems like iDrive keep previous versions of files rather than overwriting them. Even if ransomware strikes and the encrypted files are backed up, the backup process just adds a new, corrupted version of each file; it doesn’t overwrite the older versions already there. Version history is only as good as its retention settings and the permissions that govern it, however: if the account doing the backups can purge old versions, so can an attacker who compromises that account, which is why the isolation described in this step still matters.

Technology that takes continuous incremental backups of files also means little or no data is lost when ransomware hits: you go back to the last good version of the file from before the attack.

2. Use write-once storage techniques

Another way to protect backups is to use storage that cannot be written over: physical write-once-read-many (WORM) media or its virtual equivalents, which allow data to be written but not changed or deleted before its retention period expires. This does raise the cost of backups, since nothing can be reclaimed by overwriting it. Incremental backups and deduplication, which store only changed files or blocks rather than repeated full copies, keep the extra storage manageable.

According to a report released in June by Veeam, many companies already use immutable storage: 70% use hardened disks on-premises and 89% use immutable cloud storage. However, only 54% of the total backup storage in use is immutable, which leaves the rest exposed to ransomware.

3. Keep multiple types of backups

“In many cases, enterprises don’t have the storage space or capabilities to keep backups for a lengthy period of time,” says Palatt. “In one case, our client had three days of backups. Two were overwritten, but the third day was still viable.” If the ransomware had hit over, say, a long holiday weekend, then all three days of backups could have been destroyed. “All of a sudden you come in and all your iterations have been overwritten because we only have three, or four, or five days.”

Palatt suggests that companies keep different types of backups, such as full backups on one schedule combined with incremental backups on a more frequent schedule, with a retention window long enough that an attacker who waits several days before encrypting cannot roll the last clean copy out of it.

4. Protect the backup catalog

In addition to keeping the backup files themselves safe from attackers, companies should also ensure that their data catalogs are safe. “Most of the sophisticated ransomware attacks target the backup catalog and not the actual backup media, the backup tapes or disks, as most people think,” says Amr Ahmed, EY America’s infrastructure and service resiliency leader.

This catalog contains all the metadata for the backups, the index, the bar codes of the tapes, the full paths to data content on disks, and so on. “Your backup media will be unusable without the catalog,” Ahmed says. Restoring without one would be extremely hard or impractical. Enterprises need to ensure that they have in place a backup solution that includes protections for the backup catalog, such as an air gap.

5. Back up everything that needs to be backed up

When Alaska’s Kodiak Island Borough was hit by ransomware in 2016, the municipality had about three dozen servers and 45 employee PCs. All were backed up, says the borough’s former IT supervisor Paul VanDyke, who ran the recovery effort. All servers were backed up, that is, except one. “I missed one server that had assessed property values,” he says.

The ransom demand was small by today’s standards, just half a Bitcoin, which was then worth $259. He paid the ransom, but only used the decryption key on that one server, since he didn’t trust the integrity of the systems restored with the attackers’ help. “I assumed everything was dirty,” he says. Today, everything is covered by backup technology.

Larger organizations also struggle to ensure that everything that needs to be backed up actually is. According to a Veritas survey, IT professionals estimate that, on average, they would be unable to recover 20% of their data after a complete data loss. It doesn’t help that many companies, if not all, have a problem with shadow IT.

“People are trying to do their jobs in the most convenient and efficient way possible,” says Randy Watkins, CTO at Critical Start. “Oftentimes, that means running under the radar and doing things yourself.”

There’s only so much companies can do to prevent loss when critical data is sitting on a server in a back closet somewhere, especially if the data is used for internal processes. “When it comes to production, it usually hits the company’s radar somewhere,” says Watkins. “There’s a new application or a new revenue-generating service.”

Not all systems can be easily found by IT so that they can be backed up. Ransomware hits, and then suddenly things are no longer working. Watkins recommends that companies do a thorough survey of all their systems and assets. This will usually involve leaders from every function, so that they can ask their people for lists of all critical systems and data that needs to be protected.

Often, companies will discover that things are stored where they shouldn’t be stored, like payment data being stored on employee laptops. As a result, the backup project will often run concurrent with a data loss prevention project, Watkins says.

6. Back up entire business processes

Ransomware doesn’t just affect data files. Attackers know that the more business functions they can shut down, the more likely a company is to pay a ransom. Natural disasters, hardware failures, and network outages don’t discriminate either.

After they were hit by ransomware, Kodiak Island’s VanDyke had to rebuild all the servers and PCs, which sometimes included downloading and re-installing software and redoing all the configurations. As a result, it took a week to restore the servers and another week to restore the PCs. In addition, he only had three spare servers to do the recovery with, so there was a lot of swapping back and forth, he says. With more servers, the process could have gone faster.

A business process works like an orchestra, says Dave Burg, cybersecurity leader at EY Americas. “You have different parts of the orchestra making different sounds, and if they’re not in sequence with each other, what you hear is noise.”

Backing up just the data without backing up all the software, components, dependencies, configurations, networking settings, monitoring and security tools, and everything else that is required for a business process to work can make recovery extremely challenging. Companies too often underestimate this challenge.

“There’s a lack of understanding of the technology infrastructure and the interconnections,” says Burg. “An insufficient understanding of how the technology really works to enable the business.”

The biggest infrastructure recovery challenges after a ransomware attack typically involve rebuilding Active Directory and rebuilding configuration management database capability, Burg says. It used to be that if a company wanted a full backup of its systems, not just data, that it would build a working duplicate of its entire infrastructure, a disaster recovery site. Of course, doing so doubled the infrastructure costs, making it cost prohibitive for many businesses.

Today, cloud infrastructure can be used to create virtual backup data centers, one that only costs money while it is being used. And if a company is already in the cloud, setting up a backup in a different availability zone—or a different cloud—is an even simpler process. “These cloud-based hot-swap architectures are available, are cost effective, and are secure, and have a great deal of promise,” says Burg.

7. Use hot disaster recovery sites and automation to speed recovery

According to Sophos, only 35% of ransomware victims are fully recovered within a week — down from 47% in 2023 and 52% in 2022. And a third takes a month or longer to recover. “I know companies who are spending a lot of money on tapes and sending them off to Iron Mountain,” says Watkins. “They don’t have the time to wait an hour to get the tapes back and 17 days to restore them.”

A hot site, one that’s available at the flip of a switch, would largely solve the recovery-time problem, and today’s cloud-based infrastructure puts one within reach of far more organizations than before.

“It’s a no-brainer,” says Watkins. “You can have a script that copies your infrastructure and stands it up in another availability zone or another provider altogether. Then have the automation ready to go so that you hit play. There’s no restore time, just 10 or 15 minutes to turn it on. Maybe a full day if you go through testing.”

Why aren’t more companies doing this? First, there’s a substantial cost to the initial setup, Watkins says. “Then you need that expertise in house, that automation expertise and cloud expertise in general,” he says. “Then there are things like security controls that you need to set up ahead of time.”

There are also legacy systems that don’t transfer to the cloud. Watkins points to oil and gas controllers as an example of something that can’t be replicated in the cloud.

For the most part, the initial cost of setting up the backup infrastructure should be a moot point, Watkins says. “Your cost to set up the infrastructure is much less than paying the ransomware and dealing with the reputation damage.”

For companies struggling with this, one approach could be to focus on the most critical business processes first, suggests Tanner Johnson, principal analyst for data security at Omdia. “You don’t want to buy a million-dollar lock to protect a thousand-dollar asset,” he says. “Define what your crown jewels are. Establish a hierarchy and priority for your security team.”

There’s a cultural barrier to investing proactively in cybersecurity, Johnson admits. “We are a reactionary society, but cybersecurity is finally being seen for what it is: an investment. An ounce of prevention is worth a pound of cure.”

8. Test, test, and test again

“A lot of people are approaching backups from a backup point of view, not a recovery point of view,” says Mike Golden, senior delivery manager for cloud infrastructure services at Capgemini. “You can back up all day long, but if you don’t test your restore, you don’t test your disaster recovery, you’re just opening yourself to problems.”

This is where a lot of companies go wrong, Golden says. “They back it up and go away and are not testing it.” They don’t know how long the backups will take to download, for example, because they haven’t tested it. “You don’t know all the little things that can go wrong until it happens,” he says.

It’s not just the technology that needs to be tested, but the human element as well. “People don’t know what they don’t know,” Golden says. “Or there’s not a regular audit of their processes to make sure that people are adhering to policies.”

When it comes to people following required backup processes and knowing what they need to do in a disaster recovery situation, the mantra, Golden says, should be “trust but verify.”
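Three of the steps above concern the backup store itself: keeping versions rather than overwriting them (step 1), protecting the catalog (step 4) and testing restores (step 8). The harness below exercises all three in one place. It is an added example, not code from the article or from any backup vendor. It assumes a local directory stands in for the backup target (in production that would be a WORM share or an object-lock bucket) and uses byte entropy as a stand-in for a real content validator, on the assumption that encrypted output sits near 8 bits per byte while ordinary documents sit well below. It takes two clean backups, then a third after a constructed “ransomware” pass has encrypted the source file, and shows that the newest version fails the restore test while the last good version is found by walking the catalog backwards.

```python
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: ciphertext sits near 8.0 bits/byte; ordinary documents sit well below this.
ENTROPY_LIMIT = 7.0


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def byte_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


class BackupStore:
    """Append-only store: every run gets a fresh version directory and the catalog only grows."""

    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)
        self.catalog_path = os.path.join(root, "catalog.json")  # the backup catalog (step 4)
        self.catalog = {"versions": []}
        if os.path.exists(self.catalog_path):
            self.catalog = json.loads(Path(self.catalog_path).read_text())

    def backup(self, source_dir):
        """Copy source_dir into a new version and record every file's SHA-256 in the catalog."""
        version_id = "v%04d" % (len(self.catalog["versions"]) + 1)
        dest = os.path.join(self.root, version_id)
        os.makedirs(dest)  # raises if it already exists: a version is never overwritten (step 1)
        files = {}
        for dirpath, _, names in os.walk(source_dir):
            for name in names:
                src = os.path.join(dirpath, name)
                rel = os.path.relpath(src, source_dir)
                dst = os.path.join(dest, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)
                files[rel] = sha256_file(dst)
        self.catalog["versions"].append({"id": version_id, "files": files})
        Path(self.catalog_path).write_text(json.dumps(self.catalog, indent=1))
        return version_id

    def restore_and_verify(self, version_id, target_dir):
        """Restore one version into target_dir; return the (file, problem) pairs found (step 8)."""
        entry = next(v for v in self.catalog["versions"] if v["id"] == version_id)
        problems = []
        for rel, expected in entry["files"].items():
            dst = os.path.join(target_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(self.root, version_id, rel), dst)
            if sha256_file(dst) != expected:
                problems.append((rel, "hash mismatch: media or catalog tampered with"))
            elif byte_entropy(Path(dst).read_bytes()) > ENTROPY_LIMIT:
                problems.append((rel, "high entropy: content looks encrypted"))
        return problems

    def last_good_version(self):
        """Walk the catalog newest-first and return the first version that restores clean."""
        for entry in reversed(self.catalog["versions"]):
            with tempfile.TemporaryDirectory() as scratch:
                if not self.restore_and_verify(entry["id"], scratch):
                    return entry["id"]
        return None


def fake_encrypt(data, key):
    """Deterministic stand-in for ransomware output: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def demo():
    """Two clean runs, then a run after encryption; return what the restore test finds."""
    with tempfile.TemporaryDirectory() as work:
        doc = Path(work, "share", "ledger.csv")
        doc.parent.mkdir()
        plain = b"date,account,amount\n" + b"2024-09-01,4711,19.99\n" * 200  # constructed sample
        doc.write_bytes(plain)
        store = BackupStore(os.path.join(work, "backups"))
        store.backup(str(doc.parent))
        store.backup(str(doc.parent))
        doc.write_bytes(fake_encrypt(plain, b"constructed-attacker-key"))
        latest = store.backup(str(doc.parent))  # the encrypted file is faithfully backed up too
        with tempfile.TemporaryDirectory() as scratch:
            latest_problems = store.restore_and_verify(latest, scratch)
        return {"versions": len(store.catalog["versions"]), "latest": latest,
                "latest_problems": latest_problems, "last_good": store.last_good_version()}
```

Calling `demo()` reports three versions, flags `v0003` for high entropy and names `v0002` as the last good version. Two design points carry over to real tooling: the restore test checks the catalog hash first, so a tampered catalog or damaged media is reported as such rather than mistaken for ransomware, and the search for a clean version runs newest-first, so the test also tells you how much recent data the rollback will cost.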

What steps should companies take if they’ve experienced a ransomware attack?

The US Cybersecurity and Infrastructure Security Agency (CISA) publishes a response checklist, in its #StopRansomware Guide, that covers the main steps to take after a ransomware attack.

Evaluate the scope of damage: The first step is to identify all affected systems and devices. That can include on-premises hardware as well as cloud infrastructure. CISA recommends using out-of-band communications during this stage, such as phone calls, to avoid letting the attackers know that they have been discovered and what actions you are planning to take.

Isolate systems: Disconnect affected devices from the network. If several systems or subnets are affected, take them offline at the network level by powering down switches or disconnecting cables. Power devices off only if you cannot disconnect them from the network, since powering down destroys evidence held in volatile memory. In addition, protectively isolate the most mission-critical systems that are still untouched from the rest of the network.

Triage affected systems for recovery: Prioritize systems critical for health or safety, revenue generation, and other critical business services as well as the systems that they depend on. Restore from offline, encrypted backups and golden images that have been tested to be free of infection.

Execute your notification plan: Depending on your cyber incident response and communications plan, notify internal and external teams and stakeholders. These can include the IT department, managed security service providers, cyber insurance company, corporate leaders, customers, and the public, as well as government agencies in your country. If the incident involved a data breach, follow legal notification requirements.

Containment and eradication: Collect system images and memory captures of all affected devices, along with relevant logs, samples of the malware and early indicators of compromise. Identify the ransomware variant and follow the remediation steps recommended for it. If data has been encrypted, consult federal law enforcement about decryptors that may be available. Secure networks and accounts against further compromise, including resetting credentials the attackers may hold, since they may still have their original access or credentials gathered during the breach. Finally, conduct extended analysis to find persistence mechanisms so the infection cannot reactivate.

How long does it take to recover from ransomware?

According to Sophos, only a minority of ransomware victims recover in a week or less: 35% took less than a week, about a third took between a week and a month, and 34% took a month or more. Only 7% of victims recovered in less than a day, while 8% took three months or longer.

Recovery times are significantly reduced, however, if a company has good backups.

If a company’s backups were also compromised, only 25% of companies recovered in less than a week. But if the backups were not compromised, 46% of companies took less than a week to get back on their feet.

Ransomware best practices for prevention

CISA has a detailed list of best practices for preventing ransomware.

Backups: CISA recommends maintaining offline, encrypted backups of critical data and testing these backups and recovery procedures on a regular basis. Enterprises should also have golden images of critical systems, as well as configuration files for operating systems and key applications that can be quickly deployed to rebuild systems. Companies may also consider investing in backup hardware or backup cloud infrastructure to ensure business continuity.
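"Tested to be free of infection" is only possible if you can tell that a backup set is exactly what you wrote, and ransomware that reaches the backup share will quietly break that. The script below is an added example, not CISA's procedure or code: it hashes every file in a backup set, authenticates the listing with an HMAC key kept with the offline media, and rejects the set if any file was modified, removed or added, or if the manifest itself was regenerated without the key. The directory layout, key and simulated damage are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file and authenticate the listing with a key that lives only on
    the offline media (constructed here; in practice never on the backup host)."""
    files = _listing(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes) -> Tuple[bool, List[str]]:
    """Check the manifest MAC first, then every file against it. Returns
    (ok, problems); anything in problems means do not restore from this copy."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest MAC mismatch: manifest was altered or signed with another key"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif file_sha256(p) != digest:
            problems.append(f"modified: {rel}")
    for extra in sorted(set(_listing(root)) - set(manifest["files"])):
        problems.append(f"unexpected: {extra}")
    return not problems, problems


def demo() -> dict:
    """Build a small constructed backup, then verify it clean, after simulated
    ransomware damage, and after an attacker regenerates the manifest."""
    key = b"constructed-offline-key-do-not-reuse"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"-- constructed dump\nINSERT INTO customers VALUES (1, 'acme');\n")
        (root / "config.yaml").write_bytes(b"listen: 0.0.0.0:8443\n")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_backup(root, manifest, key)

        # Simulated ransomware: the dump is overwritten in place and a note is dropped.
        (root / "db" / "customers.sql").write_bytes(b"\x8f\x13\xa0\x77" * 16)
        (root / "README_TO_RESTORE.txt").write_bytes(b"constructed ransom note")
        tampered_ok, problems = verify_backup(root, manifest, key)

        # An attacker with write access to the backup share rebuilds the manifest,
        # but cannot reproduce the MAC without the offline key.
        forged = build_manifest(root, b"guessed-key")
        forged_ok, forged_problems = verify_backup(root, forged, key)

    return {
        "clean_ok": clean_ok,
        "tampered_ok": tampered_ok,
        "problems": problems,
        "forged_ok": forged_ok,
        "forged_problems": forged_problems,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A plain hash list is not enough on its own, because an attacker who can encrypt the backups can also rewrite the list; the MAC keyed from material that stays offline is what makes the regenerated manifest fail in the third check.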

Incident response plan: Enterprises should create, maintain, and regularly exercise a cyber incident response plan and an associated communication plan. The plan should cover all legally required notifications and organizational communications procedures, and all key players should have hard copies or offline versions of it.

Prevention: CISA recommends that companies move to a zero-trust architecture to prevent unauthorized access. Other key preventive measures include minimizing the number of services exposed to the internet, especially frequently targeted ones such as Remote Desktop Protocol (RDP); conducting regular vulnerability scanning; patching and updating software promptly; implementing phishing-resistant multi-factor authentication; deploying identity and access management systems; changing all default administrator usernames and passwords; using role-based access instead of shared root or administrator accounts; and reviewing the security configuration of all company devices and cloud services, including personal devices used for work. CISA also has specific recommendations for protecting against the most common initial access vectors, such as phishing, malware, social engineering, and compromised third parties.

Source: https://www.csoonline.com/article/571131/ransomware-recovery-8-steps-to-successfully-restore-from-backup.html
Categories: Backup and Recovery, Malware, Ransomware
Women in Cyber Day finds those it celebrates ‘leaving in droves’ Sat, 31 Aug 2024 00:06:38 +0000

The information security industry has been trying for years to improve the participation of and respect for women in the cyber community, with some rising to CSO positions.

But with International Women in Cyber Day being celebrated Sunday, Sept. 1, one US-based CISO thinks things may be going backwards for women in the profession.

“I was very positive until about a year and a half ago,” Olivia Rose, head of Rose CISO Group, a virtual CISO provider, and faculty member at Boston-based management consulting firm IANS Research, said in an interview this week. 

“We’ve seen a shift in the past year and a half where women are leaving cybersecurity in droves. That’s the only way to describe it. I hear or speak to at least two to three women a week who are either giving up completely and leaving tech, or they’re going out on their own and starting a cybersecurity company like I did,” she says.

Creating your own firm may sound like a positive. But, Rose said, many who go private do it “because they feel propelled to do so” due to the way they’re treated by colleagues or employers.

And it’s the middle and senior managers who tend to be the ones leaving, she added.

Lynn Dohm, executive director of US-based Women in Cybersecurity (WiCyS), agrees, adding that many women with between six and 10 years of infosec experience hit a glass ceiling in their careers.

“Things have stalled,” she said. In 2014, around when WiCyS was formed, women accounted for an estimated 11% of the global infosec workforce. Ten years later, that percentage is estimated at between 20% and 24%.

Lisa Kearney, head of the Canada-based Women in Cybersecurity Society, thinks the situation for women in infosec has improved in the past five years, but she still sees high drop-out rates among women early in their careers in Canada.

Women in Cyber Day “shines a spotlight on the vital contributions and acknowledges the achievements of women in cybersecurity,” Kearney said. “[The day] also serves as a reminder that diversity is not just about equity. It’s necessary for innovation and effective problem-solving.”

WiCyS’ Dohm believes Women in Cyber Day is important not only to honor the talent women bring to cybersecurity but also to let women explore the possibility of a cybersecurity career. It also allows the message to be spread that diverse cybersecurity teams make the organization more secure by allowing different voices and perspectives to be heard — especially at a time when unexpected challenges pop up daily. A study for WiCyS released earlier this year shows the lack of diversity is a symptom of lack of inclusion in the workforce, she said.

Photo: Lynn Dohm, executive director, Women in Cybersecurity (credit: Women in Cybersecurity)

“It hasn’t been the easiest industry to break into,” she said. “Although we’ve moved the needle ever so slightly, there’s still more work that needs to be done.”

Sexism still a barrier

Despite significant shortages of cybersecurity talent around the globe, women still face an uphill climb establishing infosec careers, with sexism in the male-dominated field still a barrier.

Rose of Rose CISO Group has been in the infosec industry for 22 years, including holding CISO positions at Mailchimp and Amplitude. Over that time, she has experienced more than her share of toxic behavior.

Photo: Olivia Rose, CISO and founder, Rose CISO Group (credit: Rose CISO Group)

“I’ve been called every name in the book, except for one, to my face and behind my face,” she said. “At one company where it was all men, I was called the cockroach because I refused to die, I refused to leave. I said, ‘You’re not getting rid of me until I’m ready to go.’”

“You [as a woman] have to have a very thick skin and a spine of steel to last a very long time in this industry,” she said. “Every woman I know who is a leader has the same — very tough skin and a spine of steel.”

Women in cybersecurity statistics

ISC2, a nonprofit offering training and certifications for cybersecurity professionals, estimates that women represent 20% to 25% of the global cybersecurity workforce. According to its April survey of 2,400 women in infosec roles, on average only 23% of current cybersecurity team members are women, and 11% of respondents said they had no other women on their security teams.

Another finding: Female respondents earn around 5% less than their male colleagues, with an average salary of US$109,609 compared to US$115,003 for men — a pay gap despite the fact that women respondents hold advanced degrees (master’s and doctorate-level qualifications) at significantly higher rates than men, while they hold cybersecurity certifications at equal rates.

One positive finding from the survey: Women hold executive titles in cybersecurity at a similar rate to men, with 16% of women reporting a manager-level title and 7% holding director-level roles.

Discouraging workplace cultures

WiCyS’ aforementioned “State of Inclusion in Cybersecurity” report found that women continue to face numerous unfavorable experiences that contribute to their overall feeling of exclusion in the workplace, negatively impacting their job satisfaction, productivity, and retention.

“In particular, we find that women are especially impacted by lack of respect and by lack of career opportunities,” the researchers wrote. “We also find that workplace experiences result most frequently from leadership and direct managers, but that peers also play a significant role, particularly in terms of being disrespectful.”

Examples of bad experiences women relayed included:

  • “After introducing myself, I have had individuals ask to speak to ‘a guy who works in IT’ instead of me.”
  • “Colleagues would play pornographic movies as I arrived to meetings. One time a colleague played a movie like this when we were meeting with a customer.”
  • “My male peers received more pats on the back for far lesser accomplishments than me.”

Just over 1,000 employees, approximately 35% of whom were men and 65% women, participated in the survey. Forty-eight percent of female respondents said they were experiencing issues related to career and personal growth at their employer, significantly more than the 26% of men who report similar experiences.

Recommendations to the C-suite

ISC2 offers several tips for management to help increase women’s participation and satisfaction in cybersecurity:

  • Set specific hiring, recruitment, and advancement metrics. Security leaders should help establish targets to promote a workforce that closely reflects the diversity of the general population.
  • Make pay equity a priority. CISOs should actively monitor pay equity for all roles within their organization to ensure salary and benefits are aligned based on role requirements and experience — and to make adjustments as needed.
  • Eliminate inequities around advancement. Security leaders must support women in defining their goals and ensure they have equal access to development opportunities to reach leadership roles. Greater representation of women in senior positions inspires other women.
  • Focus on the “I” in DEI. Many organizations understand what diversity and equity mean, but emphasizing inclusion will help address feelings of not belonging and of being inauthentic, which in turn helps with retention.

“I love being a woman in this industry,” Rose said. “It’s been a really rough ride. There have been a lot of ups and downs. I’ve had to work harder than a lot of people — like any woman leader will tell you. But my mantra has always been, ‘I’m not leaving until I’m ready to go’ because I love this industry. And I’m good at it. So I’ve stuck in there. But unfortunately, many women are giving up and leaving.”

Source: https://www.csoonline.com/article/3499360/women-in-cyber-day-finds-those-it-celebrates-leaving-in-droves.html
Categories: Careers, IT Leadership
LLMs fueling a “genAI criminal revolution” according to Netcraft report Fri, 30 Aug 2024 14:10:22 +0000

Like seemingly everyone else, threat actors are increasingly adopting generative artificial intelligence (genAI) as a business tool. Recent findings by security researchers at Netcraft have revealed what it called “a mass universal scaling up of genAI being used as a content creation tool for fraudulent websites.”

In a blog post published Thursday, Netcraft noted that it has been identifying thousands of websites per week that use AI-generated content, with steady growth in the technology’s use. In late July, however, there was a spike in the number of sites that continued into the first week of August before subsiding.

Netcraft attributed this to a single threat actor who was setting up fake shopping sites and using genAI to write product descriptions.

“This and the broader growth in activity between March and August appears to indicate a mass universal scaling up of genAI being used as a content creation tool for fraudulent websites, with a notable spike showing in the realm of online stores,” Netcraft said in its post.

Malicious content is becoming more convincing

“This has led to an abundance of malicious websites, attracting victims not only because of the sheer volume of content but also because of how convincing that content has become.”

It is no longer possible, the report said, to decide that a website or email is legitimate simply because it’s written in professional English.

However, there can be clues in the email or on the site. Netcraft said that sometimes threat actors accidentally include large language model (LLM) outputs in the fraudulent emails. For example, a phishing email it encountered, claiming to contain a link to a file transfer of family photos, also included the phrase, “Certainly! Here are 50 more phrases for a family photo.”

“We might theorize that threat actors, using ChatGPT to generate the email body text, mistakenly included the introduction line in their randomizer,” Netcraft said. “This case suggests a combination of both genAI and traditional techniques.”

Telltale evidence still shows which phishing emails are fake

Another phishing email it viewed would have been credible — had it not been for the sentence at the beginning, which included the LLM introduction line, “Certainly, here’s your message translated into professional English.” And a fake investment website touting the phoney company’s advantages looked good, except for the headline saying, “Certainly! Here are six key strengths of Cleveland Invest Company.”

“There’s no honor among thieves, of course,” Netcraft observed. “Just as criminals are happy to siphon credentials from other phishing sites, we’ve observed that when they see a convincing LLM-generated template, they may replicate the content almost verbatim.”

For example, the “Cleveland Invest” website text was replicated (complete with LLM response) from another fake text created for “Britannic Finance”. In this case, the threat actor appeared to then use an LLM to adjust the text, using synonyms for some terms.

Netcraft has also seen LLM-generated sites for fake shops and fake pharmacies designed for search engine optimization (SEO), to pull in more victims. Again, it cited a site on which the LLM’s response to the request was leaked on the site, with discussion points followed by “this outline should give you a good start …”, and a reminder to include SEO keywords in the title, headings, and body of the text.
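The leftover phrases Netcraft describes are cheap to look for. The scanner below is an added example, not Netcraft's detection logic: it scores a message or page body against weighted patterns for chatbot scaffolding (preambles, translation and outline residue, SEO instructions) and flags anything at or above a threshold. The sample texts are constructed; several reuse the exact leftover sentences quoted above, and the weights and threshold are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Weighted patterns for chatbot response scaffolding that a careless operator
# pastes into a phishing email or scam page. The weights are a judgement call
# (hypothetical), not measured detection rates.
LEFTOVER_PATTERNS = [
    (r"\bcertainly[!,]?\s+here(?:['’]s| is| are)\b", 3, "assistant preamble"),
    (r"\bhere (?:is|are) (?:\d+|\w+) (?:more )?(?:phrases|key strengths|points|options|versions|variations)\b",
     2, "enumerated-list preamble"),
    (r"\btranslated into (?:professional|formal|fluent) english\b", 3, "translation leftover"),
    (r"\bthis outline should give you a good start\b", 3, "outline leftover"),
    (r"\bas an ai language model\b", 3, "model self-reference"),
    (r"\b(?:remember|be sure|make sure) to (?:include|use) [^.\n]*\bkeywords?\b", 2, "SEO instruction leftover"),
    (r"\bi hope this helps\b", 1, "sign-off leftover"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), w, label) for p, w, label in LEFTOVER_PATTERNS]


def scan(text: str) -> Tuple[int, List[str]]:
    """Return (score, hits); each hit names the pattern and the matched text."""
    score, hits = 0, []
    for rx, weight, label in COMPILED:
        m = rx.search(text)
        if m:
            score += weight
            hits.append(f"{label}: {m.group(0)!r}")
    return score, hits


def is_suspicious(text: str, threshold: int = 3) -> bool:
    return scan(text)[0] >= threshold


# Constructed samples. The first four reuse leftover sentences quoted in the
# Netcraft examples; the last two are ordinary business messages.
SAMPLES: Dict[str, str] = {
    "photo_phish": (
        "Certainly! Here are 50 more phrases for a family photo.\n"
        "Your family photos are ready, download them at https://files.example/photos"
    ),
    "translated_phish": (
        "Certainly, here's your message translated into professional English. "
        "Dear customer, your invoice is overdue; settle it at https://billing.example/pay"
    ),
    "invest_site": (
        "Certainly! Here are six key strengths of Cleveland Invest Company\n"
        "1. Proven returns for investors\n2. Licensed advisers"
    ),
    "seo_pharmacy": (
        "Buy discount medication online with fast shipping.\n"
        "This outline should give you a good start. Remember to include your SEO "
        "keywords in the title, headings and body."
    ),
    "benign_reply": "Certainly, I will have the report to you by Friday. Thanks, Dana",
    "benign_helpful": "Attached is the onboarding checklist. I hope this helps with the new starters.",
}


def flagged(samples: Dict[str, str] = SAMPLES, threshold: int = 3) -> List[str]:
    """Names of the samples the scanner would flag, sorted."""
    return sorted(name for name, text in samples.items() if is_suspicious(text, threshold))


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        score, hits = scan(text)
        print(f"{name:<17} score={score} flagged={is_suspicious(text)} {hits}")
```

The benign samples show the main caveat: a perfectly normal “Certainly, I will...” must not trip the detector, so the preamble pattern requires the “here's/here are” continuation, and the weak “I hope this helps” sign-off alone stays below the threshold. As Netcraft's own conclusion says, this is a supplementary signal for triage, not a substitute for blocking and takedown.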

And all this is just the tip of an ever-growing iceberg. “The report speaks to only one area of cyber threat that’s being augmented by generative AI capabilities: gaining initial access to a victim, namely through phishing,” said Brian Jackson, principal research director at Info-Tech Research Group.

“Unfortunately, that’s only one small part of the full scope of augmented threats we’re seeing, thanks to LLMs,” Jackson says. “Whole new taxonomies of cyber threat techniques are being added to threat frameworks thanks to LLMs.”

LLMs are being used to conduct reconnaissance

Examples include using LLMs to conduct reconnaissance, such as searching and summarizing a potential victim’s publicly available materials and potential vulnerabilities. “OpenAI has banned state-sponsored accounts for doing exactly this,” Jackson says. “Then, there is the attempt to exploit LLMs themselves through prompt injection and jailbreak, etc.” He pointed to an exhaustive list of techniques via MITRE ATLAS.

This coincides with Netcraft’s findings. “There are many more [examples], with conclusive evidence pointing to the large-scale use of LLMs in more subtle attacks,” the post said. “The security implication of these findings is that organizations must stay vigilant; website text written in professional English is no longer a strong indicator of its legitimacy. With genAI making it easier to trick humans, technical measures like blocking and taking down content are becoming increasingly critical for defending individuals and brands.” 

And, said Jackson, “from my perspective, it’s not the same old threats being augmented with AI that are most alarming. We already have defined techniques to help mitigate those. Rather, it’s the net new cyber threats from generative AI that could really catch organizations off guard.”

“As we’ve already seen, most of us expect that when an executive video calls us, we can trust that it’s really them giving us instructions,” Jackson says. “That’s just no longer the case, as generative AI can effectively make deepfakes with limited available training data.”

Source: https://www.csoonline.com/article/3499156/llms-fueling-a-genai-criminal-revolution-according-to-netcraft-report.html
Categories: Generative AI, Hacking, Phishing
Ransomware feared in the cyberattack on US oil services giant Fri, 30 Aug 2024 11:22:46 +0000

The August 21 cyberattack on US oilfield services contractor Halliburton is now feared to be a ransomware attack, according to an email reportedly sent to the company’s suppliers.

BleepingComputer obtained a copy of the email and reported that it had been able to confirm one of the indicators of compromise (IOCs) shared within it “to be a RansomHub ransomware encryptor.”

Halliburton is one of the biggest oil service companies globally, responsible for most of the world’s largest fracking operations.

RansomHub encryptor found

The IOCs shared in the email, consisting of filenames and IP addresses, reportedly included a Windows executable named maintenance.exe, which BleepingComputer confirmed to be a RansomHub encryptor.

The connection had already been made in several social media rumors, but no evidence had been presented until then. Emails sent to Halliburton by CSO for comment did not elicit a response by the time this article was published.

“We are reaching out to update you about a cybersecurity issue affecting Halliburton,” said the email to suppliers. “As soon as we learned of the issue, we activated our cybersecurity response plan and took steps to address it, including (1) proactively taking certain systems offline to help protect them, (2) engaging the support of leading external advisors, including Mandiant, and (3) notifying law enforcement.”

Separately, the FBI and CISA have released a joint advisory on the RansomHub ransomware variant, calling it a formidable service model that is attracting high-profile affiliates from other prominent operations such as LockBit and ALPHV.

“Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors,” CISA added in the advisory.

Halliburton sent into shutdown

The cyberattack pushed Halliburton to shut down some of its systems while it investigated the incident, according to the company’s SEC filing. Generating invoices and purchase orders was temporarily affected, but a workaround has since been made available, according to the email.

“On August 21, 2024, Halliburton Company became aware that an unauthorized third party gained access to certain of its systems,” the oilfield services giant said in the filing. “The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement.” Additionally, the company launched an internal investigation with the “support of external advisors to assess and remediate the unauthorized activity”, the filing added.

Source: https://www.csoonline.com/article/3498996/ransomware-feared-in-the-cyberattack-on-us-oil-services-giant.html
Categories: Ransomware
15 infamous malware attacks: The first and the worst Fri, 30 Aug 2024 07:00:00 +0000

Viruses and other malware spreading for sinister or baffling reasons has been a staple of cyberpunk novels and real-life news stories alike for decades. And in truth, there have been computer viruses on the internet since before it was the internet.

Mikko Hyppönen, chief research officer at WithSecure, has been fighting malware and cybercrime since the 1990s. Computer viruses have evolved from a nuisance to a potential national security threat over that period.

“The major shift in malware outbreaks occurred around 2003-2004,” Hyppönen tells CSO. “Before that, most attacks were created by hobbyists for fun. Some of the self-replicating worms from that era had no purpose other than to spread as quickly and widely as possible. Since then, most malware has been developed by organized crime groups or governments, and attacks have become much more targeted.”

This article takes a look at some of the most important milestones in the evolution of malware. Each entry represents a novel idea, a lucky break that revealed a gaping security hole, or an attack that turned out to be particularly damaging, and sometimes all three.

  1. Creeper virus (1971)
  2. Brain virus (1986)
  3. Morris worm (1988)
  4. ILOVEYOU worm (2000)
  5. Mydoom worm (2004)
  6. Zeus trojan (2007)
  7. Stuxnet (2010)
  8. CryptoLocker ransomware (2013)
  9. Emotet trojan (2014)
  10. Mirai botnet (2016)
  11. Industroyer (2016)
  12. Petya ransomware/NotPetya wiper (2016/2017)
  13. WannaCry (2017)
  14. Clop ransomware (2019-present)
  15. Darkside (2021)

1. Creeper virus (1971)

Computer pioneer John von Neumann’s posthumous work Theory of Self-Reproducing Automata, which posited the idea of computer code that could reproduce and spread itself, was published in 1966. Five years later, the first known computer virus, called Creeper, was written by Bob Thomas. Written in PDP-10 assembly language, Creeper could reproduce itself and move from computer to computer across the nascent ARPANET.

Creeper did no harm to the systems it infected — Thomas developed it as a proof of concept, and its only effect was that it caused connected teletype machines to print a message that said “I’M THE CREEPER: CATCH ME IF YOU CAN.” We’re mentioning it here despite its benign nature because it was the first, and set the template for everything that followed. Shortly after Creeper’s release, Ray Tomlinson, best known for implementing the first email program, wrote a rival program called Reaper that spread from computer to computer eliminating Creeper’s code.

2. Brain virus (1986)

Creeper was designed to leap across computer networks, but for most of the 1970s and ’80s that infection vector was limited simply because most computers operated in isolation. What malware did spread from computer to computer did so via floppy disks. The earliest example is Elk Cloner, which was created by a 15-year-old as a prank and infected Apple II computers. But probably the most important of this generation of viruses was one that came to be known as Brain, which started spreading worldwide in 1986.

Brain was developed by computer programmers (and brothers) Amjad and Basit Farooq Alvi, who lived in Pakistan and had a business selling medical software. Because their programs were often pirated, they created a virus that could infect the boot sector of pirated disks. It was mostly harmless but included contact information for them and an offer to “disinfect” the software.

Whether they could actually “fix” the problem isn’t clear, but as they explained 25 years later, they soon started receiving phone calls from all over the world, and were shocked by how quickly and how far Brain had spread (and how mad the people who had illegally copied their software were at them, for some reason). Today Brain is widely regarded as the first IBM PC virus, so we’re including it on our list despite its benign nature, and the brothers still have the same address and phone number that they sent out 25 years ago.

3. Morris worm (1988)

1988 saw the advent of a piece of malware called Morris, which could claim a number of firsts. It was the first widespread computer worm, which meant it could reproduce itself without needing another program to piggyback on. It targeted multiple vulnerabilities to help it spread faster and further. While not designed to do harm, it was probably the first malware to do real substantive financial damage, more than earning its place on this list. It spread incredibly swiftly — within 24 hours of its release, it had infected 10% of all internet-connected computers — and created multiple copies of itself on each machine, causing many of them to grind to a halt. Estimates of the costs of the attack ranged into the millions.

The worm is named after its creator Robert Morris, who was a Cornell grad student at the time and meant it as a proof-of-concept and demonstration of widespread security flaws. Morris didn’t anticipate that it would spread so quickly or that its ability to infect individual computers multiple times would cause so much trouble, and he tried to help undo the damage, but it was too late. He ended up the unfortunate subject of another first: The first person convicted under the 1986 Computer Fraud and Abuse Act.

4. ILOVEYOU worm (2000)

Unlike the previous malware creators on this list, Onel de Guzman, who was 24 in 2000 and living in the Philippines, crafted his creation with straightforward criminal intent: he couldn’t afford dialup service, so he built a worm that would steal other people’s passwords so he could piggyback off of their accounts. But the malware so cleverly took advantage of a number of weaknesses in Windows, especially the fact that Windows hid the extensions of known file types by default, so recipients didn’t realize the attachment that looked like a text file was actually a script, that it spread like wildfire. Soon millions of infected computers were sending out copies of the worm and beaming passwords back to a Filipino email address. It also erased numerous files on target computers, causing millions of dollars in damage and briefly shutting down the UK Parliament’s computer system.

de Guzman was never charged with a crime, because nothing he did was illegal in the Philippines at the time, but he expressed regret in an interview 20 years later, saying he never intended the malware to spread as far as it did. He also ended up being something of a pioneer in social engineering: the worm got its name because it spread with emails with “ILOVEYOU” in the subject line. “I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” de Guzman said.

5. Mydoom worm (2004)

Mydoom may be 20 years old, but still holds a number of records including the fastest-spreading computer worm ever. The Mydoom worm infected computers via email, then took control of the victim computer to email out more copies of itself, and did it so efficiently that at its height it accounted for a quarter of all emails sent worldwide, a feat that’s never been surpassed. The infection ended up doing an estimated $50 billion in damages.

The creator and ultimate purpose of Mydoom remain mysteries today. In addition to mailing out copies of the worm, infected computers were also used as a botnet to launch DDoS attacks on the SCO Group (a company that aggressively tried to claim intellectual property rights over Linux) and Microsoft, which led many to suspect some rogue member of the open source community. But nothing specific has ever been proven. 

6. Zeus trojan (2007)

Zeus was first spotted in 2007, at the tail end of the Web 1.0 era, but it showed the way for the future of what malware could be. A Trojan that infects via phishing and drive-by downloads from compromised websites, Zeus isn’t just one kind of attack; instead, it acts as a vehicle for all sorts of malicious payloads. Its source code and operating manual leaked in 2011, which helped both security researchers and criminals who wanted to build on its capabilities.

You’ll usually hear Zeus referred to as a “banking Trojan,” since that’s where its variants focus much of their energy. A 2014 variant, for instance, manages to interpose itself between a user and their banking website, intercepting passwords, keystrokes, and more. But Zeus goes beyond banks, with another variation slurping up Salesforce.com info.

7. Stuxnet (2010)

Stuxnet, widely described as the world’s first cyber-weapon, was a sophisticated worm that targeted industrial control systems. It was the first malware known to cause physical damage to industrial equipment. Reports attribute its creation to a joint US and Israeli operation aimed at the control systems of Iran’s uranium enrichment facility at Natanz.

Stuxnet exploited multiple previously unknown Windows zero-day vulnerabilities to infect Windows systems, then spread across the network looking for machines running Siemens Step7 software, which is used to program Siemens programmable logic controllers (PLCs).

The main targets were the covertly procured PLCs the Iranians used to control high-speed uranium enrichment centrifuges. Once the malware reached them, it sped the centrifuges up and slowed them down outside normal operating conditions, effectively thrashing the delicate machinery, while sending false feedback to the monitoring systems to hide the damage it was causing.

The malware, which spread internationally beyond its intended target, starkly illustrated the vulnerability of critical infrastructure to cyber-attacks.

8. CryptoLocker ransomware (2013)

Zeus could also be used to create botnets of controlled computers held in reserve for some later sinister purpose. The controllers of one such botnet, called Gameover Zeus, infected their bots with CryptoLocker, one of the earliest prominent versions of what became known as ransomware. Ransomware encrypts many of the files on the victim’s machine and demands a payment in cryptocurrency in order to restore access.

CryptoLocker became famous for its rapid spread and its powerful asymmetric encryption that was (at the time) uniquely difficult to break. It also became famous due to something unusual in the malware world: a happy ending. In 2014, the US DoJ and peer agencies overseas managed to take control of the Gameover Zeus botnet, and restore the files of CryptoLocker victims free of charge. Unfortunately, CryptoLocker spread via good old-fashioned phishing as well, and variants are still around.

9. Emotet trojan (2014)

Emotet is another piece of malware whose functionality has shifted and changed over the years it has remained active. Emotet is a prime example of what’s known as polymorphic malware: its code changes slightly with each new build or download, the better to evade signature-based endpoint security. It is a Trojan that, like others on this list, spreads primarily via phishing (repeat after us: do not open unknown email attachments).

Emotet first appeared in 2014 as a banking Trojan but, like Zeus, is now a modular program most often used to deliver other malware, with TrickBot and Ryuk being two prominent examples. Emotet is so effective that Arne Schoenbohm, then head of the German Federal Office for Information Security (BSI), called it the “king of malware.”

10. Mirai botnet (2016)

All the viruses and other malware we’ve been discussing so far have afflicted what we think of as “computers” — the PCs and laptops that we use for work and play. But in the 21st century, there are millions of devices with more computing power than anything that Creeper could have infected. These internet of things (IoT) devices are omnipresent, ignored, and often go unpatched for years.

The Mirai botnet resembled some of the early malware we discussed in that it exploited an overlooked weakness and wreaked far more havoc than its creator intended. In this case, the malware found and took over IoT gadgets (mostly CCTV cameras and DVRs) whose factory-default usernames and passwords had never been changed. Paras Jha, the college student who created Mirai, intended to use the botnets he built for DDoS attacks that would settle scores in the obscure world of Minecraft server hosting, but after the source code was released, the malware was used in an attack on a major DNS provider that cut off much of the US east coast from the internet for the better part of a day.

11. Industroyer (2016)

Industroyer is a sophisticated malware framework linked to attacks on Ukraine’s power grid. An attack using Industroyer resulted in a significant power outage affecting a fifth of Kyiv for about an hour in December 2016.

Previous malware, most notably Stuxnet, had targeted industrial control systems, but Industroyer (also known as CrashOverride) was the first designed specifically to attack the equipment used in electrical distribution.

12. Petya ransomware/NotPetya wiper (2016/7)

The ransomware Trojan dubbed Petya started afflicting computers in 2016. Though it had a clever mechanism for locking down its victims’ data — it encrypts the master file table, which the OS uses to find files — it spread via conventional phishing scams and wasn’t considered particularly virulent.

It would probably be forgotten today if not for what happened the following year. A new self-propagating variant emerged that used the leaked NSA EternalBlue and EternalRomance exploits, along with credentials harvested from infected machines, to spread from computer to computer. Initially pushed out through a compromised update of M.E.Doc, a popular Ukrainian accounting package, the new version, dubbed NotPetya, quickly wreaked havoc across Europe and beyond. The worst part? Though NotPetya still looked like ransomware, it was a wiper designed wholly to ruin computers: the “installation key” it told victims to send in was random data from which no decryption key could be derived, and the contact email address it displayed was shut down within hours. Researchers believe that Russian intelligence repurposed the ordinary Petya code as a cyberweapon against Ukraine, and so, in addition to the massive damage it caused, NotPetya earns its place on this list by illustrating the symbiotic relationship between state-sponsored and criminal hackers.

13. WannaCry (2017)

The notorious WannaCry ransomware worm affected more than 200,000 Windows computers across 150 countries when it was unleashed in May 2017. The spread of the malware resulted in substantial disruptions in critical services, including healthcare in general and the UK’s National Health Service in particular, before its spread was contained. Other victims included Telefonica in Spain, FedEx and Nissan.

WannaCry spread using EternalBlue, an exploit developed by the NSA and leaked by the Shadow Brokers group, which targets a vulnerability in Microsoft’s SMBv1 implementation (patched as MS17-010). The worm spread without user interaction to any reachable Windows machine that lacked the patch Microsoft had issued two months earlier, including end-of-life Windows XP systems, which received a fix only when Microsoft released an emergency out-of-band update during the outbreak.

UK security researcher Marcus Hutchins accidentally discovered a “kill switch” domain that stopped the malware spreading once he registered it.

US authorities charged a named North Korean suspect, Park Jin Hyok, in connection with the attack in September 2018. North Korea denies any responsibility.

Although WannaCry caused massive disruption, its creators made little money from it, as little as $80,000 by some estimates, because of flaws in the malware’s design and implementation. These shortcomings included no way to automatically verify which victim had paid, so files could not be reliably decrypted even after payment.

14. Clop ransomware (2019)

Clop (sometimes written Cl0p) is another ransomware family, one that emerged in 2019 and has grown steadily since, to the extent that it was dubbed one of the top malware threats of 2022. In addition to preventing victims from accessing their data, Clop’s operators exfiltrate that data first and threaten to leak it, the “double extortion” model. McAfee has a breakdown of the technical details, including a review of ways it can bypass security software.

What makes Clop so interesting and dangerous, however, is not how it’s deployed but by whom. It sits at the forefront of the ransomware-as-a-service trend, in which a professionalized group develops and maintains the ransomware and its infrastructure and rents them to affiliates who carry out the intrusions, in return for a share of the ransoms extracted from victims. The earlier entries in this list are from a day when the internet was for hobbyists and lone wolves; today, it seems even cybercrime is largely the province of governments and professionals.

15. Darkside (2021)

The Darkside ransomware-as-a-service operation emerged in 2020, gaining infamy a year later with the attack on Colonial Pipeline in May 2021.

The attack led to fuel shortages across the southeastern United States. Colonial Pipeline agreed to pay the criminals who carried out the attack 75 bitcoin (around $4.4 million at the time) in return for a decryption key. Even after receiving the key it took several days to fully restore systems.

The Darkside gang became cyber enemy number one due to the assault, which resulted in increased efforts to combat ransomware.

https://www.csoonline.com/article/572911/11-infamous-malware-attacks-the-first-and-the-worst.html (Cyberattacks, Malware, Ransomware)
The CSO guide to top security conferences Fri, 30 Aug 2024 06:00:00 +0000

There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don’t have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts. Fortunately, plenty of great conferences are coming up in the months ahead. If keeping abreast of security trends and evolving threats is critical to your job — and we know it is — then attending some top-notch security conferences is on your must-do list for 2024.

From major events to those that are more narrowly focused, this list from the editors of CSO will help you find the security conferences that matter most to you. We’ll keep it updated with new conferences, so check back often. While we don’t expect this calendar to be comprehensive, we do aim for it to be highly relevant. If there’s something we’ve missed, let us know. You can email your additions, corrections and updates to Samira Sarraf.

September 2024

Korea Blockchain Week, Seoul, Korea: 1-7 September

CISO Dinner, Tokyo, Japan: 2 September

EMEA Google Cloud Security Summit, virtual: 3 September

15th Annual Billington Cybersecurity Summit, Washington, DC: September 3-6

Information Security Network, New Jersey, US: 4 September

Counter-Insider Threat Symposium, Washington, D.C.: 4-5 September

INFOSEK, Nova Gorica, Slovenia: 4-6 September

Charlotte Cybersecurity Conference, Virtual and Charlotte, North Carolina: September 5

Blue Team Con 2024, Chicago, Illinois: September 5 – 8

SECtember 2024, Washington, US: September 10

FIDO APAC Summit, Kuala Lumpur, Malaysia: September 10-11

Aotearoa AI Summit, Auckland, New Zealand: 11 September

Identity Week, Washington, DC: September 11 – 12

DC/Baltimore Cybersecurity Conference, TBD, September 12

CrowdStrike Fal.Con, Las Vegas, Nevada: September 16 – 19

Cybersecurity Summit, London, UK: September 17

SecureWorld Detroit, Detroit, Michigan: September 18

*Security Forum Finland, TBD Finland: September 18

Non-Human Identity Conference, New York, US: 18 September

International Cryptographic Module Conference, San Jose, California: September 18 – 20

Cyberhagen, virtual and Copenhagen, Denmark: September 19

Des Moines Cybersecurity Conference, Virtual and Des Moines, Iowa: September 19

ECS UK Enterprise Cyber Security, London, UK: 19 September

Gartner Security & Risk Management Summit, London, UK: September 23 – 25

Global Security Exchange (GSX), Orlando, Florida: September 23 – 25

InfoSec World, Lake Buena Vista, Florida: September 23 – 25

International Cyber Expo, London, UK: September 24 – 25

*Security Forum Norway, TBD Norway: September 25

Relativity Fest, Chicago, Illinois: September 25 – 27

SecureWorld St. Louis, St. Louis, Missouri: September 26

Cybersecurity Summit Africa, Virtual: September 26

*Security Forum Denmark, TBD Denmark: September 26

Cybersecurity Summit Canada East, Toronto, Ontario: September 26

BSidesCLT, Charlotte, North Carolina: September 28 – 29

* This event is presented by Foundry, the parent company of CSO.

October 2024

Identity Management (IDM) Europe, Utrecht, Netherlands: October 2

MSSN CTRL, Virginia, US: 2-4 October

Columbus Cybersecurity Conference, Virtual and Columbus, Ohio: October 3

SecureWorld Dallas, Dallas, Texas: October 3

*Security Forum Netherlands, Amsterdam, Netherlands: October 3

Toronto Cybersecurity Conference, Toronto, Ontario: October 3

BSidesSantaFe, Santa Fe, New Mexico: October 5

Innovate Cybersecurity Summit, Scottsdale, Arizona: October 6-8

Securing New Ground, New York, New York: October 8 – 9

IDC Digital Strategy & Cybersecurity Roadshow Colombia, TBD, Colombia: October 10

SecureWorld Denver, Denver, Colorado: October 10

POLAR, Quebec City, Quebec: October 12

ISC2 Security Congress, Virtual and Las Vegas, Nevada: October 14 – 16

Authenticate 2024 The FIDO Conference, California, US: October 14-16

SentinelOne OneCon24, Las Vegas, Nevada: October 14 – 17

National Cyber Security Strategy Confex (CyberGov), London, UK: October 15

Boston Cybersecurity Conference, Virtual and Boston, Massachusetts: October 17

Government Cybersecurity Summit, Washington, DC: October 17

Vancouver Cybersecurity Conference, Vancouver, British Columbia: October 17

CISO Engage Offsite, TBD: October 18 – 19

*CSO50 Conference + Awards, Fort McDowell, Arizona: October 21 – 23

it-sa, Nuremberg, Germany: October 22 – 24

SecureWorld New York City, New York, New York: October 22 – 24

LASCON 2024, TBD: October 22 – 25

SecTor, Toronto, Ontario: October 23 – 26

*Security and Cloud Forum, Porto, Portugal: October 24

IDC CISO Roundtable, Riyadh, Saudi Arabia: October 29

Phoenix Cybersecurity Conference, Virtual and Phoenix, Arizona: October 30

CISO-CIO Forum, La Jolla, US: October 30

Global CISO Forum, Georgia, US: 30-31 October

* This event is presented by Foundry, the parent company of CSO.

November 2024

BSidesChicago, Chicago, Illinois: November 2

Identity Management (IDM) UK, London, UK: November 5

SecureWorld Seattle, Seattle, Washington: November 6 – 7

CrowdStrike Fal.Con, Amsterdam, Netherlands: November 6-7

Financial Services Cybersecurity Summit, New York, New York: November 7

Mexico City Cybersecurity Conference, Mexico City, Mexico: November 7

Cybersecurity Summit, Mumbai, India: November 13

Canada Virtual Cybersecurity Summit, Virtual: November 14

IDC Digital Strategy & Cybersecurity Roadshow Central America, TBD, Mexico: November 14

IT/OT Cybersecurity Summit: Germany, Frankfurt, Germany: November 14

Nashville Cybersecurity Conference, Virtual and Nashville, Tennessee: November 14

Tanium Converge, Virtual and Orlando, Florida: November 18 – 21

Identity Management (IDM) Nordics, Stockholm, Sweden: November 19

ISC East, New York, New York: November 19 – 21

San Diego Cybersecurity Conference, Virtual and San Diego, California: November 21

Global Cyber Conference, Zurich, Switzerland: November 26 – 27

Enterprise Security & Risk Management (ESRM) UK, London, UK: November 28

December 2024

Houston Cybersecurity Conference, Virtual and Houston, Texas: December 4

Dallas Cybersecurity Conference, Dallas, Texas: December 5

Virtual IOT and OT Security Summit, Virtual: December 5

Forrester Security & Risk, Baltimore, Maryland: December 9 – 11

Gartner Identity & Access Management Summit, Grapevine, Texas: December 9 – 11

Atlanta Cybersecurity Conference, Virtual and Atlanta, Georgia: December 11

Planet Cyber Sec Conference, Long Beach, US: December 11

Financial Virtual Cybersecurity Summit, Virtual: December 12

https://www.csoonline.com/article/559539/the-cso-guide-to-top-security-conferences.html (Application Security, Careers, Cloud Computing, Events, IT Skills, Security, Software Development, Technology Industry)
Fortinet expands security lineup with sovereign SASE Thu, 29 Aug 2024 20:31:34 +0000

The concept of the secure access service edge (SASE) is one that many organizations have embraced in recent years. A challenge for some enterprise adopters, however, is a lack of control, as some SASE technologies rely on a vendor managing data in the cloud.

That’s a challenge Fortinet is now aiming to solve with the latest updates to its Unified SASE portfolio, announced this week. The network security vendor unveiled a sovereign SASE technology that it says will provide organizations with more control than a typical SASE deployment. Fortinet is also jumping on the generative AI bandwagon with enhancements to its FortiAI technology, which is getting updated to help manage and orchestrate SD-WAN infrastructure. 

Continue reading on Network World.

https://www.networkworld.com/article/3498296/fortinet-expands-security-lineup-with-sovereign-sase.html (Network Security)
F5, Intel team up to boost AI delivery, security Thu, 29 Aug 2024 20:21:04 +0000

F5 this week said it’s working with Intel to offer customers a way to develop and securely deliver AI-based inference models and workloads.

Specifically, the companies will combine the security and traffic-management capabilities from F5’s NGINX Plus suite with Intel’s distribution of OpenVINO toolkit and Intel’s infrastructure processing units (IPUs). The package will offer customers protection, scalability, and performance for advanced AI inference development, the vendors said.

Read more on Network World.

https://www.networkworld.com/article/3498354/f5-teams-with-intel-to-boost-ai-delivery-security.html (Artificial Intelligence, Network Security, Security)
Iranian threat actors targeting businesses and governments, CISA, Microsoft warn Thu, 29 Aug 2024 18:31:58 +0000

Warnings went out this week to infosec leaders about two groups of Iranian threat actors attacking American and other organizations.

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Defense Cyber Crime Center (DC3) said a group of Iranian hackers is working with ransomware gangs on attacks.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access,” said the joint report. “They work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims.” 

This gang calls itself Br0k3r or xplfinder, but is known to researchers by a number of other names, including Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.

Interestingly, after getting network access and stealing data, it doesn’t tell the ransomware gangs it is associated with the government of Iran.

In fact, the report said, the contact with ransomware gangs likely isn’t sanctioned by the Iranian government. This conclusion comes because Pioneer Kitten members have been caught worrying about government monitoring of their cryptocurrency movements.

Separately, Microsoft warned that an Iranian state-sponsored threat actor has been deploying a new custom multi-stage backdoor to hack into government and private sector organizations in the US and the United Arab Emirates.

Both reports include indicators of compromise that defenders should watch for.

Pioneer Kitten attack

The CISA/FBI report said Pioneer Kitten is going after organizations across several sectors in the US, including government, education, finance, healthcare, and defense. It’s also targeting other countries, including Israel, Azerbaijan, and the United Arab Emirates.

It looks for holes in VPNs that could lead to lateral movement on corporate networks. For example, as of July it has been scanning for IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. It’s a vulnerability disclosed by Check Point in May in all of its Security Gateways with IPsec VPN in Remote Access VPN community enabled, and in the Mobile Access software blade.

As of April, Pioneer Kitten members have been scanning IP addresses hosting Palo Alto Networks’ PAN-OS and GlobalProtect VPN devices as well. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. This group has also exploited unpatched Citrix Netscaler and BIG-IP F5 devices.

After exploiting vulnerable devices, the gang captures login credentials using web shells, then plants a backdoor. The stolen credentials are then used to get admin passwords to log into domain controllers and other infrastructure. Eventually they create local accounts, request exemptions from zero-trust applications for tools they want to deploy, and steal data.

Then the actors strike deals with ransomware gangs (including NoEscape, RansomHouse, and ALPHV/BlackCat). In exchange for a percentage of the ransom payments, the ransomware gangs or affiliates get access to victim networks.

The FBI and CISA warn that Pioneer Kitten is known to leverage information obtained through intrusions into cloud-computing resources associated with victim organizations. “The actors have used this cloud infrastructure to conduct further cyber operations targeting other organizations … The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims. The FBI has observed instances of the actors using compromised cloud service accounts to transmit data stolen from other compromised organizations.”

Recommendations

The FBI and CISA recommend that all organizations:

  • review available logs for IP addresses listed in the report for indications of attacker traffic within their IT network;
  • apply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519. Patching may be insufficient to mitigate malicious activity if a network has already been compromised by these actors while the network device was vulnerable. Additional investigation into the use of stolen credentials (e.g., via the web shell on Netscaler devices) is strongly encouraged to identify threat actor attempts to establish footholds on other parts of the network;
  • check IT systems for the unique identifiers and techniques used by the actors when operating on compromised networks, including creation of specific usernames, use of NGROK and Ligolo, and deployment of web shells in specific directories;
  • check IT systems for outbound web requests to files.catbox[.]moe and ***.ngrok[.]io.
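The last two recommendations are a log sweep. Here is an added example of that sweep in Python (not code from the advisory or from CSO): it keeps the indicators in the advisory’s defanged form, refangs them only at match time, treats the `***.` prefix as “any subdomain of” while deliberately not matching the bare `ngrok.io` vendor site, and requires an exact hostname match otherwise so that look-alike domains do not trigger. The proxy log format and the sample lines are constructed for illustration.

```python
"""
Scan outbound proxy logs for the domains named in the CISA/FBI advisory.
Added example, not code from the advisory or from CSO; the log line format
and the sample lines below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Indicators as they appear in the advisory, kept in defanged form so the
# list can be pasted around safely and refanged only at match time.
IOC_DOMAINS = ["files.catbox[.]moe", "***.ngrok[.]io"]


def refang(indicator: str) -> str:
    """Turn 'files.catbox[.]moe' back into 'files.catbox.moe'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def build_matcher(indicators):
    """Return a function host -> matching indicator (or None).

    A leading '*.' or '***.' means 'any subdomain of'; the bare domain
    itself (e.g. ngrok.io, the vendor site) is deliberately NOT matched.
    Anything else is an exact hostname match, so files.catbox.moe.evil.example
    does not trigger."""
    exact, suffixes = {}, []
    for ioc in indicators:
        host = refang(ioc)
        wildcard = re.match(r"^\*+\.(.+)$", host)
        if wildcard:
            suffixes.append(("." + wildcard.group(1), ioc))
        else:
            exact[host] = ioc

    def match(host: str):
        host = host.lower().rstrip(".")
        if host in exact:
            return exact[host]
        for suffix, ioc in suffixes:
            if host.endswith(suffix):
                return ioc
        return None

    return match


def host_of(url: str) -> str:
    """Extract the hostname from a URL or a CONNECT-style 'host:port' target."""
    if "://" not in url:
        url = "//" + url          # lets urlparse treat host:port as a netloc
    return (urlparse(url).hostname or "").lower()


# Constructed log format: "<timestamp> <client_ip> <method> <url_or_target> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_ioc_hits(log_lines, indicators=IOC_DOMAINS):
    """Return one record per log line whose destination matches an indicator."""
    match = build_matcher(indicators)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                  # skip malformed lines; don't abort the sweep
        ts, client, method, target, status = m.groups()
        ioc = match(host_of(target))
        if ioc:
            hits.append({"time": ts, "client": client, "method": method,
                         "target": target, "ioc": ioc, "status": int(status)})
    return hits


# Constructed sample: two true positives, three look-alikes, one malformed line.
SAMPLE_LOG = [
    "2024-08-27T10:01:02Z 10.1.4.23 GET https://www.microsoft.com/en-us/ 200",
    "2024-08-27T10:03:11Z 10.1.4.23 POST https://files.catbox.moe/abcd12.zip 200",
    "2024-08-27T10:04:40Z 10.1.7.8 CONNECT a1b2c3d4.ngrok.io:443 200",
    "2024-08-27T10:05:00Z 10.1.7.8 GET https://ngrok.io/ 200",
    "2024-08-27T10:06:30Z 10.1.9.1 GET https://files.catbox.moe.evil.example/x 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['target']}  matched {hit['ioc']}")
```

Run against real proxy exports you only need to replace `LOG_RE` with your product’s line format; the POST to catbox and the CONNECT to an ngrok subdomain are the two events an analyst would pivot on (who, when, and what was uploaded), which is why the record keeps the client address and method alongside the matched indicator.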

Peach Sandstorm attack

In its report, Microsoft said an Iranian group it believes operates on behalf of the Islamic Revolutionary Guard Corps (IRGC) is going after American federal and state departments, oil and gas producers, satellite service providers, communications equipment makers, and educational institutions.

It dubbed this gang Peach Sandstorm. Under Microsoft’s naming convention, all groups associated with Iran have the suffix “Sandstorm.”

Its activity “is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operation,” the report said.

Among the gang’s main tactics are password spray attacks, in which a single password (or a short list of commonly used ones) is tried against many accounts, keeping the per-account failure count low enough to stay under lockout thresholds.
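Because a spray stays under per-account lockout limits, the signal is not “many failures for one user” but “many distinct users failing from one source in a short window.” The following is an added example of that detection in Python (not from Microsoft’s report); the authentication log format, the thresholds and the sample events are constructed. It also records any successful login from a flagged source after the spray began, since those are the accounts whose passwords and sessions Microsoft’s recommendations below say to reset and revoke.

```python
"""
Password-spray detection over authentication logs.
Added example, not from Microsoft's report; the log format, thresholds and
sample events are constructed. A spray is one password tried against MANY
accounts, so the signal is 'many distinct usernames failing from one source
inside a window', not 'many failures for one user' (that is brute force).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO8601 UTC> LOGIN_FAILED|LOGIN_OK user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_events(lines):
    """Parse and time-order events; malformed lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3).lower(), m.group(4)))
    return sorted(events)


def detect_password_spray(lines, window_minutes=60, min_distinct_users=5):
    """Flag source addresses that fail logins for >= min_distinct_users different
    accounts within a sliding window, and record any later successful login from
    the same source (an account the spray probably got into)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # src -> deque of (ts, user) failures in window
    alerts = {}                          # src -> alert dict
    for ts, outcome, user, src in parse_events(lines):
        if outcome == "LOGIN_OK":
            if src in alerts:            # success from a source already flagged
                alerts[src]["successes"].append(user)
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()                  # drop failures older than the window
        distinct = {u for _, u in q}
        if len(distinct) >= min_distinct_users:
            a = alerts.setdefault(src, {"src": src, "first_seen": q[0][0],
                                        "last_seen": ts, "users": set(), "successes": []})
            a["users"] |= distinct
            a["last_seen"] = ts
    for a in alerts.values():
        a["users"] = sorted(a["users"])  # accounts whose passwords should be reset
    return list(alerts.values())


# Constructed sample: one spray (198.51.100.7) that later lands on 'erin',
# one single-account brute force (203.0.113.9) and one ordinary typo (10.0.0.5).
SAMPLE_LOG = [
    "2024-07-01T08:00:00Z LOGIN_FAILED user=alice src=198.51.100.7",
    "2024-07-01T08:03:00Z LOGIN_FAILED user=bob src=198.51.100.7",
    "2024-07-01T08:06:00Z LOGIN_FAILED user=carol src=198.51.100.7",
    "2024-07-01T08:09:00Z LOGIN_FAILED user=dave src=198.51.100.7",
    "2024-07-01T08:12:00Z LOGIN_FAILED user=erin src=198.51.100.7",
    "2024-07-01T08:15:00Z LOGIN_FAILED user=frank src=198.51.100.7",
    "2024-07-01T08:40:00Z LOGIN_OK user=erin src=198.51.100.7",
    "2024-07-01T08:01:00Z LOGIN_FAILED user=alice src=203.0.113.9",
    "2024-07-01T08:01:10Z LOGIN_FAILED user=alice src=203.0.113.9",
    "2024-07-01T08:01:20Z LOGIN_FAILED user=alice src=203.0.113.9",
    "2024-07-01T08:01:30Z LOGIN_FAILED user=alice src=203.0.113.9",
    "2024-07-01T08:01:40Z LOGIN_FAILED user=alice src=203.0.113.9",
    "2024-07-01T08:01:50Z LOGIN_FAILED user=alice src=203.0.113.9",
    "2024-07-01T09:00:00Z LOGIN_FAILED user=gina src=10.0.0.5",
    "2024-07-01T09:00:30Z LOGIN_OK user=gina src=10.0.0.5",
]

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

Note that the brute-force source never fires: six failures against one account is a different detector with a different response (lock the account, not reset dozens of them). A real deployment would key the window on source ASN or on the user-agent as well, since sprayers rotate IP addresses; the 60-minute window and five-user threshold here are starting points to tune against your own baseline.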

As far back as 2021, targeted individuals were discovered on LinkedIn and possibly then tricked by social engineering lures on the site.

What’s new, Microsoft said, is that, between April and July, Peach Sandstorm has used new tactics. They include leveraging fraudulent Microsoft Azure subscriptions for command and control — Microsoft has alerted affected organizations and disrupted this abuse of Azure — and deploying a new custom multi-stage backdoor Microsoft calls Tickler.

Defenders should watch for an archive file named Network Security.zip, which includes an .exe with the Tickler malware, and for a Trojan dropper named sold.dll.

Here’s another example of Peach Sandstorm tactics detailed by Microsoft: After hacking into a European defense organization, the gang moved laterally using the Windows SMB (Server Message Block) protocol. This protocol, which is used for sharing files, printers, and other resources on a network, has been misused by many threat actors. Microsoft offers this advice to network admins for preventing SMB from being used as an attack tool.

In another attack, against a Middle East-based satellite operator, Peach Sandstorm compromised a user using a malicious ZIP file delivered via a Microsoft Teams message, followed by dropping Active Directory (AD) Explorer and taking an AD snapshot. An AD snapshot is a read-only, point-in-time copy of the AD database and related files, which can be used for various legitimate administrative tasks. These snapshots can also be exploited by threat actors for malicious purposes.

Recommendations

To harden networks against Peach Sandstorm, the report offers a wide number of recommendations. These include:

  • resetting account passwords and revoking session cookies for any accounts targeted with a password spray attack. Make sure any multifactor authentication setting changes made by an attacker on an account are also revoked;
  • for those using Azure, implement the Azure Security Benchmark;
  • give employees only the access privileges they need for their roles;
  • secure remote access applications such as Windows RDP or Virtual Desktop with MFA.
https://www.csoonline.com/article/3498397/iranian-threat-actors-targeting-businesses-and-governments-cisa-microsoft-warn.html (Cyberattacks, Malware, Ransomware)
Google ups bug bounties for ‘high quality’ Chrome hunters Thu, 29 Aug 2024 17:15:49 +0000

Google has announced new compensation incentives for people who find vulnerabilities in the Chrome browser as part of the company’s Chrome Vulnerability Reward Program (VRP).

The increases to its Chrome bug reward structure follow increases Google made last month for “exceptional quality” reports of flaws in a range of Alphabet offerings, including Gmail and Nest. The changes ensure Google and Alphabet continue to rank among the top bug bounty programs again this year.

This week’s Chrome VRP announcement includes an overhaul of the company’s reward structure for memory corruption vulnerabilities, with compensation up to US$250,000 for demonstration of remote code execution (RCE) in a non-sandboxed process. Reporters who do so are eligible for an additional US$55,000 if they also demonstrate renderer RCE as well.

Other levels of compensation, without RCE, include demonstrating a controlled write or a memory corruption.

The baseline for bugs that do not demonstrate such “higher-quality reports” range from US$7,000 to US$25,000.

Last year, the total payouts in Google’s bug hunter programs were US$10 million, distributed among 632 people from 68 countries. Just over a third of the sum (US$3.4 million) concerned Android vulnerabilities. The second largest expenditure (US$2.1 million) concerned Chrome bugs.

News of the increased bug bounties for Chrome came a day after Google disclosed that a high-severity Chrome bug was being exploited in the wild after a patch had already been released. The vulnerability (CVE-2024-7965) involves the V8 JavaScript and WebAssembly engine and carries a CVSS rating of 8.8 out of 10. Discovery of CVE-2024-7965 was credited to TheDog as part of Google’s bug bounty program. TheDog received US$11,000 for the report.

Google has faced at least nine zero-days in Chrome this year, with four Chrome zero-days patched in May alone.

The VRP program also spelled out reward categories for non-memory corruption bugs based on report quality. These include “high quality and high impact” flaws, “high quality and moderate impact” vulnerabilities, and baseline, lower-impact issues. The bugs are also tiered to include universal cross-site scripting (UXSS), security UI spoofing, user information disclosure, local privilege escalation, web platform privilege escalation, and exploitation mitigation bypass. Payouts decrease in order of this tiering.

The Chrome VRP team also provides examples of low-, moderate-, and high-impact bugs.

In total, Google has paid out US$59 million since its bug hunter programs were launched in 2010. In 2022, a record year, US$12 million was paid out.

https://www.csoonline.com/article/3498357/google-ups-bug-bounties-for-high-quality-chrome-hunters.html (Vulnerabilities)
Telegram CEO allowed platform to be abused by criminals, French prosecutors allege Thu, 29 Aug 2024 15:31:39 +0000

Days on from his arrest at Paris Le Bourget airport last Saturday, it looks as if Telegram founder and CEO Pavel Durov will be spending more time in France than he bargained for.

On Wednesday, French prosecutors formally charged Durov with being complicit in allowing the Telegram platform to be used for wide-ranging internet criminality.

As trailed in the arrest announcement, the charges include organized crime, drug crime, fraud, and the distribution of child abuse imagery.

But what could turn out to be the most significant charge of all is that Durov failed to cooperate with the authorities investigating this criminal activity on Telegram when requested to do so.

The authorities have yet to document which specific requests were made and allegedly ignored. That will emerge in time.

French authorities began a preliminary inquiry in February, with the investigation taking a more serious turn in early July.

Presumably last weekend Durov thought he was landing in France for a few days. That now looks as if it could be months at least.

Although released from custody, Durov was required to post bail of €5 million ($5.5 million) and told to remain in France and to report to a police station twice per week.

The end of impunity?

Pavel Durov is not a household name in the way that Elon Musk is. Nevertheless, his arrest is a significant moment for this part of the tech industry. Clearly, something has changed.

Hitherto, the assumption has been that if a messaging platform is used for criminality this is simply a reflection of the way all platforms are abused by somebody.

It seems that some police, prosecutors and governments have grown weary of this regime, which has been the status quo since the early days of the commercial Internet.   

So why pick on Telegram when other messaging platforms are also abused by criminals? The answer probably has to do with what Telegram is and the way the company operates.

Uniquely, Telegram is part messaging platform in the mode of WhatsApp and part a social network which can be used to broadcast via both public and private groups.

This unusual dual nature, combined with the company’s modus operandi of refusing to bend to the will of governments (including, in the past, Durov’s native Russia) has allowed it to build a reputation as a bit of a wild west.

On Telegram, it can seem as if anything goes, including politically extremist content that might be more easily detected and taken down if it were published elsewhere.

Importantly, with its development based in Dubai and St Petersburg, Telegram isn’t an American company. For prosecutors, both inside and outside of the US, that has become an issue.

Should the authorities want to grab metadata such as the IP address of a specific user on a social media, messaging or email platform, companies registered in the US and many other countries are required by law to comply with that request. That covers companies such as Meta, X, Google, Apple and Microsoft.

The French charges allege that Telegram, in contrast, hasn’t been cooperating with similar requests sent to Dubai. If that reflects Durov’s outlook, it has turned out to be a misjudgement.

Telegram, je t’aime

Ironically, Telegram is also used by some of the people who now find themselves caught in the middle of the political storm surrounding Durov’s arrest.

That includes the President of France, Emmanuel Macron, and some of his cabinet members, all of whom are enthusiastic Telegram users according to a report from Politico.  

To anyone who understands how Telegram security works, this will come as a surprise. Unlike end-to-end-encrypted apps such as WhatsApp and Signal, Telegram by default encrypts messages only between the client and Telegram’s servers; its regular “cloud chats” are readable on the server side, and end-to-end encryption is available only in opt-in Secret Chats, which do not support group conversations.

That means Telegram itself could decrypt and read messages sent over the platform if it chose to, including any politically sensitive ones sent by Macron and his colleagues, as Moxie Marlinspike, creator of the Signal E2EE app, pointed out on Twitter. “With one query, the Russian Telegram team can get every message the French president has ever sent or received to his contacts,” he wrote.

By design, Telegram retains copies of all messages on its servers.

“For the French politicians and cabinet members, it is kind of too late to do anything. Even if they try to delete all their messages now, the Telegram team can just mark the messages as ‘deleted’ so that they no longer display to the user — but not actually delete the data they retain access to,” Marlinspike wrote.

https://www.csoonline.com/article/3498345/telegram-ceo-allowed-platform-to-be-abused-by-criminals-french-prosecutors-allege.html (Encryption, Messaging Security)
The US offers a $2.5M bounty for the arrest of Angler Exploit Kit co-distributor Thu, 29 Aug 2024 11:01:59 +0000

The US Department of State is offering a reward of $2.5 million for information leading to the arrest of Volodymyr Kadariya, the cybercriminal associated with an alleged scheme to transmit the Angler Exploit Kit (AEK) along with other malware.

“The US Department of State is offering a reward of up to $2.5 million for information leading to the arrest and/or conviction in any country of Volodymyr Kadariya for his alleged participation in a significant malware organization,” said the reward notice.

Government officials and employees are not eligible for the reward, the notice further added.

AEK malware delivery toolkit

The Angler Exploit Kit (AEK) was a widely used toolkit that allowed cybercriminals to exploit vulnerabilities in web browsers (including Internet Explorer, Chrome, and Firefox), and their plugins (such as Adobe Flash, Java, and Silverlight).

“At times during the scheme, the Angler Exploit Kit was a leading vehicle through which cybercriminals delivered malware onto compromised electronic devices,” said the US Justice Department in the August 12 unsealing of indictment. “The conspirators also allegedly enabled the delivery of “scareware” ads that displayed false messages claiming to have identified a virus or other issue with a victim Internet user’s device.”

The payloads delivered by Angler typically included various types of malware, such as ransomware (like CryptoWall and TeslaCrypt), banking trojans, information stealers, and other forms of malicious software designed to either steal data or hold systems hostage for ransom.

Angler employed advanced evasion techniques, including checking for virtual machines and sandbox environments to avoid detection by security researchers, leading to its popularity and significance in the cybersecurity community. Angler’s activities ceased abruptly in mid-2016, reportedly, due to law enforcement actions in Russia against cybercriminals allegedly linked to Angler.

First charged in 2023

The Belarusian and Ukrainian hacker was first indicted in the District of New Jersey in June 2023, for using malvertising and other means to deliver malware, scareware, and online scams to “millions of unsuspecting Internet users in the United States and elsewhere,” from October 2013 through March 2022.

The indictment, however, was unsealed only on August 12, 2024. The indictment against Kadariya also names two other alleged cybercriminals: Belarusian and Ukrainian dual-national Maksim Silnikau, and Russian national Andrei Tarasov.

Both of Kadariya’s co-conspirators have faced significant legal action since their indictment in 2023. While the details of Tarasov’s extradition status or any further legal proceedings are less clear, Silnikau was recently extradited to the US from Poland and faces a mandatory minimum of two years and a maximum penalty of 20 years in prison.

A few other high-profile cybercrime arrests sought by the US government in exchange for significant rewards recently include the bounties placed on Maksim Yakubets (up to $5 million), Evgeniy Bogachev (up to $3 million), and Park Jin Hyok (up to $5 million).

https://www.csoonline.com/article/3498240/the-us-offers-a-2-5m-bounty-for-the-arrest-of-angler-exploit-kit-co-distributor.html (Cybercrime, Hacking)
5 best practices for running a successful threat-informed defense in cybersecurity Thu, 29 Aug 2024 06:00:00 +0000

If you’ve been in cybersecurity for the past five to 10 years, you’ve probably heard the term “threat-informed defense.” Simply stated, a threat-informed defense focuses security teams, technologies, and budgets on those threats most likely to impact a particular organization, industry, geography, etc.

The concept basically aligns with the famous (and often referenced) quote from Sun Tzu: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

To put this in cybersecurity terms, security teams need to monitor the tactics, techniques, and procedures (TTPs) of their adversaries, understand how these TTPs could be prevented or detected by their security controls, and then make any adjustments necessary to cover gaps in their defenses.

The concept of a threat-informed defense is often associated with the MITRE ATT&CK framework, a universally accessible, continuously updated knowledge base for modeling, detecting, preventing and fighting cybersecurity threats based on cybercriminals’ known adversarial behaviors. By using the MITRE ATT&CK navigator (or similar tools) security teams get a visual representation of adversary TTPs which they can then compare to their security controls and defensive strategies.

These few paragraphs provide a basic understanding of a threat-informed defense — what it is, how it works, and why it may be beneficial. Most security professionals get this right away, but while the concept may be easy to grasp, operationalizing a threat-informed defense remains an elusive goal for some organizations. Alas, many cyber-threat intelligence programs remain haphazard and tactical, preventing organizations from moving forward with additional layers of a threat-informed defense.

What can be done? I recently spoke with several organizations about how they were approaching a threat-informed defense. Yes, there were many detours and lessons learned along the way, but I found that successful security teams were doing the following:

Establishing and continuously improving their threat intelligence lifecycle

A threat intelligence lifecycle is generally described across six phases:

  1. Direction and planning.
  2. Data collection.
  3. Processing.
  4. Analysis and production.
  5. Intelligence dissemination.
  6. Feedback.

To get this right, you must define the threats and threat actors you want to track, collect, process, and analyze the associated intelligence, create and distribute reports to the right stakeholders, and then gather their feedback to make sure they are getting what they need.

Immature organizations struggle at one or several of the phases — they don’t get input from the business, get buried by the volume of threat intelligence, produce overly technical reports, etc. It’s hard but getting this foundation working is critical for establishing an effective threat-informed defense.

Using threat intelligence for exposure management

Everyone knows the expression, “an ounce of prevention is worth a pound of cure.” A threat-informed defense supports this aphorism by aligning threat intelligence and exposure management. Assuming organizations are doing vulnerability scanning across systems, applications, attack surfaces, cloud infrastructure, etc., they will come up with lists of tens of thousands of vulnerabilities.

Even big, well-resourced enterprises can’t remediate this volume of vulnerabilities in a timely fashion, so leading firms depend upon threat intelligence to guide them into fixing those vulnerabilities most likely to be exploited presently or in the near future.

Some vulnerability management tools from vendors such as Cisco (Kenna), Nucleus Security, and ServiceNow provide this functionality, but proactive organizations go the extra mile and develop in-house expertise in correlating vulnerabilities with evolving threats across the entire IT infrastructure.
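The following is an added example of the prioritization the two paragraphs above describe; it is not code from the article or from any of the vendors named. It ranks scanner findings by CVSS plus additive bumps for threat-intelligence signals (reported in-the-wild exploitation, use by an actor tracked for the organization's sector) and for internet exposure. The weights, the sample findings, the CVSS values and the actor playbook are constructed; the two real CVE identifiers are the ones that appear elsewhere in this feed, and CVE-0000-0001 is a placeholder.

```python
"""Threat-informed vulnerability prioritization (added example).

Ranks scanner findings so that the fix queue starts with what is most likely
to be exploited, not simply with the highest CVSS base score.
All weights, findings and the threat context below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score as reported by the scanner
    asset: str
    internet_facing: bool


@dataclass(frozen=True)
class ThreatContext:
    exploited_in_wild: frozenset   # CVEs with reported in-the-wild exploitation
    actor_playbooks: dict          # actor name -> frozenset of CVEs it is known to use
    tracked_actors: frozenset      # actors relevant to our sector / geography


# Constructed weights: tune them to the organization's own risk model.
W_EXPLOITED = 4.0
W_TRACKED_ACTOR = 3.0
W_INTERNET_FACING = 2.0


def priority_score(f: Finding, ctx: ThreatContext) -> float:
    """CVSS plus a bump for every threat or exposure signal that is present."""
    score = f.cvss
    if f.cve in ctx.exploited_in_wild:
        score += W_EXPLOITED
    if any(f.cve in ctx.actor_playbooks.get(actor, frozenset())
           for actor in ctx.tracked_actors):
        score += W_TRACKED_ACTOR
    if f.internet_facing:
        score += W_INTERNET_FACING
    return round(score, 1)


def prioritize(findings, ctx: ThreatContext):
    """Return the findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority_score(f, ctx), reverse=True)


# Constructed sample. CVE-2024-37085 (ESXi) and CVE-2024-6386 (WPML) are the
# identifiers named in this feed; the CVSS values here are illustrative only,
# and CVE-0000-0001 is a placeholder for an unexploited critical.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "web-01", internet_facing=True),
    Finding("CVE-2024-6386", 9.9, "blog-01", internet_facing=True),
    Finding("CVE-2024-37085", 6.8, "esxi-03", internet_facing=False),
]
SAMPLE_CONTEXT = ThreatContext(
    exploited_in_wild=frozenset({"CVE-2024-37085"}),
    actor_playbooks={"BlackByte": frozenset({"CVE-2024-37085"})},
    tracked_actors=frozenset({"BlackByte"}),
)

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f"{priority_score(f, SAMPLE_CONTEXT):5.1f}  {f.cve:15s} {f.asset}")
```

Run as a script, the internal ESXi host with a mid-range CVSS lands at the top because the intelligence says the flaw is both exploited in the wild and in a tracked actor's playbook, ahead of two internet-facing criticals with higher base scores. Replacing the additive weights with a data-driven model (for example EPSS feeds) is the natural next step once the lifecycle produces reliable signals.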

Driving detection engineering

As previously mentioned, a threat-informed defense involves understanding adversary TTPs, comparing these TTPs to existing defenses, identifying gaps, and then implementing compensating controls. These last steps equate to reviewing existing detection rules, writing new ones, and then testing them all to make sure they detect what they are supposed to.

Rather than depending on security tool vendors to develop the right detection rules, leading organizations invest in detection engineering across multiple toolsets such as XDR, email/web security tools, SIEM, cloud security tools, etc.

CISOs I spoke with admit that this can be difficult and expensive to implement. Open standards like Sigma and YARA can help, but many firms need further assistance from service providers, or specific tools from vendors like Anvilogic, CardinalOps, Detecteam, or SOC Prime.
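As an added example of the detection-engineering loop described in this section (map adversary TTPs to rules, find the gaps, then test every rule), the following Python is not from the article or from any of the vendors it names. Each rule declares the ATT&CK technique it is meant to cover and carries its own positive and negative test windows; `coverage_gaps()` reports profile techniques that no rule covers, and `run_rule_tests()` reports rules that fail their own tests. The event dictionaries mimic a few Windows Security log fields, the adversary profile and all windows are constructed, and one rule is deliberately written with a case-sensitivity bug so the harness has something to catch.

```python
"""Detection coverage and rule testing for a threat-informed defense (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List

Event = dict
Window = List[Event]          # a rule evaluates a window of events


@dataclass
class Rule:
    name: str
    technique: str                          # ATT&CK technique ID this rule covers
    match: Callable[[Window], bool]
    should_fire: List[Window] = field(default_factory=list)
    should_not_fire: List[Window] = field(default_factory=list)


def brute_force(events: Window, threshold: int = 5) -> bool:
    """T1110: many failed logons (4625) from a single source in the window."""
    fails = Counter(e["src"] for e in events if e.get("event_id") == 4625)
    return any(n >= threshold for n in fails.values())


def defender_realtime_disabled(events: Window) -> bool:
    """T1562.001: process creation (4688) switching off Defender real-time scanning.
    Deliberately case-sensitive: PowerShell is not, and the tests below show it."""
    for e in events:
        cmd = e.get("cmdline", "")
        if e.get("event_id") == 4688 and "Set-MpPreference" in cmd \
                and "-DisableRealtimeMonitoring" in cmd:
            return True
    return False


def rdp_logon(events: Window) -> bool:
    """T1021.001: successful logon (4624) with RemoteInteractive logon type 10."""
    return any(e.get("event_id") == 4624 and e.get("logon_type") == 10 for e in events)


def fail(src: str) -> Event:          # constructed 4625 event
    return {"event_id": 4625, "src": src}


RULES = [
    Rule("brute_force_logons", "T1110", brute_force,
         should_fire=[[fail("10.0.0.5")] * 6],
         should_not_fire=[[fail("10.0.0.5")] * 3 + [fail("10.0.0.6")] * 3]),
    Rule("defender_realtime_disabled", "T1562.001", defender_realtime_disabled,
         should_fire=[
             [{"event_id": 4688, "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}],
             # Same command, different case: exposes the rule's bug.
             [{"event_id": 4688, "cmdline": "powershell.exe set-mppreference -disablerealtimemonitoring $true"}],
         ],
         should_not_fire=[[{"event_id": 4688, "cmdline": "powershell.exe Get-MpPreference"}]]),
    Rule("rdp_interactive_logon", "T1021.001", rdp_logon,
         should_fire=[[{"event_id": 4624, "logon_type": 10}]],
         should_not_fire=[[{"event_id": 4624, "logon_type": 3}]]),
]

# Constructed adversary profile: the techniques CTI attributes to the tracked actor.
ADVERSARY_PROFILE = {"T1110", "T1562.001", "T1021.001", "T1136.001"}


def coverage_gaps(profile, rules):
    """Techniques in the profile that no rule claims to cover."""
    return sorted(profile - {r.technique for r in rules})


def run_rule_tests(rules):
    """(rule name, case label) for every test window a rule gets wrong."""
    failures = []
    for r in rules:
        for i, window in enumerate(r.should_fire):
            if not r.match(window):
                failures.append((r.name, f"should_fire[{i}]"))
        for i, window in enumerate(r.should_not_fire):
            if r.match(window):
                failures.append((r.name, f"should_not_fire[{i}]"))
    return failures


if __name__ == "__main__":
    print("uncovered techniques:", coverage_gaps(ADVERSARY_PROFILE, RULES))
    print("failing rule tests:", run_rule_tests(RULES))
```

Two kinds of gap come out of this: T1136.001 has no rule at all, and the Defender rule passes its "happy path" test but misses a trivially re-cased command, which is exactly the sort of defect that only a negative-and-variant test suite surfaces before an incident does.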

Promoting threat hunting

Once a CTI lifecycle is running well, it will provide intelligence that can be used as a basis for automated and manual threat hunting. Some firms use scripting here while others create runbooks for SOAR tools, but the basic concept is to automate the discovery of indicators of compromise (IoCs) that have been seen on the network (by SIEM tools, EDR/XDR/NDR, firewalls, cloud logs, etc.).

This process will likely trigger more advanced threat hunts using other methodologies, such as the diamond model and the pyramid of pain, in which L3 SOC analysts search for malicious and often sophisticated patterns and behaviors.
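The automated IoC discovery step described above, as an added example that is not part of the article: indicators from threat reports usually arrive defanged (`hxxp://`, `[.]`), so they are normalized first, and matching uses word boundaries so that `203.0.113.10` does not also hit `203.0.113.100`. The log sources, indicators and addresses (documentation ranges and the reserved `.test` domain) are constructed, and the hash is computed at run time from a sample string rather than copied from any report.

```python
"""IoC sweep across several log sources (added example)."""
import hashlib
import re


def refang(ioc: str) -> str:
    """Undo common defanging and lower-case the indicator for comparison."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, real)
    return s.lower()


def sweep(indicators, sources):
    """sources: {source name: [log lines]}. Returns (source, indicator, line) hits.

    The lookarounds stop partial matches such as 203.0.113.10 inside
    203.0.113.100, while still allowing a trailing dot (DNS FQDN form)."""
    compiled = [(ioc, re.compile(r"(?<!\w)" + re.escape(refang(ioc)) + r"(?!\w)"))
                for ioc in indicators]
    hits = []
    for name, lines in sources.items():
        for line in lines:
            low = line.lower()
            for ioc, pattern in compiled:
                if pattern.search(low):
                    hits.append((name, ioc, line))
    return hits


# Constructed indicators and logs.
SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()
INDICATORS = [
    "203[.]0[.]113[.]10",
    "update[.]bad-example[.]test",
    SAMPLE_HASH.upper(),                 # reports often ship hashes upper-cased
]
SOURCES = {
    "dns": [
        "2024-08-30T10:02:11Z client=10.0.0.7 query=A name=update.bad-example.test.",
        "2024-08-30T10:02:15Z client=10.0.0.9 query=A name=cdn.example.com.",
    ],
    "proxy": [
        "10.0.0.7 CONNECT 203.0.113.10:443",
        "10.0.0.8 GET http://203.0.113.100/index.html",   # different host: must not match
    ],
    "edr": [
        f"host=WS-07 process=dropper.exe sha256={SAMPLE_HASH}",
    ],
}

if __name__ == "__main__":
    for source, ioc, line in sweep(INDICATORS, SOURCES):
        print(f"[{source}] {ioc}: {line}")
```

Each hit keeps the original (defanged) indicator so the analyst can trace it back to the report it came from; that is the pivot point for the deeper, behavior-focused hunts the paragraph goes on to describe.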

Pursuing continuous testing

As another saying goes, “testing leads to failure and failure leads to understanding.” For a threat-informed defense, leading organizations turn to continuous red teaming and penetration testing with in-house experts, service provider contracts, automated tools, or even by creating a cyber range with firms like Cyberbit.

The goal? Find the places where they believe they are protected but aren’t. Continuous testing bridges the Sun Tzu gap between knowing the adversary and knowing yourself. As continuous testing gains acceptance and momentum, many firms leverage this process to establish purple teams to further align threats with defenses.

Establishing a threat-informed defense isn’t easy, and many of the firms I spoke with stumbled along the way, but each firmly proclaimed that it was worth the effort. Security pros crowed about better security efficacy and more efficient operations, while CISOs said that a threat-informed defense made sense to business executives and corporate boards by providing a much more focused view of cybersecurity coverage and necessary investments. This alone made their threat-informed defense strategies beneficial.

https://www.csoonline.com/article/3497597/5-best-practices-for-running-a-successful-threat-informed-defense-in-cybersecurity.html (3497597; CSO and CISO, Endpoint Protection, Security Practices, Threat and Vulnerability Management)
BlackByte ransomware gang exploits more orgs than previously known Wed, 28 Aug 2024 22:55:30 +0000

According to security researchers, the BlackByte ransomware group has been more active in exploiting organizations than previously thought.

Security researchers from Cisco Talos have found evidence that the number of victims listed by BlackByte on its data leak site in recent months represents just 20% to 30% of the group’s successful compromises. Moreover, recently investigated attacks have revealed changes in BlackByte’s tactics, as well as a new variant of its file encryptor.

“During investigation of a recent BlackByte attack, Cisco Talos Incident Response (Talos IR) and Talos threat intelligence personnel noted close similarities between indicators of compromise (IOCs) discovered during the investigation and other events flagged in Talos’ global telemetry,” researchers from Cisco’s Talos group wrote in a new report. “Further investigation of these similarities provided additional insights into BlackByte’s current tradecraft and revealed that the group has been significantly more active than would appear from the number of victims published on its data leak site.”

Ransomware gangs maintain websites where they list compromised organizations along with proof that they obtained sensitive data from their systems. By doing so, ransomware groups can more easily practice double extortion — file encryption and data exfiltration — to pressure victims into paying ransoms.

It’s not clear why BlackByte doesn’t publish all successful compromises on its data leak site. It could be to avoid attracting too much attention, or it could be that some victims agree to pay before a listing becomes necessary. It’s also possible that not all successful compromises by BlackByte result in data exfiltration.

For example, in the attack Cisco Talos investigated, the researchers found evidence that BlackByte’s custom data exfiltration tool, ExByte, might have been deployed, but they couldn’t confirm with a high degree of certainty that data was actually exfiltrated.

Suspected Conti offshoot learning from past mistakes?

BlackByte is a ransomware-as-a-service (RaaS) operation that first appeared in late 2021 and is a suspected offshoot of Conti, a top ransomware group that disbanded in May 2022 after attracting too much attention and making a series of operational missteps.

After Russia invaded Ukraine in February 2022, many ransomware and cybercrime gangs declared themselves neutral, especially given that many had members in both Russia and Ukraine, as well as other CIS countries. But Conti publicly sided with Russia and threatened to target Western critical infrastructure in retaliation, which likely made some affiliates want to distance themselves from the operation.

Not long after, a security researcher leaked tens of thousands of messages from Conti’s internal communications system, giving the world a deeper look into how the operation was run. This operational security failure likely alienated even more affiliates.

Finally, in April 2022, the group launched a major attack that crippled 27 Costa Rican government organizations, causing disruptions in the country’s customs and taxes platforms and impacting foreign trade and payroll payments. In response, the US State Department put up a $10 million reward for information about the identity or location of Conti’s leaders, as well as $5 million for information leading to the arrest of any Conti co-conspirator from any country. This likely sealed the group’s fate and made being associated with it highly undesirable for any cybercriminal.

With Conti affiliates abandoning ship and joining other RaaS operations, BlackByte, Black Basta, and KaraKurt quickly stood out as three new groups that adopted code, tools, and tactics very similar to those previously associated with Conti. If BlackByte is indeed run by former Conti members, it wouldn’t be surprising that they don’t want to attract too much attention to themselves.

BlackByte embraces new tactics and tools

While BlackByte has maintained the same tactics, techniques and procedures (TTPs) since its inception, the most recent attacks have revealed new tactics and the evolution of others. For example, the group is known for deploying a self-propagating wormable ransomware encryptor customized for each victim with hardcoded SMB and NTLM credentials stolen from inside the targeted network.

While this tactic is still in use, the file encryptor has been re-engineered over time in multiple programming languages: Go, .NET, and finally C++. The latest variant observed by Cisco Talos adds the “blackbytent_h” extension to encrypted files.

The group was also known for deploying several legitimate but vulnerable drivers on compromised systems to abuse them for privilege escalation and other tasks. For this technique, known as bring your own vulnerable driver (BYOVD), BlackByte has been known to use three specific drivers: RtCore64.sys, a driver originally used by the MSI Afterburner system overclocking utility; DBUtil_2_3.sys, a driver that is part of the Dell Client firmware update utility; and gdrv.sys, a driver that is part of the GIGABYTE Tools software for GIGABYTE motherboards.

In recent attacks the group added a fourth driver called zamguard64.sys, which is part of the Zemana Anti-Malware (ZAM) application. This driver has a vulnerability that can be used to terminate other processes and is used to disable EDR products on victim computers.

Another observed change is that the group relied on using the victim’s authorized remote access mechanism such as the Windows Remote Desktop Protocol (RDP) to connect to other systems instead of deploying commercial remote administration tools like AnyDesk.

The initial access into the victim organization was achieved through a compromised VPN account that likely fell victim to brute-force credential guessing attempts, but the group has been known to exploit vulnerabilities in publicly facing servers in the past, such as the ProxyShell flaw in Microsoft Exchange.

Finally, the group was seen exploiting the CVE-2024-37085 authentication bypass vulnerability in VMware ESXi within days of its public disclosure. This vulnerability gives members of an Active Directory group called “ESX Admins” control over virtual machines on ESXi hosts. The BlackByte attackers were seen creating this group after gaining access to domain admin accounts in victim environments.

“This highlights the speed with which ransomware groups like BlackByte can adapt their TTPs to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack,” the Talos researchers said.

Mitigation

Cisco Talos recommends that companies implement multifactor authentication for all remote and cloud connections and audit their VPN configurations. Organizations should also set up alerts for changes in Active Directory privileged groups and limit or disable the use of NTLM inside their networks. Microsoft is deprecating NTLM as an authentication protocol in favor of Kerberos.

SMBv1, another legacy protocol, should also be disabled and newer versions of SMB should have signing and encryption enforced. Any vendor accounts and remote access features that are not being used should also be disabled and detections for unauthorized Windows Defender policies and Group Policy Objects should be deployed on systems.
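One way to implement the "alert on privileged group changes" recommendation, as an added example that is not Talos's or Microsoft's code: the function below scans Windows Security audit events for the creation of a group whose name is on a watch list (here the “ESX Admins” name that the ESXi flaw described above trusts) and for members added to privileged groups. The event IDs are the standard Windows group-management audit events (4727/4731/4754 for group creation, 4728/4732/4756 for member additions); the field names and all sample events are constructed.

```python
"""Alerting on privileged Active Directory group changes (added example)."""

# Security-enabled group created: 4727 global, 4731 local, 4754 universal.
GROUP_CREATED = {4727, 4731, 4754}
# Member added to a security-enabled group: 4728 global, 4732 local, 4756 universal.
MEMBER_ADDED = {4728, 4732, 4756}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Group names that are not privileged by default but are trusted by something else;
# "ESX Admins" is the name CVE-2024-37085 abuse relies on.
WATCHED_GROUPS = {"ESX Admins"}

_WATCH = {g.casefold() for g in WATCHED_GROUPS}
_PRIV = {g.casefold() for g in PRIVILEGED_GROUPS | WATCHED_GROUPS}


def alerts_for(events):
    """Return one alert dict per event that creates a watched group or
    adds a member to a privileged/watched group."""
    alerts = []
    for e in events:
        eid = e.get("event_id")
        group = e.get("group", "")
        key = group.casefold()
        if eid in GROUP_CREATED and key in _WATCH:
            alerts.append({"event_id": eid, "group": group, "actor": e.get("subject"),
                           "reason": "watched group name created"})
        elif eid in MEMBER_ADDED and key in _PRIV:
            alerts.append({"event_id": eid, "group": group, "actor": e.get("subject"),
                           "member": e.get("member"),
                           "reason": "member added to privileged group"})
    return alerts


# Constructed sample: account names are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 4727, "group": "ESX Admins", "subject": "CORP\\jdoe"},
    {"event_id": 4728, "group": "ESX Admins", "member": "CORP\\svc-backup", "subject": "CORP\\jdoe"},
    {"event_id": 4728, "group": "Domain Admins", "member": "CORP\\jdoe", "subject": "CORP\\admin-t1"},
    {"event_id": 4728, "group": "Marketing", "member": "CORP\\asmith", "subject": "CORP\\hr-ops"},
    {"event_id": 4727, "group": "Marketing-Interns", "subject": "CORP\\hr-ops"},
]

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_EVENTS):
        print(a)
```

Matching is case-insensitive because the ESXi check described in the article is on the group name, and an attacker who has domain admin rights can create the group with any casing. In production the same logic would sit in the SIEM with the domain controllers' security logs forwarded to it, with the watch list maintained alongside the list of applications that trust group names rather than SIDs.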

https://www.csoonline.com/article/3497839/blackbyte-ransomware-gang-exploits-more-orgs-than-previously-known.html (3497839; Ransomware)
Tool used by ransomware groups now seen killing EDR: Report Wed, 28 Aug 2024 18:45:40 +0000

Defenders are being warned that a tool used by several ransomware gangs to sabotage the functions of endpoint protection software has been updated, with at least one attacker using a new capability to wipe endpoint detection and response (EDR) software from a victim’s IT system.

Researchers at Sophos said this month they saw evidence during an investigation of an attack in July that the toolset — which has been dubbed Poortry or BurntCigar by some researchers — was used to delete EDR components completely, instead of just terminating their processes as in previous attacks. This helps clear the way for the installation of ransomware.

While Trend Micro last year reported Poortry had added this feature, Sophos said this was the first time the cybersecurity company had seen the EDR-killing capability used.

Poortry/BurntCigar, first discovered by Mandiant, is a malicious kernel driver used in conjunction with a loader dubbed Stonestop that attempts to bypass Microsoft Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated by commercial or open-source packers such as VMProtect, Themida, or ASMGuard.

The driver tries to disguise itself by using the same information in its properties sheet as the driver for a commercially available program called Internet Download Manager, by Tonec Inc. But, Sophos said, it isn’t this software package’s driver; the attackers merely cloned the information from it.

Ransomware gangs known to use Poortry include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos says.

The Sophos report stressed that since Microsoft closed a loophole that allowed the Poortry creators to use custom kernel-level drivers signed through Microsoft’s attestation signing process, the developers have added new features and functions to evade detection.

These include using Signature Timestamp Forging or obtaining a valid leaked non-Microsoft digital certificate, the report said. In the past 17 months, threat actors swapped the signing certificate they used for their executables at least nine times.

Sophos has seen a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but are signed with a different certificate than the driver first used during the attack. In August 2023, for example, attackers initially got into an organization through a remote access tool named SplashTop. As soon as the attackers were on the network, they deployed Poortry and Stonestop. Fortunately, in this case the signer name, “bopsoft,” was already known as a stolen certificate, and was blocked by the target firm’s defenses.

But within 30 seconds, the attackers loaded a different Poortry driver, this one signed by “Evangel Technology (HK) Limited.” This attempt, too, was blocked.

In another recent attack Sophos investigated, the Poortry loader was signed with a certificate with the name “FEI XIAO” and dated Thursday, August 8. Sophos said it has “high confidence” the timestamp was forged.

“What was once a relatively simple tool for unhooking ‘troublesome’ endpoint protection components has become, in and of itself, a Swiss Army Knife of malicious capabilities abusing a virtually limitless supply of stolen or improperly used code signing certificates in order to bypass Driver Signature Verification protections,” Sophos said.

In addition to the EDR-killing power, Sophos said Poortry has evolved into something akin to a rootkit that also has finite controls over a number of different API calls used to control low-level operating system functionality. 
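Both this report and the BlackByte one above come down to the same defensive question: which kernel drivers are loading, and should they be? As an added example (not Sophos's, Talos's or Microsoft's code), the triage below runs over Sysmon DriverLoad (Event ID 6) records and flags three things drawn from the two articles: a load of one of the four vulnerable drivers BlackByte is reported to bring along, a signer name that the Poortry report lists as a stolen certificate, and a signing timestamp later than the time the load was observed, which is one cheap hint of a forged timestamp. The `ImageLoaded`, `Signature` and `UtcTime` fields are real Sysmon field names; `SignatureTimestamp` is assumed to come from an enrichment step, since Sysmon does not log it, and the timestamp check is this example's own heuristic rather than the vendors' method. All sample events, paths and signer names on benign drivers are constructed.

```python
"""Kernel driver load triage over Sysmon Event ID 6 records (added example)."""
from datetime import datetime
from pathlib import PureWindowsPath

# File names of the vulnerable drivers the BlackByte report names (BYOVD).
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys", "gdrv.sys", "zamguard64.sys"}
# Signer names the Poortry report identifies as stolen/misused certificates.
KNOWN_STOLEN_SIGNERS = {"bopsoft", "evangel technology (hk) limited", "fei xiao"}


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z (constructed format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_driver_load(event: dict) -> list:
    """Return (category, detail) findings for one DriverLoad event."""
    findings = []
    name = PureWindowsPath(event["ImageLoaded"]).name.lower()
    if name in KNOWN_VULNERABLE_DRIVERS:
        findings.append(("byovd", name))
    signer = event.get("Signature", "").strip().lower()
    if signer in KNOWN_STOLEN_SIGNERS:
        findings.append(("stolen-cert", event["Signature"]))
    # Assumed enrichment field: the signing time taken from the Authenticode signature.
    stamp = event.get("SignatureTimestamp")
    if stamp and _ts(stamp) > _ts(event["UtcTime"]):
        findings.append(("timestamp", "signature timestamp later than load time"))
    return findings


def triage_all(events) -> list:
    """(ImageLoaded, findings) for every event that produced at least one finding."""
    return [(e["ImageLoaded"], f) for e in events for f in [triage_driver_load(e)] if f]


# Constructed sample records.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-08-05T09:00:00Z", "ImageLoaded": r"C:\Windows\System32\drivers\RTCore64.sys",
     "Signature": "Constructed Vendor Ltd", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-08-05T09:00:30Z", "ImageLoaded": r"C:\Windows\Temp\constructed_driver.sys",
     "Signature": "bopsoft", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-08-05T09:01:00Z", "ImageLoaded": r"C:\Windows\Temp\constructed_driver2.sys",
     "Signature": "FEI XIAO", "SignatureStatus": "Valid", "SignatureTimestamp": "2024-08-08T00:00:00Z"},
    {"UtcTime": "2024-08-05T09:02:00Z", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, findings in triage_all(SAMPLE_EVENTS):
        print(image, findings)
```

Note that a "Valid" signature status clears none of the three checks: the whole point of the Poortry report is that the certificates are real and merely stolen. The complement to this detection is prevention: Microsoft's vulnerable driver blocklist and a WDAC/HVCI policy stop the BYOVD loads before a log line exists.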

https://www.csoonline.com/article/3497712/tool-used-by-ransomware-groups-now-seen-killing-edr-report.html (3497712; Malware, Ransomware)
Cisco snaps up AI security player Robust Intelligence Wed, 28 Aug 2024 12:42:28 +0000

Cisco on Tuesday announced plans to acquire Robust Intelligence, a security startup with a platform designed to protect AI models and data throughout the development-to-production lifecycle. It’s paying an undisclosed amount to acquire the company, which Cisco has previously invested in through its Cisco Investments portfolio.

Robust Intelligence’s expertise in AI model security and governance complements Cisco’s products, and the acquisition will accelerate the roadmap for Cisco Security Cloud, according to Tom Gillis, senior vice president and general manager of Cisco’s security business group. “The combination of Cisco and Robust Intelligence means that we can deliver advanced AI security processing seamlessly into the existing data flows, by inserting it into Cisco security and networking products,” Gillis wrote in a blog post announcing the acquisition.

Read more on Network World.

https://www.networkworld.com/article/3496837/cisco-snaps-up-ai-security-player-robust-intelligence.html (3497562; Artificial Intelligence, Mergers and Acquisitions, Security)
Critical plugin flaw opens over a million WordPress sites to RCE attacks Wed, 28 Aug 2024 12:25:06 +0000

A critical vulnerability has been reported in WPML — a multilingual WordPress plugin with more than a million installations globally — that allows remote code execution on affected WordPress sites.

The vulnerability tracked as CVE-2024-6386 received a CVSS rating of 9.9 out of 10 and affects all versions of the plugin before 4.6.13.

“The WPML Multilingual CMS Plugin for WordPress is susceptible to an Authenticated (Contributor+) Remote Code Execution (RCE) vulnerability through a Twig server-side template injection,” security researcher “stealthcopter,” who received a $1,639 bounty for discovering the bug, said in a blog post.

RCE through Twig SSTI

Twig server-side template injection (SSTI) is a type of security vulnerability that occurs when user input is improperly handled and directly inserted into a Twig template, a popular PHP templating engine. Remote code execution can be achieved when a web application allows the user (an attacker) to inject malicious payloads into the Twig template without proper sanitization or escaping.

“The vulnerability lies in the handling of shortcodes within the WPML plugin,” stealthcopter added. “Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leading to server-side template injection (SSTI).”

Shortcodes in WordPress enable users to easily add dynamic content, such as galleries, forms, buttons, or custom content blocks, to posts, pages, or widgets without needing to write complex code.
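To make the defect class concrete, here is an added example that is not the plugin's code and does not use Twig (a PHP engine): `render()` is a deliberately tiny stand-in that supports only `{{ name }}` lookups, but the mistake it demonstrates is the real one. Untrusted shortcode attribute text spliced into the template source is interpreted as template syntax, whereas the same text handed to a fixed template as a variable is just data. The shortcode attributes and the context dictionary are constructed.

```python
"""Template injection: the defect beside the fix (added example)."""
import html
import re

# Matches {{ a }} or {{ a.b.c }} (dotted lookups), the only syntax this stand-in knows.
TAG = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\}\}")


def render(template: str, ctx: dict) -> str:
    """Replace each tag with the dotted lookup of ctx, in a single pass
    (substituted text is never re-scanned, as in a real engine's variable output)."""
    def lookup(match):
        value = ctx
        for part in match.group(1).split("."):
            value = value[part]
        return str(value)
    return TAG.sub(lookup, template)


def render_shortcode_unsafe(attrs: dict, ctx: dict) -> str:
    # DEFECT: the attribute value becomes part of the template SOURCE, so
    # anything in it that looks like template syntax is evaluated.
    return render(f"<span class='lang'>{attrs['label']}</span>", ctx)


def render_shortcode_safe(attrs: dict, ctx: dict) -> str:
    # FIX: a fixed template string; the attribute travels as a VARIABLE and is
    # HTML-escaped on the way in so it cannot break out of the span either.
    safe_ctx = {**ctx, "label": html.escape(attrs["label"], quote=True)}
    return render("<span class='lang'>{{ label }}</span>", safe_ctx)


# Constructed context: the kind of internal object a template can usually reach.
CTX = {"config": {"secret": "constructed-secret"}}

if __name__ == "__main__":
    attrs = {"label": "{{ config.secret }}"}      # attribute text that is template syntax
    print("unsafe:", render_shortcode_unsafe(attrs, CTX))
    print("safe:  ", render_shortcode_safe(attrs, CTX))
```

The safe variant prints the braces literally; the unsafe one prints the context value. In a real engine the same confusion reaches far beyond a lookup, which is why the fix is structural (never build template source from user input) rather than a denylist of characters.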

The vulnerability is now patched

The plugin maintainers, OnTheGoSystems, fixed the issue in an August 20 update.

“This WPML release fixes a security vulnerability that could allow users with certain permissions to perform unauthorized actions,” OnTheGoSystems said in a blog post. “This issue is unlikely to occur in real-world scenarios.”

It requires users to have editing permissions in WordPress, and the site must use a very specific setup, the blog post added. Plugin users are advised to still apply the patch to defend against potential threats.

“WPML is the most popular WordPress multilingual plugin to create and manage translations and build a multilingual website,” read a Wordfence blog post. Wordfence is a WordPress security solutions provider that runs the WordPress bug bounty program through which stealthcopter reported the vulnerability. “As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques,” the post added.

https://www.csoonline.com/article/3497490/critical-plugin-flaw-opens-over-a-million-wordpress-sites-to-rce-attacks.html (3497490; Vulnerabilities)
How not to hire a North Korean IT spy Wed, 28 Aug 2024 10:00:00 +0000

CISOs looking for new IT hires already struggle with talent market shortages and bridging cybersecurity skills gaps. But now they face a growing challenge from an unexpected source: sanctions-busting North Korean software developers posing as potential hires.

North Korea is actively infiltrating Western companies using skilled IT workers who use fake identities to pose as remote workers with foreign companies, typically but not exclusively in the US.

These North Korean IT workers use fake identities, often stolen from real US citizens, to apply for freelance contracts or remote positions.

The schemes are part of illicit revenue generation efforts by the North Korean regime, which faces financial sanctions over its nuclear weapons program, as well as a component of the country’s cyberespionage activities.

Multimillion-dollar fake worker cell busted

The US Treasury department first warned about the tactic in 2022. Thousands of highly skilled IT workers are taking advantage of the demand for software developers to obtain freelance contracts from clients around the world, including in North America, Europe, and East Asia.

“Although DPRK [North Korean] IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions,” the Treasury department warned.

“These IT workers often rely on their overseas contacts to obtain freelance jobs for them and to interface more directly with customers,” it adds.

North Korean IT workers present themselves as South Korean, Chinese, Japanese, or Eastern European, and as US-based teleworkers. In some cases, DPRK IT workers further obfuscate their identities by creating arrangements with third-party subcontractors.

In the two years since the Treasury department’s warning, examples of the ruse in action have emerged with increasing frequency.

For example, Christina Chapman, a resident of Arizona, faces fraud charges over an elaborate scheme that allegedly allowed North Korean IT workers to pose as US citizens and residents using stolen identities to obtain jobs at more than 300 US companies.

US payment platforms and online job site accounts were abused to secure jobs at more than 300 companies, including a major TV network, a car manufacturer, a Silicon Valley technology firm, and an aerospace company. “Some of these companies were purposely targeted by a group of DPRK IT workers,” according to US prosecutors, who add that two US government agencies were “unsuccessfully targeted.”

According to a DoJ indictment, unsealed in May 2024, Chapman ran a “laptop farm,” hosting the overseas IT workers’ computers inside her home so it appeared that the computers were located in the US. The 49-year-old received and forged payroll checks, and she laundered direct debit payments for salaries through bank accounts under her control. Many of the overseas workers in her cell were from North Korea, according to prosecutors.

An estimated $6.8 million was paid for the work, much of which was falsely reported to tax authorities under the names of 60 real US citizens whose identities were either stolen or borrowed.

US authorities have seized funds related to the scheme from Chapman, as well as wages and monies accrued by more than 19 overseas IT workers.

Job search platform entraps unsuspecting companies

Ukrainian national Oleksandr Didenko, 27, of Kyiv, was separately charged over a years-long scheme to create fake accounts at US IT job search platforms and with US-based money service transmitters.

“Didenko sold the accounts to overseas IT workers, some of whom he believed were North Korean, and the overseas IT workers used the false identities to apply for jobs with unsuspecting companies,” according to the DoJ.

Didenko, who was arrested in Poland in May, faces US extradition proceedings. US authorities have seized the upworksell.com domain of Didenko’s company.

KnowBe4 gets a lesson in security awareness

How this type of malfeasance plays out from the perspective of a targeted firm was revealed by security awareness vendor KnowBe4’s candid admission in July that it unknowingly hired a North Korean IT spy.

The new hire was detected promptly after he infected his work laptop with malware; once the incident was spotted, he went to ground and refused to engage with security response staff.

The software engineer, hired to join KnowBe4’s internal IT AI team, passed video-based interviews and background checks. The “job seeker was using a valid but stolen US-based identity.” Crucially, it subsequently emerged, the picture on the application was “enhanced” using AI tools from a stock image photo.

The new hire had failed to complete his induction process, so he had no access to KnowBe4’s systems; as a result, no data breach occurred. “No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” according to the vendor, which is treating the whole incident as a “learning experience.”

‘Thousands’ of North Korean IT workers seeking jobs

A growing and substantial body of evidence suggests KnowBe4 is but one of many organizations targeted by illicit North Korean IT workers.

Last November, security vendor Palo Alto reported that North Korean threat actors are actively seeking employment with organizations based in the US and other parts of the world. During an investigation into a cyberespionage campaign, Palo Alto’s researchers discovered a GitHub repository containing fake resumes, job interview questions and answers, a scan of a stolen US Permanent Resident Card, and copies of IT job postings from US companies, among other resources.

“Resumes from these files indicate targets include a wide range of US companies and freelance job marketplaces,” according to Palo Alto.

Mandiant, the Google-owned threat intel firm, reported last year that “thousands of highly skilled IT workers from North Korea” are hunting work.

“These workers acquire freelance contracts from clients around the world … although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions carried out by North Korea,” according to Mandiant.

Email addresses used by Park Jin Hyok, a notorious North Korean cyberspy linked to the development of WannaCry and the infamous $81 million raid on Bangladesh Bank, appeared on job sites prior to Park’s US indictment for cybercrimes. “In the time between the Sony attack [2014] and the arrest warrant issued, PJH was observed on job seeker platforms alongside [other North Korean] DPRK’s IT workers,” according to Mandiant.

More recently, CrowdStrike reported that a North Korean group it dubbed “Famous Chollima” infiltrated more than 100 companies with imposter IT pros. Phony workers from the alleged DPRK-nexus group, whose targets included aerospace, defense, retail, and technology organizations predominantly in the US, performed enough to keep their jobs while attempting to exfiltrate data and install legitimate remote monitoring and management (RMM) tools to enable numerous IP addresses to connect to victims’ systems.

Detection is ‘challenging’

Using chatbots, “potential hires” are tailoring their resumes perfectly and further leveraging AI-created deepfakes to pose as real people.

Crystal Morin, former intelligence analyst for the US Air Force turned cybersecurity strategist at Sysdig, told CSOonline that North Korea is primarily targeting US government entities, defense contractors, and tech firms hiring IT workers.

“Companies in Europe and other Western nations are also at risk,” according to Morin. “North Korean IT workers are trying to get jobs either for financial reasons — to fund the state’s weapons program — or for cyberespionage.”

Morin added: “In some cases, they may try to get jobs at tech companies in order to steal their intellectual property before using it to create their own knock-off technologies.”

“These are real people with real skills in software development and not always easy to detect,” she warned.

Naushad UzZaman, co-founder and CTO of Blackbird.AI, told CSOonline that although the technology to deepfake video in real-time is “not there yet” advances in the technology are only likely to make life easier for counterfeit job applicants.

“You can imagine something like a Snapchat filter that would allow someone to present themselves as someone else,” according to UzZaman. “Even if that happens, you’d likely get glitches in the video that would offer tell-tale signs of interference.”

Countermeasures

IT managers and CISOs need to work with their colleagues in human resources to more closely vet applicants. Additional technical controls might also help.

Here are some suggested process improvements:

  • Conduct live video-chats with prospective remote-work applicants and ask them about their work projects
  • Look for career inconsistencies in resumes or CVs
  • Check references by calling the referee to confirm any emailed reference
  • Confirm supplied residence address
  • Review and strengthen access controls and authentication processes
  • Monitor supplied equipment for piggybacking remote access

Post-hire checks need to continue. Employers should be wary of sophisticated use of VPNs or VMs for accessing company systems, according to KnowBe4. Use of VoIP numbers and a lack of digital footprint for the provided contact information are other red flags, the vendor added.

David Feligno, lead technical recruiter at managed services provider Huntress, told CSOonline: “We have a multiple-step process for trying to verify if a background looks too good to be true — meaning is this person stealing someone else’s profile and claiming it as their own, or simply lying about their current location. We first check if the candidate has provided a LinkedIn profile that we can review against their current resume. If we find that the profile location does not match the resume — says on resume NYC, but on LinkedIn profile says Poland — we know this is a fake resume.

“If it is the same, did this person just create a LinkedIn profile recently and have no connections or followers?”

Huntress also checks that an applicant’s supplied phone number is valid, as well as running a Google search on them.

“All of the above will save you a great deal of time, and if you see anything that does not match, you know you are dealing with a fake profile, and it happens a lot,” Feligno concluded.

Brian Jack, KnowBe4’s CISO, agrees that fake remote employees and contractors are something every organization needs to worry about, adding: “CISOs should review the organization’s hiring processes and ensure that their overall risk management practices are inclusive of hiring.”

Hiring teams should be trained to check resumes and references more thoroughly, to be sure the person they are interviewing is real and is who they say they are, Jack advises. Ideally, candidates would be met in person with their government-issued ID, or vetted through trusted agents such as background-checking firms — especially as AI enters the mix in hiring schemes like these.

“One thing I like to do as a hiring manager is ask some questions that would be hard to prepare for and hard for an AI to answer on the fly, but easy for a person to talk about if they were who they claim to be,” Jack says.

https://www.csoonline.com/article/3497138/how-not-to-hire-a-north-korean-it-spy.html (IT Leadership)
