NoFluffSec Weekly #7 - Ransomware and Resilience: Protecting Critical Infrastructure

Breaking News on the Internet Archive Breach, Disrupting AI-Driven Influence Operations, and Tools for Smarter Container Security

Welcome to another edition of NoFluffSecurity, the newsletter that cuts straight to the point—no hype, no fluff, just the cybersecurity insights you need. Whether you're a seasoned pro or new to the game, we’re here to help you stay ahead of threats and keep your clients, products, and services secure.

Before you enjoy this week’s dose of clarity, make sure to click that subscribe button if you haven’t already. You won’t want to miss our next issue!

Feature Story

Ransomware Targeting Critical Infrastructure: Costs, Consequences, and the Hidden Management Crisis

Ransomware attacks on critical infrastructure have evolved into a complex and growing threat. Sectors like energy, water, and healthcare are especially vulnerable due to the essential services they provide and the aging operational technology (OT) systems they rely on. In 2024, ransomware incidents in these sectors have shown no sign of slowing, with organizations reporting staggering financial impacts. A 2024 survey by Claroty revealed that more than 45% of organizations impacted by ransomware faced losses exceeding $500,000, and some incidents cost up to $1 million. In fact, the energy and water sectors saw their median recovery costs soar to $3 million per attack.

The ransomware landscape has become more fragmented, partly due to law enforcement actions and exit scams by major groups like ALPHV/BlackCat and LockBit. This fragmentation has led to an increase in less-experienced affiliates, particularly in complex environments like operational technology (OT). These affiliates often take longer to deploy ransomware, which increases the risk to critical infrastructure. According to Secureworks' 2024 State of the Threat report, while the median dwell time for ransomware intrusions is about 2.5 days, some attacks have gone undetected for over 135 days before ransomware was deployed. Such prolonged dwell times are especially dangerous for OT environments, which typically lack the specialized, continuous monitoring needed to detect these slow-moving intrusions.

A less-discussed but critical issue is how these environments are managed. Many organizations continue to rely on overburdened IT teams to secure both their corporate infrastructure and OT systems. The State of the Threat report illustrates how ransomware groups, like Rhysida, exploit vulnerable systems, often using easily accessible malware to compromise OT environments. The complexities of OT—often involving legacy technology that can't be easily patched—require specialized skills that many IT teams, juggling enterprise and OT responsibilities, simply don’t have.

While IT teams can manage corporate systems with relative efficiency, OT environments demand a completely different approach. Many OT systems are older, less frequently updated, and rely on protocols unfamiliar to most IT personnel. This lack of specialized knowledge creates vulnerabilities that ransomware groups can easily exploit. In fact, the report found that in over 50% of incidents handled by Secureworks, gaps in basic security practices such as multi-factor authentication (MFA) and patch management played a key role in initial ransomware access.

NoFluff’s Take: The Unseen Cost of Overburdened IT in Critical Infrastructure

Ransomware targeting critical infrastructure is not just about technical vulnerabilities or ransom amounts—it’s about how these systems are fundamentally mismanaged. The complexity of operational technology (OT) systems is often overlooked by organizations that rely on their existing IT teams to secure them. These IT teams are already stretched thin, managing corporate infrastructure, and now expected to handle OT systems that have vastly different requirements.

This bifurcation of responsibility can have catastrophic consequences. The Secureworks State of the Threat report illustrates how newer ransomware affiliates are becoming involved in attacks due to the fragmentation of larger groups. These less experienced attackers are making mistakes that extend dwell times, leading to more severe damage before ransomware is even deployed. Meanwhile, OT environments, which often rely on legacy systems and require specialized protocols, remain ill-equipped to detect or respond to these threats due to the lack of dedicated security teams.

IT teams, tasked with handling corporate networks, simply don’t have the capacity to manage the nuanced demands of critical OT systems. The State of the Threat report shows that in over half of the incidents analyzed, basic security gaps—like unpatched vulnerabilities or poor MFA implementations—were the root cause of ransomware access. These are issues that, in theory, could be addressed by an overburdened IT team, but the reality is that OT systems require more attention and expertise than IT teams can reasonably provide while balancing enterprise infrastructure responsibilities.

The real issue is that OT systems operate under conditions completely different from traditional IT infrastructure—they are older, less frequently updated, and harder to secure without causing service disruptions. Instead of investing in dedicated security teams with specialized knowledge, many organizations delegate these critical responsibilities to their already overstretched IT staff. This lack of focused attention creates a perfect storm where ransomware thrives. OT environments become vulnerable, exposing critical assets to ransomware attacks with potentially devastating consequences.

Until organizations recognize that OT environments require more than just add-on duties for their IT departments, the risk posed by ransomware will continue to escalate. The attacks will only become more complex and chaotic as ransomware groups fragment and evolve. Without dedicated security teams to focus solely on securing these vulnerable OT systems, critical infrastructure will remain a prime target for ransomware actors who are quick to exploit any gaps in protection.

#ransomware, #criticalinfrastructure, #OTsecurity

Breaking News

Internet Archive Hacked: 31 Million User Accounts Exposed

The Internet Archive, an institution vital to preserving the web's history, has confirmed a breach impacting 31 million users. Following a Distributed Denial of Service (DDoS) attack, hackers accessed sensitive user data including email addresses, usernames, bcrypt-hashed passwords, and password change timestamps. The hack is believed to have occurred on September 28, 2024, and was disclosed publicly by security expert Troy Hunt. Affected users can check their information through "Have I Been Pwned?"

The hacking group “SN_Blackmeta” claimed responsibility, but their motivations remain unclear. In response, the Internet Archive temporarily took its systems offline, disabled compromised JavaScript libraries, and began upgrading its security.

NoFluff's Take: Safeguarding the Internet’s Memory

This attack on the Internet Archive represents more than just a technical breach—it is a hit on a resource fundamental to the public good. The Internet Archive serves as a digital memory of our online history, providing free access to millions of books, websites, and other media that are otherwise lost to time. Disrupting its operations can be seen as undermining efforts to preserve the public's access to knowledge. While attacks on commercial entities may come with clear financial motivations, attacks on the Internet Archive signal broader concerns. The breach emphasizes the fragility of digital preservation, reminding us that even public goods can become targets in an increasingly turbulent digital landscape.

CISO Takeaways

  • Recognize public service platforms as high-value targets: The breach highlights that even non-commercial entities like the Internet Archive, which serve as digital repositories, are not immune to significant attacks, often driven by ideological or political motivations.

  • Speed of post-breach transparency builds trust: The Internet Archive’s quick public disclosure and system updates are a reminder that rapid, clear communication with affected users is crucial for managing the fallout of breaches.

  • Prepare for multi-faceted attacks: This incident involved defacement, DDoS, and data theft, illustrating the importance of planning for a combination of attack vectors, not just a single threat type.

Security Engineer Thoughts

  • Mitigate third-party library vulnerabilities: The defacement via a JavaScript library emphasizes the importance of continuously auditing and securing third-party components, which can often be an easy entry point for attackers.

  • Bcrypt strengthens password security but isn’t infallible: While bcrypt was used to hash passwords, it’s critical to also ensure that password strength policies are enforced, as even bcrypt-hashed passwords can be cracked if weak.

  • Implement robust DDoS defenses for public platforms: The sustained DDoS attacks that followed the breach highlight the need for more resilient infrastructure capable of withstanding high-volume traffic surges, especially for services with a wide public reach.
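One concrete control behind the "audit and secure third-party components" point above is to pin each vendored script to a content digest and re-verify what is actually served. The following is an added example written for this newsletter, not code from the Internet Archive or any project it mentions; the script bytes and the URL are constructed samples, and the Subresource Integrity (SRI) digest format it produces is the standard "sha384-<base64>" form.

```python
import base64
import hashlib
import hmac

# Constructed sample: the copy of a third-party script that was reviewed at deploy time.
VETTED_SCRIPT = b"(function(){window.siteWidget={version:'1.4.2'};})();\n"

# Constructed sample: the same URL as later served by an edge/CDN, with an injected line.
TAMPERED_SCRIPT = VETTED_SCRIPT + b"document.body.innerHTML='<h1>defaced</h1>';\n"

# Constructed manifest: which digest each script URL was pinned to (hypothetical URL).
SCRIPT_URL = "/static/widget.js"


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI value ("<algo>-<base64 digest>") for the given bytes.

    Browsers only honour sha256/sha384/sha512 in the integrity attribute, so
    anything else is rejected here rather than silently producing an unusable pin.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    raw = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def script_tag(src: str, vetted: bytes) -> str:
    """Emit a <script> tag that pins the vetted bytes; the browser refuses to run
    the script if the fetched content does not match the integrity value."""
    return (f'<script src="{src}" integrity="{sri_digest(vetted)}" '
            f'crossorigin="anonymous"></script>')


def verify_served(expected: str, served: bytes) -> bool:
    """Recompute the digest of what was actually served and compare it to the pin.
    hmac.compare_digest avoids a timing side channel on the comparison itself."""
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_digest(served, algo), expected)


def audit_manifest(manifest: dict, fetched: dict) -> list:
    """Continuous check: return every URL whose served bytes no longer match the
    pinned digest. A URL that could not be fetched counts as a mismatch."""
    return [url for url, expected in manifest.items()
            if not verify_served(expected, fetched.get(url, b""))]


if __name__ == "__main__":
    manifest = {SCRIPT_URL: sri_digest(VETTED_SCRIPT)}
    print(script_tag(SCRIPT_URL, VETTED_SCRIPT))
    print("unchanged:", audit_manifest(manifest, {SCRIPT_URL: VETTED_SCRIPT}))
    print("tampered:", audit_manifest(manifest, {SCRIPT_URL: TAMPERED_SCRIPT}))
```

The browser-side pin (the `integrity` attribute) stops a modified library from executing at all, while `audit_manifest` gives the operator an independent signal that something upstream changed, which is what you want to know before users do.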

#databreach, #internetarchive, #DDoS

Latest Research

Disrupting AI-Driven Influence and Cyber Operations

OpenAI recently released a detailed report on their efforts to combat malicious use of their AI models in influence and cyber operations. Since the beginning of 2024, OpenAI has disrupted over 20 covert operations globally. The actors misused OpenAI’s models for tasks such as content generation (articles, social media posts), debugging code, and even social engineering campaigns, often aimed at influencing political narratives across multiple platforms. Notably, some campaigns attempted to create fake online engagement, but OpenAI’s internal safety systems prevented many of these operations from fully realizing their goals.

The threat actors mixed AI-generated content with traditional methods to engage in influence operations. OpenAI identified and disrupted notable campaigns like "Bad Grammar," a Russian operation targeting Ukraine and other regions, and "CyberAv3ngers," an Iranian group focused on industrial control systems (ICS). Despite the sophisticated nature of these activities, none of these influence operations achieved meaningful engagement or reach, according to OpenAI’s analysis.

NoFluff's Take: AI's Limited Reach in Political Influence

While these operations are troubling, the report underscores an important point: AI tools, by themselves, do not automatically lead to effective influence. OpenAI’s findings suggest that even advanced AI-driven campaigns have not yet managed to break through to authentic communities or cause widespread engagement. This indicates that traditional forms of content distribution, audience building, and human-driven narratives still play a critical role in influence operations. The real danger may come from blending AI's productivity gains with well-orchestrated human strategies, which could make future operations more effective if not detected early.

CISO Takeaways

  • Safety by Design: OpenAI’s internal safeguards—designed to prevent the misuse of their models—play a pivotal role in detecting malicious behavior before it can cause harm. CISOs should prioritize AI model safety when integrating generative AI tools into their organizations, ensuring they have built-in features to mitigate risk.

  • Industry Collaboration: The disruptions OpenAI achieved were heavily aided by collaboration with industry peers and the open-source community. CISOs should push for threat intelligence sharing across sectors to strengthen defenses against evolving threats, especially in the context of AI-driven campaigns.

Security Engineer Thoughts

  • AI Usage in Cyber Operations: Many adversaries are leveraging AI not just for influence campaigns but also for vulnerability research and scripting support. Engineers should be aware that AI tools are increasingly being weaponized for technical reconnaissance, scripting, and debugging. It is crucial to implement monitoring systems to detect unusual queries and activities that could indicate malicious use of AI within your systems.

  • Code Debugging for Malicious Purposes: Some threat actors used AI to debug code for offensive activities, such as developing malware. Engineers should integrate robust auditing tools to monitor for patterns indicative of threat actors using internal or external AI systems for these purposes.

#AIsecurity, #InfluenceOperations, #Cyberthreats

Learning Protip

This article brings up two major principles: AI model misuse and covert influence operations. For newcomers to cybersecurity, understanding the potential for AI to be used maliciously is key to staying ahead of emerging threats.

  • Explore AI model safety and how organizations build systems with safeguards in place to prevent abuse. You can learn more by reading the OpenAI Safety Guidelines, which outline how to responsibly deploy AI.

  • Learn about covert influence operations—these are deceptive tactics aimed at manipulating public opinion, often through fake content or engagement. The Brookings Institute offers valuable resources on how covert influence campaigns operate and how they can be countered.

Tools

Vulnerability Analysis for Container Security

NVIDIA’s Vulnerability Analysis for Container Security is a tool designed to address the growing challenges of managing vulnerabilities in containerized environments. The tool integrates NVIDIA’s Inference Microservices (NIM) and Morpheus SDK to automate the detection and triage of Common Vulnerabilities and Exposures (CVEs). It accelerates the traditionally slow process of vulnerability assessment by leveraging large language models (LLMs) to generate task-specific checklists and provide actionable insights to security teams, reducing the time from days to seconds.

Despite the promise of speed and automation, there are still some concerns about the quality and reliability of its output. The effectiveness of the tool heavily depends on the accuracy of the data sources it taps into, and it remains to be seen how well the tool performs in complex real-world environments where nuance in vulnerability management is critical. Public feedback on its precision in different deployment scenarios is limited, suggesting that organizations should approach its use with caution.

NoFluff’s Take: Great Potential, But Real-World Testing Needed

NVIDIA’s solution could be a game-changer for organizations struggling with large-scale container deployments, especially in environments where CVE management is a bottleneck. By integrating this tool into CI/CD pipelines, companies can enhance their continuous monitoring and vulnerability remediation efforts without introducing significant delays.

However, the tool’s AI-driven outputs should not be fully trusted without careful validation. The automated analysis may be prone to false positives or may miss nuanced vulnerabilities, particularly in more complex container environments. Security teams should remain vigilant and continue to exercise human oversight, using the tool as a supplementary aid rather than a full replacement for manual processes. The real test will come from its performance in varied environments, where it will need to demonstrate consistent accuracy and reliability.

In one published example of the tool's output, it was unable to determine the kernel version—an essential detail for assessing whether the CVE applied—yet it still concluded that the vulnerability was "not exploitable." This raises the concern that the tool may reach conclusions without all the necessary context. The missing kernel version was crucial to determining whether the system was at risk, which highlights the need for careful human review whenever critical data is absent.

#containers, #vulnerabilitymanagement, #automatedsecurity

Learning Protip

In this article, several core information security principles are highlighted, including vulnerability management and contextual risk assessment. These concepts are fundamental for anyone new to the discipline.

  • Vulnerability Management: This refers to the continuous process of identifying, evaluating, and remediating vulnerabilities across systems. Effective vulnerability management involves prioritizing risks based on the severity and exploitability of vulnerabilities in a given environment. You can deepen your understanding of this topic by exploring the Vulnerability Management Lifecycle, which provides a comprehensive overview of the lifecycle stages from discovery to remediation.

  • Contextual Risk Assessment: Not all vulnerabilities present the same level of risk; it’s essential to assess how each vulnerability interacts with your specific environment. For example, a vulnerability might not be exploitable depending on the software version or configuration. To learn more, start with the NIST Risk Management Framework (RMF), which provides a structured approach to identifying and managing risks based on context.

By studying these principles and learning how they interconnect, you’ll develop a solid foundation for addressing complex security challenges.
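The kernel-version example in the Tools section and the contextual risk assessment principle above come down to the same rule: a triage step may only say "not exploitable" when every fact that decision depends on is actually known. The following is an added example, not code from NVIDIA's tool or any project on this page; the CVE identifiers, package names and version numbers are constructed placeholders, and the version comparison is a simplified numeric one.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Finding:
    cve: str                 # constructed placeholder id, not a real CVE
    package: str             # affected package name (hypothetical)
    fixed_in: str            # first package version carrying the fix
    kernel_fixed_in: Optional[str] = None  # set when exploitability also depends on the host kernel


@dataclass
class ContainerFacts:
    packages: Dict[str, str]       # installed package -> version
    kernel_version: Optional[str]  # None when the scanner could not determine it


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified comparison key: the numeric components of a version string.
    Good enough for the constructed samples; real packages need a distro-aware parser."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess(finding: Finding, facts: ContainerFacts) -> Tuple[str, str]:
    """Return (verdict, reason). Verdict is 'not_exploitable', 'exploitable' or
    'needs_review'. The key property: missing context never yields 'not_exploitable'."""
    installed = facts.packages.get(finding.package)
    if installed is None:
        return "not_exploitable", f"{finding.package} is not installed in the image"
    if parse_version(installed) >= parse_version(finding.fixed_in):
        return "not_exploitable", f"{finding.package} {installed} already carries the fix ({finding.fixed_in})"
    if finding.kernel_fixed_in is not None:
        if facts.kernel_version is None:
            # This is the failure mode the newsletter describes: do not guess.
            return "needs_review", "kernel version unknown; exploitability cannot be decided"
        if parse_version(facts.kernel_version) >= parse_version(finding.kernel_fixed_in):
            return "not_exploitable", f"host kernel {facts.kernel_version} is not affected"
    return "exploitable", f"{finding.package} {installed} is below the fixed version {finding.fixed_in}"


def triage(findings, facts: ContainerFacts) -> Dict[str, str]:
    """Map each CVE id to its verdict so the output can be asserted on or routed."""
    return {f.cve: assess(f, facts)[0] for f in findings}


# Constructed sample input: two findings, one of which depends on the kernel.
CONSTRUCTED_FINDINGS = [
    Finding("CVE-0000-0001", "libfoo", fixed_in="2.4.1", kernel_fixed_in="5.16"),
    Finding("CVE-0000-0002", "libbar", fixed_in="1.0.9"),
]
# Constructed sample facts: the scanner could not read the kernel version.
CONSTRUCTED_FACTS = ContainerFacts(packages={"libfoo": "2.3.0", "libbar": "1.1.0"},
                                   kernel_version=None)


if __name__ == "__main__":
    for f in CONSTRUCTED_FINDINGS:
        verdict, reason = assess(f, CONSTRUCTED_FACTS)
        print(f"{f.cve}: {verdict} ({reason})")
```

Routing `needs_review` to a human queue rather than collapsing it into `not_exploitable` is the difference between a tool that saves analyst time and one that quietly hides risk.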

If you’re not already one of our regulars then that Subscribe button below has your name on it ;) See you next week!

All views and opinions expressed therein are solely the authors’ own and do not reflect those of any employers past or present.
NoFluffSec is a Bitsavant LLC publication