APT37's Air-Gap Breakthrough and Why Your Event Security Strategy Needs an Upgrade

I’ve been tracking some concerning developments this week that really highlight how our threat models need to evolve. North Korean APT37 has broken new ground with air-gapped network compromises, while major events are facing wireless and drone threats that most security teams aren’t prepared for. Let me walk you through what’s happening and why it matters for all of us.

North Korea Cracks the Air-Gap Problem

The most significant story is APT37’s new toolkit specifically designed to breach air-gapped networks. Zscaler ThreatLabz discovered five new tools that show these North Korean hackers have solved one of cybersecurity’s oldest challenges: how do you move data between isolated systems and internet-connected ones?

What makes this particularly clever is their approach. Instead of trying to bridge the air gap directly, they’re using removable drives as the conduit. The malware spreads via USB drives and other portable media, establishing a covert surveillance capability that can exfiltrate data even from systems that have never touched the internet.

This isn’t just theoretical anymore. BleepingComputer reports that these tools are actively being deployed in the wild. For those of us managing critical infrastructure or handling classified information, this represents a fundamental shift in how we need to think about network isolation.

The traditional assumption that air-gapped equals secure just took a major hit. We’re going to need much stricter controls around removable media, better endpoint monitoring on isolated systems, and honestly, a complete rethink of what “isolated” actually means in practice.
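One concrete form the "better endpoint monitoring on isolated systems" control can take is correlating the kernel's USB enumeration messages into one event per mass-storage attach and alerting on any drive whose serial is not on an approved transfer-media list. The script below is an added example, not code from the original post or from the Zscaler report; the log lines, vendor/product IDs, serials and the allow-list are all constructed for illustration.

```python
import re

# Constructed sample kernel log lines (not from the page): two removable drives attached
# to an isolated workstation. Vendor/product IDs and serials are made up for the example.
SAMPLE_LOG = """\
Jan 12 09:14:03 airgap-ws01 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jan 12 09:14:03 airgap-ws01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jan 12 09:14:03 airgap-ws01 kernel: usb 1-2: SerialNumber: 4C530001230627119432
Jan 12 09:14:04 airgap-ws01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jan 12 11:40:17 airgap-ws01 kernel: usb 1-3: New USB device found, idVendor=090c, idProduct=1000, bcdDevice= 1.10
Jan 12 11:40:17 airgap-ws01 kernel: usb 1-3: SerialNumber: AA04012700013494
Jan 12 11:40:18 airgap-ws01 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allow-list: serials of the organisation's approved transfer media.
APPROVED_SERIALS = {"4C530001230627119432"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
FOUND_RE = re.compile(r"usb (?P<port>\d+-[\d.]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"usb (?P<port>\d+-[\d.]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def find_mass_storage_events(log_text, approved_serials):
    """Correlate per-port USB enumeration lines into one record per mass-storage attach."""
    pending = {}  # USB port path -> partially assembled device record
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel line; ignore
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        if found := FOUND_RE.match(msg):
            pending[found.group("port")] = {"ts": ts, "host": host, "port": found.group("port"),
                                            "vid": found.group("vid"), "pid": found.group("pid"), "serial": None}
        elif serial := SERIAL_RE.match(msg):
            if serial.group("port") in pending:
                pending[serial.group("port")]["serial"] = serial.group("serial")
        elif storage := STORAGE_RE.match(msg):
            # Storage class bound: finalise the record even if no serial line was ever seen,
            # so a drive that hides its serial still produces an (unapproved) event.
            rec = pending.pop(storage.group("port"), {"ts": ts, "host": host, "port": storage.group("port"),
                                                      "vid": None, "pid": None, "serial": None})
            rec["approved"] = rec["serial"] is not None and rec["serial"] in approved_serials
            events.append(rec)
    return events


def unapproved_media(log_text, approved_serials=APPROVED_SERIALS):
    """Return only the attach events that should raise an alert on an isolated host."""
    return [e for e in find_mass_storage_events(log_text, approved_serials) if not e["approved"]]
```

On a real isolated host the input would be `journalctl -k` or `/var/log/kern.log` output rather than the embedded sample, and the alert list would be written to local, tamper-evident storage since there is no SIEM to forward it to.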

FreePBX Infections Show Patch Management Reality

While we’re dealing with sophisticated nation-state actors, sometimes the biggest headaches come from basic security hygiene failures. The Shadowserver Foundation found over 900 Sangoma FreePBX instances still infected with web shells from attacks that started back in December.

Here’s what’s frustrating: this vulnerability has been known for months. The fact that 401 of these compromised systems are in the U.S. alone tells us that patch management is still our Achilles heel. These aren’t zero-day exploits or advanced persistent threats – this is attackers exploiting a command injection vulnerability that should have been patched ages ago.

The geographic distribution is telling too, with Brazil, Canada, Germany, and France all showing significant infection numbers. It suggests this is a global problem with VoIP security practices, not just isolated incidents.

Major Events Face New Threat Vectors

Speaking of evolving threats, Dark Reading highlighted something that should concern anyone involved in event security: cities hosting major events like the FIFA World Cup need to expand their security focus beyond traditional physical and cyber threats to include wireless and drone-based attacks.

This makes complete sense when you think about it. Large events create massive wireless footprints with thousands of connected devices, temporary network infrastructure, and limited time for proper security hardening. Add drones to the mix – both as potential attack vectors and surveillance platforms – and you’ve got a security nightmare.

The challenge is that most event security teams are still thinking in terms of perimeter defense and traditional IT security. They’re not equipped to handle sophisticated wireless attacks or drone-based surveillance and disruption. We need specialized teams and equipment for RF monitoring, drone detection and mitigation, and wireless network security that goes far beyond standard WiFi protection.

The Bigger Picture

What ties these stories together is how our threat landscape continues to expand in directions that challenge traditional security models. APT37 is breaking air gaps, basic vulnerabilities remain unpatched for months, and major events face attack vectors that didn’t exist a decade ago.

SecurityWeek’s roundup also mentions Russian cyberattacks supporting missile strikes and Predator spyware bypassing iOS security indicators, which reinforces how cyber operations are becoming integrated into broader conflict scenarios.

For those of us in the security field, this means we can’t afford to get comfortable with our current approaches. The North Korean air-gap breakthrough alone should prompt every organization with isolated systems to reassess their security controls. The FreePBX situation reminds us that basic security hygiene remains critical even as threats become more sophisticated.

And if you’re involved in event security, it’s time to start thinking about wireless and drone threats as seriously as you think about traditional physical security concerns.