Five years after a Russian APT infiltrated a software update to gain access to thousands of SolarWinds customers, the board has voted unanimously to sell at a top valuation and plans for uninterrupted operations.

Source: SOPA Images Limited via Alamy Stock Photo

NEWS BRIEF

SolarWinds, the software and IT company that faced a major supply chain cyberattack in 2020, today announced that it will be acquired by Turn/River Capital for $4.4 billion, or $18.50 per share.

Along with unanimous approval from its board of directors, the transaction also received written approval from Thoma Bravo and Silver Lake, SolarWinds' majority shareholders with a combined 65% of the outstanding voting securities.

SolarWinds will become a privately held company, no longer listed on the New York Stock Exchange, though it will continue to operate under the name SolarWinds and stay headquartered in Austin, Texas.

"This successful transaction and exciting partnership are testaments to our employees' outstanding work of building exceptional solutions and delivering great customer success," said Sudhakar Ramakrishna, president and CEO of SolarWinds, in a statement. "We are confident that Turn/River's expertise and growth orientation will help us ensure SolarWinds continues to drive innovation and deliver even greater value for customers and stakeholders."

**The Sunburst Attack Continues to Burn**

In 2020, roughly 33,000 of SolarWinds' customers were impacted in a major supply chain attack, affecting thousands of organizations as well as the US government. The breach targeted the SolarWinds Orion management system, where it is believed that Nobelium, a nation-state hacking group, gained access to the company's networks in September 2019.

The attackers inserted malicious code, known as Sunburst, into the Orion system, infecting a software update that led to the compromise of all software builds for versions 2019.4 HF 5 through 2020.1.1. More than 18,000 SolarWinds customers installed these updates, creating a domino effect in those that fell victim to the attack. Years later, in 2023, the Securities and Exchange Commission (SEC) charged SolarWinds and its CISO Tim Brown with fraud and internal control failures, alleging that by ignoring warnings about the company's vulnerable cybersecurity posture, Brown knowingly left the company unprotected.

This breach has had lasting impacts in the cybersecurity industry, and though the attack occurred nearly five years ago, the SEC continues to review the details. Last October, the SEC charged four companies — Unisys, Avaya Holdings Corp., Checkpoint, and Mimecast — for what the regulator said were intentional attempts to minimize the impact of the hack to their systems. It also vowed to deter other companies from submitting vague data breach disclosures after major events like SolarWinds.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

SolarWinds to Go Private for $4.4B

Developers are pulling in publicly available ASP.NET keys into their environments, without realizing that cyberattackers can use them for clandestine code injection.

Source Hilda DeSanctis via Alamy Stock Photo

NEWS BRIEF

Website developers are unwittingly putting their companies at risk by incorporating publicly disclosed ASP.NET machine keys from code documentation and repositories into their applications, Microsoft is warning.

The tech giant has issued an alert on the insecure practice, after observing threat actors in December using a static, known ASP.NET machine key to deploy the Godzilla post-exploitation cyberattack framework, known for stomping all over corporate environments.

The attack vector involves manipulating ViewState, which represents the state of a webpage when it was last processed on the server. If threat actors can get ahold of ASP.NET keys, they can craft a malicious ViewState, send it to a targeted website via a POST request to be loaded, and can thus compromise the environment via code injection.

"Once it's processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used," a Microsoft post on the concern explained. "The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS Web server."

Microsoft has uncovered at least 3,000 publicly disclosed keys that could be used for these types of attacks, which lowers the bar for exploitation significantly.

"Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on Dark Web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification," according to the post.

To prevent attack, Microsoft recommends that organizations do not copy keys from publicly available sources and to regularly rotate keys in any event.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in…

Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in identifying potential vulnerabilities to protect data privacy and meet cybersecurity standards. In this article, we will see what is a **security questionnaire** and what is the proper method to create an automated security questionnaire.

****What are Security Questionnaires?****

Security questionnaires are sets of questions designed to assess the ability of an organization to protect data against cybersecurity threats. They help in the evaluation of risks and vulnerabilities to protect their organization’s sensitive information. 

****What is Covered in a Security Questionnaire?****

A Security Questionnaire covers different elements of cybersecurity, including network security, data protection measures, access controls, **incident response**, and compliance requirements. 

Other areas covered include: 

*   Datacenter Security
*   Infrastructure Security
*   Hiring and personnel policies
*   Security Incident Management
*   Application & Interface Security
*   Audit Assurance and Compliance
*   Encryption and Key Management 
*   Identity and Access Management
*   Governance and Risk Management
*   Threat and Vulnerability Management
*   Business Continuity Management & Operational Resilience
*   The program addresses Supply Chain Management and its focus on Transparency and Accountability.

****Best Practices for Security Questionnaire****

The security questionnaire’s difficulties can be controlled using various methods that eliminate these challenges. Below are some of the best practices for preparing security questionnaires:

****Remove irrelevancies:** **

You should eliminate those questions that do not apply to your specific circumstances. The process requires gathering supporting data to prove the non-applicability of those specific questions. You should get clarification about confusing questions before you give full responses to everything. Companies that do not answer all parts of the questionnaire questions put customer business relationships at risk.

****Keep it short and sweet:** **

Text responses should be brief and transparent in their evaluation of weaknesses and strengths. Involve subject matter experts, communicate openly with partners, and ask for clarification to produce accurate assessment data for assessors.

****Have a remediation plan on deck:** **

A detailed remediation strategy should be prepared to address security issues that emerge from questionnaires. Demonstrate ongoing efforts to align security posture with customer expectations. Discuss the potential for another assessment questionnaire after implementing new controls. Taking responsibility for control gaps and providing a remediation plan shows honesty, accountability, and a proactive approach to earning customer trust.

****Limitations of Security Questionnaires** **

While security questionnaires provide valuable insights, they have inherent limitations:

**Self-reported data:** The responses that rely on accuracy may not reflect reality. 

**Point-in-time assessment:** The questionnaires provide static security data that fails to track real-time changes and threats that emerge between assessments.

**Outdated information:** Responses can quickly become obsolete in fast-evolving technology systems.

**Lack of context:** Questionnaire-based data sometimes fails to uncover specific details about an organization’s security situation and its particular risks.

****Conclusion****

Companies understand that security questionnaires have become indispensable for protecting their valuable assets and data against emerging digital threats in the modern digital era. The questionnaires serve their purpose as **essential assessment tools** that allow stakeholders to determine how well threats are guarded and where security holes might exist. The answers to security questions become complicated when businesses operate without established plans.

This article has recommended practices for security questionnaire development and automation approaches that help businesses improve security protection and shorten compliance time

Image via Freepik

Best Practices for Preparing and Automating Security Questionnaires

PRESS RELEASE

A five-count criminal indictment was unsealed today in federal court in New York charging a Canadian man with exploiting vulnerabilities in two decentralized finance protocols to fraudulently obtain about $65 million from the protocols’ investors.

According to court documents, from 2021 to 2023, Andean Medjedovic, 22, allegedly exploited vulnerabilities in the automated smart contracts used by the KyberSwap and Indexed Finance decentralized finance protocols. Medjedovic borrowed hundreds of millions of dollars in digital tokens, which he used to engage in deceptive trading that he knew would cause the protocols’ smart contracts to falsely calculate key variables. Through his deceptive trades, Medjedovic was able to, and ultimately did, withdraw millions of dollars of investor funds from the protocols at artificial prices, rendering the victims’ investments essentially worthless.

Medjedovic also allegedly laundered the proceeds of his fraudulent schemes through a series of transactions designed to conceal the source and ownership of the funds, including through swap transactions, “bridging transactions,” and the use of a digital assets “mixer.” With others, Medjedovic also allegedly schemed to open accounts with digital assets exchanges using false and borrowed identifying information to conceal the source and true ownership of the proceeds. In around November 2023, after executing the KyberSwap exploit, Medjedovic also allegedly attempted to extort the victims of the KyberSwap exploit through a sham settlement proposal, in which he demanded complete control of the KyberSwap protocol and the decentralized autonomous organization that oversaw the KyberSwap protocol in exchange for returning 50 percent of the digital assets that he fraudulently obtained through his scheme.

Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. If convicted, he faces a maximum penalty of 10 years in prison on the unauthorized damage to a protected computer count and 20 years in prison on each of the other counts. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, U.S. Attorney John J. Durham for the Eastern District of New York, Chief Guy Ficco of IRS Criminal Investigation (IRS-CI), Special Agent in Charge William S. Walker of Homeland Security Investigations (HSI) New York, and Assistant Director in Charge James E. Dennehy of the FBI New York Field Office made the announcement.

IRS-CI, HSI, and the FBI New York Field Office are investigating the case, with valuable assistance provided by U.S. Customs and Border Protection’s New York Field Office and the Justice Department’s Office of International Affairs. The Justice Department also thanks the Netherlands’ Public Prosecution Service and Cybercrime Unit — the Hague of the Dutch National Police for their significant assistance with the investigation.

Trial Attorney Tian Huang of the Criminal Division’s Fraud Section, who is a member of the National Cryptocurrency Enforcement Team (NCET), and Assistant U.S. Attorneys Nicholas Axelrod and Andrew Reich for the Eastern District of New York are prosecuting the case. SEC Enforcement Attorney Daphna A. Waxman, formerly a member of the NCET, provided significant assistance.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

PRESS RELEASE

With a staggering 5263 attacks, 2024 saw the highest volume of ransomware attacks observed since 2021, according to a new report from cybersecurity consulting firm, NCC Group.

In a turbulent year for the cyber landscape, with high-impact attacks on sophisticated nation-state espionage campaigns, attack volume continued to rise. 

LockBit remains top threat actor despite takedown

The infamous threat group LockBit was the top actor of 2024, accounting for 10% (526) of all attacks. However, it’s overall activity declined compared to 2023, with LockBit’s takedown earlier in 2024.

RansomHub followed closely behind. Accountable for 501 attacks, it became the most dominant threat actor in the second half of the year.

Uptick in most regions

North America experienced over half of all attacks in 2024 (55%). Overall, most regions witnessed a rise in attacks, including Asia, South America, and Oceania. Rising global geopolitical tensions and high payouts for ransomware attacks are likely to have attributed to increase across regions. 

Industrials remains a top target

With its crucial role in the global economy, Industrials experienced 27% (1424) of all ransomware attacks in 2024, increasing 15% from 2023. Attacks in the sector have caused mass disruption, affecting critical infrastructure and services and causing material downtime.

Law enforcement whack-a-mole 

There are some encouraging signs that the international community has stepped up efforts to recognise and address the threats posed by cyber adversaries. Notable examples include coordinated law enforcement actions against cybercriminal networks such as Operations Cronos, Magnus, Destabilise, and Serengeti.

Despite short term law enforcement crack downs, threat actors continued to emerge quickly after intervention - LockBit was operating again only five days after its takedown. And with warnings from the group that it will be back in full force by February 2025, it’s evident that governments and law enforcement need to do more to prevent the reemergence of these groups.

Matt Hull, global head of Threat Intelligence at NCC Group said: “The cyber security landscape in 2024 presented unprecedented challenges. The scale and complexity of cyber incidents tested the resilience of businesses and institutions globally. Looking ahead, these challenges are set to escalate as cyber criminals and nation-state actors increasingly exploit the growing integration of technology into all aspects of life.

“Key concerns such as third-party compromises, cloud vulnerabilities, and insecure APIs remain critical. We also can’t ignore the rapid advances in artificial intelligence (AI) that are giving rise to new cybercriminal tactics. And the geopolitical dimension of cyber security adds to the ever-changing threat landscape, with nation-states posing significant risks to critical infrastructure.

“In the face of these challenges, businesses, governments, and individuals must stay vigilant and proactive. By understanding the risks and acting today, we can collectively work towards a more secure digital future.”

2024 Breaks Records With Highest Ever Ransomware Attacks

**Databarracks Launches Air Gap RecoverDatabarracks Launches Air Gap Recover**

PRESS RELEASE

Databarracks has announced the launch of Air Gap Recover, a new service that provides enhanced protection against cyber threats, including ransomware attacks.

Designed specifically for cloud-native environments, Air Gap Recover provides isolated, air-gapped data protection and automated failover to guarantee rapid recovery from any cyber attack.

“Traditional data protection solutions don’t work for cloud-native systems and businesses,” said James Watts, Managing Director of Databarracks.

“Native cloud tools are designed more for simplicity than resilience and lack the functionality you need to fully protect your data. Enterprise backup solutions, on the other hand, struggle to scale and can’t handle the volume of data stored in modern cloud systems. Whichever you choose, your recovery is compromised – it either takes too long to restore operations or, in a worst-case scenario, you’re left with no clean copy of data to recover from at all.

“Air Gap Recover addresses these shortcomings. It’s equipped to protect the petabytes of data and globally distributed architectures within cloud-native environments – allowing for complex cloud-scale recovery.

“In 2025, cyber remains the number one threat to business continuity. We know it is no longer a question of “if” but “when”. But no matter the scale or severity of the cyber event – and cloud-native environments are not immune – Air Gap Recover ensures your critical data is protected. If the worst happens – your cloud account is breached, and your data is encrypted or deleted – you failover instantly to a secure and separate account. Your business stays operational while others would scramble to recover.”

Key features include:

*   Advanced air-gapped security: Data is stored in immutable, isolated cloud accounts to protect against ransomware and other cyber threats.
    
*   Automated failover: Provides immediate cross-region failover to a segregated cloud account, ensuring instant recovery with near-zero downtime.
    

Stepping in where traditional solutions fall short, Air Gap Recover sets a new standard for cloud-native data protection to further strengthen Databarracks’ IT resilience offering.

About Databarracks

Databarracks is the technology and business resilience specialist.

In 2003, we launched one of the world’s first managed Backup services to bring indestructible resilience to mission-critical data.

Today, we deliver award-winning IT resilience and continuity services. We help organisations get the most out of the cloud and protect their data, wherever it lives.

And we back this up with unbeatable support. There’s no such thing as ‘above and beyond’ for our engineers because they only work to one standard: to keep your systems running perfectly.

Enterprise-class continuity, security, and resilience. Accessible for all. 

You May Also Like

Databarracks Launches Air Gap Recover

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

Source: Tapati Rinchumrus via Shutterstock

A year after Google and Yahoo forced bulk email senders to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard, the rate of the adoption of DMARC among domains has doubled, although many of the same email threats continue to successfully deliver payloads or redirect unwary users to phishing sites.

The increase in adoption started in February 2024, when Google and Yahoo started requiring bulk email senders — defined as any company sending more than 5,000 email messages daily — to use DMARC. The email authentication standard uses two authentication specifications — Sender Policy Framework (SPF) and DomainsKeys Identified Mail (DKIM) — to confirm that an email comes from an authorized email server and on behalf of the purported sender. The technology makes it much more difficult to spoof email from a legitimate company or brand.

In the past year, adoption has increased by about 2.3 million domains, but that still leaves about 87% of domains without a DMARC record, according to data published by cyber-resilience firm Red Sift on Feb 5. Adoption is also uneven, with organizations in Austria, Japan, and Indonesia seeing some of the highest growth and publicly traded companies making the most significant gains.

Related:Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

While doubling the adoption rate of DMARC is a significant success, the private sector needs to do better, says Sean Costigan, managing director of resilience strategy at Red Sift.

"DMARC is considered an indicator of cyber maturity in many sectors, and we are still in the early days — healthcare, for example, is struggling to surpass 40% to 50% adoption," he says, adding that "widely, properly managed DMARC adoption will reduce spoofing, phishing and other forms of cybercrime."

Source: Red Sift

Google, for example, has seen a significant reduction in questionable email. In 2024, Gmail users saw 265 billion fewer unauthenticated emails, or about 65% less. During the 2024 holidays, a season that typically sees a massive spike in phishing attacks, users encountered 35% fewer scams, says Neil Kumaran, group product manager at Google.

"We think these improvements represent a huge boost in the health of the email ecosystem overall," he says. "We are actually seeing the industry embrace these requirements, seeing how important they are to increase the healthy ecosystem for everybody."

**DMARC Adoption Likely to Accelerate**

Large email senders are not the only groups quickening the pace of DMARC adoption. The latest Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires DMARC for all organizations that handle credit card information, while the European Union's Digital Operational Resilience Act (DORA) makes DMARC a necessity for its ability to report on and block email impersonation, Red Sift's Costigan says.

Related:Abandoned AWS Cloud Storage: A Major Cyberattack Vector

"Mandatory regulations and legislation often serve as the tipping point for most organizations," he says. "Failures to do reasonable, proactive cybersecurity — of which email security and DMARC is obviously a part — are likely to meet with costly regulatory actions and the prospect of class action lawsuits."

Overall, the authentication specification is working as intended, which explains its arguably rapid adoption, says Roger Grimes, a data-driven-defense evangelist at security awareness and training firm KnowBe4. Other cybersecurity standards, such as DNSSEC and IPSEC, have been around longer, but DMARC adoption has outpaced them, he maintains.

"DMARC stands alone as the singular success as the most widely implemented cybersecurity standard introduced in the last decade," Grimes says.

**Subdomain Attacks Exploit Gaps**

Yet that does not mean that threats have diminished. Attackers have adapted, Grimes says. Typically, attackers will just use lookalike domains — or use creative punctuation to create confusion — and fool the end user while still sending messages from an authenticated domain.

Related:Name That Toon: Incentives

"Since the creation and wide-scale adoption of DMARC, the percentage and number of phishing emails claiming to be from a particular legitimate domain are significantly less, perhaps just a few percent of what they used to be," Grimes says. "Unfortunately, phishers just created new illegitimate domains, often with lookalike names, that they then applied DMARC on so that the new, illegitimate domains passed DMARC inspection."

One technique used to dodge DMARC is "subdomail," where attackers seek out SPF records that include unregistered domains, and then take control of the orphaned domains as a way to conduct massive spamming campaigns. In one case, an SPF record for msnmarthastewartsweeps.com "included" two domains, allowing any authorized mail servers listed in those domain records to send authenticated email. In the Sender Policy Framework, the "include" keyword allows on domain to specify that those domains' lists of authenticated email servers should be trusted. For msnmarthastewartsweeps.com, that resulted in nearly 18,000 domains being authorized to send email on behalf of the domain.

Because the email messages make it past DMARC checks, they are more likely to successfully impersonate other companies, says Red Sift's Costigan.

"SubdoMailing exploits gaps in DMARC safeguards, allowing attackers to send emails from subdomains that pass both SPF and DMARC checks," he says. "These messages appear legitimate and are incredibly deceptive."

**BIMI on Deck for Email Security**

Still, companies gain much more visibility into their email by using DMARC, as the standard includes a reporting function that allows companies — or service providers on their behalf — to track email failures. Thus, companies should rapidly move from "none" to "quarantine" to "reject" as their policy, experts say.

In addition, companies should also look to take the next step, moving to Brand Indicators for Message Identification or BIMI, which allows companies to present a logo to email recipients. BIMI requires strict DMARC, however, and only about a third of domains currently comply, according to Red Sift's data.

While none of these technologies solve the problem of malicious emails, they all give companies and their email service providers more reliable signals to use to filter out unwanted messages and potential attacks, says Google's Kumaran. DMARC adoption does not boil down to "authenticated mail is good, and unauthenticated email is bad," he says.

"The idea is that authentication gives you confidence of the source of the message, and then you can start to do a better job of classification and actually providing protections to users," Kumaran says. "So I think it's a very desirable behavior if 100% of attacks are actually authenticated, because it makes the job of protecting people — and gives those the folks working in defending — stronger signals on which to operate."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Google's DMARC Push Pays Off, but Email Security Challenges Remain

A cybercriminal calling themselves emirking is offering 20 million OpenAI accounts for sale on a Dark Web forum

A cybercriminal acting under the monicker “emirking” offered 20 million OpenAI user login credentials this week, sharing what appeared to be samples of the stolen data itself.

Post by emirking

A translation of the Russian statement by the poster says:

> “When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldn’t stay hidden. I have more than 20 million access codes to OpenAI accounts. If you want, you can contact me—this is a treasure.”

The statement suggests that the cybercriminal found access codes which could be used to bypass the platform’s authentication systems. It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the _auth0.openai.com_ subdomain by exploiting a vulnerability or by obtaining administrator credentials.

While emirking looks like a relatively new user of the forums (they joined in January 2025), that doesn’t necessarily mean anything. They could have posted under another handle previously and switched because of security reasons.

Millions of users around the world rely on OpenAI platforms like ChatGPT and other GPT integrations.

With the allegedly stolen credentials, cybercriminals could possibly access sensitive information provided during conversations and queries with OpenAI. This stolen data could prove useful in targeted phishing campaigns and financial fraud. But the stolen credentials could also be used to abuse the OpenAI API and have the victims pay for their usage of OpenAI’s “Plus” or “Pro” features. However, other users of the same dark web forum claimed that the posted credentials did not provide access to the ChatGPT conversations of the leaked accounts.

True or not, this comes at a bad time for OpenAI after Microsoft recently investigated accusations that DeepSeek used OpenAI’s ChatGPT model to train DeepSeek’s AI chatbot.

**What can users do?**

If you fear that this breach might include your credentials you should:

*   Change your password.
*   Enable multi-factor authentication (MFA).
*   Monitor your account for any unusual activity or unauthorized usage.
*   Beware of phishing attempts using the information that might be stolen as part of this breach.

BreachForums, the Dark Web forum where the accounts were offered for sale was offline at the time of writing, so we were unable to verify any claims ourselves. We will do so when the opportunity arises and keep you posted, so stay tuned.

 20 Million OpenAI accounts offered for sale 

UpGuard discovers exposed Ollama APIs revealing DeepSeek model adoption globally. See where these AI models are running and the security risks involved.

Cybersecurity researchers at third-party risk management firm UpGuard have identified a vulnerability surrounding exposed Ollama APIs, which provide access to running AI models. These exposed APIs not only pose security risks for model owners but also offer a unique opportunity to gauge the adoption rate and geographic distribution of specific AI models, such as **DeepSeek**.

**Ollama** is an AI model framework that simplifies interaction with models by providing a user-friendly interface for selecting and downloading models. However, as per UpGuard’s research, shared exclusively with Hackread.com ahead of its release, the API can be exposed to the public internet; its functions to push, pull, and delete models can put data at risk and unauthenticated users can also bombard models with requests, potentially causing costs for cloud computing resource owners. Existing vulnerabilities within Ollama could also be exploited. 

According to UpGuard’s **research**, there is already evidence of the vulnerability being exploited, with targeted IPs being tampered with.

  
A screenshot provided by UpGuard to Hackread.com shows an Ollama instance where the models appear to have been deleted.

Researchers expressed concern that Ollama APIs are likely used by hobbyists on home or small business internet connections or university networks and these systems can be easily compromised and incorporated into botnets for future attacks.

UpGuard also analyzed the distribution of DeepSeek models across different parameter sizes running on exposed Ollama APIs. The 14b and 7b options (representing models with 14 billion and 7 billion parameters) were the most commonly observed among the exposed DeepSeek models, suggesting that many users are opting for these mid-range models.

Approximately seven thousand IP addresses currently expose Ollama APIs, indicating an over 70% rise in three months, since in its survey **Laava** found four thousand IP addresses in November 2024. Out of these exposed IPs, 700 are running some version of DeepSeek. Specifically, 334 are utilizing models from the deepseek-v2 family, while 434 are running the newer deepseek-r1 model. 

Geographically, the highest concentration of IPs running DeepSeek models is located in China (171 IP addresses, representing 24.4%), followed by the U.S. (140 IP addresses, or 20%), and Germany (90 IP addresses, or 12.9%). 

Furthermore, the distribution of DeepSeek models within the US by Internet Service Provider (ISP) analysis reveals a diverse range of providers, from large entities like Google LLC and AT&T Enterprises LLC to smaller providers and universities. Also, researchers found the highest concentration of DeepSeek instances in China, the US, and Germany, with other countries contributing smaller percentages.

> _“There are really two things that surprised us in this research: how fast exposed Ollama APIs are growing, and how quickly DeepSeek has spread. Either of those could have big consequences in the future.”_
> 
> Greg Pollock, Director of Research and Insights – Upguard

It is worth noting that DeepSeek has been restricted by entities like the **US Navy**, the state of **Texas**, **NASA**, and Italy over concerns of possible data leakage to the Chinese government. While these concerns may not apply to open-source models, most users are unlikely to scrutinize the code, UpGuard researchers noted along with identifying potential risks within the models themselves.

Therefore, to prevent **AI data leakage**, it is essential to audit one’s attack surface for exposed Ollama APIs and remain aware of which models or AI products can be crucial in third-party risk management.

7,000 Exposed Ollama APIs Leave DeepSeek AI Models Wide Open to Attack

As the cost of data breaches continues to climb, the role of user and entity behavioral analytics (UEBA) has never been more important.

Jackie Wyatt, Adjunct Professor of Cyber Studies, University of Tulsa

February 7, 2025

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

Last year, the cost of a data breach rose 10%, from $4.4 million to $4.8 million, as stated by IBM's annual "Cost of a Data Breach Report." According to cybersecurity firm Vectra AI, more than 70% of security operations center (SOC) leaders fear that a real attack will be hidden under an overwhelming flood of false-positive alerts and other security noise. The resulting burnout may be contributing to the labor shortage plaguing the industry. 

As the cost of data breaches continues to climb along with the deluge of meaningless alerts on an increasingly stressed workforce, the role of behavioral analytics in cybersecurity, or user and entity behavioral analytics (UEBA), has never been more important. That role is even more critical for schools, government agencies, and hospitals and other healthcare facilities. These entities play crucial roles in our day-to-day lives but operate with limited resources. They tend to have smaller cybersecurity teams and less money, amplifying the potential perils of a breach. In fact, the smaller the team, the greater the need for UEBA, which has a number of benefits.

**Weeds Out the Noise **

In the absence of behavioral analytics, every login and machine connection can result in an alert for the SOC. Without the ability to differentiate true threats from false positives, every threat detected is treated with high priority, which may cause the true positives to either get missed or not be addressed in a timely fashion. In places like schools, government offices, and medical facilities the consequences of missing an actual threat are monumental. These establishments thrive on their reputation while accumulating critical information that could mean life or death for a person.   

The danger of alert fatigue is real, causing SOC analysts to eventually ignore certain signals or attempt to address them all with no sense of which ones indicate actual risk. UEBA tracks access patterns across people, machines, and systems; eventually detecting and alerting the SOC only when there's a true risk. Not only does this approach cut out alert noise, it also limits the information bombarding the security team, reduces false positives, and virtually eliminates alert fatigue so analysts can focus on important alerts. Using behavioral analytics to detect the patterns that are normal makes it much easier to spot the ones that aren't. 

**Allows for Prioritization**

Using UEBA is already a no-brainer for many SOCs, but it has not been implemented for most hospitals, government institutions, and schools. Analyzing behavior patterns could have an even bigger payoff for those types of entities, in part because their teams are small. With a fully functioning, automated UEBA system, analysts know alerts are far more likely to be credible and worth their time to investigate. 

When discussing pattern detection and automation, AI naturally springs to mind. This makes perfect sense because UEBA is an excellent use case for AI. The kind of public sector/public good entities that have the most limited resources are best suited to leverage the power of AI combined with UEBA. It could virtually eliminate the disadvantage of fewer resources because a well-trained AI would only surface credible threats for human vetting. AI is not susceptible to alert fatigue, burnout, or the lure of a higher salary elsewhere. An automated system may be able to handle threat response, however its greatest potential lies in prioritizing potential threats for SOC analysts to analyze them more efficiently. This saves engineers and analysts countless hours, since they do not have to craft rules and queries to achieve the desired outcome.

**Reduces Risk **

It may be difficult for some executives to wrap their heads around placing an automated system at the heart of their security operations. Some worry about all the company data being in one place. Others fear AI might miss something, but it seems that the risk of a small and overwhelmed team subject to burnout is greater. While it's possible for a problem to surface with AI, it's more likely that a problem will arise with stressed out people.  

Some companies have already seen the benefit of involving AI in their security operations. About 70% of those that responded to a Vectra AI survey said AI has already reduced burnout and increased threat detection and response abilities. Imagine moving the needle that much for the places that instruct our kids, provide healthcare, and keep the lights on. 

**About the Author**

Adjunct Professor of Cyber Studies, University of Tulsa

Jackie Wyatt is an adjunct professor of cyber studies at the University of Tulsa and a cybersecurity operations analyst at QuikTrip. Jackie received a master’s degree in cybersecurity from Maryville University. She holds the Certified Enterprise Defender (GCED) certification and Coin from SANS, marking her as an expert in network defense and incident response. Her combination of advanced education and hands-on experience makes her a valuable figure in the cybersecurity field.

Latest News