Government ministries keep falling victim to relatively standard-fare cyber-espionage attacks, like this latest campaign with hazy Chinese links.

Source: Mint Images Limited via Alamy Stock Photo

A Chinese-language advanced persistent threat (APT) has been spying on government ministries across the eastern hemisphere.

The first signs of it date back to late August of last year. Back then, the as-yet-unidentified group began to use a modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," to spy on targets in South Korea, as well as the Ministry of Foreign Affairs in Uzbekistan. Since then, Cisco Talos revealed in a new blog post, the group now called "SneakyChef" has been cooking up new campaigns across more countries.

Based on its lure documents, likely targets for the campaign have included:

*   Ministries of foreign affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
    
*   The ministries of agriculture and forestry, and fisheries and marine resources in Angola
    
*   The Saudi Arabian embassy in Abu Dhabi
    

Talos has not attributed SneakyChef to any particular government itself. They did note, however, the Chinese language preferences present in its code, its use of SugarGh0st RAT — particularly, though not exclusively popular among Chinese threat actors — and the similar profile of its targets.

**Sneaky Chef's Latest Servings**

Where early campaigns utilized malicious RAR files embedded in LNK files for initial infection, now SneakyChef prefers self-extracting RARs (SFX RAR). The shift offers some modest benefits.

"RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to be able to extract the file," explains Nick Biasani, Cisco Talos' head of outreach. "A self-extracting RAR file eliminates the need for extra software, so it probably increases the likelihood of infection."

Among the goodies SFX RAR drops: a decoy document, a dynamic link library (DLL) loader, some encrypted malware — either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT — and a malicious Visual Basic (VB) script for establishing persistence.

The decoys are legitimate, scanned documents relating in some way to the targeted ministry or embassy. They'll describe some kind of government business, most often an upcoming meeting or conference. Notably, Talos was unable to find any of the documents used in recent campaigns on the open web. (This might indicate they were themselves obtained via espionage.)

When it comes to government cyberespionage, "What we commonly see is that this would be the 'first wave.' This actor is not typically highly sophisticated, they're more aiming to send a lot of lures and get a lot of people infected so they can get initial footholds and start gathering data," Biasani says. Then, when they need access to a specific, extra-secured government body. "That's when you start seeing the more sophisticated elements of these attacks play out."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st

PRESS RELEASE

June 18, 2024 – FS-ISAC, the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, today announced its 2024 Board of Directors.

Four new Directors and two incumbents have been named to join nine existing Board Directors. The Board oversees FS-ISAC’s global activity and coordinates with FS-ISAC’s Europe Board of Directors and UK Strategic Subsidiary Board. Kris Fador, Chief Information Security Officer for Bank of America, will serve as the Board’s Chair.

The newly elected Directors are:

*   Kristina Dorville, Chief Information Security Officer, Truist Insurance Holdings
    
*   Debbie Janeczek, Chief Security Officer, Technology Executive, Swift
    
*   Susan Koski, Chief Information Security Officer and Head of Enterprise Information Security, PNC
    
*   Bethany Netzel, Managing Director, Operational Resilience and Global Security, CME Group
    
*   The two re-elected incumbents are:
    
*   Kyle Davis, Cyber Fusion Center Principal, Target Corporation
    
*   Steve Sparkes, Chief Information Security Officer, Scotiabank
    

“FS-ISAC’s work is critical in educating the financial services industry on the latest cybersecurity threats and developing best practices to ensure the trust of clients, customers, regulators, investors and other key stakeholders,” said Kris Fador, Chief Information Security Officer for Bank of America. “It’s a privilege to chair this important organization and have this elite group of top security experts join the FS-ISAC Board of Directors to help strengthen the security of the global financial system.”

"The financial services sector is extremely dynamic and FS-ISAC provides critical information and intelligence sharing that strengthens our collective practices and resilience," said Bethany Netzel, Managing Director of Operational Resilience and Global Security at CME Group. "I am pleased to join the FS-ISAC board and work alongside other industry leaders to maintain our strong relationships and manage evolving risks."

Elections took place during a critical year for the financial services industry, marked by rapidly evolving technology and rising geopolitical tension. The deep cybersecurity and resilience expertise of the Board will directly support FS-ISAC’s work in real-time information sharing, strategic incident response, and managing emerging risks. 

“Through nearly a decade of working with FS-ISAC, I’ve seen first-hand the value of global information sharing in defending the sector from escalating cyber threats,” said Debbie Janeczek, Chief Security Officer, Swift. “We must employ a multifaceted approach that encompasses technical solutions, strategic preparation, and industry collaboration to defend against the changing threat landscape. I look forward to continuing my service of protecting the financial sector in this capacity.”

“With the increased use of digital technology in the financial services industry, the work of FS-ISAC is paramount to protecting financial institutions and their clients against global cyber threats,” said Steve Sparkes, EVP, Chief Information Security Officer and Enterprise Platforms, Scotiabank. “I am proud to have been re-elected to the FS-ISAC board, which brings together professionals in support of cyber resilience through the shared commitment of protecting client data.”

“The complexity of the risks facing the financial sector continues to grow, and our Board of Directors ensures our work evolves in accordance with the needs of our member firms and the people they serve,” said Steven Silberstein, CEO, FS-ISAC. “I welcome the new additions to the Board as we work together to reinforce trust in the global financial system.”

Board candidates submit applications to the Board Nominating Committee, who then nominate a slate chosen for leadership qualifications, demonstrated commitment to FS-ISAC’s work, and diversity of skillset, experience, sub-sector, geography, and background. The nominees are then elected by FS-ISAC’s membership. 

FS-ISAC thanks the Directors at the end of their term for their contributions and continued commitment to ensuring the security of the global financial services sector. 

Join the new Board of Directors at FS-ISAC’s Americas Fall Summit in Atlanta, October 27 – 30, 2024. To register, click here. 

About FS-ISAC

FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization’s real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defenses. Member financial firms represent $100 trillion in assets in 75 countries.

FS-ISAC Announces Appointments to Global Board of Directors

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Inside China's civilian hacker army; outer space threats; and NIST 2.0 Framework secrets for success.

Source: Emre Akkoyun via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   France Seeks to Protect National Interests With Bid for Atos Cybersec
    
*   Multifactor Authentication Is Not Enough to Protect Cloud Data
    
*   Global: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense
    
*   Catching Up on Innovation With NIST CSF 2.0
    
*   Space: The Final Frontier for Cyberattacks
    
*   Addressing Misinformation in Critical Infrastructure Security
    

**France Seeks to Protect National Interests With Bid for Atos Cybersec**

By Jai Vijayan, Contributing Writer, Dark Reading

By offering to buy Atos' big data and cybersecurity operations. Paris is trying to make sure key technologies do not fall under foreign control.

The government of France's recent bid to acquire the big data and cybersecurity division of Atos for some $750 million is an indication of the financially beleaguered company's vital importance to the country's defense interests.

It's a move that analysts say is about retaining domestic control over technology integrated into sensitive government, defense industrial base systems, supercomputers for simulating nuclear bomb tests, and a range of other critical infrastructure. Atos is also the primary cybersecurity provider to the upcoming Olympic Games in Paris.

Importantly, if the deal goes through, the French government will have a direct stake in a company that can help significantly bolster its technology and cybersecurity capabilities. "It makes sense for the French government to upgrade its defenses," says Mike Janke, co-founder of DataTribe. "For years, we have seen governments invest in critical companies through numerous means, but it has been rare for them to buy a company. We'll see if this emerges as a trend."

Read more: France Seeks to Protect National Interests With Bid for Atos Cybersec

Related: Airbus Calls Off Planned Acquisition of Atos Cybersecurity Group

**Multifactor Authentication Is Not Enough to Protect Cloud Data**

By Robert Lemos, Contributing Writer, Dark Reading

Ticketmaster, Santander Bank, and other large firms have suffered data leaks from a large cloud-based service, underscoring that companies need to pay attention to authentication.

Over the past month a ransom gang possibly related to ShinyHunters or Scattered Spider, stole reams of customer records from Ticketmaster and Santander Bank and put it up for sale, asking for millions for the data. Both companies acknowledged the breaches after the postings.

The cause of the data leaks — and at least 163 other breaches — appears not be the use of stolen credentials and poor controls on multifactor authentication (MFA) for Snowflake cloud accounts.

But, while the theft of data from Snowflake's systems could have been prevented by MFA, the companies' failures go beyond the lack of that single control. Businesses using cloud services can learn important lessons from the latest spate of cloud breaches, researchers stress.

Read more: Multifactor Authentication Is Not Enough to Protect Cloud Data

Related: Snowflake Cloud Accounts Felled by Rampant Credential Issues

**Global: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense**

By Robert Lemos, Contributing Writer, Dark Reading

With the requirement that all vulnerabilities first get reported to the Chinese government, once-private vulnerability research has become a goldmine for China's offensive cybersecurity programs.

China's cybersecurity experts over the past decade have evolved from hesitant participants in global capture-the-flag competitions, exploit contests, and bug bounty programs to dominant players in these arenas — and the Chinese government is applying those spoils toward stronger cyber-offensive capabilities for the nation.

Its civilian hackers have directly benefited China's cyber-offensive programs and are one example of the success of China's cybersecurity pipeline, which the government created through its requirement that all vulnerabilities be directly reported to government authorities, says Eugenio Benincasa, senior researcher at the Center for Security Studies (CSS) at ETH Zurich, in a new report.

"By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government leverages its civilian vulnerability researchers, among the best globally, on a large scale and at no cost," he says.

Read more: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense

Related: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia

**Catching Up on Innovation With NIST CSF 2.0**

Commentary by Jamie Moles, Senior Technical Manager, ExtraHop

The updated framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation.

The National Institute of Standards and Technology's Cybersecurity Framework 2.0 (NIST CSF 2.0) provides an important roadmap for reexamining security initiatives, fending off evolving threats, and preparing to meet today's innovations with a more guided approach. While just a framework, it can be used to inform three critical changes all organizations should make in the year ahead.

1\. Building a New Approach to Securing Infrastructure: A strong governance strategy establishes all people, process, and organizational concerns for cybersecurity. This includes the development of a cybersecurity strategy and policies, oversight for the strategy and policies, controls for supply chain, and more.

2\. Investing to Fit Specific Business Needs: NIST CSF 2.0 can help determine areas and levels of risk, and from there, organizations can decide on the right solutions.

3\. Developing an Organizationwide Approach to Security Hygiene: While the right tools are essential, a critical part of NIST CSF 2.0's "Protect" focuses on awareness, training, and identity and access management as critical safeguards to managing risk.

Read more: Catching Up on Innovation With NIST CSF 2.0

Related: NIST Releases Cybersecurity Framework 2.0

**Space: The Final Frontier for Cyberattacks**

By Jai Vijayan, Contributing Writer, Dark Reading

A failure to imagine — and prepare for — threats to outer-space related assets could be a huge mistake at a time when nation-states and private companies are rushing to deploy devices in a frantic new space race.

A distributed denial-of-service (DDoS) attack this week disabled electronic door locks across a major lunar settlement, trapping dozens of people indoors and locking out many more in lethal cold. The threat actor behind the attack is believed responsible for also commandeering a swarm of decades-old CubeSats last year and attempting to use them to trigger a chain reaction of potentially devastating satellite crashes.

Neither "incident" has happened, of course. Yet. But they well could, sometime in the not-too-distant future, and now is the time to start thinking about and planning for them.

Assessing capabilities in cybersecurity is never easy, and it’s even worse for the space domain because of the inherent national-security concerns that may classify much of that information. Space cybersecurity is shrouded in mystery from the start, which isn't surprising since space launches started as military missions.

But security by obscurity will not be an option for long.

Read more: Space: The Final Frontier for Cyberattacks

Related: The European Space Agency Explores Cybersecurity for Space Industry

**Addressing Misinformation in Critical Infrastructure Security**

By Roman Arutyunov, Co-Founder & Senior Vice President, Products, Xage Security

As the lines between the physical and digital realms blur, widespread understanding of cyber threats to critical infrastructure is of paramount importance.

The Francis Scott Key Bridge collapse in Baltimore, Md., in late March sent shockwaves through the country. Almost immediately, there was widespread speculation and conspiracy theories regarding its cause, including fears of a cyberattack. Although investigations ruled out deliberate sabotage, the incident raised public concern about the vulnerability of physical infrastructure. Some members of Congress even called for further investigation into the possibility of malicious code being involved.

The incident highlighted a general lack of awareness regarding the reality and scale of cyber-risks to critical infrastructure. While physical incidents capture headlines and public attention, silent, invisible attacks on critical infrastructure remain poorly understood.

Theorizing can distort public understanding of cyber threats, undermine trust in legitimate news sources, and complicate efforts to educate the public and stakeholders about the fundamental nature of cyber threats and the necessary precautions to mitigate them. The public's reaction to the Francis Scott Key Bridge collapse demonstrates the collective anxiety about cyber threats to critical infrastructure.

Read more: Addressing Misinformation in Critical Infrastructure Security

Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

CISO Corner: Critical Infrastructure Misinformation; France's Atos Bid

PRESS RELEASE

DALLAS and TOKYO, June 18, 2024— VicOne, an automotive cybersecurity solutions leader, today announced that its xNexus and xZETA solutions are available in AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS). xNexus is a next-generation vehicle security operations center (VSOC) platform and xZETA is an automotive vulnerability and software bill of materials (SBOM) management system. These safeguard the automotive software supply chain with unique zero-day threat intelligence, providing accurate, contextualized, and actionable insights for risk assessment.

AWS customers will now have access to VicOne’s solutions directly within AWS Marketplace. VicOne provides AWS customers with the ability to streamline the purchase and management of xNexus and xZETA within their AWS Marketplace account. 

“In various ways, our listing in AWS Marketplace is another of our efforts to help automotive manufacturers to securely put in place all of the many high-quality solutions they need across a globally scoped software supply chain for SDVs (software-defined vehicles),” said Max Cheng, chief executive officer of VicOne. “By accessing VicOne solutions, customers, MSSPs (managed security service providers) and other partners can more efficiently and simply offer our products to protect the automotive software supply chain against zero-day vulnerabilities and cyberattacks.” 

xNexus integrates with VicOne’s in-vehicle VSOC sensor, leveraging a unique large language modeling (LLM) approach to provide customized reporting to support VSOC teams. xNexus provides VSOC teams with actionable and contextualized attack paths based on different stakeholders’ needs. The capabilities delivered by VicOne’s next-gen VSOC platform accelerate threat investigations, enable confident response to attacks, and effectively reduce the burden of chasing false alarms. 

xZETA is an automotive vulnerability and SBOM management system that scans vehicle software to identify zero-day, undisclosed, known, and customer-discovered vulnerabilities, along with CWE, malware, and advanced persistent threats. Through xZETA’s patent-pending VicOne Vulnerability Impact Rating (VVIR) technology, external and internal insights are integrated to prioritize high-risk vulnerabilities. This enables swift identification of high-risk issues and formulation of corresponding strategies. Information feeds back into Threat Analysis and Risk Assessment (TARA) results to ensure alignment with ISO/SAE 21434 processes and maintain continuous monitoring.

Services will be available in Japan as soon as it is ready.

To learn more about the VicOne solutions available in AWS Marketplace, please visit here.

About VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers and suppliers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro’s 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit vicone.com.

You May Also Like

VicOne Solutions for Detection of Zero-Day Vulnerabilities and Contextualized Attack Paths

The nonprofit Security Alliance is providing funds to protect security researchers who illegally access crypto assets with the aim of improving security.

Source: Nazarii Karkhut via Alamy Stock Photo

Thieves have stolen cryptocurrency worth billions of dollars from cryptocurrency exchanges and wallets. As security researchers probe the defenses of cryptocurrency platforms, an industry group is partnering with the Security Research Legal Defense Fund to ensure that these researchers are protected from legal threats.

In February, platforms including the Ethereum and Filecoin foundations; crypto-focused venture funds, like Paradigm and a16z crypto; and others — which have been battered by successive years with multibillion-dollar heists — formed the nonprofit Security Alliance to address the specific security needs of their industry. The group has launched various initiatives to improve companies' resilience, such as the emergency response bot Seal 911, the Security Alliance Information Sharing and Analysis Center, and now the Whitehat Legal Defense Fund.

Researchers who follow the principles of the Whitehat Safe Harbor Agreement and face legal expenses incurred by their actions can apply to the Security Research Legal Defense Fund (SRLDF) for money earmarked by crypto donors. To be eligible, the researcher must show financial need, have hacked in good faith for the purposes of vulnerability disclosure, and aimed to avoid harm to the public with the goal of improving the security of computers or software. The SRLDF board must approve any funding decisions.

While discerning the difference between good-faith and bad-faith efforts might, in theory, seem difficult, in practice bad-faith actors tend to make themselves clear. Earlier this week, for example, the Kraken crypto-trading platform alleged that a security researcher found a security flaw and filed for a bug bounty, but also refused to return funds stolen as part of testing the concept. That application for legal funding would probably not fare well.

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Legal Defense Fund Covers Crypto Research

Experts aren’t unanimous about whether the AI-powered search startup’s practices could expose it to legal claims ranging from infringement to defamation—but some say plaintiffs would have strong cases.

Earlier this week, WIRED published a story about the AI-powered search startup Perplexity, which Forbes has accused of plagiarism. In it, my colleague Dhruv Mehrotra and I reported that the company was surreptitiously scraping, using crawlers to visit and download parts of websites from which developers had tried to block it, in violation of its own publicly stated policy of honoring the Robots Exclusion Protocol.

Our findings, as well as those of the developer Robb Knight, identified a specific IP address almost certainly linked to Perplexity and not listed in its public IP range, which we observed scraping test sites in apparent response to prompts given to the company’s public-facing chatbot. According to server logs, that same IP visited properties belonging to Condé Nast, the media company that owns WIRED, at least 822 times in the past three months—likely a significant undercount, because the company retains only a small portion of its records.

We also reported that the chatbot was bullshitting, in the technical sense. In one experiment, it generated text about a girl following a trail of mushrooms when asked to summarize the content of a website that its agent did not, according to server logs, attempt to access.

Perplexity and its CEO, Aravind Srinivas, did not substantively dispute the specifics of WIRED’s reporting. “The questions from WIRED reflect a deep and fundamental misunderstanding of how Perplexity and the Internet work,” Srinivas said in a statement. Backed by Jeff Bezos’ family office and by Nvidia, among others, Perplexity has said it is worth a billion dollars based on its most recent fundraising round, and The Information reported last month that it was in talks for a new round that would value it at $3 billion. (Bezos did not reply to an email; Nvidia declined to comment.)

After we published the story, I prompted three leading chatbots to tell me about the story. OpenAI’s ChatGPT and Anthropic’s Claude generated text offering hypotheses about the story’s subject but noted that they had no access to the article. The Perplexity chatbot produced a six-paragraph, 287-word text closely summarizing the conclusions of the story and the evidence used to reach them. (According to WIRED's server logs, the same bot observed in our and Knight’s findings, which is almost certainly linked to Perplexity but is not in its publicly listed IP range, attempted to access the article the day it was published, but was met with a 404 response. The company doesn't retain all its traffic logs, so this is not necessarily a complete picture of the bot's activity, or that of other Perplexity agents.) The original story is linked at the top of the generated text, and a small gray circle links out to the original following each of the last five paragraphs. The last third of the fifth paragraph exactly reproduces a sentence from the original: “Instead, it invented a story about a young girl named Amelia who follows a trail of glowing mushrooms in a magical forest called Whisper Woods.”

This struck me and my colleagues as plagiarism. It certainly appears to satisfy the criteria set out by Poynter Institute—including, perhaps most stringently, the seven-to-10 word test, which proposes that it’s “hard to incidentally replicate seven consecutive words that appear in another author’s work.” (Kelly McBride, a Poynter SVP who has described this test as being useful in identifying plagiarism, did not reply to an email.)

“If one of my students turned in a story like this, I would take them before the academic dishonesty committee for plagiarism,” said John Schwartz, professor of practice at the University of Texas at Austin’s journalism school, after reading the original story and the summary. “I find this just too close. When I was reading the Perplexity version, I just thought, there’s an echo in here.”

Perplexity and Srinivas, the company’s CEO, did not respond to a detailed request for comment in which they were presented with the criticisms experts made of the company for this story.

Bill Grueskin, professor of professional practice at Columbia Journalism School, wrote in an email that the summary looked to be “pretty much ok” for a chatbot identified as such, but that it was hard to say because he hadn’t had time to read the original WIRED story. “Quoting a sentence verbatim without quote marks is bad, of course,” he wrote. “I'd be pretty mortified if a news org ran an AI summary like this without disclosing the source—or worse, pretending it came from a human.” (Perplexity, of course, isn’t claiming this material came from a human.)

Perhaps luckily for Perplexity and its backers, this is a literal academic debate. Plagiarism is a concept pertaining to professional ethics, important in contexts like journalism and academia where being able to identify the source of information is of fundamental importance but of no legal significance in itself. If a rival studio releases a film containing a reasonable chunk of footage from _Inside Out 2_, Disney would sue not for plagiarism but for copyright infringement; similarly, a letter Forbes reportedly sent Perplexity threatening legal action is said to mention “willful infringement” of Forbes’ copyrights. Here, legal experts say, Perplexity is on somewhat safer ground—probably.

“In terms of the copyright, this is a tough call,” says James Grimmelmann, professor of digital and information law at Cornell University. On one hand, he argues, the summary is reporting facts, which cannot be copyrighted; but on the other, it does partially duplicate the original and summarize the details found in it. “It’s not a slam dunk copyright case, but it’s not trivial, either. It’s not frivolous.”

Grimmelmann sees a host of potential issues for Perplexity, among them consumer protection, unfair advertising, or deceptive trade practices claims he believes could be made against a company that says it respects the Robots Exclusion Protocol but doesn’t follow it. (The standard is voluntary but widely adhered to.) He also thinks it could be vulnerable to a claim of misappropriation of hot news, in which a publisher argues that a competitor summarizing its material before it’s had a chance to commercially benefit from it, or in a way that undermines its value to paying subscribers, is infringing on its copyright. Perplexity’s evident ability to circumvent paywalls “is a bad fact for them,” he says, as is the fact that its system is automated.

Grimmelmann also says that Perplexity may be forfeiting the protection of Section 230 of the Communications Decency Act. This is the law that, among other things, protects search engines like Google from liability for defamation when they link to defamatory content because they are services passing on information from other content providers; as he sees it, Perplexity is similarly shielded as long as it accurately summarizes material. (Whether AI-generated material enjoys 230 protection at all is a matter of debate.)

“They’d only get in trouble if they summarized the story incorrectly and made it defamatory when it wasn’t before. That’s something that they actually would be at legal risk for, especially if they don’t credit the original source clearly enough and people can’t easily go to that source to check,” he says. “If Perplexity’s edits are what make the story defamatory, 230 doesn’t cover that, under a bunch of case law interpreting it.”

In one case WIRED observed, Perplexity’s chatbot did falsely claim, albeit while prominently linking to the original source, that WIRED had reported that a specific police officer in California had committed a crime. (“We have been very upfront that answers will not be accurate 100% of the time and may hallucinate,” Srinivas said in response to questions for the story we ran earlier this week, “but a core aspect of our mission is to continue improving on accuracy and the user experience.”)

“If you want to be formal,” says Grimmelmann, “I think this is a set of claims that would get past a motion to dismiss on a bunch of theories. Not saying it will win in the end, but if the facts bear out what Forbes and WIRED, the police officer—a bunch of possible plaintiffs—allege, they are the kinds of things that, if proven and other facts were bad for Perplexity, could lead to liability.”

Not all experts agree with Grimmelmann. Pam Samuelson, professor of law and information at UC Berkeley, writes in an email that copyright infringement is “about use of another’s expression in a way that undercuts the author’s ability to get appropriate remuneration for the value of the unauthorized use. One sentence verbatim is probably not infringement.”

Bhamati Viswanathan, a faculty fellow at New England Law, says she’s skeptical the summary passes a threshold of substantial similarity usually necessary for a successful infringement claim, though she doesn’t think that’s the end of the matter. “It certainly should not pass the sniff test,” she wrote in an email. “I would argue that it should be enough to get your case past the motion to dismiss threshold—particularly given all the signs you had of actual stuff being copied.”

In all, though, she argues that focusing on the narrow technical merits of such claims may not be the right way to think about things, as tech companies can adjust their practices to honor the letter of dated copyright laws while still grossly violating their purpose. She believes an entirely new legal framework may be necessary to correct for market distortions and promote the underlying aims of US intellectual property law, among them to allow people to financially benefit from original creative work like journalism so that they’ll be incentivized to produce it—with, in theory, benefits to society.

“There are, in my opinion, strong arguments to support the intuition that generative AI is predicated upon large scale copyright infringement,” she writes. “The opening ante question is, where do we go from there? And the greater question in the long run is, how do we ensure that creators and creative economies survive? Ironically, AI is teaching us that creativity is more valuable and in demand than ever. But even as we recognize this, we see the potential for undermining, and ultimately eviscerating, the ecosystems that enable creators to make a living from their work. That’s the conundrum we need to solve—not eventually, but now.”

Perplexity Plagiarized Our Story About How Perplexity Is a Bullshit Machine

Ticketmaster, Santander Bank, and other large firms have suffered data leaks from a large cloud-based service, underscoring that companies need to pay attention to authentication.

Source: Frost79 via Shutterstock

A cybercriminals group known as UNC5537 has been on a tear.

Over the past month, the ransom gang, possibly related to ShinyHunters or Scattered Spider, stole more than 560 million customer records from Ticketmaster and posted it for sale on its reconstituted leak site, BreachForums, on May 28, asking for $500,000. Two days later, the group claimed to have stolen 30 millions account records from Spain-based Santander Bank, asking for a cool $2 million. Both companies acknowledged the breaches after the postings.

The cause of the data leaks — and at least 163 other breaches — appears not to be a vulnerability but the use of stolen credentials and poor controls on multifactor authentication (MFA), according to a June 10 analysis by incident-response firm Mandiant, part of Google.

"Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment," Mandiant stated in its analysis. "Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials."

While the theft of data from Snowflake's systems could have been prevented by MFA, the companies' failures go beyond the lack of that single control. Businesses using cloud services need to make sure that they have visibility into their attack surfaces, quickly removing the accounts of former employees and contractors and reducing the avenues through which opportunistic attackers could compromise systems, networks, or services, says Chris Morgan, senior cyber threat intelligence analyst at cloud-native security platform provider ReliaQuest.

"The biggest lesson learned is that threat actors do not need to employ sophisticated techniques," he says. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities."

Here are five lessons from the latest spate of cloud breaches.

**1\. Start With MFA and Then Go Beyond**

There is a lot of room for growth in the adoption of MFA. While 64% of workers and 90% of administrators used MFA, according to a report released a year ago, more than six out of every 10 organizations have at least one root user or administrator without MFA enabled on an account, according to Orca Security's "2024 State of Cloud report."

Businesses need to get to a consistent — and verifiable — 100%, says Ofer Maor, co-founder and chief technology officer at cloud-security firm Mitiga.

Companies should "make sure MFA is enforced and required, and if using \[single sign-on\], make sure non-SSO login is disabled," he says. "Go beyond traditional MFA \[and\] turn on additional security measures, such as device- \[or\] hardware-based authentication for sensitive infrastructure."

Organizations should also put access control lists (ACLs) in place, restricting where users can access a cloud service or at least enabling reviews of access logs on a daily basis to spot any anomalies.

This further limits the ability of cyberattackers, says Jake Williams, faculty analyst and cybersecurity practitioner at analyst firm IANS Research.

"Really, for pretty much any cloud infrastructure ... it is a best practice to restrict what IP addresses folks can come from," he says. "If you can't, then access reviews are all the more important to make sure that people aren't coming from someplace you don't expect."

**3\. Maximize Visibility Into Cloud Services**

Companies need to also have a meaningful way of continuously monitoring for applications. Log data, access activity, and services that aggregate data sources into a complete picture can help companies detect and prevent attacks, like those on Snowflake.

In addition, organizations need to be able to alert on specific behavior or threat detections — an approach that would have detected the cybercriminals' attempts at accessing their cloud data, says Brian Soby, CTO and co-founder at AppOmni, a software-as-a-service security posture management firm.

"While security operations teams are spread thin and generally don't have the opportunity to develop deep expertise in the various applications used by their companies, their tooling and security platforms should have quickly identified these issues," he says. "In this scenario, there were certainly anomalous logins from unusual locations and the connection of highly questionable attacker applications to customer Snowflake instances."

**4\. Don't Rely on Your Cloud Providers' Defaults**

While cloud-service providers like to emphasize that security is a shared responsibility model, unless an attacker breaches the cloud provider's infrastructure or software — such as in last year's vulnerabilities in Progress Software's MoveIT Cloud service and MoveIT Transfer software — the responsibility almost always falls onto the customer.

Yet, often cloud providers prioritize usability over security, so companies should not rely on their providers' defaults to be secure. There is a lot that Snowflake, for example, could have done to make managing MFA easier, include turning on the security control by default, says Mitiga's Maor.

"What enables this attack to be successful, and at this scale, is that the default setting of Snowflake accounts does not require MFA, meaning once you get a compromised username and password, you can get full access immediately," he says. "Normally, high-sensitivity platforms would require users to enable MFA. Snowflake not only does not require MFA but also makes it very hard for administrators to enforce this."

**5\. Check Your Third Parties**

Finally, companies should also note that — even if they are not using Snowflake or another cloud service — a third-party provider may use the service for its back end, exposing their data to risk, says IANS Research's Williams.

"Your data may be in Snowflake, even if you're not using it," he says. "That's the complexities of supply chains today ... you're giving your data to a third-party service provider, who is then putting it into Snowflake and may or may not be using best practices."

Organizations should reach out to all of their service providers with access to their data and ensure that they are taking the proper steps to protect that information, Williams says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Multifactor Authentication Is Not Enough to Protect Cloud Data

A cybercriminals is giving 1 million data records from the Ticketmaster breach away for free, saying that Ticketmaster refused to pay

The cybercriminal acting under the name “Sp1d3r” gave away the first 1 million records that are part of the data set that they claimed to have stolen from Ticketmaster/Live Nation. The files were released without a price, for free.

When Malwarebytes Labs first learned about this data breach, it happened to be the first major event that was shared on the resurrected BreachForums, and someone acting under the handle “ShinyHunters” offered the full details (name, address, email, phone) of 560 million customers for sale.

The same data set was offered for sale in an almost identical post on another forum by someone using the handle “SpidermanData.” This could be the same person or a member of the ShinyHunters group.

Following this event, Malwarebytes Labs advised readers on how to respond and stay safe. Importantly, even when a breach isn’t a “breach”—in that immediate moment when the details have yet to be confirmed and a breach subject is readying its public statements—the very news of the suspected breach can be used by advantageous cybercriminals as a phishing lure.

Later, Ticketmaster confirmed the data breach.

Bleeping Computer spoke to ShinyHunters who said they already had interested buyers. Now, Sp1d3r, who was seen posting earlier about Advance Auto Parts customer data and Truist Bank data, has released 1 million Ticketmaster related data records for free.

Post by Sp1d3r

In a post on BreachForums, Sp1d3r said:

> “Ticketmaster will not respond to request to buy data from us.
> 
> They care not for the privacy of 680 million customers, so give you the first 1 million users free.”

The cybercriminals that are active on those forums will jump at the occasion and undoubtedly try to monetize those records. This likely means that innocent users that are included in the first million released records could receive a heavy volume of spam and phishing emails in the coming days.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your exposure**

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 First million breached Ticketmaster records released for free 

### Impact

The LDAP testing endpoint allows to change the Connection URL independently of and without having to re-enter the currently configured LDAP bind credentials. An attacker with admin access (permission manage-realm) can change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker.
As a consequence, an attacker who has compromised the admin console/compromised a user with sufficient privileges can leak domain credentials and can now attack the domain.

### Acknowledgements

Special thanks to Simon Wessling for reporting this issue and helping us improve our project

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-5967

**Keycloak leaks configured LDAP bind credentials through the Keycloak admin console**

Low severity GitHub Reviewed Published Jun 21, 2024 in keycloak/keycloak • Updated Jun 21, 2024

**Package**

maven org.keycloak:keycloak-ldap-federation (Maven)

**Affected versions**

\= 25.0.0

<= 22.0.11

\>= 23.0.0, <= 24.0.5

**Patched versions**

25.0.1

22.0.12

24.0.6

**Impact**

The LDAP testing endpoint allows to change the Connection URL independently of and without having to re-enter the currently configured LDAP bind credentials. An attacker with admin access (permission manage-realm) can change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker.  
As a consequence, an attacker who has compromised the admin console/compromised a user with sufficient privileges can leak domain credentials and can now attack the domain.

**Acknowledgements**

Special thanks to Simon Wessling for reporting this issue and helping us improve our project

**References**

*   GHSA-c25h-c27q-5qpv
*   https://nvd.nist.gov/vuln/detail/CVE-2024-5967
*   https://access.redhat.com/security/cve/CVE-2024-5967
*   https://bugzilla.redhat.com/show\_bug.cgi?id=2292200

Published to the GitHub Advisory Database

Jun 21, 2024

Last updated

Jun 21, 2024

GHSA-c25h-c27q-5qpv: Keycloak leaks configured LDAP bind credentials through the Keycloak admin console

Audit compliance not only demonstrates commitment to data security and privacy but also builds trust with customers and stakeholders.

Jason Miller, No-code Evangelist & Principal Consultant, Creatio

June 21, 2024

4 Min Read

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

The data collected through the growing adoption of digital technologies presents enterprises with a chance to enhance their engagement strategies and a gives them a duty to ensure the security of customer information.  

A recent survey conducted by McKinsey shows the growing awareness among consumers about privacy rights, with 87% of respondents indicating they would not do business with an organization if they had concerns about its security practices. Given this increasing public awareness, the approach businesses take toward managing data and privacy can serve as a key differentiator and even provide a strategic advantage in the marketplace.  

Service Organization Control 2 (SOC 2) is an auditing procedure that ensures service providers securely manage data to protect the privacy of their clients and the interests of the organization. It serves as a benchmark for service-oriented businesses to showcase their dedication to the highest standards of data security. 

**Steps Toward SOC 2 Type II Compliance**

Achieving SOC 2 Type II compliance can be a daunting task. Here's a comprehensive road map to assist companies in navigating this journey more smoothly: 

**1\. Understand the Requirements  **

Understanding the specific requirements of SOC 2 Type II involves familiarizing yourself with the five trust service criteria (TSC) — security, availability, processing integrity, confidentiality, and privacy — and determining which apply to your organization's operations. 

**2\. Conduct a Gap Analysis **

A thorough gap analysis, covering all aspects of your operations, from IT infrastructure to employee training programs, helps identify areas where your current controls may fall short of SOC 2 standards. Automate this process by collecting data across various systems and generating reports that highlight discrepancies between current practices and SOC 2 standards. 

**3\. Develop and Implement Controls **

Following your gap analysis, develop applications or workflows that address identified gaps without the need for extensive coding — including automating compliance processes, enhancing data protection measures, or streamlining access controls — making it easier to tailor solutions to your organization's specific needs.  

**4\. Document Policies and Procedures **

Documentation is a critical component of SOC 2 Type II compliance. It's not enough to have controls in place; you must also have documented policies and procedures that describe how these controls are implemented and maintained. Creating and managing documentation can help organize policies and procedures in an easily accessible manner, ensuring that they are up to date and readily available for both your team and auditors. 

**5\. Engage in Continuous Monitoring **

SOC 2 Type II requires evidence of continuous monitoring and effectiveness of controls over time. Set up automated monitoring systems to track the performance of your controls in real-time, alerting you to any issues immediately, which helps in maintaining continuous compliance and addressing problems promptly.

**6\. Choose a Qualified Auditor **

Selecting the right auditor is crucial for a successful SOC 2 Type II audit. Look for auditors with experience in your industry and a deep understanding of the SOC 2 framework. The right auditor will not only assess your compliance but can also provide insights that help improve your security posture. 

**7\. Prepare for the Audit **

Preparation is key to a successful audit. Organize documentation, controls evidence, and compliance reports in a centralized database. This ensures that all necessary information is easily accessible and can be presented efficiently during the audit. 

**8\. Continuous Improvement **

Compliance with SOC 2 Type II is not a one-time event but an ongoing commitment. By automating this process, you can enable quick adjustments to workflows, policies, and controls, allowing your organization to stay agile and adapt to new threats, regulatory changes, or business growth, without the need for extensive coding resources.  

**Secure the Future with Customers' Trust  **

Achieving SOC 2 Type II compliance is a significant undertaking, but enterprises can improve the efficiency and accuracy of audits by streamlining data collection, verification, and anomaly detection processes via unified workflow automation, automated reports and dashboards, and single-source data storage that eliminates out-of-sync or duplicate data. Audit compliance is an investment in a company's future. It not only demonstrates the commitment to data security and privacy but also builds trust with customers and stakeholders. By following these steps and fostering a culture of continuous improvement, organizations can navigate the SOC 2 Type II compliance process more effectively and establish themselves as leaders in data security.

**About the Author(s)**

No-code Evangelist & Principal Consultant, Creatio

Jason Miller is a digital leader and no-code evangelist who enables companies to improve their operations through no-code technology and helps drive value in their business workflows with a focus on productivity, automation, and higher customer engagement. With more than 15 years of experience in technological solutions spanning various industries, he has helped numerous organizations bring their projects to life by delivering a unique view into how the advent of digital technologies can vastly increase the pace of change in business environments.

Latest News