The networking company found liable for illegally gathering user data for targeted advertising by the Irish Data Protection Commission.

Source: Iain Masterton via Alamy Stock Photo

LinkedIn earned itself a €310 million ($335 million) fine by European Union regulators on Oct. 24 for its violations of the General Data Protection Regulation (GDPR) data privacy rules.

Ireland's Data Protection Commission (DPC) cited concerns regarding the lawfulness, fairness, and transparency of personal data processing for the professional networking site's advertising purposes.

As LinkedIn's lead privacy regulator, the DPC reported that it carried out an investigation and found that LinkedIn did not have lawful basis to be compiling data to target its users with ads, ultimately breaching GDPR. This investigation was launched following a complaint initially made by the French Data Protection Authority.

"The inquiry examined LinkedIn's processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members)," according to a DPC press release. "The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million."

LinkedIn asserts that it believes it has been in compliance with the rules but acknowledges that it will work to ensure its ad practices meet the requirements.

**About the Author**

LinkedIn Hit With $335M Fine for Data Privacy Violations

Kremlin intelligence carried out a wide-scale phishing campaign in contrast to its usual, more targeted operations.

Source: Design Pics Inc via Alamy Stock Photo

Russia's premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it's best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft's codebase and political targets across Europe, Africa, and beyond.

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" says Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."

Along these same lines, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from government, military, and private sector targets in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was actually spread across "a wide geography."

That APT29 would go after sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, though he adds that "the one thing that does kind of stray from the path would be its broad targeting, versus \[its typical more\] narrowly focused attacks."

**AWS and Microsoft**

The campaign, which dates back to August, was carried out using malicious domain names designed to seem like they were associated with Amazon Web Services (AWS). The emails sent from these domains pretended to advise recipients on how to integrate AWS with Microsoft services, and how to implement zero trust architecture.

Despite the masquerade, AWS itself reported that the attackers weren't after Amazon, or its customers' AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool that legitimate users and hackers alike use to operate computers remotely.

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection \[upfront\],'" Narang says.

Launching one of these malicious attachments would have immediately triggered an outgoing RDP connection to an APT29 server. But that wasn't all: The files also contained a number of other malicious parameters, such that when a connection was made, the attacker was given access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, with the added ability to run custom malicious scripts.

**Block RDP**

APT29 may not have used any legitimate AWS domains, but Amazon still managed to interrupt the campaign by seizing the group's malicious copycats.

For potential victims, CERT-UA recommends strict precautions: not just monitoring network logs for connections to IP addresses tied to APT29 but also analyzing all outgoing connections to all IP addresses on the wider Web through the end of the month.

And for organizations at risk in the future, Narang offers simpler advice. "First and foremost, don't allow RDP files to be received. You can block them at your email gateway. That's going to kneecap this whole thing," he says.

AWS declined to provide further comment for this story. Dark Reading has also reached out to Microsoft for its perspective.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Russia's APT29 Mimics AWS Domains to Steal Windows Credentials

Four companies — Avaya, Check Point, Mimecast, and Unisys — have been charged by the SEC for misleading disclosures in the aftermath of the 2020 SolarWinds compromise.

Source: Ascannio via Alamy Stock Photo

The initial attack might be years old, but regulators at the Securities and Exchange Commission (SEC) are still sifting through the details of the 2020 SolarWinds breach. This week, the SEC announced it has charged four companies for what the agency determined was an intentional effort to minimize the impact of the hack to their systems.

Unisys was dealt the largest civil penalty — $4 million — for its disclosure practices, as well as for controls violations.

"The SEC's order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data," the SEC announcement of the fines read. "The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls."

Unisys has not responded to Dark Reading's request for comment.

Avaya Holdings Corp. agreed to pay $1 million for its statements that admitted a threat actor has accessed what the company characterized at the time as a "limited number" of company email messages, but failed to mention the company was also aware that 145 files in its cloud environment were also compromised, according to the SEC.

Avaya, similarly to the other fined companies, said in its statement the company is glad to put this issue to rest.

"We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls," according to a statement from Avaya provided to Dark Reading. "Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."

Check Point was intentionally vague in its disclosures, according to the SEC, which fined the software company $995,000. Check Point's statement maintains the company acted earnestly but is glad to move on.

"The SEC's announcement concerns the same issue that we discussed in a 6-K from December 2023, regarding our settlement discussions on the 2020 SolarWinds Orion cyber vulnerability and the question of whether this should have been reported in Check Point's 2021 20-F Annual Report filing," the Check Point statement read. "As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world."

The SEC dealt the lightest penalty to Mimecast, which will pay $990,000, for "failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed," the SEC said.

Mimecast said in a statement that the company acted transparently, adding that it is no longer a publicly traded company under SEC jurisdiction, but nonetheless will continue to comply with the SEC enforcement.

"In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected," the Mimecast statement read. "We believed that we complied with our disclosure obligations based on the regulatory requirements at that time. As we responded to the incident, Mimecast took the opportunity to enhance our resilience. While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers."

**SEC Trying to Deter Vague Data Breach Disclosures**

The intention of the charges and subsequent fines is to deter other companies from taking the same "half-truth" communications approach following a breach, the SEC explained.

"Downplaying the extent of a material cybersecurity breach is a bad strategy," Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit said in a statement. "In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized."

The lesson companies should take from this SEC enforcement action is that regulators are looking for technically precise disclosures, according to cybersecurity attorney Beth Burgin Waller.

"Companies can no longer rely on generalizations or hypotheticals," she adds. "The challenge for many companies will be thinking of post-ligation risk from all angles including later data breach class actions or customer lawsuits."

This new enterprise cybersecurity terrain will require chief information security officers to work more closely legal teams, Burgin Waller says.

"The SEC is creating tension for many companies post-incident by forcing disclosure of details very early on in an incident investigation that will be cited back to the business in future litigation," she adds. "CISOs need to be prepared to work closely with in-house and outside counsel on SEC cyber-incident materiality determinations, especially in light of the technical precision required of companies in these enforcement announcements."

SEC Fines Companies Millions for Downplaying SolarWinds Breach

Eight months after the breach occurred, Change Healthcare has finally sent out millions of notices of compromised data to affected individuals.

Source: Jim West via Alamy Stock Photo

For the first time since being breached, United Healthcare has admitted to the number of individuals affected by the Change Healthcare ransomware attack — a staggering 100 million people.

The incident occurred in February, yet Change Healthcare didn't send out a notification warning to those impacted until June. In May, Andrew Witty, CEO of UnitedHealth, hinted at the massive scale of the breach, estimating that it was possible a third of all American health data had been compromised in the ransomware attack.

The breach has caused wave after wave of issues and prompted numerous calls for action regarding the state of cybersecurity in the healthcare sector. The ransomware attack was perpetrated at the hands of BlackCat/ALPHV, which Change Healthcare ultimately decided to pay off in order to get its systems back up and running. 

But the breaches didn't stop there. The company faced yet another attack, this time at the hands of RansomHub, which demanded a payment for the 4TB of data it stole, most of it medical records and financial data belonging to US military personnel. RansomHub has threatened to sell the sensitive information to the highest bidder.

After testifying in Congress in May, Change Healthcare revealed it had paid $22 million in ransom to the attackers who compromised its systems in February. It also revealed that the attackers were able to use previously compromised credentials to get into Change Healthcare’s system, which was not protected with multifactor authentication (MFA). Overall, the revelations in the hearing pointed to a lack of security maturity, leading to easy access for the attackers and a breach that caused delays in healthcare services.

"UnitedHealth is a very large, very complex entity from a systems point of view, and the regulatory framework is equally large and complex — considering all the variables and processes involved — the time frame for confirmation seems within reason," Dan Ortega, security strategist at Anomali, wrote in an emailed statement. "However, this doesn't mean that it's acceptable from an operational efficiency or public safety standpoint."

For the 100 million Americans affected by this breach who have received notice of their compromised data, their information that was stolen includes health insurance data; health information such as medical records, prescriptions, test results, images, diagnoses, and more; billing, claims, and financial and banking information; and Social Security numbers, driver's license information, and passport numbers.

UnitedHealth Reveals 100M Compromised in Change Healthcare Breach

Cybersecurity is mission-driven, meaningful work that coincides with the service branches' goals to protect, defend, and create a safer world.

Source: William Mullins via Alamy Stock Photo

COMMENTARY  
When I stepped foot onto Mountain Home Air Force Base in 2003, I had no way of knowing how much my technical and leadership skills would flourish over the course of my career in the US Air Force — but I did know I had found a group of disciplined, mission-driven individuals who were all working toward a common goal. And that was special. 

When it came time to transition out of the military last year, I was faced with not only leaving the branch of service I had dedicated my entire professional life to but also having to find who I was and what career path I wanted to pursue for myself. That's no easy task when you've been entrenched in a team-oriented environment for years at a time — in my case, 20. I was afraid I'd never find that sense of community again … until I found the cybersecurity field.  

**Where It All Began**

I attended community college for about a year before I enlisted in the Air Force and began working as a data maintenance technician. I eventually integrated with the Air Force's network team, where I got my feet wet in IT. Over the next 10 years, I worked on small clandestine networks up to enterprise-level, before the military shifted its focus to securing networks.  

The further I ventured into securing domains, the stronger my passion grew for that area. During my time stationed at MacDill Air Force Base, I worked for the Joint Communications Support Element (JCSE), and one of my supervisors approached me about the Certified Information Systems Security Professional (CISSP) certification from ISC2. He saw that I had what it took to sit for the exam, and I began the process. 

**Five Letters and 600 Podcast Episodes Later**

The CISSP certification was not only a testament to the hard work that I had put in throughout my career, but it also served as a key to my progression in the field. It changed my position in the game and my accessibility to opportunities. When having a conversation with those more senior than me, I felt confident and highly respected with the weight of that CISSP by my name. 

I believe to this day that the CISSP is what led me to being able to secure my first job in the corporate world, and acted as a launching pad for my podcast, "The Other Side of the Firewall." That podcast has grown my network monumentally, and having that validation by my name makes it easy to have conversations with everyone from entry-level professionals to CEOs of major companies. We're now more than 600 episodes into the podcast and counting. However, the journey to get to where I am today hasn't all been rainbows and butterflies. 

**The Highs and Lows**

One of the easier components of making the military-to-corporate transition was the networking aspect. During my time in the military, I had worked with phenomenal clients who supported me even after I swapped lace-up boots for a suit. Despite the fact that I was looking for a job at a historically bad time for the tech industry (the early 2023 layoff wave), my connections landed me a job at a data privacy and security company in Georgia.  

My boss at this company was a US Marine veteran, who was able to lead me through what ended up being the hardest part of my switch to corporate life: the lingo. I had to learn to explain how the technical skills I gained in the military translated to be applicable to the clients I was working for in the private sector. Having someone to guide me through that transition from the military to the corporate world who knew how to break me out of my military jargon comfort zone was life changing. 

**Why Cyber?**

I highly encourage anyone transitioning out of the military and looking for a mission-driven line of work to explore the cybersecurity field. With the rate that emerging technologies and the threat landscape are evolving, the demand for cybersecurity professionals is at an all-time high. It's a mission-driven, meaningful line of work that coincides with your service branches' goals to protect, defend, and create a safer world.  

Explore entry-level certifications such as the ones through ISC2, trainings and bootcamps that can help you get a foot in the door, and don't give up if the transition to the corporate world isn't seamless. Cybersecurity is a field that offers continued opportunities to increase your skills, learn from those around you, and make changes that have a direct impact on securing our increasingly digital world. As veterans transition into civilian life and look to find stable, fulfilling careers, I encourage them to give cybersecurity a shot. It's where I've found my tribe again, and I'm forever thankful for the people and programs that helped me along the way. 

**About the Author**

Information Technology Security Analyst, Buddobot

Ryan Williams Sr. is a seasoned cybersecurity consultant and virtual chief information security officer (vCISO) specializing in helping businesses navigate complex governance, risk, and compliance (GRC) challenges. By day, he serves as an IT security analyst for Buddobot, supporting the Independent Verification & Validation (IV&V) division of the US Department of Housing and Urban Development's Office of the Chief Information Officer (OCIO). Nights and weekends, Ryan leads RAM Cyber Consulting and Assessments LLC, delivering tailored cybersecurity solutions such as NIST CSF 2.0 readiness assessments, cyber policy writing, and consulting services to safeguard organizations across various industries.

My Journey From the Air Force to Cybersecurity

Renewable energy firms deal with a large cyberattack surface area, given the distributed nature of power generation and more pervasive connectivity.

Source: KanawatTH via Shutterstock

Renewable energy companies lag behind their more traditional peers when it comes to the cybersecurity readiness of their infrastructure, raising concerns that attackers targeting critical infrastructure could find easier prey among "green" energy firms.

In a study of 250 energy companies worldwide, oil and natural-gas firms scored the highest — with the average company scoring a 94, or "A" — while the lowest scores belonged to renewable energy companies, which scored a median of 85, or a "B." Green energy firms tend to have distributed generation infrastructure (such as rooftop solar or wind turbines) and are usually more Internet-connected than traditional energy companies — both attributes that can undermine their defensive posture, says Ryan Sherstobitoff, senior vice president for threat research at SecurityScorecard, the cybersecurity risk firm that conducted the study.

Overall, the attack surfaces between traditional energy infrastructure and renewable energy infrastructure can be quite different, he says.

"Oil and gas have legacy technologies, but these legacy technologies are most likely not Internet-facing," Sherstobitoff says. "Whereas the cybersecurity posture of renewable energy may not necessarily be \[to the level of other\] critical infrastructure itself ... but nonetheless has public-facing portals and other public-facing issues."

The concerns come as the US and other countries invest in green energy infrastructure and scramble to put in place more cybersecurity defenses to protect their critical infrastructure. Nation-state groups have targeted the critical infrastructure of the US and its allies, and while the distributed nature of green energy generation could mitigate widespread outages, their Internet connections represent a weak point, according to the SecurityScorecard report, which was in collaboration with consultancy KPMG.

**Distributed Green Systems Harder to Defend**

Overall, the energy sector did quite well in the survey of firms. Of the 250 organizations on which data was collected, 81% either scored an A or B. Only 8% of energy firms showed signs of compromise in their external infrastructure, but two-thirds of the breaches were connected to third-party partners, SecurityScorecard reported.

Attacks could prevent renewable energy companies from managing their generation sites to disrupting consumers' power, Sherstobitoff says.

"You could imagine disrupting the ability for these renewable energy devices to connect back and phone home, then you have chaos, because then they can't check in, can't get their status," he says. "If \[the infrastructure\] depends on getting a status code in order to function, it needs to connect back ... that's another breaking function."

Already, some green energy infrastructure has fallen prey to attackers. Charging stations for electric vehicles typically require connectivity, which makes them vulnerable to both compromise and disruption. In 2022, pro-Ukrainian hacktivists compromised chargers in Moscow to display messages of support for Ukraine. In 2019, a solar firm could no longer manage its 500 megawatts of wind and solar sites in the western US after a denial-of-service attack targeted an unpatched firewall, the FBI stated in a Private Industry Notification (PIN) in July.

The risk could extend all the way to homeowners, who increasingly have adopted rooftop solar and need to be connected to be able to deliver their solar power and be credited.

"This issue will only become more important as small solar systems continue to grow. When every house is a power plant, every house is a target," Morten Lund, of counsel for Foley & Lardner LLP, wrote in a brief directed at energy companies. "In many ways, the distributed nature of solar energy provides significant protection against catastrophic failures. But without sufficient protection at the project level, this strength quickly becomes a weakness."

**Third-Party Suppliers Cause Concern**

The energy sector is also open to greater third-party risk, with 47% of breaches of energy companies involving a third party, compared with 29% across all industries. In addition, many green energy projects tend to be locally managed or developed by a smaller startup, which could raise risks, especially as the US rushes to adopt more green infrastructure, the FBI stated in its PIN.

"With federal and local legislature advocating for renewable energies, the industry will expand to keep pace, providing more opportunities and targets for malicious cyber actors," the FBI stated.

The US National Strategy for Cyberspace calls out renewable energy as a key industry to defend online. Rich countries tend to have better defenses than poorer economies, as they have better regulations and organizations have more budget to spend on security.

Regulations continue to be the top reason energy firms invest in cybersecurity, with nearly half of companies (49%) citing regulatory requirements among their top three reasons for assigning budget, compared with 38% citing a cybersecurity incident or near miss affecting their company, according to risk management consultancy DNV's "Energy Cyber Priority 2023" report.

"Most renewable sites have not been developed with cybersecurity in mind, but several companies are picking up quickly," says Auke Huistra, DNV Cyber's industrial and operational technology cybersecurity director. "From our engagements, we have seen immature but also mature green energy companies. What we do see is that \[cybersecurity gets\] more and more attention ... driven by incidents in the industry as well as regulations."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cybersecurity Isn't Easy When You're Trying to Be Green

Vulnhuntr is a Python static code analyzer that uses Claude AI to find and explain complex, multistep vulnerabilities.

Source: ProtectAI via GitHub

Researchers at Protect AI have released Vulnhuntr, a free, open source static code analyzer tool that can find zero-day vulnerabilities in Python codebases using Anthropic's Claude artificial intelligence (AI) model.

The tool, available on GitHub, provides detailed analysis of the code, proof-of-concept exploits for the vulnerabilities identified, and confidence ratings for each flaw, Protect AI said in its announcement.

Vulnhuntr breaks the codebase into smaller chunks rather than overwhelming the large language model's (LLM) context window size by loading in the entire file at once. The tool uses prompt-engineering techniques to feed highly detailed, vulnerability-specific prompts into Claude, at which point the AI asks for additional code snippets until it has gathered enough information to map the application from user input to server output. This way, the LLM can analyze the entire call chain — which encompasses connections between files, functions, and variables across a project — without losing context. This level of analysis means the AI doesn't just stop when it finds risky code, but rather investigates how that code interacts with the rest of the project, which the research team says helps decrease false positives and negatives.

The tool currently focuses on the following types of vulnerabilities that can be exploited remotely: arbitrary file overwrite (AFO), local file inclusion (LFI), server-side request forgery (SSRF), cross-site scripting (XSS), insecure direct object references (IDOR), SQL injection (SQLi), and remote code execution (RCE).

Vulnhuntr's team says the tool has already discovered more than a dozen zero-day vulnerabilities in popular Python projects on GitHub, including gpt\_academic, FastChat, and Ragflow. Vulnhuntr flagged a RCE flaw in the machine learning library Ragflow, which has already been fixed.

Open Source LLM Tool Sniffs Out Python Zero-Days

Amazon's open source Cloud Development Kit generates dangerously predictable naming patterns that could lead to an account takeover.

Source: Dzianis Hill via Alamy Stock Photo

The Amazon Web Services Cloud Development Kit (CDK), a popular open source tool, allows cyber teams to conveniently build software-defined cloud infrastructure with widely used programming languages, such as Python and JavaScript. But here's the problem: During deployment and by default, AWS CDK creates a "staging" S3 bucket with a dangerously predictable naming convention that, if exploited by threat actors, could lead to total administrative access to the associated account.

In a new report, researchers from Aqua said AWS confirmed the vulnerability affected about 1% of CDK users. AWS subsequently notified those effected by the issue in mid-October. Versions of CDK v2.148.1 or earlier require users to take action.

"A key takeaway for open source projects that rely on AWS is to ensure they don't use predictable bucket names," says Yakir Kadkoda, lead security researcher with Aqua. "They should provide an option for users to modify the bucket name that the open source project creates for its operation or implement a check on the bucket owner to avoid such vulnerabilities."

There's no way to know if the vulnerability, which doesn't have an associated CVE number, has been exploited in the wild, Kadkoda adds.

**What Is S3 Bucket Namesquatting and Bucket Sniping?**

The vuln is introduced during the bootstrapping process, the report explained, during which AWS creates an S3 staging bucket for storing a variety of deployment assets. Because the name of these AWS S3 buckets follow a pattern: cdk-{qualifier}-assets-{account-ID}-{Region}, the team found all adversaries need to break into any of these buckets is the account identification number, and region — the only fields that change from bucket to bucket.

Not only does this let attackers break into an existing S3 bucket, they can also create an entirely new S3 bucket.

"If the attacker sets up the bucket ahead of time, when the user later tries to bootstrap the CDK from a specific region, they will encounter an error during the process because the CDK bucket that the bootstrap process attempts to create already exists," the Aqua report added. "The documentation advises selecting a non-default qualifier."

This is a tactic the report calls "S3 bucket namesquatting" or "bucket sniping" and gives the threat actor the ability to execute malicious code inside the target AWS account.

"As a reminder, the CDK staging bucket contains CloudFormation templates," the report added. "If an attacker gains access to the CDK staging bucket of other users, these files can be easily tampered with and backdoored, enabling the injection of malicious resources into the victim’s account during deployment."

This latest report expands on Aqua's previous analysis of the danger of configuring S3 buckets with easily guessed names into open source tools.

"This research emphasizes the importance of not using predictable bucket names and keeping the AWS account ID secret to avoid being vulnerable to these types of issues in the future," Kadkoda advises.

AWS's Predictable Bucket Names Make Accounts Easier to Crack

PRESS RELEASE

BOSTON, Oct. 23, 2024 (GLOBE NEWSWIRE) -- Grip Security, the leader in SaaS identity risk management, today released its research report, “2025 SaaS Security Risks.” The report reveals that traditional security measures are no longer sufficient to address the growing risks from unmanaged SaaS applications and user accounts. Alarmingly, 90% of SaaS applications and 91% of AI tools within organizations remain unmanaged, underscoring a widespread vulnerability that continues to grow.

As SaaS reliance expands, Grip's research highlights the limitations of traditional security strategies in combating the “SaaS risk creep” – the gradual increase of vulnerabilities from unmanaged applications and their associated accounts. Key findings from the report include:

*   The number of SaaS applications used in an enterprise increased by 40% over the last two years
    
*   SaaS applications per employee have steadily risen, marking an 85% increase in number of accounts per user
    
*   73% of provisioned users never use their SaaS application license
    
*   ChatGPT was found in 96% of analyzed organizations, and usage has increased 24x since its launch
    
*   42% of popular AI applications have SAML capabilities, but 80% of these apps are not managed and federated with the SAML protocol
    

“The sheer volume of unmanaged SaaS apps and AI tools we found in organizations shows the large gap between perceived and actual security,” said Lior Yaari, co-founder and CEO of Grip Security. “Businesses need real-time visibility into these applications and a risk governance program to manage their risks to stay ahead of the curve.”

The Growing Challenges of Shadow SaaS  
A major concern highlighted in the report is the rise of Shadow SaaS and Shadow AI—applications used without IT’s visibility or control. These applications put organizations at risk of data breaches, non-compliance issues, operational inefficiencies and confidential information leaks. As Gartner projects that by 2027, 75% of employees will use technologies outside IT’s oversight, organizations must rethink their SaaS security strategies to address the growing risk of unmanaged applications.

Despite billions spent on addressing SaaS-related risks, existing security solutions like CASBs have proven inadequate. These tools fail to keep up with the complexities of modern SaaS environments, generating excessive data noise and false positives that hinder security teams from focusing on real threats.

"As SaaS continues to grow, businesses can't afford to rely on outdated tools. A holistic, identity-driven approach is now critical to ensure SaaS security and risk management," added Yaari. "The consequences of inaction are too severe—it's time for enterprises to address this risk proactively and rethink their security strategies to match the speed of SaaS adoption."

Need for a New Approach  
Today’s SaaS-reliant organizations urgently need to move beyond traditional security tools. As highlighted by industry experts, business-led IT is driving much of this growth. As a result, responsibility for managing SaaS risks can no longer fall solely on IT and security teams—it requires collaboration across departments, including business app owners and end users, to effectively manage SaaS risks at scale. A flexible, identity-centric approach that empowers employees while controlling risk is the only way forward in this evolving landscape.

Without this shift, organizations will remain vulnerable to security breaches. High-profile incidents like those at Snowflake and Microsoft demonstrate the dangers of unmanaged SaaS environments, Shadow SaaS and dangling access. Companies that proactively adjust to these evolving SaaS trends will be better equipped to protect sensitive data, ensure compliance, optimize financial resources and foster innovation while minimizing associated risks.

Methodology  
The findings from Grip’s SaaS Security Risks report are based on anonymized data from Grip SaaS Security Control Plane (SSCP) solution. This includes insights from over 29 million SaaS user accounts, 1.7 million identities and 23,987 SaaS applications posing potential risk.

To get additional insights on 2025 SaaS and AI tool security risks, download Grip Security’s full report.

Information on the Grip SaaS Security Control Plane Platform is available online.

About Grip Security  
Grip Security is a pioneer in SaaS identity risk management, providing innovative solutions to help enterprises address the security risks associated with widespread SaaS adoption. The company’s SaaS Security Control Plane platform helps companies discover, prioritize, secure and orchestrate the mitigation and remediation of risks. The innovative approach of leveraging identity as the key control point allows companies to secure all SaaS applications and empowers enterprises to embrace SaaS adoption securely.

Grip Security Releases 2025 SaaS Security Risks Report

PRESS RELEASE

WASHINGTON, Oct. 24, 2024 /PRNewswire/ -- Hunter Strategy, a leading cybersecurity and technology consulting firm, today announced the addition of renowned cybersecurity expert Jake Williams to its leadership team. Williams joins as Vice President of Research and Development and Managing Director of Hunter Labs, bringing his extensive expertise to drive innovation and growth within the company.

Jake Williams, widely known as "MalwareJake," is a distinguished thought leader in cybersecurity. His impressive career includes founding Rendition Infosec, serving as a tactical operator for the NSA's Tailored Access Operations unit, and contributing as a sought-after speaker and instructor for SANS Institute and major cybersecurity conferences.

In his new role, Williams will spearhead Hunter's "Labs" division, an innovative incubation services lab designed to offer comprehensive solutions for family investment offices, private equity firms, and venture capitalists. Hunter Labs will focus on performing complex research in emerging technologies, conducting independent verification and validation of cutting-edge solutions, providing technical product advisory services, and executing deep technical due diligence for potential investments and acquisitions.

"We are exceptionally proud to welcome Jake Williams to the Hunter Strategy team," said Matt Triner, CEO of Hunter Strategy. "Jake's unparalleled expertise and visionary approach will be instrumental in accelerating our growth at the intersection of cutting-edge research and practical, market-driven solutions. His leadership of Hunter Labs will enable us to provide even greater value to our clients and partners in the rapidly evolving cybersecurity landscape."

Williams expressed his enthusiasm for joining Hunter Strategy, stating, "I'm excited to lead Hunter Labs and work alongside the talented team at Hunter Strategy. Our goal is to push the boundaries of cybersecurity research and development, creating innovative solutions that address the complex challenges facing organizations today. Hunter Labs will be at the forefront of identifying and nurturing the next generation of cybersecurity technologies."

Hunter Strategy is a premier cybersecurity and technology consulting firm dedicated to providing innovative solutions to complex security challenges. With a team of industry-leading experts, Hunter Strategy offers a wide range of services, including cybersecurity consulting, technology implementation, and now, through Hunter Labs, cutting-edge research and development.

You May Also Like

Source

DARKReading