Traditional practices are no longer sufficient in today's threat landscape. It's time for cybersecurity professionals to rethink their approach.

Malleswar Reddy Yerabolu, Senior Security Engineer, North Carolina Department of Health and Human Services

October 18, 2024

5 Min Read

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY  
In today's interconnected digital landscape, supply chain attacks are no longer an anomaly — they're a persistent, growing threat. From SolarWinds to Kaseya, high-profile breaches have demonstrated that attackers are increasingly exploiting vulnerabilities in the supply chain to infiltrate targets at scale. For cybersecurity professionals, the days of relying on traditional vendor risk management are over. A broader, more proactive approach to securing the supply chain is required — one that goes beyond checklists and questionnaires. 

**The Shortcomings of Traditional Vendor Risk Management**

Historically, organizations have relied on static risk assessments and due diligence processes to evaluate their suppliers. This involves vetting vendors using questionnaires, compliance audits, and sometimes even on-site assessments. While these methods help ensure compliance with industry regulations and basic cybersecurity hygiene, they are no longer enough to combat today's sophisticated supply chain attacks. 

The major flaw of traditional vendor risk management is that it assumes security is a one-time evaluation rather than an ongoing process. A vendor might pass an initial audit, but what happens when it updates its software or onboards a third-party subcontractor? Additionally, static assessments rarely account for zero-day vulnerabilities or the rapid evolution of threat landscapes. In short, by the time an assessment is complete, the information is often outdated. 

**Proactive Supply Chain Monitoring: A New Paradigm**

A more effective approach to supply chain security involves continuous, real-time monitoring of vendors. Rather than waiting for the next audit or questionnaire cycle, organizations should be leveraging tools that provide up-to-date visibility into their vendors' cybersecurity postures. 

There are several ways this can be accomplished: 

*   Third-party risk management platforms: Platforms like BitSight and Security Scorecard allow organizations to monitor the external security posture of their vendors continuously. These platforms aggregate data from public sources, including open vulnerabilities, SSL configurations, and even mentions of potential breaches, to give security teams real-time insights into potential risks. 
    
*   Threat intelligence integration: By integrating threat intelligence feeds into the vendor risk management process, organizations can identify whether any vendors are being actively targeted by attackers, or if their infrastructure is compromised. This dynamic approach goes beyond static questionnaires, allowing organizations to act quickly in response to emerging threats. 
    
*   Continuous penetration testing: Routine penetration testing is no longer a luxury; it's a necessity. Regular testing of vendors' systems ensures that vulnerabilities are identified and mitigated before attackers can exploit them. With the increasing automation of penetration testing tools, this process can be made continuous rather than sporadic.
    

**Blockchain for Enhanced Supply Chain Transparency**

Another innovative solution to supply chain security challenges is the use of blockchain for transparency and traceability. Blockchain technology allows for the creation of immutable audit trails, making it possible to trace the origin of every component in the supply chain. This can be especially valuable in industries like pharmaceuticals or critical infrastructure, where counterfeit products or compromised components can have catastrophic consequences. 

By using blockchain, organizations can verify that every link in the supply chain adheres to security standards and hasn't been tampered with. In addition, smart contracts on blockchain can enforce compliance, triggering alerts or even actions (such as revoking access) when deviations from agreed-upon standards occur. 

**Managing Access: A Dynamic Approach to Vendor Permissions**

One critical element of supply chain cybersecurity that is often overlooked is how vendors access internal systems. Traditional models grant vendors broad access to systems and data, often far beyond what is necessary. This presents a significant risk, as compromising a single vendor's account could grant an attacker the keys to an organization's entire network. 

A more dynamic approach involves implementing zero-trust principles, where vendors are granted the minimum necessary permissions, and access is constantly reevaluated. This can be done through: 

*   Granular access control: Leveraging role-based access controls (RBAC) or even attribute-based access controls (ABAC) ensures that vendors have access only to the resources they need at any given time. 
    
*   Behavioral monitoring: Continuous monitoring of vendor behavior within your systems can help detect abnormal activity that might indicate a compromise. AI-driven anomaly detection tools can provide early warning signs that a vendor's account has been hijacked. 
    
*   Just-in-time access: Some organizations are adopting just-in-time (JIT) access, where vendors are granted temporary access to systems only when required, and access automatically expires after a predefined period. This minimizes the risk of persistent backdoors being left open. 
    

**Collaboration Across the Supply Chain**

Lastly, improving supply chain security requires collaboration between all stakeholders. Organizations must foster a culture of shared responsibility, where security is not viewed as the sole responsibility of individual vendors but as a collective effort. This can be achieved through: 

*   Security scorecards for vendors: Regularly sharing security posture reports with vendors encourages transparency and accountability. These reports can highlight areas where vendors need to improve and set clear expectations for remediation. 
    
*   Vendor security workshops: Hosting workshops or training sessions for vendors can help elevate their understanding of modern security practices and ensure that their teams are equipped to mitigate risks. 
    

**A Call to Action**

The time has come for cybersecurity professionals to rethink their approach to supply chain security. Traditional vendor risk management practices are no longer sufficient in today's threat landscape. By adopting continuous monitoring, leveraging blockchain for transparency, and implementing dynamic access control, organizations can build more resilient supply chains that are harder for attackers to compromise. 

Ultimately, securing the supply chain is not just about protecting your vendors — it's about safeguarding your entire business ecosystem. 

**About the Author**

Senior Security Engineer, North Carolina Department of Health and Human Services

Malleswar Reddy Yerabolu is a senior security engineer with more than seven years of experience in vulnerability management, threat analysis, and security architecture across financial, hospitality, government, and communication sectors. He specializes in leveraging AI, machine learning (ML), and natural language processing (NLP) to enhance threat detection and automate security processes. His research focuses on integrating AI and NLP to optimize cybersecurity solutions. Malleswar’s innovative approach helps organizations reduce risks and strengthen their defenses against evolving cyber threats. He holds a master’s degree in computer engineering from California State University.

Supply Chain Cybersecurity Beyond Traditional Vendor Risk Management

PRESS RELEASE

October 17, 2024: OpenAI is projected to generate over $10 billion in revenue next year, a clear sign that the adoption of generative AI is accelerating. Yet, most companies struggle to deploy large AI models in production. With the steep costs and complexities involved, nearly 90% of machine learning projects are estimated never to make it to production. Addressing this pressing issue, Simplismart is today announcing a $7m funding round for its infrastructure that enables organizations to deploy AI models seamlessly. Like the shift to cloud computing, which relied on tools like Terraform and mobile app development fueled by Android, Simplismart is positioning itself as the critical enabler for AI’s transition into mainstream enterprise operations.   
The series A funding round was led by Accel with participation from Shastra VC, Titan Capital, and high-profile angels, including Akshay Kothari, Co-Founder of Notion. This tranche, more than ten times the size of their previous round, will fuel R&D and growth for their enterprise-focused MLOps orchestration platform.  
The company was co-founded in 2022 by Amritanshu Jain, who tackled cloud infrastructure challenges at Oracle Cloud, and Devansh Ghatak, who honed his expertise on search algorithms at Google Search. In just two years, with under $1m in initial funding, Simplismart has outperformed public benchmarks by building the world’s fastest inference engine. This engine allows organizations to run machine learning models at lightning speed, significantly boosting performance while driving down costs.  
Simplismart’s fast inference engine allows users to leverage optimized performance for all their model deployments. For example, Its software-level optimization helps run Llama3.1 (8B) at an impressive throughput of >440 tokens per second. While most competitors focus on hardware optimisations or cloud computing, Simplismart has engineered this breakthrough in speed within a comprehensive MLOps platform tailored for on-prem enterprise deployments - agnostic towards choice of model and cloud platform.  
“Building generative AI applications is a core need for enterprises today. However, the adoption of generative AI is far behind the rate of new developments. It’s because enterprises struggle with four bottlenecks: lack of standardized workflows, high costs leading to poor ROI, data privacy, and the need to control and customise the system to avoid downtime and limits from other services,” said Amritanshu Jain, Co-Founder and CEO at Simplismart  
Simplismart’s platform offers organizations a declarative language (similar to Terraform) that simplifies fine-tuning, deploying, and monitoring genAI models at scale. Third-party APIs often bring concerns around data security, rate limits, and utter lack of flexibility, while deploying AI in-house comes with its own set of hurdles: access to computing power, model optimisation, scaling infrastructure, CI/CD pipelines, and cost efficiency, all requiring highly skilled machine learning engineers. Simplismart’s end-to-end MLOps platform standardizes these orchestration workflows, allowing the teams to focus on their core product needs rather than spending numerous manhours building this infrastructure.  
Amritanshu Jain added: “Until now, enterprises could leverage off-the-shelf capabilities to orchestrate their MLOps workloads since the quantum of workloads, be it the size of data, model or compute required, was small. As the models get larger and the workload increases, it will be imperative to have command over the orchestration workflows. Every new technology goes through the same cycle: exactly what Terraform did for cloud, android studio for mobile, and Databricks/Snowflake did for data.”  
“As GenAI undergoes its Cambrian explosion moment, developers are starting to realise that customizing & deploying open-source models on their infrastructure carries significant merit; it unlocks control over performance, costs, customizability over proprietary data, flexibility in the backend stack, and high levels of privacy/security”, said Anand Daniel, Partner at Accel. “We were happy to see that Simplismart’s team saw this opportunity quite early, but what blew us away was how their tiny team had already begun serving some of the fastest-growing GenAI companies in production. It furthered our belief that Simplismart has a shot at winning in the massive but fiercely competitive global AI infrastructure market.”  
Solving MLOps workflows will allow more enterprises to deploy genAI applications with more control. They want to manage the tradeoff between performance and cost to suit their needs. Simplismart believes that providing enterprises with granular Lego blocks to assemble their inference engine and deployment environments is key to driving adoption. 

You May Also Like

Ex-Oracle, Google Engineers Raise $7m From Accel for Public Launch of Simplismart to Empower AI Adoption

PRESS RELEASE

WASHINGTON, DC (October 15, 2024) – The Consortium for School Networking (CoSN) today announced that the Illinois Learning Technology Center (LTC), a program of the Illinois State Board of Education, has partnered with CoSN on a program to improve student data privacy practices in their school districts. By joining the CoSN Trusted Learning Environment (TLE) State Partnership Program, Illinois is helping to ensure that K-12 education institutions across the states are equipped with the necessary tools, training, and guidance to build and improve their school districts’ student data privacy programs.

LTC joins the North Carolina Department of Instruction and the South Carolina Department of Education in partnering with CoSN on this important work.

By subscribing to the TLE Partnership Program, LTC will be providing free TLE Seal applications to all districts in their state.  In addition, the TLE State Partnership Program makes available exclusive data privacy benchmarking reports that provide aggregate measures of the state’s district privacy programs compared with aggregate measures from TLE Seal recipients across 25 specific privacy practices, as well as CoSN’s student data privacy resources designed to support areas of growth for the districts in protecting the privacy of more than 1.85 million students. The CoSN TLE Seal is a national distinction awarded to school districts demonstrating a tangible commitment to protecting student data privacy through modern, rigorous policies and practices.

“Protecting student privacy is a top priority in Illinois. By joining CoSN’s Trusted Learning Environment State Partnership Program—a program backed by one of the leaders in the K-12 technology space—we can enhance our understanding of district privacy needs and offer stronger support," said Tim McIlvain, Executive Director of the Learning Technology Center. "We’re excited to provide 851 districts with access to CoSN’s expert guidance and resources, which will strengthen privacy protections for all Illinois students.”

CoSN’s TLE State Partnership Program provides state education agencies with: 

*   Exclusive state data privacy benchmarking reports that provide aggregated measures of district student data privacy practices as compared with those of current TLE Seal recipients.
    
*   Resources to support improvements across common areas of challenge for the states’ districts and updated benchmarking reports to measure improvements.
    
*   Unlimited free applications for the TLE Seal for districts in the state.
    

Additional supports can include student data privacy training and seats in CoSN’s Certified Education Technology Leader (CETL®) preparation and exam.

“With the increasing complexity of today’s technological environment, protecting student data privacy is imperative. We are delighted to welcome the Learning Technology Center of Illinois to the CoSN TLE State Partnership Program, and to providing Illinois districts with vital tools, training, and resources to help better protect their student information and foster a culture committed to enhancing privacy practices,” said Keith Krueger, CEO of the Consortium for School Networking.

As the only privacy framework designed specifically for K-12 school districts, earning the CoSN TLE Seal requires that districts have taken measurable steps to implement, maintain, and improve organization-wide student data privacy practices. All TLE Seal recipients are required to demonstrate that improvement through a reapplication process every two years.

About CoSN 

CoSN is the premier professional association designed to meet the needs of K-12 edtech leaders, their teams, and other district leaders. CoSN provides thought leadership resources, community, best practices, and advocacy tools to help edtech leaders succeed in the digital transformation. CoSN represents over 13 million students and continues to grow as a powerful and influential voice in K-12 education. For more information, visit CoSN.org.

About the CoSN Trusted Learning Environment State Partnership Program

The CoSN Trusted Learning Environment (TLE) State Partnership Program is designed to measure and improve district student data privacy practices across all districts in the state. Through survey-based benchmarking, CoSN is able to aggregate district privacy performance across the 25 requirements of the CoSN Trusted Learning Environment Seal Program. CoSN provides comparisons of these results to the aggregated results of TLE Seal recipients. CoSN then provides each  state with resources that are ready-made for its districts, providing guidance to improve the top three areas of weakness. The process is repeated on a cycle to continuously build up privacy practices across all districts. States are also provided with free TLE applications for all districts, providing the opportunity for districts to gain additional, customized feedback on their privacy programs and earn recognition for their efforts. For more information, visit CoSN.org/TLEpartner.

About the Learning Technology Center

The Learning Technology Center (LTC) is a state-wide organization dedicated to supporting schools and districts in Illinois with technology integration, professional development, and digital learning initiatives. Through innovative programs, expert guidance, and collaborative partnerships, the LTC empowers educators and administrators to leverage technology for improved teaching and learning outcomes. With a focus on areas such as artificial intelligence, digital citizenship, cybersecurity, and infrastructure, the LTC is committed to helping schools navigate the evolving landscape of educational technology. Learn more at ltcillinois.org.

Illinois Joins CoSN's Trusted Learning Environment (TLE) State Partnership Program for Student Data Privacy

PRESS RELEASE

Brussels, 16 October 2024 – Swift today announced that it is rolling out new AI-enhanced fraud detection to help the global payments industry step up its defence as bad actors grow increasingly sophisticated. Available from January 2025, the service is the result of extensive collaboration with banks from around the world and a successful pilot earlier this year.   

The new capability builds on Swift’s existing Payment Controls Service — used by many small and medium-sized financial institutions — by drawing on pseudonymised data from the billions of transactions that flow over the Swift network each year to identify and flag suspicious transactions so that action can be taken in real-time. 

The rollout is part of Swift’s broader collaboration with its global community of more than 11,500 banks and financial institutions to test how AI can solve cross-industry challenges. With global industry estimates putting the total cost of fraud in financial services at USD 485 billion in 2023 alone , Swift is focused on using AI to give financial institutions stronger and more accurate insights into instances of potentially fraudulent activity.

Jerome Piens, Chief Product Officer at Swift, said: “Bad actors are using increasingly sophisticated tactics to commit financial crime, and the global financial industry needs to raise its defences higher to ensure their customers can continue to transact globally with confidence. Swift has a long track record of supporting our community by staying one step ahead to maintain the security and resilience that our network is known for - and now we’re doing so again by harnessing the latest technology.”

Since February, Swift has been working with leading global financial institutions to explore how federated learning, combined with privacy-enhancing technologies, could enable market participants to share information without revealing their proprietary data. The group has so far developed a number of fraud detection use cases which are set to be tested in a sandbox environment. 

The rollout of this enhanced service is a key milestone in Swift’s strategic vision to make end to end international transactions instant and frictionless, while maintaining trust, security and compliance.

"Collaboration across the banking sector is crucial to enhancing fraud detection, and by sharing data and leveraging AI, we empower ourselves to stay ahead. At BNP Paribas, we are fully committed to supporting Swift’s innovative initiative in that regard, as it marks a key step forward in protecting the integrity of our financial ecosystem." 

Olivier Nautet, Head of Cybersecurity, BNP Paribas; Nicolas Trimbour, Head of Fraud Prevention, Cash Management, BNP Paribas, and Su Yang, Head of Artificial Intelligence, Transaction Banking, BNP Paribas

“Standard Bank Group, Africa’s biggest bank by assets, has participated in Swift’s initiative for AI fraud detection capability to enhance the security of its customers’ transactions. The technology will identify suspicious patterns in real-time, reducing fraud-risk and ensuring a safer banking experience for clients. By leveraging the power of AI, Standard Bank Group reaffirms its commitment to innovation and safeguarding the financial assets of its clients - who are our main asset.”  

John McHugh, Head Operations Control – CIB at Standard Bank

Swift to Launch AI-Powered Fraud Defence to Enhance Cross-Border Payments

The scammers used real-time deepfakes in online dating video calls to convince the victims of their legitimacy.

Source: Mike via Adobe Stock

Hong Kong police arrested 27 people Monday for their involvement in a deepfake scam operation, stealing $46 million from the scam's victims.

The scammers used AI face-swapping technology to create female personas for online dating, using tools to alter their appearance and voices. 

They then contacted their victims via social media platforms using these AI-generated photos of people with made-up personalities, occupations, and backgrounds.

However, the victims began requesting video calls to become more familiar with the person they were communicating with, prompting the scammers to turn to real-time deepfakes, which transformed the scammers into attractive women, adding legitimacy to the fraud and gaining the trust of those that were being duped.

"The syndicate presented fabricated profit transaction records to victims, claiming substantial returns on their investments," said Fang Chi-kin, head of the New Territories South regional crime unit.

The victims realized that they had been scammed after attempting to withdraw money from their accounts without success.

The police seized computers, phones, and just over $25,000 in funds and luxury watches from the crime ring's headquarters, a 4,000-square-foot building in Hong Kong.

They also arrested six individuals who were recruited to set up cryptocurrency trading platforms, five of whom were reportedly potentially associated with Sun Yee On, a crime gang that operates in Hong Kong and China.

These developments come in the wake of a recent United Nations Office on Drugs and Crime report warning of the technological advancements crime syndicates are making to carry out cyber fraud in Asia, such as the use of deepfake technology. Some 10 different deepfake software providers were identified, selling their services via Telegram to criminal groups in Southeast Asia.

Hong Kong Crime Ring Swindles Victims Out of $46M

Days after facing a major breach, the site is still struggling to get fully back on its feet.

Source: Postmodern Studio via Alamy Stock Photo

The Internet Archive, a nonprofit digital library website, is beginning to come back online after a data breach and distributed denial-of-service (DDoS) attacks, prompting a week of its systems going offline.

Founded in 1996 by Brewster Kahle, the archive offers users free access to a historical Web collection, known as the Wayback Machine. This including access to more than 150 billion webpages, nearly 250,000 movies, 500,000 audio items, and more.

This free access to these seemingly unlimited resources all came to a halt on Oct. 9, when hackers stole and leaked the account information of a reported 31 million users. 

The users were met with a pop-up that read, "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"

HIBP is the "Have I Been Pwned" site that allows users to look up whether their personal information has been compromised in a data breach.

The Internet Archive site went offline in an effort to try to prevent such attacks from continuing to happen. Founder Brewster Kahle reported on social platform X that this process would take days, if not weeks.

"The @internetarchive's Wayback Machine resumed in a provisional, read-only manner. .... Please be gentle."

And in an update yesterday, he reported that Wayback Machine is running strong, though the team is still working to bring Internet Archive items and other services online safely.

**DDoS Mania**

Netscout, which has conducted analyses on the breach, reported that its researchers observed 24 DDoS attacks against the Autonomous System Number (ASN) 7941, the ASN used by the Internet Archive project. The first attack lasted more than three hours, and during the attack, three IP addresses used by Internet Archive received DDoS attack traffic.

"These kinds of attacks energize adversaries, and they often attempt to replicate the feat," the Netscout researchers reported. 

Bruno Kurtic, co-founder, president, and CEO of Bedrock Security, notes that perhaps these kind of breaches are inevitable.

"Perimeters will be breached, vulnerabilities will be exploited … attackers will eventually be at the front door of your data stores," he says. "For most enterprises, the first and fundamental gap is not knowing where their data is. Data is fluid, it moves, it sprawls, and it is created at an exponential rate."

To protect that data, Kurtic advises "proactive policy management," as well as detection of movement, encryption, and hashing.

"Monitoring access and continuously scanning to update classifications at hundreds-of-petabytes scale is hard but essential," he adds.

Internet Archive Slowly Revives After DDoS Barrage

As the unique challenges of AI zero-days emerge, the approach to managing the accompanying risks needs to follow traditional security best practices but be adapted for AI.

Dan McInerney, Lead AI Threat Researcher, Protect AI

October 17, 2024

3 Min Read

Source: Blackboard via Alamy Stock Photo

COMMENTARY

With artificial intelligence (AI) and machine learning (ML) adoption evolving at a breakneck pace, security is often a secondary consideration, especially in the context of zero-day vulnerabilities. These vulnerabilities, which are previously unknown security flaws exploited before developers have had a chance to remediate them, pose significant risks in traditional software environments.  

However, as AI/ML technologies become increasingly integrated into business operations, a new question arises: What does a zero-day vulnerability look like in an AI/ML system, and how does it differ from traditional contexts?

**Understanding Zero-Day Vulnerabilities in AI**

The concept of an "AI zero-day" is still nascent, with the cybersecurity industry lacking a consensus on a precise definition. Traditionally, a zero-day vulnerability refers to a flaw that is exploited before it is known to the software maker. In the realm of AI, these vulnerabilities often resemble those in standard Web applications or APIs, since these are the interfaces through which most AI systems interact with users and data. 

However, AI systems add an additional layer of complexity and potential risk. AI-specific vulnerabilities could potentially include problems like prompt injection. For instance, if an AI system summarizes one's email, then an attacker can inject a prompt in an email before sending it, leading to the AI returning potentially harmful responses. Training data leakage is another example of a unique zero-day threat in AI systems. Using crafted inputs to the model, attackers may be able to extract samples from the training data, which could include sensitive information or intellectual property. These types of attacks exploit the unique nature of AI systems that learn from and respond to user-generated inputs in ways traditional software systems do not.

**The Current State of AI Security**

AI development often prioritizes speed and innovation over security, leading to an ecosystem where AI applications and their underlying infrastructures are built without robust security from the ground up. This is compounded by the fact that many AI engineers are not security experts. As a result, AI/ML tooling often lacks the rigorous security measures that are standard in other areas of software development. 

From research conducted by the Huntr AI/ML bug bounty community, it is apparent that vulnerabilities in AI/ML tooling are surprisingly common and can differ from those found in more traditional Web environments built with current security best practices.

**Challenges and Recommendations for Security Teams**

While the unique challenges of AI zero-days are emerging, the fundamental approach to managing these risks should follow traditional security best practices but be adapted to the AI context. Here are several key recommendations for security teams: 

*   Adopt MLSecOps: Integrating security practices throughout the ML life cycle (MLSecOps) can significantly reduce vulnerabilities. This includes practices like having an inventory of all machine learning libraries and models in a machine learning bill of materials (MLBOM), and continuous scanning of models and environments for vulnerabilities. 
    

*   Perform proactive security audits: Regular security audits and employing automated security tools to scan AI tools and infrastructure can help identify and mitigate potential vulnerabilities before they are exploited. 
    

**Looking Ahead**

As AI continues to advance, so too will the complexity associated with security threats and the ingenuity of attackers. Security teams must adapt to these changes by incorporating AI-specific considerations into their cybersecurity strategies. The conversation about AI zero-days is just beginning, and the security community must continue to develop and refine best practices in response to these evolving threats. 

**About the Author**

Lead AI Threat Researcher, Protect AI

Dan McInerney is Lead AI Threat Researcher at Protect AI. He has 15 years of experience in red-team security, written dozens of security tools, and is a top-ranked Python GitHub developer. As a senior penetration tester, Dan has focused on novel attacks in emerging fields such as 3D printing and machine learning, and is credited with seven CVEs in AI tools. He teaches penetration testing and is a highly rated BlackHat instructor.

4 Ways to Address Zero-Days in AI/ML Security

US officials disrupted the group's DDoS operation and arrested two individuals behind it, who turned out to be far less intimidating than they were made out to be in the media.

Source: Firoze Edassery via Alamy Stock Photo

A federal grand jury has indicted two Sudanese nationals for their role in operating and controlling one of the most notorious hacktivist groups of recent years.

US officials allege that Ahmed Salah Yousif Omer — just 22 years old — and his brother Alaa Salah Yusuuf Omer, 27, were behind Anonymous Sudan (aka Storm-1359), a threat actor responsible for more than 35,000 distributed denial of service (DDoS) attacks worldwide since early 2023. In the US alone, it has clogged up websites belonging to major technology companies like Microsoft and Riot Games, the Cedars-Sinai Medical Center in Los Angeles — an event which caused an eight-hour disruption to patient care — and major government agencies like the FBI, State Department, Department of Defense, and Department of Justice (DoJ). It's believed that these attacks have caused at least $10 million in damages.

For their roles in "operating and controlling" Anonymous Sudan, Ahmed and Alaa were each charged with one count of conspiracy to damage protected computers. Ahmed also earned three counts for damaging protected computers.

The elder brother faces a maximum sentence of five years in federal prison, should he be found guilty. The younger: life behind bars.

"It's easy to be anonymous, and to hide yourself for a short period of time when visibility is limited," says Adam Meyers, head of counter adversary operations with CrowdStrike, which contributed to the DoJ investigation. "But the longer that things go on, the more that you do, the harder it is to keep up that facade."

**The Latest in Operation PowerOFF**

For years now, law enforcement authorities from the United States, United Kingdom, Germany, Poland, and the Netherlands have been collaborating as part of "Operation PowerOFF," to shutter DDoS-for-hire operations worldwide. PowerOFF has earned some high-profile successes since, including the arrests of the admins behind Webstresser — then the world's leading DDoS marketplace — back in 2018, a successful shutdown of 50 DDoS-for-hire platforms late in 2022, and another wave of "booter site" takedowns the following year. Then, early this year, authorities turned their sights on Anonymous Sudan.

Hacktivist groups, by their nature, are typically louder and easier to read than groups which put more emphasis on stealth and subtlety. "These guys were operating openly on Telegram. They were recruiting. They were talking about what they were up to. They were involved in things like #OpIsrael, and collaborating with groups like KillNet on some pro-Russia attacks. So they weren't hiding in the shadows," Meyers says.

Beyond that, he adds, "They did have some of what we would call OpSec issues, where they thought that they were being a little bit more discreet than they actually were."

With help from the Big Pipes working group — a PowerOFF collaboration between law enforcement and private sector partners — authorities identified assets belonging to Anonymous Sudan, and insights into the brothers at the top of the pyramid. Then in March, US authorities obtained court-authorized warrants to seize the tooling and infrastructure belonging to Anonymous Sudan. The FBI shut up key components of the group's sophisticated Distributed Cloud Attack Tool (DCAT) (aka Skynet, Godzilla, InfraShutdown), including the computer servers used to launch its attacks, those used to relay attack commands to its broader network of connected computers, and online accounts containing the group's source code.

**Not-So-Anonymous Sudan**

During its approximately year-long reign of terror, Anonymous Sudan had been connected with and attributed to a variety of different groups and interests. Some researchers suggested that it was merely a front for the Russian hacktivist collective KillNet. Others went further, suggesting that the group is backed by the Russian state.

"That was a misconception that many folks believed and parroted, with little supporting evidence," explains Chad Seaman, principal security researcher and team lead at Akamai SIRT, which also participates in PowerOFF through the Big Pipes working group. "Mostly this theory seemed to be rooted in their affiliation with KillNet, which as disclosed in the indictment details, seems to be more \[borne of\] an anti-west ideological alignment, and kind of turned into a marketing decision, in part aimed at driving business to their booter services they were selling at the time, due to KillNet's notoriety at the time."

There were some understandable reasons behind those connections: the scale of the operation, its sophistication, its apparent motives, etc. "Take into account their seemingly oddly aligned support of Russian hacktivist groups, being a new group that seemingly sprung up overnight, their ability to launch debilitating attacks, and an assumption that their operations were being paid for to the tune of hundreds of thousands of dollars a month in compute expenses, it's an easy theory to rationalize," he says.

However, he adds, "Attribution is often hard and messy work, and short of very compelling evidence to support such claims, it should always be eyed with a bit of suspicion until proof is provided. This isn't the first time, and it won't be the last, that we've seen theorized attribution fall victim to reality when more pieces of the puzzle fall into place."  

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Anonymous Sudan Unmasked as Leaders Face Life in Prison

Has the role of chief privacy officer become something more than it was? And is it still a role that just one person can handle?

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

The role of the CPO — chief privacy officer — is at a crossroads. A rapidly growing number of data breaches, continually evolving regulations, and the increasing complexity of digital ecosystems have made a robust, privacy-first approach to managing data more critical for businesses than ever before. The role of a CPO was once clear-cut: Ensure compliance with privacy laws, manage data collection practices, and mitigate data risks. Now, CPOs are balancing more responsibilities than ever. Privacy has an impact on every realm of the business. So, is a CPO still a CPO, or is the role something greater? And, is it a role that just one person can handle?  

**The Expanding Scope of the CPO**

In a recent episode of my podcast, "The Privacy Insider," Google's outgoing chief privacy officer, Keith Enright, remarked that the data privacy role has expanded so much, it requires a jack of all trades. In many organizations, the CPO might manage privacy, but also aspects of security, data ethics, and even AI governance. Privacy does play a role in all these areas. But can a CPO — or chief information security officer (CISO), or chief data officer (CDO), or chief AI officer — wear all these hats and have them fit? 

Whatever mix of letters that follows the C, many companies are striving for the same goal. They want a member of the C-suite whose mandate encompasses a broader responsibility: Be the steward of data governance, protection, compliance, and ethical use. That someone with any of the above backgrounds could be overseeing all of the above responsibilities shows how intertwined the technologies, data, and risks have become. Maybe that one job should be a more integrated team effort.  

**Guarding the Wall Together **

For example, think about a data breach. Responsibility for preventing a data breach typically falls on the CISO. If a hacker pierces a company's systems, that's a security failure. But the reality of a rapidly changing threat landscape is that once you secure against one threat, another one is right behind it. For many companies, data breaches aren't an "if," but a "when." How are you protecting what's behind the wall? Good data privacy practices are good security. Are you identifying, safeguarding, and minimizing your most sensitive data? CISOs work hard on fortifying the wall, but if someone breaks through and there's nothing to steal, you've contained the immediate damage, and also the reputational and regulatory damage that can follow. Protecting an organization on all sides calls for a tightly integrated strategy.  

**And Then There's AI **

The rise of AI presents some unique challenges: What are the ethical implications of AI? Can you trust it? What's the recourse if sensitive data winds up in an AI model? Many companies turn to the CPO for guidance on the ethical use of these technologies, particularly around issues of consent, bias, and transparency. But AI governance is typically the domain of the CISO or the CDO, not the CPO. For now, no one person should own AI, because at this point in time, AI touches everything. Everyone shares the responsibility for using it wisely. 

However, CPOs can play an important role in charting a path for AI, aside from ensuring companies use it in a privacy-forward way. The ethics of using sensitive data — and as we are seeing with the European Union AI Act, the consequences of misusing it — are similar whether the offender is human or machine. Clear insight on handling and protecting sensitive data and experience with General Data Protection Regulation (GDPR) readiness can help privacy pros guide the business in managing AI's complexities. 

**The CPO as Partner**

Managing risk in a modern organization is the ultimate balancing act. Sometimes it's all hands on deck to shore up cybersecurity, sometimes it's sensitive data protection, sometimes it's AI. Privacy, security, governance, and the rest are all critical to maintain the balance, no matter what the challenge is. There may be a CPO, there may not be a CPO. Privacy management might be centralized or distributed across the business. But that doesn't change the importance of data privacy management in helping to shore up system security, define AI governance, build trust, and mitigate risk. The best role a CPO can play is in demonstrating the value of a strong privacy program to make the whole business stronger. 

**About the Author**

Founder & CEO, Osano

Arlo Gilbert is the founder and CEO of Osano, a data privacy company focused on simplifying compliance for businesses and helping them protect consumer data. He has been building successful technology companies for more than 25 years and has seen firsthand the importance of building trust and using data responsibly. He believes that consumer data privacy isn’t just good for business — it’s a fundamental right.

Is a CPO Still a CPO? The Evolving Role of Privacy Leadership

A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.

Source: Daniren via Alamy Stock Photo

An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).

APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.

Recently, Trend Micro has observed a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, most notably within the UAE. These newer cases have featured a new backdoor, "StealHook," which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.

**APT34's Latest Activity**

Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.

One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.

"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.

To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a "high" severity 7 out of 10 score in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system, and isn't simple to exploit.

APT34's best trick, though, is its technique for abusing Windows password filters.

Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.

To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.

**Follow-On Risks of APT34 Attacks**

"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says Mohamed Fahmy, cyber threat intelligence researcher at Trend Micro. "It has been used for years in \[APT34's\] Karkoff backdoor, and most of the time it evades detection."

Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.

For some time now, Fahmy says, the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails."

He adds that government agencies in particular often relate to one another closely, "so the threat actor could compromise this trust."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading