Researchers say the attacks are easy to perform, difficult to contact, nearly unrecognizable, and "entirely preventable."

Source: Panther Media GmbH via Alamy Stock Photo

More than a dozen Russian cybercriminals are taking advantage of opening in the Domain Name System (DNS) by deploying the "Sitting Ducks" attack that targets DNS providers.

In this kind of attack, a threat actor gains unauthorized access to a registered domain and conducts whatever activity they please, including impersonating the legitimate owner. This activity ranges from malware delivery and phishing campaigns to brand impersonation and data exfiltration. And the pool of exploitable domains is not small; the researchers at Infoblox and Eclypsium estimate that there are more than 1 million susceptible domains on any given day, with multiple ways to identify each of them.  

The attacks, according to the researchers, are easy to perform, difficult to contact, nearly completely unrecognizable, and most of all are "entirely preventable."

"While DNS serves as the backbone for Internet communication, it is often overlooked as a strategic attack surface," the researchers said. "Published attack vectors against DNS may be dismissed as inevitable and not receive the same level of mitigation as a software bug, creating a perfect attack surface for malicious actors."

To stop these kinds of attacks, the researchers recommend that domain name owners evaluate their risk, especially for domains 10 years or older. The researchers provide information on their blog post for how to evaluate a domain and mitigate risks to their DNS services.

**About the Author**

'Sitting Ducks' Attacks Create Hijacking Threat for Domain Name Owners

The prolific ransomware group has shifted away from phishing as the method of entry into corporate networks, and is now using initial access brokers as well as its own tools to optimize its most recent attacks.

Source: Ciaobucarest via Alamy Stock Photo

The enormously successful Black Basta ransomware group has pivoted to using new custom tools and initial access techniques as part of a shift in strategy in the wake of last year's takedown of the Qakbot botnet.

The evolution of the group, which has compromised more than 500 victims and counting, demonstrates the resilience of threat groups who have had to shift tactics on the fly due to law enforcement and other disruptions, yet still somehow continue to flourish in their cybercriminal operations, experts said.

Black Basta's initial claim to fame was its prolific use of Qakbot, which it distributed via sophisticated and evolving phishing campaigns. As an initial access Trojan, Qakbot could then deploy a host of publicly available open source tools and ultimately the gang's namesake ransomware. However, about a year ago, the Qakbot botnet was largely put out of commission (though it has since reappeared) in a federal law-enforcement campaign called Operation Duck Hunt, forcing the group to find new modes of access to victim infrastructure.

Initially, Black Basta continued to use phishing and even vishing to deliver other types of malware, such as Darkgate and Pikabot, but quickly began seeking alternatives to conduct further malicious activity, researchers from Mandiant revealed in a blog post this week.

The group, which Mandiant tracks as UNC4393, has now settled into a "transition from readily available tools to custom malware development as well as \[an\] evolving reliance on access brokers and diversification of initial access techniques" in recent attacks, Mandiant researchers wrote in the post.

**'SilentNight' Resurgence**

One of the new methods for initial access involves the deployment of a backdoor called SilentNight, which the group used in 2019 and 2021, respectively, before putting it on the shelf until last year. Earlier this year, the group began using it again in malvertising efforts, the researchers said, marking "a notable shift away from phishing," which previously was the “only known means of initial access,” they wrote in the post.

SilentNight is a C/C++ backdoor that communicates via HTTP/HTTPS and may utilize a domain generation algorithm for command and control (C2). It has a modular framework that allows for plug-ins to provide "versatile functionality, including system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access," the researchers wrote. It also targets credentials through browser manipulation.

Once Black Basta gains access to target environments, the group uses a combo of living-off-the-land (LotL) techniques and an assortment of custom malware for persistence and lateral movement before deploying ransomware, the researchers found.

"UNC4393's goal is to gather as much data as quickly as possible followed by exfiltration of the collected data to engage in multi-faceted extortion, leveraging the threat of data leakage to pressure victims into paying ransom demands," the researchers noted.

**Custom Tools to Optimize Attacks**

One of the first new tools deployed after gaining initial access is called Cogscan, which seems to have replaced open source tools previously used by the group, such as Bloodhound, Adfind, and PSNmap to help map out victim networks and identify opportunities for either lateral movement or privilege escalation.

Cogscan is a .NET reconnaissance tool used to enumerate hosts on a network and gather system information, and is internally referred to as "GetOnlineComputers" by Black Basta itself, the researchers observed.

Another notable new tool that allows Black Basta to speed up its deployment of ransomware is Knotrock, a .NET-based utility. Knotrock creates a symbolic link on network shares specified in a local text file; after creating each symbolic link, Knotrock executes a ransomware executable and provides it with the path to the newly created symbolic link.

"Ultimately, Knotrock serves a dual purpose: it assists the existing Basta encryptor by providing network-communication capabilities, and streamlines operations by proactively mapping out viable network paths, thereby reducing deployment time and accelerating the encryption process," the Mandiant researchers wrote.

The malware represents an evolution in UNC4393's operations in that it boosts its capabilities "by expediting the encryption process to enable larger-scale attacks and significantly decreasing its time to ransom," they noted.

Other new tools observed in recent attacks include tunneling technology for command-and-control (C2) communications dubbed Portyard, and a memory-only dropper that decrypts an embedded resource into memory called DawnCry, the researchers said.

**Black Basta: A Significant Threat Remains**

Changes to Black Basta’s initial access and tooling demonstrate a "resilience" in the group that shows it will continue to remain a threat against "organizations of all sizes," even if it’s moving away from phishing, which is one of the most successful forms of cybercrime, one security expert noted.

"Given the success of this gang, there's no doubt they have a considerable amount of funds stocked away in their war chest, allowing them to develop their own tools and improve their ability to attack," says Erich Kron, security awareness advocate at security firm KnowBe4.

Indeed, Black Basta’s ability to adapt and innovate in its use of new tools and techniques means that defenders, too, also must be proactive and fortify their security measures with the latest technology and threat intelligence available, the Mandiant researchers said.

Defensive measures for organizations Kron recommends include "employee education and training to counter social engineering; strong data loss prevention controls to keep data from being stolen; a good endpoint detection and response system that can possibly spot and stop attempts to encrypt files from infected computers; and immutable and tested backups to allow for quick recovery in the event of system encryption."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Black Basta Develops Custom Malware in Wake of Qakbot Takedown

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

Source: Hocus Focus Studio via iStock

Attackers are hijacking pages on Facebook to lure victims into downloading a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.

The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.

The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.

“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.

Attackers also are taking advantage of the current attention on AI technology and tools associated with it by using these tools "as lures for malicious activities, which includes phishing scams, deepfakes, and automated attacks," he wrote.

So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.

**Phishing Leads to Hijacked Pages**

A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.

The phishing links in the messages are sent either as direct links or personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL for these links to appear more legitimate.

If the page operator clicks on the links, they are presented with a screen to verify their information with a "Business Support Center" for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, "which in several subsequent steps, asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password," Horejsi explained.

After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.

"The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor," Horejsi wrote.

However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. The attacker, using a series of back-end processes controls, ultimately controls the victim's machine to download the final payload, the Lumma stealer.

**Avoiding Compromise**

There are a number of ways that people can avoid falling victim to the campaign and threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.

Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.

Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.

Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

Significant upcoming legislation promises to tighten the screws on cyber incident response in Australia, mirroring CIRCIA in the US.

Source: Bonaventura via Alamy Stock Photo

Australian companies may soon have to disclose to the government any ransom payments they surrender to ransomware attackers.

It wasn't so long ago that Australia's government was considering an outright ban on ransom payments across the country. That idea didn't survive, but a slightly softer rule was floated in a national cybersecurity strategy document published last November. In just a single sentence buried deep in that document, the government signaled its intention that "To stay ahead of the threat, we will co-design with industry options to legislate a no-fault, no-liability ransomware reporting obligation for businesses."

That obligation seems to be part of the country's upcoming Cyber Security Act, which is expected to be brought before parliament during its next sitting in just a couple of weeks' time.

Following an interview with Clare O'Neil — who, until Monday, was Australia's Minister for Home Affairs — the Australian Broadcasting Corporation (ABC) reported that businesses making more than $3 million AUD ($1.96 million US) in annual revenue will be forced to report their ransom payments. However, the fines for noncompliance are purportedly just $15,000.

Dark Reading has contacted Australia's Department of Home Affairs to confirm reports about the new rule.

"The goal with such laws is to allow governments to have insight into funds going to bad actors, in order to be able to track those payments and hopefully bring criminals to justice," explains Beth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB).

In Australia's case, "The proposed bill appears to mirror what we are seeing in the United States from CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act of 2022), which requires that covered entities report ransom payments within 24 hours of making a ransom payment to CISA," she explains. "The Australian proposed law is broader, though, in the sense that it appears to be for any business making a ransom payment, whereas it appears CIRCIA covers only 'covered entities,' which the current proposed CIRCIA regulations broadly define."

**Will Forcing Ransom Disclosure Work?**

Australia has been rocked by some major cyberattacks in recent years. In 2022, a breach of millions of consumer records struck the telecommunications company Optus. Shortly thereafter, a case of similar scope hit the health insurance provider Medibank. Last year, a cyber disruption downed four core ports around the country for a weekend. And there have been more.

The toll to Australia's economy has been significant. As former minister O'Neil noted in a forward to the 2023–2030 Australian Cyber Security Strategy, a cyber incident is reported to the government every six minutes. (Of course, that doesn't include all the incidents that don't get reported.) Ransomware, meanwhile, is responsible for $3 billion worth of damage to Aussie organizations annually, and cyberattack costs are rising 14% per annum.

Any hard and fast rules that help curb the problem inevitably affect different organizations differently. On one hand there are larger companies, which can handle the costs involved and stand to benefit the most from clearer regulations.

"With laws like this popping up locally across the globe, it creates a patchwork quilt of compliance for multi-national organizations with perhaps a headquarters in the United States but significant operations in Australia," Waller says.

Smaller organizations, meanwhile, have fewer resources to dedicate to cybersecurity, and less money to pay fines when they fall short. According to ABC, the Australian Chamber of Commerce and Industry (ACCI) trade organization supports parts of the upcoming Cyber Security Act, but proposes that the minimum revenue threshold for businesses affected by the reporting rule should be $10 million.

**Incentive for Stronger Cyber Defenses**

The hope, regardless, is that any potential negative side effects will be outweighed by greater visibility for law enforcement, and more effective incentives for companies to better themselves.

"Mandatory disclosures may prompt a reassessment of corporate practices regarding negotiations with cybercriminals," says Anne Cutler, cybersecurity evangelist at Keeper Security. "With the knowledge they must disclose any ransom payments, business leaders may be persuaded to invest more heavily in preventive measures and robust incident response plans to avoid the financial and reputational scrutiny that comes with public disclosure."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Australian Companies Will Soon Need to Report Ransom Payments

DEV#POPPER is back, looking to deliver a comprehensive, updated infostealer to coding job seekers by way of a savvy social engineering gambit.

Source: sakkmesterke via Alamy Stock Photo

The North Korea-based DEV#POPPER campaign is back, with an updated malware and social engineering arsenal that it's using to target software developers worldwide for data theft.

That's according to research from the Securonix Threat Research team, which found in an analysis today that the known threat group is casting a wider net than ever before, having added Linux and macOS variants to its malware toolbox in addition to its existing Windows binary.

The campaign, which focused primarily on South Korea before, has spread out globally, and is also active in Europe, the Middle East, and North America.

It's unclear as to the level of specific targeting the campaign is using, but there are overlaps with other efforts by North Korean actors to use fake recruiting in state-sponsored attacks.

"I would imagine that the ultimate goal for the attackers is conducting a successful operation against an individual on a corporate or company-owned endpoint," says Tim Peck, senior threat researcher at Securonix. "Based on the malware used, its primary purpose is theft. Typically, with financially motivated attacks, we see either ransomware or cryptominers being used."

**Targeting Developers With Social Engineering**

To lure in their victims, DEV#POPPER threat actors pose as interviewers looking to hire software developers for nonexistent positions. When someone applies, they send off a .ZIP file to the target that purports to be an npm package to be used for testing the applicant's coding skills.

"The use of practical-style interviews makes for an easy medium for the attackers to run malicious code on the interviewee's system," Peck notes. "Given the practical nature of developer interviews, it would not be uncommon to be asked to compile or execute code, as opposed to most other types of interviews. In such a use case, it would generally not raise suspicions for the interviewee."

When the interviewee extracts and executes the contents of the package, a well-hidden line of JavaScript code executes, which kicks off the infection chain, the researchers explained in their analysis of the campaign. "The .ZIP file contains dozens of legitimate files, making identifying potential foul play difficult to spot if it's missed by any installed antivirus."

Antivirus, by way, may indeed miss it: the malicious file, which is obfuscated in multiple ways, has just a 3/64 vendor detection rate on VirusTotal as of the Securonix blog post being published today.

The level of savvy scamming is notable: "In this particular attack, the lengths that the threat actors go through to pull off their social engineering scheme is quite bold," says Peck. "If you think about it, the amount of work needed to host fake job interviews goes way beyond traditional compromise actions such as blasting out phishing emails, for example."

**DEV#POPPER's Cyberattack Routine & Updated Malware**

The malware strategy is not just now multiplatform, but is also more sophisticated than its predecessor, according to Securonix.

After deobfuscating the script, the researchers were able to detect the campaign's command-and-control address (C2), as well as a number of malicious functions. The latter includes a fresh main function, dubbed "M," which orchestrates data extraction and code execution on different operating systems.

"It begins by identifying the platform, constructs paths and variables, and then calls appropriate extraction functions based on the detected OS," according to the analysis.

Other functions are in charge of sending the stolen data to the C2, collecting system and geolocation information, and assigning unique identifiers to each infected host (which allows the server to track which data came from which machine). Another function downloads next-stage payloads, while another new addition performs directory traversal, which includes filters to exclude certain files and directories from extraction (in order to appear more legitimate).

Securonix researchers noted that after the script was executed on a compromised host, the attackers then fetched a series of additional payloads culminating in an updated version of a Python script that DEV#POPPER has used before. This performs the actual theft of various sensitive files, plus keylogging and surveillance; one new capability is the ability to steal browser cookies, credit-card information entered into websites, and data for any installed browser extensions.

"The risk of running this kind of information-stealer malware on a business endpoint could be catastrophic," Peck says. "Considering the information stolen, the threat actors would almost immediately have access to all of the user's active browser sessions, cookies, and passwords. Additionally, they would have remote access to the endpoint allowing them to embed themselves deeper or attempt to move laterally into other systems that the user might have access to."

While it's difficult for businesses to protect against this type of attack, given that they might not be aware that a target is job-hunting, awareness training is always an option on the defensive side.

"First, if you're employed and actively interviewing, never conduct the interview on a company-owned appliance," Peck warns. "Second, though job interviews are oftentimes stressful situations, maintain a security-focused mindset. Social engineering attacks can be difficult to spot, however if the request seems odd or out of the norm, don't be afraid to back out of a request for fear of rejection or making a situation awkward."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

North Koreans Target Devs Worldwide With Spyware, Job Offers

PRESS RELEASE

BRATISLAVA — July 31, 2024 — ESET, a global leader in cybersecurity, today announced the introduction of the cloud version of ESET Secure Authentication, the multifactor authentication module of the ESET PROTECT Platform. With the new offering, ESET customers can consolidate their security stack and have endpoint protection and multifactor authentication (MFA) provided natively from one vendor with a single pane of glass experience, offering unparalleled flexibility and ease of use, utilizing a wide range of authentication methods in one effective and affordable solution for companies of all sizes.

“We understand how poor password hygiene can lead to devastating data breaches,” said Michal Jankech, Vice President of SMB and MSP segment at ESET. “With the cloud version of ESET Secure Authentication, ESET aimed to provide a solution that is flexible, scalable, easy to deploy, and above all, effective and affordable for companies of all sizes, boosting business data protection while reducing total cost of ownership, in an effort to deliver superior business value to our customers.” 

In today’s cybersecurity landscape, one of the most common ways hackers can gain access to a company’s data is through weak or stolen passwords gathered via automated bots, phishing, or targeted attacks. To protect against such threats, in addition to just protecting normal users’ logins to critical services, businesses can implement an advanced MFA solution to prevent unauthorized administrative access. ESET Secure Authentication provides an easy way for businesses of all sizes to implement MFA across commonly utilized systems such as VPNs, Remote Desktop Protocol, Outlook Web Access, and operating system logins. It supports technologies such as mobile apps with push notifications, hardware tokens, FIDO keys, and other custom methods.

The cloud version of ESET Secure Authentication will be available through the ESET PROTECT Elite subscription tier, and as a standalone solution without any change in pricing. The solution will be immediately available for new customers, and available to all North America customers later in Q4 2024. 

 About ESET

ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

You May Also Like

ESET Reveals Latest Cloud-Native Authentication Solution

PRESS RELEASE

SEATTLE -- July 31, 2024 – Protect AI, a leader in AI security, today announced the acquisition of SydeLabs, which specializes in the automated attack simulation (red teaming) of generative AI (GenAI) systems. This strategic acquisition enhances Protect AI's platform ability to test and improve LLM security and extends the company’s lead as the only provider of end-to-end AI security solutions.

SydeLabs: A Leader in AI Red Teaming

Generative AI and LLM adoption are revolutionizing industries. LLMs are being integrated into critical end user applications such as customer service, finance and healthcare. However the complexity and scale of the technology has exacerbated security concerns that traditional application security processes simply can not keep up with or address effectively. 

SydeLabs was founded less than a year ago by former product and engineering leads from Google and MPL, and has quickly established itself as a pioneer in the field of AI security. Based in Bangalore, India, SydeLabs has developed SydeBox, a cutting-edge product designed to provide comprehensive vulnerability assessments for GenAI systems. The talented team from SydeLabs will join Protect AI where they will continue to add local talent in Bangalore to complement our Seattle and Berlin based teams.

“Protect AI is continuously looking to add products to our AI security posture management platform that help our customers build a safer AI-powered world,” said Ian Swanson, CEO of Protect AI. “The acquisition of SydeLabs extends the Protect AI platform with unmatched red teaming capabilities and immediately provides our customers with the ability to stress test, benchmark and harden their large language models against security risks.” 

SydeBox will be integrated into the Protect AI Platform and rebranded as Protect AI Recon. Recon identifies potential vulnerabilities in LLMs, ensuring enterprises can deploy AI applications with confidence. Key features of Recon include no-code integration, model-agnostic scanning, and detailed threat profiling across multiple categories. Recon uses both an attack library and LLM agent based solution for red teaming and evaluating the security and safety of GenAI systems. Protect AI Recon aligns perfectly with the growing demand for robust AI security solutions, driven by formal guidance from NIST, MITRE, OWASP and CISA, as well as mandates like the Executive Order on AI Safety and Security and the EU AI Act.

“The combination of SydeLabs’ SydeBox and Protect AI’s platform provides customers a comprehensive defense-in-depth solution for building, managing, testing, deploying and monitoring LLMs,” said Ruchir Patwa, co-founder of SydeLabs. “We couldn’t be more excited about joining the Protect AI mission and the prospect of what we can achieve in terms of helping companies of all sizes adopt and deploy more secure LLMs and AI applications.”

The new Recon product will enable Protect AI to meet growing customer demand for robust AI security solutions. Customers will benefit from detailed threat profiling across jailbreaks, prompt injection attacks, input manipulations and other attack vectors, which are crucial for maintaining the integrity and security of AI systems. Recon covers six of the OWASP Top 10 for LLM applications.

“Recon, formally SydeBox, has enabled us to identify and fix security blindspots before deploying our GenAI solutions to ensure we are building the most secure and safe LLM powered applications, and that products we serve our customers are free from any security or safety loopholes,” Said Kiran Darisi, CTO and cofounder, AtomicWork.

This acquisition and new product, Recon, further enhances Protect AI’s position as the leader in the AI security market and AI Security Posture Management (AI-SPM) solutions, differentiating it from competitors and solidifying its market presence. More specifically when used alongside Layer, Protect AI’s LLM observability and monitoring solution, Recon enables organizations to harden the implementation of LLMs against the spectrum of emerging security concerns associated with GenAI usage. Partners and stakeholders will also gain from the enhanced security capabilities, ensuring that the entire AI ecosystem is better protected against potential threats.

About SydeLabs

SydeLabs is a pioneering AI security company specializing in automated red teaming for GenAI systems. Founded by former leaders from Google and MPL, SydeLabs has developed SydeBox, a leading product designed to identify and mitigate vulnerabilities in LLMs. SydeLabs’ products have been adopted by enterprises to make GenAI models and applications safe and secure, giving them the confidence to deploy these systems to production. The company is headquartered in Bangalore. 

About Protect AI

Protect AI empowers organizations to secure their AI applications with comprehensive AI Security Posture Management (AI-SPM) capabilities, enabling them to see, know, and manage their ML environments effectively. The Protect AI Platform offers end-to-end visibility, remediation, control, and governance, safeguarding AI/ML systems from security threats and risks. Founded by AI leaders from Amazon and Oracle, Protect AI is backed by top investors, including Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures, 01 Advisors, StepStone Group, Samsung, and Salesforce Ventures. The company is headquartered in Seattle, with offices in Berlin and Bangalore. For more information, visit our website and follow us on LinkedIn and Twitter.

Protect AI Acquires SydeLabs to Red Team Large Language Models

PRESS RELEASE

NEW YORK, July 31, 2024 /PRNewswire/ -- Trustmi today released The State of Business Payment Security in the U.S. report. The results detail the findings of 516 finance professionals, including CFOs, treasurers, and accounts payable professionals, about the state of their business payment security processes. According to the survey, 22% of respondents have already been targeted by AI-driven deepfake and executive impersonation attacks. With the rise of generative AI, attackers are deploying increasingly sophisticated cyberattacks that pose new challenges for finance and cybersecurity teams.

While AI-driven attacks are gaining momentum, companies continue to contend with existing threats. Fifty percent said they experienced business payment fraud resulting from human error and 42% reported fraud from business email compromise (BEC) attacks. Other fraud sources include social engineering schemes (almost 20%) and employee collusion (nearly 16%).

According to Trustmi's research, a lack of visibility over payment processes persists. Nearly 58% of respondents had a fraud prevention solution, yet they lacked visibility into payment fraud activity. This includes insights into how much money they lost due to payment fraud in the past 12 months.

According to the research:

*   Less than one-third (28%) knew with certainty that their organization had experienced business payment fraud.
    
*   Nearly 22% of respondents did not know if their organization had experienced business payment fraud.
    
*   48% did not know how many times their organization had been targeted with payment fraud attempts in the past 12 months.
    
*   51% did not know how much money their organization had lost due to payment fraud.
    

"Finance teams face unprecedented challenges when it comes to payment fraud, battling emerging AI-powered threats while trying to identify and stop losses stemming from avoidable human error," said Shai Gabay, Trustmi co-founder and CEO. "To overcome these issues, businesses need AI-powered, end-to-end fraud prevention technology capable of automating their B2B payment processes while providing the visibility required to prevent fraud from all attack vectors and loss from needless human errors."

The survey found that many businesses lack automated business payment processes. Only 32% currently operate automated payment processes. Most (41%) automate some aspects of their workflow, while nearly 27% still rely on manual operations. This lack of automation creates even greater challenges for businesses with payment processes that involve multiple technology solutions. According to the research, 54% reported that their payment processes involve up to five technology solutions, with 12% using up to 10 solutions and 7% relying on 15 or more solutions within their payment technology stack.

Trustmi helps companies protect their bottom line by eliminating losses from cyberattacks, internal collusion, and human error and ensuring payments go to the right place. Trustmi enables finance and security teams to secure payment processes and manage vendors by connecting payment data and activity across an organization's siloed systems more effectively and efficiently. Trustmi's platform is a flexible solution that layers seamlessly onto existing systems to secure payments across the entire flow, boosting efficiency and reducing manual work. The easy-to-use interface allows full control so businesses can run their payment process without changing or interrupting their workflows.

Access The State of Business Payment Security in the U.S. report here.

About Trustmi  
Trustmi is the only end-to-end payment security solution that helps businesses protect their bottom line by eliminating losses from cyberattacks, internal collusion, and human error. Trustmi's flexible and modular solution offers businesses complete control to use only the tools they need for securing their payment processes and managing their vendors. Founded in 2021 by Shai Gabay and Eli Ben Nun, Trustmi is headquartered in Tel Aviv with an office in New York City. For more information, visit https://www.trustmi.ai/.

You May Also Like

AI-Driven Executive Impersonations Emerge As Significant Threat to Business Payment Processes

Malicious actors could potentially exploit this vulnerability if they gain physical access to a user's device.

Source: Anatolii Babii via Alamy Stock Photo

Apple released updates for a variety of its products to patch recent vulnerabilities found in Siri, the Apple iOS digital assistant.

The vulnerabilities could allow an attacker to steal information through a locked device because when a device is locked, there are still voice commands that the digital assistant can process and may allow access to contacts and other sensitive data.

In its latest round of fixes, Apple restricted these options to prevent malicious actors from exploiting the vulnerability, even if they have physical access to a device.

In addition to the iPhone, the company patched a similar vulnerability in Apple Watch, iOS, iPadOS, and the macOS Ventura.

Users should update to the latest software version of iOS and iPadOS, iOS 17.6, or iPadOS 17.6, to mitigate these bugs by going to settings, general, and then software update.

**About the Author(s)**

Siri Bug Enables Data Theft on Locked Apple Devices

The sustained cyberattack, likely made worse by a mitigation snafu, disrupted several Azure cloud services for nearly eight hours on July 30.

Source: DD Images via Shutterstock

Microsoft blamed an implementation error for amplifying the impact of a distributed denial-of-service (DDoS) attack yesterday, which ended up disrupting the company's Azure cloud services for nearly eight hours.

The attack affected several Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy. The disruption, which began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, also impacted the main Azure portal and a subset of Microsoft 365 and Microsoft Purview data-protection services.

**DDoS Cyber-Defense Error Under Investigation**

In an event summary yesterday, Microsoft described the DDoS attack as causing an "unexpected usage spike \[that\] resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds." The spike caused intermittent service errors, timeouts, and sudden latency increases.

More concerningly in some ways, "while the initial trigger event was a DDoS attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it."

Microsoft has not specifically identified the mistake that exacerbated the DDoS attack. But according to its description of the events of July 30, the initial network configuration changes the company made to support DDoS mitigation efforts may have led to some unexpected "side effects." The company implemented an updated approach that it first rolled out in thbe Asia-Pacific region and Europe, and then deployed in the Americas after validating the approach worked.

"Our team will be completing an internal retrospective to understand the incident in more detail," Microsoft said. "We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded."

**Inadvertent Errors in DDoS Mitigation**

Rody Quinlan, staff research engineer at Tenable, says there are several ways an organization can mess up a DDoS mitigation effort.

"Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure," he says. "These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline."

And while Microsoft's initial response might have contributed to its Azure service problems this week, the incident is another reminder of how effective DDoS attacks remain for adversaries looking to disrupt and degrade a target's online presence.

A Cloudflare report earlier this year identified a 117% increase year-over-year in network-layer DDoS attacks. Part of the reason for that is a specific increase in DDoS attacks that targeted retail, shipping, and public relations websites on and around Black Friday and the holiday shopping season in general. However, many of the attacks have also been by groups looking to send out a specific message or convey a particular political stance. Cloudflare, for example, said it has observed a massive increase in DDoS attacks that target Taiwanese, Israeli, and Palestinian sites amid geopolitical tensions in those areas, and attacks on environmental sciences websites.

**DDoS Attacks Adopt "Smash & Grab" Tactics**

"Trends in DDoS are often cyclical, but currently we’re seeing attacks grow larger in size, and shorter in duration," says Donny Chong, director at DDoS security vendor Nexusguard. "Our most recent data suggests that attack sizes increased by an average of 183% last year, with an average size of 0.80Gbps," he says. At the same time, between 2022 and 2023, the average duration of DDoS attacks dropped to just over 101 minutes. Currently, 81% of DDoS attacks last less than 90 minutes, Chong says.

"Part of this decrease in attack duration is due to attackers becoming more and more efficient when inflicting disruption on business," likely because they are using artificial intelligence (AI) to automate some attacks. But the shorter attack durations are also likely due to mitigation technologies, Chong says. "\[Attackers\] are finding it increasingly difficult to sustain prolonged disruptions. So, rather than a prolonged siege, it's now more a case of ‘smash and grab,'" he says.

Quinlan says the key to mitigating DDoS disruption is having a real-time traffic analysis capability, scalable cloud infrastructure, redundant systems, and intelligent load balancing to prevent overload. "Proper rate limiting, throttling, and WAFs \[Web application firewalls\] filtering malicious traffic, and regular software and hardware vulnerability remediation is crucial to protect systems," Quinlan says. "An effective incident-response plan and collaboration with Internet service providers and security providers enhance detection and mitigation capabilities."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading