The inside story of the teenager whose “swatting” calls sent armed police racing into hundreds of schools nationwide—and the private detective who tracked him down.

The School Shootings Were Fake. The Terror Was Real

The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

Source: Panther Media via Alamy Stock Photo

COMMENTARY

The Middle East is undergoing a digital transformation that is as rapid as it is remarkable. Tech multinationals are investing big in the region as Dubai, Riyadh, and Abu Dhabi strive to establish themselves as global innovation hubs.   

But this increased digitization comes with an increased risk of cyberattacks — and businesses throughout the Middle East are at risk of being caught with their guard down.

The pace of digital growth in countries throughout the Middle East has far outstripped cybersecurity talent in the region, leaving organizations fatally exposed. While some businesses resort to outsourcing their cybersecurity measures to tech giants and their tools, this hands-off approach is risk-prone.

The Middle East now sits squarely in the firing line. With cyberattacks emboldened by AI, robust cybersecurity defenses are more crucial than ever. Businesses must move away from outsourcing and focus on building strong in-house defenses by investing in tool-based approaches and heavily leveraging in-house hiring, upskilling, and talent retention practices.

**Victims of Their Own Success?**

The commercial success of locations like Dubai, Abu Dhabi, and Saudi Arabia has transformed them into potential hotbeds for cybercrime. Distributed denial-of-service (DDoS) attacks on Middle Eastern countries have risen 75% in the past year, with the UAE and Saudi Arabia taking the brunt of the blow. 

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The UAE alone falls victim to around 50,000 cyberattacks a day. And it comes at a cost: in 2023, cyberattacks cost businesses, organizations, and public bodies more than $8 million per incident.

The uptick in cyberattacks is only exacerbated by changing patterns in the cybercrime landscape. The rise of AI has lowered the barrier to entry for would-be hackers, allowing those with even the most novice skills to carry out a full-scale attack. Meanwhile, the proliferation of cybercrime as a service (CaaS), offering services like DDoS-for-hire, means threat actors now need little more than an intention to launch a cyberattack. In this new era of cybercrime, where there's a will, there's a way.

The current cybersecurity skills gap seen throughout the Middle East is leaving companies exposed and vulnerable to bad actors. Over half the companies in the EMEA region have attributed cybersecurity breaches to a lack of skills and training, while 70% of business leaders believe that skills shortages create a whole host of additional cybersecurity risks for companies to address.

**AI Muddles Outsourced Security Equation**

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Too many businesses attempt to remedy this lack of talent by outsourcing their cybersecurity to third parties. While this might have been effective when countries like the US were the main target for threat actors, that's no longer the case.   

The rise of AI-enhanced cyberattacks presents a new host of threats that businesses outsourcing cybersecurity won't necessarily be able to tackle. Not only has AI made it easier for threat actors to carry out cyberattacks, it's also made the attacks themselves more sophisticated and more malicious.

AI-enhanced malware is stealthier, making it harder to detect a breach of IT infrastructure. Automated phishing attacks enable bad actors to target a larger number of potential victims, while the phishing attacks themselves are highly tailored to their targets.

It is crucial that Middle Eastern businesses — particularly those in the UAE and Saudi Arabia — are on top of their cybersecurity measures. They cannot sit back and outsource cybersecurity with the assumption that the risk is also transferred. Instead, they must take an active approach to their cybersecurity measures by building up a strong in-house cybersecurity team that can identify, respond to, and deal with threats in an effective and timely manner. 

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Bringing cybersecurity in-house mitigates the risks that can crop up when relying on outsourced defenses, such as slow response times. Instead, in-house cybersecurity teams will have their fingers on the pulse of the business's security framework, as well as a thorough understanding of business specifics, enabling them to react quickly to threats.

But to achieve this, businesses must invest heavily in new and pre-existing IT talent to close the Middle East's skills gap — and this should be done with a particular focus on hiring and retention practices.

**Retention Is Tough in Smaller Talent Pool**

Over half of organizations globally say they struggle to recruit candidates with cybersecurity experience. Difficulties in hiring cybersecurity talent are compounded by trouble retaining cybersecurity staff, throwing employers into a vicious cycle of hiring and re-hiring. In the Middle East, where the digital economy is still young, this is of particular concern — the talent pool is finite, and companies cannot afford to lose out on promising employees.   

To combat this, corporations in the Middle East should turn their attention to the fresh talent coming out of universities throughout the Middle East and around the world. By forming partnerships with universities and offering attractive graduate schemes, businesses can tap into dense talent pools brimming with promising cybersecurity talent.

Graduates are eager to learn and willing to mold to the company ethos, making them the ideal choice for corporations looking to build up a dedicated in-house cybersecurity team.

Investing in apprenticeship schemes is another option for companies. Although more hands-on, companies will be able to train candidates from the ground up, ensuring the candidate's skills and knowledge are strongly aligned with the business's cybersecurity needs.

**Learning & Development Must Be Fostered**

Retaining this talent is just as crucial as bringing them on board in the first place.  Alongside the usual retention tactics, such as competitive pay packets and desirable benefits, companies must invest heavily in continuous learning and development (L&D) opportunities throughout the employee's career.  

Poor training — or a lack of training altogether — is a surefire way to lose employees. Conversely, 94% of employees say they would stay longer with an employer that invested in L&D. In a fast-changing, continually developing industry like cybersecurity, L&D is especially vital.

Investing in training sessions and development courses for cybersecurity employees will ensure they're kept up to date with any changes in the threat and security landscape. And, in the process, employees will feel as if the company is giving them opportunities to develop their skills and abilities, rounding them out into highly experienced cybersecurity professionals.

Investing in staff as a cybersecurity tactic shouldn't begin and end with cybersecurity staff. Deploying a company-wide cybersecurity upskilling program is a vital first step — and a simple way of ruling out one of the greatest causes behind cybersecurity breaches: human error. Negligence, a lack of awareness, or simple mistakes can lead to vulnerabilities and breaches, even in the most robust systems. Upskilling is a vital step companies must take to mitigate this risk.

With the rising rate of cyberattacks in the Middle East, corporations cannot afford to sit back and wait until they become the next big victim of a data breach or DDoS attack.

Companies can't rely solely on third-party cybersecurity measures — they must build up comprehensive in-house defenses. Businesses need to act now and double their investments in cybersecurity talent, paying particular mind to up-and-coming graduate talent.

**About the Author**

Founder, PG Advisors Ltd.

Partha Gopalakrishnan is a leading business transformation expert with more than 25 years of experience directing global teams to drive digital growth. He also has his own firm, PG Advisors, which offers board advisory and non-executive director services for prominent analysts and PE Firms. 

Partha has served in executive leadership positions with some of the world’s largest technology firms and global systems Integrators, including 17 years with Infosys, followed by a tenure at Tech Mahindra. He has completed executive education programs at the Stanford University Graduate School of Business and The Wharton School of the University of Pennsylvania.

Cybersecurity Lags in Middle East Business Development

AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.

Source: Anggalih Prasetya via Shutterstock

Most industry analysts expect organizations will accelerate efforts to harness generative artificial intelligence (GenAI) and large language models (LLMs) in a variety of use cases over the next year.

Typical examples include customer support, fraud detection, content creation, data analytics, knowledge management, and, increasingly, software development. A recent survey of 1,700 IT professionals conducted by Centient on behalf of OutSystems had 81% of respondents describing their organizations as currently using GenAI to assist with coding and software development. Nearly three-quarters (74%) plan on building 10 or more apps over the next 12 months using AI-powered development approaches.

While such use cases promise to deliver significant efficiency and productivity gains for organizations, they also introduce new privacy, governance, and security risks. Here are six AI-related security issues that industry experts say IT and security leaders should pay attention to in the next 12 months.

**AI Coding Assistants Will Go Mainstream — and So Will Risks**

Use of AI-based coding assistants, such as GitHub Copilot, Amazon CodeWhisperer, and OpenAI Codex, will go from experimental and early adopter status to mainstream, especially among startup organizations. The touted upsides of such tools include improved developer productivity, automation of repetitive tasks, error reduction, and faster development times. However, as with all new technologies, there are some downsides as well. From a security standpoint these include auto-coding responses like vulnerable code, data exposure, and propagation of insecure coding practices.

"While AI-based code assistants undoubtedly offer strong benefits when it comes to auto-complete, code generation, re-use, and making coding more accessible to a non-engineering audience, it is not without risks," says Derek Holt, CEO of Digital.ai. The biggest is the fact that the AI models are only as good as the code they are trained on. Early users saw coding errors, security anti-patterns, and code sprawl while using AI coding assistants for development, Holt says. "Enterprises users will continue to be required to scan for known vulnerabilities with \[Dynamic Application Security Testing, or DAST; and Static Application Security Testing, or SAST\] and harden code against reverse-engineering attempts to ensure negative impacts are limited and productivity gains are driving expect benefits."

**AI to Accelerate Adoption of xOps Practices**

As more organizations work to embed AI capabilities into their software, expect to see DevSecOps, DataOps, and ModelOps — or the practice of managing and monitoring AI models in production — converge into a broader, all-encompassing xOps management approach, Holt says. The push to AI-enabled software is increasingly blurring the lines between traditional declarative apps that follow predefined rules to achieve specific outcomes, and LLMs and GenAI apps that dynamically generate responses based on patterns learned from training data sets, Holt says. The trend will put new pressures on operations, support, and QA teams, and drive adoption of xOps, he notes.

"xOps is an emerging term that outlines the DevOps requirements when creating applications that leverage in-house or open source models trained on enterprise proprietary data," he says. "This new approach recognizes that when delivering mobile or web applications that leverage AI models, there is a requirement to integrate and synchronize traditional DevSecOps processes with that of DataOps, MLOps, and ModelOps into an integrated end-to-end life cycle." Holt perceives this emerging set of best practices will become hyper-critical for companies to ensure quality, secure, and supportable AI-enhanced applications.

**Shadow AI: A Bigger Security Headache**

The easy availability of a wide and rapidly growing range of GenAI tools has fueled unauthorized use of the technologies at many organizations and spawned a new set of challenges for already overburdened security teams. One example is the rapidly proliferating — and often unmanaged — use of AI chatbots among workers for a variety of purposes. The trend has heightened concerns about the inadvertent exposure of sensitive data at many organizations.

Security teams can expect to see a spike in the unsanctioned use of such tools in the coming year, predicts Nicole Carignan, vice president of strategic cyber AI at Darktrace. "We will see an explosion of tools that use AI and generative AI within enterprises and on devices used by employees," leading to a rise in shadow AI, Carignan says. "If unchecked, this raises serious questions and concerns about data loss prevention as well as compliance concerns as new regulations like the EU AI Act start to take effect," she says. Carignan expects that chief information officers (CIOs) and chief information security officers (CISOs) will come under increasing pressure to implement capabilities for detecting, tracking, and rooting out unsanctioned use of AI tools in their environment.

**AI Will Augment, Not Replace, Human Skills**

AI excels at processing massive volumes of threat data and identifying patterns in that data. But for some time at least, it remains at best an augmentation tool that is adept at handling repetitive tasks and enabling automation of basic threat detection functions. The most successful security programs over the next year will continue to be ones that combine AI's processing power with human creativity, according to Stephen Kowski, field CTO at SlashNext Email Security+.

Many organizations will continue to require human expertise to identify and respond to real-world attacks that evolve beyond the historical patterns that AI systems use. Effective threat hunting will continue to depend on human intuition and skills to spot subtle anomalies and connect seemingly unrelated indicators, he says. "The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses."

AI's ability to rapidly analyze large datasets will heighten the need for cybersecurity workers to sharpen their data analytics skills, adds Julian Davies, vice president of advanced services at Bugcrowd. "The ability to interpret AI-generated insights will be essential for detecting anomalies, predicting threats, and enhancing overall security measures." Prompt engineering skills are going to be increasingly useful as well for organizations seeking to derive maximum value from their AI investments, he adds.

**Attackers Will Leverage AI to Exploit Open Source Vulns**

Venky Raju, field CTO at ColorTokens, expects threat actors will leverage AI tools to exploit vulnerabilities and automatically generate exploit code in open source software. "Even closed source software is not immune, as AI-based fuzzing tools can identify vulnerabilities without access to the original source code. Such zero-day attacks are a significant concern for the cybersecurity community," Raju says.

In a report earlier this year, CrowdStrike pointed to AI-enabled ransomware as an example of how attackers are harnessing AI to hone their malicious capabilities. Attackers could also use AI to research targets, identify system vulnerabilities, encrypt data, and easily adapt and modify ransomware to evade endpoint detection and remediation mechanisms.

**Verification, Human Oversight Will Be Critical**

Organizations will continue to find it hard to fully and implicitly trust AI to do the right thing. A recent survey by Qlik of 4,200 C-suite executives and AI decision-makers showed most respondents overwhelmingly favored the use of AI for a variety of uses. At the same time, 37% described their senior managers as lacking trust in AI, with 42% of mid-level managers expressing the same sentiment. Some 21% reported their customers as distrusting AI as well.

"Trust in AI will remain a complex balance of benefits versus risks, as current research shows that eliminating bias and hallucinations may be counterproductive and impossible," SlashNext's Kowski says. "While industry agreements provide some ethical frameworks, the subjective nature of ethics means different organizations and cultures will continue to interpret and implement AI guidelines differently." The practical approach is to implement robust verification systems and maintain human oversight rather than seeking perfect trustworthiness, he says.

Davies from Bugcrowd says there's already a growing need for professionals who can handle the ethical implications of AI. Their role is to ensure privacy, prevent bias, and maintain transparency in AI-driven decisions. "The ability to test for AI’s unique security and safety use cases is becoming critical," he says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

6 AI-Related Security Trends to Watch in 2025

Organizations in the region should expect to see threat actors accelerate their use of AI tools and mount ongoing "harvest now, decrypt later" attacks for various malicious use cases.

Source: Tero Vesalainen via Shutterstock

If incidents this year are any indication, deepfakes and “harvest now, decrypt later” attacks spurred by the growing adoption of quantum computing projects are among the many concerns that organizations in the Asia-Pacific (APAC) region will need to deal with in 2025.

Over the past year, cybercriminals operating in the APAC region have increasingly leveraged AI to launch sophisticated campaigns — such as AI-generated phishing emails, adaptive malware, and deepfakes. The attacks have undermined trust in critical communications and exacerbated social tensions, says Clement Lee, security architect and evangelist at Check Point Software Technologies, Asia Pacific.

**An Increase in Deepfakes & Quantum Computing-Related Cyberattacks**

"This was starkly demonstrated during recent elections seen across APAC: in India where deepfakes fueled widespread disinformation; in Indonesia, where a doctored deepfake video aimed to stir anti-China sentiment; and in Hong Kong, a finance worker who was duped into sending $25 million by a deepfake impersonation of company executives," Lee says. As these tactics start extending from political spheres into the corporate realm, businesses must adopt AI-driven security defenses to counter them, Lee notes.

Simon Green, president of Asia, Pacific, and Japan at Palo Alto Networks, described the APAC region as being on the cusp of a "perfect storm of AI-driven cyber threats" heading into 2025. Attacks featuring deepfake audio and video will likely be the most visible manifestations of the trend, he noted.

Related:Middle East Cyberwar Rages On, With No End in Sight

"We can expect deepfakes to be used alone or as part of a larger attack much more often in 2025," Green said. The use of audio deepfakes in particular is likely to increase over the next 12 month, as technology for highly credible voice cloning becomes more easily accessible.

**AI-Focused Cybersecurity Preparations**

Expect also to see more organizations in the APAC region looking for ways to better protect their data as they implement AI-enabled projects.

"Our customers are asking how they can get more value out of their data, while maintaining robust security, especially as they look to benefit from GenAI products like Microsoft Copilot," adds Max McNamara, vice president and managing director Australia and New Zealand at AvePoint.

"This starts with having secure, accessible data, ensuring you can scale with solutions that don't compromise your security posture, and rigorously adhering to increasingly complex regulatory standards," he says. APAC organizations will increasingly be looking to ensure their data is not just accessible, but also fundamentally secure within their borders, he notes.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

"Our customers are asking how they can get more value out of their data, while maintaining robust security, especially as they look to benefit from GenAI products like Microsoft Copilot," McNamara says, adding that this starts with having secure, accessible data, ensuring you can scale with solutions that don't compromise your security posture, and rigorously adhering to increasingly complex regulatory standards.

**Quantum Projects Will Drive Increase in Harvest Now, Decrypt Later Attacks**

The growing number of quantum computing projects in the APAC region is likely going to fuel an increase in "harvest now, decrypt later" attacks as well. Such attacks involve adversaries collecting and storing currently encrypted data with the intention of decrypting it in the future, when quantum computers become powerful enough to break today's encryption standards. The attacks pose a significant threat to sensitive information that needs to remain secure for extended periods of time.

According to Fortune Business Insights, Asia Pacific is the fastest growing quantum computing market in the world, with multiple companies including IBM, Microsoft, Google, Alibaba, Baidu, JSR, and D-Wave systems currently involved in large regional quantum software and hardware projects. One example is a new quantum computing cloud platform that Alibaba has deployed in collaboration with the Chinese Academy of Sciences. Some quantum projects in the APAC region are happening at a national level, such as India's US-funded National Mission on Quantum Technologies & Applications, and Singapore's Quantum Engineering Programs.

Related:Governments, Telcos Ward Off China's Hacking Typhoons

"The advent of quantum computing threatens to render current encryption standards obsolete, risking exposure of sensitive data and compromising critical infrastructure," Lee says. "Quantum-resistant cryptography will gain traction as organizations prepare for future decryption threats."

Organizations in the APAC region should expect increased interest in harvest now, decrypt later attacks from a wide range of adversaries, including nation-state-backed threat actors, according to Palo Alto Networks' Green. The attacks will pose a threat to governments and businesses, civilian and military communications, critical infrastructure, and organizations developing quantum projects, Green said. Organizations concerned about the trend should develop a quantum resistant road map that includes deployment of quantum resistant tunnelling, stronger crypto libraries and quantum key distribution, according to Palo Alto Networks.

Richard Sorosina, chief technology security officer and vice president of solution architecture at Qualys' EMEA & APAC operations, believes that the fast-evolving and increasingly sophisticated nature of the APAC threat landscape will likely accelerate ongoing consolidation of security capabilities at many organizations in the region. He expects organizations will increasingly move toward a unified security platform approach that will provide both a centralized view of risk across the organization and mechanisms to remediate that risk when found. Many of these efforts will be "driven by a need to reduce complexity, increase operational efficiency, enhance detection and response capabilities, and reduce overall cost," Sorosina says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Deepfakes, Quantum Attacks Loom Over APAC in 2025

Sometimes it feels like burnout is an inevitable part of working in cybersecurity. But a little bit of knowledge can help you and your staff stay healthy.

Source: Magdalena Iordache via Alamy Stock Photo

"A quarter of cybersecurity leaders want to quit," hollered the headline of a study sponsored by global cybersecurity company Black Fog. While that is suggestive of stress or morale problems at the higher levels of security teams, the more alarming numbers came later in the press release, below the graphic: 45% of security leaders have used drugs or alcohol to relieve work pressure in the past year, and 69% have "withdrawn from social activities."

That's starting to sound more like burnout than stress.

The reason it's important to distinguish the cause of self-destructive behavior at work is that short-term stress and burnout have different treatments and timelines. According to a journal article by Arno van Dam, 80% of people suffering short-term stress are back at work in six to 12 weeks. Burnout patients, however, take more than a year to recover; one quarter to one half of patients still haven't recovered after two to four years.

**What Is Cybersecurity Burnout?**

To discern burnout, it's helpful to have a standard definition. While the US list of maladies, Diagnostic and Statistical Manual of Mental Disorders (aka the DSM), still doesn't include work-related burnout as a diagnosis as of version 5, the World Health Organization (WHO) sees it differently. The WHO's alternative resource, International Statistical Classification of Diseases and Related Health Problems (aka the ICD), has a code for burnout — QD85 — and defined it in the context of work/unemployment problems:

Related:Emerging Threats & Vulnerabilities to Prepare for in 2025

> "Burnout is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: 1) feelings of energy depletion or exhaustion; 2) increased mental distance from one's job, or feelings of negativism or cynicism related to one's job; and 3) a sense of ineffectiveness and lack of accomplishment."

According to the van Dam article, burnout happens when an employee buries their experience of chronic stress for years. The people who burn out are often formerly great performers, perfectionists who exhibit perseverance. But if the person perseveres in a situation where they don't have control, they can experience the kind of morale-killing stress that, left unaddressed for months and years, leads to burnout. In such cases, "perseverance is not adaptive anymore and individuals should shift to other coping strategies like asking for social support and reflecting on one's situation and feelings," the article read.

"I wrestle with burnout pretty regularly, escalated thanks to neurodivergence," says Ian Campbell, senior security operations engineer at DomainTools. Burnout is also a condition familiar to the neurodivergent, especially autistic people. Autistic burnout, a term used mostly by that community, entails chronic exhaustion, losing the use of skills, and a lowered tolerance for stimuli. The role it might play in the better-known work burnout is unknown, but the similarity of symptoms is interesting.

Related:Name That Toon: Sneaking Around

Campbell sees the interplay from the inside. "Autism, depression, and anxiety are a wickedly effective combination in encouraging burnout. Hyperfocus can lead to working far too much and ignoring work/life balance," he says. "Depression and anxiety are self-perpetuating, exquisitely engineered to set up feedback cycles hard to break away from, and that can be doubly toxic around work — the depression saying things won't get better, the anxiety pressing you to work longer, harder, be more useful and less expendable."

Bryan Kissinger, chief information security officer (CISO) and senior VP at Trace3, adds, "People also need to have the courage to say to their managers or coworkers, 'Hey, I need a break.'"

**Handling Staff Burnout on Security Teams**

"Sometimes it's very challenging" to tell when someone's burning out, Kissinger says. He tells the story of one employee who kept their stress to themselves until it was almost too late: "They were ready to leave because they were burning out, and I said, 'This is the first I've heard about it. Can we bring on some contractors to help us moderate the workload?'"

Related:How Nation-State Cybercriminals Are Targeting the Enterprise

When asked how he helps his staff fend off burnout, Kissinger describes a hands-on approach. "I audit their day. A lot of people either tend to get roped into things ... or volunteer for things," he says. "What are the one or two things that need to be done today, and what can be done Monday or later next week?"

Jill Knesek, CISO at BlackLine, has a team of about 30 people, and has a quarterly one-on-one with each of them. "I offer more if they want more, and if you want to do monthly or every six weeks, then please do," she says. "I just try to take the time with each person on the team to make them feel important and empowered. And I know that there's opportunities for them, even if it's not maybe what they're doing today."

If a person's team is not supportive of work/life balance, that can exacerbate the issue.

Knesek says, "I want to make sure they know that I know what they're doing and I care about what they're doing and I can help guide them. So they feel important, and they feel like the really important things get noticed by leadership."

**How Cyber Staff Handles Work Pressure**

"Taking all my holiday was a big help," says Terence Eden, who moved from civil service to start his own consultancy, Open Ideas, which affords him much more control over his schedule and work/life balance. "And doing it in big chunks, not just a day or two, allowed me to reset."

Resetting from the buildup of stress is an important part of disrupting the path to burnout, as Knesek knows well. She says, "I encourage my team all the time to make sure their work-life balance is always good. Recharging your batteries is really important, and I am an important representative of that, right? So if I don't do it and everybody says, 'Well, Jill never takes \[paid time off\] but she tells us to do it. But does she really mean that? Because she's not taking it.'"

Employees sometimes scoff at the wellness programs companies put out as an attempt to keep people healthy. "Most 'corporate' solutions — use this app! attend this webinar! — felt juvenile and unhelpful," Eden says. And it does seem like many solutions fall into the same quick-fix category as home improvement hacks or dump dinner recipes.

Christina Maslach's scholarly work attributed work stress to six main sources: workload, values, reward, control, fairness, and community. "If any are lacking or out of sync, you may be headed toward exhaustion, cynicism, and the feeling of being ineffective," said this article presenting a two-minute burnout assessment tool.

An even quicker assessment is promised by the Matches Measure from Cindy Muir Zapata. "The graphic she offered in her paper is a six-point and eight-point spectrum of matches, from unlit, to singed, to burned, to disintegrated," read an article on HR Dive. A worker looks at the layout of matches and picks the one that shows how burned out they feel.

But Campbell has an idea for how to handle wellness better: "So my first and strongest recommendation to everyone is this: psychotherapy."

"Professionals will help a lot more than any quick hack to keep you running for another few weeks — therapy allows you to vent out what's building up, gain insight on your own status and choices, and plan for future burnout occurrences," he adds. "It doesn't make everything magically better, but you learn the tools to keep treading water, then tools to swim against counterproductive currents, and more."

"The time to start learning and building the tool sets is before the burnout hits, or at least before it becomes a true crisis," he adds.

**Hope in a Hopeless Place**

If worse comes to worst, and burnout hits, the van Dam article found hope in the study of disaster survivors. No matter how awful the disastrous events they went through, people tend to perceive some good coming from their trauma. This post-traumatic growth falls into three categories of benefits: changes in self-perception, in relationships, and in life philosophy.

The article built on that to posit post-burnout growth as well. "Many former burnout patients report that they have learned from their burnout and that their life is better now than before their burnout," Campbell explains. "They know better who they are and what is important to them in life; they spend more time with their friends and families; and they changed their priorities. Many former burnout patients allow themselves to enjoy life more and to be happy."

And again, he has some advice, particularly for the neurodivergent people: hack your needs to make yourself comfortable. "There are a thousand ways to optimize your own senses, and it's something we as a culture often fail at. Whether you're neurodivergent, neurotypical, or something else entirely — find the best sensory augments that allow you to work, and the better we'll all be protecting, hacking, investigating, hunting, and more."

Defining &amp; Defying Cybersecurity Staff Burnout

From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.

In 2024, we at Dark Reading covered a variety of attacks, exploits, and, of course, vulnerabilities across the board. Here, we recount 10 emerging threats organizations should be prepared for — as detailed by Dr. Jason Clark in "10 Emerging Vulnerabilities Every Enterprise Should Know," a Dark Reading webinar — as they continuously rise and develop in 2025.

**Zero-Day Exploits**

Zero-days and their increase in volume across the cybersecurity landscape is a particularly concerning trend, as there is no patch for these bugs when they're discovered. Attackers are also able to exploit systems using these vulnerabilities undetected, as safeguards have not been put in place by organizations or enterprises yet.

High-profile zero-day vulnerabilities include Log4Shell, tracked as CVE-2021-44228, a critical RCE bug within Log4j's Java Naming and Directory Interface (JNDI). By exploiting the vulnerability, attackers were able to easily take control of vulnerable systems, a considerable threat as Log4j is used in nearly every Java application.

Other vulnerabilities include PrintNightmare and Proxyshell, both remote execution flaws that were exploited quickly and widely, according to Clark.

"The rise in zero-day exploits is partly driven by just more sophisticated threat actors," Clark said in the Dark Reading webinar. "This can include things like nation-states and also using them in targeted attacks."

Chad Graham, cyber incident response team (CIRT) manager at Critical Start, however, believes that advancements with AI will change the landscape in 2025.

"Both attackers and defenders will rely on AI-driven tools to automate the search for hidden software flaws," Graham says. "This shift will likely result in a more dynamic cybersecurity landscape, where continuous innovation and adaptation become the norm."

**Supply Chain Attacks**

Supply chain attacks remain an active threat and tend toward the severe as their impact cascades on to multiple parties: customers, suppliers, and other third parties. Attackers exploit a trusted resource and ultimately gain access to not just one organization, but multiple. These kinds of threats remain concerning as organizations depend more and more on outsourcing services.

The best known example is the SolarWinds breach, which impacted the SolarWinds Orion system, at the hands of a group known as Nobelium. More than 30,000 organizations — including state and federal agencies — used the Orion network management system, resulting in the backdoor malware compromising thousands of data, network, and systems.

Tracked as CVE-2020-10148 with a CVSS score of 9.8, the authentication bypass bug allowed an unauthenticated attacker to execute API commands. The attackers in question were advanced persistent threat (APT) actors who infiltrated into the SolarWinds’ supply chain to insert a backdoor.

"The complexity of modern supply chains makes it challenging to secure all the dependencies," Clark said in the webinar. "This underscores the need for rigorous third-party risk management."

In the year ahead, Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, believes that there will be a sharpened focus on supply chains and third-party risk management.

"The CrowdStrike incident wasn't just a wake-up call — it was a stark reminder that in our interconnected ecosystem, one weak link can trigger a catastrophic chain reaction," Simberkoff says.

**Remote Work Infrastructure Exploits**

Since 2020 and the COVID-19 pandemic, organizations have leaned into remote and hybrid work offerings, increasing the risk of cybersecurity threats and becoming a significant concern. Attackers focus on vulnerabilities that allow users to engage in remote work such as VPNs, remote desktop protocols (RDPs), and phishing attacks through platforms such as Zoom and Microsoft Teams.

There have been several notable incidents in which VPNs and RDPs were leveraged, allowing threat actors to gain access to enterprise systems and networks. In addition, remote workers are often operating from less secure environments, causing an uptick in phishing attacks as the threat actors try to take advantage of these blind spots.

"The shift to remote work has expanded the overall attack surface, Clark said in the webinar. "Remote workers often need more security controls than those that are working \[onsite\], which can lead to significant vulnerabilities."

Recent examples of vulnerabilities remote and hybrid work vulnerabilities include CVE-2024-38199, a remote code execution vulnerability (RCE) in the Windows or Line Printer Deamon (LPD) Service, and CVE-2024-21433, a Windows Print Spooler elevation of privilege vulnerability.

"Remote work infrastructure will continue to be a prime target for cybercriminals in 2025, with an increase in sophisticated attacks on cloud services, VPNs, and collaboration tools," says Stephen Kowski, field CTO at SlashNext Email Security+. "We'll likely see more AI-powered threats designed to bypass traditional security measures, exploiting vulnerabilities in interconnected devices and home networks."

**Exploitation of AI and Machine Learning Systems**

With the rise of AI and its increasing use amid the public, comes widespread risk of exploitation from attackers. Clark noted of adversarial attacks, data poisoning, and model inversion attacks that are at the forefront of emerging threats for AI and machine learning (ML) systems in particular. 

The nature of some ML systems requires feeding a system information for the best results, the system becoming more familiar with the user over time. When attacks target these systems, it can lead to unauthorized access to sensitive data stored and processed within these tools, as well as incorrect predictions or biased decisions.

"AI models will be key areas of exploitation in 2025," says Rom Carmel, co-founder and CEO at Apono. "As AI and machine learning become integral to identity verification systems, attackers will find ways to poison AI models or bypass them."

AI can also simply be manipulated for malicious ends, as seen when an AI deepfake robocall was created to impersonate US President Joe Biden to encourage individuals not to vote in the New Hampshire's Democratic primary, an event that could have had severe consequences on the US electoral process.

"The threat landscape is evolving with the rapid adoption of AI and ML," Clark said in the webinar. "Attackers increasingly focus on these systems to undermine their reliability and exploit vulnerability."

**Cloud Misconfigurations**

As organizations continue to shift their operations to the cloud, it will continue to emerge as a space for threat actors to thrive, often due to the cloud simply not being set up correctly.

Common examples of threats that circulate within the cloud are publicly accessible S3 buckets, misconfigured security groups in AWS, and exposed databases.

"Cloud misconfigurations can have severe impacts related to data breaches, unauthorized access to critical systems, financial loss, and reputational damage," Clark said. He added that the complexity of these environments is going to increase leading to more frequent configuration errors.

In the past, Amazon and Microsoft cloud environments have exposed customer data, such as viewing habits, names, email addresses, email content, and phone numbers. The leaks aren't due to vulnerabilities but misconfigurations ranging from insecure read-and-write permissions to inaccurate access lists and misconfigured policies.

"To successfully prevent cloud breaches in 2025, companies need to focus on three key areas: visibility, access control, and continuous monitoring," says Jason Soroko, senior fellow at Sectigo. "Cloud environments are dynamic, so your security needs to be dynamic too."

**IoT Device Vulnerabilities**

IoT devices are allowing for emerging threats to thrive, being easy targets for threat actors to exploit, whether it be due to weak default passwords, lack of encryption, or insecure firmware.

Common attacks that IoT devices face are data theft, network breaches, and distributed denial-of-service (DDoS) attacks. A recent example emerged in the Common Unix Printing System (CUPS) for managing printers and print jobs. The series of vulnerabilities, tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 could allow bad actors to stage DDoS attacks within seconds for less than 1 cent while using an available cloud platform.

"Just the sheer volume of connected devices really exacerbates the threat," Clark noted in the webinar. "Securing these devices becomes really challenging due to their diversity and often limited processing power for adding security features."

And as the use of IoT, OT, and 5G networks continues to rise, organizations will need cyber threat intelligence (CTI) to extend beyond traditional IT environments, says Callie Guenther, senior manager, cyber threat research at Critical Start. "This expansion, which will continue throughout 2025, will add complexity to CTI, requiring more granular insights and specific intelligence data."

**Cryptographic Weaknesses**

According to Clark, cryptographic weaknesses continue to pose a significant threat because these kinds of vulnerabilities undermine the foundation of secure communication and data protection. These weaknesses often manifest in one of two ways: flaws in encryption algorithms, or how the algorithms are implemented.

"The rising threat is kind of compounded by the fact that as computational capability advances, that previously secure crypto standard now becomes increasingly more vulnerable," Clark said in the webinar.

He recommended regularly updating cryptographic libraries, and enforcing strong encryption protocols to avoid exploitation attempts like man-in-the middle attacks, data integrity issues, and the exposed sensitive information.

Just recently, Acros Security discovered a vulnerability, similar to CVE-2024-38030, that enables an attack in which a vulnerable device is coerced into sending NTLM hashes, which is the cryptographic version of a user's password, to a threat actor.

"We have never before required from \[cloud service providers\] such granular and detailed information on the type of encryption in use, but customers (government and non-government customers alike) will require this level of detail to ensure their encryption standards are being met," says Philip George, executive technical strategist at InfoSec Global Federal.

**API Security Gaps**

More organizations are relying on APIs to connect systems; however, these APIs are at risk when they have flaws in the design or the implementation of the APIs. Attackers are able to breach systems through unauthorized access, allowing them to manipulate certain restricted actions.

A notable example of this is the exposure of user data through Facebook’s API, though these flaws are also abundant in other sectors such as healthcare or financial services. 

Gaps in API security ultimately serve as a launchpad, often for data breaches which can lead to the loss of sensitive information, unauthorized transactions, reputational damage, and significant financial loss.

"The threat is escalating as API is becoming more prevalent, increasing the number of potential attack surfaces," Clark said. "To mitigate these risks, it's essential to secure your API endpoints, enforce robust authentication mechanisms, and regularly update and audit API access."

A Docusign API was recently used in a wide-scale phishing campaign due to its "API-friendly environment," which is beneficial for businesses but also provides a way for bad actors to conduct malicious operations. The flaw could ultimately could have led to instances of fraud, though there are ways for users to avoid and detect such API abuse.

In the coming year, the cyber landscape will continue to evolve, API being in the forefront of these changes.

"We anticipate a rise in sophisticated API attacks using automation, artificial intelligence, and advanced evasion techniques to exploit vulnerabilities and bypass traditional security measures," says Eric Schwake, director of cybersecurity strategy at Salt Security. "One significant risk will stem from the exploitation of API misconfigurations, which often occur due to the fast pace of development and deployment. This situation will challenge organizations to adopt a more proactive and comprehensive approach to API security."

**Ransomware Evolution**

"We could do a whole webinar on ransomware," Clark said in the webinar, which raises the question: Can ransomware even be considered an emerging threat? 

The answer is yes, though ransomware attacks have become one of the most disruptive and costly cyberattacks out there largely due to their rapid evolution.

One of the most notable ransomware attacks occurred on Colonial Pipeline, which shut down its entire operations for the first time, leading to fuel shortages and four states on the East Coast declaring a state of emergency. The ransomware attack prompted action from national security and the executive branch and forced a reevaluation of the nation's critical infrastructure security.

Threat actors know they can win big when demanding ransoms from organizations, such as those in the healthcare sector, which will pay these high prices in order to help patients in need.

"As these attacks are becoming more targeted and, frankly, aggressive, it's crucial to start to implement backup strategies that are robust, strengthen your overall incident response plans, and continuously educate your employees on recognizing and avoiding things like phishing attempts that can often serve as an entry point for ransomware," Clark said in the webinar.

Backups may not always be an option, according to Brandon Williams, chief technology officer at Conversant Group.

"Some threat actors have moved to deleting data as part of their normal motions," he says. "If this gains traction in 2025, organizations will not have a method to recover by simply paying a ransom and hoping to get a working decryption tool. The only method of recovery will be backups; however, data shows that backups do not typically survive these breaches."

**5G Network Vulnerabilities**

5G networks are being rapidly deployed, and with them come threat actors' awareness and exploitation of its vulnerabilities. Attackers are increasingly able to target 5G infrastructure with ease, and these open the door for even bigger threats such as large-scale DDoS attacks, unauthorized data access, and disruption of our critical services.

"As we consider the rising threat, the global rollout of 5G brings an increasing number of connected devices," Clark said in the webinar. "The rising number amplifies their attack risk, particularly given their reliance on cloud-native infrastructures."

At Black Hat 2024 in Las Vegas, seven Penn State University researchers detailed how mobile devices are at risk of data theft and denial of service due to 5G technology vulnerabilities. Threat actors use these resources simply by providing someone with an Internet connection, allowing easy access to spying, phishing, and more. 

"Vulnerabilities such as lack of initial broadcast message authentication, spectrum slicing, silent downgrade, and unsecured DNS paging currently affect 5G networks," says Mayuresh Dani, manager, security research, at Qualys Threat Research Unit. "In the year to come, these will continue affecting 5G networks and vulnerabilities in unsecured base stations will multiply snooping attacks."

Emerging Threats &amp; Vulnerabilities to Prepare for in 2025

As organizations on the continent expand their use of digital technologies, they increasingly face many of the same threats that entities in other regions have had to deal with for years.

Source: Golden Dayz via Shutterstock

Rising Internet adoption and digital transformation initiatives are exposing organizations in Africa to a growing range of cyber threats.

One manifestation of the trend is a steady increase in distributed denial-of-service (DDoS) attacks on organizations in a handful of North African countries — which also happen to be the ones with the highest Internet penetration rates in the region.

**Surge in DDoS Activity**

A recent analysis of threat activity data during the first half of 2024 by Netscout showed a 30% increase in DDoS attacks in the Middle East and Africa overall compared with the previous quarter. Countries that experienced the largest growth in DDoS attacks included Algeria, Morocco, Tunisia, and Egypt.

Morocco, which has a 90% Internet penetration rate, reported 61,000 DDoS attacks during the first half of 2024, which was the highest number of DDoS attacks in the region during the period. A plurality of the attacks — 16,461 — targeted wireless telecom producers in the region; more than 6,000 were directed at wired telecom companies; and the rest affected organizations across multiple industry sectors.

Organizations in Egypt, another country in the region with a high Internet penetration rate, collectively experienced some 45,108 DDoS attacks in the first half of the year, with wired telecom carriers being the most frequently targeted entities, followed by wireless carriers and educational institutions. Netscout found some of the highest bandwidth attacks during the time period in Egypt, with the biggest one clocking in at a hefty 332.96 Gbit/s.

Related:China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

The story with Tunisia, which experienced 4,511 DDoS attacks in the first six months, was similar in terms of victimology: most victims were wired or wireless telecom providers. However, Netscout found threat actors deploying a larger number of DDoS attacks against Tunisian organizations than organizations in other countries. The largest such attack type involved a startling 27 vectors, including Apple Remote Management Service, Connection-less Lightweight Directory Access Protocol (CLDAP) , Constrained Application Protocol (COAP), and Domain Name System (DNS) amplification techniques for significantly increasing the power of an attack.

**Geopolitical Tensions, "Online-Ness" Drive Cyber Activity**

"These attacks can be attributed in part to businesses in countries such as Morocco, Tunisia, Egypt, Libya, and Algeria increasing their online presence over the past year," says Richard Hummel, director of threat intelligence at Netscout. "While digital transformation is generally a cause for celebration, unfortunately, it also means that more devices and services can be disrupted by attacks."

Related:'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

A larger attack surface, however, is not the only reason for the increased DDoS activity in Africa and the Middle East, Hummel says. "Geopolitical tensions in these regions are also fueling a surge in hacktivist activity as real-world political disputes spill over into the digital world," he says. "Unfortunately, hacktivists often target critical infrastructure like government services, utilities, and banks to cause maximum disruption."

And DDoS attacks are by no means the only manifestation of the new threats that organizations in Africa are having to contend with as they broaden their digital footprint.

**Growing Cyber-Espionage, Cybercrime Risks**

The Africa Center for Strategic Studies in a recent report assessed that the increasing spread of IT, communications, and related technologies in the region is rapidly amplifying and altering threats against organizations — and raising national security challenges in the process. The center, which is a US Department of Defense institution, expects that over the next few years organizations in Africa will have to contend with a many of the same cyber threats that entities in other regions of the world have had to contend with for years.

Related:IDF Has Rebuffed 3B Cyberattacks Since Oct. 7, Colonel Claims

One of them is cyber espionage. "Cyberspace has fundamentally changed the methods and means through which states gather information on one another and their citizens," the Africa Center report noted. "Though the most significant cyberespionage concerns in Africa have centered around China, espionage and surveillance capabilities are rapidly diffusing across the continent."

Attacks on critical infrastructure and financially motived attacks by organized crime are other looming concerns. In the center's assessment, Africa's government networks and networks belonging to the military, banking, and telecom sectors are all vulnerable to disruptive cyberattacks. Exacerbating the concern is the relatively high potential for cyber incidents resulting from negligence and accidents.

Organized crime gangs — the scourge of organizations in the US, Europe, and other parts of the world, present an emerging threat to organizations in Africa, the Center has assessed.  "Growing internet penetration rates in Africa has both led to new kinds of cyber-dependent criminal activities, such as business email compromise or romance scams, as well transformed the financing and market dynamics of more traditional organized crime networks." Supply chain attacks are another major and emerging concern, especially given the high reliance on foreign suppliers among organizations in Africa.

Agnidipta Sarkar, vice president and CISO advisory at ColorToken, says organizations in Africa are going to come under growing pressure to implement defenses against new cyber threats, even as they embark on their digital transformation journey.

"The ability to continue business operations, despite cyberattacks, will encourage investments in the region," he predicts. "Effectively reporting breaches will emerge as a highly sought-after capability for CISOs, especially \[for\] those who can."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DDoS Attacks Surge as Africa Expands Its Digital Footprint

Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-995c-qww8-64fj: Oqtane Framework Incorrect Access Control vulnerability

## Description

When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.

## Resolution
Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-3q97-vjpp-c8rp

**Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback**

High severity GitHub Reviewed Published Dec 20, 2024 in joelbutcher/socialstream • Updated Dec 20, 2024

**Package**

composer joelbutcher/socialstream (Composer)

**Affected versions**

< 6.2.0

**Description**

When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.

**Resolution**

Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account.

**References**

*   GHSA-3q97-vjpp-c8rp
*   joelbutcher/socialstream@ae4dc39

Published to the GitHub Advisory Database

Dec 20, 2024

Last updated

Dec 20, 2024

GHSA-3q97-vjpp-c8rp: Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback

During holidays and slow weeks, teams thin out and attackers move in. Here are strategies to bridge gaps, stay vigilant, and keep systems secure during those lulls.

Source: Anastasia Nelen via Unsplash

Experienced security leaders know that attackers are patient. 

Attackers can infiltrate corporate chat systems like Slack or Microsoft Teams and just ... watch. For months, they monitor conversations, learn who the experienced staff are, and take notes on upcoming vacation plans and each team member's communication style. Then when the company shifts to a skeleton crew — perhaps during a major holiday or summer break — they strike.

For one organization, this silent reconnaissance had devastating results, says Ed Skoudis, president of the SANS Institute and founder of Counter Hack. An attacker posed as a trusted colleague in a chat channel and tricked a junior employee into making critical configuration changes while many team members were on vacation. The employee, isolated and eager to help, had no reason to doubt someone who was inside the company's trusted environment. The attacker's patience, timing, and social engineering created a perfect storm — one that underscores the need for verification, vigilance, and better operational safeguards during periods of reduced staffing.

Whether it is the slow week between Christmas and New Year's Day in Western countries, the European summer break in August, or other periods during the year when large numbers of employees go on vacation, organizations with a global footprint must maintain cybersecurity continuity during regional slowdowns. Holidays like Lunar New Year in Asia and the Eid feast days in the Middle East often mean fewer workers overseeing critical operations. When part of the workforce scales down, attackers ramp up.

"This is a very hard problem," says Skoudis, noting that fewer people at the helm leaves organizations vulnerable to attack. Security leaders have the challenge of protecting their environments when half the security team is offline.

**Why Cybercriminals Like Holidays**

With remote workforces, companies have fewer touchpoints with employees. Add holidays to the mix, and security teams face a slew of potential risks during these times.

"Attackers go on crime sprees during the holidays," Skoudis says. "They know organizations are downscaling operations. Combine that with staff who may be junior, unfamiliar with procedures, or isolated, and you have an ideal time for attackers to strike."

Beyond direct threats, these slow periods also exacerbate operational gaps. Patching schedules, configuration monitoring, and incident response times can lag.

It's not just defense, says Chris Niggel, a regional CSO at Okta. It's about making sure operations continue to run smoothly when teams are short-staffed.

"The biggest challenge is making sure that your teams can maintain the service-level agreements and are able to react to threats quickly, even when the teams are smaller," Niggel says.

For example, the critical vulnerability in Log4j was discovered toward the end of December 2021, a time when many organizations were operating with minimal staff. Addressing the flaw required immediate and prompt action, and many businesses struggled to respond quickly enough. Attackers, well aware of the delays in response, seized the window of opportunity to exploit unpatched systems.

"Teams were already thin, but still had to react," Niggel says. "That's where having solid communication plans and fallback strategies is essential."

Niggel also notes that organizations that fared better during Log4j had prepared for such scenarios by implementing automated monitoring tools, preemptive patching plans, and clear escalation paths for when key personnel were unavailable. These measures ensured that vulnerabilities could be prioritized and addressed, even with a reduced workforce.

**Preparation Is Key to Bridging the Gaps**

By identifying risks, training employees, leveraging technology, and strategically distributing workloads, companies can create a safety net that protects both systems and operations. The key is not waiting until the last minute; preparations must be in place before staff members sign off.

Organizations can mitigate holiday risks with proactive strategies:

*   Create a plan in advance. Identify staffing levels and clearly outline escalation paths. "It's like Tetris blocks," Skoudis says. "You need to fill the hours, define decision-makers, and avoid leaving critical choices to the most junior staff."
    
*   Always verify. Train employees to verify requests for urgent actions, particularly during downtime. Skoudis recommends simple measures: callback phone numbers, video chats to confirm identity, and using photos in a corporate directory. Never trust a message at face value, he says. "You're looking to get more measures of verification that this person is who they say they are," he says.
    
*   Deploy technology and automation. Automate alerts and verifications to reduce human error. Niggel says Okta's method of notifying employees about unusual log-ins includes automation that allows security to focus on important signals. "If an employee logs in from a unique location, they'll get a message in Slack," he says. "If an employee is logging in from grandma's house, they can click yes to verify."
    
*   Freeze changes for critical systems. Code and configuration freezes during slow periods reduce operational risks. "A freeze requires extra effort to make changes," Skoudis says. "It prevents attackers and limits the chance of accidental mistakes."
    
*   Adopt a "follow-the-sun" model. Multinational organizations can distribute workloads across time zones. Mark Lance, head of DFIR at GuidePoint Security, suggests using teams in regions where holidays are not being observed. "It's about balance," he says. "When one region steps back, another steps up."
    

**Culture, Collaboration, and a Healthy Dose of Paranoia**

The human element is also critical to any security plan — even when fewer employees are on the clock. Lance says fostering collaboration and reducing isolation during skeleton crew periods is key to defense.

"Better decisions happen when you're not alone," Lance says.

Having escalation paths and ensuring junior employees know where to turn when something feels off can make all the difference. Niggel agrees, emphasizing the importance of properly training staff on how to handle these types of situations.

"Policies exist for a reason," he says. "Employees need to know they can fall back on established processes and ask for help."

Vigilance must remain high, no matter the season. Attackers don't take breaks — and neither should enterprise defenses. While companies can't always predict when an attack might occur, preparedness, verification, and smart staffing strategies help bridge security gaps when part of the team is off. As holiday seasons and global events come and go, staying one step ahead requires a mix of technology, planning, and teamwork.

"Always be suspicious," Skoudis says. "If something feels wrong, verify it. You might stop a disaster."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Tag

#acer