Building on its broad security portfolio, Microsoft's new exposure management is now available in the Microsoft Defender portal, with third-party-connectors on the way.

Source: Wavebreak Media ltd via Alamy Stock Photo

Microsoft is the latest big name to add continuous threat exposure management (CTEM) to its formidable security portfolio with the release of its new Microsoft Security Exposure Management offering. Microsoft made the announcement at its annual Microsoft Ignite conference this week.

Security experts describe CTEM, or proactive exposure management, as a programmatic and unified approach to detecting and mitigating threats. Gartner predicts that by 2026, organizations that embrace CTEM will see two-thirds fewer breaches.

Enterprise Strategy Group principal analyst Tyler Shields describes exposure management as the next iteration of vulnerability management.

"It's centered on the overlap of continuous asset discovery and management, threat and exposure analysis, and vulnerability discovery," Shields says. "If you can understand the assets you have, the state they are in, the vulnerabilities that exist, and the active threats against them, you are all prepared to secure your environment."

Microsoft initially introduced Security Exposure Management in March as a technical preview. It is now available in the Microsoft Defender portal, included with its E5 licenses, and as an option for various other Microsoft 365 licenses.

**Unified Views of Attack Surfaces**

With its entry, Microsoft seeks to enable defenders to prevent successful attacks by providing comprehensive and unified views of their organizations' broad attack surfaces, allowing them to take a more proactive approach to identifying and mitigating threats.

"Exposure management is critical for enabling teams to understand the posture of the organization, and it helps security teams see all the potential attack paths to critical assets as if they were looking through it, through the eyes of the attacker," said Vasu Jakkal, Microsoft's corporate VP for compliance, identity management, during the opening session at Ignite, which took place in Chicago.

The tooling is designed to identify attack paths and evaluate vulnerabilities in the context of an organization's critical assets in a more proactive and expansive manner than traditional vulnerability and threat detection offerings. Security Exposure Management uses Microsoft's new exposure graph APIs to identify attack paths and evaluate vulnerabilities in the context of critical assets.

Analysts say Microsoft's entry is poised to reshape the competitive environment of exposure management solutions offered by Cisco/Splunk, CrowdStrike, Palo Alto Networks Rapid7, Tenable, Trend Micro, and Wiz, as well as various others that provide more specialized capabilities.

"Exposure management is becoming an incredibly competitive market, and Microsoft is demonstrating that it wants to be a leader in this space," says Omdia principal analyst Andrew Braunberg.

Adds Forrester senior analyst Erik Nost, since Microsoft is initially allowing access to exposure management through a variety of licensing options, customers will have widespread access to insights.

"The data Microsoft possesses on existing customer environments without needing to ingest third-party data is the biggest opportunity for Microsoft to set it apart from competitors," Nost says. "Microsoft is building a platform that integrates a very broad set of security posture management telemetry."

**Building an Ecosystem of External Connections**

While the initial release is available and included with various Microsoft 365 and Microsoft Defender licenses and will ingest telemetry from those offerings, Microsoft announced it will enable integration with competing external third-party tools, including Qualys, Rapid7, Tenable, and ServiceNow's CMDB.

Microsoft released public preview versions of its third-party connectors, slated to become generally available next quarter.

Unlike Microsoft telemetry, which customers can ingest at no additional cost, they will incur charges to gather data from external sources, said Microsoft product director Brjann Brekkan, during a session on security exposure management at Ignite.

"We don't own that data," Brekkan explained. "We need to charge a little bit of cost to bring that third-party signal in, to attach those new data points from those services as well. But this is there for you to unify your data."

Security Exposure Management collects data through these connectors and normalizes it through its exposure graph, which maps relationships and exposes new attack paths. In a blog post, Brekkan said this provides "comprehensive attack surface visibility."

Microsoft exposure management also provides insights on the most critical assets, Internet exposure, and context related to business applications incorporated from the connected tools. Customers can view the integrated data, which can be visualized through the Attack Map tool or analyzed using advanced hunting queries via KQL (Kusto Query Language), Microsoft's Azure-based tool designed to identify anomalies in large data sets.

The offering now consists of three primary tools:

*   Attack Surface Management: Defenders have access to continuous views of their organization's attack surface. Notably, the tool identifies the most critical assets and those that are the prime targets of attackers
    
*   Attack Path Analysis: Security teams can visualize and prioritize high-risk attack paths, particularly those targeting those critical assets
    
*   Unified Exposure Insights: Administrators can view their organization's threat exposure, allowing them to prioritize risks and tie remediation priorities with business imperatives.
    

Omdia's Braunberg says it remains to be seen how many customers will build their exposure management strategies around Microsoft's offering, it is likely many will evaluate it, especially considering its potentially low cost.

"As per Microsoft's usual playbook, exposure management is attractive because it pulls together a lot of existing Microsoft functionality into an integrated solution with small incremental costs," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Highlights Security Exposure Management at Ignite

PRESS RELEASE

AUCKLAND, New Zealand and READING, UK – November 19, 2024 – Endace, the world leader in packet capture, announces the formation of a new company in the Kingdom of Saudi Arabia to continue expansion in the Middle East, further demonstrating Endace’s commitment to the Middle East Region.

Having successfully deployed a number of very large infrastructure projects in the Kingdom of Saudi Arabia (KSA) and the United Arab Emirates, Endace is expanding its footprint in the region with the establishment of a new Middle East Regional Headquarters – Endace Arabia LLC – located in Riyadh, Kingdom of Saudi Arabia. Endace will build a local team to assist customers in the Middle East to secure their mission critical networks by leveraging Endace’s Always-On packet capture.

“This is an extremely significant market,” says Endace CEO, Stuart Wilson. “Endace products are already deployed in mission-critical networks across the Globe to secure critical infrastructure against cyberattacks. With our close partnership with StarLink we are uncovering strong growth opportunities for Endace capabilities in Defense, Government, Critical Infrastructure and Enterprise across the Middle East region.”

“It’s encouraging to see organizations in the Middle East recognizing the critical importance of cybersecurity and prioritizing investments to implement the foundations of robust cyber defense for critical infrastructure. They are not only adopting but in many cases actually defining global best practice,” Wilson says.  “StarLink has proven to be a fantastic partner in the region, providing local expertise and broad reach in promoting the adoption of Endace technology.”

“StarLink and Endace have been collaborating strategically in Saudi from the very first project.  With Endace now incorporated and expanding its local team, we can jointly provide this critical technology for cyber defense to a much wider set of customers across the region.  We are looking forward to a closer and stronger collaboration,” says Mohammad Abou Okdeh, Regional Director for KSA at StarLink Saudi Arabia.

About Endace

Endace’s scalable, always-on packet capture gives Network Operations and Security teams the deep visibility they need for fast, accurate incident investigation with rich forensic evidence at their fingertips from all their tools. EndaceProbes provide enterprise-class packet sniffing in on-prem, public and private cloud environments, with rapid, centralized search and one-click access to full pcap data from leading security and performance solutions (including Palo Alto Networks, Fortinet, Cisco, Splunk, Elastic, and many others). Analyze network traffic using a single, unified console across all on-premise, private, or public cloud infrastructure for total hybrid cloud visibility.  Capture every packet. See every threat. www.endace.com

Endace Establishes Middle East Regional Headquarters in Saudi Arabia

Starting in 2025, the RSAC Innovation Sandbox Top 10 Finalists will each receive a $5 million investment to drive cybersecurity innovation.

SAN FRANCISCO, Nov. 21, 2024 /PRNewswire/ -- RSA Conference™, the world's leading cybersecurity conferences and expositions, today announced that starting in April 2025, the Top 10 Finalists in the RSAC Innovation Sandbox (ISB) contest will receive financing to help them further accelerate innovation to fight the next generation of cybersecurity threats. The investment program will provide these startups with additional capital to deliver solutions that help organizations defend against the increasing volume and complexity of cybersecurity attacks.

The RSAC™ ISB contest, celebrating its 20th anniversary in 2025, has become the world's premier showcase for the cybersecurity startup community. Some of the most successful cybersecurity innovators have competed in the RSAC ISB contest in order to highlight their game-changing ideas that have disrupted the cybersecurity industry. The contest has grown to receive roughly 150 applicants annually, forming an important source of innovation and ideation that has been essential in addressing ever-changing cybersecurity challenges. More than 750 investors, cybersecurity leaders, entrepreneurs and members of the media join the packed audience to watch the ISB event live.

The RSAC ISB contest has become a preeminent platform within the cybersecurity community, providing increased visibility and awareness to the Top 10 Finalists each year. Since the RSAC ISB contest's inception, companies named as Top 10 Finalists have collectively raised over $16.4 billion\* in investments and been involved in over 90 merger and acquisition transactions. Each year, a panel of independent judges selects the Top 10 Finalists after reviewing the applicants' submissions. At RSA Conference in San Francisco, each Top 10 Finalist presents an overview of their business, and a winner is selected by an independent panel of judges drawn from the cybersecurity community. Starting in 2025, the Top 10 Finalists will each receive a $5 million uncapped Simple Agreement for Future Equity (SAFE) investment, provided by affiliates of Crosspoint Capital Partners.

"Attackers are constantly adapting and changing their tradecraft. Continuous innovation from cybersecurity startups is essential to global cyber defense," said Dr. Hugh Thompson, Executive Chairman and long-serving program chair of RSA Conference, and Managing Partner of Crosspoint Capital Partners. "Historically, the RSAC Innovation Sandbox competition has anointed winners in cybersecurity long before they became winners in the marketplace. We are excited to introduce simplified, founder-friendly financing for the companies selected by the independent and neutral process of the RSAC Innovation Sandbox to further fuel cybersecurity innovation."

For many industry-leading cybersecurity companies, the ISB platform has been an important part of their journey. "When Wiz participated in the RSAC Innovation Sandbox contest in 2021, we were a young company in an emerging cybersecurity category," said Anthony Belfiore, Chief Security and Strategy Officer of Wiz. "The exposure that we received from the ISB platform and RSA Conference helped us attract more customers earlier in our journey. This was extremely helpful for us. This new investment program is a game-changer."

The investment program is delivered as an uncapped SAFE, which provides an immediate capital infusion while maintaining future fundraising flexibility. "Post Series A investment, subsequent rounds have trended to be larger with multiple investors. A valued security investor like Crosspoint Capital with the deep operational experience of their founding partners would be welcomed into the cap table," said Theresia Gouw, co-founding partner, Acrew Capital.

In addition to the investment capital, RSAC is also developing a new forum, the RSAC Founders Circle, to provide past and present ISB Top 10 Finalists with additional exposure, coaching, mentorship, and connections with the CISO community. This initiative will also serve as a powerful alumni network for these distinguished entrepreneurs. Multiple ISB finalists have gone on to become standalone public companies while others become attractive acquisitions for platform assets. These previous Top 10 Finalists include leading cybersecurity innovators such as: Wiz, Imperva, SentinelOne, Talon Cyber Security, Phantom Cyber, and Hidden Layer.

Additional details on the RSAC ISB submission process for qualifying candidates will be made available in January 2025.

RSAC's Commitment to the Cybersecurity Community

RSAC has a heritage of supporting important investments for the community through former and existing programs, including the RSAC Innovation Sandbox, RSAC Security Scholar, child online safety, College Day, community philanthropic activities during the Conference and Conference scholarships to underrepresented communities through its vast network of partners. A portion of the returns received from the investments made in the Top 10 Finalists will be used by RSAC to support the cybersecurity community.

\*Indicates latest numbers according to Crunchbase

Additional Quotes: 

Nasrin Rezai, SVP and Chief Information Security Officer, Verizon – RSAC Innovation Sandbox Judge

"CISOs like me who are constantly trying to sort through the barrage of new cybersecurity entrants are always looking for a signal on who to spend time with and which solutions to try," said Nasrin Rezai, SVP and Chief Information Security Officer, Verizon and returning ISB judge. "The rigorous process of picking these Top 10 Finalists creates a signal to the market of who to pay attention to."

Dean Sysman, Co-Founder and CEO, Axonius – RSAC 2019 Innovation Sandbox Winner 

"One of the best things you want to achieve as a startup in the cybersecurity world is to be a part of the RSAC Innovation Sandbox contest," said Dean Sysman, Co-Founder and CEO, Axonius. "RSA Conference is the most important place where cybersecurity business, ideas, and products get introduced, talked about, and reviewed. The recognition and validation that winning ISB provides coming from that esteemed judging panel was instrumental in people trusting that we would follow through in what we promised we would do for them. There is nothing to lose by applying. Winning it sets you apart in a very differentiated and unique way while pushing the industry to look at you in a new light."

Rehan Jalil, CEO, Securiti AI – RSAC 2020 Innovation Sandbox Winner

"Making it into the RSAC ISB Top 10 and then winning the contest sends a very strong signal to not only the venture capitalists but the industry at large. The panel of judges for the ISB competition is very diverse, and they each evaluate startups with a different lens, which ultimately helps you as a company be judged more holistically. Winning ISB put us on the map, boosting our brand and increasing customer engagement. Whether you raise money before the contest or after, you get community interest in potentially making a jump to the next stage once you make it into the Top 10," said Rehan Jalil, CEO of Securiti AI, RSAC 2020 Innovation Sandbox Winner.

Oliver Friedrichs, Founder and CEO, Pangea and Founder and CEO, Phantom Cyber – RSAC 2023 Innovation Sandbox Finalist and RSAC 2016 Innovation Sandbox Winner

"Being a Finalist puts you on the map and separates you from the pack," said Oliver Friedrichs, Founder and CEO of Pangea, RSA Conference 2023 Innovation Sandbox Finalist and Founder and CEO of Phantom Cyber, RSAC 2016 Innovation Sandbox Winner. "If you're a new, relatively unknown entity, it's a great way to launch your company on the big stage. The attention you get being a Top 10 Finalist attracts venture capitalists, strategic investors, and enterprise customers who are all trying to understand what these new companies are doing and how they can help me. This new investment program for the Top 10 Finalists is a testament to the quality and potential of these companies. This added funding provides an even greater long-term financial impact for these startups and further extends their runway." 

Dave Chen, co-head of Global Technology Investment Banking at Morgan Stanley – RSAC Innovation Sandbox Judge

"Several of the companies that have been selected to the ISB Top 10 have gone on to become juggernauts in cybersecurity. The Innovation Sandbox competition is where some of the biggest stories in cybersecurity begin," said Dave Chen, co-head of Global Technology Investment Banking at Morgan Stanley. "I'm honored to be a judge for the 2025 contest."

Ben Colman, Co-Founder and CEO, Reality Defender – RSAC 2024 Innovation Sandbox Winner 

"For over a year, we had board members, investors, and clients encourage us to apply to the Innovation Sandbox contest," said Ben Colman, Co-Founder and CEO of Reality Defender and winner of the RSA Conference 2024 Innovation Sandbox contest. "We applied with no expectations, made it to the Top 10, and quickly realized our fellow Finalists were almost all pure play cybersecurity companies — something we thought was our disadvantage as a cybersecurity company focused on AI, but ultimately proved to be why we won. Awarding future winners with an uncapped SAFE note now makes applying to RSAC Innovation Sandbox a truly game-changing proposition."

Paul Kocher, Independent Researcher, Investor and Marconi Prize winner – RSAC Innovation Sandbox Judge

"The Innovation Sandbox contest is a fantastic event and terrific driver for bringing new technology to market — and for entrepreneurs it's an opportunity to present to the ideal audience," said Paul Kocher, RSAC ISB Judge, Investor, Independent Researcher and Marconi Prize winner. "I've served as a judge for most of the contest's 20 years, and have seen first hand how it raises Finalists' profiles, helping start-ups build enthusiasm with customers, investors, and new hires. Although the strong field of applicants makes the selection process challenging, I appreciate the Conference and judges' commitment to ensuring the neutrality and independence of the evaluation and selection process."

About RSA Conference

RSA Conference™ is the premier series of global events and year-round learning for the cybersecurity community. RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content, and ideas that help enable individuals and companies advance their cybersecurity posture and build stronger and smarter teams. Both in-person and online, RSAC brings the cybersecurity industry together and empowers the collective "we" to stand against cyberthreats around the world. RSAC is the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today. For the most up-to-date news pertaining to the cybersecurity industry visit www.rsaconference.com. Where the world talks security.

RSA Conference 2025 Innovation Sandbox Contest Celebrates 20th Anniversary

PRESS RELEASE

SAN FRANCISCO, Nov. 21, 2024 /PRNewswire/ -- VISO TRUST, a leader in AI-powered third-party risk management (TPRM), today announced the closing of its latest funding round of $7M in additional funding, bringing the total raised to $24M, with participation from both existing investors, Bain Capital Ventures, Work-Bench, Sierra Ventures, and Lytical Ventures, and new investors, Allstate Strategic Ventures, Cisco Investments, EnvisionX Capital, and Scale Asia Ventures.

This funding will further VISO TRUST's mission to transform TPRM through an adaptive AI-driven platform, bringing enhanced security intelligence and seamless third-party risk management to enterprises worldwide.

Enhancing Third-Party Risk Management with Integrated Security Intelligence

VISO TRUST's AI-powered platform delivers real-time, evidence-based assessments by intelligently collecting, analyzing, and continuously monitoring artifacts from vendors. This approach removes friction for vendors, eliminates the manual analysis burden for TPRM professionals, and enables comprehensive, high-quality assessments. The platform analyzes control presence, testing methodologies, exceptions, Nth-party references, and more, allowing security teams to focus on strategic initiatives.

VISO TRUST's AI-driven automation platform has become the industry benchmark for third-party risk management for industry leaders like Upwork, Instacart, Notion, and Bain Capital. By leveraging intelligent automation, VISO TRUST reduces vendor assessment and onboarding time by up to 90%, cutting TPRM hours to mere minutes per vendor and enabling enterprises to achieve comprehensive risk management at scale. With rapid assessments completed in just 5-7 days and a remarkable 98% vendor adoption rate, the platform empowers organizations to make informed, proactive risk decisions.

Paul Valente, CEO of VISO TRUST, commented on the funding round:

"We're excited to assemble a set of complementary and deep tech investors to advance our mission of transforming third-party risk management. This funding will enable us to accelerate the innovation of our platform, creating a robust ecosystem that integrates security intelligence and aligns with today's complex business workflows."

An investment in Next-Generation Monitoring and Response

VISO TRUST is at the forefront of next-generation monitoring, aggregating and analyzing diverse sources of vendor intelligence, including breach advisories, Software Bill of Materials (SBOM), and SEC filings. The platform provides real-time insights, enabling teams to make data-driven decisions, respond swiftly to emerging threats, and maintain continuous compliance, offering a distinct advantage in managing evolving cyber risks across the cloud-first, AI-driven enterprise landscape. This funding round will allow VISO TRUST to scale its unique artifact-based platform, creating an adaptable AI governance framework focused on real risk reduction.

"VISO TRUST's platform reshapes governance, risk, and compliance, enabling organizations to streamline vendor risk assessments and manage evolving cyber risks with agility in an increasingly complex digital landscape leveraging AI," said Janey Hoe, vice president, Cisco Investments. "As part of Cisco's AI Fund, we are excited to help accelerate VISO TRUST's mission to enhance security intelligence and real-time monitoring capabilities for enterprises worldwide."

VISO TRUST continues to build a future in governance, risk, and compliance where AI not only strengthens security but empowers organizations to navigate the dynamic and high-stakes digital landscape with resilience and precision.

About VISO TRUST

VISO TRUST is an AI-driven third-party risk management platform transforming traditional vendor risk assessments through automation and acceleration. Our platform provides continuous monitoring, risk remediation, Nth-party intelligence, and seamless workflow integrations, serving a global customer base across sectors like financial services, healthcare, and technology. VISO TRUST helps organizations mitigate the risks of vendor relationships at scale.

For more information, visit www.visotrust.com or contact \[email protected\].

VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

The Threat Source Newsletter is back! William Largent discusses bidirectional communication in the SOC, and highlights new Talos research including the discovery of PXA Stealers.

Thursday, November 21, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

Bidirectional communication is foundational to a well-built team regardless of environment. It’s critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of the most difficult challenges that cyber security teams face is making sure that everyone that is in a decision-making space is aware of the highly technical challenges that the evolving threat landscape dictates. Navigating the challenges that come in continually evolving the team and it’s tools to defend is often a much greater challenge. I’m going to help you with those conversations. In both directions. By talking about drumming. I know, I don’t have the pro wrestling takes that Jon came to the table with, so you’re going to have to run with me Constant Reader.  

I’m going to choose drumming to outline an easy way to identify some complex issues and talk about them in both directions and drumming is a little easier to identify for non-musicians and FAR less contentious than a spicy guitar opinion. Ok, so let’s start with a simple concept.  

 Sounds difficult. Is difficult.    
Sounds difficult. Is easy.   
Sounds easy. Is difficult.     
Sounds easy. Is easy.  

 Sounds difficult. Is difficult. This one is easy – Tomas Haake from Meshuggah playing Bleed is a perfect example. Polyrhythms, stamina, speed, interdependence, and complexity. This sounds difficult. It is difficult. Only the criminally insane attempt to learn how to play this song.  

Sounds easy. Is easy. Take Phil Rudd and pick any AC/DC song from Back in Black. The perfect example of sounds easy, is easy. Perfectly in the pocket.  

Sounds easy. Is difficult. This one is harder and will cause someone to wellackshully and I assure you I do not care. I’m going to give two examples, Jeff Porcaro of Toto playing Rosanna and Vinnie Colaiuta playing Seven Days with Sting. Both of these songs are immensely easy to listen to and don’t seem like there’s anything challenging going on. Until you try to play along, then you cry and examine all the choices you’ve made in life.  

Sounds difficult. Is easy. This is going to be a sticky situation, but I’d say that you could throw on anything by Travis Barker and Dave Lombardo. Bring it haters. I’m not saying that they are bad drummers – simply that what they do sounds more difficult than it is.  

Ok William, but how does this help me at all?  

When you have information security meetings with people in your organization take a second as you look at the agenda, and your conversation in specific, and think about the groupings above and determine what kind of drumming you are hearing. Depending on your environment and team the topics will fall naturally into these categories – it can be patch and vulnerability management,  EOL devices that need to be replaced, endpoint detection and response, deciding what traffic is actionable and defining that in your SIEM, forensic analysis, threat hunting, event response, the conversations are as malleable as the threat landscape.  

It’s easy to isolate the things in your environment that are very difficult to defend AND take a skilled defender and complex tooling to defend. Those conversations flow with either junior analysts or C-Level executives. This is the “Sounds difficult. Is difficult.” type of conversation. Ditto the “Sounds easy. Is easy.” conversations are easy to have in either direction. The most difficult topics to convey fall into the “Sounds difficult. Is easy.” or “Sounds easy. Is difficult.” In my experience these conversations are usually much easier to deliver in one direction and much more difficult in the other. Jazz guys enjoy the nuance of Colaiuta and can’t wrap their minds around Lombardo while metalheads love him and don’t want to be bothered by ghost notes. By taking a moment to dissect your topic and determine where you are going to run into the “Sounds difficult. Is easy.” or the “Sounds easy. Is difficult.” situation it will allow you to prepare for those more challenging conversations so that you can craft a narrative to best capture the nuance that might be lost in a highly technical conversation with a C-Level exec, or the motivation for waiting for the next financial quarter for new tooling that the analysts really need.  

I’m not going to lie - you can prepare this way and things can still fall on deaf ears, they can still underestimate the lift required because people are fallible but if you prepare just a bit and know your audience you can drag your C-Level into a discussion on polyrhythm and pull your junior analyst up with a little Vinnie Colaiuta and make them all feel like Phil Rudd.   

**The one big thing **

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. PXA Stealer targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer also has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. 

**Why do I care? **

Harvested credentials can allow attackers direct access to your environment without the need to exploit vulnerabilities or face any of your defensive architecture – they can just log in. Cisco Talos Incident Response has observed an increasing number of engagements where this is the case.  

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against PXA Stealer.   

**Top security headlines of the week **

Attackers are continuing to upload hundreds of malicious packages to the open-source node package manager (NPM) repository in an attempt to infect the devices of developers that rely on these libraries. (Ars Tecnica) 

Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it's director Jen Easterly will step down from her position on President-elect Donald Trump's Inauguration Day. (Dark Reading) 

Palo Alto Networks has released a patch to fix a critical vulnerability in some instances of its firewall management interfaces. PAN observed threat activity exploiting an unauthenticated remote command execution vulnerability against firewall management interfaces. (Bleeping Computer,  Dark Reading)   

**Can’t get enough Talos? **

*   Unwrapping the emerging Interlock ransomware attack 
*   Talos Takes on Interlock 
*   November Patch Tuesday release contains three critical remote code execution vulnerabilities 
*   It's Taplunk! Talos and Splunk threat researchers meet to put the security world to rights 

**Upcoming events where you can find Talos **

 CyberCon Romania

(Nov 21-22)    
Bucharest, Romania 

 Martin Lee from Cisco Talos will speak on a panel discussion Maintaining Resilience for a Secure Cyber Infrastructure.  

misecCON (Nov. 22)    
Lansing, Michigan 

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting. 

AVAR

(Dec 4-6)    
Chennai, India 

 Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.  

**Most prevalent malware files from Talos telemetry over the past week  **

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a  

MD5: 3bc6d86fc4b3262137d8d33713ed6082  

Typical Filename: 8c556f0a.dll  

Claimed Product: N/A  

Detection Name: Gen:Variant.Lazy.605353  

 SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a 

MD5: 200206279107f4a2bb1832e3fcd7d64c 

Typical Filename: lsgkozfm.bat 

Claimed Product: N/A 

Detection Name: Win.Dropper.Scar::tpd   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

Typical Filename: VID001.exe  

Claimed Product: N/A  

Detection Name: RF.Talos.80  

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  

MD5: 8b84d61bf3ffec822e2daf4a3665308c  

Typical Filename: RemComSvc.exe  

Claimed Product: N/A  

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on

When a cybersecurity incident occurs, it's not just IT systems and data that are at risk — a company's reputation is on the line, too.

Source: Panther Media GmbH via Alamy Stock Photo

Question: What value do public relations experts bring to a company during a cybersecurity incident?

Ronn Torossian, founder, 5WPR: The threat of a cyberattack is ever-present, making cybersecurity a top priority for organizations of all sizes. But when a cybersecurity incident occurs, it's not just IT systems and data that are at risk — a company's reputation is on the line, too. This is where public relations (PR) can step in as a critical safeguard. A well-executed cybersecurity PR strategy can help contain the fallout of a cybersecurity breach, maintain stakeholder trust, and position the organization for recovery.

Here are five ways PR professionals can protect a company against damage from a cybersecurity incident.

**1\. Build Trust With Stakeholders Ahead of Time**

PR's role in a cybersecurity incident starts long before a breach happens. Proactive engagement with stakeholders builds a reservoir of goodwill to draw upon in times of crisis. Engagement includes providing regular updates on the company's cybersecurity measures, sharing tips for data protection, and offering insights into industry best practices.

For instance, tech giants like Cisco and IBM consistently communicate their cybersecurity initiatives, positioning themselves as leaders in the space. By doing so, they reinforce their commitment to security. This proactive approach helps set the stage for smoother communication during a crisis.

**2\. Communicate With Transparency and Speed**

The first hours of a cybersecurity breach are crucial. Prompt, transparent communication helps shape public perception and can significantly influence the level of trust that stakeholders place in the company. When an incident occurs, PR teams must work swiftly to inform customers, employees, and partners about what happened, what steps the company is taking, and what they should do next.

A classic negative case study is Equifax's 2017 breach, where delayed communication compounded the public's distrust. Companies that immediately acknowledge a breach and provide clear updates often regain trust faster. Transparency demonstrates accountability and commitment, both of which are key to repairing reputational damage.

**3\. Harness Social Media for Crisis Responses**

Social media is a double-edged sword in the wake of a cybersecurity breach. These digital channels amplify both the reach of the company's crisis communications and the spread of misinformation or negative sentiment. A strong social media strategy is essential for managing the narrative.

PR teams should use platforms like LinkedIn and other digital channels to provide real-time updates, address customer concerns, and reinforce the company's commitment to resolving the issue. These channels offer an opportunity to humanize the brand, which can help mitigate panic and frustration.

**4\. Bring in Cybersecurity Teams for Updates**

Effective crisis communication requires more than just PR expertise. Collaboration with IT and cybersecurity teams ensures that messaging is accurate, clear, and credible.

Cybersecurity experts lend authority to media briefings or stakeholder updates and signal that the situation is under control. PR professionals translate complex technical details into language that resonates with diverse audiences. This partnership helps build confidence in the organization's ability to manage and resolve cybersecurity incidents.

**5\. Rebuild Trust After an Attack**

Long-term organizational recovery from a cybersecurity breach depends on rebuilding trust, which is rooted in ongoing education and advocacy. PR teams can drive awareness campaigns that encourage both internal and external audiences to adopt better cybersecurity practices.

This might involve publishing blogs, hosting webinars, or participating in industry panels to share insights on navigating the evolving threat landscape. Advocacy for stronger industry standards or collaboration on public policy can further position the company as a thought leader committed to enhancing cybersecurity for all.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

How Can PR Protect Companies During a Cyberattack?

An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse

QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.

Wednesday, November 20, 2024 06:00

*   QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Cisco Talos’ data, roughly 60% of all email containing a QR code is spam.  
*   Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code's orientation and position. 
*   Further complicating detection, both by users and anti-spam filters, Talos found QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes increased, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first “Quick Response“ codes (QR codes). 

QR codes are a two-dimensional matrix bar code that can encode just over 7,000 numeric characters, or up to approximately 4,300 alphanumeric characters. While they can represent almost any data, most frequently we encounter QR codes that are used to encode URLs. 

**Quantifying the QR code problem **

Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up between .01% and .2% of all email worldwide. This equates to roughly one out of every 500 email messages. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users’ email inboxes, skewing users’ perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, **roughly 60% of all email containing a QR code is spam**.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication (MFA) requests used for phishing user credentials. 

An example MFA phishing email utilizing a QR code.

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate wi-fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few/no alerts from security devices will notify security teams that this has occurred. 

**Why are malicious QR codes hard to detect? **

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters.

__An email containing a QR code constructed from Unicode characters (defanged).__

The graphical parts of the image are contained within a PDF file. The PDF metadata indicates it was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode that is being used to construct the QR code. 

__HTML used to construct a malicious QR Code from Unicode characters.__

**Defanging QR codes **

When sharing malicious URLs, it is common to change the protocol from “http” to “hxxp”, and/or to add brackets (“\[\]”) around one of the dots in the URL. This makes it so browsers and other applications do not render the link as an active URL, ensuring that users do not inadvertently click on the malicious URL. This is a process known as “defanging.” Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a news article from BBC about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims. 

__A news article from BBC containing a working QR code (this has been defanged by Talos).__

The problem is that these QR codes can still be scanned, taking visitors to whatever malicious link that the QR code encoded. **To make malicious QR codes safe for consumption, they should be defanged.** 

There are a couple of different ways to do this. One way is to obscure the data modules, the black and white squares within the QR code that represent the encoded data. This is where the data that the QR code represents is located. However, based on Talos’ own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (a.k.a. finder patterns). These are the large square boxes located in three of the four corners of the QR code, which are used by the QR code scanner to initially identify the code's orientation and position. Removing the position detection patterns renders a QR code unscannable by virtually all scanners. Additional details on how this is achieved, will be covered later in the blog. 

A normal QR code on the left vs. a defanged QR code on the right.

**Be careful what you scan! **

For years, security professionals have encouraged users **not** to click on unfamiliar or suspicious URLs. These URLs could potentially lead to phishing pages, malware or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking on a suspicious link. To be clear, scanning an unknown/suspicious QR code is equivalent to clicking on a suspicious URL. 

To complicate the situation even more, there are QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. The potential danger with QR code art images is that a user could conceivably be tricked into scanning a QR code art image with their camera, and then inadvertently navigate to the linked content without realizing it.

**How to protect yourself from malicious QR codes **

QR codes have become ubiquitous, appearing in email, on restaurant menus, at public events, on retail packaging, in museums, and even public parks and trails. The perfect defense is to avoid scanning any QR codes; however, it can be difficult to avoid scanning these entirely, so users must exercise caution. Scanning a QR code is essentially the same as clicking on an unknown hyperlink, but without the ability to see the full URL beforehand. 

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload this image to one of these decoders, and the QR code decoder will tell you what data was encoded inside the QR code. This will allow you to more closely inspect the link. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid). This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never enter your username and password into an unknown site. It is better to navigate directly to anywhere you wish to login, rather than clicking on a URL presented to you from an unknown third party.

Malicious QR Codes: How big of a problem is it, really?

The company says no sensitive data was stolen, but federal agencies claim otherwise. CISA and FBI sources said attackers accessed all records of specific customers and the private communications of targeted individuals.

Source: GK Images via Alamy Stock Photo

T-Mobile USA is the latest telecommunications provider to acknowledge it's been targeted by the Chinese advanced persistent threat (APT) known as Salt Typhoon, as part of a widescale and unsettling cyber-espionage operation that hacked numerous US and international telecommunications companies aiming to steal sensitive information.

The second-largest wireless carrier in the US is currently investigating and monitoring a cyberattack "consistent" with the recent activities of the Chinese state-sponsored cyber actor, a company spokesperson told Dark Reading late on Nov. 18 in a statement.

However, so far, the company has "had no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced," according to T-Mobile. Moreover, "there have been no significant impacts to T-Mobile systems or data," the company said. T-Mobile, based in Bellevue, Wash., has more than 127.5 million US subscribers.

However, T-Mobile's account differs from reports in which federal agencies said that there is evidence that the threat actor gained access to sensitive data, according to a published report in the Wall Street Journal that cited sources from the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

Related:Akamai Reports Third Quarter 2024 Financial Results

According to those agencies, Salt Typhoon accessed call records of specific customers, private communications of targeted individuals, and information about law enforcement surveillance requests in an effort to gather intelligence on high-ranking US national security and policy officials, the report said.

**T-Mo Cyberattack: Full Impact Yet Unknown**

All in all, the wave of recent attacks by Salt Typhoon that have rocked telecom providers both at home and abroad — including AT&T, Verizon, and Lumen Technologies — is "unnerving," says one industry expert.

"No one is pleased with the idea that the Chinese government has access to information about us from our cellphones, one of the more intimate devices used in our daily life," says Jim Routh, former CISO at Aetna, American Express, and CVS and currently chief trust officer at security firm Saviynt. "The practical reality is that this incident does little to change the risk of a significant impact to US consumers."

As T-Mobile is not yet acknowledging that data was even stolen, let alone what type of data, the full impact of the attack won't be known for some time, Paul Bischoff, consumer privacy advocate at Comparitech, notes. That said, there is a chance it's not as serious as some fear depending on what is revealed, he observes.

Related:Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

"Metadata like call times and participants, although concerning, is not nearly as scary as state-sponsored threat actors stealing texts and audio messages," Bischoff says.

Still, the national security implications of Chinese threat actors rooting around in the personal data of mobile device users, and then using that data to "island hop into a myriad of government agencies and critical infrastructures … are profound," observes another security expert, Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

"This is the third telecom provider compromised by \[China\] in the last 12 months," Kellermann says. "The systematic campaign of infiltration will take months to root out."

**Further Salt Typhoon Telecom Attacks Imminent?**

Indeed, experts have surmised that the idea behind Salt Typhoon's wave of attacks is to leverage the useful information that can be gleaned from people's personal communications to launch further malicious activity and/or potentially disrupt communications to further China's interests in its political and economic conflict with the US.

"We can expect to see additional attacks by this group in the coming months, as \[it\] works to access the phone lines and records of national security officials and politicians," notes Chris Hauk, consumer privacy champion at Pixel Privacy.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

The incidents are certainly a rude awakening for telecommunications and other critical infrastructure providers, and demonstrate just how vulnerable they are to compromise by organized cybercriminal groups, experts say. Indeed, T-Mobile itself doesn't have the best track record in cybersecurity, Bischoff notes, as just last month the mobile carrier paid a $31.5 million settlement to resolve multiple data breaches that took place over three years.

The threat of imminent further attacks by Salt Typhoon demand that telecom providers act fast to shore up cybersecurity efforts. "We can expect to continue to see attacks like this, as well as traditional ransomware attacks," Hauk notes, "as state actors continue to wage a cyberwar against the United States and its vulnerable infrastructure."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Salt Typhoon Hits T-Mobile as Part of Telecom Attack Spree

ChatGPT, Google Gemini, and Meta AI may be everywhere, but Baby Boomers don't trust the tech or the companies behind it.

Artificial intelligence tools like ChatGPT, Claude, Google Gemini, and Meta AI represent a stronger threat to data privacy than the social media juggernauts that cemented themselves in the past two decades, according to new research on the sentiments of older individuals from Malwarebytes.  

A combined 54% of people between the ages of 60 and 78 told Malwarebytes that they “agree” or “strongly agree” that ChatGPT and similar generative AI tools “are more of a threat than social media platforms (e.g., Facebook, Twitter/X, etc.) concerning personal data misuse.” And an even larger share of 82% said they “agree” or “strongly agree” that they are “concerned with the security and privacy of my personal data and those I interact with when using AI tools.”  

The findings arrive at an important time for consumers, as AI developers increasingly integrate their tools into everyday online life—from Meta suggesting that users lean on AI to write direct messages on Instagram to Google forcing users by default to receive “Gemini” results for basic searches. With little choice in the matter, consumers are responding with robust pushback.  

For this research, Malwarebytes conducted a pulse survey of its newsletter readers in October via the Alchemer Survey Platform. In total, 851 people across the globe responded. Malwarebytes then focused its analysis on survey participants who belong to the Baby Boomer generation.  

Malwarebytes found that:  

*   35% of Baby Boomers said they know “just the names” of some of the largest generative AI products, such as ChatGPT, Google Gemini, and Meta AI.  

*   71% of Baby Boomers said they have “never used” any generative AI tools—a seeming impossibility as Google search results, by default, now provide “AI overviews” powered by the company’s Gemini product. 

*   Only 12% of Baby Boomers believe that “generative AI tools are good for society.”  

*   More than 80% of Baby Boomers said that they worry about generative AI tools both improperly accessing their data and misusing their personal information.  

*   While more than 50% of Baby Boomers said they would feel more secure in using generative AI tools if the companies behind them provided regular security audits, a full 23% were unmoved by proposals in transparency or government regulation. 

****Distrust, concern, and unfamiliarity with AI**  **

Since San Francisco-based AI developer OpenAI released ChatGPT two years ago to the public, “generative” artificial intelligence has spread into nearly every corner of online life.  

Countless companies have integrated the technology into their customer support services with the help of AI-powered chatbots (which caused a problem for one California car dealer when its own AI chat bot promised to sell a customer a 2024 Chevy Tahoe for just $1). Emotional support and mental health providers have toyed with having their clients speak directly with AI chatbots when experiencing a crisis (to middling results). Audio production companies now advertise features to generate spoken text based off samples of recorded podcasts, art-sharing platforms regularly face scandals of AI-generated “stolen” work, and even AI “girlfriends”—and their scantily-clad, AI-generated avatars—are on offer today.  

The public are unconvinced.  

According to Malwarebytes’ research, Baby Boomers do not trust generative AI, the companies making it, or the tools that implement it.  

A full 75% of Baby Boomers said they “agree” or “strongly agree” that they are “fearful of what the future will bring with AI.” Those sentiments are reflected in the 47% of Baby Boomers who said they “disagree” or “strongly disagree” that “generative AI tools are good for society.”  

In particular, Baby Boomers shared a broad concern over how these tools—and the developers behind them—collect and use their data.  

More than 80% of Baby Boomers agreed that they held the following concerns about generative AI tools: 

*   My data being accessed without my permission (86%) 

*   My personal information being misused (85%) 

*   Not having control over my data (84%) 

*   A lack of transparency into how my data is being used (84%) 

The impact on behavior here is immediate, as 71% of Baby Boomers said they “refrain from including certain data/information (e.g., names, metrics) when using generative AI tools due to concerns over security or privacy.”  

The companies behind these AI tools also have yet to win over Baby Boomers, as 87% said they “disagree” or “strongly disagree” that they “trust generative AI companies to be transparent about potential biases in their systems.” 

Perhaps this nearly uniform distrust in generative AI—in the technology itself, in its implementation, and in its developers—is at the root of a broad disinterest from Baby Boomers. An enormous share of this population, at 71%, said they had never used these tools before.  

The statistic is difficult to believe, primarily because Google began powering everyday search requests with its own AI tool back in May 2024. Now, when users ask a simple question on Google, they will receive an “AI overview” at the top of their results. This functionality is powered by Gemini—Google’s own tool that, much like ChatGPT, can generate images, answer questions, fine-tune recipes, and deliver workout routines.  

Whether or not users know about this, and whether they consider this “using” generative AI, is unclear. What is clear, however, is that a generative AI tool created by one of the largest companies in the world is being pushed into the daily workstreams of a population that is unconvinced, uncomfortable, and unsold on the entire experiment.  

****Few paths to improvement**  **

Coupled with the high levels of distrust that Baby Boomers have for generative AI are widespread feelings that many corrective measures would have little impact.  

Baby Boomers were asked about a variety of restrictions, regulations, and external controls that would make them “feel more secure about using generative AI tools,” but few of those controls gained mass approval.  

For instance, “detailed reports on how data is stored and used” only gained the interest of 44% of Baby Boomers, and “government regulation” ranked even lower, with just 35% of survey participants. “Regular security audits by third parties” and “clear information on what data is collected” piqued the interest of 52% and 53% of Baby Boomers, respectively, but perhaps the most revealing answers came from the suggestions that the survey participants wrote in themselves.  

Several participants specifically asked for the ability to delete any personal data ingested by the AI tools, and other participants tied their distrust to today’s model of online corporate success, believing that any large company will collect and sell their data to stay afloat. 

But frequently, participants also said they could not be swayed at all to use generative AI. As one respondent wrote:  

“There is nothing that would make me comfortable with it.”    

Whether Baby Boomers represent a desirable customer segment for AI developers is unknown, but for many survey participants, that likely doesn’t matter. It’s already too late.

Tag

#cisco