Since 2019, MirrorFace has been stealing information from myriad Japanese organizations to gain leverage over Japan in the event of hostilities between the two countries, experts said.

Source: Birgit Korber via Alamy Stock Photo

The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity warned Japanese organizations of a sophisticated Chinese state-backed cyber-espionage effort called "MirrorFace" to steal technology and national security secrets.

Japanese authorities said the advanced persistent threat group (APT) MirrorFace has been operating since 2019.

"By publicizing the modus operandi of 'MirrorFace' cyberattacks, the purpose of this alert is to make targeted organizations, business operators, and individuals aware of the threats they face in cyberspace and to encourage them to take appropriate security measures to prevent the damage caused by cyberattacks from spreading and to prevent damage from occurring in the first place," read a statement from Japanese police.

**MirrorFace Cyberattacks Against Japan**

Japanese law enforcement identified three types of MirrorFace attacks. The earliest and most enduring tactic used by MirrorFace to steal Japanese secrets was an elaborate phishing campaign between 2019 and 2023 aimed at delivering malware to the country's think tanks, governments, and politicians, according to the warning issued by Japan's National Police Agency and translated to English.

In 2023, MirrorFace pivoted to finding vulnerabilities in network devices across healthcare, manufacturing, information and communications, education, and aerospace, the police continued. MirrorFace exploited vulnerabilities in devices that included Fortinet FortiOS and FortiProxy (CVE-2023-28461), Citrix ADC (CVE-2023-27997,) and Citrix Gateway (CVE-2023-3519).

Another phishing campaign began around June 2024 and used basic phishing tactics against the media, think tanks, and Japanese politicians, according to police. And from February 2023 to October 2023, the group was observed exploiting an SQL injection in an external public server to gain access to Japanese organizations.

The revelations about MirrorFace's activities come amid other headline-grabbing Chinese-sponsored cyberattacks against US and global telecom companies, and even the US Department of the Treasury, carried out by a fellow APT group "Salt Typhoon."

MirrorFace appears to operating as a a People's Liberation Army (PLA) cyber-warfare unit, according to Mark Bowling, former FBI special agent and current chief information security and risk officer at ExtraHop.

"Since 2019, the MirrorFace APT has consistently utilized well-crafted spear-phishing campaigns, and used weaponized code/logic such as LODEINFO and MirrorStealer to steal credentials, escalate privileges, and exfiltrate data which could be utilized to better position the PLA in the event of hostilities with Japan," Bowling says.

As geopolitical tensions continue to flare up around the world, Bowling expects to see an increasing uptick in APT activity in kind, particularly by nation-state actors targeting the US.

"The consequences of those strained relations over Ukraine, Taiwan, and the ongoing Iran hostility against Israel though its proxies are now increasingly spilling over into aggressive and relentless digital campaigns," Bowling explains. "There is no doubt threats from nation-state groups will increase in volume and sophistication this year, targeting our critical infrastructure like utilities, telecommunications, and healthcare."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Chinese APT Group Is Ransacking Japan's Secrets

The most recent iteration of the open source infostealer skates by antivirus programs on Macs, using an encryption mechanism stolen from Apple's own antivirus product.

Source: Charles Walker Collection via Alamy Stock Photo

The macOS infostealer "Banshee" has been spotted skating by antivirus programs using a string encryption algorithm it stole from Apple.

Banshee has been spreading since July, primarily via Russian cybercrime marketplaces, where it was sold as a $1,500 "stealer-as-a-service" for Macs. It's designed to steal credentials from browsers — Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera — and browser extensions associated with cryptocurrency wallets — Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. Plus, it lifts additional information about targeted systems, including software and hardware specifications, and the password needed to unlock the system.

It was far from a perfect tool, widely detected by antivirus programs, thanks in part to its being packaged entirely in plaintext. But on Sept. 26, researchers from Check Point observed a more potent variant. This more successful variant remained otherwise undetected for months, primarily because it was encrypted with the same algorithm used by Apple's Xprotect antivirus tool for macOS.

**Banshee Malware Steals From XProtect**

XProtect is Apple's decade-and-a-half-old anti-malware engine for macOS. To detect and block malware, it uses "Remediator" binaries, which combine various methods and tools for antivirus-ing, including YARA rules, which contain patterns and signatures associated with known threats.

Check Point found that the same encryption algorithm that protects XProtect's YARA rules also concealed the September variant of Banshee.

It's not clear how the malware author — nom de guerre "0xe1" or "kolosain" — gained access to that algorithm.

"It could be that they performed a reverse engineering of the XProtect binaries, or even read relevant publications, but we can't confirm it," Antonis Terefos, reverse engineer at Check Point Research, speculates. "Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily 'reimplement' the string encryption for malicious purposes," he says.

Either way, the effect was significant. "The majority of the antivirus solutions in VirusTotal detected the initial Banshee samples using plaintext, but once the developer introduced this novel string encryption algorithm, none of the approximately 65 antivirus engines in VirusTotal detected it," he says.

That remained the case for around two months. Then, on Nov. 23, Banshee's source code was leaked on the Russian language cybercrime forum "XSS." 0xe1 shuttered his malware-as-a-service (MaaS) operation, and antivirus vendors incorporated associated YARA rules in due course. But even after that point, Terefos reports, the encrypted Banshee remained undetected by most engines on VirusTotal.

**How Banshee Stealer Is Spreading in Cyberattacks**

Since late September, Check Point has identified more than 26 campaigns spreading Banshee. Broadly speaking, they can be grouped into two clusters.

In three waves of campaigns lasting from mid-October to early November, threat actors spread the infostealer via GitHub repositories. The repositories promised users cracked versions of popular software, like Adobe programs and various image and video editing tools. The malware was concealed behind generic file names such as "Setup," "Installer," and "Update." This same cluster of activity also targeted Windows users with the popular Lumma Stealer.

The remaining campaigns spread Banshee via phishing sites, of one form or another. In these cases, the attackers disguised the malware as various popular software programs, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. If a visitor was using macOS, they'd get a download link.

More, varying campaigns could be on the way, now that Banshee has been leaked. Thus, Terefos says, "Despite macOS traditionally being regarded as more secure, Banshee’s success demonstrates the importance for macOS users to remain vigilant and aware of the threats."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.

Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement.

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like _Candy Crush_ and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without users’ or even app developers’ knowledge.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples’ mobile phones.

“This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards says.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps.

The list includes dating sites Tinder and Grindr; massive games such as _Candy Crush_, _Temple Run_, _Subway Surfers_, and _Harry Potter: Puzzles & Spells_; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Multiple security researchers have published other lists of apps included in the data, of varying sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to search for apps they have installed.

Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.

Much of the location data attached to these app names does not have a time stamp. But there are indications it dates from 2024. One of the apps listed is _Call of Duty: Mobile_, and specifically its Season 5 iteration, which launched in May 2024.

Gravy is a company that powers much of the rest of the location data industry. It collates mobile phone location data from various sources, then sells that to commercial companies or, through its subsidiary Venntel, to US government agencies. Norwegian outlet NRK and I previously revealed the flow of location data from a handful of ordinary apps to Gravy and then to Venntel. Venntel’s clients have included Immigration and Customs Enforcement, Customs and Border Protection, the IRS, the FBI, and the Drug Enforcement Administration.

Venntel has also provided the underlying data for another government-bought surveillance tool called Locate X. 404 Media and a group of other outlets showed last year how that tool, made by a company called Babel Street, could be used to monitor visitors to out-of-state abortion clinics.

But the newly hacked data shows for the first time just how many apps could be part of a location data supply chain, even if their developers are not aware of it. Most app developers and companies included in the list did not respond to a request for comment. Flightradar24 said in an email that it had never heard of Gravy, but that it does display ads, which “help keep Flightradar24 free.”

Tinder said in an email that “Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app” but did not answer questions about ads inside the app.

Muslim Pro, one of the Muslim prayer apps included in the list, said in an email that it was not aware of Gravy. “Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users,” the email said. That does not necessarily mean that a member of the advertising ecosystem can’t extract such data, though. (In 2020 I revealed Muslim Pro was selling its users’ location data to a company called X-Mode, whose clients included US military contractors; Muslim Pro stopped the practice after my reporting.)

A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data.

It’s important that the data appears to be sourced through real-time bidding, because that dictates who is responsible (rogue members of the advertising industry and the tech giants that facilitate that industry), how users can protect themselves (attempting to block ads), and the fact that massive app publishers may not even be aware their users’ data is being harvested and therefore might not know how to stop it. An app developer will know if it implemented location-data-gathering code itself. It might not know that some company, somewhere, is silently listening in on the advertising process and siphoning data from their app.

Surveillance firms can obtain RTB data by acquiring ad tech companies and posing as prospective advertisers. The spy-run location data company doesn’t need to successfully place an ad; instead, it is able to gather data on devices by simply being plugged into that industry. Location data in this case can also include a users’ IP address, which is then geolocated to give their coarse location.

Last January, 404 Media reported on an Israeli surveillance company called Patternz, which was sourcing masses of location data through the RTB process.

In an exposed training video, Patternz showed some of the popular apps it got location data from: 9GAG, Kik, sports app FUTBIN, caller ID apps such as CallApp and Truecaller; and various word, sudoku, and solitaire puzzle games. Every one of these apps are also in the Gravy data. This suggests that Gravy, or wherever Gravy got that data from, also sourced it from interacting with the advertising system rather than location-tracking code baked into the apps.

404 Media shared some of the location data with another security researcher with knowledge of the advertising and location data industries. “It appears that at least some of this data would likely have been sourced from advertising related, real-time bidding,” Krzysztof Franaszek, founder of Adalytics, a digital forensics firm, told 404 Media after reviewing the data. He pointed out some of the user-agents in the file, which show how a user’s device connected to a service, referenced “afma-sdk.” That is a string used by Google’s Mobile Ads SDK (software development kit). In other words, in some cases, it is Google’s advertising platform that is delivering the ads that are eventually leading to this tracking by outside companies and potentially government contractors.

Google did not respond to multiple requests for comment for this article. Neither did Apple.

Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS \[Global Navigation Satellite System\]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”

“What we’re seeing here in this data appears to me to be a huge diversity of apps,” Edwards says. “That’s not what you see from an SDK ingestion; that’s what you see from bulk RTB ingestions.”

In December the Federal Trade Commission banned another location data company called Mobilewalla from collecting consumer data “from online advertising auctions for purposes other than participating in those auctions.” In other words, the agency banned Mobilewalla from participating in the RTB process for building datasets on peoples’ devices. The FTC also said Venntel and Gravy collected data without obtaining user consent, ordered the company to delete historical location data, and banned it from selling data related to sensitive areas like health clinics and places of worship, except in “limited circumstances” involving national security or law enforcement.

404 Media has verified the hacked Gravy data in various ways. Some files include credentials for Gravy’s Snowflake instances, a data warehousing tool. 404 Media checked that the URLs in the hacked files do correspond to real Snowflake instances. One file called “users” contains a long list of companies. Some of these firms denied having any relationship with Gravy; Cuebiq, another location data firm mentioned in the file, told 404 Media it “routinely evaluates available data in the market to determine if they are an appropriate fit for our business. Most do not make it past the evaluation stage to production, as was the case here. Cuebiq tested a limited data sample, which was never made available to our customers, and the data was deleted at the end of the limited trial.”

404 Media also sent a section of the data to another data broker called Datonics. “We investigated the matter described in your email, and the segment IDs in those files are those of Gravy, not Datonics,” the company said in an email.

Unacast, which merged with Gravy in 2023, did not respond to multiple requests for comment, both on the hack and whether it or any of its suppliers have derived location data from the real-time bidding process.

Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

Texas has become a leading enforcer of internet rules. Its latest probe includes some platforms that privacy experts describe as unusual suspects.

Over the past decade, Texas attorney general Ken Paxton has wielded his office’s significant resources to investigate well-known tech giants including Google and Meta over how they moderate content and treat rivals. He helped win settlements against Apple for allegedly misleading users and is suing TikTok for allegedly endangering children's privacy. Now, Paxton’s latest tech investigation includes an expansive number of targets, WIRED has learned.

Rumble, Quora, and WeChat are among the 15 companies from which Texas has demanded answers by next week about their collection and use of data of people under 18 years old. Paxton announced the investigation in a press release last month but named only four of the companies being probed—Character.AI, Red­dit, Insta­gram, and Dis­cord. WIRED obtained the names of additional targeted companies through a public records request. They also include Kick, Kik, Pinterest, Telegram, Twitch, Tumblr, WhatsApp, and Whisper.

Paxton’s office did not respond to requests for comment, including about how it chose which businesses to investigate. But the variety of companies questioned highlights the sprawling reach of a new Texas law aimed at increasing oversight of minors’ use of social media and chat services.

Three experts in youth privacy regulations who have been following Paxton’s enforcement efforts say the new investigation should be treated credibly, and they believe it could result in companies agreeing to improve their practices. The alternative could be up to hundreds of millions of dollars in penalties per company. “When you bring all the statutes together, Texas has a pretty significant hammer,” says Paul Singer, a partner and section chair at the law firm Kelley Drye & Warren.

Spokespeople for Character.AI and Tumblr say they take safety issues seriously. Meta and WeChat declined to comment. Other companies under investigation did not respond to requests for comment.

Paxton launched his probe three days after the families of an 11-year-old girl and 17-year-old boy in Texas sued chatbot startup Character.AI, claiming the company designed its product in an unsafe way that exposed the kids to sexualized and violent responses. In October, a similar case was filed in Florida by the family of a 14-year-old who shot himself to death allegedly following conversations with a Character.AI chatbot. Character.AI later introduced an experience aimed at kids and plans to roll out parental controls.

Other services under investigation including Kik, Instagram, and Discord have faced public scrutiny over their use by children. But less so WeChat, a messaging app popular among Chinese Americans, and Quora, a forum for crowdsourcing information that’s recently expanded into AI chatbots.

Paxton’s interest in Rumble, a YouTube-like website popular among US conservative political commentators, is also perhaps unexpected given his track record of partisan views about social media companies. Rumble has touted itself as a haven for free expression, unlike platforms that engage in allegedly heavier content moderation. Paxton is a Republican and has criticized platforms that unfairly silence Texans.

The privacy experts who spoke with WIRED described Rumble, Quora, and WeChat as unusual suspects but declined to speculate on the rationale behind their inclusion in the investigation. Josh Golin, executive director of the nonprofit Fairplay, which advocates for digital safety for kids, says concerns aren’t always obvious. Few advocacy groups worried about Pinterest, for example, until the case of a British teen who died from self-harm following exposure to sensitive content on the platform, he says.

Paxton’s press release last month called his new investigation “a critical step toward ensuring that social media and AI companies comply with our laws designed to protect children from exploitation and harm.”

The United States Congress has never passed a comprehensive privacy law, and it hasn’t significantly updated child online safety rules in a quarter century. That has left state lawmakers and regulators to play a big role.

Paxton’s investigation centers on compliance with Texas’ Securing Children Online through Parental Empowerment Act, or SCOPE, which went into effect in September. It applies to any website or app with social media or chat functions and that registers users under the age of 18, making it more expansive than the federal law, which covers only services catering to under-13 users.

SCOPE requires services to ask for users’ age and provide parents or guardians power over kids’ account settings and user data. Companies also are barred from selling information gathered about minors without parental permission. In October, Paxton sued TikTok for allegedly violating the law by providing inadequate parental controls and disclosing data without consent. TikTok has denied the allegations.

The investigation announced last month also referenced the Texas Data Privacy and Security Act, or TDPSA, which became effective in July and requires parental consent before processing data about users younger than 13. Paxton’s office has asked the companies being investigated to detail their compliance with both the SCOPE Act and the TDPSA, according to legal demands obtained through the public records request.

In total, companies must answer eight questions by next week, including the number of Texas minors they count as users and have barred for registering an inaccurate birthdate. Lists of whom minors’ data is sold or shared with have to be turned over. Whether any companies have already responded to the demand couldn’t be learned.

Tech company lobbying groups are challenging the constitutionality of SCOPE Act in court. In August, they secured an initial and partial victory when a federal judge in Austin, Texas, ruled that a provision requiring companies to take steps to prevent minors from seeing self-harm and abusive content was too vague.

But even a complete win might not be a salve for tech companies. States including Maryland and New York are expected to enforce similar laws starting later this year, says Ariel Fox Johnson, an attorney and principal of the consultancy Digital Smarts Law & Policy. And state attorneys general could resort to pursuing narrower cases under their tried-and-true laws barring deceptive business practices. “What we see is often information gets shared or sold or disclosed in ways families didn’t expect or understand,” Johnson says. “As more laws are enacted that create firm requirements, it seems to be becoming more clear that not everybody is in compliance.”

Rumble Among 15 Targets of Texas Attorney General’s Child Privacy Probe

Discover how AI revolutionizes cybersecurity with real-time threat detection, adaptive protection, and advanced data protection to combat evolving…

Discover how AI revolutionizes cybersecurity with real-time threat detection, adaptive protection, and advanced data protection to combat evolving cybersecurity risks.

Cybersecurity threats are no longer luxuries of the big corporations and reach every part of our connected world making big and small businesses both vulnerable. With attacks becoming smarter and more sophisticated, traditional security measures frequently can’t keep up.

Enter Artificial Intelligence (AI) and how they have begun to change how we defend against cybersecurity risks. In this article, we’ll talk about how AI powers threat intelligence and strengthen cyber defence strategies so that organizations never find themselves behind the curve of malicious actors.

****The Foundation of AI in Cybersecurity****

AI revolutionized the cybersecurity field by providing tools beyond static defences. AI learns patterns from millions of data and reports the anomalies that were otherwise left unnoticed. Thus, unlike conventional systems, AI developed as an already mature and powerful response to what could be learned in certain usage scenarios with time, also because it doesn’t require any extensive manual configuration, making it perfect for proactive threat intelligence.

One key application is Two-Factor Authentication Methods. In complement to the authentication process, AI analyzes login patterns and signals on unusual access attempts. This can, for example, block login attempts with the correct credentials from risky locations – just another level of security. Integrating machine learning models means both security and user convenience.

****Identifying Threats Before They Strike****

Hence, AI driven cybersecurity is all about being able to predict and react to threats. Using machine learning, we build predictive models that aggregate and analyze data from previous attacks, and then try to detect warning signs before breaches take place. That’s proactive, saves time, and minimizes damage.

For instance, AI tools detect system behaviours in real-time, alerting them of anything unusual and escalating cases, such as an unexpected increase in outbound traffic or unauthorized access to some data. These early warnings help the security teams to do something before the harm is already done. Anomaly detection algorithms and other advanced AI systems mean that even the slightest hints of an attack don’t slip under the radar.

****AI-Powered Defense Mechanisms****

It’s not just detecting threats; it’s defending against threats in real-time. AI-powered automated response systems immediately block attacks. AI helps to quickly and efficiently counteract threats, by enchasing firewalls and neutralizing malware.

A standout example is its role in implementing multi-factor authentication windows. AI aids in physical identity verification more reliably than people could using a manual system by monitoring access requests on devices and across time zones. It’s combined with intelligent firewalls so that attackers are stopped at the gate, and no unauthorized entry is allowed.

****Adapting to Evolving Cyber Threats****

Things change quickly in the cyber threat space but when it comes to AI it changes even faster. The AI is constantly trained using new data in order to counter emerging risks. From ransomware to zero-day exploits, AI systems will evolve to tackle new problems.

Take phishing, for instance. Because AI knows what patterns to look for in the text, as well as sender and email behaviour, as well as embedded links, it has the ability to recognize fraudulent emails. Phishing tactics undergo regular change, where AI’s ongoing process of information digestion and processing means that it keeps a step ahead. However, flexibility had to exist to combat ever-changing attack strategies.

****Protecting Data with AI****

Attackers seek out data, so protecting it is job one. In turn, AI encrypts data more securely and at a faster rate while also being able to detect unauthorized access attempts. For instance, if one wishes to monitor file transfers anywhere sensitive documents are being accessed outside approved parameters, the AI will do this and will alert administrators or supervisors when required.

Offloading the work and analysis of your users allows an organization to better protect its users and secure sensitive data, and is an integral part of AI’s predictive analytics that also prevent data breaches. It analyzes historical trends of high-risk behaviours that could result in leaks. Such measures protect customer trust as well as adherence to data protection laws.

****AI’s Role in Network Security****

Networks are the foundation of any organization’s digital infrastructure, with AI strengthening protection through proper security and traffic monitoring.

An example would be AI-driven tools that can spot abnormal behaviours such as this spike in bandwidth usage. Analyzing such patterns makes AI able to prevent Distributed Denial-of-Service (DDoS) attacks. Besides, the use of AI in access control guarantees that only nominated gadgets connect to the network, making the organization less vulnerable.

****Enhancing Endpoint Protection****

Attackers often use endpoints like laptops, phones, and IoT devices. AI recognizes and microscopically halts threats, preventing such compromises.

Instead, an AI-powered antivirus will see the behaviour of a file rather than just relying on a signature database. This approach guarantees the detection of even new or modified malware. Additionally, through surveillance of user behaviour, and anomalies such as abnormal data downloads, AI ensures an additional security blanket against insider threats.

****Coordinating Incident Responses With AI****

Quick response is crucial when there is a breach. AI allows for better incident management, automating key incidents and leading to faster recovery time. This results in identifying the root cause and neutralizing threats to mitigate damage.

It also helps security teams provide actionable insights with AI. It can simulate what attack paths could be and allows teams to proactively patch vulnerabilities. Being this ready means companies can bounce back quickly and keep operating without losing much time.

****Ethical Concerns and Limitations of AI****

While AI has many benefits, it’s not trouble-free. A very good solution is the usage of machine learning, however ethical considerations, for example in the form of potential bias of the algorithms, can hinder its usage. An example is an AI system trained on biased data that may miss out on threats making organisations vulnerable.

In addition, human oversight may decrease because of over-dependence on automation. Finding a balance between AI manpower and human intervention is something important. With these concepts addressed, AI continues to be a viable position tool in cyber security.

****The Future of AI in Cyber Defense****

As technology develops, AI will assume more and more of a role in cybersecurity. Innovations that are emerging, such as federated learning will make AI systems even more secure and effective. These technologies will work to strengthen interactions between these organizations, putting up more formidable bulwarks against cyber threats.

Ahead, it is important for organizations to invest in AI-powered tools while keeping human expertise intact. A combination of technology and human insight will make our security strong against future next-generation cyber risks.

****Summary****

Cyber defence is being revolutionized by AI, which allows for both real-time threat detection and adaptive protection, as well as a quick response to attacks. Organizations can protect data better, improve security processes, and get ahead of changing risks by integrating AI tools.

Improved detection accuracy and proactive defences work together, and compatibility with tools you may already employ, such as two-factor authentication. As AI remains continuously advancing, the systems stay effective and ethical.

When you combine AI and human expertise, you get strong protection able to handle the cyber challenges you face now and will face in the future and also secure a resilient digital future.

1.  **Key Features Of Threat Intelligence Platforms**
2.  **A Step-by-Step Guide to How Threat Hunting Works**
3.  **ANY.RUN Upgrades Threat Intelligence to Identify Threats**
4.  **Criminal IP and Maltego Expand Threat Intelligence Search**
5.  **Leveraging AI for Enhanced Threat Detection and Prevention**

Harnessing AI for Proactive Threat Intelligence and Advanced Cyber Defense

### Impact
The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Example attack scenario:
1. An attacker has stolen the private key for a key published in JWK Set.
2. The publishers of that JWK Set remove that key from the JWK Set.
3. Enough time has passed that the program using the auto-caching HTTP client found in `github.com/MicahParks/jwkset` v0.5.0-v0.5.21 has elapsed its `HTTPClientStorageOptions.RefreshInterval` duration, causing a refresh of the remote JWK Set.
4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.

### Patches
The affected auto-caching HTTP client was added in version `v0.5.0` and fixed in `v0.6.0`. Upgrade to `v0.6.0` or later.

### Workarounds
The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the `HTTPClientStorageOptions.RefreshInterval` to zero (or not specifying the value). Upgrade to `v0.6.0` is advised.

### References
Please see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-22149

**JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh**

Low severity GitHub Reviewed Published Jan 9, 2025 in MicahParks/jwkset • Updated Jan 9, 2025

**Package**

gomod github.com/MicahParks/jwkset (Go)

**Affected versions**

\>= 0.5.0, <= 0.5.21

**Impact**

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Example attack scenario:

1.  An attacker has stolen the private key for a key published in JWK Set.
2.  The publishers of that JWK Set remove that key from the JWK Set.
3.  Enough time has passed that the program using the auto-caching HTTP client found in github.com/MicahParks/jwkset v0.5.0-v0.5.21 has elapsed its HTTPClientStorageOptions.RefreshInterval duration, causing a refresh of the remote JWK Set.
4.  The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.

**Patches**

The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. Upgrade to v0.6.0 or later.

**Workarounds**

The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). Upgrade to v0.6.0 is advised.

**References**

Please see the tracking issue on GitHub for additional details: MicahParks/jwkset#40

**References**

*   GHSA-675f-rq2r-jw82
*   MicahParks/jwkset#40
*   MicahParks/jwkset#41

Published to the GitHub Advisory Database

Jan 9, 2025

GHSA-675f-rq2r-jw82: JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

At least 36 Google Chrome extensions for AI and VPN tools have begun delivering info-stealing malware in a widespread attack.

Small businesses and boutique organizations should use caution when leaning on browser-friendly artificial intelligence (AI) tools to generate ideas, content, and marketing copy, as a set of Google Chrome extensions were recently compromised to deliver info-stealing malware disguised as legitimate updates.

Analyzed by researchers at Extension Total, the cybercriminal campaign has managed to take over the accounts of at least 36 Google Chrome extensions that provide AI and VPN services. The compromised extensions include “Bard AI Chat,” “ChatGPT for Google Meet,” “ChatGPT App,” “ChatGPT Quick Access,” “VPNCity,” “Internxt VPN,” and more, which are used by an estimated total of 2.6 million people.

Though these browser extensions borrow the names of the most popular AI tools available today, they are third-party tools that are not developed by Open AI—the company behind ChatGPT—or Google.

In response to the attack, many of the compromised browser extensions removed their tools from the Google Chrome web store to protect users. However, other extensions remain available and in the control of cybercriminals, making them dangerous to download.

There isn’t a startup, small business, or solo practitioner today who can run their operations without a web browser, and the most popular web browser in the world—by far—is Google Chrome.

But this cybercriminal campaign has not compromised Google Chrome itself.

Instead, it has compromised a series of extensions for Google Chrome that could prove attractive to many small businesses looking to harness AI, whether to write email newsletters, edit blogs, or even get ideas for marketing strategies in the new year. These third-party browser extensions, when they were still available, allowed users to directly ask questions to AI tools without needing to navigate away from a current web page.

But with the new attack, those same browser extensions are now delivering fraudulent updates that carry malicious code that can steal an employee’s data.

According to an investigation published by one of the compromised browser extension companies, the malware used in this attack sought data for Facebook Ads accounts. That may sound like a narrow goal, but considering that so many businesses rely on promotion and visibility through Facebook Ads, it isn’t uncommon that this information might be stored on an employee’s computer.

For a full list of compromised extensions, visit here.

Until fixes are released for every compromised extension, warn your employees about which browser extensions are safe to use, and consider creating a policy about only trusting first-party browser extensions for work.

For all other threats, try Malwarebytes Teams, which provides always-on protection against malware, ransomware, spyware, and more, along with 24/7 dedicated, human support.

 Google Chrome AI extensions deliver info-stealing malware in broad attack 

Explore top cybersecurity risks in crypto, including phishing, ransomware, and MitM attacks. Learn practical tips to safeguard your…

Explore top cybersecurity risks in crypto, including phishing, ransomware, and MitM attacks. Learn practical tips to safeguard your digital assets now.

Cryptocurrencies have recently increased in popularity, with more alternatives launched every day. The first cryptocurrency ever developed was Bitcoin, which inspired plenty of other cryptocurrencies to be created and make new waves in the world.

Even though there are various other notable examples in the crypto space, Bitcoin still has the number one position and represents the largest cryptocurrency by market cap. This has made a lot of individuals search for the best crypto exchange from where to buy Bitcoin to add it to their portfolios. 

Cryptocurrencies have brought several advantages to the world, as they have finally offered another solution to fiat money, integrating decentralization into the world. However, even if the popularity of cryptocurrencies has many advantages, it also has a major downside. For example, the price of the major digital coins has increased greatly, and this has attracted a lot of hackers who are trying to steal the funds of innocent people.

So, the crypto space is subjected to various threats, and because of that, before investing, it is imperative to adopt a more cautious approach, as, in this way, you can protect your crypto funds from malicious actors.

To protect your crypto assets, you must know the most common cybersecurity risks in the crypto space. In this way, you can avoid them and protect yourself against everything that might appear on the horizon. To help you a little in this process, we will explore together the most common cybersecurity threats in the crypto ecosystem. Keep reading to discover more. 

****Phishing threats****

One of the most common ways hackers try to steal information is through phishing attacks. In this cybersecurity threat, a malicious actor can use plenty of online means to try to steal information, such as texts, emails, and websites. The hacker will then try to fool users into clicking on this misleading information. But if individuals do that, their crypto funds can be stolen, as these clicks can reveal seed phrases or private keys. 

One of the most common ways hackers want to steal information is when they pretend to be a crypto exchange; in this way, they think they have a bigger chance of making users click on the sent links.

Unfortunately, especially when cryptocurrencies started becoming more popular, many people lost access to their crypto accounts because they fell prey to this kind of scam. This is why anyone wanting to increase the chances of keeping their crypto accounts secure should take measures to help them prevent phishing scams.

One of the best cybersecurity measures for this is to use two-factor authentication (2FA), which can increase resilience against these online threats. Another important security action is to double-check before clicking on a link or email to ensure that the offered details are veritable and that there is no chance of a scam. 

****Ransomware attacks****

Ransomware attacks are also very popular in the crypto industry, and these threats contain malicious malware that can encrypt files that individuals use to access their crypto funds, such as crypto wallets or their private keys.

These attacks will make the data on these files unreadable, and for the owner to have access to these files again, they need to pay in return. And as we’re talking about crypto accounts, in most cases, these malicious actors ask for payment with cryptocurrencies to receive access to their accounts again.

One of the best ways to reduce becoming a victim of these attacks is to use a cold wallet instead of one that functions with internet connectivity or to maintain a regular backup. Another great solution to avoid these cybersecurity attacks is to be cautious before clicking on something, like a link or an email, especially if an unknown or unidentified person sends it. 

****Malware attacks****

Malware attacks can also be dangerous to everyone who holds significant crypto funds. In these attacks, a malicious actor tries to compromise a crypto wallet or infect gadgets to steal cryptocurrencies. A very common malware attack used in the crypto landscape is crypto-jacking, which infiltrates into devices and then uses computing power to mine digital assets. 

In most cases, this leads to high electrical costs, financial losses, or damage to device performance. One of the best measures to protect against these attacks is installing anti-virus software and downloading everything needed only from official or reputable sites. 

****Man-in-the-Middle (MitM)** **

Man-in-the-Middle (MitM) attacks happen when a hacker wants to come between the communication between a crypto exchange and a user, with the final goal of stealing private keys and login credentials. Unfortunately, these attacks can steal crypto funds because hackers can discover sensitive crypto information, like private keys or login credentials.

In this type of attack, the crypto transactions can be sent directly to the hacker’s wallet instead of the right recipient. This is why it is better to refrain from paying with cryptocurrencies when using public WiFi, as in this way, you might encourage your crypto funds to be stolen. 

****Zero-day attacks****

Zero-day attacks are also very common, where hackers exploit every vulnerability they find in crypto platforms, such as hardware wallets or crypto software. If developers don’t discover these vulnerabilities on time, hackers will have everything they need to steal the crypto funds of innocent people. And until developers notice the potential vulnerability, the malicious actors have enough time to steal what they want, bringing enormous losses to individuals worldwide. 

****The bottom line****

Industries from all around the world can deal with hackers who are trying to steal information, but these threats have become even more prevalent in the crypto sphere because of the popularity of digital assets. This is why malicious actors see cryptocurrency as the perfect target, which is why recent attacks on digital coins have become so common.

1.  **AI Can Guess Crypto Seed Phrases in 0.02 Seconds**
2.  **Biggest Crypto Scam Tactics in 2024 – How to Avoid Them**
3.  **The Growing Importance of Secure Crypto Payment Gateways**
4.  **Why Web hosting firms have started to accept crypto payments**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Cybersecurity Risks in Crypto: Phishing, Ransomware and Other Emerging Threats

Data broker Gravy Analytics that collects location data and sells it to the US government has been breached.

Like many other data brokers, Gravy is a company you may never have heard of, but it almost certainly knows a lot about you if you’re a US citizen.

Data brokers come in different shapes and sizes. What they have in common is that they gather personally identifiable data from various sources—from publicly available data to stolen datasets—and then sell the gathered data on. Gravy Analytics specializes in location intelligence, meaning it collects sensitive phone location and behavior data.

One of the buyers is the US government who increasingly circumvents the need to get a warrant by simply buying what they want to know from a data broker. Ironic, given that the FTC sued Gravy Analytics after saying it routinely collects sensitive phone location and behavior data without getting the consent of consumers.

In the complaint last month, the FTC claimed:

> “Respondents {Gravy Analytics and Venntel, a wholly owned subsidiary of Gravy Analytics) have bought, obtained, and collected precise consumer location data and offered for sale, sold, and distributed products and services created from or based on the consumer location data.”

Data brokers have drawn attention this year by leaking several large databases, with the worst being the National Public Data leak. The data breach made international headlines because it affected hundreds of millions of people, and it included Social Security Numbers.

And now, apparently, it’s Gravy Analytics’ turn to be breached. According to 404 Media, cybercriminals breached Gravy Analytics and stole a massive amount of data, including customer lists, information on the broader industry, and location data harvested from smartphones which show peoples’ precise movements.

The cybercriminals claim to have stolen 17TB of data and are threatening to publish the data. Considering the sensitivity of location data for some groups, this breach could potentially be just as significant as the National Public Data leak.

To prove their possession of the data, the cybercriminals have shared three samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.

The researcher that posted this map extracted the names of 3455 apps that leaked this information. Many of these apps are games, but we also noted Tinder and a host of apps that are promoted as TikTok video downloaders.

404 Media reports that the personal data of millions of users is affected.

The Gravy Analytics website is down at the moment of writing and nobody at the company has answered any queries with an official reaction.

The whole ordeal, whether the data will be published or not, proves once again why data brokers should stop trading health and location data.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Massive breach at location data seller: &#8220;Millions&#8221; of users affected 

Torrance, United States / California, 9th January 2025, CyberNewsWire

**Torrance, United States / California, January 9th, 2025, CyberNewsWire**

Criminal IP, a globally recognized Cyber Threat Intelligence (CTI) solution by AI SPERA, has launched its **Criminal IP Malicious Link Detector** add-in on the Microsoft Marketplace. This cutting-edge tool provides real-time phishing email detection and URL blocking for Microsoft Outlook, adding an essential layer of email security in the face of increasing cyber threats.

Advances in generative AI have driven a surge in sophisticated phishing attacks that are increasingly difficult to distinguish from legitimate communications. The Criminal IP Malicious Link Detector combats these threats by analyzing email links in real-time, detecting and blocking phishing URLs and malicious domains. Fully integrated with Microsoft Outlook and available for free, it provides robust protection for both individuals and organizations.

**Case Study: Phishing Email Targeting Cryptocurrency Wallet Users**

In one instance, Criminal IP detected a phishing email targeting Trust Wallet users. The email contained links disguised as official pages, aiming to deceive users into downloading malware. The Criminal IP Malicious Link Detector swiftly identified and blocked these malicious URLs in real-time, averting potential harm.

**Getting Started with the Criminal IP Malicious Link Detector**

Using the tool is straightforward:

1.     **Signing Up:** Creating an account on the Criminal IP platform.

2.    **Installing the Add-In:** Downloading and integrating the add-in from Microsoft Marketplace.

3.    **Start Scanning:** Email links are automatically scanned upon login, with results displayed instantly.

As cyber threats evolve rapidly, the **Criminal IP Malicious Link Detector** ensures the users’ emails are protected against phishing links and malicious URLs. Download it today to stay ahead of emerging cyber risks and strengthen email security.

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Tag

#git