Google has once again pushed its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative.
The tech giant said it's working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year.
As part of the

Google Postpones Third-Party Cookie Deprecation Amid U.K. Regulatory Scrutiny

Sources suspect China is behind the targeted exploitation of two zero-day vulnerabilities in Cisco’s security appliances.

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted. Despite the hackers' Line Runner persistence mechanism, a separate advisory from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers' access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK's NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established."

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data.

Source: Nico El Nino via Shutterstock

COMMENTARY

Picture this: It's a Saturday morning, and you made breakfast for your family. The pancakes were golden brown and seemingly tasted OK, but everyone, including you, got sick shortly after eating them. Unbeknown to you, the milk that you used to make the batter expired several weeks ago. The quality of the ingredients impacted the meal, but everything looked fine on the outside.

The same philosophy can be applied to artificial intelligence (AI). Regardless of its purpose, AI's output is directly related to the quality of its input. As the popularity of AI continues to rise, security concerns around the data being fed into AI are coming into question.

A majority of today's organizations are integrating AI into business operations at some capacity — and threat actors are taking note. Over the past few years, a tactic known as AI poisoning has become increasingly prevalent. This new malicious practice involves injecting deceptive or harmful data into AI training sets. The tricky part about AI poisoning is that, despite the input being compromised, the output can initially continue as normal. It isn't until a threat actor gets a firm grip on the data and begins a full-fledged attack that deviations from the norm become obvious. The consequences range from slightly inconvenient to damaging a brand's reputation.

It's a risk affecting organizations of all sizes, even today's most prominent tech vendors. For example, over the past few years, adversaries launched several large-scale attacks to poison Google's Gmail spam filters and even turned Microsoft's Twitter chatbot hostile.

**Defending Against AI Data Poisoning**

Fortunately, organizations can take the following steps to shield AI technologies from potential poisoning.

*   Build a comprehensive data catalog. First, organizations should create a live data catalog that serves as a centralized repository of information that is being fed to its AI systems. Any time new data is added to AI systems, it should be tracked in this index. In addition, the catalog should be able to categorize the data flowing into AI systems by the who, what, when, where, why, and how to ensure transparency and accountability.
    
*   Develop a normal baseline for users and devices interacting with AI data. Once the security and IT teams have a solid understanding of all of the data in AI systems and who has access to it, it's important to develop a baseline of normal user and device behavior.
    

Compromised credentials are one of the easiest ways for cybercriminals to break into networks. All a threat actor has to do is either play a guessing game or buy one of the 24 billion username and password combinations available on the cybercriminal marketplace. Once they have access, a threat actor can easily maneuver their way into accessing AI training datasets.

By establishing user and device baseline behavior, security teams can easily detect abnormalities that might be indicative of an attack. Often, this helps stop a threat actor before an incident escalates into a full-blown data breach. For example, say you have an IT executive who typically works from the New York office and who oversees the AI data training sets. One day, it shows that he is active in another country and is adding large amounts of data to the AI. If your security team already has a baseline of user behavior, they can quickly tell that this is abnormal. Then security could either talk to the executive and verify that he was performing the action or, if he wasn't, temporarily disable his account until the alert is thoroughly investigated to prevent any further damage.

**Taking Responsibility of AI Training Sets**

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data. AI intelligence is intricately linked to the quality of data it processes. Implementing guidelines, policies, monitoring systems, and improved algorithms plays a pivotal role in ensuring the safety and effectiveness of AI. These measures safeguard against potential threats and empower organizations to harness the transformative potential of AI. It is a delicate balance where organizations must learn to leverage AI's capabilities, while remaining vigilant in the face of the ever-evolving threat landscape.

**About the Author(s)**

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. He graduated from the United States Naval Academy in 2012, and received his Bachelor of Science in Aerospace Engineering. Tyler continued his education at Robert H. Smith School of Business, where he earned a Master of Business Administration in Accounting and Finance.

Fortify AI Training Datasets From Malicious Poisoning

Beware of this malicious ad campaign currently making the rounds. Read our blog for more details and how to protect yourself.

Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience.

What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions.

Such malvertising attacks are not new and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive the point home that this needs to be addressed just like other types of fraud or malware.

We have reported the malicious advertiser to Google, but at the time of publishing this campaign was still on.

Justin Poliachik did what many people would do, he opened up a Google search, typed facebook and clicked on the top result. In the video below, he summarizes what happened next:

Thanks to Justin for the shoutout to our blog and explaining what went down! Not sure if Justin was joking, but we don’t believe AI is going to fix malvertising, at least not for the next little while. Instead, we are going to look into more details about one particular technique. In our view, this is actually where the abuse happens the most, and where things could be improved.

**Two paths make cloaking**

As we said, Google seems to have a problem with brand impersonation that may not be easy to solve. We have reported such cases several times before with pretty much the same techniques.

How can Google differentiate a legitimate affiliate from a malicious actor? There are a number of data points about the advertiser via their account: user profile, payment method, budget, etc. We are not privy to those details, but they can certainly help when it comes to fraud.

More importantly, there is the ad itself: vanity URL, display text, tracking template, final URL. What happens when you click on the ad? Are you actually redirected to the URL claimed in the ad? This is a feature that appears to be so easy to abuse, and yet remains unfixed.

In the video below, we walk you through the classic tale of cloaking:

Cloaking is an old technique and in many ways can be used for legitimate purposes. After all, one needs to be able to detect real humans and not bots or crawlers for their hard-earned ad dollars budget.

Threat actors have long identified such services as very helpful tools for their malicious campaigns. True, they, like others don’t want robots, but they also don’t want Google’s scanners or security researchers to expose their malicious schemes.

**Under the hood**

This part is a little more technical, but integral in understanding how malvertising works. As mentioned in the video above, cloaking allows to deliver two different experiences. Genuine humans can be detected from a number of factors: IP address, browser fingerprinting, etc.

A click tracking service can be used to analyze traffic, collect data, etc. All in all, such services are useful in and of themselves, but they can also easily be abused by bad actors. Within the Google ad ecosystem, advertisers will place their URL as a tracking template, and the rest will be handled outside of Google.

One thing that’s interesting is how scammers will abuse the click tracking service as well! All they have to do is redirect to another “legitimate” domain they control and from there decide on the final destination URL.

We can see in the image below that final redirect, which is either the scam page or the actual Facebook site:

**Safeguarding your online experience**

We have seen these malicious ads for years and years. It would be unfair to say that no action has ever been taken, but there is room for improvement. Individual reports from victims are not always actioned based on our experience and that of others. This is frustrating because it appears as if those individual experiences do not matter in the grander scheme of things.

Security vendors also struggle with these scams. Chasing infrastructure from one host to the next or having trouble blocking URLs that abuse legitimate providers is a real thing.

As a user you can protect yourself in various ways:

*   Beware of sponsored results
*   Block ads altogether
*   Recognize scam pages as fake

If you want the piece of mind and have all this covered for you, download our Malwarebytes Browser Guard extension available for different browsers.

 Google ad for Facebook redirects to scam 

Ubuntu Security Notice 6746-1 - It was discovered that Google Guest Agent and Google OS Config Agent incorrectly handled certain JSON files. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6746-1  
April 23, 2024

google-guest-agent, google-osconfig-agent vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

Google Guest Agent and OS Config Agent could be made to crash  
if it open a specially crafted JSON.

Software Description:  
- google-guest-agent: Google Compute Engine Guest Agent  
- google-osconfig-agent: Google OS Config Agent

Details:

It was discovered that Google Guest Agent and Google OS Config Agent incorrectly  
handled certain JSON files. An attacker could possibly use this issue to  
cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  google-guest-agent              20231004.02-0ubuntu1~23.10.3  
  google-osconfig-agent           20230504.00-0ubuntu2.2

Ubuntu 22.04 LTS:  
  google-guest-agent              20231004.02-0ubuntu1~22.04.4  
  google-osconfig-agent           20230504.00-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6746-1  
  CVE-2024-24786

Package Information:  
  https://launchpad.net/ubuntu/+source/google-guest-agent/20231004.02-0ubuntu1~23.10.3  
  https://launchpad.net/ubuntu/+source/google-osconfig-agent/20230504.00-0ubuntu2.2  
  https://launchpad.net/ubuntu/+source/google-guest-agent/20231004.02-0ubuntu1~22.04.4  
  https://launchpad.net/ubuntu/+source/google-osconfig-agent/20230504.00-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6746-1

It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line.

Kevin Bocek, Chief Innovation Officer, Venafi

April 23, 2024

5 Min Read

Source: Bakhtiar Zein via Alamy Stock Photo

COMMENTARY

OWASP recently released its top 10 list for large language model (LLM) applications, in an effort to educate the industry on potential security threats to be aware of when deploying and managing LLMs. This release is a notable step in the right direction for the security community, as developers, designers, architects, and managers now have 10 areas to clearly focus on. 

Similar to the National Institute of Standards and Technology (NIST) framework and Cybersecurity and Infrastructure Security Agency (CISA) guidelines provided for the security industry, OWSAP's list creates an opportunity for better alignment within organizations. With this knowledge, chief information security officers (CISOs) and security leaders can ensure the best security precautions are in place around the use of LLM technologies that are quickly evolving. LLMs are just code. We need to apply what we have learned about authenticating and authorizing code to prevent misuse and compromise. This is why identity provides the kill switch for AI, which is the ability to authenticate and authorize each model and their actions, and stop it when misuse, compromise, or errors occur.

**Adversaries Are Capitalizing on Gaps in Organizations**

As security practitioners, we've long talked about what adversaries are doing, such as data poisoning, supply chain vulnerabilities, excessive agency and theft, and more. This OWASP list for LLMs is proof that the industry is recognizing where risks are. To protect our organizations, we have to course correct quickly and be proactive. 

Generative artificial intelligence (GenAI) is putting a spotlight on a new wave of software risks that are rooted in the same capabilities that made it powerful in the first place. Every time a user asks an LLM a question, it crawls countless Web locations in an attempt to provide an AI-generated response or output. While every new technology comes with new risks, LLMs are especially concerning because they're so different from the tools we're used to.

Almost all of the top 10 LLM threats center around a compromise of authentication for the identities used in the models. The different attack methods run the gamut, affecting not only the identities of model inputs but also the identities of the models themselves, as well as their outputs and actions. This has a knock-on effect and calls for authentication in the code-signing and creating processes to halt the vulnerability at the source.

**Authenticating Training and Models to Prevent Poisoning and Misuse**

With more machines talking to each other than ever before, there must be training and authentication of the way that identities will be used to send information and data from one machine to another. The model needs to authenticate the code so that the model can mirror that authentication to other machines. If there's an issue with the initial input or model — because models are vulnerable and something to keep a close eye on — there will be a domino effect. Models, and their inputs, must be authenticated. If they aren't, security team members will be questioning if this is the right model they trained or if it's using the plug-ins they approved. When models can use APIs and other models' authentication, authorization must be well defined and managed. Each model must be authenticated with a unique identity.

We saw this play out recently with AT&T's breakdown, which was dubbed a "software configuration error," leaving thousands of people without cellphone service during their morning commute. The same week, Google experienced a bug that was very different but equally concerning. Google's Gemini image generator misrepresented historical images, causing diversity and bias concerns due to AI. In both cases, the data used to train GenAI models and LLMs — as well as the lack of guardrails around it — was the root of the problem. To prevent issues like this in the future, AI firms need to spend more time and money to adequately train the models and inform the data better. 

In order to design a bulletproof and secure system, CISOs and security leaders should design a system where the model works with other models. This way, an adversary stealing one model does not collapse the entire system, and allows for a kill-switch approach. You can shut off a model and keep working and protecting the company's intellectual property. This positions security teams in a much stronger way and prevents any further damages. 

**Acting on Lessons From the List **

For security leaders, I recommend taking OWASP's guidance and asking your CISO or C-level execs how the organization is scoring on these vulnerabilities overall. This framework holds us all more accountable for delivering market-level security insights and solutions. It is encouraging that we have something to show our CEO and board to illustrate how we're doing when it comes to risk preparedness. 

As we continue to see risks arise with LLMs and AI customer service tools, like we just did with Air Canada's chatbot giving a reimbursement to a traveler, companies will be held accountable for mistakes. It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line. 

In conclusion, this list serves as a great framework for rising Web vulnerabilities and the risks we need to pay attention to when using LLMs. While more than half of the top 10 risks are ones that are essentially mitigated and calling for the kill switch for AI, companies will need to evaluate their options when deploying new LLMs. If the right tools are in place to authenticate the inputs and models, as well as the models' actions, companies will be better equipped to leverage the AI kill-switch idea and prevent further destruction. While this may seem daunting, there are ways to protect your organization amid the infiltration of AI and LLMs in your network.

**About the Author(s)**

Chief Innovation Officer, Venafi

As Chief Innovation Officer, Kevin is leading Venafi’s growth in new innovations, and is at the forefront of Venafi’s cutting-edge machine identity management for workload identity, Kubernetes and AI. He also drives Venafi’s technology ecosystem and developer community to futureproof customer success and is responsible for the company’s Machine Identity Management Development Fund, which has sponsored innovations with more than 50 developers globally. Kevin brings more than 25 years of experience in cybersecurity with industry leaders including RSA Security, PGP Corporation, IronKey, CipherCloud, Thales, nCipher, and Xcert.

Lessons for CISOs From OWASP's LLM Top 10

State-sponsored groups are targeting critical vulnerabilities in virtual private network (VPN) gateways, firewall appliances, and other edge devices to make life difficult for incident responders, who rarely have visibility into the devices.

Source: Wright Studio via Shutterstock

Earlier this year, Mandiant Consulting's incident response team tracked an attack by a China-linked espionage group back to the compromise of an edge device in its client's network, but because the appliance is a closed system, the victim of the attack had to request a forensic image from the maker of the network appliance.

Two months later, the client is still waiting.

This difficulty in detecting — and then investigating — compromises of edge appliances highlights why many nation-state attackers are increasingly targeting firewalls, email gateways, VPNs, and other devices, says Charles Carmakal, CTO for Mandiant Consulting at Google Cloud. The threat groups not only evade detection longer, but even when defenders get wind of the attack, investigating the incident is much more difficult.

It's a problem that Mandiant deals with "all the time," he says.

"We have much better telemetry for Windows computers today, mostly because of the maturity of EDR \[endpoint detection and response\] solutions," Carmakal says. "The telemetry on edge devices ... is often completely nonexistent. To be able to triage and forensically examine the device, you've got to get a forensic image, but you can't just open up the device and pull the hard drive out."

Espionage attackers' shift to exploiting edge devices is one of the major trends that Google Cloud's Mandiant Consulting saw in 2023, according to the M-Trends 2024 report published on April 23. Overall, the company tracked and reported on more than two dozen campaigns and global events in 2023 related to its investigations.

The amount of time an attacker is active on a compromised systems before detection, known as dwell time, continued to shrink — to 10 days in 2023, down from 16 days the previous year. Ransomware accounted for 23% of Mandiant's investigations in 2023, up from 18% in 2022. Companies became aware of most incidents (54%) because a third party — often the attacker themselves, in the case of ransomware — notified the victim.

With ransomware often notifying victims, external detection rose to 54%. Source: Google Cloud's Mandiant

**Attackers Move to Less Visible Environments**

While edge devices require knowledgeable attackers to compromise and control them, these high-availability environments also usually offer their own utilities and features to deal with native formats and functionality. By "living off the land" and using the built-in capabilities, attackers can build more reliable malware and still run less risk of being detected, because of the lack of visibility defenders have into the internal operations of the devices.

"\[M\]any of these devices are put through rigorous testing regimes by the manufacturer during development to ensure their stability," Mandiant stated in the report. "China-nexus malware developers take advantage of the built-in functionality included in these systems ... leveraging native capabilities \[that can\] reduce the overall complexity of the malware by instead weaponizing existing features within that have been rigorously tested by the organization."

In one incident, Mandiant consultants discovered the BoldMove backdoor malware, Chinese attackers crafted to infect a Fortinet device, disabling two logging features and allowing the attacker to remain undetected for a longer period. BoldMove was created specifically for Fortinet environments.

Incident response efforts are also often hampered by the lack of easy access for consultants and defenders to the underlying operating system. With no way to analyze the underlying code to seek out compromised devices, incident responders often cannot determine the root cause of a compromise, says Mandiant's Carmakal.

"Some vendors refuse to give forensic images, \[which\] I understand ... because they have a lot of intellectual property on the device," he says. "Companies need to understand the scope and extent of a compromise, and if it starts on a network device, and you need to look into that."

**Exploit Use Rises, More Data Leak Sites**

Attackers have doubled down on using exploits as the initial access point for attacks, with 38% of attacks Mandiant investigated where it could determine an initial vector starting with an exploit. Phishing, a distant second place, accounted for 17% of the initial actions in an attack. Running a close third, prior compromises inadvertently left exploitable accounted for 15% of all initial access vectors.

"Attackers continue to leverage effective tactics to gain access to target environments and conduct their operations," the Mandiant report stated. "While the most popular infection vectors fluctuate, organizations must focus on defense-in-depth strategies. This approach can help mitigate the impact of both common and less frequent initial intrusion methods."

Finally, Mandiant investigators have also seen data leak sites (DLS) increase over time, which now account for more than a third (36%) of all financially motivated attacks.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Teetering on the Edge: VPNs, Firewalls' Nonexistent Telemetry Lures APTs

The five intelligence sources that power social engineering scams.

Source: LightField Studios Inc. via Alamy Stock Photo

COMMENTARY

Social engineering is one of the most prevalent attack vectors used by cyber scammers to infiltrate organizations. These manipulative attacks typically are executed in four phases: 

1.  Information gathering (attacker gathers information about the target)
    
2.  Relationship development (attacker engages the target and earns their trust)
    
3.  Exploitation (attacker persuades the target to carry out an action)
    
4.  Execution (the information collected through exploitation is operationalized to execute the attack)
    

The first phase obviously is the most important — without the right information, it can be difficult to execute a targeted social engineering attack. 

**Five Sources of Intelligence**

So how do attackers gather data about their targets? There are five sources of intelligence cybercriminals can use to gather and analyze information about their targets. They are:

1\. OSINT (open source intelligence)

OSINT is a technique hackers use to collect and assess publicly available information about organizations and their people. Threat actors can use OSINT tools to learn about their target's IT and security infrastructure; exploitable assets such as open ports and email addresses; IP addresses; vulnerabilities in websites, servers, and IoT (Internet of Things) devices; leaked or stolen credentials; and more. Attackers weaponize this information to launch social engineering attacks.

2\. SOCMINT (social media intelligence)

Although SOCMINT is a subset of OSINT, it deserves a mention. Most people voluntarily expose personal and professional details about their lives on popular social media platforms: their headshot, their interests and hobbies, their family, friends and connections, where they live and work, their current job position, and lots of other details. Using SOCINT tools such as Social Analyzer, Whatsmyname, and NameCheckup.com, attackers can filter social media activity and information about an individual and design targeted social engineering scams. 

3\. ADINT (advertising intelligence)

Say you download a free chess app on your phone. There's a small area on the app that serves location-based ads from sponsors and event organizers, updating users on local players, events, and chess meetups. Whenever this ad gets displayed, the app shares certain details about the user with the advertising exchange service, which includes things like IP addresses, the type of operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. Typically, ad exchanges store and process this information for serving up relevant ads based on user interest, activity, and location. Ad exchanges also sell this valuable data. What if a threat actor or a rogue government buys this information? That's exactly what intelligence agencies and adversaries have been doing to track activity and hack their targets. 

4\. DARKINT (Dark Web intelligence)

The Dark Web is a billion-dollar illicit marketplace transacting corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, et al. Billions of stolen records (personally identifiable information, healthcare records, banking and transaction data, corporate data, compromised credentials) are available for purchase on the Dark Web. Threat actors can purchase off-the-shelf data and mobilize it for their social engineering schemes. They can also choose to outsource professionals who will socially engineer people on their behalf or discover hidden vulnerabilities in target organizations. In addition, there are hidden online forums and instant messaging platforms (such as Telegram) where people can access information about potential targets. 

5\. AI-INT (AI intelligence)

Some analysts are calling AI the sixth intelligence discipline, on top of the five core disciplines. With recent advancements in generative AI technology like Google Gemini and ChatGPT, it's not hard to imagine cybercriminals deploying AI tools to mine, assimilate, process, and filter information about their targets. Threat researchers are already reporting the presence of malicious AI-based tools that are popping up in Dark Web forums such as FraudGPT and WormGPT. Such tools can significantly reduce the research time for social engineers and provide actionable information they can use to execute social engineering schemes. 

**What Can Businesses Do to Mitigate Social Engineering Attacks?**

The root cause of all social engineering attacks is information and the careless handling of it. If businesses and employees can reduce their information exposure, they will lower social engineering attacks by a significant degree. Here's how:

*   Train staff monthly: Using phishing simulators and classroom training, teach employees to avoid posting sensitive or personal information about themselves, their families, their coworkers, or the organization.
    
*   Draft AI-use policies: Make it clear to employees what is acceptable and unacceptable online behavior. For example, prompting ChatGPT with a line of code or proprietary data is unacceptable; responding to unusual or suspicious requests without proper verification is unacceptable.
    
*   Leverage the same tools hackers use: Use the same intelligence sources highlighted above to proactively understand how much information about your organization, your people, and your infrastructure is available online. Develop an ongoing process to reduce that exposure.
    

Good cybersecurity hygiene begins with clamping down on root causes. The root cause behind 80% to 90% of all cyberattacks is attributed to social engineering and bad judgement. Organizations must focus on two things primarily: reducing information exposure and controlling human behavior via training exercises and education. By applying efforts in these two areas, organizations can significantly reduce their threat exposure and the potential downstream impact of that exposure.

**About the Author(s)**

Founder & CEO, KnowBe4, Inc.

Stu Sjouwerman is founder and CEO of KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses.

Where Hackers Find Your Weak Spots

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

PRESS RELEASE

TEL AVIV, Israel -- (BUSINESS WIRE)-- Miggo, a cybersecurity startup introducing the first Application Detection and Response (ADR) platform, announced today $7.5 million in seed funding led by global cybersecurity VC firm YL Ventures with the participation of CCL (Cyber Club London), cybersecurity leaders from Elastic and Everon and former CISOs of Google, Zscaler and Nike. Miggo's ADR platform addresses a critical gap in application security by enabling security teams to detect and respond to targeted application attacks in real-time.

2023 saw a rise in high-profile application attacks that went undetected by traditional tools. The MOVEit, Microsoft SharePoint, Ivanti Gateway and GoAnywhere breaches highlight critical AppSec blind spots of application behavior in runtime and how attackers are hedging their bets on this well-known, ongoing security gap. According to Justin Somaini, Partner at YL Ventures and former CISO of Unity, SAP and Yahoo!, “Applications in production constitute one of the few true blind spots of today’s security programs. Last year’s incidents alone underscore how critically we need to secure the application layer. This is a space that still needs a lot of innovation to address what traditional tools cannot.”

Today, applications are the primary target of nearly 80% of data attacks, according to Verizon’s 2023 Data Breach Investigations Report. More recent shifts to distributed application architecture, which requires multiple chains of trust between different services, have further broadened the domain’s threat landscape. Attackers can manipulate flows between services without detecting existing security sensors like EDR, WAF and CNAPP tools. The only way to identify such malicious activity is with direct views into applications while they're running.

Under the leadership of Daniel Shechter, CEO and co-founder, and Itai Goldman, CTO and co-founder, Miggo developed a platform that analyzes interactions and data flows within applications to detect and mitigate attacks before they can escalate into breaches. "We need to proactively tackle this massive and largely unseen attack surface. Not only do we need precise detection and response for unexpected behaviors directly in live application environments, but also insight and understanding into the inner workings of today’s distributed applications as they run," explained Shechter.

Miggo's technology precisely discovers and maps the architecture of distributed applications to establish behavioral baselines and monitor for deviations from intended design or code execution flows. Leveraging live in-application context, Miggo determines if a deviation indicates that the application is exploitable, under active exploitation or backdoored, and initiates targeted mitigations to contain breaches by pinpointing the offender and affected areas to recommend precise remediation strategies.

The combined ability to detect live threats to applications and respond within the applications themselves are key innovations, according to CISO Mike Melo. “Miggo is finally providing transparency for our most significant attack vector with the exact tools each stakeholder requires to protect and defend mission-critical assets. ADR is the unified solution we need to not only give us application-layer visibility and control but also dramatically lower our mean time to detect and respond to application attacks,” he said.

Discover how Miggo can safeguard your applications against the next generation of cyber threats. Visit miggo.io for more information and to schedule a demo.

About Miggo  
Miggo is the first Application Detection and Response platform, providing the visibility, response and understanding you need to prevent application breaches. Using in-application context to shed light on your biggest attack surface, Miggo’s ADR enables businesses to monitor how applications behave in runtime and stop attackers from manipulating chains of trust between distributed services. With Miggo, monitor application weak spots and identify and mitigate attacks in real-time. Visit miggo.io for more information.

About YL Ventures  
YL Ventures funds and supports visionary cybersecurity entrepreneurs from seed to scale to help them evolve transformative ideas into market-leading companies. The firm accelerates company growth with tailored support through its powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of multidisciplinary experts. Based in Silicon Valley, New York and Tel Aviv, YL Ventures manages five funds with $800M in total AUM. The firm has a track record of seeding cybersecurity unicorns such as Axonius and Orca Security and its portfolio companies have been successfully acquired by high-profile, global industry leaders including Palo Alto Networks, Microsoft, Okta and Proofpoint. In 2022, YL Ventures ranked 8th out of over 250 venture capital firms in PitchBook’s prestigious Global Manager Performance Score League Tables and was the only cybersecurity-focused VC to secure a top 10 spot.

Tag

#google