The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

MITRE's Latest ATT&amp;CK Simulations Tackle Cloud Defenses

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive data via Telegram-based C&C.

CloudSEK has discovered a new campaign involving a Trojanized version of the **XWorm RAT** builder. The malware spread through various channels, including file-sharing services (like Mega and Upload.ee), Github repositories (such as LifelsHex/FastCryptor and FullPenetrationTesting/888-RAT), Telegram channels (including HAX\_CRYPT and inheritedeu), and even Youtube and other websites. 

This campaign resulted in compromising over 18,459 devices globally. The stolen data included sensitive information like browser credentials, Discord tokens, Telegram data, and system information from the compromised devices.

“This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution,” CloudSEK’s **blog post** authored by the company’s Threat Intelligence Researcher, Vikas Kundu, revealed.

Threat actors specifically distributed a modified XWorm RAT builder to target inexperienced attackers (aka **Script Kiddies**). Once installed, the malware exfiltrated sensitive data like browser credentials, Discord tokens, Telegram data, and system information from the victim’s device. It also boasted advanced features like virtualization checks, the ability to modify the registry, and extensive command and control capabilities.

Furthermore, this malware relies on Telegram for its command and control functionality. It used bot tokens and Telegram API calls to receive commands from the attacker and exfiltrate stolen data.

Researchers were able to identify and leverage a “kill switch” functionality within the malware. This functionality was used to disrupt operations on active devices infected with the malware. However, this approach had limitations. Offline machines and Telegram’s rate limiting mechanisms prevented complete disruption.

Based on the investigation, researchers were able to link the threat actor to aliases “@shinyenigma” and “@milleniumrat.” Additionally, they were able to identify associated GitHub accounts and a ProtonMail address.

It is worth noting that XWorm has become a persistent threat with Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) **reporting** its usage in Russian cyber operations against Ukraine in the first half of 2024. 

To protect against such threats, organizations and individuals should use Endpoint Detection and Response (EDR) solutions to detect suspicious network activity and even malware identification.

Additionally, network monitoring using Intrusion Detection and Prevention Systems (IDPS) can block communication between infected devices and the malicious C&C server on Telegram. Proactive measures like blocking access to known malicious URLs and enforcing application whitelisting can prevent malware from being downloaded and executed.

**RELATED ARTICLES**

1.  **P2PInfect: Self-Replicating Worm Hits Redis Instances**
2.  **FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs**
3.  **Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation**
4.  **NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT**
5.  **Black Basta-Style Attack Hits Inboxes with 1,165 Emails in 90 Minutes**

Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively.

Source: Vladimir Stanisic via Alamy Stock Photo

COMMENTARY

The federal government is often slow moving when it comes to various technology modernization efforts (thanks to the obstacles posed by resourcing, staffing, and politics), so it's no surprise that a lack of cybersecurity awareness and action has caused federal infrastructure to reach new levels of criticality. 

Year after year we see data breaches become more commonplace, with ransomware plaguing organizations and agencies of all sizes, while foreign adversaries continue to work their way into our networks and most high-value infrastructure. There's a good reason why trust has been slowly eroding across our federal institutions over the past 20 years. But aptly timed in this tumultuous era — and released during his final days in office — is the Biden administration's executive order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. 

My take is that it's certainly good. And it's certainly needed. There's clearly a problem in shoring up our national supply chain. Our adversaries are getting stronger every day, and they're exploiting gaps and weaknesses in our interconnected systems in a way that's very real and urgent. Plus, as our workforce (federal and private) continues to modernize, digitalize, and work from anywhere, our inability to reconcile secure-by-design development with fast work-from-anywhere productivity has created a harsh reality. 

The takeaways from this executive order are the same as ever. People have long deprioritized getting the basics right when it comes to cybersecurity. A history of sporadic and continuous investment in legacy IT has left organizations ripe for and open to attacks. In fact, 90% of organizations lack visibility over all their endpoints at any given time, and in 2024, breaches caused by the successful exploitation of vulnerabilities went up 180% year over year. There remains an evident education, enforcement, and skills gap in cyber. How much longer will it take us to recognize and make the necessary changes to overcome these issues? 

But there are some positives. In my mind, here's why this executive order is different: It comes at a time when there's an actual, viable solution readily available to help the US federal government — and the larger software supply chain — overcome the challenges that have long stifled our collective resilience efforts. AI and automation pose a real and lasting way for the US federal government to shore up resilience, improve the integrity of the software supply chain, and upskill the federal workforce. AI allows organizations working with the federal government to reach a balance between productivity, growth, and security in a way that's never before been possible. 

As written in the executive order, "Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense." AI, when used strategically to analyze, synthesize, and inform security actions — particularly in areas like patch management and vulnerability assessment — not only presents the opportunity to help the federal government achieve resilience, solidifying infrastructure and streamlining operations in the process, but also frees up critical talent to reach new goals and mission critical resilience objectives as they evolve. 

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively. Though like anything else in technology, not all of AI is created equal, and thoughtful adoption in addition to rigorous coding, testing, and transparent disclosure practices will be essential to ensure that we as a community and as a software supply chain continue to implement, grow, and refine accordingly. 

Even if this executive order gets overturned, mandates like these serve as a helpful reminder of all that is important — and possible — to prioritize and achieve in this new AI era. While utilizing AI won't be without its challenges, and no development program will ever be perfect, AI offers organizations a unique opportunity to strive for more, strengthen development and compliance practices, and grow, while upskilling the next crop of cybersecurity talent to more proactively get ahead of the next generation of threats. 

**About the Author**

Chief Trust Officer, NinjaOne

Mike Arrowsmith is the Chief Trust Officer at Ninjaone where he leads the organization’s IT, security, and support infrastructure to ensure NinjaOne meets customers’ security and data privacy demands as it scales. Prior to NinjaOne, Arrowsmith held top security roles at Guardant Health and Splunk, where he focused on managing and scaling IT and security teams. Arrowsmith brings a deep understanding of how high-value, fast-growth companies can navigate security challenges, embed a culture of security, and bake in data ethics to everything they do. Most of all, Arrowsmith has an unrelenting focus on customer experiences and is heavily involved in product development at NinjaOne, bringing a "company zero" mentality to his team.

Strengthening Our National Security in the AI Era

PRESS RELEASE

AUSTIN, TX, Jan. 21, 2025 (GLOBE NEWSWIRE) -- Automox launches FastAgent, a breakthrough in modern agent technology designed to deliver unprecedented speed, reliability, and control for IT professionals. 

With reimagined communication protocols, infrastructure, and user-facing functionality, FastAgent modernizes endpoint management to meet the evolving demands of secure enterprise environments.

"FastAgent represents a significant leap forward for IT teams seeking uncompromising reliability and empowered endpoint control," said Jason Kikta, CISO/VP of Product at Automox. "This innovation demonstrates our commitment to simplifying IT operations without sacrificing security or speed."

Key Innovations of FastAgent:

*   Industry-Leading Reliability: Agent-aware command tracking and hyper-efficient backend communication protocols ensure consistent, secure, device-centric management across Windows, macOS, and Linux systems. Persistent outgoing response queuing enables the agent to operate intelligently, even in high-traffic or intermittent connectivity situations. 
    
*   Unparalleled Scalability and Control: FastAgent enhances reliability without compromising security policies. With dynamic reconnection delay, configuration IT teams can tailor agent reconnection attempts for environments with strict network policies, such as those using network access control (NAC) solutions, to maximize reliability and connectivity between Automox and devices. 
    
*   Intuitive User Experience with Automox Tray: Automox Tray provides end users with an intuitive, familiar, and friendly interface for managing system updates and device reboots. This innovative experience maintains security SLAs while delivering transparency and control to end users. 
    

FastAgent's advanced capabilities are built to scale, offering IT decision-makers certainty in maintaining secure, efficient, and consistent configurations across all their Windows, macOS, and Linux endpoints.

Up Next: End-User Empowerment with Automox Tray

Automox Tray redefines the end-user experience between IT and the workforce with an approachable, modern notification system for Windows, macOS, and third-party updates. IT teams can implement deadline-based notifications to streamline updates and reboot processes while ensuring business-critical systems stay compliant and secure.

Enhanced IT Efficiency with Automox FastAgent

FastAgent brings a comprehensive set of industry-leading capabilities:

1.  Redesigned Backend Protocols ensure scalability and low latency. 
    
2.  Persistent Response Queuing enables command delivery under any network condition. 
    
3.  Enhanced Security Controls allow configurable reconnection delays to improve stability in highly controlled environments. 
    

By combining enhanced functionality with industry-leading automation, FastAgent empowers organizations to address key IT challenges, maintain compliance, and improve operational efficiency.

About Automox

Automox is the IT automation platform for modern organizations. Policy-driven human-controlled automation empowers IT professionals to prove vulnerabilities are fixed, slash cost and complexity, win back hours in their days, and delight end users. 360+ Automox Worklet automation scripts make it easy for IT to save time, reduce risk, and thoughtfully automate OS, third-party software, and configuration updates on Windows, macOS, and Linux desktops, laptops, and servers.

Join thousands of IT heroes automating confidence across millions of endpoints with Automox. Learn more at www.automox.com, connect with the Automox Community, or connect with us on Twitter/X, Threads, LinkedIn, Facebook, Reddit, or Instagram.

Automox Releases Endpoint Management With FastAgent

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This…

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This article analyses the attack techniques, the capabilities of the SlowStepper malware, and the growing threat posed by this sophisticated APT group. 

Cybersecurity firm ESET has identified a new China-aligned Advanced Persistent Threat (APT) group, dubbed “PlushDaemon,” behind a cyber espionage operation targeting South Korea.

The attack camaign nvolved a **supply chain compromise**, where attackers infiltrated the legitimate update channels of IPany, a popular South Korean VPN software. PlushDaemon then replaced genuine installers with trojanized versions, which upon download and execution, deployed both the legitimate IPany VPN software and a custom backdoor named SlowStepper.

This means, by replacing the genuine installer with a trojanized version, PlushDaemon successfully embedded a malicious backdoor within the software. As per ESET’s **research**, SlowStepper is a feature-rich backdoor boasting over 30 modules. It is designed for extensive surveillance and data collection.

Written in C++, Python, and Go, the malware possesses a wide range of capabilities, including stealing sensitive data such as system information, user credentials, and network configurations, recording audio and video, enabling attackers to monitor their targets’ activities, and gathering detailed information about the victim’s network environment.

Webpage on the IPany site where the malicious installer was available for download (Via ESET)

In addition, the backdoor features advanced persistence mechanisms, such as deploying files that ensure the continued presence of SlowStepper on infected systems and utilizing legitimate tools to sideload malicious code. The trojanized installer utilize advanced communication methods to connect with command-and-control (C&C) servers.

Instead of embedding IP addresses directly within the malware, SlowStepper crafts DNS queries to retrieve TXT records containing base64-encoded, AES-encrypted C&C server addresses. This multi-layered approach makes detection more challenging.

While ESET telemetry revealed manual downloads of the compromised software, suggesting a broad targeting strategy, the attack specifically focused on entities within South Korea’s critical semiconductor and software industries. The timely intervention of ESET, which alerted IPany to the compromised installer, prevented further widespread infection. 

Although only recently discovered, researchers believe the PlushDaemon APT has been active since 2019, consistently building a diverse and powerful arsenal of tools. The sophistication of SlowStepper and the successful execution of this supply chain attack highlight the growing threat posed by this actor. 

To stay safe from these cyber espionage groups there is an urgent need for continuous monitoring. Organizations must prioritize software update channel security and implement stringent verification procedures to ensure the integrity of all updates. Additionally, proactive **threat intelligence** sharing are vital for identifying and mitigating such attacks before they inflict damage.

1.  **Hackers cloned NordVPN website to drop banking trojan**
2.  **Hackers clone ProtonVPN website with password stealer**
3.  **Fake VPN website delivering password-stealing malware**
4.  **N. Korean APT37 Unleashes Dolphin Backdoor on S. Korea**
5.  **Dark web hackers selling S. Korean, US payment card data**

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes…

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes malicious activities easier to execute, and creates serious challenges for cybersecurity experts.

Artificial intelligence (AI) has revolutionized countless industries, but its potential for misuse is undeniable. While **AI models like ChatGPT** have shown immense promise in various fields, their power can be easily exploited by threat actors through malicious AI chatbots like GhostGPT.

In late 2024, AI-powered email security solutions provider Abnormal Security uncovered this new AI chatbot designed specifically for cybercriminal activities. Dubbed GhostGPT, this malicious AI tool, readily available through platforms like Telegram, empowers cybercriminals with unprecedented capabilities, from crafting sophisticated phishing emails to developing sophisticated malware.

Unlike **traditional AI models** constrained by ethical guidelines and safety measures, GhostGPT operates without such restrictions. This unfettered access to powerful AI capabilities allows cybercriminals to generate malicious content, such as sophisticated phishing emails and malicious code, with unprecedented speed and ease. 

According to Abnormal Security’s analysis, GhostGPT is likely designed using a wrapper to connect to a **jailbroken version of ChatGPT** or an open-source LLM, removing ethical safeguards. This allows GhostGPT to provide direct, unfiltered answers to sensitive or harmful queries that traditional AI systems would block or flag.

This tool significantly lowers the barrier to entry for cybercrime. No longer requiring specialized skills or extensive technical knowledge, even less experienced actors can leverage the power of AI for malicious activities and launch more sophisticated and impactful attacks with greater efficiency.

Furthermore, GhostGPT prioritizes user anonymity, claiming that user activity is not recorded. This feature appeals to cybercriminals seeking to conceal their illegal activities and evade detection.

“GhostGPT is marketed for a range of malicious activities, including coding, malware creation, and exploit development. It can also be used to write convincing emails for business email compromise (BEC) scams, making it a convenient tool for committing cybercrime,” Abnormal Security’s **blog post** revealed.

GhostGPT’s easy availability on Telegram makes it highly convenient for cybercriminals. With a simple subscription, they can immediately start using the tool without the need for complex setups or technical expertise.

Abnormal Security researchers tested GhostGPT’s capabilities by creating a convincing **Docusign phishing** email template. The chatbot demonstrated its ability to trick potential victims, making it a powerful tool for anyone intending to use AI for malicious purposes.

GhostGPT on Telegram (left) – GhostGPT’s ad (right) – (Credit: Abnormal Security)

This is not the first time a chatbot has been created for malicious purposes. In 2023, researchers identified two other harmful chatbots, **WormGPT** and **FraudGPT**, which were used for criminal activities and caused serious concerns within the cybersecurity community.

Nevertheless, the rise in GhostGPT popularity, evidenced by thousands of views on online forums, indicates a growing **interest in AI by cybercriminals**, and the need for innovative cybersecurity measures. The cybersecurity community must continuously innovate and evolve its defences to stay ahead of the curve.

1.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
2.  **AI Generated Fake Obituary Websites Target Grieving Users**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Facebook Phishing Scam: Messenger Chatbots Stealing Logins**
5.  **Mozilla 0Din Warns of ChatGPT Flaws Enabling Python Execution**

Meet GhostGPT: The Malicious AI Chatbot Fueling Cybercrime and Scams

Joe shares his recent experience presenting at the 32nd Crop Insurance Conference and how it's important to stay curious, be a forever student, and keep learning.

Thursday, January 23, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

**The one big thing**

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

**Why do I care?**

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

**So now what?**

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

**Top security headlines of the week**

*   Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
*   Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR \[sic\] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal) 
*   Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law) 

**Can’t get enough Talos?**

*   My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
*   In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

**Upcoming events where you can find Talos **

Cisco Live EMEA (February 9-14, 2025)   
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**Typical Filename:** endpoint.query  
**Claimed Product:** Endpoint-Collector  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Everything is connected to security

While employees want to take advantage of the increased efficiency of GenAI and LLMs, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations.

Anuj Jaiswal, Chief Product Officer, Fortanix

January 23, 2025

3 Min Read

Source: LuckyStep48 via Alamy Stock Vector

COMMENTARY

The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI.

Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company's IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung.

Unfortunately, enforcing such a policy is an uphill battle. According to a recent report, non-corporate accounts make up 74% of ChatGPT use and 74% of Gemini and Bard use at work. Employees can easily skirt corporate policies to continue their AI use for work, potentially opening up security risks.

The greatest among these is the lack of protection for sensitive data. As of March 2024, 27.4% of data inputted into AI tools would be considered sensitive, an increase from 10.7% at the same time last year. Protecting this information once it is put into a GenAI tool is virtually impossible.

The uncontrolled risk of shadow AI usage reveals the need for stringent privacy and security practices when employees use AI.

It all boils down to data. Data is the fuel of AI, but it is also the most valuable asset to organizations. Stolen, leaked, or corrupted data causes real, tangible harm to a business — regulatory fines from leaking personally identifiable information (PII), costs associated with leaked proprietary information like source code, and an increase in severe security breaches like hacks and malware.

To mitigate risk, organizations must secure their data while it's at rest, in transit, and in use. The counter to risky shadow AI use is having fine control over the information employees feed into large language models (LLMs).

**How Can CISOs Secure GenAI and Company Data?**

Securing sensitive company data is a challenging balancing act for chief information security officers (CISOs) as they weigh the desire for their organizations to take advantage of the perceived value of GenAI while also protecting the sole asset that makes these benefits possible — their data.

So, the question becomes: How do you do this? How do you get the balance right? How do you extract positive business outcomes while protecting the enterprise's most valuable asset?

At a high level, CISOs should look at protecting data through its entire life cycle. This includes:

*   Protecting the data before it is even ingested into the GenAI model
    

*   Ensuring that the data output is completely secured, as this new data will drive the business outcomes and create true value
    

If the data life cycle isn't secure, this becomes a business-critical exposure.

More specifically, a multifaceted approach is necessary to protect sensitive data from being leaked, and though it starts with limiting shadow AI as much as possible, it is just as important to preserve data security and privacy with some basic best practices:

*   Encryption: Data encryption across its life cycle is vital, but it's equally important to manage and store encryption keys securely and separately from the data itself.
    
*   Obfuscation: Use data tokenization to anonymize any sensitive or PII data that could be fed to an LLM. This prevents data that enters the AI pipeline from being corrupted or leaked.
    
*   Access: Apply granular, role-based access controls to data so that only authorized users can see and use the data in plain text.
    
*   Governance: Commit to ethical business practices, embed data privacy across all operations, and remain current on data privacy regulations.
    

As is often the case with most tech advancements, GenAI's ease and convenience come with some fallbacks. While employees want to take advantage of the increased efficiency of GenAI and LLMs for work, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations to prevent sensitive data from entering the AI system. Along with making sure workers know the importance of data protection, it is key to mitigate potential risks by taking all measures to encrypt and secure data from the start.

**About the Author**

Chief Product Officer, Fortanix

Anuj Jaiswal is chief product officer at Fortanixa. He is seasoned product and engineering leader with an impressive track record spanning more than 20 years. Anuj previously served as vice president of engineering at Embrace.io and was a pivotal figure at Arkin, a company that caught the attention of VMware and was subsequently acquired in 2016. During his time at Arkin, Anuj played a critical role in the acquisition process, showcasing his strategic vision and technical insight. Before Arkin, Anuj worked as a senior leader at FrontRange Solutions (acquired by Ivanti) and DBO2 (acquired by Predictive Solutions).

Anuj's domain knowledge is extensive, covering crucial areas such as cloud security, network security, cybersecurity, data security and application performance monitoring (APM) for both cloud and mobile applications. His approach to product management — vision, strategy, customer-centric, roadmapping, partnerships, and UX — has consistently resulted in products that drive revenue and growth for organizations while meeting customer needs. Anuj holds a master's degree in computer applications and a bachelor's degree in business administration.

The Security Risk of Rampant Shadow AI

Chinese hacks, rampant ransomware, and Donald Trump’s budget cuts all threaten US security. In an exit interview with WIRED, former CISA head Jen Easterly argues for her agency’s survival.

When I walk into Jen Easterly’s office on a bright January day in Arlington, Virginia, I’m greeted by a giant shark head lurking on the floor. I instantly spot a Rubik’s Cube—an Easterly hallmark—emblazoned with the logo of the organization she’s run for the past three and a half years—the Cybersecurity and Infrastructure Security Agency, or CISA, which President Donald Trump created during his first term.

Easterly, who is 56 years old, jumps to her feet to greet me. The first thing that hits me is her denim pants, which have a dragon on one leg and a serpent on the other. Then she launches into updates on CISA’s animated “Secure Our World” video series and, in the same breath, laments that she hasn’t had time for a private guitar lesson in weeks. Seemingly a regular day on the job for her, except for one thing. As of January 20, Inauguration Day, Easterly’s time at CISA would be over. Trump had fired the agency’s first director, Chris Krebs, after CISA refused to question the integrity of the 2020 election, and Easterly now says she wasn’t asked to stay. Rumors are swirling that CISA programs—or even the entire agency—may soon be on Trump’s chopping block.

The timing couldn’t be worse for the nation to lose its top cybersecurity cop. A Beijing-linked group called Salt Typhoon spent months last year rampaging through American telecoms and siphoning call logs, recordings, text messages, and even potentially location data. Many experts have called it the biggest hack in US telecom history. Easterly and her agency unknowingly detected Salt Typhoon activity in federal networks early last year—warning signs that ultimately sped up the unraveling of the espionage campaign.

The work of banishing Chinese spies from victim networks isn’t over, but the walls are already closing in on CISA. Trump's nominee to run the Department of Homeland Security, Kristi Noem, told a senate committee last week that CISA needs to be “smaller” and “more nimble.” And a day after the inauguration, all members of the Cyber Safety Review Board—who were appointed by Easterly and were actively investigating the Salt Typhoon breaches—were let go.

When Easterly officially became the agency’s second director, in 2021, the government was still reeling from a different blockbuster hack—SolarWinds. Kremlin-backed intruders had compromised widely used software to infiltrate the networks of US agencies and other targets. Helping US institutions defend themselves became an even more urgent and daunting project. CISA doesn’t enforce laws or collect intelligence; its job is to evangelize digital security measures and offer free services, so institutions can see what they need to do to not get hacked or—more realistically—get hacked less badly. Easterly got to work building relationships across the federal government and with state and local officials, corporate executives, and utility managers. In crises like the Salt Typhoon campaign, these relationships are crucial to quickly containing the damage.

It takes a determined person, and perhaps a charismatic one, to build rapport with such a wide-ranging group of people. Easterly has the background for it: She has worked in the Army (with multiple deployments), the National Security Agency, and the National Security Council under Barack Obama, and she spent nearly five years in charge of Morgan Stanley’s global cybersecurity. She also helped establish US Cyber Command within the Department of Defense. Somehow, though, she’s chill. To break the ice, and probably to make an impression, Easterly has leaned into her passions while in office, cubing and jamming with executives and utility operators around the country. And, yes, there’s her eclectic style—high fashion (by cybersecurity standards, anyway) mixed with bell-bottoms and Birkenstocks—but also her quiet, intense obsession with trying to solve the puzzle that is digital defense.

_This interview has been edited for length and clarity, combining on-camera and off-camera portions. Check out_ WIRED’_s YouTube channel_ _for the video._

**You’re in your last days as the director of CISA. How's it going?**

It's a little bittersweet.

**Why are you leaving?**

Well, at the end of the day, I'm a Senate-confirmed political appointee. We serve at the pleasure of the president. I've not been asked to stay.

**There are signs that the Trump administration may be hostile to some of CISA’s goals. Do you think the agency has proven it's valuable?**

We are America's cyberdefense agency, but our budget is less than $3 billion. I think the American people are getting an incredible return on investment. Anybody who looks at it will see that there's been an enormous amount of progress made in reducing risk to the critical infrastructure Americans rely on every hour of every day. We're talking water, power, transportation, communication, finance. It's not a political or partisan issue, and these threats are only getting more complicated, more dangerous. Any stepping back of what we've put in place will be to the detriment of the safety and security of the American people.

**One threat that’s top of mind is Salt Typhoon. How have past foreign espionage campaigns, like Russia’s SolarWinds attacks, informed the work you all are doing?**

What we saw in December 2020, with the revelations about the Russian intrusions into US federal government networks, as well as businesses around the world, was a pretty sophisticated supply-chain espionage operation. I would say the bumper sticker was to finally allow CISA to manage the .gov federal digital assets as one enterprise, not as a disparate tribe of a hundred separate departments and agencies. It's still a work in progress, but what we've put in place across the government over the past three and a half years has given us enormous visibility and has allowed us to detect intrusions much more rapidly, to be able to remediate them and to get ahead of future intrusions.

**It’s concerning how difficult it seems to have been for the telecoms to eradicate the Chinese hackers from their networks.** **Has there been progress in terms of that transparency and insight you're talking about?**

After the revelations of these breaches, we stood up what's called a unified coordination group. So we're responding, the FBI is investigating, folks like the National Security Agency are using what we see in the intelligence to understand the extent and the depth of this intrusion. And we're coming together to work with the victims. We've been doing that for months. This has unfortunately been out in the press a lot—

**I would say fortunately!**

Anything that gets out there has the downside of having adversaries change their tactics. So, while I think the transparency to consumers is important, it also makes it more difficult to then find these actors within the network. I don't expect it to be remediated in the short term.

**What about in the long term?**

Everybody should assume that our adversaries, in particular China, are attempting to go after our critical infrastructure. The private sector, they are on the front lines of this fight, because they own and operate the vast majority of our critical infrastructure. It's why companies need to put collaboration over self-preservation.

I want a future where something like a ransomware attack is a shocking anomaly. Where damaging software vulnerabilities exploited by nation-state actors are as infrequent as plane crashes. A world where the technology that we've come to rely on every hour of every day is first and foremost secure.

**It feels like hackers always find new ways to get where they want to go. Can you win at defense?**

I mean, you're right. Defense is hard. I say that as America's cyber head goalie. And that's why it has to be a team. As much as we work to hunt for and eradicate Chinese actors, our partners need to hold those actors accountable, whether that's through offensive cyber capabilities or indictments or sanctions. But, yes, we're on the defensive side, and it's a challenge.

Former CISA director Jen Easterly left office on Inauguration Day as rumors swirled about the fate of the agency.Photograph: Dana Scruggs

**Right now is a very scary and precarious time in cyberspace.**

I spent a lot of time in counterterrorism, and people would often say, “What keeps you up at night?” But it's really not what keeps me up at night. It's all about what gets you up in the morning. I love my team. I love the mission. Not every day is the best day ever, but you work through the issues, you stay resilient, you stay focused.

**Probably a necessary attitude for this type of work. But I just have to be that guy who asks you one more time: What keeps you up at night?**

A major conflict in Asia—the potential invasion or blockade of Taiwan by the People’s Republic of China—could have very real consequences here in the US. You could see pipelines and water being affected, telecommunications being severed, rail lines, power. That is all part of a very deliberate effort by the People’s Republic of China to incite what they call “societal panic” and to deter our ability to marshal military might and citizen will. We have to acknowledge that disruption may occur.

**Is the public paying too much attention to espionage campaigns like Salt Typhoon? Should we all be more worried about threats to critical infrastructure, like China’s Volt Typhoon?**

We are very focused overall on PRC cyber actors. CISA is one of the few agencies in the government that has been able to find both Volt Typhoon within critical infrastructure as well as Salt Typhoon. In fact, it was our work several months ago to find Salt Typhoon that then led to law enforcement identifying virtual private servers that were being leased by the adversaries, and then that unraveled the wider campaign.

**You and I have talked before about how Ukraine has faced years of punishing digital attacks and, of course, an ongoing kinetic war with Russia. CISA has partnered for a few years now with its counterpart agency in Ukraine. Do you have concerns that the Trump administration won't prioritize that relationship?**

Ukraine is under active assault by a very sophisticated threat actor. What we are learning from how they are dealing with those attacks actually helps us understand and mitigate similar threats to our own infrastructure. Cyber is a borderless space, and what our foreign partners see can absolutely benefit us. We need to ensure that all of us—from the vendors that create technology to companies that buy technology to citizens that consume technology—recognize our shared role in a collective defense of cyberspace and critical infrastructure.

**Do you feel that there are too many cooks in the US federal cybersecurity kitchen? Has that been an issue?**

It really has not. A lot of people have asked that question, but when the SolarWinds incident occurred I was looking at it as both the cyber policy lead for the Biden-Harris transition team and, perhaps more importantly, from my day job at Morgan Stanley. One advisory came out from CISA that was very SolarWinds-specific. We didn't have SolarWinds in our infrastructure. Another one came from NSA that was focused on VMware, and we did have VMware in our systems. It was not clear how these things were connected. And then you would see an FBI private-sector notice about something else. At this point I've already been in government for 27 years. I'd been in the military, the Department of Defense, the intelligence community, the White House. It's like, I know this. I thought I understood the government. And I couldn't make sense of what the government was trying to tell us about this Russian espionage campaign. It was one of the motivating things about coming to CISA. How do we bring together the federal cyber ecosystem?

The relationships with NSA, FBI, and CISA have never been better. Some of that is personalities, but I think we have actually developed institutional connective tissue, so that it will last. It's very, very clear what CISA’s role is. Now, you often talk about, what does the National Security Council do? What does the Office of the National Cyber Director do? I think we've sorted out the relationships at that level with policy and strategy, but really at the operational level where CISA lives, those relationships across the federal cyber ecosystem I think have never been better.

**You said that there is unfinished business as you prepare to leave CISA. Where do you wish you could have done more?**

There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day. But ransomware is still a problem. We have been laser-focused on PRC cyber actors. That will continue to be a huge problem. I'm really proud of where we are, but there's much, much more work to be done. There are things that I think we can continue driving, that the next administration, I hope, will look at, because, frankly, cybersecurity is a national security issue.

**I have to ask you, there are rumors: Are you or are you not going on tour when you leave CISA?**

You know, I certainly hope to. I played piano and guitar when I was young, but I started taking up electric guitar, and that has become my passion, my obsession. So my big postretirement plan several years from now is to start a bar in lower Manhattan, to have a band. We're going to do magic. We're going to do improv. I'm going to be the bartender.

**And will there be Rubik's Cubes at every table?**

There will be Rubik's Cubes. I'm obsessed with the Rubik's Cube. When I was 11 these things were introduced across the world, and I was a huge puzzler and a video game person. I learned how to solve it, and then I would go to toy stores—I was this little kid with pigtails—and say, “Hey, if I can solve this in less than two minutes, will you give me a free one?” So I was able to amass this whole set of them.

**You must see some sort of connection between that and your day job.**

Ernő Rubik, who invented the thing, said something like, if you are curious, you will find puzzles around you. And if you are determined, you will solve them. And when I think about the incredible technical talent that we have here at CISA, it’s the intellectual curiosity, it’s the hacker mindset, it’s the problem solver. But it's also the determination, the relentless drive to solve the most complicated problems out there.

_Let us know what you think about this article. Submit a letter to the editor at_ _mail@wired.com._

Under Trump, US Cyberdefense Loses Its Head

Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader.
"BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks," Walmart's Cyber Intelligence team told The Hacker News. "The BackConnect(s) in use were 'DarkVNC' alongside the IcedID

Tag

#intel