Companies that recognize current market opportunities — from the need to safely implement revolutionary technology like AI to the vast proliferation of cyber threats — have remarkable growth prospects.

Source" Brian Jackson via Alamy Stock Photo

Companies have never faced a wider and more dynamic array of cyber threats than they do right now. From rapidly rising costs associated with data breaches and other cyberattacks to the exploitation of artificial intelligence (AI) to make attacks more effective than ever, the cyber-threat landscape is constantly evolving. This has led to a drastic increase in cybersecurity spending, as well as a wave of innovation in the sector.

As cyberattacks become more targeted and sophisticated, there is a vast and growing market for solutions that help companies address their most vulnerable attack vectors. For example, cybercriminals often steal account names, passwords, and other credentials to launch attacks, which is why identity and access management have become key priorities for companies across many industries. Cybercriminals are also using AI resources such as LLMs to target employees with advanced social engineering attacks that allow them to infiltrate secure networks and steal information.

Cybercriminals and other bad actors such as hostile foreign governments are more motivated than ever to develop powerful cyber capabilities that enable them to hijack data, disrupt operations, and bypass existing cybersecurity protocols. This trend will only gain momentum, and revolutionary technology like AI will function as a force multiplier that makes cyberattacks more destructive and difficult to detect. This is why the cybersecurity industry will continue to see unprecedented demand and investment in the coming years.

**A New Era of Cyberattacks**

Companies are investing heavily in cybersecurity — according to a PwC survey, 77% of companies plan to increase their cyber budgets, while Gartner has projected that information security spending will spike by 15% in 2025. However, these investments haven't yet turned the tide against the onslaught of cyberattacks that are inflicting increasingly severe financial, reputational, and operational costs on companies. A 2024 IBM report found that the average cost of a data breach hit $4.88 million globally this year, a record high and a 10% increase from 2023.

The 2024 Allianz Risk Barometer found that cyber incidents are the top global business risk for the "first time and by a clear margin" — a finding that applies to companies of all sizes. AI is a key driver of this trend, as it has lowered the barriers to entry for cybercriminals around the world. For example, large language models (LLMs) allow cybercriminals to launch advanced phishing attacks regardless of their language skills or technical ability. Hostile foreign governments are using AI to launch cyberattacks as well — Microsoft reported that Russia, North Korea, and China are all using AI for surveillance, scripting, and social engineering.

As cyber threats become more dangerous and dynamic, the market for robust solutions will continue to expand. Companies in the sector will have to leverage emerging technology like AI and develop cybersecurity solutions that address specific vulnerabilities more effectively than their competitors.

**Opportunities in the Cybersecurity Market**

The cybersecurity industry has seen significant fragmentation in recent years as the demand for specialized solutions increases. Particular categories of cyberattacks, such as phishing, call for targeted solutions capable of countering the latest cybercriminal tactics. IBM reported that phishing is one of the most common and financially destructive initial attack vectors, which means cybercriminals are using it to gain access and launch broader cyberattacks. A major goal of phishing attacks is credential theft, which is why stolen or compromised credentials are involved in initial attacks more often than any other individual factor.

Companies like Strata help customers resist phishing attacks and other forms of credential theft with holistic identity and access management solutions. The reliance on legacy systems is one of the most urgent cybersecurity challenges many companies face — a challenge that has become all the more daunting due to the growing risk posed by third-party vendors and other partners. Supply chain cyberattacks are becoming increasingly common — Verizon found that there was a 68% increase in "supply chain interconnection" involved in breaches between 2023 and 2024.

Integrated cybersecurity solutions are critical, as cybercriminals and other bad actors need only  a single access point to infiltrate an organization. Solutions that help customers modernize their cybersecurity infrastructure for the evolving cyber-threat landscape are becoming more vital. Chief information security officers (CISOs) and other cybersecurity leaders need access to simplified solutions that break down silos between IT and security teams, meet increasingly stringent compliance demands, and help them evaluate and address vulnerabilities.

**Maximizing the Impact of Emerging Technology**

While AI is propelling a new wave of cyberattacks, it can also be harnessed to keep companies safer. Companies can use AI to simulate cyberattacks, detect malicious activity, prioritize cyber threats and potential vulnerabilities, and protect data across many different environments. However, AI still faces significant trust issues, due to problems like hallucinations (when LLMs present false information as accurate) and the existence of "black box" machine learning algorithms that don't provide any transparency into their decision-making processes.

According to a recent survey of 6,000 knowledge workers, 54% of AI users don't trust the data used to train AI systems — and more than two-thirds of these workers say they're hesitant to adopt AI. Meanwhile, laws and regulations around AI are becoming stricter all the time. For example, the EU AI Act requires companies to mitigate systemic risks, report cyber incidents, and focus on cybersecurity in their AI implementations.

While the AI trust gap is hindering adoption of the technology and regulations are becoming tougher, this opens a market for companies that provide end-to-end AI governance. At a time when AI adoption is skyrocketing, companies need the infrastructure necessary to ensure compliance and monitor AI systems for potential cyber threats. IBM found that 82% of executives believe "secure and trustworthy AI is essential to the success of their business," but less than a quarter of generative AI projects are being secured.

From the need to safely implement technology like AI to the vast proliferation of cyber threats (many of which are being powered by that very same technology), the cybersecurity industry has reached an inflection point. The companies that recognize these market opportunities have remarkable growth prospects in the coming years.

**About the Author**

General Partner, Titanium Ventures

Marcus Bartram is General Partner at Titanium Ventures (former Telstra Ventures), a San Francisco-based VC firm that differentiates by generating revenue for its portfolio with strategic channel partners and customer relationships as well as by using data science to drive its investment process. Marcus is on the founding team and has led investments in cybersecurity companies like CrowdStrike, Auth0, Anomali, Cequence, CloudKnox, Cofense, CyberGRX, Elastica, vArmour, and Zimperium.

Why the Demand for Cybersecurity Innovation Is Surging

Another day, another hack at T-Mobile! This time, Chinese state-sponsored group Salt Typhoon hacked T-Mobile, targeting US telecoms…

Another day, another hack at T-Mobile! This time, Chinese state-sponsored group Salt Typhoon hacked T-Mobile, targeting US telecoms in a breach spree. The attack exposes vulnerabilities in telecom infrastructure and security.

T-Mobile has become the latest major telecommunications company to fall victim to a large-scale cyberespionage campaign linked to Chinese state-sponsored hackers. The group responsible for the hacking is identified as Salt Typhoon.

This was revealed on 15 November 2024, just a day after the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) **issued a joint advisory** detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that has successfully infiltrated US telecommunications networks.

The advisory confirmed that Chinese state-sponsored actors had compromised the networks of multiple telecommunications providers to steal customer data and intercept private communications.   

****T-Mobile Breach****

According to the Wall Street Journal **report**, hackers were able to breach T-Mobile’s systems and gain access to valuable intelligence, including the cellphone communications of high-value targets,

The group used advanced techniques to infiltrate American telecom infrastructure, including Cisco Systems routers, artificial intelligence or machine learning for their espionage activities and likely obtained call logs, unencrypted texts, and audio from targets, possibly posing national security risks.

While T-Mobile has maintained that no sensitive customer data has been compromised, the possible implications of this breach are hard to ignore. The hackers may have gained access to sensitive information about law enforcement surveillance requests, call records of specific customers, and even private communications of targeted individuals.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a company spokeswoman told Hackread.com. “We will continue to monitor this closely, working with industry peers and the relevant authorities.”

****Salt Typhoon****

Hackread.com has been following Salt Typhoon’s activities and has observed that this group has been particularly interested in the wiretap systems that telecom companies are legally obligated to maintain for law enforcement purposes.

In October 2024, it was reported that **Salt Typhoon hacked AT&T and Verizon** to access wiretap data. This data, essential for government-mandated surveillance, is a prime target for cybercrime groups seeking to exploit vulnerabilities and gain access to sensitive information.

****T-Mobile Keeps Getting Breached****

It’s important to note that T-Mobile’s cybersecurity practices have received massive **criticism lately** given the frequency of data breaches it has been experiencing. The company settled a $31.5 million FCC settlement for prior breaches, half of which was for security infrastructure improvement.

T-Mobile, owned by Deutsche Telekom, has faced particularly challenging years due to repeatedly being targeted by data breaches. **Back in August 2021**, the company lost data of 49 million T-Mobile account holders, whereas the hackers claimed they stole data of 100 million users.

T-Mobile has also experienced at least six reported data breaches (**1, 2, 3, 4, 5**, **6**) between 2015 and 2023, making it safe to say that a cybersecurity year without a T-Mobile security incident is a rare occurrence.

Nevertheless, the latest T-Mobile breach shows that the company needs to rethink its entire approach to cybersecurity. Telecom companies should focus on stronger security, invest in better threat detection systems, and use reliable encryption to handle cyber threats effectively.

1.  8220 Gang Targets Telecom in Cryptojacking Attack
2.  IoT Botnet DDoS Attacks Threaten Telecom Networks, Nokia
3.  Hackers Breach TPG Telecoms’ Email Host to Steal Client Data
4.  Minor arrest over A1 Telecom data breach and ransom demand
5.  Telecom giant behind routing SMS discloses 5-year-long breach

Chinese Salt Typhoon Hacked T-Mobile in US Telecom Breach Spree

The voluntary recommendations from the Department of Homeland Security cover how artificial intelligence should be used in the power grid, water system, air travel network, healthcare, and other pieces of critical infrastructure.

Source: GK Images via Alamy Stock Photo

The US Department of Homeland Security (DHS) has released recommendations that outline how to securely develop and deploy artificial intelligence (AI) in critical infrastructure. The recommendations apply to all players in the AI supply chain, starting with cloud and compute infrastructure providers, to AI developers, and all the way to critical infrastructure owners and operators. Recommendations for civil society and public-sector organizations are also provided.

The voluntary recommendations in "Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure" look at each of the roles across five key areas: securing environments, driving responsible model and system design, implementing data governance, ensuring safe and secure deployment, and monitoring performance and impact. There are also technical and process recommendations to enhance the safety, security, and trustworthiness of AI systems.

AI is already being used for resilience and risk mitigation across sectors, DHS said in a release, such as AI applications for earthquake detection, stabilizing power grids, and sorting mail.

The framework looks at each role's responsibilities:

*   Cloud and compute infrastructure providers need to vet their hardware and software supply chain, implement strong access management, and protect the physical security of data centers powering AI systems. The framework also has recommendations on supporting downstream customers and processes by monitoring for anomalous activity and establishing clear processes for reporting suspicious and harmful activities.
    
*   AI developers should adopt a secure by design approach, evaluate dangerous capabilities of AI models, and "ensure model alignment with human-centric values." The framework further encourages AI developers to implement strong privacy practices; conduct evaluations that test for possible biases, failure modes, and vulnerabilities; and support independent assessments for models that present heightened risks to critical infrastructure systems and their consumers.
    
*   Critical infrastructure owners and operators should deploy AI systems securely, including maintaining strong cybersecurity practices that account for AI-related risks, protecting customer data when fine-tuning AI products, and providing meaningful transparency regarding their use of AI to provide goods, services, or benefits to the public.
    
*   Civil society, including universities, research institutions, and consumer advocates engaged on issues of AI safety and security, should continue working on standards development alongside government and industry, as well as research on AI evaluations that considers critical infrastructure use cases.
    
*   Public sector entities, including federal, state, local, tribal, and territorial governments, should advance standards of practice for AI safety and security through statutory and regulatory action.
    

"The framework, if widely adopted, will go a long way to better ensure the safety and security of critical services that deliver clean water, consistent power, Internet access, and more," said DHS secretary Alejandro N. Mayorkas, in a statement.

The DHS framework proposes a model of shared and separate responsibilities for the safe and secure use of AI in critical infrastructure. It also relies on existing risk frameworks to enable entities to evaluate whether using AI for certain systems or applications carries severe risks that could cause harm.

"We intend the framework to be, frankly, a living document and to change as developments in the industry change as well," Mayorkas said during a media call.

DHS Releases Secure AI Framework for Critical Infrastructure

Plus: An “AI granny” is wasting scammers’ time, a lawsuit goes after spyware-maker NSO Group’s executives, and North Korea–linked hackers take a crack at macOS malware.

In perhaps the most adorable hacker story of the year, a trio of technologists in India found an innovative way to circumvent Apple’s location restrictions on AirPod Pro 2s so they could enable the earbuds’ hearing aid feature for their grandmas. The hack involved a homemade Faraday cage, a microwave, and a lot of trial and error.

On the other end of the tech-advancements spectrum, the US military is currently testing an AI-enabled machine gun that is capable of auto-targeting swarms of drones. The Bullfrog, built by Allen Control Systems, is one of several advanced weapons technologies in the works to combat the growing threat of cheap, small drones on the battlefield.

The US Department of Justice announced this week that an 18-year-old from California has admitted to making or orchestrating more than 375 swatting attacks across the United States.

Then, of course, there’s the Donald Trump of it all. This week, we published a practical guide to protecting yourself from government surveillance. WIRED has covered the dangers of government surveillance for decades, of course. But when the president-elect is explicitly threatening to jail his political enemies—whoever that may be—now’s probably a good time to brush up on your digital best practices.

In addition to potential dragnet surveillance of US citizens, US Immigration and Customs Enforcement started ramping up its surveillance arsenal the day after Trump won reelection. Meanwhile, experts are expecting the incoming administration to roll back cybersecurity rules instituted under president Joe Biden while taking a harder line against adversarial state-sponsored hackers. And if all this political upheaval has you in the mood to protest, beware: An investigation copublished by WIRED and The Marshall Project found that mask bans instituted in several states add a complicated new layer to exercising freedom of speech.

And that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

In August 2016, approximately 120,000 bitcoin—at the time worth around $71 million—were stolen in a hack on the Bitfinex cryptocurrency exchange. Then in 2022, as the value of cryptocurrency had rocketed skywards, law enforcement officials in New York arrested husband and wife Ilya Lichtenstein and Heather Morgan in relation to the hack and laundering the much-inflated $4.5 billion of stolen cryptocurrency. (At the time, $3.6 billion of the funds were recouped by law enforcement investigators.)

This week, after pleading guilty in 2023, Lichtenstein was sentenced to five years of jail time for conducting the hack and laundering the profits. With subsequent cryptocurrency spikes and additional seizures related to the hack, the US government has now been able to recover more than $10 billion in assets. A series of operational security failures by Lichtenstein made much of the illicit cryptocurrency easy for officials to seize, but investigators also applied sophisticated crypto-tracing methods to unpick how the funds had been stolen and subsequently moved around.

Aside from the brazen scale of the heist, Lichtenstein and Morgan gained online prominence and ridicule after their arrests due to a series of Forbes articles written by Morgan and rap videos posted to YouTube under the name of “Razzlekhan.” Morgan, who also pleaded guilty, is due to be sentenced on November 18.

**An ‘AI Granny’ Is Wasting Phone Scammers’ Time**

Scammers are increasingly adopting AI as part of their criminal toolkits—using the technology to create deepfakes, translate scripts, and make their operations more efficient. But artificial intelligence is also being turned against the scammers. British telecoms firm Virgin Media and its mobile operator O2 have created a new “AI granny” that can answer phone calls from scammers and keep them talking. The system uses different AI models, according to The Register, that listen to what a scammer says and respond immediately. In one case, the company says it kept a scammer on the line for 40 minutes and has fed others fake personal information. Unfortunately, the system (at least at the moment) can’t directly answer calls made to your phone; instead, O2 created a specific phone number for the system, which the company says it has managed to get placed in lists of numbers that scammers call.

**Alleged NSO Group Spyware Victim Adds NSO Founders and Executive to Lawsuit**

In a new legal strategy for those attempting to hold commercial spyware vendors responsible, lawyer Andreu Van den Eynde, who was allegedly hacked with NSO Group spyware, is directly accusing two of the company’s founders, Omri Lavie and Shalev Hulio, and one of its executives, Yuval Somekh, of hacking crimes in a lawsuit. The Barcelona-based human rights nonprofit Iridia announced this week that it filed the complaint in a Catalan court. Van den Eynde was reportedly a victim of a hacking campaign that used NSO’s notorious Pegasus spyware against at least 65 Catalans. Van den Eynde and Iridia originally sued NSO Group in a Barcelona court in 2022 along with affiliates Osy Technologies and Q Cyber Technologies. “The people responsible for NSO Group have to explain their concrete activities,” a legal representative for Iridia and Van den Eynde wrote in the complaint, which was written in Catalan and translated by TechCrunch.

**North Korea-Backed Hackers Are Exploring New macOS Malware**

Research published this week by the mobile device management firm Jamf found that hackers who have been linked to North Korea have been working to implant malware inside macOS applications built with a particular open-source software development kit. The campaigns focused on cryptocurrency-related targets and involved infrastructure similar to systems that have been used by North Korea’s notorious Lazarus Group. It’s unclear if the activity resulted in actual victim compromise or if it was still in a testing phase.

Financially motivated and state-backed hackers have less occasion to use malware targeting Apple’s Mac computers than hacking tools that infect Microsoft Windows or Linux desktops and servers. So when Mac malware crops up, it’s typically a niche point, but it can also be a revealing indicator of trends and priorities among hackers.

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist

A new report from the Open Software Supply Chain Attack Reference (OSC&R) team provides a framework to reduce how much vulnerable software reaches production.

Neatsun Ziv, CEO & Co-Founder, Ox Security

November 15, 2024

5 Min Read

Source: Andrey Kryuchkov via Alamy Stock Photo

COMMENTARY

The complexity of today's software development — a mix of open source and third-party components, as well as internally developed code — has resulted in an abundance of vulnerabilities for attackers to exploit throughout the software supply chain.

We've seen the direct effects of software supply chain attacks in incidents like the MOVEit and SolarWinds breaches, revealing that no industry sector, size of company, or stage of software development is immune. According to a survey from Enterprise Strategy Group (ESG), 91% of organizations experienced at least one software supply chain security incident in 2023, and 2024 hasn't seemed any better.

Security teams are overwhelmed by the task of sorting through, assessing, and prioritizing the mitigation of tens of thousands of alerts to discern those that pose real risk from those that are benign. In 2023, a group of AppSec experts addressed this problem by launching the Open Software Supply Chain Attack Reference (OSC&R), a freely available, MITRE ATT&CK-like framework to help organizations gain a deeper understanding of their software supply chain vulnerabilities.

The OSC&R community's inaugural report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures," offers a comprehensive analysis of the severity of vulnerabilities across the software supply kill chain. Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, it examines the risk to software supply chains and probes the alignment between the vulnerabilities found in the wild and the focus of AppSec teams today.

The research offers some eye-opening statistics, including that 95% of organizations have at least one high, critical, or apocalyptic risk in their software supply chain, with the average organization having nine such issues. What's more, the OSC&R data shows that many of the most common software supply chain vulnerabilities are tied to fundamental security controls, such as authentication, encryption, publicly available information in logs, and the principle of least privilege. Following are some of the most important takeaways from the report.

**1\. Watch for Run-Time Exposure**

One in five applications was found to contain high, critical, or apocalyptic runtime vulnerabilities during the execution phase of an attack. This makes them prime targets for attackers. Because the most significant software vulnerabilities tend to surface in later attack stages, it's crucial to catch issues early in the software development life cycle.

As such, AppSec and DevOps teams should aim to strengthen application runtime security. This can be accomplished by integrating continuous monitoring and real-time protection mechanisms that focus on the later stages of an attack, when the damage potential is greatest.

**2\. It's Worth Fixing Older Vulnerabilities**

While newer vulnerabilities may grab headlines, older vulnerabilities remain the most common attack vectors when it comes to supply chain security. Techniques like command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications) — as well as slow-burn vulnerabilities like CVE-2024-3094, which targeted the compression utility XZ Utils in major Linux distributions — still wreak havoc in unpatched systems. Attackers continue to successfully use historical tactics and techniques, showing that "old school" vulnerabilities present significant and persistent risks.

To counter these tactics and techniques and drive down the opportunity for attack, organizations should regularly review and update legacy systems and codebases to patch known vulnerabilities. Further, implementing a robust vulnerability management program that includes continuous scanning for both old and emerging threats will harden software to known risks.

**3\. Vulnerabilities That Span Multiple Attack Stages Amplify Damage**

In the OSC&R report data analysis, 36% of applications were found to be vulnerable to exploits in the initial access attack stage, with many overlapping across multiple stages of attack. Indeed, vulnerabilities in initial access stages often open the door for more severe threats, such as persistence and execution exploits.

The data underscores the need for AppSec and DevOps team to bolster defenses across all stages of the attack life cycle, not just in initial phases. Organizations should adopt multilayered security solutions that can detect and neutralize threats at various stages of the kill chain to prevent attackers from moving laterally within systems and causing widespread cyber and business damage.

**Next Steps for AppSec Teams**

One of the questions the inaugural OSC&R report sought to answer was whether what AppSec and DevOps teams focus on matched the vulnerabilities found in the wild. The data reveals that this is not yet the case. Progress is being made, but the high volume of vulnerabilities passing through the supply chain into live applications, and the large percentage of organizations that report supply chain security incidents, indicate that greater focus on proactive software security measures is needed.

In addition, organizations need to do a better job of looking systemically at both their software development processes and the attack lifecycle to identify the places most likely to be at risk. But historical data alone is not the answer. Organizations must implement the tools and processes that give them holistic visibility of their supply chain — from the build stage all the way through runtime, and including the development and testing environments, which are occasionally overlooked.

Further, it's clear that focusing on one or two stages of software development or one stage of the attack lifecycle isn't enough. Businesses must adopt a multilayered, full-lifecycle AppSec strategy — accompanied by tools that can unify all stages — to reduce the probability of attack.

Development and security teams now have a reference they can use to map their programs to known attack vectors and tactics. OSC&R, in effect, sets the foundation for operating a streamlined software security program that reduces the number of vulnerabilities that reach production, enhancing the resiliency of the organization as a whole and easing the fears of breach due to software flaws.

**About the Author**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

Lessons From OSC&amp;R on Protecting the Software Supply Chain

In recent years, artificial intelligence (AI) has begun revolutionizing Identity Access Management (IAM), reshaping how cybersecurity is approached in this crucial field. Leveraging AI in IAM is about tapping into its analytical capabilities to monitor access patterns and identify anomalies that could signal a potential security breach. The focus has expanded beyond merely managing human

How AI Is Transforming IAM and Identity Security

A data broker has confirmed a business contact information database containing 132.8 million records has been leaked online.

A data broker has confirmed a business contact information database containing 132.8 million records has been leaked online.

In February, 2024, a cybercriminal offered the records for sale on a data breach forum claiming the information came from pureincubation\[.\]com.

Cybercriminal offering to sell Pure Incubation data

Pure Incubation was founded in 2012, and the company later rebranded to DemandScience. DemandScience describes itself as “a leading global B2B demand generation company accelerating global growth for clients.”

DemandScience says it specializes in lead generation, content marketing, and software development offering data intelligence and marketing solutions for B2B organizations. That’s a mouthful to describe a data broker that specializes in selling aggregated public data that other companies can use in their marketing campaigns.

When contacted by BleepingComputer about the leak, DemandScience responded by email:

> “Regarding the matter referenced in your email, we have conducted a thorough internal investigation and conclude that none of our current operational systems were exploited. We also conclude that the leaked data originated from a system that has been decommissioned for approximately two years.”

It might not be a current system, but a third-party count of the data still showed around 122 million unique business email addresses. Although at some point when we all have switched jobs, it will become worthless. Maybe that’s why the cybercriminals offered to sell for $6,000.

That the company left a decommissioned system online for a criminal to find and plunder should be grounds for a hefty fine.

Despite DemandScience playing it down, the data is valuable. How else is it making money by gathering it from public records?

**What can you do?**

Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.

This is good news, because it offers Californians a sort of opt-out opportunity, by filling out this form: https://demandscience.com/privacy-policy-ccpa/

You can check whether your email address was included in this data breach by using Malwarebytes’ free Digital Footprint scan. Fill in the email address you’re curious about and we’ll give you a free report.

This leak also shows how important it can be to have your data removed from data brokers sites like these. To help you, Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.

 122 million people&#8217;s business contact info leaked by data broker 

As alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up.

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

For most of my cybersecurity career, I worked on the vendor side, in presales capacity, helping businesses identify and address security pain points. Now, as an information security engineer, I am on the other side, engaging with security vendors. A typical sales engagement includes pre-sales, proof of concept (PoC), onboarding, and support. While PoCs are useful, the real complexity of a product is understood only when the customer is fully onboarding. 

Although customers are responsible for accurate implementation of systems, vendors must realize they play a key role in guiding them through settings to ensure optimal performance and reduced alert fatigue. 

Achieving 100% efficiency will always be an ongoing challenge, but alert fatigue remains a significant issue. Modern security systems involve multiple components, each generating alerts that require teams to collaborate. And as alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up. 

**The Reality of Alert Fatigue**

Alert fatigue is not new, but the problem becomes bigger as organizations adopt more complex security solutions. These tools detect every potential anomaly, generating a flood of alerts, many of which are low-priority or false positives, obscuring critical signals. 

When faced with hundreds of alerts daily, analysts can become numb, ignoring or delaying important alerts, which leads to security breaches. Vendors currently address only part of the challenge by delivering systems that detect every possible attack are only doing half their job. However, these products alone fall short in helping companies effectively manage the alert flood, often times requiring a managed security service provider (MSSP) to bridge the gap. But they must do a better job helping companies manage the resulting flood of information. 

**Why Vendors Must Take Ownership**

It may be tempting for vendors to shift alert management to customers, but vendors create the underlying logic that generates these alerts, and therefore, they must ensure their tools enable users to respond effectively rather than overwhelming them. 

Here's how vendors need to take lead: 

1.  Smart filtering and prioritization: Vendors should design tools that prioritize high-risk alerts while suppressing noise using machine learning and contextual analytics. This reduces irrelevant notifications. 
    
2.  Automation to reduce manual work: The volume of alerts makes manual intervention impractical. Vendors should offer built-in automation for routine alerts, allowing security engineers to focus on critical ones, such as sinkholing, rate-limiting, blocking malicious IPs, or isolating suspicious files. 
    
3.  Actionable alerts with context: Vendors need to provide meaningful data with each alert, contextualizing it for the customer's environment and offering clear next steps, enabling quicker, more effective responses. 
    
4.  Continuous engagement and customization: Vendors must stay engaged with customers beyond the initial setup, helping tailor systems to meet specific needs. Regular optimization reduces unnecessary alerts and ensures critical threats are identified. 
    
5.  Feedback-based adaptive learning: Vendors should provide solutions that evolve with feedback loops, learning from customer input. False positives or low-priority alert floods should lead to system adjustments, improving accuracy over time. 
    

**The Cost of Ignoring Alert Fatigue**

If vendors fail to address alert fatigue, security teams may miss critical threats, leading to breaches. Overwhelmed staff may burn out, increasing turnover. For vendors, poor alert management can erode customer trust, leading to dissatisfaction and potential churn. 

**Needed: A Partnership for Success**

Alert fatigue is a shared problem, but vendors play the key role in solving it. By offering smarter, more responsive systems, ongoing optimization, and automation with context, vendors help customers focus on what matters the most. 

This isn't just about efficiency — it's about creating a partnership between vendors and customers. Together, they must be able to cut through the noise and be able to provide clarity in the fight against modern cyber threats. Vendors must ensure their solutions don't just alert but empower users to make the best decisions. 

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Security Engineer

Supradeep Bokkasam is a Brisbane-based information security engineer with nearly 20 years of IT experience. He has worked extensively in the content delivery network (CDN) space, focusing on network and application security, identity and access management (IAM), and zero-trust network access (ZTNA). He has worked with organizations across various sectors to identify and safeguard critical assets against cyber threats.

The Vendor's Role in Combating Alert Fatigue

Cloud service providers are getting better at protecting data, pushing adversaries to develop new cloud ransomware scripts to target PHP applications, a new report says.

Instead of solely leaning on leaky buckets and cloud service provider (CSP) vulnerabilities to exfiltrate sensitive data, a fresh crop of cloud-targeting ransomware is aimed instead at exploiting unprotected Web applications to drop encryptors and lock up victims' data.

The pivot to focusing on PHP applications demonstrates the success that CSPs have had in shoring up their environments with policies like AWS's Key Management Service, according to a new report from SentinelOne on the state of cloud ransomware landscape in 2024. CSPs can now ensure that almost no data is really lost, thanks to policies that require a waiting period and confirmation before data can be deleted. There are some fairly exotic malicious workarounds for some of these protections, but attacks can easily be blocked by implementing service control policies, the report said.

**Cloud Ransomware's New Look at Web Applications**

Cloud ransomware operators have started to mine Web applications for opportunities in increasing volumes, according to SentinelOne.

"Web applications are often run via cloud services," SentinelOne's report explained. "Their more minimal nature makes cloud environments a natural hosting point where the applications are easier to manage and require less configuration and upkeep than running on a full operating system. However, Web applications themselves are vulnerable to extortion attacks."

Related:5 Ways to Save Your Organization From Cloud Security Threats

Analysis uncovered new ransomware scripts specifically developed to attack PHP applications — such as a Python script named "Pandora," and another attributed to Indonesian-based threat actor IndoSec group.

"The Pandora script uses AES encryption to target several types of systems, including PHP servers, Android, and Linux," the report added. "The PHP ransom functions encrypt files using AES via the OpenSSL library. The Pandora Python script runs on the Web server, writing the PHP code output to the path pandora/Ransomware with a file name provided as an argument at runtime and appended with the php extension."

The ransom script targeting PHP applications developed by IndoSec uses a PHP backdoor to manage and delete files, according to the report. It searches through directories, reads, and then encodes the file contents using a Web service's API.

"This is an interesting approach because the encryption is provided through a remote service, rather than using native functionality like many other tools," the report noted.

**Using Legitimate Cloud-Native Functions to Steal Data**

Aside from trying to breach them, adversaries have also figured out how to use these cloud services themselves to exfiltrate stolen data, the report explained. SentinelOne offers the example of September Rhysdia and BianLian cloud ransomware attacks that abandoned their historical exfiltration tools like MEGAsync and rclone, and instead used Azure Storage Explorer to download the data. The following month, the LockBit ransomware group was discovered using Amazon's S3 storage to exfiltrate data from Windows and macOS systems, SentinelOne added.

Related:Google AI Platform Bugs Leak Proprietary Enterprise LLMs

In keeping with the trend, the SentinelOne research identified a new Python script on VirusTotal it named "RansomES." This code is designed to infiltrate a Windows system, look for files with extensions that indicate the file contains data, including .doc, .xls, .jpg, .png, or .txt. Once those files have been identified, the RansomES code allows the ransomware attacker to exfiltrate those files to an S3 storage bucket or an FTP site, and encrypt the local versions.

"RansomES is a simple script, and we do not believe it has been used in the wild," the report noted. "The author included an Internet connectivity check to the WannaCry killswitch domain, which may suggest the script was developed by a researcher or someone with an interest in threat intelligence."

Related:2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

The key to protecting data against Web application cloud ransomware attacks is to assess the overall cloud environment to protect against misconfigurations and overly permissive storage buckets, the report concluded.

"Additionally, always enforce good identity management practices such as requiring MFA on all admin accounts, and deploy runtime protection against all cloud workloads and resources," according to SentinelOne.

Cloud Ransomware Flexes Fresh Scripts Against Web Apps

The CISA and FBI have issued an advisory detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that…

The CISA and FBI have issued an advisory detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that has successfully infiltrated US telecommunications networks.

The US government has exposed a large-scale cyberespionage campaign launched by Chinese state-sponsored hackers. This campaign is mainly targeting critical telecommunications infrastructure in the United States and has resulted in the theft of sensitive data, including call records and private communications of individuals involved in government and political activities.

It is worth noting that this security advisory follows just a month after China’s Salt Typhoon group was accused of hacking AT&T and Verizon, allegedly accessing sensitive wiretap data.

According to the advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), Chinese state-sponsored actors have successfully compromised the networks of multiple telecommunications providers.

> _“Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”_
> 
> CISA – FBI

One of the most concerning aspects is the possible impact of this attack on US national security. By targeting telecommunications providers, hackers can gain a trove of sensitive information, including communications between government officials, military personnel, and other high-value targets. The compromised data could be used for intelligence gathering, blackmail, or other malicious purposes.  

The advisory states that the US government has taken steps to mitigate the threat posed by this cyberespionage campaign. CISA and the FBI are working closely with affected telecommunications providers to identify and address vulnerabilities. Additionally, the US government is urging individuals and organizations to take steps to protect themselves from cyber threats. 

****The China Threat****

While the United States is known for targeting Chinese infrastructure, China has also emerged as a persistent threat to US critical infrastructure, with state-sponsored hacking groups repeatedly targeting key sectors.

Last month, Chinese hacking group Salt Typhoon (aka GhostEmperor, FamousSparrow, and Earth Estries) breached the systems of major US telecom companies AT&T, Verizon, and Lumen Technologies, potentially compromising wiretap systems used in criminal investigations. 

Another Chinese state-sponsored threat actor Volt Typhoon hacked Singapore-based Singtel a few days back, probably in preparation for attacks against US wireless carriers, Bloomberg reported. 

Considering the extensive implications of such persistent threats, telecommunications providers must invest in advanced security technologies and train their employees to recognize/respond to cyber threats. Additionally, international cooperation is essential to combat cybercrime and hold cybercriminals accountable.

1.  **United Airlines Hacked by Chinese Group Behind The OPM Breach**
2.  **Chinese SMS Phishing Group Hits iPhone Users in India Post Scam**
3.  **China Hacked Federal Deposit Insurance Corporation with Malware**
4.  **Five Eyes Accuses Chinese APT40 for Hacking Government Networks**
5.  **Critical Vulnerabilities Expose Nearly 1 Million DrayTek Routers Globally**

Tag

#intel