The combined companies will create a seamless ecosystem of trust, governance, risk, and compliance.

Source: Srabin via iStock Photo

NEWS BRIEF

Drata, a trust management platform provider, announced plans on Tuesday to acquire SafeBase to streamline security reviews, strengthen vendor risk management, and maintain customer trust through continuous compliance. The acquisition, valued "at a quarter of a billion dollars," according to a company spokesperson, is expected to close by the end of the month.

Stricter regulatory requirements, increased cloud adoption, and growing dependency on artificial intelligence tools are driving market demand for a "full stack" Trust Management platform, Drata said in a statement. The companies have a "shared vision of being the go-to 'trust layer' between companies," Drata said. The goal is to create a comprehensive trust management platform, combining Drata's compliance automation and vendor risk management capabilities with SafeBase's Trust Center Platform, which streamlines security questionnaires.

SafeBase, founded in 2020 by CEO al Yang and CTO Adar Arnon, helps customers fill out security questionnaires before buying a new piece of software or hardware. These questionnaires can be time-consuming and difficult to complete, especially for more complex products. SafeBase can reduce the time spent on inbound security questionnaires by up to 98%, according to Drata. The company, which raised $33 million in a Series B round last April, counts organizations including CrowdStrike, HubSpot, LinkedIn, T-Mobile, Twilio, and "one-third of the Cloud 100" as customers.

**About the Author**

Drata Acquires SafeBase to Strengthen GRC Portfolio

A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However, exploitation is limited to specific conditions due to the server's CORS configuration (Access-Control-Allow-Origin: * without Access-Control-Allow-Credentials: true). The vulnerability can only be exploited under the following scenarios:
Same Domain: The attacker must host the malicious page on the same domain as the target server.
Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between the user and the server (e.g., on an unsecured network).
Local Area Network (LAN) Access: The attacker must have access to the same network as the target server.
Subdomains: The attacker can host the malicious page on a subdomain if the server allows it.
Misconfigured CORS: The server’s CORS policy is misconfigured to allow certain origins or headers.
Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute JavaScript in the context of the target origin.

Title: ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery (RCE)  
Advisory ID: ZSL-2025-5918  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 11.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However, exploitation is limited to specific conditions due to the server's CORS configuration (Access-Control-Allow-Origin: \* without Access-Control-Allow-Credentials: true). The vulnerability can only be exploited under the following scenarios:  
Same Domain: The attacker must host the malicious page on the same domain as the target server.  
Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between the user and the server (e.g., on an unsecured network).  
Local Area Network (LAN) Access: The attacker must have access to the same network as the target server.  
Subdomains: The attacker can host the malicious page on a subdomain if the server allows it.  
Misconfigured CORS: The server’s CORS policy is misconfigured to allow certain origins or headers.  
Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute JavaScript in the context of the target origin.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[11.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_csrf1.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch

**Changelog**

\[11.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery (RCE)

State-led data privacy laws and commitment to enforcement play a major factor in shoring up business data security, an analysis shows.

Source: Oleckii Mach via Alamy Stock Photo

States are increasingly embracing data privacy regulation, and Kentucky, Rhode Island, and Tennessee are leading the charge. That has earned them high marks from security experts and landed them at the top of the list of states with the lowest rates of data breaches.

These three states are effectively protecting data because of a dual approach of drafting smart data privacy legislation, and then enforcing those laws when appropriate, according to Anonta Khan, who is with DesignRush, the firm that conducted the state data privacy study. Conversely, South Dakota (which got the lowest safety score in the survey, 65.14 out of 100) and Alaska (66.50) rank at the bottom.

"Some states, like Kentucky (the highest rated at 99.32) and Rhode Island (97.14), do a good job protecting data," Khan says. "They have fewer cybercrimes and data leaks. Others, like South Dakota and Alaska, have weak laws and a lot of cyber threats."

However, she stresses, "having strong laws doesn't always mean a state is safe."

It's more nuanced than that.

**Higher Safety Scores Don't Mean Less Cybercrime**

In general, the results of the study suggest that states with less data breach regulation tend to have higher rates of cybercrime overall. That includes Nevada (with a safety score of 77.64), which last year logged 309.7 cyber incidents per 100,000 people, which is more than triple the national average. But there are other contributing factors. Nevada, for instance, has businesses that are attractive targets for hackers, like casinos, Kahn points out.

Related:CISA Places Election Security Staffers on Leave

Going further, California (89.3) has strong privacy laws but high cybercrime rates; that's because hackers are consistently targeting the state's tech sector, Khan explains. Delaware is another state with strong privacy laws that is likewise plagued by high rates of data breaches, being the state where most financial lending services are incorporated.

The takeaway? "This shows that laws need to be enforced well," Khan says.

A similar report from the Electronic Privacy Information Center (EPIC) in late January outlined areas where states should, in its view, take a more aggressive position against companies leaking personal data. And state governments appear to be moving in that direction, with a new wave of reform efforts on the horizon.

**New State-Led Data Privacy Efforts Are Brewing**

Delaware, for example, has kicked off 2025 with its new Data Privacy Protection Act going into effect. Other states, including Iowa, Nebraska, New Hampshire, and New Jersey, are also adding fresh data privacy laws this year and increasing enforcement budgets.

Related:DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

States like Texas have also provided a model for aggressive data privacy regulation enforcement. On Jan. 13, Texas Attorney General Ken Paxton filed suit against the Allstate insurance company for what he alleges was an effort to skirt his state's data privacy rules and track citizens' data without consent.

As these new laws come online, Khan and others are optimistic that data privacy practices are improving across the US, thanks to re-upped efforts at the state level. Moving forward, these laws will be tailored to fit emerging technology use cases, Khan adds.

"Artificial Intelligence (AI) is also becoming a bigger issue," Kahn says. "Colorado's Anti-Discrimination in AI Law starts in 2026, and other states are considering similar rules. Meanwhile, lawsuits over website tracking, biometric data, and online privacy will continue in 2025."

Regardless of state of residence, companies should look at this new era of data privacy protection as an opportunity, according to Ojas Rege, senior vice president and general manager of privacy and data governance at OneTrust.

"With 20 distinct US data privacy laws enacted — all with different requirements and obligations — this is a risk most organizations won't want to take," Rege says. "By moving off spreadsheets, bringing in automation, and designating a senior data privacy leader, organizations can proactively comply with the current wave of US state privacy laws. Adopting AI responsibly also requires an effective data privacy program as a starting point and foundation."

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Data Leaks Happen Most Often in These States — Here's Why

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats.

Source: vska via Alamy Stock Photo

COMMENTARY

The Chinese-linked hacking group Salt Typhoon recently was detected lurking in major US telecommunication systems, exposing nearly every American's communications to Chinese intelligence and security services. 

In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that American citizens and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent to secure communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and regulatory obligations as they adopt new security solutions.

**Background: Salt Typhoon**

Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some parts dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.

Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States, and the Salt Typhoon campaign marks one of the most sophisticated attacks on US critical infrastructure in history. 

**Security vs. Compliance: Adopting End-to-End Encryption Technologies**

US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys at both the sender and recipient. The end result is data in transit is secure, rendering the contents of any intercepted or compromised communications indecipherable without the cryptographic key, including by Internet service providers and telecommunications companies — and foreign hackers targeting those entities.

While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries. 

In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization are to be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review. 

In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accessibility Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications restrict a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years. 

**Recommendations**

As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To appropriately navigate these risks, organizations in every sector should consider three things.

First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when considering these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls specifically configured to allow for auditing and data preservation. 

Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually establish time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such functions should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.

Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture. 

**Conclusion**

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations need to balance the security imperatives with their regulatory obligations. 

**About the Authors**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy practice group. Michael advises clients in matters involving cybersecurity, public policy, and government relations. Michael helps clients navigate the complexities of cybersecurity, data privacy and the related regulatory landscape. Michael is the co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security.

Jillian Cash, Associate, Corporate Section, Buchanan Ingersoll & Rooney

Jillian Cash is an associate Buchanan’s Corporate Section, where she focuses on a variety of corporate, transactional, and cybersecurity matters.

Kellen Carleton, Associate, Corporate Finance and Technology Group, Buchanan Ingersoll & Rooney

Kellen Carleton is an associate in Buchanan’s Corporate Finance and Technology group where he focuses on a variety of corporate, transactional, and cybersecurity matters.

Salt Typhoon's Impact on the US &amp; Beyond

The popular generative AI (GenAI) model allows hallucinations, easily avoidable guardrails, susceptibility to jailbreaking and malware creation requests, and more at critically high rates, researchers find.

Source: Mundissima via Alamy Stock Photo

Organizations might want to think twice before using the Chinese generative AI (GenAI) DeepSeek in business applications, after it failed a barrage of 6,400 security tests that demonstrate a widespread lack of guardrails in the model.

That's according to researchers at AppSOC, who conducted rigorous testing on a version of the DeepSeek-R1 large language model (LLM). Their results showed the model failed in multiple critical areas, including succumbing to jailbreaking, prompt injection, malware generation, supply chain, and toxicity. Failure rates ranged between 19.2% and 98%, they revealed in a recent report.

Two of the highest areas of failure were the ability for users to generate malware and viruses using the model, posing both a significant opportunity for threat actors and a significant threat to enterprise users. The testing convinced DeepSeek to create malware 98.8% of the time (the "failure rate," as the researchers dubbed it) and to generate virus code 86.7% of the time.

Such a lackluster performance against security metrics means that despite all the hype around the open source, much more affordable DeepSeek as the next big thing in GenAI, organizations should not consider the current version of the model for use in the enterprise, says Mali Gorantla, co-founder and chief scientist at AppSOC.

Related:CISA Places Election Security Staffers on Leave

"For most enterprise applications, failure rates about 2% are considered unacceptable," he explains to Dark Reading. "Our recommendation would be to block usage of this model for any business-related AI use."

**DeepSeek's High-Risk Security Testing Results**

Overall, DeepSeek earned an 8.3 out of 10 on the AppSOC testing scale for security risk, 10 being the riskiest, resulting in a rating of "high risk." AppSOC recommended that organizations specifically refrain from using the model for any applications involving personal information, sensitive data, or intellectual property (IP), according to the report.

AppSOC used model scanning and red teaming to assess risk in several critical categories, including: jailbreaking, or "do anything now," prompting that disregards system prompts/guardrails; prompt injection to ask a model to ignore guardrails, leak data, or subvert behavior; malware creation; supply chain issues, in which the model hallucinates and makes unsafe software package recommendations; and toxicity, in which AI-trained prompts result in the model generating toxic output.

The researchers also tested DeepSeek against categories of high risk, including: training data leaks; virus code generation; hallucinations that offer false information or results; and glitches, in which random "glitch" tokens resulted in the model showing unusual behavior.

Related:Data Leaks Happen Most Often in These States — Here's Why

According to Gorantla's assessment, DeepSeek demonstrated a passable score only in the training data leak category, showing a failure rate of 1.4%. In all other categories, the model showed failure rates of 19.2% or more, with median results in the range of a 46% failure rate.

"These are all serious security threats, even with much lower failure rates," Gorantla says. However, the high failure results in the malware and virus categories demonstrate significant risk for an enterprise. "Having an LLM actually generate malware or viruses provides a new avenue for malicious code, directly into enterprise systems," he says.

**DeepSeek Use: Enterprises Proceed With Caution**

AppSOC's results reflect some issues that have already emerged around DeepSeek since its release to much fanfare in January with claims of exceptional performance and efficiency even though it was developed for less than $6 million by a scrappy Chinese startup.

Soon after its release, researchers jailbroke DeepSeek, revealing the instructions that define how it operates. The model also has been controversial in other ways, with claims of IP theft from OpenAI, while attackers looking to benefit from its notoriety already have targeted DeepSeek in malicious campaigns.

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

If organizations choose to ignore AppSOC's overall advice not to use DeepSeek for business applications, they should take several steps to protect themselves, Gorantla says. These include using a discovery tool to find and audit any models used within an organization.

"Models are often casually downloaded and intended for testing only, but they can easily slip into production systems if there isn't visibility and governance over models," he says.

The next step is to scan all models to test for security weaknesses and vulnerabilities before they go into production, something that should be done on a recurring basis. Organizations also should implement tools that can check the security posture of AI systems on an ongoing basis, including looking for scenarios such as misconfigurations, improper access permissions, and unsanctioned models, Gorantla says.

Finally, these security checks and scans need to be performed during development (and continuously during runtime) to look for changes. Organizations should also monitor user prompts and responses, to avoid data leaks or other security issues, he adds.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

SystemBC RAT now targets Linux, enabling ransomware gangs like Ryuk & Conti to spread, evade detection, and maintain encrypted C2 traffic for stealthy cyberattacks.

Threat analysts have identified a new and emerging threat: a variant of the SystemBC RAT (Remote Access Trojan) that is now actively targeting Linux-based platforms. This development puts corporate networks, cloud infrastructures, and IoT devices at risk.

The latest version of SystemBC RAT is more stealthy and harder to detect, using encrypted communication to stay hidden while letting attackers move freely through compromised systems.

****SystemBC RAT: From Windows to Linux****

SystemBC is a Remote Access Trojan (RAT) commonly used in cyberattacks to provide attackers with remote control over infected systems. 

Initially a Windows-only threat, it has now expanded to Linux, making it even more dangerous as Linux-based servers are widely used in enterprise environments.

ANY.RUN’s analysts compared SystemBC’s Windows and Linux traffic

****What Makes the Linux Version of SystemBC RAT Dangerous?****

Let’s look at how this malware operates and why it poses a serious threat to Linux-based systems.

****Encrypted Communication with C2 Servers****

The SystemBC RAT for Linux maintains encrypted communication with C2 servers using the same custom protocols as its Windows counterpart. 

This allows attackers to keep a stable connection across a unified infrastructure of both Windows and Linux implants, making it easier to control infected machines without raising suspicion.

While SystemBC RAT is designed to keep its C2 communication encrypted and hidden, it becomes fully visible inside an ANY.RUN analysis session. By running a real sample in the sandbox, security teams can see the malware’s network connections, file modifications, and process activities in real time.

**View ANY.RUN analysis session**

SystemBC RAT analyzed inside ANY.RUN sandbox

Below the Linux Virtual Machine window, all network connections and system modifications related to this specific attack are clearly displayed. 

Suricata rule triggered by SystemBC RAT

In the Threats section, we can see that an alert was triggered by the Suricata rule: “Malware Command and Control Activity Detected – BOTNET SystemBC.Proxy Connection.” This immediate detection allows analysts to track the infection process and understand how the malware operates.

****Proxy Implant for Lateral Movement****

The malware operates as a proxy implant, meaning it can facilitate lateral movement within a compromised network without deploying additional, easily detectable tools. This makes it a powerful weapon for attackers who seek persistence and deeper infiltration within corporate infrastructures.

****Evasion of Traditional Detection****

One of the most concerning aspects is that security vendors struggle to detect this version as belonging to the SystemBC family. This stealthy approach allows the RAT to remain undetected for extended periods, making it a persistent threat.

****Sandbox and Virtualization Evasion****

Besides signature-based evasion, SystemBC also detects virtualized environments to resist dynamic analysis. In a real ANY.RUN analysis session mentioned above, the MITRE ATT&CK framework flags reveal “Virtualization/Sandbox Evasion- System Checks,” showing that the malware actively performs system checks to determine if it’s running inside a security sandbox or virtual machine. 

By identifying these environments, SystemBC can alter its behaviour or terminate execution, helping attackers bypass automated malware analysis tools while remaining fully operational on real infected systems.

Defense evasion techniques and tactics detected by ANY.RUN sandbox

****Integration with Other Malware Strains****

SystemBC is rarely deployed on its own. It often works alongside other malware to expand an attack’s impact. In Windows attacks, it has been observed delivering ransomware like Ryuk and Conti, as well as banking trojans and infostealers. 

With its new Linux variant, similar threats will likely follow, putting enterprise servers and cloud environments at greater risk of data theft, ransomware encryption, and persistent backdoor access.

****Unmasking Hidden Threats Before They Strike****

Cyber threats are getting smarter, and businesses can’t afford to play catch-up. With SystemBC RAT now hitting Linux, attackers have a new way to hide C2 traffic, move through networks unnoticed, and drop additional malware. Traditional security tools often miss these stealthy tactics, leaving corporate networks, and critical infrastructure at risk.

However, with tools like ANY.RUN interactive sandbox, hidden doesn’t mean unstoppable. Your security team can:

*   Analyze threats safely in a controlled environment.
*   Respond faster, containing threats before they spread and cause real harm.
*   Spot evasion techniques before they do damage, exposing how threats slip past defences.
*   Extract key IOCs, strengthening your threat intelligence and prevention strategies.
*   See hidden malware behaviours in real-time, from network traffic to system changes.

SystemBC RAT Now Targets Linux, Spreading Ransomware and Infostealers

PRESS RELEASE

WASHINGTON – Eric Council, 25, of Athens, Alabama, entered a guilty plea today to one count of conspiracy to commit aggravated identity theft in United States District Court for the District of Columbia. Council was arrested on October 17, 2024, in connection with his role in a conspiracy to hack into the X account of the U.S. Securities and Exchange Commission (SEC) and publish fraudulent posts in the name of the then-SEC Chairman. 

The plea was announced by U.S. Attorney Edward R. Martin, Jr., Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, SEC Inspector General Deborah Jeffrey and FBI Special Agent in Charge Sean Ryan of the Washington Field Office, Criminal and Cyber Division.

Council’s plea was entered before U.S. District Court Judge Amy Berman Jackson in the District of Columbia. He faces a maximum sentence of five years in prison, a $250,000 fine, and up to three years of supervised release. His sentencing is scheduled for May 16, 2025.

According to court documents, from at least January 2024, Council conspired with others to carry out Subscriber Identity Model (SIM) attacks, commonly referred to as “SIM swaps,” in exchange for money. 

A SIM card is a chip that stores information identifying and authenticating a cell phone subscriber and connects a physical cell phone to a mobile carrier’s cellular and data network. A SIM swap attack is a form of sophisticated fraud where criminal actors fraudulently induce a mobile carrier to reassign a mobile phone number from a victim’s SIM card to a SIM card and telephone controlled by a criminal actor attempting to access valuable information associated with the victim’s telephone. Members of SIM swapping groups conduct SIM swaps for the purpose of defeating multifactor authentication and/or two-step verification security features for internet connected accounts, such as social media and virtual currency accounts. 

After convincing a mobile carrier to reassign a phone number to a new SIM card in the criminal actor’s control, members of the conspiracy generate password reset security authentication codes for online accounts and those codes are in turn sent to the telephone in the control of the criminal actor. Members of SIM swap groups share the security reset codes with one another to unlawfully access a victim’s internet connected accounts and complete the fraud. 

On or about January 9, 2024, Council, and others, executed a SIM swap of the mobile phone account associated with the @SECgov X account, the official account of the SEC. The purpose of this SIM swap was to gain unauthorized access to this government account in order to make fraudulent posts. 

Before January 9, a member of the conspiracy had identified the authorized user for the phone number linked to the official @SECgov X account. Council received instruction from a co-conspirator to perform the SIM swap on this phone line, along with information to make the needed fake ID, that is, an image of an ID card template with the authorized user’s name on it but Council’s face, and information purporting to be the user’s date of birth and social security number. 

Council used his portable ID card printer to create a physical ID which he used to impersonate the victim at an AT&T store in Huntsville, Alabama. Council provided false information to the AT&T store employee to explain why he needed a replacement SIM card. Council obtained the SIM card linked to the victim’s phone line and walked to a nearby Apple store where he purchased a new iPhone to use in the crime.  He inserted the SIM card to activate the phone, received the @SECGov X password reset codes on this new phone linked to the victim’s SIM card and used his personal cell phone to take a photo of the @SECgov X account reset code to share with his co-conspirators. After passing along the password reset codes, Council drove to Birmingham, Alabama and immediately returned the iPhone for cash.   

A member of the conspiracy used the reset code to gain access to the @SECGov X account and issue a fraudulent post in the name of the then-SEC Chairman, falsely announcing SEC approval of Bitcoin (BTC) Exchange Traded Funds (ETFs). The price of BTC increased by more than $1,000 following the post. Shortly after this unauthorized post, the SEC regained control over their X account and confirmed that the announcement was unauthorized and the result of a security breach, which caused the value of BTC decreased by more than $2,000.

Council also admitted to attempting to perform additional SIM swaps in June 2024 in Alabama. In June 2024, the FBI executed a search warrant at an Athens, Alabama, apartment where he resided. Agents recovered a fake identification card and a portable ID card printer. They also recovered a laptop computer.  

Pursuant to the search warrant, agents searched the laptop and discovered templates for additional fake identification cards stored on the laptop along with internet searches for

“SECGOV hack,” “telegram sim swap,” “how can I know for sure if I am being investigated by the FBI,” “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them,” “what are some signs that the FBI is after you,” “Verizon store list,” “federal identity theft statute,” and “how long does it take to delete telegram account.” 

Council admitted to receiving approximately $50,000 from members of the conspiracy to perform SIM swap during the previous six months.   

This case is being investigated by the FBI Washington Field Office Criminal and Cyber Division, the SEC-Office of Inspector General, the U.S. Attorney’s Office for the District of Columbia, and the Computer Crime and Intellectual Property Section (CCIPS) and Fraud Section’s Market Integrity and Major Frauds Unit of the Justice Department’s Criminal Division. Significant assistance was provided by the FBI’s Birmingham Field Office.

The prosecution is being handled by Assistant United States Attorney Kevin Rosenberg, CCIPS Trial Attorney Ashley Pungello, and Fraud Section Trial Attorney Lauren Archer. Valuable assistance was provided by Assistant United States Attorney John Hundscheid from the Northern District of Alabama.

For more information on SIM swapping, go to: https://www.ic3.gov/PSA/2024/PSA240411

Guilty Plea in Hacking of the SEC's X Account That Caused Bitcoin Value Spike

Iranian-linked hackers claim to have breached Israeli police systems, stealing 2.1TB of sensitive data. Police deny the breach. Learn more about the alleged hack and its implications.

The infamous Handala hacking group, with suspected ties to Iranian intelligence, has claimed responsibility for a cyberattack against Israel’s police force, managing to exfiltrate 2.1 terabytes of sensitive data, including personnel records, weapons inventories, medical and psychological profiles, legal case files, weapon permits, and identity documents. Handala further claims to have disseminated 350,000 of these documents publicly.

The scope of the claimed data breach is extensive, encompassing a wide range of sensitive information. Reports suggest the stolen data includes email addresses, gun licenses, officer photos and personal contact details, classified documents, and personal information about suspects and convicted criminals, including details about sex offender employment permits.

Handala also alleges obtaining access to the personal files of police officers, including psychological evaluations and other private data, and breaching the servers of the Israeli Ministry of National Security. 

Despite Handala’s claims, the Israeli police have denied any direct penetration of their systems. Their statement suggests that the breach, if confirmed, likely involved third-party entities that share data with the police. An investigation is currently underway to ascertain the true extent of the incident and identify any vulnerabilities.

https://twitter.com/IL\_police/status/1888576600985243926

This alleged break follows a pattern of disruptive cyber actions by Handala targeting Israeli entities, particularly since the escalation of the Israeli-Hamas conflict. Microsoft reports that Israel has become a prime target for Iranian cyber operations, experiencing a significant increase in attacks. Handala’s own activity reflects this trend, with a series of increasing data breaches targeting Israeli institutions.

For instance, in October 2024, Hackread.com reported their suspected involvement in a phishing campaign targeting cybersecurity personnel within Israeli organizations with wiper malware, aiming to disrupt the country’s digital defences. In September 2024, the group targeted Israel’s Soreq Nuclear Research Center (SNRC) in a significant ransomware attack.

The group has targeted crucial Israeli institutions/ systems with the Elad Municipality and the Ramat Gan Academic College being their recent targets. On January 27, 2025, the group compromised the emergency alert system, operated by Israeli electronics firm Maagar-Tec, impacting at least 20 kindergarten educational institutions across Israel, triggering widespread panic with false terror alerts.

Nevertheless, in its post on BreachForums dated February 9, 2025, Handala Group not only claimed responsibility for the latest attack but also taunted Israel, emphasizing their success in penetrating their defences and exposing their secrets while accusing Israel of arrogance and deception.

“Handala does not forget. Handala does not forgive,” the group reiterated their slogan.

Handala Hackers Claim Massive Data Breach on Israeli Police, Leak 350,000 Files

For too long, we've treated our analysts as mere cogs in a machine, expecting them to conform to the limitations of our tools and processes. It's time to revolutionize security operations.

Source: Brain light via Alamy Stock Photo

COMMENTARY

In the battle against cyber threats, we're losing our most vital asset: our people. While the industry fixates on the latest tools and technologies, security analysts are burning out, crushed under the weight of an impossible mission. This isn't just a talent shortage, but an existential crisis threatening the future of cybersecurity defense. Until we prioritize supporting the humans at the heart of cyber operations, no tool or technology will be enough to keep us secure.

Security operations centers (SOCs), the heart of cybersecurity, have become pressure cookers of burnout and frustration. The numbers tell a dire story: More than half of SOC analysts have considered leaving the field, and with them goes the institutional knowledge and expertise that take years to develop. Each departure is a victory for malicious actors, who know that even the most sophisticated tools are only as effective as the humans behind them.

There's a tendency to frame this simply as a talent shortage. In one sense, it is. 53% of organizations report a critical lack of skilled cybersecurity workers. But this misses the direness of the current reality. We can't hire our way out of this disaster. It takes years to develop an analyst capable of detecting and responding to sophisticated threats. By the time junior analysts gain the expertise to handle advanced attacks, they're already burning out and searching for greener pastures. Cyber defenders need relief now.

The crisis extends beyond front-line defenders. Nearly a quarter of chief information security officers (CISOs) and IT security leaders are considering stepping down, with 93% citing unsustainable stress levels. They face mounting pressure to demonstrate return on investment (ROI) while navigating increasing legal and compliance risks, and even personal liability. It's no wonder the average tenure of a CISO is only 18 to 26 months — less than half of the general C-suite tenure.

Somehow, we've normalized this chaos. In any other critical operation, like the military, this level of systemic burnout would be considered an existential risk. Instead, we keep piling on more tools, more alerts, and more responsibilities, mistaking the symptoms for the disease.

Our industry has a blind spot. We've focused so much on software and hardware that we've forgotten about the "humanware" of security workflows. We've overlooked the frontline analysts, the threat hunters, and the managers whose judgment and intellectual horsepower are the real engine of modern security operations.

This matters so deeply to me on a personal level. In my Air Force career, I was a special operations helicopter pilot. Picture it: skimming treetops under night vision goggles, working with elite teams, pushing the boundaries of what seemed possible. Despite the intense pressure and risk, I never once thought about walking away. Why? Because I had cutting-edge equipment, unwavering support from my leadership, and a mission that made my heart race. I would have done it for free.

Today, cyber defenders are the pilots of the 21st century. It's the coolest job on the planet: battling sophisticated adversaries in real-time, protecting the critical infrastructure that powers our economy, and racing against the clock to stop attacks that could affect millions. They should be having the time of their lives. Instead, they're burning out.

**Technology Isn't the Solution — Reshaping Support Is**

The answer isn't just better technology — it's about fundamentally reshaping how we support our people. The industry talks constantly about analysts learning from AI, but we're missing something crucial: the AI must learn from our analysts as well. Their expertise, their pattern recognition, their hard-won instincts about what doesn't look quite right; this human judgment is irreplaceable. We need to give our humans AI partners that learn from them, support them, freeing them to focus on the high-level, intellectually stimulating work that drew them to cybersecurity in the first place.

Imagine SOCs where analysts focus on outsmarting adversaries instead of drowning in false positives. Where AI handles the repetitive tasks but learns from human insights, creating a virtuous cycle of improvement. Where the technology amplifies human expertise instead of trying to replace it. Where the job is as exhilarating as flying a combat mission, because you have tools that learn and evolve alongside you. (In a recent episode of CSO Perspectives, I go into depth of what that looks like.)

For too long, we've treated our analysts as mere cogs in a machine, expecting them to conform to the limitations of our tools and processes.

It's time to revolutionize security operations. When we get this right, we won't just solve our retention crisis. We'll create a field that the best and brightest are eager to join, where analysts don't just survive, but thrive in the mission of keeping us all safe. The future of cybersecurity belongs not to those who build better tools, but to those who best empower defenders to wield them.

**About the Author**

Chief Product Officer, Andesite

William MacMillan, Chief Product Officer at Andesite, is an experienced executive leader, advisor and trusted voice on cyber, digital transformation and national security. Prior to Andesite, he served as the Senior Vice President for Information Security at Salesforce. Before retiring from the federal government, William served as the CISO at the Central Intelligence Agency, where he led a sweeping transformation of the CIA’s cybersecurity strategy and organization. Before this, he held multiple senior leadership positions at the CIA, dealing with various aspects of intelligence, counterintelligence and cyber operations. Throughout his career, William focused significant attention on insider threat, supply chain risk and incident response issues, as well as the development of CIA’s Cybersecurity Operations Center (CSOC).

Analyst Burnout Is an Advanced Persistent Threat

This article looks at the measures AI solutions take to secure their offering with insights from platforms like OORT and Filecoin who are creating new security models for their AI infrastructure.

Artificial intelligence is changing industries from finance and healthcare to entertainment and cybersecurity. As AI adoption grows so do the risks to its integrity. AI models are being targeted by cybercriminals to manipulate, steal or exploit sensitive data. From adversarial attacks that mess with AI decision-making to large-scale data breaches the security landscape is more complex than ever.

The very nature of AI which relies on massive datasets, cloud computing power and decentralized processing creates vulnerabilities. Securing AI systems is not just about protecting data; it’s about reliability, trust and ethical usage.

This article looks at the measures AI solutions take to secure their offering with insights from platforms like OORT and Filecoin which are creating new security models for their AI infrastructure.

****The Growing Threats to AI****

AI is a target for cybercriminals. AI models process sensitive data from financial transactions to medical records so are a treasure trove for hackers. Breaches not only expose confidential information but also raise ethical concerns about privacy violations and data misuse.

The biggest security risks are data breaches, model theft and infrastructure vulnerabilities. AI models rely on proprietary datasets and unauthorized access to these datasets can cause financial and reputational damage. Attackers can steal AI models or feed them adversarial data to mess with outputs and cause incorrect decision-making. Centralized AI cloud solutions are single points of failure and can be taken down and cause service disruptions.

To address these risks many AI platforms are moving away from traditional centralized models to decentralized architectures. By distributing AI workloads and data across multiple nodes companies can increase security, reduce failure risks and create more robust AI-driven ecosystems.

****How These Two Decentralized AI Brands Tackle Cybersecurity****

AI solutions use different strategies to keep systems safe from cyber threats like hacking, data leaks, and unauthorized access. By building strong security measures, they help protect sensitive information and ensure AI runs smoothly and securely. Let’s take a look.

****OORT: Protecting Data with Blockchain****

OORT secures its holistic AI offering with blockchain and decentralization to build a more powerful cloud. One of its key patented innovations is the Proof of Honesty (PoH) algorithm which makes AI computations verifiable and tamper-proof. 

Unlike traditional cloud systems that rely on centralised servers that can be targeted, OORT distributes data across a decentralized network, so the risk of breaches or unauthorised access is greatly reduced. Even if one part of the network is compromised the rest remain secure so continuity and reliability are maintained.

To add more security, OORT uses Olympus Protocol, a DAG-based system (PDF), so transactions are faster, cheaper, and more scalable. Instead of miners, it uses trusted committees to validate transactions and secure the network. This allows for zero fees, high speed, and easy interoperability with other chains, it’s a good fit for Web3.

Since the blockchain is immutable any attempt to alter data leaves a trail so attackers can’t cover their tracks. 

Additionally, OORT recently partnered with DeTaSECURE to add AI security and data integrity using advanced threat intelligence to fortify decentralized AI infrastructure against cyber threats and support trustless, verifiable AI models in Web3.

By combining blockchain verification with distributed validation OORT creates a trustless AI infrastructure where users don’t have to rely on a single entity to verify computations. Nodes across the network validate AI processes so it’s fair, accurate and secure.

Image: OORT Infra. Edge, Super and Backup Nodes.

This is particularly useful for industries that require high trust such as finance, healthcare and autonomous systems where AI-driven decisions are critical. Through these mechanisms, OORT secures AI applications reduces risk and provides a safer environment for advanced AI solutions.

****Filecoin: Eliminating Single Points of Failure****

AI models need large datasets which are often stored in the cloud. Traditional cloud storage has risks due to centralization which creates a single point of failure. Decentralized storage is a more secure option.

Decentralized storage is key for AI because it eliminates single points of failure, and reduces the impact of a cyber attack. It uses cryptographic proofs to ensure data integrity and authenticity and allows users to control encryption and access permissions.

Filecoin is a decentralized storage network that provides secure and scalable data storage solutions. It secures AI-related data through Proof-of-Replication and Proof-of-Spacetime, cryptographic methods that verify data integrity and prevent unauthorized modifications. 

Distributed storage nodes prevent centralization breaches by distributing AI datasets across multiple storage providers.

Client-controlled encryption allows users to encrypt their data before storing it so only authorized parties can access it. By using decentralized storage AI platforms can reduce their dependence on vulnerable cloud providers and build a more resilient infrastructure.

****AI and Cybersecurity Future****

As AI adoption grows so will the sophistication of attacks on AI systems. Solving these security challenges requires continuous innovation and collaboration between AI developers, security experts and regulatory bodies.

Several trends are shaping AI security. Federated learning is emerging as a method where AI models are trained across decentralized devices without sharing raw data, more privacy. Blockchain-powered AI security uses smart contracts and distributed ledgers to ensure transparency and prevent unauthorized modifications. AI is being used to detect security threats in real-time, more resilience against attacks.

With cyber threats getting more sophisticated, AI platforms need to get proactive with security to be trusted and reliable. Companies need to realize that security is not an afterthought but a foundation of AI innovation. 

Whether through decentralized infrastructure, encryption protocols or secure AI training environments, the future of AI security is resilience, transparency and bleeding-edge tech. By security from the start, AI developers and companies can build systems that are intelligent and threat-proof.

Tag

#intel