Regulators are ready to enforce new state data privacy laws. Here's how experts say organizations can stay compliant and avoid penalties.

Source: EThamPhoto via Alamy Stock Photo

If you get a call from John Eakins at the Delaware Attorney General's office, you've already filed a data breach notice with the state, so you know there's a problem. What information security teams do next could mean the difference between getting slapped with a hefty fine or getting off with a warning, along with your reputation intact.

Delaware Deputy Attorney General Eakins is in charge of enforcing the new state regulations under the Delaware Personal Data Privacy Act (DPDPA), first passed by lawmakers in 2023 and just coming into effect on Jan. 1. He says organizations operating in Delaware should expect a call from his office after reporting a major breach. Then he is going to want to drill down on two specific criteria: the harm caused and whether it can be fixed.

"They should expect to be asked to provide information about the breach, an assessment of the harm caused, and the sensitivity of the data that was breached," Eakins tells Dark Reading. But that doesn't necessarily mean enforcement is imminent, he adds. Companies are offered what's known as a "right to cure," in Delaware along with many other states, meaning if the error that led to the breach can get fixed within a range of 30 to 60 days, the company won't be penalized.

That's where it becomes critical for organizations and their data security teams to have a "story to tell," according to Andreas Kaltsounis, an attorney and partner with BakerHostetler, who works with data privacy regulators on behalf of clients.

**State Privacy Laws, Enforcement on the Rise**

Twenty states, including Delaware, have passed data privacy regulations as of 2025, but these new laws aren't really necessary for states to levy penalties for data breaches, Kaltsounis points out. Federal law could be used in many of these instances, half the states already have information security requirements on the books, and nearly all the states have some form of an "unfair, deceptive, and abusive practices" (UDAP) law, which could also be used as enforcement mechanisms for many data breach instances, he adds.

What new privacy legislation has done for regulators isn't so much putting rules on the books — it's allocating more money toward enforcing lax data privacy among organizations, including money to hire in-house expertise. Pair that with federal deregulation under the Trump administration, and states are in a prime position to fill the gap.

Each state is picking its own lane.

Texas, for its part, is going after connected car data, filing suit against General Motors and, more recently, insurance company Allstate for collecting consumer data without complying with the new Texas Data Privacy Act (TDPSA). The Texas AG alleges the insurer was paying developers of other apps, including Life360, to incorporate secret embedded software to collect cell phone location data on Texans and then use that information to justify insurance rate hikes.

New York Attorney General Letitia James also recently fined companies, including one distributing a line of insecure home security video systems ($450,000), GEICO and Travelers insurance companies for failing to protect data ($11.3 million), and Capital Regions healthcare provider ($2.25 million) for failing to protect medical data. In December, New York Gov. Kathy Hochul expanded the AG's oversight of the cybersecurity of financial services. New York's primary enforcement efforts have been trained on the sizable financial services companies operating in its jurisdiction.

Delaware will be focused on the abuse of geolocational data and the data security of emerging artificial intelligence (AI) technologies, Delaware's deputy AG Eakins says.

Despite the flurry of press releases, consumer advocates like the Electronic Frontier Foundation's associate director of legislative advocacy, Hayley Tsukayama, say every state should be doing much more to protect consumer data. Tsukayama points to business-friendly loopholes like the "right to cure" offered by regulators, including those in Delaware, as a "get out of jail free card," and would like to see more pressure on companies to protect sensitive data before it's too late.

The Electronic Privacy Information Center (EPIC) is likewise unimpressed overall with state efforts on data privacy. In its recent "State of the Privacy" report, EPIC said new state laws, "...fail to protect consumers." Of the 19 states that have passed consumer privacy legislation packages, nearly half got F grades from EPIC; only California got a B, and no state received an A.

Chronic underfunding has bogged down enforcement efforts, Tsukayama says. But that's all about to change.

Delaware deputy AG Eakins said his office received a boost in funding along with the DPDPA and his office now has a full-time computer scientist to help lend expertise to their investigations. Many other states have followed suit, allocating bigger budgets for data privacy oversight along with new compliance requirements.

**Get Your Data Privacy Story Right, Now**

Attorney Kaltsounis says regulators are busy; in his experience, organizations with a compelling "story to tell" are going to be far better positioned to avoid penalties. That means being able to demonstrate how the organization was taking information security seriously well before the breach. He recommends a good old-fashioned data audit, purging anything sitting on an old server that isn't needed anymore. Then organizations need to double down on collecting only the data they absolutely need for the shortest period of time possible.

"They both need to be done," Kaltsounis advises.

Enterprises should treat this new regulatory environment at the state level as an opportunity to incorporate data privacy as a foundational principle of the business, according to Ryan Edge, director of strategy, privacy, and data governance with OneTrust, a data privacy services provider.

"One thing is for sure — data privacy is not going away," Edge says. "There are more than a dozen US state privacy laws in effect today. It can seem daunting, but it doesn't need to be. Companies don't have to reinvent the wheel for each law. By operationalizing data privacy, they can see benefits beyond compliance, like minimizing risk, driving data quality, and building trust with consumers."

Organizations should develop a strategy that includes data mapping, privacy impact assessments, and privacy engineering to understand how data is being used. This would help define policies such as how long data is kept, how it is protected, and how it is disposed when no longer needed.

When it comes to how the Delaware AG's office will determine where data privacy penalties are appropriate, Eakins says the state's $52 million settlement reached with Marriott for the company's lack of "providing reasonable security" is a strong starting framework. Baseline technical requirements established out of the multistate Marriott settlement include having a comprehensive information security program in place, minimizing the amount of data collected with disposal requirements and supply chain oversight. That's a good place for organizations to start.

Moving forward, Kaltsounis expects to see a "friendly competition" emerge among states to demonstrate the strongest data protection stance on behalf of their citizens. Staffed-up offices of state regulators armed with a mandate and fresh budgets are likely to start becoming a standard fixture in the aftermath of a data breach.

When they call, what story will you have to tell them?

State Data Privacy Regulators Are Coming. What Story Will You Tell Them?

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing…

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing kits and other tools caused millions in losses and impacted countless victims.

U.S. and Dutch law enforcement have taken down a major Pakistani cybercrime network known as HeartSender, or Saim Raza. The takedown was part of Operation Heart Blocker in which authorities seized multiple domains and servers used by the group including Heartsender(.)com and Botsdetector(.)com.

Visitors to these sites are greeted with the following message: “This domain has been seized in accordance with a seizure warrant issued pursuant to 18 U.S.C. § 1030 in the United States District Court for the Southern District of Texas as part of a coordinated law enforcement operation and action by: The U.S. Department of Justice’s Computer Crime & Intellectual Property Section, the Federal Bureau of Investigation, and the Dutch National Police.”

Screenshot credit: Hackread.com

This takedown closely follows another international law enforcement action dubbed Operation Talent resulting in the seizure of two major online cybercrime-as-a-service marketplaces, Cracked and Nulled.

HeartSender specialized in developing and distributing cybercrime tools, including phishing kits for deceptive emails, credential-stealing software, and resources for large-scale spam campaigns. These tools were sold to other cybercriminals, enabling them to carry out a range of attacks. 

The US Department of Justice states that these tools are estimated to have caused over $3 million in losses to victims.  Furthermore, the seizure of HeartSender’s servers yielded millions of records containing sensitive information belonging to their victims.

HeartSender ran multiple online storefronts and used platforms like YouTube to promote its malicious products. The network specialized in offering a full suite of cybercrime tools, enabling criminals to automate and scale large-scale attacks worldwide. HeartSender also provided access to other compromised resources, such as cPanels, SMTP servers, and WordPress accounts, further expanding the scope of their illicit services.

Screenshot from HeartSender’s store – Credit: Hackread.com

The investigation leading to the takedown uncovered a vast trove of stolen data, including millions of victim records. Among them were around 100,000 login credentials belonging to individuals in the Netherlands, highlighting the widespread reach of HeartSender’s cybercrime operations.

Apart from law enforcement, HeartSender has been on the radar of cybersecurity researchers for years. Independent journalist Brian Krebs previously reported on the group’s operational security shortcomings, including malware infections within their own network and significant security vulnerabilities in their services. These vulnerabilities reportedly exposed customer data and internal operations to unauthorized access. 

Krebs notes that the group was called The Manipulators. Krebs reveals that Saim Raza “for the past decade has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” “FudCo,” etc.” Here FUD stands for Fully Un-Detectable.

The dismantling of HeartSender represents yet another victory in the ongoing fight against cybercrime, disrupting a key source of malicious tools and potentially preventing further harm to countless individuals and organizations.

HeartSender Cybercrime Network Dismantled in Joint US-Dutch Operation

Italy's data protection watchdog has blocked Chinese artificial intelligence (AI) firm DeepSeek's service within the country, citing a lack of information on its use of users' personal data.
The development comes days after the authority, the Garante, sent a series of questions to DeepSeek, asking about its data handling practices and where it obtained its training data.
In particular, it wanted

Italy Bans Chinese DeepSeek AI Over Data Privacy and Ethical Concerns

DeepSeek, a Chinese AI startup, exposed sensitive data by leaving a database open. Wiz Research found chat logs, keys, and backend details accessible.

DeepSeek, a Chinese AI company, has made a name for itself with its AI models that rival OpenAI’s systems. But along with its rise came a serious security issue as researchers at Wiz found that a database tied to the company was left publicly accessible, exposing over a million log entries, backend details, software keys, and more.

****How It Happened****

During a routine security assessment, researchers at Wiz discovered that DeepSeek had an unprotected ClickHouse database, open to anyone with internet access. This database wasn’t just visible; it allowed full control over stored data, meaning an attacker could manipulate or extract critical information without restriction.

The exposed database was linked to multiple subdomains, including:

dev.deepseek.com:9000

oauth2callback.deepseek.com:9000

ClickHouse is an open-source, columnar database management system designed to process analytical queries on large datasets quickly. Originally developed by Yandex, it’s widely used for real-time data analytics, log processing, and business intelligence.

According to Wiz’s blog post, its researchers were able to query the system without authentication, revealing a massive volume of logs containing:

*   **API keys**
*   **Chat histories**
*   **Backend service details**
*   **System operational metadata**

This wasn’t just a minor misconfiguration. The database contained detailed logs of internal system activity, exposing how DeepSeek’s AI tools operate and communicate. Worse yet, the exposure meant attackers could execute commands and extract even more sensitive data directly from the server.

****What Was at Risk?****

DeepSeek’s AI services process large amounts of user-generated data, meaning chat logs could have included personal or proprietary information. The database also stored API keys, which, in the wrong hands, could allow attackers to impersonate DeepSeek’s services or access further internal systems.

Given the expansion of AI startups, security often takes a backseat to development speed. In this case, a simple security lapse exposed valuable internal data, which could have been exploited by cybercriminals.

****DeepSeek’s Response****

Once notified by Wiz, DeepSeek moved quickly to lock down the database and remove public access. However, it remains unclear whether any unauthorized parties accessed the information before it was secured.

****DeepSeek: Privacy and Cybersecurity Concerns****

DeepSeek’s Chinese ownership has already raised concerns among Western governments, with some critics arguing that the chatbot collects excessive personal data, posing privacy risks. Adding to these worries, DeepSeek recently reported a “large malicious attack” that forced the company to suspend new user registrations. Now, with a publicly exposed database compromising sensitive information, the company faces yet another cybersecurity setback.

****Expert Opinion****

Gunter Ollmann, CTO at Cobalt, notes that situations like the DeepSeek issue happen often because the process of getting the product up and running takes priority over security. Also, since DeepSeek has taken a prominent place in the world of AI, the impact could have been huge for companies and individual users.

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security.” Explained Gunter. “Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs.”

DeepSeek AI Leaks Over a Million Chat Logs and Sensitive Data Online

Martin discusses how defenders can use threat intelligence to equip themselves against AI-based threats. Plus check out his introductory course to threat intelligence.

Thursday, January 30, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and myself in collaboration with Cisco’s Networking Academy have developed an introductory course to threat intelligence. This course is free for all, only registration is required, and is intended to give an overview of the domain for someone without prior knowledge which can be used as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it \[TECSEC-2003\]”, will present how managers can set-up a threat intelligence team as part of their arsenal against the bad guys and what can reasonably be expected.

**The one big thing**

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen increase in the use of such techniques during the second half of 2024.

**Why do I care?**

Parsers which are required for computers to understand text content, view the world very differently from humans. The human eye ignores text in miniscule font or can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser can see the gibberish that spammers have included to confuse them. Potentially the opposite is also true with humans seeing gibberish, but language parsing software seeing readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

**So now what?**

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Conversely, the presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious and can be classed as spam.

**Top security headlines of the week**

Another incident of an undersea telecommunications cable being cut in the Baltic was encountered. (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

**Can't get enough Talos?**

Today we released the new Cisco Talos Quarterly Trends Report - covering incidents from October to December 2024. The big call out? Threat actors are increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report - they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.  (Cisco Live EMEA)

**Most prevalent malware files of the week**

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:**https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_DetectionClaimed Product: 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Defeating Future Threats Starts Today

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services.

Image: Shutterstock, ArtHead.

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit — a sprawling network tied to Chinese organized crime gangs and aptly named “**Funnull**” — highlights a persistent whac-a-mole problem facing cloud services.

In October 2024, the security firm **Silent Push** published a lengthy analysis of how **Amazon AWS** and **Microsoft Azure** were providing services to Funnull, a two-year-old Chinese content delivery network that hosts a wide variety of fake trading apps, pig butchering scams, gambling websites, and retail phishing pages.

Funnull made headlines last summer after it acquired the domain name **polyfill\[.\]io**, previously the home of a widely-used open source code library that allowed older browsers to handle advanced functions that weren’t natively supported. There were still tens of thousands of legitimate domains linking to the Polyfill domain at the time of its acquisition, and Funnull soon after conducted a supply-chain attack that redirected visitors to malicious sites.

Silent Push’s October 2024 report found a vast number of domains hosted via Funnull promoting gambling sites that bear the logo of the **Suncity Group**, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean Lazarus Group.

In 2023, Suncity’s CEO was sentenced to 18 years in prison on charges of fraud, illegal gambling, and “triad offenses,” i.e. working with Chinese transnational organized crime syndicates. Suncity is alleged to have built an underground banking system that laundered billions of dollars for criminals.

It is likely the gambling sites coming through Funnull are abusing top casino brands as part of their money laundering schemes. In reporting on Silent Push’s October report, _TechCrunch_ obtained a comment from Bwin, one of the casinos being advertised en masse through Funnull, and Bwin said those websites did not belong to them.

Gambling is illegal in China except in Macau, a special administrative region of China. Silent Push researchers say Funnull may be helping online gamblers in China evade the Communist party’s “Great Firewall,” which blocks access to gambling destinations.

Silent Push’s **Zach Edwards** said that upon revisiting Funnull’s infrastructure again this month, they found dozens of the same Amazon and Microsoft cloud Internet addresses still forwarding Funnull traffic through a dizzying chain of auto-generated domain names before redirecting malicious or phishous websites.

Edwards said Funnull is a textbook example of an increasing trend Silent Push calls “infrastructure laundering,” wherein crooks selling cybercrime services will relay some or all of their malicious traffic through U.S. cloud providers.

“It’s crucial for global hosting companies based in the West to wake up to the fact that extremely low quality and suspicious web hosts based out of China are deliberately renting IP space from multiple companies and then mapping those IPs to their criminal client websites,” Edwards told KrebsOnSecurity. “We need these major hosts to create internal policies so that if they are renting IP space to one entity, who further rents it to host numerous criminal websites, all of those IPs should be reclaimed and the CDN who purchased them should be banned from future IP rentals or purchases.”

A Suncity gambling site promoted via Funnull. The sites feature a prompt for a Tether/USDT deposit program.

Reached for comment, Amazon referred this reporter to a statement Silent Push included in a report released today. Amazon said AWS was already aware of the Funnull addresses tracked by Silent Push, and that it had suspended all known accounts linked to the activity.

Amazon said that contrary to implications in the Silent Push report, it has every reason to aggressively police its network against this activity, noting the accounts tied to Funnull used “fraudulent methods to temporarily acquire infrastructure, for which it never pays. Thus, AWS incurs damages as a result of the abusive activity.”

“When AWS’s automated or manual systems detect potential abuse, or when we receive reports of potential abuse, we act quickly to investigate and take action to stop any prohibited activity,” Amazon’s statement continues. “In the event anyone suspects that AWS resources are being used for abusive activity, we encourage them to report it to AWS Trust & Safety using the report abuse form. In this case, the authors of the report never notified AWS of the findings of their research via our easy-to-find security and abuse reporting channels. Instead, AWS first learned of their research from a journalist to whom the researchers had provided a draft.”

Microsoft likewise said it takes such abuse seriously, and encouraged others to report suspicious activity found on its network.

“We are committed to protecting our customers against this kind of activity and actively enforce acceptable use policies when violations are detected,” Microsoft said in a written statement. “We encourage reporting suspicious activity to Microsoft so we can investigate and take appropriate actions.”

**Richard Hummel** is threat intelligence lead at **NETSCOUT**. Hummel said it used to be that “noisy” and frequently disruptive malicious traffic — such as automated application layer attacks, and “brute force” efforts to crack passwords or find vulnerabilities in websites — came mostly from botnets, or large collections of hacked devices.

But he said the vast majority of the infrastructure used to funnel this type of traffic is now proxied through major cloud providers, which can make it difficult for organizations to block at the network level.

“From a defenders point of view, you can’t wholesale block cloud providers, because a single IP can host thousands or tens of thousands of domains,” Hummel said.

In May 2024, KrebsOnSecurity published a deep dive on Stark Industries Solutions, an ISP that materialized at the start of Russia’s invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia. Experts said much of the malicious traffic  traversing Stark’s network (e.g. vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers.

Stark’s network has been a favorite of the Russian hacktivist group called **NoName057(16)**, which frequently launches huge distributed denial-of-service (DDoS) attacks against a variety of targets seen as opposed to Moscow. Hummel said NoName’s history suggests they are adept at cycling through new cloud provider accounts, making anti-abuse efforts into a game of whac-a-mole.

“It almost doesn’t matter if the cloud provider is on point and takes it down because the bad guys will just spin up a new one,” he said. “Even if they’re only able to use it for an hour, they’ve already done their damage. It’s a really difficult problem.”

Edwards said Amazon declined to specify whether the banned Funnull users were operating using compromised accounts or stolen payment card data, or something else.

“I’m surprised they wanted to lean into ‘We’ve caught this 1,200+ times and have taken these down!’ and yet didn’t connect that each of those IPs was mapped to \[the same\] Chinese CDN,” he said. “We’re just thankful Amazon confirmed that account mules are being used for this and it isn’t some front-door relationship. We haven’t heard the same thing from Microsoft but it’s very likely that the same thing is happening.”

Funnull wasn’t always a bulletproof hosting network for scam sites. Prior to 2022, the network was known as **Anjie CDN**, based in the Philippines. One of Anjie’s properties was a website called **funnull\[.\]app**. Loading that domain reveals a pop-up message by the original Anjie CDN owner, who said their operations had been seized by an entity known as **Fangneng CDN** and **ACB Group**, the parent company of Funnull.

A machine-translated message from the former owner of Anjie CDN, a Chinese content delivery network that is now Funnull.

“After I got into trouble, the company was managed by my family,” the message explains. “Because my family was isolated and helpless, they were persuaded by villains to sell the company. Recently, many companies have contacted my family and threatened them, believing that Fangneng CDN used penetration and mirroring technology through customer domain names to steal member information and financial transactions, and stole customer programs by renting and selling servers. This matter has nothing to do with me and my family. Please contact Fangneng CDN to resolve it.”

In January 2024, the **U.S. Department of Commerce** issued a proposed rule that would require cloud providers to create a “Customer Identification Program” that includes procedures to collect data sufficient to determine whether each potential customer is a foreign or U.S. person.

According to the law firm **Crowell & Moring LLP**, the Commerce rule also would require “infrastructure as a service” (IaaS) providers to report knowledge of any transactions with foreign persons that might allow the foreign entity to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

“The proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space,” Crowell wrote. “To the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.”

It remains unclear if the new White House administration will push forward with the requirements. The Commerce action was mandated as part of an executive order President Trump issued a day before leaving office in January 2021.

Infrastructure Laundering: Blending in with the Cloud

Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations.
"Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat

Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations

Whether by intercepting its traffic or just giving it a little nudge, GitHub's AI assistant can be made to do malicious things it isn't supposed to.

Source: Mykhailo Polenok via Alamy Stock Photo

Researchers have discovered two new ways to manipulate GitHub's artificial intelligence (AI) coding assistant, Copilot, enabling the ability to bypass security restrictions and subscription fees, train malicious models, and more.

The first trick involves embedding chat interactions inside of Copilot code, taking advantage of the AI's instinct to be helpful in order to get it to produce malicious outputs. The second method focuses on rerouting Copilot through a proxy server in order to communicate directly with the OpenAI models it integrates with.

Researchers from Apex deem these issues vulnerabilities. GitHub disagrees, characterizing them as "off-topic chat responses," and an "abuse issue," respectively. In response to an inquiry from Dark Reading, GitHub wrote, "We continue to improve on safety measures in place to prevent harmful and offensive outputs as part of our responsible AI development. Furthermore, we continue to invest in opportunities to prevent abuse, such as the one described in Issue 2, to ensure the intended use of our products."

**Jailbreaking GitHub Copilot**

"Copilot tries as best as it can to help you write code, \[including\] everything you write inside a code file," Fufu Shpigelman, vulnerability researcher at Apex explains. "But in a code file, you can also write a conversation between a user and an assistant."

In the screenshot below, for example, a developer embeds within their code a chatbot prompt, from the perspective of an end user. The prompt carries ill intent, asking Copilot to write a keylogger. In response, Copilot suggests a safe output denying the request:

Source: Apex

The developer, however, is in full control over this environment. They can simply delete Copilot's autocomplete response, and replace it with a malicious one.

Or, better yet, they can influence Copilot with a simple nudge. As Shpigelman notes, "It's designed to complete meaningful sentences. So if I delete the sentence 'Sorry, I can't assist with that,' and replace it with the word 'Sure,' it tries to think of how to complete a sentence that starts with the word 'Sure.' And then it helps you with your malicious activity as much as you want." In other words, getting Copilot to write a keylogger in this context is as simple as gaslighting it into thinking it wants to.

Source: Apex

A developer could use this trick to generate malware, or malicious outputs of other kinds, like instructions on how to engineer a bioweapon. Or, perhaps, they could use Copilot to embed these sorts of malicious behaviors into their own chatbot, then distribute it to the public.

**Breaking Out of Copilot Using a Proxy**

To generate novel coding suggestions, or process a response to a prompt — for example, a request to write a keylogger — Copilot engages help from cloud-based large language models (LLM) like Claude, Google Gemini, or OpenAI models, via those models' application programming interfaces (APIs).

The second scheme Apex researchers came up with allowed them to plant themselves in the middle of this engagement. First they modified Copilot's configuration, adjusting its "github.copilot.advanced.debug.overrideProxyUrl" setting to redirect traffic through their own proxy server. Then, when they asked Copilot to generate code suggestions, their server intercepted the requests it generated, capturing the token Copilot uses to authenticate with OpenAI. With the necessary credential in hand, they were able to access OpenAI's models without any limits or restrictions, and without having to pay for the privilege.

And this token isn't the only juicy item they found in transit. "When Copilot \[engages with\] the server, it sends its system prompt, along with your prompt, and also the history of prompts and responses it sent before," Shpigelman explains. Putting aside the privacy risk that comes with exposing a long history of prompts, this data contains ample opportunity to abuse how Copilot was designed to work.

A "system prompt" is a set of instructions that defines the character of an AI — its constraints, what kinds of responses it should generate, etc. Copilot's system prompt, for example, is designed to block various ways it might otherwise be used maliciously. But by intercepting it en route to an LLM API, Shpigelman claims, "I can change the system prompt, so I won't have to try so hard later to manipulate it. I can just \[modify\] the system prompt to give me harmful content, or even talk about something that is not related to code."

For Tomer Avni, co-founder and CPO of Apex, the lesson in both of these Copilot weaknesses "is not that GitHub isn't trying to provide guardrails. But there is something about the nature of an LLM, that it can always be manipulated no matter how many guardrails you're implementing. And that's why we believe there needs to be an independent security layer on top of it that looks for these vulnerabilities."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

New Jailbreaks Allow Users to Manipulate GitHub Copilot

The sudden rise of DeepSeek has raised questions of data origin, data destination, and the security of the new AI model.

The sudden rise of DeepSeek has raised concerns and questions, especially about the origin and destination of the training data, as well as the security of the data.

For those returning from a short holiday away from the news, DeepSeek is a new player on the Artificial Intelligence (AI) field. The Chinese startup has certainly taken the app stores by storm: In just a week after the launch it topped the charts as the most downloaded free app in the US. This caused an upset on the stock markets that cost nVidia and Oracle shareholders a lot of money.

DeepSeek has been called an open-source project, however this technically is not true because only the model’s outputs and certain aspects are publicly accessible. This makes it qualify as an open-weight model. Anyway, the important difference is that the underlying training data and code necessary for full reproduction of the models are not fully disclosed.

And it’s the data that pose a concern to many. OpenAI has accused DeepSeek of using its ChatGPT model to train DeepSeek’s AI chatbot, which triggered quite some memes. If only because OpenAI previously suffered accusations of using data that was not its own in order to train ChatGPT.

Authorities have started to ask questions as well. The Italian privacy regulator GPDP has asked DeepSeek to provide information about the data it processes in the chatbot, and its training data.  Because it sees a risk to the privacy of millions of Italian citizens, GDPD has demanded DeepSeek answers within 20 days questions about:

*   Which personal data is collected
*   The origin of the data
*   Purpose for the collection
*   Whether the data is stored on servers in China

According to the Italian press agency ANSA, DeepSeek disappeared on January 29, 2025 from Google and Apple’s app stores in Italy.

And if all that isn’t scary enough, researchers at Wiz have found a publicly accessible database belonging to DeepSeek.

> “This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details. “

The database was not just accessible and readable, it was also open to control and privilege escalation within the DeepSeek environment. No authentication was required, so anybody that stumbled over the database was able to run queries to retrieve sensitive logs and actual plaintext chat messages, and even to steal plaintext passwords and local files.

Needless to say, this oversight put DeepSeek and its users at risk.

We have said this before and we’ll probably have to repeat it numerous times, but the need for fast developments in this field is creating privacy risks that we have never seen before, simply because security is an afterthought for the developers. So, no matter which AI chatbot you prefer, always be mindful of the information you feed it: It may find its way to unexpected and undesirable places.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 The DeepSeek controversy: Authorities ask where does the data come from and how safe is it? 

Buzzy Chinese artificial intelligence (AI) startup DeepSeek, which has had a meteoric rise in popularity in recent days, left one of its databases exposed on the internet, which could have allowed malicious actors to gain access to sensitive data.
The ClickHouse database "allows full control over database operations, including the ability to access internal data," Wiz security researcher Gal

Tag

#intel