The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

Source: JHVEPhoto via Alamy Stock Photo

Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that's still making waves today.

Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the autological FortiSwitchManager. Earning a "critical" 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit, a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre "Belsen Group" released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, "Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025."

Related:Extension Poisoning Campaign Highlights Gaps in Browser Security

**Possible Clues to Belsen Group's Origins**

"2025 will be a fortunate year for the world," the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it's in Ukraine's annexed Crimea region.

Related:Trend Micro and Intel Innovate to Weed Out Covert Threats

These points of data may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded "with high confidence" that it has been around for at least three years now, and that "They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet."

**What's the Cyber-Risk?**

The leaked listings contain two types of folders. The first, "config.conf," contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization's firewall rules. This data was stolen via CVE-2022-40684. In the other folder, "vpn-password.txt," are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.

Though the data is all rather aged by now, Beaumont wrote, "Having a full device config including all firewall rules is … a lot of information." CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations' internal network structures that may still apply today.

Related:Zivver Report Reveals Critical Challenges in Email Security for 2025

Organizations also often don't cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old authentications matched those still in use.

Fortinet, for its part, tried to quell concerns in a security analysis published on Jan. 16. "If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor's disclosure is small," it explained.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

15K Fortinet Device Configs Leaked to the Dark Web

Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing…

Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing geo-restrictions and the impact on innovation and users.

Artificial intelligence tools are being widely integrated with many tools and activities as people begin noticing their benefits. The majority of companies around the world are using AI actively or exploring its use in some form. This means many startups and big corporations are actively testing new forms of AI and applying them to make life easier for everyone often except for Europe (in this article, don’t associate the word with continental Europe, as we discuss the circumstances within the European Union).

Many popular AI tools like OpenAI’s Sora and Meta AI are not available to European users. The main reasons behind their unavailability are due to regulatory frameworks and operational constraints. But does this mean European users are completely left out of using AI tools? Not really.

In this blog, we are going to look at why many new AI tools aren’t available in Europe and some tips to access them. 

****Bypassing The Geo-Restrictions****

AI tools are not available in Europe and the only way to access them is by using a strong proxy or third-party service. It can be quite surprising for people outside Europe to be denied access to popular AI tools since they are available elsewhere. For example, people from around the world, including Europe can use US-based proxies to get access to these platforms and enjoy using AI without any difficulties.

The proxy will act as a middleman between your device and the website and make it look like you are using the AI from the US itself. This not only improves accessibility but also has additional benefits of enhanced connection and improved security. This means businesses or even individuals who travel frequently and still require uninterrupted access to popular AI tools like Sora can use the help of proxies.

****Why Are AI Tools Restricted In Europe?****

Most AI tools are restricted in Europe due to the regulations the continent has, mainly in the form of the General Data Protection Regulation (GDPR). The GDPR ensures that all citizens and users within Europe are protected from unnecessary data tampering and misuse, but it also puts a heavy burden on tech companies. Since an AI platform requires data to be used for machine learning, the GDPR prevents tech companies from processing data in the traditional way which can harm the user’s privacy. This results in a delay in deploying the AI and hence the unavailability.

Take OpenAI’s Sora as an example. It has recently come into the news regarding its unavailability in Europe, and that is mainly due to compliance issues. Sora is a platform that uses advanced immersive AI to create hyper-realistic videos with simple prompts. This can create a revolution in terms of education and digital marketing. However, concerns regarding how the user data is collected, processed, and stored have delayed its deployment.

****What Europe Is Missing Out On****

With these restrictions, Europe is missing out on several advanced AI tools that are popular elsewhere. OpenAI’s Sora comes to mind first since it’s a relatively new AI that is available in most countries as of now and offers some hyper-realistic visuals with real-time prompts. Meta AI is also popular as it offers an entire suite for developers and consumers alike to enhance their social media experience and recommendations.

Some AI models are still available in Europe, like Jasper AI. The platform works similarly to ChatGPT but has more of a creative edge making it perfect for creative tasks like writing or brainstorming. JasperAI was initially unavailable due to GDPR laws, but after three years of continuous negotiations, the platform is now approved under the AI Act. This goes to show that Europe still has the potential to allow AI systems to run for European marketers.

****How AI Restrictions Affect Innovation****

Europe is pretty rigorous about its data regulation laws and user privacy; it’s a good thing to protect users but it also has its negative sides with companies unable to operate as they could. These restrictions can result in technological gaps between regions where businesses in the US can gain a competitive edge to streamline operations and enhance productivity. This not only results in a global challenge but also forces companies within Europe to look at less-productive alternatives.

The unavailability of AI tools in Europe is a pressing issue that is still being negotiated between lawmakers and developers. Even though AI has its share of downsides regarding data use, Europe needs to find a solution that aligns it with the globe in terms of AI. Since many things in our digitized world are connected, the unavailability of the latest technologies in the EU member countries may have an impact on digital nomads too, who choose to work from Europe.

As the EU also has initiatives to attract nomads, it will likely loosen some restrictions in the future, particularly those applicable in the early stages of new technology releases, while keeping user privacy at the forefront.

Top/Featured Image via FreePik

Why Many New AI Tools Aren’t Available In Europe – And How To Access Them

A highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.

Source: Daniren via Alamy Stock Photo

A suspected Russia-nexus threat actor has been executing convincing spear phishing attacks against diplomatic entities in Kazakhstan.

UAC-0063, active since at least 2021, was first documented by Ukraine's Computer Emergency Response Team (CERT-UA) in 2023. With medium confidence, CERT-UA tied it to APT28 (aka Fancy Bear, Forest Blizzard, Strontium, Sofacy), from the General Staff Main Intelligence Directorate (GRU) Military Unit 26165. APT28 is best known for its high-profile attacks against Western governments: the Democratic National Committee (DNC) hack of 2016, campaigns against parliamentary bodies in Germany, Norway, and the Netherlands, and much more.

UAC-0063, specifically, has used cyber operations to collect intelligence from government entities, nongovernmental organizations (NGOs), academic institutions, and energy and defense organizations in Eastern Europe — most notably Ukraine — as well as Central Asia, including Kazakhstan, Kyrgyzstan, Tajikistan, and other countries in the vicinity, including Israel and India.

Its latest ongoing campaign, which, in a blog post, researchers from Sekoia date back to at least 2022, may fold into a broader effort by Vladimir Putin's government to gain strategic insights into, and advantage over, a former Soviet state that has sought to broaden its diplomatic horizons in recent years.

**Phishing Kazakh Diplomats**

On Oct. 16, 2024 — one month after it'd been deployed in the wild — researchers spotted a diplomatic document uploaded to VirusTotal. It appeared to be a legitimate draft of a joint declaration between the chancellor of Germany and heads of Central Asian countries.

"The first step, when you open this document, is that it asks you to enable macros," recalls Amaury Garçon, cyber threat intelligence (CTI) analyst at Sekoia Threat Detection & Research (TDR), adding that the document was obscured by "shapes" at first sight. "Some phishing documents look really ugly or have a bad shape \[at first\] — they prompt the user to enable macros, because if you don't enable macros you can't write text in the document, can't move images, etc.," he notes.

Clicking "enable" would trigger various malicious, unseen commands on a target device. While the user was made privy to the full, unadulterated lure document, in the background their security settings would be downgraded so as to remove the need for future "enable macros" prompts. Next a second, blank document was created and opened by a hidden instance of Microsoft Word. The Visual Basic (VB) code associated with this hidden document — now enabled by default, of course — dropped and executed a malicious HTML application (HTA) containing a backdoor named "HatVibe."

The purpose of HatVibe is to receive and execute code from a remote server. Though Sekoia couldn't identify the payloads associated with this phishing campaign, CERT-UA has previously observed HatVibe downloading and executing a more complex Python backdoor named "CherrySpy."

**What This Means for Kazakhstan and Russia**

Six weeks after researchers spotted the first VirusTotal upload associated with this campaign, on Nov. 27, Putin went on a two-day state visit to the country he deemed Russia's "true ally," Kazakhstan. He and Kazakhstan's president, Kassym-Jomart Tokayev, used the opportunity afforded by the Collective Security Treaty Organization (CSTO) summit to discuss various areas for economic partnership — particularly around the energy sector — and signed agreements over energy, education, and transportation.

"Central Asia is a real point of interest for Russian influence," Maxime Arquillière, senior CTI analyst at Sekoia TDR explains. "We know that Kazakhstan is a close ally, but since the beginning of the Ukraine war, Kazakhstan has distanced itself a little bit from Russia, trying to develop new connections with both Western states and also China."

Kazakhstan's centrality in the Asian continent positions it nicely as a trade bridge between China and Europe, particularly while Ukraine and Russia are consumed by war. And as Sekoia notes in its blog, the country's gradually broadening geopolitical ties are evident in recent agreements with Mongolia and Afghanistan's new Taliban government, and, most notably, its balanced position on the war in Ukraine — supporting Ukraine's right to territorial integrity without outright condemning Russia's invasion.

This latest cyber campaign, then, fits neatly into Russia's broader initiatives with regard to its Central Asian neighbor. Sekoia identified 11 lure documents in all, each one legitimate and likely having originated with Kazakhstan's Ministry of Foreign Affairs, pertaining to diplomatic business between Kazakhstan and potential partner nations.

Exactly how the threat actor obtained these documents is not known. They include, for example:

*   Letters from Kazakhstan's embassies in Afghanistan and Belgium, regarding diplomatic and economic developments.
    
*   A draft of a joint statement between Germany and Central Asian states, following a Sept. 16, 2024, summit in Astana.
    
*   Administrative reports and briefings on the Kazakh president's visits to Mongolia and New York.
    

"It's really coherent with the \[need for\] Russian intelligence to conduct this kind of cyber espionage, to know about the strategic interests between Kazakhstan and European states," Arquillière says.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Russian APT Phishes Kazakh Gov't for Strategic Intel

A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption.

The United States telecom giant AT&T disclosed a breach in July involving call and text messaging logs from six months in 2022 of “nearly all” its more than 100 million customers. In addition to exposing personal communication details for a slew of individual Americans, though, the FBI has been on alert that its agents’ call and text records were also included in the breach. A document seen and first reported by Bloomberg indicates that the bureau has been scrambling to mitigate any potential fallout that could lead to revelations about the identities of anonymous sources connected to investigations.

The breached data didn't include the content of calls and texts, but Bloomberg reports that it would have shown communication logs for agents' mobile numbers and other phone numbers they used during the six months period. It is unclear how widely the stolen data has spread, if at all. WIRED reported in July that after the hackers attempted to extort AT&T, the company paid $370,000 in an attempt to have the data trove deleted. In December, US investigators charged and arrested a suspect who reportedly was behind the entity that threatened to leak the stolen data.

The FBI tells WIRED in a statement: “The FBI continually adapts our operational and security practices as physical and digital threats evolve. The FBI has a solemn responsibility to protect the identity and safety of confidential human sources, who provide information every day that keeps the American people safe, often at risk to themselves.”

AT&T spokesperson Alex Byers says in a statement that the company “worked closely with law enforcement to mitigate impact to government operations” and appreciates the “thorough investigation” they conducted. “Given the increasing threat from cybercriminals and nation-state actors, we continue to increase investments in security as well as monitor and remediate our networks,” Byers adds.

The situation is surfacing amid ongoing revelations about a different hacking campaign perpetrated by China's Salt Typhoon espionage group, which compromised a slew of US telecoms, including AT&T. This separate situation exposed call and text logs for a smaller group of specific high-profile targets, and in some cases included recordings as well as information like location data.

As the US government has scrambled to respond, one recommendation from the FBI and the Cybersecurity and Infrastructure Security Agency has been for Americans to use end-to-end encrypted platforms—like Signal or WhatsApp—to communicate. Signal in particular stores almost no metadata about its customers and would not reveal which accounts have communicated with each other if it were breached. The suggestion was sound advice from a privacy perspective, but was very surprising given the US Justice Department's historic opposition to the use of end-to-end encryption. If the FBI has been grappling with the possibility that its own informants may have been exposed by a recent telecom breach, though, the about-face makes more sense.

If agents were following protocol for investigative communications strictly, though, the stolen AT&T call and text logs shouldn't pose a big threat, says former NSA hacker and Hunter Strategy vice president of research Jake Williams. Standard operating procedure should be designed to account for the possibility that call logs could be compromised, he says, and should require agents to communicate with sensitive sources using phone numbers that have never been linked to them or the US government. The FBI could be warning about the AT&T breach out of an abundance of caution, Williams says, or it may have discovered that agents' mistakes and protocol errors were captured in the stolen data. “This wouldn't be a counterintelligence issue unless someone was not following procedure,” he says.

Williams adds, too, that while the Salt Typhoon campaigns are only known to have impacted a relatively small group of people, they affected many telecoms, and the full impact of those breaches still may not be known.

“I worry about the FBI sources who might have been affected by this AT&T exposure, but more broadly the public still doesn't have a full understanding of the fallout of the Salt Typhoon campaigns,” Williams says. “And it seems that the US government is still working on getting a grasp of that as well.”

Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants

New order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?

Source: UPI via Alamy Stock Photo

As President Biden prepares to hand over the government to the incoming Trump administration, he has issued a new cybersecurity executive order (EO) outlining an aggressive cyber-defense plan for today's most dangerous national cyber threats — including China, and rampant software supply chain vulnerabilities across government and the private sector.

Sweeping and ambitious, the EO reads like a detailed US cybersecurity status report from the Biden administration, focused on laying groundwork for the incoming team. And with threats on the rise across the world, party affiliation and partisan predilections aside, America and Americans' cybersecurity relies on a smooth handoff from Biden to Trump, experts say.

The signs are positive so far. The order is a reflection of a forthright and responsible transition to the Trump administration, according to Tom Cross, a cybersecurity strategist at WitFoo.

"Cybersecurity is not a partisan issue — everyone in the United States has a shared interest in protecting our nation against foreign cyber threats, such as spying and network disruption," Cross wrote in a statement responding to the new Biden cybersecurity executive order. "By issuing this EO now, the Biden administration is able to put its best thinking on these topics in motion, giving the Trump administration time to put new leaders in place and develop its strategy going forward.”

The EO is a bookend to Biden's 2021 cybersecurity executive order, issued early in his term, and reflects a country plagued by a new set of geopolitical adversaries armed with increasingly sophisticated technology, including generative artificial intelligence (GenAI).

The order acknowledges the brazen rise in malicious cyber activity from China, including breaches of the US Treasury and at least nine telecommunications networks in a vast espionage operation carried out by Salt Typhoon and other advanced persistent threats (APTs) sponsored by the Chinese government. While the EO only covers federal agencies, the Biden administration has long used federal cybersecurity policies and resources as a way to push the private sector into adopting more secure standards in turn.

"The Biden administration’s latest cyber executive order is focused on securing critical infrastructure, adopting AI for defense, and transitioning to post-quantum cryptography with an ambitious agenda," Andrew Borene, executive director of global security for Flashpoint and a former Office of the Director of National Intelligence (ODNI) senior official, tells Dark Reading. "However, the real power of this executive order may lie in its ability to institutionalize some best practices as American multinational businesses and government agencies face a new Cold War's dangerous digital environment."

**Securing the Federal Software Supply Chain, Cloud, Space**

Biden's latest EO starts with the federal software supply chain, mandating that agencies develop secure software acquisition standards and only do business with software vendors that can attest to secure development practices and provide evidence of compliance with those standards. Within the next 60 days, a consortium is ordered to be convened, including the cecretary of commerce and National Institute of Standards and Technology (NIST) officials, to develop those standards, which will include practices, procedures, controls, and implementation examples, according to the EO.

Federal agencies were also ordered to implement NIST supply chain risk management practices. The Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) will evaluate how to securely manage open source software inside federal networks.

Biden's order additionally addresses emerging attack surfaces across the federal government, including cloud and space/satellite systems, and calls for the implementation of identity and access management (IAM) practices across agencies.

On the cloud front, the order mandates that FedRAMP marketplace service providers such as Google or Amazon provide federal agencies with recommendations on cloud configuration.

"I am particularly happy to see that cloud providers will be required to publish information to clients on how to operate securely," Chris Hauk, consumer privacy champion at Pixel Privacy, wrote in a statement. "Too many data breaches have been due to misconfigured cloud data buckets, many times leaving the data stored in those buckets open to anyone with an Internet connection and a little bit of knowledge."

Space systems meanwhile are ordered to receive continuous analysis to ensure US systems are keeping up with the latest threats, the EO explained.

"As cybersecurity threats to space systems increase, these systems and their supporting digital infrastructure must be designed to adapt to evolving cybersecurity threats and operate in contested environments," the EO reads. "In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation."

**Securing Federal Communications**

China's espionage activities have highlighted the need to secure federal communications networks, according to the EO. The Biden administration thus has established guidelines for shoring up communications network cybersecurity, including implementing identity controls, encrypting DNS traffic, and encrypting all emails, voice, video, and messaging.

Regarding cryptography, the Biden EO said new rules for protecting and auditing cryptographic keys will be developed by NIST. Further, agencies should require post-quantum cryptography, where applicable, the EO states.

These cryptography and authentication controls requirements are also applicable to other critical national security systems, Flashpoint's Borene points out.

"From energy grids to satellites, the directive emphasizes the need to secure the systems that underpin our national security and daily life," he adds. "The push for universal encryption and authentication protocols is particularly timely, given the frequency and scale of recent attacks."

**Unleashing AI to Secure Critical Infrastructure**

Artificial Intelligence must be deployed to protect US critical infrastructure from cyberattack, according to the Biden EO. The order establishes a program to explore the use of AI to bolster US cyber defenses and push for additional research.

And indeed, AI will place an increasing role in protecting the US from cyberattacks in the future, according to Christian Geyer, CEO and founder of Actfore.

"While it's crucial to recognize the expanding attack surface that AI may bring, we can be optimistic about the incredible potential it holds for enhancing security and efficiency," Geyer wrote in a statement. "The main challenge lies in navigating the complexities of government processes, but with the right approach, these challenges can be overcome, ensuring that technology initiatives are both effective and secure."

Ransomware and the development of digital identification for secure online transactions are also included in the Biden administration's cybersecurity wish list.

The EO is clearly comprehensive and wide-ranging. But without buy-in from Trump's cyber team, many of the EO's efforts could be stymied, researchers warn. It's unclear for now how it will go.

The Trump administration has already signaled a distaste for regulation, and put it into practice throughout Trump's first term, according to Coleman Mehta, head of global public policy and strategy at Infoblox. Yet, he was willing to build on previous cybersecurity policies from the Obama administration.

"Similarly, President Biden often built on policies set by Trump," Mehta tells Dark Reading. "The fundamentals of that continuity should stay the same; focus on the threat from Chinese cyber adversaries, strengthen supply chain security, and continue to build public-private collaboration."

During his recent Senate confirmation hearings for secretary of state, Sen. Marco Rubio (R-Fla.) indicated an interest in seeing policy changes that address the global cyber supply chain threat, Flashpoint's Borene points out.

"Looking ahead, the new administration inherits a world of rapidly escalating state threats from adversaries like China, Russia, Iran, along with a growing network of cyber proxies and even transnational criminal extortion groups," Borene says. "A well-executed handoff of some of the executive order’s provisions could bolster US cyber defenses at a time when proactive information security has never been more critical."

Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense

PRESS RELEASE

SALT LAKE CITY — January 13, 2025 — Ivanti, the software company that breaks down barriers between IT and security so that Everywhere Work can thrive, has appointed seasoned tech leader, Karl Triebes, as Chief Product Officer. In his new role, Triebes will focus on ensuring that Ivanti’s product strategy aligns with the company’s long-term goals, drives innovation, and enhances customer satisfaction.

Triebes’ appointment comes at a pivotal time for Ivanti, as the company continues to expand its footprint in the IT management and security landscape. His extensive experience and visionary approach are expected to ensure the company remains at the forefront of delivering high-quality technology solutions.

“I am thrilled to join Ivanti at such an exciting time in the company’s journey,” said Karl Triebes. “Ivanti's commitment to innovation and customer-centric approach align perfectly with my vision for product development. I look forward to working with the talented team at Ivanti to drive our product strategy forward, enhance our engineering capabilities, and deliver exceptional solutions to our customers.”

He joins Ivanti with over 30 years of extensive experience in technology leadership and product development. Throughout his career, Karl has held pivotal roles in several high-profile technology companies such as F5, Amazon and Imperva. In these positions, he has consistently demonstrated a strong prowess in engineering, product strategy, and driving business growth. His seasoned leadership and innovative vision have been instrumental in advancing technology solutions and enhancing product portfolios.

His strategic oversight will ensure that Ivanti’s products not only meet but exceed the expectations of customers, driving sustained business growth and solidifying Ivanti’s position as a leader in the industry.

“Customer satisfaction is at the heart of everything we do,” Triebes added. “By focusing on innovation and maintaining a customer-centric approach, we can develop products that not only solve current challenges but also anticipate future needs. I am eager to lead Ivanti in this direction and contribute to the company’s continued success.”

Ivanti’s CEO, Dennis Kozak, stated, “We are delighted to welcome Karl to the Ivanti team. His extensive experience and proven track record in technology leadership make him the perfect fit for our organization. We are confident that under his guidance, Ivanti will continue to innovate and deliver exceptional solutions to our customers.”

About Ivanti

Ivanti breaks down barriers between IT and security so that Everywhere Work can thrive. Ivanti has created the first purpose-built technology platform for CIOs and CISOs – giving IT and security teams comprehensive software solutions that scale with their organizations’ needs to enable, secure and elevate employees' experiences. The Ivanti platform is powered by Ivanti Neurons - a cloud-scale, intelligent hyper automation layer that enables proactive healing, user-friendly security across the organization, and provides an employee experience that delights users. Over 35,000 customers, including 85 of the Fortune 100, have chosen Ivanti to meet challenges head-on with its end-to-end solutions. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued and are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit www.ivanti.com and follow @GoIvanti.

Karl Triebes Joins Ivanti as Chief Product Officer

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

The digital era has revolutionized how businesses operate, bringing unprecedented opportunities and challenges. Among the most pressing challenges are the ever-growing and sophisticated cyber threats. From crippling ransomware attacks to insidious phishing campaigns, organizations face a mounting need to defend their digital assets effectively.

In this complex landscape, threat detection, investigation, and response (TDIR) has become a cornerstone of modern cybersecurity. Unlike traditional, siloed approaches, TDIR integrates advanced technologies, skilled professionals, and well-defined processes into a unified framework. This holistic strategy empowers organizations to anticipate, identify, and address threats swiftly, fortifying both their security posture and operational resilience.

**Threat Detection: The First Line of Defense**

Cybersecurity begins with visibility — the ability to identify anomalies before they evolve into full-blown incidents. Threat detection serves as a digital sentinel, continuously monitoring systems for suspicious activities or deviations from the norm.

Take, for example, an instance where an employee's account starts downloading large volumes of sensitive data during non-business hours. While this may appear routine, sophisticated detection tools like security information and event management (SIEM) or endpoint detection and response (EDR) systems can flag such behavior as potentially malicious. These tools analyze vast amounts of data in real-time, enabling security teams to prioritize and respond to critical alerts.

**Real-World Applications of Threat Detection**

*   Phishing attacks: A SIEM solution identifies multiple failed log-in attempts from international IP addresses, signaling a targeted phishing campaign.
    
*   Ransomware: EDR platforms detect unusual file encryption patterns, catching ransomware in its early stages.
    
*   Insider threats: User and entity behavior analytics (UEBA) uncover unauthorized attempts to access sensitive files, potentially indicating insider malfeasance.
    

**Investigation: Unveiling the Bigger Picture**

Detection alone is not enough. Once a potential threat is identified, the investigation phase provides the context necessary to understand its origin, scope, and potential impact. This process is akin to piecing together a digital jigsaw puzzle to form a coherent narrative of the attack.

**Case Study**

A supply chain attack compromises an organization's network via a vulnerable third-party vendor. An investigation reveals that attackers exploited outdated software in the vendor's systems to gain unauthorized access.

During this phase, security teams leverage tools such as extended detection and response (XDR) platforms to correlate events, validate alerts, and construct a detailed timeline of the incident.

**Key Techniques in Threat Investigation**

*   Root cause analysis: Identifying vulnerabilities such as unpatched software or weak passwords.
    
*   Event correlation: Connecting seemingly unrelated events, such as unusual file transfers and login attempts, to reveal a coordinated attack.
    
*   Threat intelligence integration: Enriching investigations with external threat data to understand attacker tactics and methodologies.
    

**Response: Neutralizing the Threat**

The final phase of TDIR is response — an organized effort to contain, mitigate, and recover from the threat. The success of this phase hinges on speed, precision, and collaboration across teams.

**Example Scenario**

A university detects a ransomware attack encrypting files across its network. The incident response team acts swiftly to isolate infected systems, restore critical data from secure backups, and patch vulnerabilities exploited by the attackers. Post-incident, the university implements enhanced email filtering and endpoint protection to prevent future attacks.

**Key Response Strategies**

*   Containment: Isolating affected accounts or systems to limit the threat's impact.
    
*   Remediation: Eliminating malicious code, closing security gaps, and strengthening defenses.
    
*   Recovery: Restoring normal operations through reliable backups while leveraging lessons learned to refine future response protocols.
    

**The Value of TDIR in Modern Cybersecurity**

Organizations that adopt a comprehensive TDIR framework gain a competitive edge in cybersecurity. Here are some of the key benefits:

*   Enhanced visibility: Continuous monitoring across endpoints, networks, and cloud environments ensures a clear understanding of the security landscape.
    
*   Faster response times: Automated workflows and well-defined playbooks reduce the time taken to address incidents, minimizing damage.
    
*   Cost savings: Early detection and efficient response mechanisms lower the financial and reputational costs of breaches.
    
*   Regulatory compliance: A robust TDIR framework supports adherence to compliance standards like GDPR, HIPAA, and CCPA by ensuring effective threat management.
    

**TDIR in Action: Learning From Real-World Scenarios**

*   Healthcare data breach: A hospital responds to a ransomware attack by isolating compromised systems, restoring data from secure backups, and enhancing access controls to prevent recurrence.
    
*   Retail supply chain attack: A retailer mitigates a breach caused by a third-party vendor by implementing stronger third-party risk management practices and network segmentation.
    
*   Insider threat in banking: A financial institution uncovers unauthorized actions by an employee, leading to immediate corrective measures and stricter privileged access management.
    

**Proactive Defense Through TDIR**

In today's threat-filled digital landscape, TDIR is not merely a cybersecurity option — it's an imperative. By adopting a proactive, unified approach, organizations can build resilience against a diverse array of threats, from phishing and ransomware to insider attacks.

TDIR's strength lies in its integration of advanced technology, human expertise, and strategic processes, enabling organizations to navigate the evolving cyber threat landscape with confidence. As the battle against cybercrime continues, those who embrace TDIR will not only safeguard their operations but also strengthen their reputations and ensure long-term resilience.

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

**About the Author**

Lead Engineer/IAM Architect, Paramount Global

Sameer Bhanushali is an experienced IAM Architect with more than 16 years of expertise in information security, identity and access management (IAM), cloud services, and system architecture. Recognized for his ability to lead end-to-end IAM initiatives, Sameer leverages cutting-edge technologies and industry best practices to design and implement tailored solutions for both on-premises and cloud environments.

Sameer has been instrumental in aligning technical strategies with organizational goals, optimizing system performance, and enhancing cybersecurity defenses throughout his career. His consultancy excellence across diverse sectors has consistently delivered scalable IAM solutions that drive business growth while ensuring robust security.

A holder of advanced IAM and cybersecurity certifications, Sameer excels in navigating complex cybersecurity challenges, strengthening security postures, and exploring innovative technologies to deliver transformative outcomes. His dedication to the field is reflected in his thought leadership and unwavering commitment to protecting sensitive information in an evolving threat landscape.

Strategic Approaches to Threat Detection, Investigation &amp; Response

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep…

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep up, businesses need to understand that while complex regulations may sound difficult to deal with; cybersecurity threats are the real danger to their credibility and success. Here are six strategies that showcase how the change in financial technology impacts expansion and security.

**1\. **Using Data Analytics for Smarter Security and Personalization****

Fintech companies have access to a treasure trove of user data, making data analytics a key to both innovation and security. Predictive analytics can detect fraud in real time by spotting unusual transaction patterns, while personalization algorithms offer customized financial solutions to users.

Take PayPal, for instance, which uses machine learning to track fraud attempts while ensuring seamless user experiences. By investing in platforms like Tableau or Splunk, companies can not only improve data-driven decisions but also strengthen their cybersecurity protection.

**2\. **Optimizing Customer Journeys Through AI and Automation****

Customer retention in fintech depends on efficient, user-friendly platforms. AI-driven Client Lifecycle Management (CLM) tools not only enhance customer experience but also fortify compliance with data protection laws like GDPR.

For example, automated KYC (Know Your Customer) processes can validate user identities within minutes, reducing conflict while maintaining security. Companies that leverage AI to simplify operations position themselves as leaders in convenience and trust, two critical factors in the digital financial world.

**3\. **Expanding Beyond Payments: Diversification in Fintech Offerings****

Successful fintech companies are moving beyond basic services like payments and lending to offer a wider range of products. Digital wallets, cryptocurrency trading, BNPL (Buy Now, Pay Later) options, and even ESG (Environmental, Social, and Governance)-focused investment tools are becoming standard offerings.

For instance, Square (now Block) transitioned from payment processing to include cash apps, crypto wallets, and merchant solutions. This diversification not only strengthens market positioning but also hedges against disruptions in individual sectors.

**4\. **Automating Security Protocols to Counter Cyber Threats****

While cybersecurity threats grow more sophisticated, automation in fintech security has become a necessity. Tools like automated anomaly detection, real-time threat intelligence, and AI-driven incident response systems ensure swift responses to breaches.

Take Stripe, which integrates advanced monitoring tools to detect and neutralize suspicious activity before it escalates. Automation in security protocols not only protects sensitive financial data but also boosts consumer confidence in the platform.

**5\. **Sustainability in Fintech: Balancing Growth with Responsibility****

The fintech sector is embracing sustainability through green technologies and ethical financial practices. Blockchain-based carbon credit platforms, eco-friendly payment cards, and renewable energy-backed investments are paving the way for a greener future.

Consider Mastercard’s sustainable card program, which uses biodegradable materials and supports reforestation initiatives. By integrating eco-conscious elements, fintech companies are appealing to the growing demographic of socially responsible consumers and investors.

**6\. **Risk Management with Predictive Technologies****

Managing risk (risk management) is critical in fintech, where markets and regulations can change overnight. Predictive technologies like machine learning are revolutionizing risk management by identifying vulnerabilities before they become liabilities.

For example, Robinhood employs real-time analytics to manage liquidity risks and safeguard user assets during volatile market conditions. This approach not only ensures operational stability but also reinforces trust in the brand.

The worlds of technology and finance are changing like never before, with advancements in AI, blockchain, and sustainable solutions building the future of fintech. By using data-driven security, improving operations through automation, and focusing on sustainable practices, companies can remain competitive. For fintech firms, the message is clear: innovate, adapt, and protect your operations, or risk falling behind.

1.  **Cybersecurity, Big Data and Automation Tools**
2.  **Top 9 Compliance Automation Software in 2024**
3.  **Fortifying FinTech: Building Resilient APIs for Security**
4.  **Digital Transformation in Financial Industry: The Role of Fintech**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/Featured Image via Marvin Meyer/Unsplash

6 Strategic Innovations Transforming the Fintech Industry

US president Joe Biden just issued a 40-page executive order that aims to bolster federal cybersecurity protections, directs government use of AI—and takes a swipe at Microsoft’s dominance.

Four days before he leaves office, US president Joe Biden has issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers.

The 40-page executive order unveiled on Thursday is the Biden White House’s final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems.

The order “is designed to strengthen America’s digital foundations and also put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters on Wednesday.

Looming over Biden’s directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems that the order identifies.

Trump hasn’t named any of his top cyber officials, and Neuberger said the White House didn’t discuss the order with his transition staff, “but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period.”

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

Another part of the directive focuses on the protection of cloud platforms’ authentication keys, the compromise of which opened the door for China’s theft of government emails from Microsoft’s servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days.

To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

Another part of the order boosts CISA’s ability to watch for cyberattacks across the government by tapping into the security software that other agencies operate. It’s an attempt to reduce visibility gaps that adversaries have successfully exploited in many intrusions, especially the 2020 SolarWinds hack. The order requires agencies to give CISA direct access to their security platforms and to allow CISA to conduct unannounced threat-hunting activities on their networks.

“If we find one particular technique that a foreign government is using to hack one particular federal agency,” Neuberger said, “this now … gives CISA centralized visibility to hunt across all agency systems to ensure we're defending against this attack broadly.”

The security risks and opportunities of AI play a major role in the executive order. The document directs the departments of Energy and Homeland Security to launch a pilot program to use AI to help protect energy infrastructure, with the goal of automating things like vulnerability detection and patching. The Defense Department would have to launch a program to use “advanced AI models” for cyber defense.

Biden also wants DHS, Commerce, and the National Science Foundation to prioritize research on topics like how humans and AI tools can coordinate to analyze cyber threat data, how to ensure the security of AI-generated code, how to design secure AI models, and how to prevent and recover from cyber incidents involving AI systems.

Biden’s order attempts to expedite agencies’ use of digital identity documents to streamline citizen services and reduce waste and fraud. The directive asks agencies to “consider accepting digital identity documents” as proof of eligibility for public benefits. Commerce would have 270 days to issue guidance to help agencies do so.

Other provisions in the executive order require government recommendations for securing open-source software; updates to cyber requirements in contracts for space systems; contracting changes to ensure that new technology supports post-quantum cryptography; and the use of encryption in DNS technologies, email systems, and voice and video conferencing platforms. There is also a provision requiring OMB to help agencies reduce risks associated with concentration in the IT market—a not-so-veiled shot at Microsoft.

The order also lowers the bar for the government to be able to sanction people who launch cyberattacks on US critical infrastructure, potentially easing barriers to deploying one of Washington’s favorite responses to major hacks.

A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#intel