A critical security vulnerability in Palo Alto Networks’ Expedition tool is being actively exploited by hackers. CISA urges…

A critical security vulnerability in Palo Alto Networks’ Expedition tool is being actively exploited by hackers. CISA urges patch – Learn how to protect your network and sensitive data by patching your Expedition software immediately.

If you have recently migrated your network configuration to Palo Alto Networks using their Expedition tool, you need to act quickly as a critical security flaw (CVE-2024-5910) in the tool is actively being exploited by threat actors. This means hackers can takeover administrator account, access sensitive configuration data, and even gain control over your firewalls if you haven’t patched your Expedition software.

For your information, Expedition is a handy tool that helps users seamlessly switch their network configuration from other vendors like Cisco or Checkpoint to their own products. It automates many steps, making the transition smoother for businesses. The tool will be will discontinued from January 2025.

Palo Alto Networks has reportedly been notified by the Cybersecurity and Infrastructure Security Agency (CISA) about the exploitation of a security flaw within its Expedition tool versions prior to 1.2.92. Palo Alto already released a patch for this vulnerability in July, but attackers are already exploiting it.

 “Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA explained in its advisory.

The advisory warns that configuration secrets, credentials, and other data moved into Expedition are at risk due to the critical flaw as the tool can trigger an administrative account takeover for threat actors. This vulnerability is rated as “critical” with a CVSS score of 9.3 (out of 10) entails a missing authentication for Critical Function (CWE-306). This means it’s very easy for attackers to exploit and can have severe consequences.

Exploitation attempts likely rose in October when a security researcher Zach Hanley released a proof-of-concept (PoC) exploit. It demonstrates how to combine CVE-2024-5910 and another vulnerability (CVE-2024-9464) to execute unauthenticated remote code on vulnerable Expedition servers, allowing attackers to reset admin accounts and control firewall configurations.

CISA has added this vulnerability to its “Known Exploited Vulnerabilities” catalog, urging federal agencies to address it before November 28th.

To protect yourself, update your software to the latest version (1.2.92 or later). Once updated, change usernames, passwords, and API keys for both Expedition and firewalls processed through Expedition.  Additionally, sign up for security alerts from Palo Alto Networks or other reputable sources to stay updated on the latest threats and vulnerabilities.

It is worth noting that the advisory comes after Threat intelligence firm Volexity discovered a zero-day exploit in April that affected Palo Alto Networks’ firewall appliances. The vulnerability had a maximum CVSS score of 10 and probably exploited by nation-state hackers, according to researchers.

John Bambenek, President at Bambenek Consulting weighed in on the situation stating, _“_This vulnerability lets attackers reach out and take over these devices without authentication and they are the kind of tool you set up for a tactical reason. Once the work is done, you forget about it. If, for whatever reason, you can’t shut it down, get these devices off the open Internet._“_

1.  Palo Alto Patches 0-Day Exploited by Python Backdoor
2.  CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
3.  Hackers Target Check Point VPNs, Security Fix Released
4.  Private details of Palo Alto Networks employees leaked online
5.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws

CISA Urges Patching of Critical Palo Alto Networks’ Expedition Tool Vulnerability

The Pentagon is pursuing every available option to keep US troops safe from the rising tide of adversary drones, including a robotic twist on its standard-issue small arms.

Amid a rising tide of low-cost weaponized adversary drones menacing American troops abroad, the US military is pulling out all the stops to protect its forces from the ever-present threat of death from above. But between expensive munitions, futuristic but complicated directed energy weapons, and its own growing drone arsenal, the Pentagon is increasingly eyeing an elegantly simple solution to its growing drone problem: reinventing the gun.

At the Technology Readiness Experimentation (T-REX) event in August, the US Defense Department tested an artificial intelligence-enabled autonomous robotic gun system developed by fledgling defense contractor Allen Control Systems dubbed the “Bullfrog.”

Consisting of a 7.62-mm M240 machine gun mounted on a specially designed rotating turret outfitted with an electro-optical sensor, proprietary AI, and computer vision software, the Bullfrog was designed to deliver small arms fire on drone targets with far more precision than the average US service member can achieve with a standard-issue weapon like the M4 carbine or next-generation XM7 rifle. Indeed, footage of the Bullfrog in action published by ACS shows the truck-mounted system locking onto small drones and knocking them out of the sky with just a few shots.

The Bullfrog appears effective enough against drone targets to impress DOD officials: According to Defense Daily, Alex Lovett, the deputy assistant secretary of defense for prototyping and experimentation within the Pentagon’s Research and Engineering office, told reporters at a demonstration event in August that the testing of the “low-cost” Bullfrog solution had “gone really well.” Should the Pentagon adopt the system, it would represent the first publicly known lethal autonomous weapon in the US military’s arsenal, according to the Congressional Research Service. (The Office of the Secretary of Defense did not yet respond to WIRED’s request for comment.)

Shooting down small, fast-moving drones with conventional firearms is a significant challenge to even the most talented marksman, and the US military has been pursuing various ways to make its small arms more effective against unmanned airborne threats. Those efforts include the procurement of small- to medium-caliber munitions and “buckshot-like” ammo that can replicate the effects of the shotguns that have proven effective counter-drone measures amid Russia’s invasion of Ukraine; rifle-mounted radio frequency and GPS jammers to disorient incoming drones so troops don’t have to carry separate, bulky counter-drone weapons like the Dronebuster or NightFighter; and “smart” optics from companies like SmartShooter and ZeroMark that purportedly only allow a weapon to fire when it locks on target. The Army has even started integrating counter-drone exercises into its basic training regimen, part of a broader effort to make such schooling as “routine” as conventional marksmanship training.

For ACS cofounder and CEO Steve Simoni, a former Navy nuclear engineer, the best way to optimize a firearm for drone threats isn’t through novel accessories or enhanced training, but a combination of advanced robotics and a sophisticated AI that can take the guesswork out of target acquisition and tracking.

“During the Russian invasion of Ukraine, we \[Simoni and his ACS cofounder, fellow Navy veteran Luke Allen\] saw the proliferation of drones on both sides of the conflict, and we read in various news outlets the Ukrainians were firing AK-47s in the air at them,” Simoni tells WIRED. “We thought, ‘That’s a good robotics problem.’ It's hard to hit something flying so fast, but a robot can do that with modern-day computer vision and AI control algorithms.”

While smart optics like SmartShooter’s SMASH fire control system also use AI and computer vision to track potential targets, Simoni believes that physically keeping a rifle zeroed in on a fast-moving drone is a more significant challenge than even a highly trained human soldier with an advanced weapon-mounted scope is equipped to address. The solution, Simoni says, is to remove humans from the equation altogether and allow an extremely precise, custom-built motion control system to maintain a steady bead on an incoming drone amid the chaos of a battlefield.

“We are electrical engineers, and we decided that in order to solve this problem of hitting a fast drone that's accelerating at five Gs at a couple hundred yards, you would need an incredibly high-end current that goes through a motor and encoders that know the position of your gun at all times,” Simoni says. “To put that form factor in the hands of someone with an M4 seemed like a very tough problem.”

“A DJI Mini \[drone\] is a little bit bigger than my hand, and our system can down one at 200 yards with two shots,” he adds. “No human could make that shot.”

The 11th Armored Cavalry Regiment and the Threat Systems Management Office operate a swarm of 40 drones to test the rotational units' capabilities during the battle of Razish, National Training Center in 2019.

Photograph Courtesy of the U.S. Army / Pv2 James Newsome

Gun turrets are nothing new for the US military and its allies, from the manually operated Common Remotely Operated Weapon Station (CROWS) that adorns a growing number of American ground combat vehicles to the beloved semi-autonomous Phalanx Close-In Weapon System (CIWS) that’s essential to defending Navy warships from incoming missiles. More recently, the Army has experimented with several other gun-based counter-drone solutions—including a Ghost Robotics robot dog with its own AI-enabled AR/M4-pattern rifle turret.

At less than 400 pounds, the Bullfrog is smaller and simpler than the hulking 15-foot-tall, 12,000-plus-pound Phalanx CIWS and, in turn, better suited to provide flexible protection for individual platforms like, say, a Joint Light Tactical Vehicle on the move. And where the Phalanx CIWS sprays what essentially amounts to “a cloud of bullets,” Simoni claims the Bullfrog is precise enough to not only down airborne targets with minimal ammo expended, but deliver crossing shots at targets from the side, allowing the turret to accurately engage threats to units other than itself—and, with multiple systems, create a layered air defense network.

“Internally, we used to call the Bullfrog the ‘mini-CIWS,’” Simoni says. “But the CIWS control system isn’t as accurate.”

Then there’s the matter of the Bullfrog’s autonomy, a prickly subject for military planners. In accordance with the Pentagon’s current policy governing lethal autonomous weapons, the Bullfrog is designed to keep a human “in the loop” in order to avoid a potential “unauthorized engagement." In other words, the gun points at and follows targets, but does not fire until commanded to by a human operator. However, ACS officials claim that the system can operate totally autonomously should the US military require it to in the future, with sentry guns taking the entire kill chain out of the hands of service members and freeing them up to focus on other, more mission-essential tasks.

“Our system is fully autonomous-capable, we’re just waiting for the government to determine its needs,” Brice Cooper, ACS’s chief strategy officer and a Green Beret veteran who previously served as head of US Special Operations Command’s counter-drone program, tells WIRED. “Legacy systems in our category are just not there yet.”

A Phalanx Close-In Weapons System (CIWS) is tested aboard the amphibious assault ship USS Makin Island on Jan. 29, 2011.

Photograph Courtesy of the US Navy

The Bullfrog’s debut at T-REX couldn’t have come at a more fortuitous time. The Pentagon recently announced the second increment of its Replicator initiative that was launched last year to catalyze a surge in US military drone and counter-drone capabilities ahead of potential future conflicts with “great power” threats like China or Russia. Where the first Replicator increment focused on rapidly procuring and fielding low-cost, attritable drones for US forces around the world, the second will tackle “the threat posed by small uncrewed aerial systems (C-sUAS) to our most critical installations and force concentrations,” as Defense Secretary Lloyd Austin put it in a late September letter announcing the new stage of the initiative.

American military commanders in the Middle East have for years maintained that cheap, easily weaponizable commercial drones represent the greatest threat to their deployed forces since the advent of the improvised explosive device during the Global War on Terror, a concern driven home by attacks on Navy warships and commercial vessels in the Red Sea and US troop outposts in Iraq and Syria in the year following the outbreak of the current Israeli-Hamas conflict. In January, three US service members were killed in a drone attack on a military outpost in Jordan near the Syrian border, an incident that the Pentagon later determined had occurred because American forces there lacked the appropriate capabilities to defend against incoming drone threats.

“The threat landscape has become hyper-accelerated,” Cooper says. “A year ago, nobody was really concerned about the small drones that are destroying all kinds of armored vehicles in Ukraine. In reality, we're in the very nascent stages of what the unmanned threat landscape is going to look like, and it’s going to involve a serious investment from the Defense Department in perpetuity.”

It’s unclear at this time what specific types of counter-drone capabilities Replicator 2 might yield. At the moment, it appears that all options are on the table. They include remotely operated weapons turrets like the XM914 30-mm chain gun loaded up with explosive proximity rounds; missile systems like MSI’s Electronic Advanced Ground Launcher System (EAGLS) laser-guided rocket pod, L3Harris’s Vehicle-Agnostic Modular Palletized ISR Rocket Equipment (VAMPIRE) system, and Raytheon’s Coyote interceptor; “autonomous air vehicles” like the Air Force’s Paladin flying gun and the Roadrunner from defense upstart Anduril; vehicle-mounted sensor- and signal-jamming electronic warfare suites like the Marine Corps’ Light Marine Air-Defense Integrated System (L-MADIS) that’s been knocking drones out of the sky since 2019 and the Army’s Mobile Low, Slow Unmanned Aircraft Integrated Defense System (M-LIDS) that was most recently deployed to protect the service’s temporary pier in Gaza, both of which also feature “kinetic effectors” like machine guns and missiles; exotic directed energy weapons like high-energy lasers and high-powered microwaves to disrupt and disable drone electronics mid-flight; and a growing arsenal of infantry weapons from counter-drone rifles to the tried-and-true FIM-92 Stinger man-portable air-defense system. These weapons are all intended to turn every service member in American combat formations into a “drone defender.”

US Army soldiers with Task Force Spartan conduct Mobile Low, Slow, Small Unmanned Aerial Vehicle Integrated Defense System (M-LIDS) training at Camp Buehring, Kuwait, in 2022.

Photograph Courtesy of the US Army / Sgt. Gabriel Washington

One major factor driving the Pentagon’s counter-drone push, however, is cost. Many kill systems currently in use are still disproportionately expensive defense against comparatively cheap drones. And while directed-energy weapons like lasers and microwaves, at something like $10 a shot, offer a far more cost-effective solution than traditional munitions, they are also still relatively experimental (and incredibly complicated) technologies that, despite their ongoing testing and even active use in the Middle East, are not yet seen as reliable enough to field at scale.

“If something like \[the Bullfrog\] works where you can modify an existing system across the fleet, that's ideal,” Mike Clementi, a former congressional defense appropriator who previously worked on the US military’s counter-drone efforts, tells WIRED. “And if you can use it effectively for the cost of a handful of 7.62-mm rounds, you're getting ahead of the game.”

“The real question is: How do you eliminate massive amounts of cheap targets?” he adds. “If the Bullfrog pans out, it would be the cheapest solution out there.”

Simoni believes AI-powered autonomous gun systems like the Bullfrog can provide enough precision to deliver a cost-per-kill ratio similar to that associated with laser and microwave systems without the intensive maintenance and logistics upkeep. And while the Bullfrog isn’t the only counter-drone gun system on the Pentagon’s radar, Simoni believes that the algorithmic accuracy enabled by the turret’s unique machine-learning software and motion control system remains superior to that of other offerings.

“Tracking and shooting is only the tip of the iceberg: Eventually, the system will consist of different guns, reaching out to longer ranges, engaging drones that are moving in different acceleration patterns—that’s all based on updates to our AI model,” Simoni says. “We envision a convoy of vehicles outfitted with turrets employing coordinated fires that are effective even if they’re driving down a bumpy road. That’s what we’re building over the next 12 to 18 months.”

Regardless of Simoni’s ambitious vision and the Pentagon's recent push into the realm of autonomous weapons, questions still persist in defense circles about the potential dangers of taking a human operator out of the kill chain.

“Anything with robotics requires software to make the determination of friend or foe, and that's a concern with anything that's automated,” Clementi says. The use of fully automated systems would be “uncharted territory,” he says. “There's always been a person in the loop before.”

Should the Pentagon end up embracing an autonomous robotic gun system as its counter-drone defense of choice, the next big conflict involving American troops could end up looking like a joke from an episode of _The Simpsons_: “most of the actual fighting will be done by small robots.”

“The future battlespace is incredible autonomous robots like ours shooting each other,” Simoni said. “I don’t think there's much room for people with guns.”

The AI Machine Gun of the Future Is Already Here

With cybersecurity threats continuously evolving, having a strong incident response (IR) plan is crucial for businesses of all…

With cybersecurity threats continuously evolving, having a strong incident response (IR) plan is crucial for businesses of all sizes. Effective IR not only minimizes the financial and reputational damage caused by security incidents but also ensures that organizations can return to normal operations without delay. Here’s why Incident Response is essential and what it entails.

*   **Minimizing Downtime and Financial Impact**

When a **cyber incident strikes**, the faster an organization can identify, contain, and mitigate it, the lower the financial losses. An effective IR plan enables businesses to respond efficiently, which helps reduce costly downtime, potential ransom demands, and expenses related to data recovery.

*   **Protecting Sensitive Data and Customer Trust**

In many sectors, a breach of sensitive information can damage customer trust. Effective incident response minimizes the risks of exposing sensitive and confidential data, data; a quick, efficient response reassures customers that the organization prioritizes security, which is invaluable for customer loyalty and **brand reputation**.

*   **Staying Compliant and Avoiding Legal Consequences**

Organizations today must manage a complicated set of regulatory requirements related to data protection, including prominent regulations like the General Data Protection Regulation (**GDPR**) in Europe and the Health Insurance Portability and Accountability Act (**HIPAA**) in the United States. An effective Incident Response plan is essential in helping organizations meet these obligations.

*   **Establishing Clear Protocols**

By establishing clear protocols for breach notifications, data handling, and response strategies, an IR plan ensures compliance with industry standards and legal mandates. This approach reduces the risk of facing **hefty fines**, legal penalties, and reputational damage that can arise from non-compliance. Moreover, adhering to these regulations fosters a culture of accountability and transparency within the organization, ultimately strengthening stakeholder trust and confidence in its commitment to compliance and data security.

*   **Mitigating Long-Term Operational Risks**

A strong Incident Response strategy plays a major role in minimizing long-term operational risks by identifying and augmenting system, process, and people vulnerabilities that attackers could exploit to gain sensitive, confidential, or trade secret organization.

Furthermore, if an incident has occurred, updated IR planning allows organizations to document and analyze breached data, offering valuable insights that increase defences, refine response protocols, and enhance system, process, and human strength over time.

****Key Components of an Effective Incident Response Plan****

*   **Preparation:** A successful incident response begins with thorough preparation. This includes educating employees on recognizing suspicious activities and establishing clear reporting protocols. Regular training sessions and simulations help cultivate a culture of vigilance and ensure everyone understands their role in the incident response process.
*   **Detection and Analysis:** Early detection is critical to mitigating damage. Incident response teams should leverage advanced monitoring tools and threat intelligence to identify potential incidents in time. Once detected, the team conducts a detailed analysis to assess the severity and potential impact on the organization.
*   **Containment and Eradication:** After an incident is confirmed, immediate action is necessary to contain the threat. This may involve isolating affected systems to prevent further spread and executing eradication procedures to eliminate the root cause of the incident. Effective **containment strategies** limit damage and protect unaffected systems.
*   **Recovery:** Once the threat is contained, the focus shifts to recovery. Systems must be carefully restored to normal operations, with thorough testing to ensure functionality and security. Continuous monitoring during this phase helps to identify any lingering issues or signs of re-infection.
*   **Post-Incident Analysis:** After recovering from an incident, it’s essential to conduct a comprehensive review of the response efforts. This analysis helps identify strengths and weaknesses in the incident response plan, providing valuable insights for improving future strategies. Implementing lessons learned is vital for enhancing resilience against future threats and ensuring the organization is better prepared.

****Who should be on an incident response team?****

An effective incident response team (IRT) should include members with diverse expertise to address all critical areas. Core roles often include IT and security professionals, such as network engineers, system administrators, and cybersecurity analysts, who manage technical aspects. A legal advisor is essential for compliance and regulatory guidance, while a communications specialist handles both internal and external messaging.

In conclusion, businesses face a growing array of cyber threats that can put operations, reputations, and customer trust at risk. Developing **an effective incident response (IR**) strategy is essential for mitigating these risks.

By partnering with trusted service providers, companies can ensure they are prepared to respond quickly and efficiently when incidents arise and meet all compliance obligations, including notification requirements. A well-structured IR plan helps minimize potential damage, maintain regulatory compliance, protect sensitive data, and ensure recovery without delay.

Furthermore, a proactive IR approach fosters a culture of preparedness and resilience, allowing organizations to quickly adapt and manage the rising number of cybersecurity threats. By implementing clear response protocols and maintaining transparent communication channels, businesses can safeguard their operations and reduce the long-term consequences of security breaches.

Ultimately, a comprehensive incident response plan not only supports immediate recovery but also strengthens the organization’s overall security posture, protecting its long-term interests, information assets, and business integrity.

****Resources:****

_https://www.atlassian.com/incident-management/incident-response_

_https://insights.integrity360.com/what-are-the-key-elements-of-an-effective-incident-response-strategy_

1.  **What Is Incident Management Software?**
2.  **Key Features Of Threat Intelligence Platforms**
3.  **A Step-by-Step Guide to How Threat Hunting Works**
4.  **0-day attacks are potent cyber threats and require serious response**
5.  **Small Business Owners Must Prioritize Cybersecurity to Stay Operational**

The Importance of Effective Incident Response

Plus: Hot Topic confirms a customer data breach, Germany arrests a US citizen for allegedly passing military secrets to Chinese intelligence, and more.

Maybe you already heard, but Donald Trump will be president of the United States again. The far-right is celebrating by calling for mass executions. The left is responding with their own election conspiracy theories. Convicted January 6 rioters are banking on a pardon. And women who oppose Trump have frankly had enough.

Ahead of Election Day, WIRED found that an “election integrity” app made by True the Vote, a right-wing group that helped popularize election denialism around the 2020 election, was leaking the emails of its users. In one instance it revealed an election officer in California who appeared to be engaged in illegal voter suppression.

Disinformation and other forms of election interference have been a major issue since Russia’s hack of the Democratic National Committee in the lead-up to the 2016 election. But 2024 appears to have been the worst yet, with US officials warning that Russia had amplified its efforts to unprecedented levels.

In non-election news, Canadian authorities arrested Alexander “Connor” Moucka, who is accused of hacking a slew of Snowflake cloud storage customers earlier this year. Security experts who’ve long followed the exploits of a hacker who went by the handle Waifu—whom authorities say is Moucka—believe him to be “one of the most consequential threat actors of 2024.”

A federal judge in Michigan sentenced Richard Densmore to 30 years in prison after he pleaded guilty to sexually exploiting a child. Densmore was highly active in 764, an online criminal network that the FBI now considers to be a “tier one” terrorism threat.

Finally, in WIRED’s first story published in partnership with 404 Media, reporter (and 404 co-owner) Joseph Cox took a deep dive into the world of infostealer malware—the same kind used in all those Snowflake account breaches Moucka is accused of committing.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Some iPhones that police have in their possession for forensic examination are suddenly rebooting themselves, making it more difficult for investigators to access their contents, reports 404 Media. Police use tools like Cellebrite to essentially hack into phones, but this is typically done when a device is in the so-called After First Unlock (AFU) state. Once they reboot, iPhones are put into Before First Unlock (BFU), which makes them much harder to access with forensic tools.

According to a document obtained by 404, police believed the sudden reboots stemmed from the fact that the devices run iOS 18, Apple’s new mobile operating system. The police suspected that iOS 18 contains a secret feature that allowed the impacted devices, all of which were in airplane mode, to communicate with other nearby iPhones, which sent “a signal to devices to reboot after so much time had transpired since device activity or being off network,” the document reads.

They're half right. 404 reported Friday evening that multiple experts have discovered a new feature in iOS 18 called “inactivity reboot,” which appears to force iPhones to reboot on the fourth day after being locked—no secret signal-sending required. While the feature could help prevent robbers from using stolen iPhones, it's clearly giving the cops a headache, too.

Bad news, kids. The retail chain Hot Topic confirmed this week that it suffered a data breach that exposed the personal information of some 54 million customers. The stolen data includes email addresses for all 54 million people, 25 million “lightly encrypted” credit card numbers, the names, phone numbers, and birthdays of 20 million customers, and even the home addresses of 10 million people. While the hackers behind the breach claimed to have data on far more people than the dataset contains—350 million customers—the exposed data could still be used for identity theft and other malicious activities. Not cool!

Authorities in Germany this week arrested a US citizen for allegedly giving American military secrets to the Chinese government. Identified only as Martin D. due to German privacy laws, prosecutors say he recently “worked for the US armed forces in Germany” and “obtained the information in question during his work with the US armed forces,” according to NBC News. Prosecutors claim that Martin D. “contacted Chinese government agencies and offered to provide them with sensitive US military information for forwarding to a Chinese intelligence service.” Martin D.’s arrest comes just a month after German authorities arrested a woman on suspicion of passing information about arms deliveries to Chinese intelligence.

The FBI is investigating whether Chinese state-backed hackers breached the iPhones of senior staff members in either the Kamala Harris or Donald Trump presidential campaigns, Forbes reports. The CEO of security firm iVerify, Rocky Cole, tells Forbes that his company’s software identified strange changes to the settings on the iPhones of campaign staff “in patterns that are not observed on healthy devices.” (Cole declined to identify which campaign’s staff was impacted.) The FBI told Cole that the affected iPhones belonged to known targets of Chinese hacker group Salt Typhoon, which reportedly breached several US telecom networks including AT&T and Verizon.

Auto-Rebooting iPhones Are Causing Chaos for Cops

Large language models (LLMs) can help app security firms find and fix software vulnerabilities. Malicious actors are on to them too, but here's why defenders may retain the edge.

Source: vs148 via Shutterstock

Security researchers and attackers are turning to AI models to find vulnerabilities, a technology whose use will likely drive the annual count of software flaws higher, but could eventually result in fewer flaws in public releases, experts say.

On Nov. 1, Google said its Big Sleep large language model (LLM) agent discovered a buffer-underflow vulnerability in the popular database engine, SQLite. The experiment shows both the peril and the promise of AI-powered vulnerability discovery tools: The AI agent searched through the code for variations on a specific vulnerability, but identified the software flaw in time for Google to notify the SQLite project and work with them to fix the issue.

Using AI just for software-defect discovery could result in a surge in vulnerability disclosures, but introducing LLM agents into the development pipeline could reverse the trend and lead to fewer software flaws escaping into the wild, says Tim Willis, head of Google's Project Zero, the company's effort to identify zero-day vulnerabilities.

"While we are at an early stage, we believe that the techniques we develop through this research will become a useful and general part of the toolbox that software developers have at their disposal," he says.

Google is not alone in searching for better ways to find — and fix — vulnerabilities. In August, a group of researchers from Georgia Tech, Samsung Research, and other firms — collectively known as Team Atlanta — used an LLM bug-finding system to automatically find and patch a bug in SQLite. And just last month, cybersecurity firm GreyNoise Intelligence revealed it had used its Sift AI system to analyze honeypot logs leading to the discovery and patching of two zero-day vulnerabilities affecting Internet-connected cameras used in sensitive environments.

Overall, companies are gaining more ways to automate vulnerability discovery, and — if they are serious about security — will be able to drive down the number of vulnerabilities in their products by using the tools in development, says Corey Bodzin, chief product officer at GreyNoise Intelligence.

"The exciting thing is we do have technology that allows people who \[care about\] security to be more effective," he says. "Sadly ... there are not many companies where that is ... a primary driver, but even in companies where \[security is\] purely viewed as a cost" can benefit from using these tools.

**Only the First Steps**

Currently, Google's custom approach is still bespoke and requires work to adapt to specific vulnerability-finding tasks. The company's Big Sleep agent does not to look for completely new vulnerabilities, but uses details from a previously discovered vulnerability to look for similar issues. The project has looked at smaller programs with known vulnerabilities as test cases, but the SQLite experiment is the first time they found vulnerabilities in production code, the Google Project Zero and Google DeepMind researchers stated in Google's blog post describing the research.

While specialized fuzzers would likely have found the bug, tuning those tools to perform well is a very manual process, says Google's Willis.

"One promise of \[L\]LM agents is that they might generalize across applications without the need for specialized tuning," he says. "Additionally, we're hopeful that \[L\]LM agents will be able to uncover a different subset of vulnerabilities than those typically found through fuzzing."

The use of AI-based vulnerability discovery tools will be a race between attackers and defenders. Manual code review is a viable way of finding bugs for attackers, who only need a single exploitable vulnerability or short chain of vulnerabilities. But defenders need a scalable way of finding and fixing applications, Willis says. While bug-finding tools can be a force multiplier for both attackers and defenders, the ability to scale up to analyze code will likely be a greater benefit for defenders, Willis says.

"We expect that advances in automated vulnerability discovery, triage, and remediation will disproportionately benefit defenders," he says.

**Focus AI on Finding and Fixing Bugs**

Companies that focus on using AI to generate secure code and fix bugs when found will deliver higher quality code from developers, says Chris Wysopal, co-founder and chief security evangelist at Veracode, an application security firm. He argues that automating bug finding and bug fixing are two completely different problems. Finding vulnerabilities is a very large data problem, whIle fixing bugs usually deals with perhaps a dozen lines of code.

"Once you know the bug is there — if you found it through fuzzing, or through an LLM, or using human code review — and you know what kind of bug it is, fixing it is relatively easy," he says. "So, LLMs favor defenders, because having access to source code and fixing issues is easy. So I'm kind of bullish that we can eliminate whole classes of vulnerabilities, but it's not from finding more, it's from being able to fix more."

Companies that require developers to run automated security tools before code check-in will find themselves on a path to paying down their security debt — the collection of issues that they know about, but have not had time to fix, he says. Currently, about half (46%) of organizations have security debt in the form of persistent critical flaws in applications, according to Veracode's 2024 State of Software Security report.

"The idea that you're committing code that has a problem in it, and it's not fixed, will become the exception, not the rule, like it is today," Wysopal says. "Once you can start to automate this fixing — and we're always getting better at automating finding \[vulnerabilities\] — I think that's how things change."

Yet, the technology will still have to overcome companies' focus on efficiency and productivity over security, says Bob Rudis, vice president of data science and security research at GreyNoise Intelligence. He points to the fixing of the two security vulnerabilities that GreyNoise Intelligence found and responsibly disclosed. The company only fixed the issues in two product models, but not others — despite the fact that the other products likely had similar issues, he says.

Google and GreyNoise Intelligence proved that the technology will work, but whether companies integrate AI into the development pipelines to eliminate bugs is still an open question.

Rudis has doubts.

"I'm sure a handful of organizations are going to deploy it — it's going to make like seven C files a little bit safer across a bunch of organizations, and maybe we'll get like a tick more security for the ones that can actually deploy it properly," he says. "But ultimately, until we actually change the incentive structure around how software vendors build and deploy things, and how consumers actually purchase and deploy and configure things, we are not going to see any benefit."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI &amp; LLMs Show Promise in Squashing Software Bugs

It remains unclear how the attackers gained access to Newpark Resources' system, or what they plan to do with any stolen data the strike may have spewed out.

Source: Don Mammoser via Alamy Stock Photo

Newpark Resources, a Texas-based oil drilling fluids system and composite matting systems provider, announced in a filing with the Securities and Exchange Commission (SEC) that it is dealing with the fallout of a ransomware attack it faced earlier this week.

The company has not shared details as to how the attackers gained access to its network, nor who the threat actors are or why they may have targeted Newpark. But after the breach was discovered, Newpark engaged its security response plan as expected and limited access to certain parts of its systems.

"The incident has caused disruptions and limitation of access to certain of the company's information systems and business applications supporting aspects of the company's operations and corporate functions, including financial and operating reporting systems," Newpark said.

According to Matt Hull, global head for Strategic Threat Intelligence at cybersecurity consultancy NCC Group, any data stolen from the critical infrastructure company has not yet appeared on any leak sites.

And because the company reverted to downtime procedures in response to the attack, it was able to continue manufacturing, and its field operations were uninterrupted. It hopes the attack will not have an effect on its financial conditions, it said.

"Organizations are facing an increasingly pressing challenge: maintaining the security benefits of segmentation while enabling controlled connectivity," stated Chris Grove, director of cybersecurity strategy at Nozomi Networks, in an emailed statement to Dark Reading. "Industrial organizations will need to ensure their defenders can quickly isolate and contain threats, while preventing interruptions to critical operations. This is especially important for sectors where downtime has serious consequences in terms of public safety and economic impact, as would be the case with a critical infrastructure sector."

**About the Author**

Mystery Hackers Target Texas Oilfield Supplier in Ransomware Attack

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising…

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising your car’s security and putting you at risk.

Cybersecurity researchers at ZDI (Zero Day Initiative) have identified several critical vulnerabilities in Mazda‘s infotainment systems, specifically in the Connectivity Master Unit (CMU) installed in multiple Mazda car models, including the Mazda 3 from the years 2014 to 2021.

These vulnerabilities, caused by “insufficient sanitization” when handling attacker-supplied input, could allow a physically present attacker to exploit them by connecting a specially crafted USB device to the target system. Successful exploitation could result in arbitrary code execution with root privileges.

****The Target****

The CMU unit, manufactured by Visteon Corporation, an anutomotive technology company, and initially developed by Johnson Controls Inc (JCI), runs on the latest available software version (74.00.324A). However, earlier software versions down to at least 70.x may also be affected by these vulnerabilities. The CMU is part of an active “modding scene” where users release software tweaks to alter the unit’s operation, often exploiting such vulnerabilities.

****The Vulnerabilities****

There are multiple vulnerabilities identified in the CMU system. The details of each are as follows:

*   **SQL Injection (CVE-2024-8355/ZDI-24-1208)**: An attacker can inject malicious SQL code by spoofing the iAP serial number of an Apple device. This allows the attacker to manipulate the database, disclose information, create arbitrary files, and potentially execute code.
*   **OS Command Injection (CVE-2024-8359/ZDI-24-1191)**: The REFLASH\_DDU\_FindFile function in the libjcireflashua.so shared object fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **OS Command Injection (CVE-2024-8360/ZDI-24-1192)**: The REFLASH\_DDU\_ExtractFile function in the libjcireflashua. so shared object also fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **Missing Root of Trust in Hardware (CVE-2024-8357/ZDI-24-1189)**: The application SoC is missing any authentication of the bootstrap code, allowing an attacker to manipulate the root filesystem, configuration data, and potentially the bootstrap code itself.
*   **Unsigned Code (CVE-2024-8356/ZDI-24-1188)**: The VIP MCU can be updated with unsigned code, allowing an attacker to pivot from a compromised application SoC running Linux to the VIP MCU and gain direct access to the connected CAN busses of the vehicle.

****Exploitation****

An attacker can exploit these vulnerabilities by creating a file on a FAT32-formatted USB mass storage device with a name that contains the OS commands to be executed. The filename must end with .up for it to be recognized by the software update handling code.

Once the initial compromise is achieved, the attacker can gain persistence through manipulation of the root file system or install a specially crafted VIP microcontroller software allowing unrestricted access to vehicle networks.

****Associated Risks****

According to ZDI’s blog post, the attack chain can be completed in a few minutes in a lab environment, and there is no reason to believe it will take significantly more time against a unit installed in a car.

This means that the vehicle can be compromised while being handled by a valet, during a rideshare, or via USB malware. The CMU can then be compromised and “enhanced” to attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc. The worst part of it is that these security vulnerabilities remain unpatched.

> _“This research effort and its output highlighted the fact that high-impact vulnerabilities can be found even in a very mature automotive product that has been on the market for a number of years and with a long history of security fixes. To date, these vulnerabilities remain unpatched by the vendor.”_
> 
> ZDI analyst Dmitry Janushkevich 

****Conclusion****

The discovery of these vulnerabilities shows the importance of considering the whole system’s security and security-testing complete production systems in all their operational modes. The use of memory-safe languages or other security tools does not guarantee that deployed systems are secure. It is important to ensure system integrity at all runtime stages and for all components to guarantee downstream security properties of languages and their compilers.

1.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
2.  App Flaw Let Honda and Nissan Cars Hack by Knowing VIN
3.  Tesla cars can be remotely hacked using drone, WIFI dongle
4.  Hackers Remotely Control Kia Cars by Exploiting License Plates
5.  High severity Intel chip flaw left cars and IoT devices vulnerable

Hackers Can Access Mazda Vehicle Controls Via System Vulnerabilities

Canada wants TikTok to dissolve its business in the country. TikTok plans to challenge the decision in court

The Government of Canada ordered the TikTok Technology Canada Inc. to close its offices in the country following a national security review.

This decision was made in accordance with the Investment Canada Act, which allows for the review of foreign investments that may be injurious to Canada’s national security. Canada’s Minister of Innovation, Science and Industry stated:

“As a result of a multi-step national security review process, which involves rigorous scrutiny by Canada’s national security and intelligence community, the Government of Canada has ordered the wind up of the Canadian business carried on by TikTok Technology Canada, Inc. The government is taking action to address the specific national security risks related to ByteDance Ltd.’s operations in Canada through the establishment of TikTok Technology Canada, Inc. The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners.”

This does not mean Canadians will no longer have access to the popular social media platform. It just means the Chinese owned company will have to close its Canadian operations located in Toronto and Vancouver.

Canada says the decision whether citizens want to use the social media platform is a personal choice but it does encourage Canadians to consult the guidance issued by Communications Security Establishment Canada’s Canadian Centre for Cyber Security to help them assess these risks.

One of the key points of their guidance is the “security over convenience” guideline, which says:

“It may be convenient to have an app always know your location or be able to fetch your photos without approval, but this isn’t the most secure option. Be aware of the features and elements of your device that can be accessed by an app, and make sure you limit permissions.”

Another one that is important in this case is the “consider where your data is being stored” guideline which reminds people to think about which nation’s laws will apply to your information and your activity on the platform.

TikTok responded that:

> “Shutting down TikTok’s Canadian offices and destroying hundreds of well-paying local jobs is not in anyone’s best interest, and today’s shutdown order will do just that. We will challenge this order in court.”

TikTok’s Chinese ownership has brought problems in other countries, as well. In April 2024, Malwarebytes Labs reported on how the US Senate approved a bill that would effectively ban TikTok from the country unless Chinese owner ByteDance gives up its share of the immensely popular app. That law is currently being challenged in court by the popular social media platform.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 TikTok ordered to close Canada offices following &#8220;national security review&#8221; 

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.
"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

IoT Security / Vulnerability

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.

"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report.

AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.

Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

Earlier this March, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."

The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access -

*   CVE-2014-2120 (CVSS score: 4.3) - Cisco ASA WebVPN login page XSS vulnerability
*   CVE-2018-10561 (CVSS score: 9.8) - Dasan GPON authentication bypass vulnerability
*   CVE-2018-10562 (CVSS score: 9.8) - Dasan GPON command injection vulnerability
*   CVE-2021-26086 (CVSS score: 5.3) - Atlassian Jira path traversal vulnerability
*   CVE-2021-41277 (CVSS score: 7.5) - Metabase GeoJSON map local file inclusion vulnerability
*   CVE-2022-1040 (CVSS score: 9.8) - Sophos Firewall authentication bypass vulnerability
*   CVE-2022-21587 (CVSS score: 9.8) - Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
*   CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
*   CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
*   CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability

"The botnet cycles through common administrative usernames and uses a consistent password pattern," the company said. "The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings."

The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241\[.\]140" and "117.215.206\[.\]216").

Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.

While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn't observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It's suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st's integration of Mozi has raised the possibility of a possible operational alliance, thereby allowing it to propagate to more devices than ever before.

"AndroxGh0st is not just collaborating with Mozi but embedding Mozi's specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations," CloudSEK said.

"This would mean that AndroxGh0st has expanded to leverage Mozi's propagation power to infect more IoT devices, using Mozi's payloads to accomplish goals that otherwise would require separate infection routines."

"If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both AndroxGh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

PRESS RELEASE

Clearwater, Fla. – October 29, 2024 – According to a new AI Opportunity Report from remote connectivity and workplace digitalization solution company TeamViewer, 80% of U.S. business leaders say their organization’s AI adoption is mature, and 65% are sick of the hype and demand practical implementations of AI for their businesses. Leading from the C-suite, 81% of U.S. key decision makers currently use AI at least weekly, up from 60% last year, a notable 35% increase year-over-year. 

Most U.S. business leaders (72%) also agree that AI is vital to improving their organization’s financial outcomes. Along these lines, two-thirds (66%) agree that AI will positively affect revenue over the next year, with respondents saying that the technology makes an average of 249% revenue growth possible. Nearly a quarter of U.S. respondents (23%) believe that not implementing AI technology risks falling behind competitors and 24% foresee increased costs due to a lack of automation.

Successfully integrating AI into remote connectivity support is a prime example of how efficiencies can lead to better financial outcomes. Enter TeamViewer’s new AI-powered Session Insights.

AI-Powered Session Insights 

Aimed at helping IT teams boost efficiency and streamline operations, Session Insights is now being added to TeamViewer’s Tensor remote connectivity solution to automate session documentation and provide analytics, enabling faster handovers and smarter decision-making. By optimizing resources and capturing valuable knowledge, the new capabilities empower IT support teams to resolve issues faster, improve customer satisfaction, and scale expertise, even with limited staff.  

The new features will help internal IT teams better manage employee help desk requests and will also aid customer support teams providing remote assistance to keep their products onsite and customers up and running and aligned with uptime agreements. 

“AI adoption is growing rapidly as businesses increasingly recognize its tangible benefits in driving productivity and streamlining operations. Our research reveals that 81% of decision-makers now engage with AI at least weekly, a substantial rise from last year’s 60%. With the launch of TeamViewer’s new AI-powered Session Insights, we're enabling organizations to make smarter decisions and optimize processes while adhering to the highest security and data privacy standards. We uphold stringent encryption practices to safeguard customer data, ensuring secure processing, while also providing admins the control to enforce company-wide policies and keeping users informed every step of the way,” said Mei Dent, Chief Product and Technology Officer, TeamViewer. 

Trust, Security, Career Advancement & Equality

The report also delves into a variety of other topics gauging business leaders’ current perceptions of AI, including: 

*   Trust in AI: 50% of U.S. business leaders trust AI to act on business forecasts and make business decisions with an impressive 42% trusting AI to make decisions without human oversight.
    
*   Security: 75% of U.S. business leaders are concerned about data management in the use of AI and 67% would consider banning the use of AI outside of the IT team.
    
*   Career Advancement: 75% of U.S. business leaders believe AI is a key skill to enhance their career and 73% say AI has given them the chance to learn new skills they otherwise would not have.
    
*   The Great Equalizer: 72% of U.S. business leaders believe AI can help create equal job opportunities for parents and caregivers while 79% think AI can help increase accessibility in the workplace.
    

With 73% of U.S. respondents believing AI will drive the biggest productivity boom in a century and business leaders reporting that AI saves U.S. IT professionals approximately 16 hours per month, there is clearly huge momentum for increasing AI use in business, including TeamViewer’s AI-powered Session Insights, which integrates with Microsoft Teams and ServiceNow. More information can be found here.  

Survey Methodology 

In The AI Opportunity Report, TeamViewer uncovers the attitudes of 1,400 (500 in the U.S.) information technology, business, and operational technology decision makers towards Artificial Intelligence, across the UK, France, Germany, Australia, Singapore, and the U.S. The research was conducted online by Sapio Research in August and September 2024. 

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has more than 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at www.teamviewer.com.

Tag

#intel