CISOs are planning to adjust their budgets this year to reflect their growing concerns for cybersecurity preparedness in the event of a cyberattack.

Source: Irina Guzovataya via Alamy Stock Photo

NEWS BRIEF

In 2025, chief information security officers (CISOs) will be directing their attention to becoming more cyber prepared in the event of an attack, by enhancing their crisis simulation capabilities.

That's according to a study conducted by researchers at Hack The Box, which found that out of 200 US- and UK-based CISOs, 74% said they plan to up their crisis simulation budgets this year.

These changes likely stem from rising concerns about the growing number of cyberattacks, the lack of incident-response planning, and inadequate stress-testing of crisis scenarios. Major cyberattacks and cyber incidents have impacted organizations such as NHS, 23andMe, and a host of businesses impacted by the CrowdStrike faulty update in 2024, affecting enterprises on a global level. CISOs are trying to reassess their organizations' capabilities in order to manage the chaos when it inevitably arises.

A full 77% of those surveyed said they would allocate greater budgets for cyber-crisis simulations if the exercises themselves were more realistic and actionable. 

"Preparedness is the foundation of resilience, and crisis simulations play a crucial role in testing organizations security and workforce performance when it's most critical," said Haris Pylarinos, CEO and founder at Hack The Box, in a statement. "Organizations are right to prioritize crisis simulation, and must ensure that these are implemented in the right way."

Also, 73% of survey respondents reported that crisis simulations and incident-response exercises for both their technical and non-technical teams were their top business priority this year.

Pylarinos highlighted that crisis simulation will continue to evolve, pairing artificial intelligence with expert knowledge in order to provide tailored and realistic scenarios that reflect challenges that security teams and management will face on digital front lines. "It will unite previously disparate business units as one," he said, "and allow real-world performance to be benchmarked in a controlled environment."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Crisis Simulations: A Top 2025 Concern for CISOs

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability. A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy. 🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create […]

**About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability.** A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy.

🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create accounts with random names, modify device settings, and gain access to internal systems.

🔹 The vendor advisory was published on January 14. The vulnerability was added to the CISA KEV.

🔹 A public exploit has been available on GitHub since January 21.

🔹 As of January 26, Shadow Server reports around 45,000 vulnerable devices accessible from the Internet.

The vendor recommends updating FortiOS and FortiProxy to secure versions and restricting or disabling administrative HTTP/HTTPS interfaces.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability

A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn…

A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn how to protect yourself and update your browser to the latest version.

A critical security vulnerability has been discovered in the popular Brave Browser, enabling malicious websites to deceive users into believing they are interacting with trusted sources. This flaw tracked as **CVE-2025-23086** (classified under CWE-60), impacts desktop versions of Brave from 1.70.x to 1.73.x.

The problem lies within a feature designed to enhance user safety: displaying the **origin of a website** in the operating system’s file selector dialogue during file uploads or downloads. This is intended to provide a visual cue, confirming the legitimacy of the site involved in the file transfer. However, in specific scenarios, this crucial origin information was not accurately inferred, leaving a critical gap in user protection.

This misrepresentation of origin becomes particularly dangerous when combined with an “open redirect” vulnerability on a legitimate website. Open redirects mean that a trusted website lets user-controlled input redirect users to external URLs and does not validate it properly. By exploiting this combination, malicious actors can craft scenarios where a malicious website, through the open redirect, appears as a trusted source in the file selector dialogue, tricking users into interacting with it.

In May 2024, Hackread.com **reported** HP’s quarterly Wolf Security Threat Insights series findings, which revealed a rise in cybercriminals employing “cat-phishing” tactics, exploiting open redirect vulnerabilities and other Living-off-the-Land techniques to bypass traditional security measures

The vulnerability has a base score of 6.1, classified as Medium in severity, with an attack vector of NETWORK and low attack complexity and user interaction requirements. The consequences of this vulnerability could be drastic. Users could be unknowingly tricked into downloading malware, sharing sensitive information with malicious actors, or falling victim to sophisticated phishing attacks. This dents the core principle of user trust and **security that browsers** are designed to uphold.

To mitigate CVE-2025-23086, update to Brave Desktop Browser version 1.74.48 or later, check for open redirect vulnerabilities, and make sure to verify the file download sources and recognize suspicious prompts.

In addition, use security tools and browser extensions to protect against open redirects and phishing tactics. Regular updates and user awareness can significantly reduce exploitation risks. Trusted site administrators should also review their platforms to remove or fix open redirect vulnerabilities. Check out **this article** to learn more about how to ensure browser security.

1.  **Brave browser Tor feature leaked .Onion queries to ISPs**
2.  **New Vcurms Malware Targets Popular Browsers for Data Theft**
3.  **Fake Brave browser site dropped malware, thanks to Google Ads**
4.  **New Tech Support Scam Freezes Chrome, Firefox & Brave Browser**
5.  **DOJ Proposes Breaking Up Google: Calls for Sale of Chrome Browser**

Brave Desktop Browser Vulnerability Lets Malicious Sites Appear Trusted

Cary, North Carolina, 26th January 2025, CyberNewsWire

**Cary, North Carolina, January 26th, 2025, CyberNewsWire**

INE Security, a leading global provider of cybersecurity training and certifications, today announced a new initiative designed to accelerate compliance with the Department of Defense’s (DoD) newly streamlined Cybersecurity Maturity Model Certification (CMMC) 2.0. This initiative aims to assist Defense Industry Base (DIB) contractors in swiftly adapting to the updated certification standards, which are critical to securing and maintaining defense contracts.

With the DoD’s reduction of CMMC levels from five to three, the path to compliance has become more direct but not less demanding. Recognizing the urgency for contractors to comply without delay, INE Security is offering a guide to strategic compliance acceleration. This includes a comprehensive checklist and guidance on how to implement the compliance requirements. 

> “The DoD’s updated framework requires greater clarity and speed in the compliance process than ever before,” said Dara Warn, CEO of INE Security. “At INE Security, we recognize the challenges organizations face in navigating the complexities of CMMC compliance. Our goal is to empower organizations to not only meet but exceed their compliance objectives by providing them with the tools and strategies needed for a faster and smoother journey. We are committed to simplifying the path to compliance, enabling our clients to focus on what they do best: securing their operations and contributing to our national defense.”

**Certification Requirements**

Each level carries its own stringent requirements, ranging from broad in scope at Level 1 to highly specialized at Level 3. Organizations can use this checklist to track progress and identify areas requiring attention before assessment. 

**Level 1 Certification Requirements**

**Technical Controls**

*   Basic password management
*   Access control implementation
*   Information integrity checks
*   Basic endpoint protection

**Documentation Needs**

*   System security policies
*   Access control documentation
*   Asset inventory
*   Basic security procedures

**Assessment Preparation**

*   Self-assessment documentation
*   Evidence collection
*   Policy review
*   Annual review planning

**Level 2 Certification Requirements**

**Technical Controls**

*   Multi-factor authentication
*   Network segmentation
*   Security monitoring tools
*   Incident response capabilities
*   Audit logging systems

**Documentation Needs**

*   System Security Plan (SSP)
*   Configuration management plans
*   Incident response procedures
*   Risk assessment documentation
*   POA&M development

**Assessment Preparation**

*   Third-party assessment readiness
*   Evidence compilation
*   Technical demonstrations
*   Staff interview preparation
*   Control validation testing

**Level 3 Certification Requirements**

**Technical Controls**

*   Advanced threat detection
*   Security orchestration
*   Continuous monitoring
*   Zero-trust implementation
*   Advanced access control

**Documentation Needs**

*   Enhanced SSP
*   Threat modeling documentation
*   Advanced security procedures
*   Risk management framework
*   Continuous monitoring plan

**Assessment Preparation**

*   Government assessment readiness
*   Advanced evidence compilation
*   Security control testing
*   Personnel training records
*   Program effectiveness metrics

**Implementation Guidance**

Successfully navigating the compliance requirements of CMMC 2.0 demands a structured approach to implementation and preparation. Each step, from initial technical review to mock assessments, is designed to build upon the previous, ensuring a seamless path to CMMC certification. 

**Technical Control Implementation**

*   Reviewing current architecture
*   Identifying gaps in controls
*   Developing implementation plan
*   Testing controls in staging
*   Deploying to production
*   Validating effectiveness

**Documentation Best Practices**

*   Using standard templates
*   Including revision history
*   Maintaining clear procedures
*   Documenting configurations
*   Tracking changes
*   Regular reviews

**Assessment Readiness**

*   Internal pre-assessment
*   Documentation review
*   Technical validation
*   Staff preparation
*   Evidence organization
*   Mock assessment

**How INE Security Helps Organizations Accelerate Compliance**

**Technical Training**

*   INE Security’s comprehensive technical training program provides hands-on experience through practical labs focused on control implementation and security tool configuration. Structured learning paths cover essential skills in network security implementation and monitoring system setup, giving users real-world experience with the tools and techniques required for CMMC compliance.

**Assessment Preparation**

*   Organizations can prepare confidently for CMMC assessment with INE Security’s practical scenarios and technical training tools. The training helps students master control validation exercises and provides thorough interview preparation guidance, ensuring students are prepared and the assessment process is smooth. 

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Director of Global Strategic Communications and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Alert: Expediting CMMC 2.0 Compliance

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

MITRE's Latest ATT&amp;CK Simulations Tackle Cloud Defenses

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

Source: Elena Uve via Alamy Stock Photo

COMMENTARY

API security often involves third-party, rather than first-party, APIs, and each use case can have different requirements. Rather than trying to make one technological approach work for all instances, security and risk management leaders must adapt their approach to the specific use case.

According to a recent Gartner survey, 71% of IT leaders report using third-party application programming interfaces (APIs) in their organizations. Many security and risk management leaders must focus on API security when dealing with consumption and integration with third-party APIs, rather than exposure of first-party APIs. 

In addition, when it comes to third-party APIs, many remediation measures, such as patching for exposures, are not under the organization's direct control. Therefore, the approach will have to be fundamentally different as compared to first-party APIs. 

Three use cases should be top of mind for these security leaders.

**Use Case 1: Discover and Manage Outbound Data Flows to Third-Party APIs**

In this first use case, the enterprise sends data to third parties via APIs, typically by invoking them from homegrown applications. In an e-commerce scenario, for instance, the service providing the API could be a payment gateway. In this example, the outgoing traffic would contain payment data used to process a payment. There are different ways to invoke the API from within the application, such as direct integration, using a software development kit or a webhook.

A main risk is that sensitive data may be sent toward the API. This activity may conflict with enterprise policies or industry regulations. Third-party APIs may also put the data, or the data of customers, in danger. For example, an attacker may be able to steal payment data from customers by using a vulnerable payment API. Depending on the scenario, injecting a malicious payload could also corrupt the database of a business partner.

In this scenario, security leaders should discover third-party APIs by performing traffic inspection, code repository inspection, and software composition analysis, as certain third-party APIs may be invoked via third-party libraries, not homegrown code.

Security leaders should also liaise with the team that manages sourcing, procurement, and vendor management (SPVM) and third-party cyber-risk to ensure software-as-a-service (SaaS) applications are vetted and comply with organizational policies.

Security leaders must also identify sensitive data exfiltration by monitoring the outgoing traffic in these API exchanges. This is typically achieved by implementing data loss prevention (DLP) capabilities. Disparate tools could apply—for example, security service edge (SSE), DLP, and API protection tools all have certain DLP capabilities.

*   Differentiators could include whether the tool can categorize data while in transit (“on the fly”) or whether it can perform remediation actions, such as blocking the exchange, anonymizing, or encrypting the data.
    
*   The monitoring point may also matter, as some tools may already be installed or have access to unencrypted traffic.
    
*   Most importantly, the way security leaders have configured a tool matters. If it is set up to act as a choke point, it could be a better option than a tool configured to process only specific types of traffic or incoming traffic, for example.
    
*   Internal considerations, such as which team owns and operates each tool, will also play a role in determining which tool to choose.
    

Finally, security leaders can implement proper authentication and authorization of the API client (in this scenario, the application) using the mechanisms offered by the API provider. At a minimum, favor tokens over API keys for authorization. Assess how opaque and proof-of-possession tokens (or at least frequently rotated access credentials) and certificate pinning may efficiently mitigate token leakage and interception risks in specific use cases. Be mindful of the technical burdens they may require to set them up and issues with traffic inspection.

**Use Case 2: Protect From Inbound Traffic From Third-Party APIs**

In this use case, the organization consumes the third-party API, and the data is incoming. A typical example could be an enterprise application that makes an API call to obtain data from a commercial SaaS provider or a business partner.

One risk in this use case is receiving potentially harmful input from the API. Malicious input from third-party APIs may endanger applications, its users, or the infrastructure hosting applications. For example, if an API response with a malicious payload is sent to a database, it could result in an injection attack.

Data exfiltration is still a risk for this use case, and many of the recommendations from the first use case still apply here. If the outgoing API request contains sensitive data, that data could be intercepted. For example, if an API call requests a list of restaurants based on GPS coordinates, said GPS coordinates could be intercepted if the connection is not secure. Most importantly, the third-party API could be fetching the specific data of the enterprise. (Think, for example, of an API fetching data about customers from specific instances of a CRM SaaS application.)

Security leaders should perform input validation. Ask developers to add input validation controls when ingesting any input, including input from third-party APIs. This will prevent a large spectrum of attacks from malicious input, such as SQL injection attacks. Application security testing (AST) tools can help automate these checks.

Use Web application firewall functionality from a Web application and API protection tool in-line to add contingencies against injection attacks and other types of malicious input.

Finally, vet the input with an antivirus, sandboxing, or content disarm and reconstruction solution by integrating applications typically via Internet content adaptation protocol or APIs with one or more of these tools.

**Use Case 3: Discover, Vet and Manage the Data for Third-Party Apps That Communicate via APIs**

Many security leaders are focused on API security but describe a scenario where one or more SaaS applications typically communicate via APIs, exchanging enterprise data. This issue can be exacerbated because users may be able to interconnect SaaS applications without having administrative privileges. While the underlying communication may be API-based, this problem's solution is closer to the best practices for SaaS security.

This situation is particularly challenging when an authorized SaaS application user connects it via API to an unauthorized SaaS app. Many organizations will have little to no visibility of the connection's existence, let alone of any data transfers across it. Second, visibility is limited to what SaaS providers reveal through their own management APIs, as there's no clear place to insert an in-line control. The main risk with this scenario is that the SaaS application may expose sensitive enterprise data via the API, and that data may be transferred to an unapproved and even unknown location that security has not vetted.

Security leaders should discover the SaaS applications used by performing a census, releasing a policy, and inspecting traffic. Use SSE, firewalls, SaaS management platforms, or other tools to identify the SaaS applications users are accessing, especially those housing sensitive data. Until they know what applications users are accessing, they cannot check for SaaS-to-SaaS connectivity

Discover rogue SaaS access tokens by querying the SaaS applications used, where supported. Create and promote policy to users about connecting SaaS apps via OAuth.

For the previous use cases, liaise with the team that manages SPVM and third-party cyber-risk to ensure SaaS applications are vetted and comply with organizational policies, such as data security and third-party sharing ones. In addition, inventory SaaS-to-SaaS interconnections; automated tooling, such as SSPM offerings, can help ensure this is a continuous process.

By adapting their approaches to these three specific use cases and their possible variations, security leaders can address the risks that third-party APIs present for their organizations.

**About the Author**

VP Analyst, Gartner

Dionisio Zumerle is a VP Analyst at Gartner, where he is currently focused on application and mobile security topics. Zumerle's coverage includes API security, mobile application security, DevSecOps, and mobile threat defense.

3 Use Cases for Third-Party API Security

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

Source: Brian Jackson via Alamy Stock Photo

A flaw in the widely used Cloudflare content delivery network (CDN) can expose someone's location by sending them an image on platforms like Signal and Discord, deanonymizing them in seconds without their knowledge.

That's according to a 15-year-old security researcher who goes by only "Daniel," who published research on GitHub Gist about the flaw — which he discovered three months ago — as a warning for journalists, activists, and hackers, who could be at physical risk.

The flaw allows an attacker to grab the location of any target within a 250-mile radius when a vulnerable app is installed on a target's phone, or even as a background application on their laptop. Using either a one-click or zero-click approach, an attacker can use the app to "send a malicious payload and deanonymize you within seconds — and you wouldn't even know," Daniel wrote.

**Cloudflare Content Caching Is the Cyber Culprit**

The core of the flaw lies in one of Cloudflare's most used features: caching, Daniel explained. Cloudflare's cache stores copies of frequently accessed content, such as images, videos, or webpages, in its datacenters, ostensibly to reduce server load and improve website performance.

When a device sends a request for a resource that can be cached, Cloudflare retrieves the resource from its local data center storage, if possible, or from the origin server. It then caches it locally, and returns it. "By default, some file extensions are automatically cached but site operators can also configure new cache rules," Daniel explained.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Because of this process flow, if an attacker can get a user's device to load a resource on a Cloudflare-backed site, causing it to be cached in their local datacenter, they can then enumerate all Cloudflare data centers to identify which one cached the resource. "This would provide an incredibly precise estimate of the user's location," Daniel explained.

Daniel did have to overcome a hurdle to this attack flow in that someone "can't simply send HTTP requests to individual Cloudflare datacenters," he wrote. However, he discovered a bug via a forum post that demonstrates how someone can send requests to specific Cloudflare datacenters with Cloudflare Workers, and created a tool called Cloudflare Teleport, a proxy powered by Cloudflare Workers that redirects HTTP requests to specific datacenters.

**How to Exploit the Cloudflare Location Flaw**

Daniel went on to demonstrate how he could send images via both Signal and Discord that would expose the recipient's location. For Signal, which is an app favored by journalists and activists due to its privacy features, a one-click attack allows someone to send either an attachment or an avatar to a user that exploits the cache geolocation method to pinpoint the recipient's location.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

An attacker also could use a zero-click attack in Signal by taking advantage of push notifications, which occur when a message is sent to a user while they are not actively using the app. In this case, the recipient doesn't even have to open the Signal conversation for their device to download the attachment, he said.

Attackers can exploit the flaw similarly in Discord, with potentially wider impact, using a custom emoji that's loaded from Discord's CDN and configured to be cached on Cloudflare, he explained.

"So, instead of sending an attachment in a Discord channel, an attacker can display a custom emoji in their user status and simply wait for the target to open their profile to run a deanonymization attack," Daniel wrote. A one-click attack vector also is possible in Discord by changing a user's avatar and sending a friend request to someone, which triggers a push notification, he added.

**Signal, Discord, Cloudflare Response & Mitigation**

Daniel contacted Signal, Discord, and Cloudflare about the bug. The first two companies did nothing to mitigate it, with Signal claiming users are responsible for protecting their own identities, and Discord claiming it was Cloudflare's responsibility.

Related:Trump Overturns Biden Rules on AI Development, Security

For its part, Cloudflare did fix the Cloudflare Workers bug that allowed Daniel to create the Teleport tool. The bug was reported to its HackerOne program a year ago by another researcher, but the company had not responded to the report. It reopened the case after Daniel's report and mitigated the issue, awarding him a $200 bug bounty in the process.

However, even after the mitigation, Daniel was able to exploit the flaw by reprogramming his Cloudflare Teleport tool to use a VPN instead, choosing a VPN provider with more than 3,000 servers located in various locations across 31 different countries worldwide. "Using this new method, I'm able to reach about 54% of all Cloudflare datacenters again," he explained.

At this time, "any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken," Daniel wrote.

And this can be especially dangerous for people who need to protect their location for various reasons, such as a woman who may be hiding from a violent boyfriend or husband, or a political dissident who is being targeted by a hostile government, says Roger Grimes, data-driven defense evangelist at KnowBe4.

“At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios … where it could be a problem," he tells Dark Reading. Moreover, Grimes suspects that Cloudflare CDN is not the only CDN affected by such a flaw, as "the attack is just generic enough that I think it can be applied to more CDNs," he says.

Daniel advised that people concerned about their privacy should limit their exposure on the affected apps, which "can make a significant difference" when it comes to protecting their location data.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cloudflare CDN Bug Outs User Locations on Signal, Discord

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.

It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza's internet-connected features and start looking for ways to exploit them. Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.

Most disturbing for Curry, though, was that they found they could also track the Subaru's location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.

A year of location data for Sam Curry’s mother’s 2023 Subaru Impreza that Curry and Shah were able to access in Subaru’s employee admin portal thanks to its security vulnerabilities.

Screenshot Courtesy of Sam Curry

“You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day,” Curry says. “Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

Curry and Shah today revealed in a blog post their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company's vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan. Vulnerabilities they found in a Subaru website intended for the company's staff allowed them to hijack an employee's account to both reassign control of cars’ Starlink features and also access all the vehicle location data available to employees, including the car’s location every time its engine started, as shown in their video below.

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies' web tools that have yet to be discovered.

In Subaru's case, in particular, they also point out that their discovery hints at how pervasively those with access to Subaru's portal can track its customers' movements, a privacy issue that will last far longer than the web vulnerabilities that exposed it. “The thing is, even though this is patched, this functionality is still going to exist for Subaru employees,” Curry says. “It's just normal functionality that an employee can pull up a year's worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah's findings, a spokesperson responded in a statement that “after being notified by independent security researchers, \[Subaru\] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevancy, who can access location data." The company offered as an example that employees have that access to share a vehicle's location with first responders in the case when a collision is detected. “All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” Subaru's statement added. “These systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats.”

Responding to Subaru's example of notifying first responders about a collision, Curry notes that would hardly require a year's worth of location history. The company didn't respond to WIRED asking how far back it keeps customers' location histories and makes them available to employees.

Shah and Curry's research that led them to the discovery of Subaru's vulnerabilities began when they found that Curry's mother's Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees' passwords simply by guessing their email address, which gave them the ability to take over any employee's account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user's browser, not on Subaru's server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

The two researchers say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee's account, and immediately found that they could use that staffer's access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate to access their Starlink configurations. In seconds, they could then reassign control of the Starlink features of that user's vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as shown in the video below.

Those vulnerabilities alone, for drivers, present serious theft and safety risks. Curry and Shah point out that a hacker could have targeted a victim for stalking or theft, looked up someone's vehicle's location, then unlocked their car at any time—though a thief would have to somehow also use a separate technique to disable the car's immobilizer, the component that prevents it from being driven away without a key.

Those car hacking and tracking techniques alone are far from unique. Last summer, Curry and another researcher, Neiko Rivera, demonstrated to WIRED that they could pull off a similar trick with any of millions of vehicles sold by Kia. Over the prior two years, a larger group of researchers, of which Curry and Shah are a part, discovered web-based security vulnerabilities that affected cars sold by Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce, and Toyota.

More unusual in Subaru's case, Curry and Shah say, is that they were able to access fine-grained, historical location data for Subarus going back at least a year. Subaru may in fact collect multiple years of location data, but Curry and Shah tested their technique only on Curry's mother, who had owned her Subaru for about a year.

Curry argues that Subaru's extensive location tracking is a particularly disturbing demonstration of the car industry's lack of privacy safeguards around its growing collection of personal data on drivers. “It's kind of bonkers,” he says. “There's an expectation that a Google employee isn't going to be able to just go through your emails in Gmail, but there's literally a button on Subaru's admin panel that lets an employee view location history.”

The two researchers’ work contributes to a growing sense of concern over the enormous amount of location data that car companies collect. In December, information a whistleblower provided to the German hacker collective the Chaos Computer Computer and Der Spiegel revealed that Cariad, a software company that partners with Volkswagen, had left detailed location data for 800,000 electric vehicles publicly exposed online. Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla's report reads.

Curry and Shah's discovery of Subaru's security vulnerabilities in its tracking demonstrate a particularly egregious exposure of that data—but also a privacy problem that's hardly less disturbing now that the vulnerabilities are patched, says Robert Herrell, the executive director of the Consumer Federation of California, which has sought to create legislation for limiting car's data tracking.

“It seems like there are a bunch of employees at Subaru that have a scary amount of detailed information,” Herrell says. “People are being tracked in ways that they have no idea are happening.”

_Update 4:23 pm EST, January 23, 2025: The article's subheadline has been updated to clarify the scope of the researcher's work._

Subaru Security Flaws Exposed Its System for Tracking Millions of Cars

Chinese hacks, rampant ransomware, and Donald Trump’s budget cuts all threaten US security. In an exit interview with WIRED, former CISA head Jen Easterly argues for her agency’s survival.

When I walk into Jen Easterly’s office on a bright January day in Arlington, Virginia, I’m greeted by a giant shark head lurking on the floor. I instantly spot a Rubik’s Cube—an Easterly hallmark—emblazoned with the logo of the organization she’s run for the past three and a half years—the Cybersecurity and Infrastructure Security Agency, or CISA, which President Donald Trump created during his first term.

Easterly, who is 56 years old, jumps to her feet to greet me. The first thing that hits me is her denim pants, which have a dragon on one leg and a serpent on the other. Then she launches into updates on CISA’s animated “Secure Our World” video series and, in the same breath, laments that she hasn’t had time for a private guitar lesson in weeks. Seemingly a regular day on the job for her, except for one thing. As of January 20, Inauguration Day, Easterly’s time at CISA would be over. Trump had fired the agency’s first director, Chris Krebs, after CISA refused to question the integrity of the 2020 election, and Easterly now says she wasn’t asked to stay. Rumors are swirling that CISA programs—or even the entire agency—may soon be on Trump’s chopping block.

The timing couldn’t be worse for the nation to lose its top cybersecurity cop. A Beijing-linked group called Salt Typhoon spent months last year rampaging through American telecoms and siphoning call logs, recordings, text messages, and even potentially location data. Many experts have called it the biggest hack in US telecom history. Easterly and her agency unknowingly detected Salt Typhoon activity in federal networks early last year—warning signs that ultimately sped up the unraveling of the espionage campaign.

The work of banishing Chinese spies from victim networks isn’t over, but the walls are already closing in on CISA. Trump's nominee to run the Department of Homeland Security, Kristi Noem, told a senate committee last week that CISA needs to be “smaller” and “more nimble.” And a day after the inauguration, all members of the Cyber Safety Review Board—who were appointed by Easterly and were actively investigating the Salt Typhoon breaches—were let go.

When Easterly officially became the agency’s second director, in 2021, the government was still reeling from a different blockbuster hack—SolarWinds. Kremlin-backed intruders had compromised widely used software to infiltrate the networks of US agencies and other targets. Helping US institutions defend themselves became an even more urgent and daunting project. CISA doesn’t enforce laws or collect intelligence; its job is to evangelize digital security measures and offer free services, so institutions can see what they need to do to not get hacked or—more realistically—get hacked less badly. Easterly got to work building relationships across the federal government and with state and local officials, corporate executives, and utility managers. In crises like the Salt Typhoon campaign, these relationships are crucial to quickly containing the damage.

It takes a determined person, and perhaps a charismatic one, to build rapport with such a wide-ranging group of people. Easterly has the background for it: She has worked in the Army (with multiple deployments), the National Security Agency, and the National Security Council under Barack Obama, and she spent nearly five years in charge of Morgan Stanley’s global cybersecurity. She also helped establish US Cyber Command within the Department of Defense. Somehow, though, she’s chill. To break the ice, and probably to make an impression, Easterly has leaned into her passions while in office, cubing and jamming with executives and utility operators around the country. And, yes, there’s her eclectic style—high fashion (by cybersecurity standards, anyway) mixed with bell-bottoms and Birkenstocks—but also her quiet, intense obsession with trying to solve the puzzle that is digital defense.

_This interview has been edited for length and clarity, combining on-camera and off-camera portions. Check out_ WIRED’_s YouTube channel_ _for the video._

**You’re in your last days as the director of CISA. How's it going?**

It's a little bittersweet.

**Why are you leaving?**

Well, at the end of the day, I'm a Senate-confirmed political appointee. We serve at the pleasure of the president. I've not been asked to stay.

**There are signs that the Trump administration may be hostile to some of CISA’s goals. Do you think the agency has proven it's valuable?**

We are America's cyberdefense agency, but our budget is less than $3 billion. I think the American people are getting an incredible return on investment. Anybody who looks at it will see that there's been an enormous amount of progress made in reducing risk to the critical infrastructure Americans rely on every hour of every day. We're talking water, power, transportation, communication, finance. It's not a political or partisan issue, and these threats are only getting more complicated, more dangerous. Any stepping back of what we've put in place will be to the detriment of the safety and security of the American people.

**One threat that’s top of mind is Salt Typhoon. How have past foreign espionage campaigns, like Russia’s SolarWinds attacks, informed the work you all are doing?**

What we saw in December 2020, with the revelations about the Russian intrusions into US federal government networks, as well as businesses around the world, was a pretty sophisticated supply-chain espionage operation. I would say the bumper sticker was to finally allow CISA to manage the .gov federal digital assets as one enterprise, not as a disparate tribe of a hundred separate departments and agencies. It's still a work in progress, but what we've put in place across the government over the past three and a half years has given us enormous visibility and has allowed us to detect intrusions much more rapidly, to be able to remediate them and to get ahead of future intrusions.

**It’s concerning how difficult it seems to have been for the telecoms to eradicate the Chinese hackers from their networks.** **Has there been progress in terms of that transparency and insight you're talking about?**

After the revelations of these breaches, we stood up what's called a unified coordination group. So we're responding, the FBI is investigating, folks like the National Security Agency are using what we see in the intelligence to understand the extent and the depth of this intrusion. And we're coming together to work with the victims. We've been doing that for months. This has unfortunately been out in the press a lot—

**I would say fortunately!**

Anything that gets out there has the downside of having adversaries change their tactics. So, while I think the transparency to consumers is important, it also makes it more difficult to then find these actors within the network. I don't expect it to be remediated in the short term.

**What about in the long term?**

Everybody should assume that our adversaries, in particular China, are attempting to go after our critical infrastructure. The private sector, they are on the front lines of this fight, because they own and operate the vast majority of our critical infrastructure. It's why companies need to put collaboration over self-preservation.

I want a future where something like a ransomware attack is a shocking anomaly. Where damaging software vulnerabilities exploited by nation-state actors are as infrequent as plane crashes. A world where the technology that we've come to rely on every hour of every day is first and foremost secure.

**It feels like hackers always find new ways to get where they want to go. Can you win at defense?**

I mean, you're right. Defense is hard. I say that as America's cyber head goalie. And that's why it has to be a team. As much as we work to hunt for and eradicate Chinese actors, our partners need to hold those actors accountable, whether that's through offensive cyber capabilities or indictments or sanctions. But, yes, we're on the defensive side, and it's a challenge.

Former CISA director Jen Easterly left office on Inauguration Day as rumors swirled about the fate of the agency.Photograph: Dana Scruggs

**Right now is a very scary and precarious time in cyberspace.**

I spent a lot of time in counterterrorism, and people would often say, “What keeps you up at night?” But it's really not what keeps me up at night. It's all about what gets you up in the morning. I love my team. I love the mission. Not every day is the best day ever, but you work through the issues, you stay resilient, you stay focused.

**Probably a necessary attitude for this type of work. But I just have to be that guy who asks you one more time: What keeps you up at night?**

A major conflict in Asia—the potential invasion or blockade of Taiwan by the People’s Republic of China—could have very real consequences here in the US. You could see pipelines and water being affected, telecommunications being severed, rail lines, power. That is all part of a very deliberate effort by the People’s Republic of China to incite what they call “societal panic” and to deter our ability to marshal military might and citizen will. We have to acknowledge that disruption may occur.

**Is the public paying too much attention to espionage campaigns like Salt Typhoon? Should we all be more worried about threats to critical infrastructure, like China’s Volt Typhoon?**

We are very focused overall on PRC cyber actors. CISA is one of the few agencies in the government that has been able to find both Volt Typhoon within critical infrastructure as well as Salt Typhoon. In fact, it was our work several months ago to find Salt Typhoon that then led to law enforcement identifying virtual private servers that were being leased by the adversaries, and then that unraveled the wider campaign.

**You and I have talked before about how Ukraine has faced years of punishing digital attacks and, of course, an ongoing kinetic war with Russia. CISA has partnered for a few years now with its counterpart agency in Ukraine. Do you have concerns that the Trump administration won't prioritize that relationship?**

Ukraine is under active assault by a very sophisticated threat actor. What we are learning from how they are dealing with those attacks actually helps us understand and mitigate similar threats to our own infrastructure. Cyber is a borderless space, and what our foreign partners see can absolutely benefit us. We need to ensure that all of us—from the vendors that create technology to companies that buy technology to citizens that consume technology—recognize our shared role in a collective defense of cyberspace and critical infrastructure.

**Do you feel that there are too many cooks in the US federal cybersecurity kitchen? Has that been an issue?**

It really has not. A lot of people have asked that question, but when the SolarWinds incident occurred I was looking at it as both the cyber policy lead for the Biden-Harris transition team and, perhaps more importantly, from my day job at Morgan Stanley. One advisory came out from CISA that was very SolarWinds-specific. We didn't have SolarWinds in our infrastructure. Another one came from NSA that was focused on VMware, and we did have VMware in our systems. It was not clear how these things were connected. And then you would see an FBI private-sector notice about something else. At this point I've already been in government for 27 years. I'd been in the military, the Department of Defense, the intelligence community, the White House. It's like, I know this. I thought I understood the government. And I couldn't make sense of what the government was trying to tell us about this Russian espionage campaign. It was one of the motivating things about coming to CISA. How do we bring together the federal cyber ecosystem?

The relationships with NSA, FBI, and CISA have never been better. Some of that is personalities, but I think we have actually developed institutional connective tissue, so that it will last. It's very, very clear what CISA’s role is. Now, you often talk about, what does the National Security Council do? What does the Office of the National Cyber Director do? I think we've sorted out the relationships at that level with policy and strategy, but really at the operational level where CISA lives, those relationships across the federal cyber ecosystem I think have never been better.

**You said that there is unfinished business as you prepare to leave CISA. Where do you wish you could have done more?**

There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day. But ransomware is still a problem. We have been laser-focused on PRC cyber actors. That will continue to be a huge problem. I'm really proud of where we are, but there's much, much more work to be done. There are things that I think we can continue driving, that the next administration, I hope, will look at, because, frankly, cybersecurity is a national security issue.

**I have to ask you, there are rumors: Are you or are you not going on tour when you leave CISA?**

You know, I certainly hope to. I played piano and guitar when I was young, but I started taking up electric guitar, and that has become my passion, my obsession. So my big postretirement plan several years from now is to start a bar in lower Manhattan, to have a band. We're going to do magic. We're going to do improv. I'm going to be the bartender.

**And will there be Rubik's Cubes at every table?**

There will be Rubik's Cubes. I'm obsessed with the Rubik's Cube. When I was 11 these things were introduced across the world, and I was a huge puzzler and a video game person. I learned how to solve it, and then I would go to toy stores—I was this little kid with pigtails—and say, “Hey, if I can solve this in less than two minutes, will you give me a free one?” So I was able to amass this whole set of them.

**You must see some sort of connection between that and your day job.**

Ernő Rubik, who invented the thing, said something like, if you are curious, you will find puzzles around you. And if you are determined, you will solve them. And when I think about the incredible technical talent that we have here at CISA, it’s the intellectual curiosity, it’s the hacker mindset, it’s the problem solver. But it's also the determination, the relentless drive to solve the most complicated problems out there.

_Let us know what you think about this article. Submit a letter to the editor at_ _mail@wired.com._

Under Trump, US Cyberdefense Loses Its Head

The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.

Itzik Alvas, Co-Founder & CEO, Entro Security

January 22, 2025

3 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

A look back at 2024's top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft.

One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach, stemming from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise. 

While the attack was contained, the impact on Cloudflare was nonetheless significant. The company disclosed it had to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, perform forensic triages on 4,893 systems, and then reimage and reboot every machine in its global network.

As the year progressed, NHI breaches gained momentum.

In June, the New York Times made its own news when 270GB of its internal data and applications in 5,000 repositories were stolen from GitHub and published on the Web. 

How? The breach was executed using NHI when an exposed GitHub Personal Access Token, a machine-to-machine secret, allowed unauthorized access to the company's code repositories. The "All the News That's Fit to Print" outlet downplayed the story. Cybersecurity experts did not agree, however, arguing that source-code leaks can have wide-ranging implications.

**High-Profile Breach Disclosures**

The year ended with a spate of high-profile breach disclosures attributed to NHI during the fourth quarter. 

Thousands of online stores running Adobe Commerce (formerly Magento) software were hacked and infected with digital payment skimmers. The NHI attack used stolen cryptographic keys to generate an application programming interface (API) authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process.

AWS and Microsoft Azure machine-to-machine authentication keys found in Android and iOS apps used by millions were compromised, exposing user data and source code to security breaches. Exposing this type of credential can easily lead to unauthorized access to storage buckets and databases with sensitive user data. Apart from this, attackers could use them to manipulate or steal data.

Schneider Electric confirmed its development platform was breached after a hacker used exposed Jira credentials to steal data. The hacker gloated that the breach compromised critical data, including projects, issues and plug-ins, along with over 400,000 rows of user data, totaling more than 40GB of compressed data,

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. This security flaw enabled threat actors to remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

A new sophisticated phishing tool targeting GitHub users was also revealed in the fourth quarter. It posed a significant threat to developers and organizations worldwide. Here's how this relates to NHIs: Bots used a compromised secret and set of permissions associated with that credential as the ingredients to make the API calls and create comments using a script.

The comments themselves convinced developers to use insecure scripts as validated solutions.

These scripts, in turn, could lead victims to phishing pages designed to steal login credentials, malware downloads, or rogue OAuth app authorization prompts granting attackers access to private repositories and data.

Finally, and bringing the year to a dramatic close, NHI was responsible for the US Treasury hack by Chinese threat actors, who gained access to "unclassified documents" after compromising the agency's networks. The attackers were able to exploit vulnerabilities in remote tech support software by misusing a leaked API key to gain unauthorized access.

The flurry of NHI attacks at the end of the year demonstrates extremely strong momentum heading into 2025. That does not bode well. 

Chief information security officers (CISOs) and security teams need to prioritize the emerging NHI threats roaring into the new year.

**About the Author**

Co-Founder & CEO, Entro Security

Itzik Alvas is co-founder and CEO at Entro Security and former healthcare organization CISO and information technology manager at Microsoft.

A cloud and security expert with more than 17 years of experience managing and building teams of hundreds of employees for both leading global enterprise companies and early-stage startups, always at the forefront of state-of-art security solutions used by governments, top intelligence agencies, data centers, cloud providers and industrial markets. Itzik served with the IDF's elite intelligence unit.

Tag

#ios