In this common email scam, a criminal pretending to be your boss or coworker emails you asking for a favor involving money. Here's what do to when a bad actor lands in your inbox.

Don't close this tab! I know there are few combinations of words less interesting than business, email, and compromise. I may as well have written an article about fiber, socks, and responsibility. But this isn't a boring article: it's an article about email con artists who, according to the FBI, are pulling in $26 billion a year by scamming people.

So yeah: business email compromise scams are a big deal. The con artists behind this criminal enterprise will cold email you, pretending to be someone you work with, in order to gain access to money or information. You might get an email that appears to be from your company's CEO asking you to quickly do something like buy gift cards, or you might get an email that looks like it's from an employee at your company asking you to change their direct deposit information. The scam itself can take a lot of forms, but the end goal is to somehow siphon money away from you or the business you work for.

It's worth it for anyone with a desk job to take a few moments to learn how to spot these emails. I talked with a few experts, and they passed along some helpful advice.

**Always Question Urgency**

When I asked two cybersecurity experts about BEC fraud, I expected them to lead with technical advice. Both started with emotions. This makes sense: while such fraud happens on computers, it is at its heart about psychological manipulation. So spotting an email compromise scam requires getting in touch with how you're feeling.

"If an email elicits an emotional response, take a step back and reread it when you're more calm," says Ronnie Tokazowski, a security researcher who has been working to educate people about email scams for over a decade. Tokazowski emphasizes how important creating a false sense of urgency is to such scams. The stress the scam induces is what keeps you from questioning the premise. "People who get pulled into these types of scams … their emotions get very deregulated," he says. That makes you less capable of thinking critically, which is a key part of how such scams work.

Selena Larson, a threat researcher at cybersecurity firm Proofpoint, went a step further. "I don't know if you can print this, but honestly: just breathe," she says. "Slow down, take a deep breath. That actually helps you think more clearly and rationally. Walk away from your computer or your phone and think critically. Would this be an email that someone would send me? Is this is a logical thing that I'm being asked to do?"

You should be particularly skeptical if the person sending the email asks you to keep something quiet.

"Scammers do things like isolate you from your peers," says Larson. "They come at you from a position of authority and say things like, 'Please keep this confidential and only between us.' This type of social engineering makes it so people feel like they have to take an action with some kind of urgency, and that you can't share it with anybody."

So this is the first step: take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it's your best first defense, and your employer will thank you for it (or, at least, they should).

**Always Confirm Through a Second Channel**

Now that you're skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.

"If you received an email like this, it's important to pick up the phone and call the number you know to be legitimate," says Larson, adding a caveat. "Do not rely on a phone number in the email itself—it will be owned by the threat actor."

This is a crucial point: any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you've already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that's similar to that of the person they're impersonating, all on the hopes that you'll call that number instead of the real one.

"I've seen phone numbers off two digits from the actual phone number," says Tokazowski.

Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they're in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.

"The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction," says Larson.

**Check the Email Address**

Getting in touch with the supposed sender isn't always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it's from company domain.

"Always check the domains that you're receiving emails from," says Larson. Sometimes this will be obvious; your CEO likely isn't emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they're attempting to fraud, all in the hopes of appearing legitimate.

It's also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they'll use the actual domain of the company to make it look legitimate, but that won't match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Lookalike domains are very common: someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you're suspicious, is to copy and paste the domain half of the address into a browser. If you don't get a website, you're probably dealing with a fake.

Another trick scammers will use is email spoofing, which you can spot by clicking reply and checking the email address that shows up in the "To" field. If it's a different email address than the one the email looks like it arrived from, you're likely dealing with a fake request.

**Go Through the Proper Protocols**

Now this is boring, but the best defense against business email compromise scams might be old-fashioned bureaucracy. If there is a process in place for things that are the common target of scams—large purchases, for example, or updating financial information in a database—then your company is less likely to fall victim to such scams.

“Most of the time, from a process perspective, that request of purchasing something would need to go through human resources, procurement,” says Tokazowski. If you get a request like this over email asking you to bypass the usual processes, be skeptical. “There needs to be a paper trail. Someone saying ‘purchase this from your personal account’ is a process that just wouldn't happen.”

A healthy company probably shouldn't be using email as the workflow for important financial processes. If you want to change your direct deposit information, for example, it's terrible practice for the workflow.

**Leaders: Keep Communication Open**

I have one last piece of advice, and it's for leaders inside companies: don't act in such a way that people will mistake scammers for you. If you regularly email employees and ask for urgent favors while telling people to keep quiet about these requests and to not work through the official channels, you're increasing the odds that your company falls victim to such scams. On the other hand, if you create a company culture of transparency, you're making the company stronger and more resistant.

“An important step is to ensure that you're trying to foster a culture of open communication,” says Tokazowski. Many organizations are structured in a way that communication between various levels is minimized. In such organizations, Tokazowski says, “skip-level meetings” are helpful. This is a style of meeting where a senior manager meets with a middle manager's direct reports without the middle manager there—skipping a level in the hierarchy—to develop stronger paths of communication between all the levels.

Another thing leaders should keep in mind is how important it is to talk openly if your company falls victim to such a scam.

“The shame that people feel, regardless of the type of scam, feeling horrible, is part of how these scams keep working,” says Larson. “Talking about it openly helps the person, their peers, and their colleagues learn how to understand how to protect themselves.”

How to Spot a Business Email Compromise Scam

Plus: US lawmakers have nothing to say about an Israeli influence campaign aimed at US voters, a former LA Dodgers owner wants to fix the internet, and more.

Despite years worth of efforts to eliminate the scourge of ransomware targeting schools, hospitals, and critical infrastructure worldwide, experts are warning that the crisis is only heating up, with criminal gangs growing ever more aggressive in their tactics. The threat of real-world violence now looms, some experts warn, as the data stolen grows increasingly sensitive and millions in potential profits hang in the balance. “We know where your CEO lives,” read a message reportedly received by one victim. Attacks targeting the medical sector are blooming in response to the $44 million payout by Change Healthcare this March.

United States lawmakers and intelligence officials are circling their wagons following the revelation of Israel’s involvement in a malign influence campaign that targeted US voters—an attempt by America’s Middle East ally to artificially boost support for an increasingly unpopular war that was kicked off by Hamas’ unprecedented Oct. 7th attack. The sock-puppet operation, which was launched by an Israeli contractor on X, Facebook, and Instagram and utilized OpenAI’s ChatGPT software, impersonated mostly Black Americans and targeted “Black and Democratic” lawmakers. A weeks’ worth of efforts by WIRED to get answers from US officials who may have been notified about the operation prior to a vote on enhancing military aide to Israel went ignored. Strikingly, the National Security Council denied having ever heard of it.

Frank McCourt, a real estate mogul and former owner of the Los Angeles Dodgers, explained why he’s spearheading an effort to purchase TikTok, which the United States is slated to ban unless its current owner, ByteDance, decides to sell the platform to a US company—a decision that will undoubtedly require the consent of the Chinese government. McCourt sees the internet as being imperiled by closed-off platforms like Facebook and X and is embracing the growing interest in decentralized networks. Decentralized platforms such as Mastodon have been popular among a subset of users for many years, allowing people to effectively own their own social networks and moderate them according to their own rules. These private networks are free to connect with others using the same software but can also sever connections to communities that embrace harmful content. (Think of these user-controlled networks as “islands” with diplomatic ties between them.) McCourt says purchasing and decentralizing TikTok could be the first step in raising the internet out of the siloed swamp that it is today thanks to Meta and its competitors.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

****Pentagon Led Anti-Vax Psyops Against Filipinos Under Trump****

A bombshell Reuters investigation has unearthed a malign influence campaign launched by the US military at the height of the 2020 Covid-19 pandemic. The campaign utilized sock-puppet accounts on X, Facebook, and Instagram and was focused on convincing citizens of the Philippines that vaccines produced by China were dangerous and—preying on the religious beliefs of Muslims—full of pig parts. Infectious disease experts expressed dismay at the Pentagon’s actions. According to Reuters, the campaign was ordered to an end by the Biden White House shortly after the president’s inauguration, though the Pentagon was apparently slow to enact the commander in chief’s orders. The private contractor responsible for producing the Pentagon’s disinformation was recently awarded a $493 million US government contract.

****Microsoft Hid Major Vulnerability Tied to Historic SolarWinds Attack****

ProPublica recounts how, in 2016, a top cybersecurity specialist raised alarms about a cloud-based vulnerability at Microsoft, a major US government contractor. The weakness threatened to expose national security secrets among other sensitive data. The specialist “pleaded” with the company to address the problem, but his concerns were dismissed by the tech giant as it strived to secure a multibillion-dollar government contract in the cloud computing space. Frustrated, the specialist quit the company and, months later, as predicted, Russian hackers carried out SolarWinds, one of the largest cyberattacks in US history. The reporting brings into question testimony by Microsoft president Brad Smith, who assured Congress in 2016 there was no way the hackers had exploited his company’s software.

****Police Victims of Face-Recognition Errors Decry California Bill as Inadequate****

Three Black men jailed in the US for crimes they didn't commit—after having been falsely identified by police face-recognition software—are speaking out _against_ pending legislation in California that lawmakers claim would protect citizens from such egregious mistakes. The men say the bill, which passed with unanimous support from the state assembly last month and now is under scrutiny in its upper chamber, would have done nothing to stop them from being falsely arrested. Said one of the men: “In my case, as in others, the police did exactly what AB 1814 would require them to do,” adding, “Once the facial recognition software told them I was the suspect, it poisoned the investigation. This technology is racially biased and unreliable and should be prohibited.”

****The Other Threat From Surveillance Data Brokers: Garbage Data****

While much of the scrutiny facing the data broker industry concerns its power to monitor people’s movements and attendance at sensitive locations such abortion clinics and mental health facilities, there’s another issue at play: Much of the data it markets is “inaccurate trash,” The Record reports. A chief privacy officer at Acxiom, a leading third-party data broker, acknowledged as much in an interview last month, saying the “inferences” drawn by his company are, at best, “informed guesses.” Experts are growing increasingly concerned about the downstream effects, with some highlighting how insurance companies are relying more and more on data brokers to inform how much customers should pay. Another expert tells The Record that data brokers may be incentivized not to scrutinize the data too closely, noting that customers aren’t too worried if a fraction of it leads them to false assumptions.

Ransomware Attacks Are Getting Worse

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.
"The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.

"The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is to steal their personal and financial information."

The threat actors, believed to be Chinese-speaking, are known to leverage stolen databases sold on the dark web to send bogus SMS messages, enticing recipients into clicking on links under the pretext of informing them of a failed package delivery and urging them to update their address.

Users who end up clicking on the URLs are directed to fake websites that prompt them to enter their financial information as part of a supposed service fee charged for redelivery.

"Besides Pakistan Post, the group was also involved in detecting multiple fake delivery package scams," Resecurity said. "These scams primarily targeted individuals who were expecting legitimate packages from reputable courier services such as TCS, Leopard, and FedEx."

The development comes as Google revealed details of a threat actor it calls PINEAPPLE that employs tax and finance-themed lures in spam messages to entice Brazilian users into opening malicious links or files that ultimately lead to the deployment of the Astaroth (aka Guildma) information-stealing malware.

"PINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil," Google's Mandiant and Threat Analysis Group (TAG) said. "The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others."

It's worth noting that the abuse of Google Cloud Run to disseminate Astaroth was flagged by Cisco Talos earlier this February, describing it as a high-volume malware distribution campaign targeting users across Latin America (LATAM) and Europe.

The internet goliath said it also observed a Brazil-based threat cluster it tracks as UNC5176 targeting financial services, healthcare, retail, and hospitality sectors with a backdoor codenamed URSA that can siphon login credentials for various banks, cryptocurrency websites, and email clients.

The attacks leverage emails and malvertising campaigns as distribution vectors for a ZIP file containing an HTML Application (HTA) file that, when opened, drops a Visual Basic Script (VBS) responsible for contacting a remote server and fetching a second-stage VBS file.

The downloaded VBS file subsequently proceeds to carry out a series of anti-sandbox and anti-VM checks, after which it initiates communications with a command-and-control (C2) server to retrieve and execute the URSA payload.

A third Latin America-based financially motivated actor spotlighted by Google is FLUXROOT, which is linked to the distribution of the Grandoreiro banking trojan. The company said it took down phishing pages hosted by the adversary in 2023 on Google Cloud that impersonated Mercado Pago with the goal of stealing users' credentials.

"More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware," it said.

The disclosure follows the emergence of a new threat actor dubbed Red Akodon that has been spotted propagating various remote access trojans like AsyncRAT, Quasar RAT, Remcos RAT, and XWorm through phishing messages that are designed to harvest bank account details, email accounts, and other credentials.

Targets of the campaign, which has been ongoing since April 2024, include government, health, and education organizations as well as financial, manufacturing, food, services, and transportation industries in Colombia.

"Red Akodon's initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá," Mexican cybersecurity firm Scitum said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

The company focused heavily on data and system security in the announcement of its generative AI platform, Apple Intelligence, but experts worry that companies will have little visibility into data security.

Source: Cosmo Condina via Alamy Stock Photo

Apple's long-awaited announcement of its generative AI (GenAI) capabilities came with an in-depth discussion of the company's security considerations for the platform. But the tech industry's past focus on harvesting user data from nearly every product and service have left many concerned over the data security and privacy implications of Apple's move. Fortunately, there are some proactive ways that companies can address potential risks.

Apple's approach to integrating GenAI — dubbed Apple Intelligence — includes context-sensitive searches, editing emails for tone, and the easy creation of graphics, with Apple promising that the powerful features require only local processing on mobile devices to protect user and business data. The company detailed a five-step approach to strengthen privacy and security for the platform, with much of the processing done on a user's device using Apple Silicon. More complex queries, however, will be sent to the company's private cloud and use the services of OpenAI and its large language model (LLM).

While companies will have to wait to see how Apple's commitment to security plays out, the company has put a lot of consideration into how GenAI services will be handled on devices and how the information will be protected, says Joseph Thacker, principal AI engineer and security researcher at AppOmni, a cloud-security firm.

"Apple's focus on privacy and security in the design is definitely a good sign," he says. "Features like not allowing privileged runtime access and preventing user targeting show they are thinking about potential abuse cases."

Apple spent significant time during its announcement reinforcing the idea that the company takes security seriously, and published a paper online that describes the company's five requirements for its Private Cloud Compute service, such as no privileged runtime access and hardening the system to prevent targeting specific users.

Still, large language models (LLMs), such as ChatGPT, and other forms of GenAI are new enough that the threats remain poorly understood, and some will slip through Apple's efforts, says Steve Wilson, chief privacy officer at cloud security and compliance provider Exabeam, and lead on the Open Web Application Security Project's Top 10 Security Risks for LLMs.

"I really worry that LLMs are a very, very different beast, and traditional security engineers, they just don't have experience with these AI techniques yet," he says. "There are very few people who do."

**Apple Makes Security a Centerpiece**

Apple seems to be aware of the security risks that concern its customers, especially businesses. The implementation of Apple Intelligence across a user's devices, dubbed the Personal Intelligence System, will connect data from applications in a way that has, perhaps, only been implemented through the company's health-data services. Conceivably, every message and email sent from a device could be reviewed by AI and context added through on-device semantic indexes.

Yet, the company pledged that, in most cases, the data never leaves the device, and the information is anonymized as well.

"It is aware of your personal data, without collecting your personal data," Craig Federighi, senior vice president of software engineering at Apple, stated in a four-minute video on Apple Intelligence and privacy during the company's June 10 launch, adding: "You are in control of your data, where it is stored and who can access it."

When it does leave the device, data will be processed in the company's Private Cloud Compute service, so Apple can take advantage of more powerful server-based generative-AI models, while still protecting privacy. The company says that it never stores or makes accessible any data to Apple. In addition, Apple will make every production build of its Private Cloud Compute platform available to security researchers for vulnerability research in conjunction with a bug-bounty program.

Such steps seemingly go beyond what other companies have promised and should assuage the fears of enterprise security teams, AppOmni's Thacker says.

"This type of transparency and collaboration with the security research community is important for finding and fixing vulnerabilities before they can be exploited in the wild," he says. "It allows Apple to leverage the diverse skills and perspectives of researchers to really put the system through the wringer from a security testing perspective. While it's not a guarantee of security, it will help a lot."

**There's an App for (Leaking) That**

However, the interactions between apps and data on mobile devices and the behavior of LLMs may be too complex to fully understand at this point, says Exabeam's Wilson. The attack surface area of LLMs continues to surprise the large companies behind the major AI models. Following its release of its latest Gemini model, for example, Google had to contend with inadvertent data poisoning that arose from training its model with untrusted data.

"Those search components are falling victim to these kind of indirect injection data-poisoning incidents, where they're off telling people to eat glue and rocks," Wilson says. "So it's one thing to say, 'Oh, this is a super-sophisticated organization, they'll get this right,' but Google's been proving over and over and over again that they won't."

Apple's announcement comes as companies are quickly experimenting with ways to integrate GenAI into the workplace to improve productivity and automate traditionally tough-to-automate processes. Bringing the features to mobile devices has happened slowly, but now, Samsung has released its Galaxy AI, Google has announced the Gemini mobile app, and Microsoft has announced Copilot for Windows.

While Copilot for Windows is integrated with many applications, Apple Intelligence appears to go beyond even Microsoft's approach.

**Think Different (About Threats)**

Overall, companies need to first gain visibility into their employees' use of LLMs and other GenAI. While they do not need to go to the extent of billionaire tech innovator Elon Musk, a former investor in OpenAI, who raised concerns that Apple — or OpenAI — would abuse users' data or fail to secure business information and pledged to ban iPhones at his companies, chief information security officers (CISOs) certainly should have a discussion with their mobile device management (MDM) providers, Exabeam's Wilson says.

Right now, controls to regulate data going into and out of Apple Intelligence do not appear to exist and, in the future, may not be accessible to MDM platforms, he says.

"Apple has not historically provided a lot of device management, because they are leaned in on personal use," Wilson says. "So it's been up to third parties for the last 10-plus years to try and build these third-party frameworks that allow you to install controls on the phone, but it's unclear whether they're going to have the hooks into \[Apple Intelligence\] to help control it."

Until more controls come online, enterprises need to set a policy, and to find ways to integrate their existing security controls, authentication systems, and data loss prevention tools with AI, says AppOmni's Thacker.

"Companies should also have clear policies around what types of data and conversations are appropriate to share with AI assistants," he says. "So while Apple's efforts help, enterprises still have work to do to fully integrate these tools securely."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Apple Intelligence Could Introduce Device Security Risks

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Rockwell's dire ICS warning; a red alert on biometrics; cybersecurity for the Hajj season.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   Apple's AI Offering Makes Big Privacy Promises
    
*   Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
    
*   DR Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season
    

*   Why CIO & CISO Collaboration Is Key to Organizational Resilience
    
*   Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks
    
*   4 Ways to Help a Security Culture Thrive
    

Don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, plus execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!

**Apple's AI Offering Makes Big Privacy Promises**

By Agam Shah, Contributing Writer, Dark Reading

Apple's guarantee of privacy on every AI transaction — whether on-device or cloud — is ambitious and could influence trustworthy AI deployments on device and in the cloud, analysts say.

Apple's announcement of Apple Intelligence and plans to integrate AI across its devices and applications comes with a commitment to guarantee privacy on every AI transaction. This sets a high bar on zero-trust infrastructure that competitors may try to match.

Because of Apple's walled garden model, rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

“If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy,'" says Alex Matrosov, CEO of security company Binarly.io. "The next step will be Google following up and trying to maybe implement or do the similar thing."

Read more: Apple's AI Offering Makes Big Privacy Promises

Related: OpenAI Forms Another Safety Committee After Dismantling Prior Team

**Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks**

By Nate Nelson, Contributing Writer, Dark Reading

Face scans stored like passwords inevitably will be compromised, like passwords are. But there's a crucial difference between the two that organizations can rely on when their manufacturers fail.

Biometric security is more popular today than ever, with widespread adoption in the public sector — law enforcement, national ID systems, etc. — as well as for commercial industries like travel and personal computing. In Japan, subway riders can "pay by face," and Singapore's immigration system relies on face scans and thumbprints to allow travelers into the country. The fact that even burger places are experimenting with face scans suggests something's brewing here.

But researchers have found two dozen vulnerabilities in a biometric terminal used in critical facilities worldwide could allow hackers to gain unauthorized access, manipulate the device, deploy malware, and steal biometric data, which highlights the risks that come with implementing these systems.

The critical nature of the environments in which these systems are so often deployed necessitates that organizations go above and beyond to ensure their integrity. And that job takes much more than just patching newly discovered vulnerabilities.

Read more: Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks

Related: Biometric Bypass: BrutePrint Makes Short Work of Fingerprint Security

**Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season**

By Robert Lemos, Contributing Writer, Dark Reading

While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.

The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.

While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyber-threat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from "The Hajj and Pilgrimage Organization in Iran," according to cybersecurity firm Kaspersky.

The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable.

Read more: Governments, Businesses Tighten Cybersecurity Around Hajj Season

Related: 'DuneQuixote' Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?

**The CEO Is Next**

Commentary by Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

We're experiencing a movement toward regulation by enforcement. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. There's also the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was held personally responsible.

But with very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

Read more: The CEO Is Next

Related: White House Fills in Details of National Cybersecurity Strategy

**Why CIO & CISO Collaboration Is Key to Organizational Resilience**

Commentary by Robert Grazioli, Chief Information Officer, Ivanti

Alignment between these domains is quickly becoming a strategic imperative.

Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That's a 14% increase over 2023. But many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. It's time to finally break down the silos between IT and security.

That starts by fostering alignment between the CIO and chief information security officer (CISO).

Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.

Here's how to foster alignment: Why CIO & CISO Collaboration Is Key to Organizational Resilience

Related: CISO & CIO Convergence: Ready or Not, Here It Comes

**Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks**

By Tara Seals, Managing Editor, News, Dark Reading

Critical infrastructure is facing increasingly disruptive threats to physical processes, while thousands of devices are online with weak authentication and riddled with exploitable bugs.

Industrial control systems (ICS) giant Rockwell Automation's recent directive to customers to disconnect their gear from the Internet showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.

CISA is warning that increased threats to could lead to various catastrophic attacks, including denial-of-service (DoS) efforts that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment in order to control it; modifying settings to, say, change safety thresholds for power generators; remotely compromising programmable logic controllers (PLCs) to halt water sector operations; or even conducting destructive Stuxnet-style attacks that can obliterate a site's ability to function permanently.

Yet thousands of devices are exposed online with weak authentication and riddled with exploitable bugs; and there's an endemic lack of security team participation in site design and asset/infrastructure management. All in all, it's not an ideal situation.

Read more: Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks

Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

**4 Ways to Help a Security Culture Thrive**

DR Technology commentary by Ken Deitz, CSO/CISO, Secureworks

Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.

A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your businesses will be safer as a result.

Here are some core pillars for establishing an effective security culture:

1\. Establish the Right Mindset: Focus on the positive actions that people can and should take.

2\. Engage with Empathy: A productive and inclusive security culture is one that shuns blame. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.

3\. Communicate, Communicate, Communicate: When it comes to cybersecurity, there's no such thing as too much communication. People have a lot going on in their jobs and lives. Meet people where they are, and you'll have much better results.

4\. Stay on Your Toes: New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains, but they also need to know the risks.

Read more: 4 Ways to Help a Security Culture Thrive

Related: How to Transform Security Awareness Into Security Culture

CISO Corner: Apple's AI Privacy Promises; CEOs in the Hot Seat

Meta's new subscription model points out the need for clearer and stricter regulations — ones that prioritize consumer privacy and control of personal data.

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY

Meta recently offered its customers in the European Union the choice between paying for privacy or consenting to tracking, a model some people are calling "pay or OK." This sparked an investigation, since privacy in the EU is defined as a consumer right. With the bipartisan federal privacy bill in the US gaining ground to similarly make consumer privacy a right at the federal level, Meta's new model could come under even more fire if the company implements it here.

But what is "pay or OK," and why does it matter? 

**Understanding the Conflict**

Meta's subscription model violates the principle of freely given consent by forcing users to choose one of just two options: paying a fee or consenting to tracking for personalized advertising. It's essentially a false choice, because Meta is making money off users' data one way or another, either through the subscription or by selling their information. Numerous privacy and consumer rights proponents have already criticized the move as an attempt to circumvent the European Union's stringent data protection laws by coercing users to agree to data tracking. 

The new model also allows Meta to sidestep the broad demand from privacy advocates for all such software platforms and services to install opt-out mechanisms. Technically, on Meta's various sites, there is an opt-out mechanism, but this new model manipulates consent dynamics by introducing financial incentives to sway user choices. Users might believe that they are "giving consent," when in reality they can only either financially support the platform or surrender their privacy rights. Ironic, considering that, according to Meta, the whole point of the subscription is supposedly to protect user privacy.

History has already shown how little users can trust Big Tech companies like Meta to protect consumer data. For example, Meta has had several major breaches over the past few years and several lawsuits related to misuse of consumer data. Google and Microsoft have both experienced similar accusations. Naturally, the security and privacy lapses have caused privacy advocates to question: Are these the companies you should be paying to protect your data? The answer for a constantly increasing number of consumers is: No. 

**Steps for Consumer Protection**

The evidence is clear: Big Tech won't protect users' data. Consumers are looking for other ways to defend themselves from data theft, and fortunately, new technologies and privacy developments have started to make this a lot easier. 

For starters: Use privacy-focused browsers. Some examples include Brave, Tor, and Firefox, all of which are known for prioritizing data privacy. These browsers often come with built-in features to block trackers and advertisements, reduce digital fingerprinting, and ensure more secure browsing.

Next are virtual private networks (VPNs). VPNs encrypt Internet traffic, which prevents other third parties, even your Internet service provider, from monitoring users' online activities. A reliable VPN can also mask a user's IP address. Normally, advertisers and other third parties use your IP address to track your activity and create a profile that is unique to that address. A VPN prevents that tracking, which enhances anonymity on the Web. 

Third, users should view and adjust their social media privacy settings on a regular basis. Social media platforms frequently update their policies and settings. Users should review their settings to control who sees their information, which data third parties have access to, and how their information is used for advertising.

Fourth, I suggest users actively manage and regularly delete unnecessary personal data stored online. A simple Internet search will show you that your name, and possibly your address, phone number, and tons of other information, is readily available on data broker websites — thanks to companies like Meta selling them all that data. Look for ways to opt out of these platforms. Consider setting social media accounts to be private or deleting old accounts that are no longer active. 

Finally, stay informed on consumer rights and data protection laws like the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the United States. These laws often grant users the right to access, correct, and delete personal data, along with the right to opt out of companies selling your info. Being informed lets users make educated decisions and take legal action if necessary.

**Final Thoughts**

Privacy regulators may or may not be able to counteract Meta's consent-or-pay ploy. But either way, the new subscription model points out the need for clearer and stricter regulations in the US, ones that prioritize consumer privacy and control of personal data rather than forcing users to choose between shelling out or giving up. Until then, consumers need to be aware of the privacy technologies, opt-out mechanisms, and choices that are readily available today.

**About the Author(s)**

CEO, Abine/DeleteMe

Rob Shavell is CEO of Abine/DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).

Why Trading Privacy for 'Free' Web Services Must End

Microsoft on Thursday revealed that it's delaying the rollout of the controversial artificial intelligence (AI)-powered Recall feature for Copilot+ PCs.
To that end, the company said it intends to shift from general availability to a preview available first in the Windows Insider Program (WIP) in the coming weeks.
"We are adjusting the release model for Recall to leverage the expertise of the

Microsoft Delays AI-Powered Recall Feature for Copilot+ PCs Amid Security Concerns

Apple's guarantee of privacy on every AI transaction could influence trustworthy AI deployments.

Source: OleCNX via Alamy Stock Photo

Apple has long styled itself as the company that cares about privacy, and it continues to tout its privacy bona fides with Apple Intelligence.

At this week's Worldwide Developer Conference, the company announced Apple Intelligence, its secure AI system, and plans to integrate AI across its devices and applications. The AI features will be used to upgrade personal assistant features in Apple devices and provide assistance with writing and image manipulation.

While a lightweight AI model runs locally on Apple devices, more complex queries will go to the cloud. Apple will assess the complexity and computing power required by an AI query and decide whether to process it on device or send it to the cloud. Data won’t leave the device if it is processed on device, and layers of security protect the information sent to the cloud.

Within this secure AI system, user data is not visible to anyone, even Apple, and is deleted once a query is answered, the company said.

"Your data is never stored or made accessible to Apple. It's used exclusively to fulfill your request," said Craig Federighi, senior vice president of software engineering at Apple, during a WWDC keynote.

**Trusted AI Deployments?**

Apple's guarantee of privacy on every AI transaction — whether on-device or in the cloud — is ambitious and could influence trustworthy AI deployments.

Apple's hardware and software implementation to guarantee privacy on every AI transaction sets a high bar on zero-trust infrastructure that competitors may try to match, says James Sanders, an analyst at chip research firm TechInsights.

Sanders notes there is a "growing trust problem" with LLMs, especially as top AI providers collect information from users to train large-language models or improve services. Google collects user data from across its vast portfolio of products to boost its capabilities. It also includes human reviewers to evaluate answers with the ultimate goal to improve its Gemini AI service.

Apple did not announce its own AI infrastructure and instead will be integrating with OpenAI. Apple left open the possibility of working with others as well. Users will be prompted to agree to send user data to OpenAI.

"I do wonder to what extent this is going to put pressure on Microsoft to adopt a similar method," Sanders says.

**Building an AI Walled Garden**

As part of its investments, the company has built a trustworthy cloud infrastructure called Private Compute Cloud with new servers and chips to handle AI queries that demand more computing power. Apple's secure boot and secure enclaves protect data.

"These models run on servers … specially created using Apple silicon. These Apple silicon servers offer the privacy and security of your iPhone from the silicon on up," Apple’s Federighi said.

Private data can be easily stolen en route or from the cloud, but Apple is using the latest hardware and software techniques to protect the data, said Matthew Green, associate professor at Johns Hopkin’s computer science department. Apple devices generate encryption keys, which authenticates devices and cloud connections. The request is then sent to a secure enclave on Apple's servers, where the requests are processed.

Apple is also taking a serverless approach in which data is deleted once the answer is sent back. New keys are generated each time a system reboots. The operating system also has an attestation system to verify users and software images.

"Specifically, it signs a hash of the software and shares this with every phone/client. If you trust this infrastructure, you'll know it's running a specific piece of software," Green said.

Apple controls nearly every major piece of software and hardware in its infrastructure, which makes it easier for them to build a strong privacy wall around its AI service, said Alex Matrosov, CEO of security company Binarly.io.

“I really liked how they frame all the requirements and specifically use their own silicon. Once they control everything, they can guarantee the chain of trust from the silicon to the cloud,” Matrosov said.

Rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers, Matrosov says. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

"If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy.' The next step will be Google following up and trying to maybe implement or do the similar thing," Matrosov said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Apple's AI Offering Makes Big Privacy Promises

The recently identified threat actor uses public registries for distribution and has expanded capabilities to disrupt the software supply chain.

Source: Igor Stevanovic via Alamy Stock Photo

A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it's differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.

Moonstone Sleet first appeared on the scene late last month, when Microsoft revealed that the threat group concurrently was engaged in espionage and financial cyberattacks using a grab bag of attack techniques against aerospace, education, and software organizations and developers.

Among those techniques was to try to get hired for remote tech jobs with real companies and, in the process, spread malicious npm packages on LinkedIn and freelancer websites. Now researchers from CheckMarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13.

The actor is "placing those malicious packages in public open source package repositories that are accessible to developers," an activity that allows the actor to expand its attack surface, Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.

"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow CheckMarx researcher Yehuda Gelb wrote in the post.

The researchers cite the multiyear supply chain attack that started with a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.

**Differentiation From Lazarus Activity**

CheckMarx also discovered how Moonstone Sleet is setting itself apart through the structure and the style of its malicious code packages from another well-known and prolific North Korean actor — Jade Sleet, better known as Lazarus — that engages in similar activity.

The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using "a single-package approach" that executes its payload immediately upon installation, the researchers wrote.

Further, while earlier malicious payloads "included OS-specific code, executing only if it detected that it was running on a Windows machine," packages released earlier this year show the actor adding obfuscation and creating code to target Linux systems if that OS is detected by the package, the researchers revealed.

In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.

The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.

**Evolving Threat to Open Source Ecosystem**

The tactic of publishing malicious npm packages by North Korean threat actors in general "underscores the persistent nature of their campaign" and poses a growing risk for the open source community that depends on public registries for software development.

"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.

However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to "scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.

Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Moonstone Sleet Widens Distribution of Malicious Code

A botnet is a network of computers or other internet-connected devices that are infected by malware and controlled by a single threat actor or group.

Thursday, June 13, 2024 14:00

As I covered in last week’s newsletter, law enforcement agencies from around the globe have been touting recent botnet disruptions affecting the likes of some of the largest threat actors and malware families.  

Operation Endgame, which Europol touted as the “largest ever operation against botnets,” targeted malware droppers including the IcedID banking trojan, Trickbot ransomware, the Smokeloader malware loader, and more.  

A separate disruption campaign targeted a botnet called “911 S5,” which the FBI said was used to “commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.” 

But with these types of announcements, I think there can be confusion about what a botnet disruption means, exactly. As we’ve written about before in the case of the LockBit ransomware, botnet and server disruptions can certainly cause headaches for threat actors, but usually are not a complete shutdown of their operations, forcing them to go offline forever.  

I’m not saying that Operation Endgame and the 911 S5 disruption aren’t huge wins for defenders, but I do think it’s important to separate botnets from the malware and threat actors themselves.  

For the uninitiated, a botnet is a network of computers or other internet-connected devices that are infected by malware and controlled by a single threat actor or group. Larger botnets are often used to send spam emails in large volumes or carry out distributed denial-of-service attacks by using a mountain of IP addresses to send traffic to a specific target all in a short period. Smaller botnets might be used in targeted network intrusions, or financially motivated botnet controllers might be looking to steal money from targets. 

When law enforcement agencies remove devices from these botnets, it does disrupt actors’ abilities to carry out these actions, but it’s not necessarily the end of the final payload these actors usually use, such as ransomware.  

When discussing this topic in relation to the Volt Typhoon APT, Kendall McKay from our threat intelligence team told me in the latest episode of Talos Takes that botnets should be viewed as separate entity from a malware family or APT. In the case of Volt Typhoon, the FBI said earlier this year it had disrupted the Chinese APT’s botnet, though McKay said “we’re not sure yet” if this has had any tangible effects on their operations. 

With past major botnet disruptions like Emotet and other Trickbot efforts, she also said that “eventually, those threats re-emerge, and the infected devices re-propagate \[because\] they have worm-like capabilities.” 

So, the next time you see headlines about a botnet disruption, know that yes, this is good news, but it’s also not time to start thinking the affected malware is gone forever.  

**The one big thing **

This week, Cisco Talos disclosed a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” Talos attributes this operation with high confidence to a Pakistani nexus of threat actors we’re calling “Cosmic Leopard,” focused on espionage and surveillance of their targets.  

**Why do I care? **

While this operation has been active for at least the past six years, Talos has observed a general uptick in the threat landscape in recent years, with respect to the use of mobile malware for espionage to target high-value targets, including the use of commercial spyware. There are two ways that this attacker commonly targets users to be on the lookout for: One is spearphishing emails that look like they’re referencing legitimate government-related documents and issues, and the other is social media-based phishing. Always be vigilant about anyone reaching out to you via direct messages on platforms like Twitter and LinkedIn.  

**So now what? **

Adversaries like Cosmic Leopard may use low-sophistication techniques such as social engineering and spear phishing, but will aggressively target potential victims with various TTPs. Therefore, organizations must remain vigilant against such motivated adversaries conducting targeted attacks by educating users on proper cyber hygiene and implementing defense in depth models to protect against such attacks across various attack surfaces. 

**Top security headlines of the week **

**Microsoft announced changes to its Recall AI service after privacy advocates and security engineers warned about the potential privacy dangers of such a feature.** The Recall tool in Windows 11 takes continuous screenshots of users’ activity which can then be queried by the user to do things like locate files or remember the last thing they were working on. However, all that data collected by Recall is stored locally on the device, potentially opening the door to data theft if a machine were to be compromised. Now, Recall will be opt-in only, meaning it’ll be turned off by default for users when it launches in an update to Windows 11. The feature will also be tied to the Windows Hello authentication protocol, meaning anyone who wants to look at their timeline needs to log in with face or fingerprint ID, or a unique PIN. After Recall’s announcement, security researcher Kevin Beaumont discovered that the AI-powered feature stored data in a database in plain text. That could have made it easy for threat actors to create tools to extract the database and its contents. Now, Microsoft has also made it so that these screenshots and the search index database are encrypted, and are only decrypted if the user authenticates. (The Verge, CNET) 

**A data breach affecting cloud storage provider Snowflake has the potential to be one of the largest security events ever** if the alleged number of affected users is accurate. Security researchers helping to address the attack targeting Snowflake said this week that financially motivated cybercriminals have stolen “a significant volume of data” from hundreds of customers. As many as 165 companies that use Snowflake could be affected, which is notable because Snowflake is generally used to store massive volumes of data on its servers. Breaches affecting Ticketmaster, Santander bank and Lending Tree have already been linked to the Snowflake incident. Incident responders working on the breach wrote this week that the attackers used stolen credentials to access customers’ Snowflake instances and steal valuable data. The activity dates back to at least April 14. Reporters at online news outlet TechCrunch also found that hundreds of Snowflake customer credentials were available on the dark web, after malware infected Snowflake staffers’ computers. The list poses an ongoing risk to any Snowflake users who had not changed their passwords as of the first disclosure of this breach or are not protected by multi-factor authentication. (TechCrunch, Wired) 

**Recovery of a cyber attack affecting several large hospitals in London could take several months to resolve, according to an official with the U.K.’s National Health Service.** The affected hospitals and general practitioners’ offices serve a combined 2 million patients. A recent cyber attack targeting a private firm called Synnovis that analyzes blood tests has forced these offices to reschedule appointments and cancel crucial surgeries. “It is unclear how long it will take for the services to get back to normal, but it is likely to take many months,” the NHS official told The Guardian newspaper. Britain also had to put out a call for volunteers to donate type O blood as soon as possible, as the attack has made it more difficult for health care facilities to match patients’ blood types at the same frequency as usual. Type O blood is generally known to be safe for all patients and is commonly used in major surgeries. (BBC, The Guardian) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #186: A mid-year checkin on Volt Typhoon 
*   LilacSquid APT Employs Open Source Tools, QuasarRAT 
*   Cisco Finds 15 Vulnerabilities in AutomationDirect PLCs 

**Upcoming events where you can find Talos **

**_Cisco Connect U.K._** **_(June 25)_**

_London, England_

> _In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe._

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 2d1a07754e76c65d324ab8e538fa74e5d5eb587acb260f9e56afbcf4f4848be5   
**MD5:** d3ee270a07df8e87246305187d471f68   
**Typical Filename:** iptray.exe   
**Claimed Product:** Cisco AMP   
**Detection Name:** Generic.XMRIGMiner.A.A13F9FCC

**SHA 256:** 9b2ebc5d554b33cb661f979db5b9f99d4a2f967639d73653f667370800ee105e   
**MD5:** ecbfdbb42cb98a597ef81abea193ac8f   
**Typical Filename:** N/A   
**Claimed Product:** MAPIToolkitConsole.exe   
**Detection Name:** Gen:Variant.Barys.460270 

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201

Tag

#microsoft