A North Korean advanced persistent threat (APT) actor (aka Gleaming Pisces) tried to sneak simple backdoors into public software packages.

Source: Chronicle via Alamy Stock Photo

One of North Korea's most sophisticated threat groups has been hiding remote access malware for macOS and Linux inside of open source Python packages.

North Korean advanced persistent threats (APTs) have become notorious for certain characteristic types of cyberattack in recent years. There's the cryptocurrency scam, which can come in many forms — often a fake trading platform, where victims are lured into divulging their wallet information or downloading malware. Supply chain attacks are common, particularly via poisoned packages typosquatting on public repositories. An impish recent trend involves contracting actual, honest labor to Western companies under false pretenses, then sending the salaries earned back to Kim's state. The reverse — agents posing as tech recruiters, convincing developers to download malware — is also common.

The group, which Palo Alto's Unit 42 tracks as Gleaming Pisces (and Microsoft as Citrine Sleet), seems to have supplemented category one with category two. Active since 2018, the financially motivated, DPRK Reconnaissance General Bureau (RGB)-linked group is known for attacks weaponizing fake crypto platforms. Unit 42 now assesses with medium confidence that it was responsible for uploading a handful of malicious packages to the Python Package Index (PyPI) back in February. The packages have since been taken down.

**DPRK-Poisoned PyPI Packages**

Most packages uploaded to open source repositories are simple by nature. As Louis Lang, co-founder and chief technology officer (CTO) at Phylum recalls, "What was interesting about these packages was that there was a higher order of complexity than you typically find among benign packages."

Phylum had identified four packages worth taking a second look at: real-ids, minisound, coloredtxt, and beautifultext. The innocuous names seemed to allude to legitimate functionality, like syntax highlighting for terminal outputs.

In reality, the packages contained malicious code that would be decoded and executed upon download. The code would then run bash commands in order to retrieve and download a remote access Trojan (RAT) called "PondRAT."

PondRAT is an entirely simple backdoor, capable of just a few functions: uploading and downloading files, checking to see that an implant is active or instructing it to sleep, and executing commands issued by the operator. It is, in essence, a "light" version of PoolRAT. PoolRAT is a known Gleaming Pisces backdoor for macOS that has a half dozen more standard capabilities than its successor, like listing directories, deleting files, etc.

**No Need for Windows**

More notable than the malware itself may be the fact that its authors wrote it only for macOS and Linux systems.

Forgoing hackers' long preferred Windows operating system makes sense, though, when one considers Gleaming Pisces' typical audience. As Lang explains, "They're targeting the actual builders, CI/CD infrastructure, developer workstations — environments that are overwhelmingly going to be Linux or macOS based. Very few people are doing development on straight Windows. So if you are targeting developers, it makes sense to ship variants for these systems, because that's where your target population lives."

Developers, then, need to be alert to phishing attacks, like those fake crypto platforms and job recruitment scams. Because while it's rare that anyone might pull an unpopular, ultra-generic package from PyPI, it's entirely likely that that same package could be quietly integrated into a broader infection chain.

"If you add a package, it could have downstream impacts, where you're actually pulling in 30, 40 other packages it may \[be connected to\]. So if I was a developer, I'd be very cognizant of what I'm installing, and try to minimize the attack surface by minimizing the number packages I'm pulling in. And then, obviously, scan the packages — look for these zombies, look for high-entropy strings, look for code obfuscation," Lang suggests.

"Like we always say," he adds, "you're one update away from malware."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Citrine Sleet Poisons PyPI Packages With Mac &amp; Linux Malware

Critical-rated CVE-2024-20017 allows remote code execution (RCE) on a range of phones and Wi-Fi access points from a variety of OEMs.

Source: Ros Drinkwater via Alamy Stock Photo

A nearly max-critical zero-click vulnerability is impacting MediaTek Wi-Fi chipsets and driver bundles used in routers and smartphones from various manufacturers, including Ubiquiti, Xiaomi, and Netgear.

According to SonicWall Capture Labs researchers who found the issue (CVE-2024-20017, CVSS 9.8), exploitation would open the door to remote code execution (RCE) without user interaction, making the bug a conduit for easy device takeover. Making matters worse, a public proof-of-concept exploit (PoC) recently became available, they warned.

The issue affects MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02, and affected users should apply the available MediaTek patches as soon as possible.

In terms of the technical details, the vulnerability is an out-of-bounds write issue that resides in wappd, a network daemon responsible for configuring and managing wireless interfaces and access points.

"The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device's wireless interfaces, and communication channels between components via Unix domain sockets," the researchers explained in a blog post on the issue this week. "Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy."

**About the Author**

Zero-Click MediaTek Bug Opens Phones, Wi-Fi to Takeover

The company announced an update to its privacy policy, acknowledging it is using customer data to train its AI models.

Source: Chris Batson via Alamy Stock Photo

Professional social networking site LinkedIn allegedly used data from its users to train its artificial intelligence (AI) models, without alerting users it was doing so.

According to reports this week, LinkedIn hadn't refreshed its privacy policy to reflect the fact that it was harvesting user data for AI training purposes.

Blake Lawit, LinkedIn's senior vice president and general counsel, then posted on the company’s official blog that same day to announce that the company had corrected the oversight.

The updated policy, which includes a revised FAQ, confirms that contributions are automatically collected for AI training. According to the FAQ, LinkedIn's GenAI features could use personal data to make suggestions when posting.

**LinkedIn's AI Data-Gathering Is Automatic**

"When it comes to using members' data for generative AI training, we offer an opt-out setting," the LinkedIn post read. "Opting out means that LinkedIn and its affiliates won't use your personal data or content on LinkedIn to train models going forward, but does not affect training that has already taken place."

Shiva Nathan, founder and CEO of Onymos, expressed deep concern about LinkedIn's use of prior user data to train its AI models without clear consent or updates to its terms of service.

Related:Dark Reading Confidential: The CISO and the SEC

"Millions of LinkedIn users have been opted in by default, allowing their personal information to fuel AI systems," he said. "Why does this matter? Your data is personal and private. It fuels AI, but that shouldn’t come at the cost of your consent. When companies take liberties with our data, it creates a massive trust gap."

Nathan added this is not just happening with LinkedIn, pointing out many technologies and software services that individuals and enterprises use today are doing the same.

"We need to change the way we think about data collection and its use for activities like AI model training," he said. "We should not require our users or customers to give up their data in exchange for services or features, as this puts both them and us at risk."

LinkedIn did explain that users can review and delete their personal data from past sessions using the platform's data access tool, depending on the AI-powered feature involved.

**LinkedIn Faces Tricky Waters**

The US has no federal laws in place to govern data collection for AI use, and only a few states have passed laws on how users' privacy choices should be respected via opt-out mechanisms. But in other parts of the world, LinkedIn has had to put its GenAI training on ice.

Related:An AI-Driven Approach to Risk-Scoring Systems in Cybersecurity

"At this time, we are not enabling training for generative AI on member data from the European Economic Area, Switzerland, and the United Kingdom," the FAQ states, confirming that it has stopped the data collection in those geos.

Tarun Gangwani, principal product manager, DataGrail, says the recently enacted EU AI Act has provisions within the policy that require companies that trade in user-generated content be transparent about their use of it in AI modeling.

"The need for explicit permission for AI use on user data continues the EU's general stance on protecting the rights of citizens by requiring explicit opt-in consent to the use of tracking," Gangwani explains.

And indeed, the EU in particular has shown itself to be vigilant when it comes to privacy violations. Last year, LinkedIn parent company Microsoft had to pay out $425 million in fines for GDPR violations, while Facebook parent company Meta was slapped with a $275 million fine in 2022 for violating Europe's data privacy rules.

The UK's Information Commissioners Office (ICO) meanwhile released a statement today welcoming LinkedIn's confirmation that it has suspended such model training pending further engagement with the ICO.

"In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset," ICO's executive director, regulatory risk, Stephen Almond said in a statement. "We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its UK users."

Related:How Shifts in Cyber Insurance Are Affecting the Security Landscape

Regardless of geography, it's worth noting that businesses have been warned against using customer data for the purposes of training GenAI models in the past. In August 2023, communications platform Zoom abandoned plans to use customer content for AI training after customers voiced concerns over how that data could be used. And in July, smart exercise bike startup Peloton was slapped with a lawsuit alleging the company improperly scraped data gathered from customer service chats to train AI models.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

LinkedIn Addresses User Data Collection for AI Training

The lack of abundant data on AI-enabled attacks in official reports shouldn't prevent us from preparing for and mitigating potential future threats.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

The Verizon "Data Breach Investigations Report" (DBIR) is a highly credible annual report that provides valuable insights into data breaches and cyber threats, based on analysis of real-world incidents. Professionals in cybersecurity rely on this report to help inform security strategies based on trends in the evolving threat landscape. However, the 2024 DBIR has raised some interesting questions, particularly regarding the role of generative AI in cyberattacks.

**The DBIR Stance on Generative AI**

The authors of the latest DBIR state that researchers "kept an eye out for any indications of the use of the emerging field of generative artificial intelligence (GenAI) in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally."

While I have no doubt this statement is accurate based on Verizon's specific data collection methods, it is in stark contrast to what we are seeing in the field. The main caveat to Verizon's blanket statement on GenAI is in the 2024 DBIR appendix, where there is a mention of a Secret Service investigation that demonstrated GenAI as a "critically enabling technology" for attackers who didn't speak English.

However, at SlashNext, we've observed that the real impact of GenAI on cyberattacks extends well beyond this one use case. Below are six different use cases that we have seen "in the wild."

**Six Use Cases of Generative AI in Cybercrime****1\. AI-Enhanced Phishing Emails**

Threat researchers have observed cybercriminals sharing guides on how to use GenAI and translation tools to improve the efficacy of phishing emails. In these forums, hackers suggest using ChatGPT to generate professional-sounding emails and provide tips for non-native speakers to create more convincing messages. Phishing is already one of the most prolific attack types and, even according to Verizon's DBIR, it takes only, on average, 21 seconds for a user to click on a malicious link in a phishing email once the email is opened, and only another 28 seconds for the user to give away their data. Attackers leveraging GenAI to craft phishing emails only makes these attacks more convincing and effective.

**2\. AI-Assisted Malware Generation**

Attackers are exploring the use of AI to develop malware, such as keyloggers that can operate undetected in the background. They are asking WormGPT, an AI-based large language model (LLM), to help them create a keylogger using Python as a coding language. This demonstrates how cybercriminals are leveraging AI tools to streamline and enhance their malicious activities. By using AI to assist in coding, attackers can potentially create more sophisticated and harder-to-detect malware.

**3\. AI-Generated Scam Websites**

Cybercriminals are using neural networks to create a series of scam webpages, or "turnkey doorways," designed to redirect unsuspecting victims to fraudulent websites. These AI-generated pages often mimic legitimate sites but contain hidden malicious elements. By leveraging neural networks, attackers can rapidly produce large numbers of convincing fake pages, each slightly different to evade detection. This automated approach allows cybercriminals to cast a wider net, potentially ensnaring more victims in their phishing schemes.

**4\. Deepfakes for Account Verification Bypass**

SlashNext threat researchers have observed vendors on the Dark Web offering services that create deepfakes to bypass account verification processes for banks and cryptocurrency exchanges. These are used to circumvent "know your customer" (KYC) guidelines. This alarming trend shows how AI-generated deepfakes are evolving beyond social engineering and misinformation campaigns into tools for financial fraud. Criminals are using advanced AI to create realistic video and audio impersonations, fooling security systems that rely on biometric verification. 

**5\. AI-Powered Voice Spoofing**

Cybercriminals are sharing information on how to use AI to spoof and clone voices for use in various cybercrimes. This emerging threat leverages advanced machine-learning algorithms to recreate human voices with startling accuracy. Attackers can potentially use these AI-generated voice clones to impersonate executives, family members, or authority figures in social engineering attacks. For instance, they might make fraudulent phone calls to authorize fund transfers, bypass voice-based security systems, or manipulate victims into revealing sensitive information. 

**6\. AI-Enhanced One-Time Password Bots**

AI is being integrated into one-time password (OTP) bots to create templates for voice phishing. These sophisticated tools include features like custom voices, spoofed caller IDs, and interactive voice response systems. The custom voice feature allows criminals to mimic trusted entities or even specific individuals, while spoofed caller IDs lend further credibility to the scam. The interactive voice response systems add an extra layer of realism, making the fake calls nearly indistinguishable from legitimate ones. This AI-powered approach not only increases the success rate of phishing attempts but also makes it more challenging for security systems and individuals to detect and prevent such attacks.

While I agree with the DBIR that there is a lot of hype surrounding AI in cybersecurity, it's crucial not to dismiss the potential impact of generative AI on the threat landscape. The anecdotal evidence presented above demonstrates that cybercriminals are actively exploring and implementing AI-powered attack methods.

**Looking Ahead**

Organizations must take a proactive stance on AI in cybersecurity. Even if the volume of AI-enabled attacks is currently low in official datasets, our anecdotal evidence suggests that the threat is real and growing. Moving forward, it's essential to do the following:

*   Stay informed about the latest developments in AI and cybersecurity
    
*   Invest in AI-powered security solutions that can demonstrate clear benefits
    
*   Continuously evaluate and improve security processes to address evolving threats
    
*   Be vigilant about emerging attack vectors that leverage AI technologies
    

While we respect the findings of the DBIR, we believe that the lack of abundant data on AI-enabled attacks in official reports shouldn't prevent us from preparing for and mitigating potential future threats — particularly since GenAI technologies have become widely available only within the past two years. The anecdotal evidence we've presented underscores the need for continued vigilance and proactive measures.

**About the Author**

Field CTO, SlashNext

J. Stephen Kowski is an experienced global technical leader with a demonstrated history in the cybersecurity, design, engineering, information technology, and manufacturing industries. In his current role as field chief technology officer (CTO) of SlashNext, he provides sales enablement for internal and external partners, and he represents the “Voice of the Customer” to senior leadership and product and engineering teams. Stephen has a background in information technology, Web development, engineering, robotics, sales, and software development. He is a graduate of the Stetson University College of Law, the University of South Carolina College of Engineering and Computing, and the University of South Florida College of Engineering. When he isn’t helping companies fight threat actors, he helps run two high school K-12 education charities focused on getting kids excited about STEM career pathways through the vehicle of competitive robotics in his community, and was one of the charities' original founders 20 years ago.

GenAI in Cybersecurity: Insights Beyond the Verizon DBIR

How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.

Dr. Sean Costigan, Managing Director, Resilience Strategy, Red Sift

September 20, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

With heightened geopolitical tensions, a surge in cyberattacks on US and allied organizations by a North Korean cyber-espionage group is hardly unexpected. What is disquieting, however, is that an advanced persistent threat (APT) group known as Kimsuky has seen remarkable success by turning a defensive strength into a weakness — exploiting poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to carry out spear-phishing campaigns to secure advantage.

A May 2 advisory from the FBI, the National Security Agency (NSA), and the US State Department stated that Kimsuky, acting as an arm of North Korea's Reconnaissance General Bureau (RGB), has been sending spoofed emails to individuals in high-profile think tanks, media outlets, nonprofits, academia, and other organizations. The emails are part of an intelligence campaign to troll for information on geopolitics and foreign policy plans, particularly related to nuclear policies, sanctions, and other sensitive concerns involving the Korean peninsula.    

With sanctions biting, North Korea has developed a formidable cybercrime capability to generate liquidity for the regime. However, in this case, we see Kimsuky threat actors alter their focus to intelligence operations, targeting troves of information held by trusted parties and prominent organizations. Although the ongoing campaign has complex geopolitical implications, effectively defending against these attacks fundamentally relies on robust, actionable, and properly executed cyber-hygiene practices.

Related:Singapore Arrests 6 Suspected Members of African Cybercrime Group

**DMARC Misconfigurations Are Too Common**

Kimsuky is using trusted networks with improperly configured or missing DMARC to spoof legitimate domains and impersonate trusted personalities and organizations. The DMARC protocol was created to stop the compromise of user accounts and hinder the very types of social engineering at work here.

This is how it's supposed to work: DMARC allows email recipients to verify an email's origin through the Domain Name System (DNS), ensuring that threat actors cannot spoof legitimate domains. DMARC checks the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records for an incoming email and, if it does not appear to be legitimate, tells the receiving email server what to do next.

But as Kimsuky's attacks have shown, that only works if DMARC services are properly configured. As the IC3 advisories detail, misconfigurations are far too common or policies are poorly defined by the domain owners. For some organizations, self-managing DMARC may seem cost-effective, but it can also lead to significant oversights, including increasing vulnerabilities, failing to pay heed to evolving threats, missing sound compliance reporting, and creating a false sense of security.  

Related:Indian Army Propaganda Spread by 1.4K AI-Powered Social Media Accounts

**What North Korea's Attack Looks Like**

Kimsuky's spear-phishing campaigns may begin with an innocuous email from a seemingly credible source, building trust before sending a subsequent email with a malicious link or attachment. The group then uses successful compromises to escalate attacks with more credible spear-phishing emails aimed at higher-value targets.

The group focuses its intelligence-gathering activities against South Korea, Japan, and the United States, targeting individuals identified as experts in various fields. According to a subsequent advisory from the Cybersecurity and Infrastructure Security Agency (CISA), think tanks and South Korean government entities have also been targeted.  

One real-world example from the FBI-NSA advisory had a subject line reading: "\[Invitation\] US Policy Toward North Korea Conference." The message, seemingly from a known university, begins: "I hope you and your family are enjoying a lovely holiday and a restful season. It is my privilege to invite you to provide a keynote address for a private workshop, hosted by the \[legitimate think tank\] to discuss the U.S. policy toward North Korea." As further inducement, the email also offers a $500 speaker's fee.

Related:Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Another email had the subject line "Questions about N. Korea," with the writer posing as a journalist from a legitimate media outlet and requesting an interview, followed by a broad outline of North Korea's nuclear activities.

In the university example, the email received a "pass" from SPF and DKIM checks, suggesting the attacker gained access to the university's legitimate email client. And although DMARC returned a "fail" because the sender's email domain differed from SPF and DKIM records for the legitimate source, the organization's DMARC policy was not set to take filtering action, so the message was delivered. In the second case, no DMARC policy was present, allowing the attacker to spoof the journalist's name and the news organization's email domain.

**Why DMARC Matters**

The US government's advisories offer compelling reasons for organizations to secure their digital estates. Kimsuky is not alone among APTs nor, more broadly, cybercriminals who work for profit: Lessons are shared and all are becoming increasingly savvy at targeting misconfigurations and weaknesses.

Securing and properly configuring DMARC is key since it improves organizational cyber hygiene and broadly protects against ubiquitous threats like business email compromise and ransomware email attacks.

Notably, industry or regulatory requirements may already make DMARC a requirement for your organization. As of February 2024, Google and Yahoo have required DMARC for organizations sending large volumes of email, and Microsoft is reportedly planning to follow suit. Additionally, the PCI DSS 4.0 requires implementation of DMARC. According to BIMI Radar, since the FBI's May 2 advisory, DMARC adoption globally has grown from 3.74 million organizations to 5.71 million organizations, as of June 17. 

There's a business imperative at work as well. Organizations must prioritize cyber hygiene to safeguard their digital assets, prevent data breaches, and protect against evolving cybersecurity threats. DMARC should be part of your organization's cyber posture. When properly managed, not only does it ensure better deliverability, provide protection against phishing and business email compromise (BEC), and enable the deployment of Brand Indicators for Message Identification (BIMI), but it can help close doors against nation-state espionage and cybercrime.

**About the Author**

Managing Director, Resilience Strategy, Red Sift

Sean Costigan is an expert in emerging security challenges and a highly sought-after speaker on technology and national security. He is the lead for NATO’s cybersecurity curriculum and is widely published on national security matters relating to information security and hybrid threats. He is also a Professor at the George C. Marshall Center, where he educates on global cybersecurity, hybrid warfare, crime, and national security.

North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks

Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

PRESS RELEASE

AUSTIN, Texas and Fal.Con 2024, Las Vegas – September 16, 2024 — CrowdStrike (NASDAQ: CRWD) today announced the launch of its second annual Cybersecurity Startup Accelerator with Amazon Web Services (AWS). NVIDIA also joins in supporting the Accelerator program, powering the next generation of artificial intelligence (AI) and cloud security startups. Targeting cybersecurity’s next market-defining disruptors across the U.S. and EMEA, AWS and CrowdStrike with NVIDIA through its Inception program, will provide mentorship, technical expertise, funding and go-to-market opportunities.  
Applications for the AWS and CrowdStrike Cybersecurity Startup Accelerator with NVIDIA are open from September 16, 2024 to January 10, 2025. Selected startups will be enrolled in a free eight-week program developed by AWS, CrowdStrike and NVIDIA that offers mentorship and guidance from industry experts and executives. Startups will also have access to top-tier global cybersecurity investors, enablement sessions, and up to $25,000 in AWS Activate credits, among other exclusive benefits.

At the end of the program, participants can present their innovations at an in-person Demo Day at the AWS Startup Loft in San Francisco, which will take place during the RSA Conference in April 2025. Winning presentations may be eligible to receive funding from the CrowdStrike Falcon® Fund. 

“CrowdStrike and AWS created the Cybersecurity Startup Accelerator as a formative, value creation experience for innovative startups to learn, create and grow. Since participating in the Accelerator, last year’s cohort participants raised over $150 million from leading global VCs,” said Daniel Bernard, chief business officer, CrowdStrike. “We’re proud to welcome NVIDIA as a supporter of the Accelerator program – bringing together market-leading cybersecurity, cloud and AI expertise to cultivate tomorrow’s great innovators.”

“For startups seeking to tackle the most pressing security challenges, the Cybersecurity Startup Accelerator provides the AI technologies, accelerated computing resources and technical expertise they need,” said Bartley Richardson, director of cybersecurity engineering at NVIDIA.

To apply, visit this website. Startups are encouraged to review the terms and conditions here.

You May Also Like

CrowdStrike Expands Cybersecurity Startup Accelerator With AWS and NVIDIA

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

Company urges organizations using self-hosting GitLab instances to apply updates for CVE-2024-45409 as soon as possible.

Source: T. Schneider via Shutterstock

Organizations with self-hosted GitLab instances configured for SAML-based authentication might want to update immediately to new versions of the DevOps platform that the company released this week.

The update addresses a maximum severity bug in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to bypass authentication checks and log in as an arbitrary user in an affected system. Depending on the level of access, an attacker could then steal leak or modify source code, inject malicious code into production systems, steal secrets and sensitive data, and execute a variety of other malicious actions.

**Maximum Severity Threat**

The bug, identified as CVE-2024-45409, has a severity score of 10.0, which is as critical as it gets on the CVSS rating scale. The bug has garnered the rating because of its high impact and also because exploiting it involves low-attack complexity, no special privileges, and no user interaction.

CVE-2024-45409 affects both GitLab Dedicated, the fully managed cloud-hosted version, and also self-managed instances of GitLab. The company already has updated all instances of GitLab Dedicated and says that customers of the managed version are already protected against the vulnerability. However, those running self-managed GitLab installations must patch now, the vendor advised. "We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible."

GitLab has recommended that organizations enable two-factor authentication for all user accounts for self-managed GitLab installations to mitigate against exploits targeting CVE-2024-45409. "Enabling identity provider multifactor authentication does not mitigate this vulnerability," GitLab cautioned. The company also recommends that organizations not allow the SAML two-factor bypass option in GitLab. In addition, GitLab's advisory provides detailed guidance on how to hunt for and detect signs of exploit activity tied to the flaw.

CVE-2024-45409 is present in versions 12.2 and older and versions 1.13.0 to 1.16.0 of Ruby SAML, a library which is a part of GitLab's SAML-based authentication feature. Ruby SAML is what allows organizations to authenticate users to GitLab via external identity providers.

**Improper Signature Verification**

The National Vulnerability Database's description of the flaw shows that affected Ruby SAML versions either aren't verifying or are incorrectly verifying the cryptographic signature in a SAML response. This allows an attacker with access to any signed SAML document from an identity provider to forge a SAML response. "This would allow the attacker to log in as \[an\] arbitrary user within the vulnerable system," the NVD said.

In its advisory, GitLab said that in order to craft a successful exploit for the flaw, an attacker would need to find a way to craft SAML assertions that are identical to those from an organization's legitimate identity provider. This would involve having the information needed to accurately replicate key fields like username, role, identity, and privileges.

"When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login," GitLab said. "These include both the key and value fields that you specify at your \[identity provider\] and may be unknown to unauthorized individuals — especially if you have customized these attributes."

**Particularly Troubling on Dev Platforms**

Researchers consider vulnerabilities in DevOps platforms like GitHub to be particularly troublesome because of the opportunities they provide attackers to compromise application development environments in multiple ways.

"The ability to bypass authentication checks is a huge threat, as it gives attackers the window of opportunity to easily enter development environments and cause tremendous damage — all without triggering any alerts," says Katie Teitler-Santullo, cybersecurity strategist at OX Security. "Presumably, and hopefully, organizations are using strong authentication — MFA least privilege, and zero-trust principles — to ensure that all access is fully authorized."

Jeff Williams, founder and CTO at Contrast Security, stresses the importance of addressing authentication bypass flaws. "In this case, a forged SAML assertion can be created to log on as any user and take any actions that a user can do," he says. "This might include tampering with pipelines, embedding malicious code in software products, stealing intellectual property, installing malware, or just about any other bad thing you can imagine."

CVE-2024-45409 is the most critical among 18 vulnerabilities that GitHub disclosed this month as part of its regular security updates. GitHub assessed one of the other 17 vulnerabilities as critical. The flaw (CVE-2024-6678), with a CVSS severity score of 9.9, affects multiple GitLab CE and EE versions. It is one of several in recent months that allows an unauthenticated, remote attacker to run a pipeline in the context of any user within a GitLab environment.

The vulnerability is similar to flaws that GitLab disclosed in May, June, and July and suggests a pattern of not taking security seriously, Williams says. "Critical vulns month after month. Maybe they're doing better testing? Good. Or maybe they aren't being proactive. We need transparency."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GitLab Warns of Max Severity Authentication Bypass Bug

PRESS RELEASE

SAN FRANCISCO, Calif., September 16, 2024 – c/side, a cybersecurity company with tools for monitoring, optimizing, and securing vulnerable browser-side third-party scripts, today announced $6 million in seed funding. The round is led by Uncork Capital, with participation from Mantis VC, Scribble Ventures, Roar Ventures, and PrimeSet. c/side’s total funding is now $7.7 million, following a pre-seed round announced earlier this year. Scribble and Roar also participated in the pre-seed, along with strategic angel investors.

  
As headlines have continued to show since the infamous British Airways breach, the third-party code scripts that businesses add into their websites are often poorly monitored and undersecured. While these scripts are necessary for critical site functions such as analytics, chatbots, and error handling, the scripts change frequently without a business’ knowledge—posing significant risks. Malicious actors exploit vulnerabilities within the scripts to redirect website visitors, steal sensitive information, or manipulate website content. As a result of increased security awareness on the infrastructure and open source supply chain, malicious actors increasingly seek to weaponize the browser as the place of execution—yet most sites have nothing in place to monitor client-side behavior.

  
With an advanced proxy service and an AI-driven detection engine, c/side offers a comprehensive toolkit to identify and neutralize malicious scripts in real-time. The innovative solution not only bolsters website security, but also significantly enhances website performance. Beyond safeguarding organizations from cyberattacks, c/side’s technology also simplifies compliance with stringent industry regulations like PCI DSS 4.0, making it a critical and particularly timely tool for businesses accepting digital payments via their sites.

  
“Even in the few short months since we launched, major browser supply chain attacks like polyfill\[.\]io and regulatory breach incidents like the one at Kaiser Permanente have underscored just how significant and rapidly-escalating this attack vector has become,” said Simon Wijckmans, CEO and founder, c/side. “Security and IT teams cannot take a ‘set it and forget it’ approach to the third-party web scripts that run through their organization’s website. We understand what’s required to ensure ongoing visibility and protection, and offer an end-to-end solution that’s simple to deploy. We’re thrilled to bring on new investors with our seed funding, and look forward to our next stage.”

  
“c/side is addressing client-side app security, one of the most challenging threats to digital organizations and a problem that has been largely overlooked until now,” said Andy McLoughlin, Managing Partner at Uncork Capital. “Their AI-driven solution not only identifies these threats but acts swiftly to neutralize them, ensuring robust client-side web security. We’re thrilled to lead this round and support the c/side team as they develop solutions to protect businesses from costly and damaging browser-executed attacks."

  
“We’re impressed by c/side’s AI-driven approach and its potential to revolutionize client-side security at scale,” said Alex Pall, General Partner, Mantis VC. “This team has the expertise and vision to make a significant and lasting impact across the cybersecurity landscape, making web security more accessible to all. Whether you’re an early-stage grinding entrepreneur or a large established brand, c/side will grow to have your back. Simon and the team will make things rock!”

  
The seed funding will enable c/side to accelerate the development of its flagship product, the powerful proxy solution for securing third-party web scripts. The company will also deepen its vulnerability detection engine’s capabilities and grow its team to support customer service, sales, partnership, and marketing functions.

  
c/side’s free tier is now fully operational and available — anyone can sign up and begin securing their site in minutes. Business, Enterprise, and Partner tiers are in development; those interested can contact c/side here. 

  
About c/side  
c/side is a forward-thinking cybersecurity startup focused on browser-side detection and protection. Led by industry expert Simon Wijckmans, c/side is pioneering technologies to shield against sophisticated cyber threats, ensuring unparalleled security standards for users across the web.

Source

DARKReading