Concerns include everything from ransomware, malware, and phishing attacks on the game's infrastructure to those targeting event sponsors and fans.

Source: Steve Cukrov via Shutterstock

Sporting events like the upcoming Super Bowl LIX in New Orleans are prime targets for cyberattacks due to their massive audiences, extensive digital infrastructure, and the potential for high financial and reputational impact. Experts say organizers should be prepared for an onslaught of attacks leading up to and on game day, which is Feb. 9 this year.

Securing such events can be particularly challenging due to the vast array of potential attack surfaces, including ticketing systems, livestreaming platforms, in-stadium Internet of Things (IoT) devices, and valuable fan data. The New Year's Day terrorist attack in the city has only added to the concerns, and has prompted greater physical security measures in the form of increased surveillance, a significantly larger police presence than initially planned, and the use of drones and extra cameras to monitor for threats.

**High-Stakes Cybersecurity Playbook for the Big Game**

James DeMeo, faculty member with Tulane University's School of Professional Advancement, is an expert in sport event security, facilities, and venue risk assessment. The Super Bowl, he reminds, is a mega event that the Department of Homeland Security has designated as a Special Event Assessment Rating 1 (SEAR 1), which is the highest rating from a threat assessment standpoint. Following the Jan. 1 vehicle ramming incident in New Orleans' French Quarter, event security concerns are sure to have only heightened, he says.

The top cybersecurity concerns will include those around ransomware, malware, and phishing threats directed at critical infrastructure for the games and communication networks. "Command center controls will be tasked with averting bad actors from infiltrating CCTV, access controls, and wireless networks while ensuring a seamless fan experience," DeMeo says.

Other focus areas for the security team at the Super Bowl will include protecting fan payment data and monitoring social media networks for signs of potential physical threat activity. "Law enforcement will be sharing relative and timely information with governmental stakeholders like the JTTF and the Secret Service," DeMeo says. Expect the DHS to monitor posts on social media platforms in real time before and during the games for conversations that indicate a threat to the event.

DeMeo expects drones will play a key role on the physical security side of things as well. "Drones are an effective risk mitigation tool for key Super Bowl security stakeholders," he says. "This technology can be implemented for properly monitoring crowds, crowd management, crowd ingress/egress, and reconnaissance for potential nefarious bad actors on the exterior perimeters of the venue."  

Additionally, such technologies as biometrics and iris scans can be utilized as an effective risk mitigation tool by event security leads, he says.

**A Collaborative Defensive Effort**

Mike Storm, distinguished engineer at Cisco, says preparation for an event like the Super Bowl actually begins years in advance, with collaboration between a number of entities, including the host venue, the local city, a wide network of tech vendors, and government entities like the FBI. "In the years, months and weeks leading up to the event, the cross-functional team engages in a wide variety of scenario and role-playing exercises so that should any issues arise during the event, responses are swift, coordinated, and ideally resolve the problem before it can impact the game or the fan experience."

As the primary network provider for the Super Bowl, Cisco has partnered with the NFL in a collaborative approach to manage threats to the game. "This playbook," he says, "is built on a few core attributes that are essential to successfully protecting an event of this magnitude — simplicity, visibility, reliability, and protection." As part of the effort, Cisco has deployed a range of technologies to secure the game network, including Cisco Secure Firewall, Cisco Umbrella, Cisco Security Malware Analytics, Cisco XDR with Meraki, and Splunk Enterprise.

The NFL is also tapping Cisco's Talos threat intelligence service for real-time intelligence pertinent to the event. The goal is to safeguard game day operations and respond to potential threats during the event to prevent disruptions, Storm says. "When it comes to large sporting events, we are looking for all types of attacks, at volume," he says. Many attacks are often focused on trying to degrade the experience of fans or on the misuse of data of viewers, guests, or participants of the game. "These events are targeted by a variety of different actors, which can include ideologically or politically motivated hacktivists and state-sponsored threat actors." These actors employ a variety of tactics, which can include targeting sponsors to disrupt the game or misusing branding to lure viewers to click something on something malicious.  

Storm points to the rising use of artificial intelligence as impacting Cisco's approach to protecting high-profile events like the Super Bowl. For instance, it adds complexity, he says: "The stakes of something going wrong with AI are incredibly high. On the other hand, it unlocks opportunities for faster, smarter security."

**The Threat from Unmonitored Service Accounts & APIs**

Meanwhile. the proliferation of automated systems and services like "just walk out" payment methods and frictionless checkout systems at events like the Super Bowl present a new attack vector that security teams need to guard against. The growing digitization has enabled faster retail transactions and a host of other benefits for fans. But it also led to an explosion of non-human identities (NHIs) and shared multiuse service accounts, APIs, tokens, and access keys that are often poorly monitored or completely unmonitored, says Tim Eades, CEO and co-founder of Anetac.

"Anetac's research indicates that large-scale events like the Super Bowl represent a perfect storm for NHI vulnerabilities," Eades says. "The combination of reliance on automated systems, rapid deployment, and the expansive network of NHIs required to support modern stadiums \[has\] significantly \[increased\] the attack surface," at events like the Super Bowl.

Eades perceives the targeting of NHIs as presenting a threat for event organizers in New Orleans and remote locations, "Bad actors recognize that automated accounts are gateways to critical infrastructure and sensitive data such as customer information, employee data, and more," he says. Securing such accounts, Eades notes, is important because they enable attackers to potentially gain control over stadium systems, from payment processing to manipulating environmental controls and emergency systems.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Super Bowl LIX Could Be a Magnet for Cyberattacks

Compliance standards are mandating better data security. There are several ways to do this, but most organizations would admit that erasure is not one of them.

Adam Strange, Principal Analyst, Data Security, Omdia

January 28, 2025

5 Min Read

Compliance standards are shining new light on the need to better control and protect data. There are a multitude of ways to implement a data protection and security strategy, but most organizations would admit that destroying data is not one they typically prioritize.

As well as good business and cyber processes, data privacy regulations also mandate the deletion of data, such as the "right to be forgotten" under the General Data Protection Regulation. Organizations need to be of the mindset that they both could and should be reducing their data estate as a part of normal business and compliance operations.

**More Controls Across the Entire Data Estate**

There are many good reasons why organizations need to assume better control over their entire data estates. Among them: data privacy legislation, a growing sustainability agenda, and risk to the business of data exposure. But improved control should also involve acceptance that data has a life cycle: a creation point, a period of operational life, and then a point when the data is beyond its useful life and should be deleted or removed. At the very least, less data is easier to control and manage from an operational standpoint.

Data deletion — or, more precisely, data erasure — is an area of growing importance in IT and cybersecurity, driven by the reasons above and more. The notion that data is created, used, and stored away with little, if any, thought given to what happens to that data once it is no longer needed is now from a bygone era. A much more focused and cyclical approach is needed, ultimately to destroy data when it no longer has any business value.

Omdia believes enterprises should establish timelines for deletion or erasure once data is beyond its useful lifespan — or, as a first step, to at least review the data for its business viability. Data should not be retained if its removal is required under some areas of data privacy legislation or if that data no longer fulfills the purposes for which it was collected. This retention period will depend on various factors, including legal obligations, the purpose of data processing, industry standards, and business needs.

**To Erase or Not to Erase?**

Data destruction is not usually a commonly employed cybersecurity tactic. It almost seems to conflict with the human psyche, which typically embraces the idea that the wholesale collection of data is somehow beneficial. "The more data, the better" seems to be the mantra.

However, a movement against this ideology seems to be taking place. As more and more data is created, organizations are wrestling with what to do with it all and, moreover, how to address compliance with data privacy legislation. Large and growing data volumes present a significant headache to CISOs and their teams. Can organizations put a hand on heart and claim they even know where all of their data is or that they know what it is? In a recent Omdia survey, only 11% of respondents said they would be able to identify their entire data estate if asked what percentage of their data they would be confident their organizations could account for.

As data grows in volume and cost, there are also questions to be asked about how to power all of the arrays necessary to store all of the data — not forgetting that as the threat landscape continues to grow, an effective backup strategy with duplicate copies of data is an increasingly important aspect of data security. This creates even more data, consuming more space and power. Failure to adopt a cyclical approach to data security exposes organizations to significant risks as users and security teams alike invest most of their efforts protecting and securing operational rather than archived data.

Organizations have tended to take an "ignorance is bliss" approach to stored or archived data. But with regulatory pressures, increasingly limited available storage, an unwieldy and difficult-to-manage data estate, data subjects wanting more privacy, and the requirement for a demonstrable sustainability agenda, there is now an urgent need to act.

**Sustainability**

The IT industry generates an enormous amount of waste as part of regular equipment refresh cycles; old equipment becomes redundant and needs disposal, which often means the landfill. The outgoing equipment often still functions but is less advanced and technically capable than a newer version better able to manage escalating workloads.

Omdia questions the sustainability of the way the industry currently operates, particularly in view of directives in the European Union and elsewhere around reducing the energy consumption required to process and transmit data. Furthermore, as many organizations begin to factor in environmental responsibility as a tool for brand enhancement, consuming more and more IT resources to process growing volumes of data is self-defeating.

Where infrastructure does need replacing, it is logical to clean all of the data from the systems being replaced before items are disposed of or repurposed. In this case, erasing data is a process in itself and needs to include written proof that the data has been permanently erased, with no potential for recourse. To simply go on creating more and more data, to use it for a period of time, and then store it away, largely to be forgotten about, is an antiquated mind set that needs to be substantially adjusted. Data warrants much more focus; enterprises must adopt a life cycle approach to data management — in particular, that it has an end point, after which it needs removal. Storing data away and leaving it in perpetuity is dangerous, irresponsible, and unnecessary. Ignored data poses risk to the business. Today the risks data can present to an organization mean it is too important to be ignored.

**About the Author**

Principal Analyst, Data Security, Omdia

Adam Strange is responsible for delivering a comprehensive analysis and insight program focused on data security within the Omdia cybersecurity research function, supporting vendor, service provider and enterprise clients.

Adam brings comprehensive experience of the cybersecurity industry, having worked for a series of UK-based channel and global vendor organizations.

Data Privacy Day 2025: Time for Data Destruction to Become Standard Business Practice

Globally, security researchers and whistleblowers face increasingly hostile laws and judiciaries that are ready to levy fines and prison sentences.

Source: bestfoto77 via Shutterstock

While disclosure of software vulnerabilities and data breaches has become more accepted over the past three decades, researchers and whistleblowers continue to risk lawsuits and criminal charges depending on the country in which they live.

In April 2022, for example, police in Istanbul arrested independent Turkish journalist İbrahim Haskoloğlu after he revealed details of a breach of government data in Turkey. The country's ruling party has since proposed a law to make the false reporting of a data breach a crime punishable by two to five years in prison — a law that critics say will prevent disclosure of real data breaches.

And in the island nation of Malta, three computer-science students and their lecturer at the University of Malta will be charged in March, two years after they found vulnerabilities in scheduling service FreeHour and notified the company. FreeHour claimed the disclosure appeared to be a ransom demand and reported the students to the police — although, since then the firm has criticized the nation's lack of clear exemptions for researchers.

The students continue to face charges, however.

"I hope that at the end of this case, it results in a better climate for cybersecurity, but I'm genuinely exhausted from this whole situation," Michael Debono, one of the students, stated in a post on Facebook. "It's crazy that I've had to spend almost two years now dealing with the fallout of an incident that should have been resolved over a table in a day with FreeHour and the police."

Turkey and Malta are not the only countries to crack down people who report data breaches and software vulnerabilities. In Poland, a train manufacturer threatened to sue three ethical hackers who circumvented a kill code that the cybersecurity professionals claim disabled trains that had been parked in a third-party repair facility. In China, vulnerability researchers who do not first report software issues to the government risk prison time.

Even in the US, where vulnerability-disclosure issues have been debated for decades, companies and government agencies still occasionally resort to legal attacks rather than civil engagement. In September 2024, the city government of Columbus, Ohio, filed a lawsuit against whistleblower David L. Ross after he disputed the significance of a data breach, claiming that Ross colluded with the ransomware gang behind the breach. Two months later, the city settled the lawsuit.

**Defensive Driving and Disclosure**

Worldwide, vulnerability researchers need to take care when disclosing software security issues. Erring on the side of safety, like defensive driving, should be the default for cybersecurity researchers and whistleblowers, says Trey Ford, chief information security officer at San Francisco-based Bugcrowd, who connects its stable of independent penetration testers with clients.

The October 2022 email that resulted in three students and their lecturer facing charges. Source: Lecturer Luke Collins' site

In the best case, researchers should obtain permission from the targeted organization to conduct research and disclose findings, he says.

"The reality now is: If you see something, and you're not absolutely sure — and don't have receipts and proof — maybe don't say anything, or you risk going to jail," Ford says, pointing out that defensive or vindictive organizations can cause trouble. Any risk can be "further amplified by the misaligned incentives of companies that would prefer not to address an issue. These companies have the power to almost completely silence the reporter."

In addition, working with the organization rather than immediately adopting an adversarial approach can help minimize potential misinformation about what constitutes a breach or vulnerability, says Ilona Cohen, chief legal and policy officer at HackerOne, a hacking-services platform.

Researchers should also always be cognizant of local law, she says.

"Whether a data breach has occurred or a vulnerability is present are not always clear-cut," Cohen says. "It’s not uncommon for countries to have laws against fraudulent misrepresentation, but lawmakers must take care not to target individuals that do not intend to deceive or to cause harm."

**Benign Intent or Hostile Actions**

So far, the researchers and whistleblowers are paying the price of the lack of clarity. Turkish journalist Haskoloğlu, for example, claimed he notified the Turkish government two months before his disclosure, after being contacted by the hackers that the data had been stolen. Last month, he announced he would leave Turkey following escalating death threats.

In December, Newag — the train manufacturer in Poland that allegedly bricked trains not repaired in its workshops — filed a lawsuit against the three hackers who discovered and publicized their workaround for the kill code. While the European Union adopted a right-to-repair law for consumer goods in 2024, it's unclear whether industrial equipment, such as trains and machinery, are covered.

The incidents highlight that organizations are aiming to silence researchers, rather than engage publicly with them, says Dustin Childs, the head of threat awareness and the Zero Day Initiative at Trend Micro, which maintains a third-party bug bounty program.

"It’s a disturbing trend I hope reverses soon," he says. "We need to offer safe harbor to researchers who are willing to report vulnerabilities in a coordinated manner. Unfortunately, this trend is unlikely to change without either litigation or legislation."

Globally, however, legislation appears to be moving in a different direction. In August 2024, the UN General Assembly adopted the Convention Against Cybercrime, which makes it a crime to "access ... an information or communications technology (ICT) system without right" or to intercept data or communications. Digital-rights groups worry that the treaty will lead to more laws that penalize legitimate security research.

While Turkey appears to be the first country since August to pass a more strict cybercrime statue, tougher regulations seem increasingly likely, Childs says.

"Overall, we are currently in a climate where governments favor businesses over individual researchers," he says. "It would not surprise me to see similar measures in other countries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Reporting a Breach or Vuln? Be Sure Your Lawyer's on Call

Quantum computing will bring new security risks. Both professionals and legislators need to use this time to prepare.

Source: Sergey Tarasov via Alamy Stock Photo

COMMENTARY

One of cybersecurity's major pitfalls is assuming that risks will always stay the same. Failing to consider emerging threats has caused detriment in the security field. When varied threats already exist that are time-tested and successful, like ransomware, phishing, or business email compromise, security professionals often don't consider that new risks arise daily. 

Quantum computing and the potential for cracked algorithms are among the first instances where security professionals have a heads-up on an emerging trend. As a result, both professionals and legislators can use this time to their advantage and prepare by putting forth maximum effort to approach cryptographic agility. This model is defined as the ability for technology to seamlessly switch to new protocols or mechanisms when algorithms become insecure (without system interruption).

**The Possibility of Cryptographic Agility Adoption**

A critical question that has emerged as quantum computing and algorithm cracking approaches is whether cryptographic agility is genuinely possible for the average tech company. 

Quantum computing is not a new concept, and new cryptographic algorithms to prepare for that hypothesis have been developing progressively since 2016 (note the National Institute of Standards and Technology's call for new algorithms — three of which were published last fall). Yet the United States is far from documenting robust legislation to mandate cryptographic agility in the US market. 

Unfortunately, this puts the data stored on US soil at risk, leaving US businesses to fend for themselves. Small players within the US may be at the mercy of legislation and large tech companies to pave the way for cryptographic agility (such as through the Shared Responsibility Model). 

NIST has done a solid job of widely distributing the three new encryption standards it has published (ML-KEM, ML-DSA, and SLH-DSA). Still, proper enforcement may only be possible at the federal level, which is required to make cryptographic agility a widespread practice in security departments.

**Cryptographic Agility: A Legislative Necessity **

One reliable way to plan for any emerging threat, including quantum computing that could crack standard algorithms, is to look to the courts. US security professionals and tech businesses should consistently look toward Europe, since its cybersecurity legislation is often further ahead and more mature. 

Two examples are the emerging NIS and DORA regulations, which strongly emphasize cryptographic agility as a security best practice. Though these sweeping directives were enacted outside US borders, they provide a framework America could use to build its quantum computing legislation. 

A significant challenge regarding quantum computing and the cracking of standard algorithms is that we know it is coming — though not precisely when. The field lacks detail on how soon key cracking and invalidation will occur (though heavily debated, news articles emerged last fall indicating that Chinese agencies had cracked reputable algorithms — some argue the risk is coming sooner than 2030). 

This uncertainty underscores the strong benefit legislation would provide ahead of the arrival of quantum computing.

**The Business Benefit of Cryptographic Agility**

Implementing a cryptographic agility model has benefits beyond data security and privacy protection. This adoption also has significant business benefits.

Cryptographic agility is a strategic move for a company. Preparing before quantum computing fully emerges is an opportunity to positively contribute to a company's bottom line, because cryptographic agility could be an organization's market differentiator. With so few businesses embracing this best practice, implementing it today would present a distinct competitive advantage. Security and safety are not the only motivators for implementing a cryptographic agile program. 

**The Time to Prepare With Cryptographic Legislation Is Now**

A quantum computing risk assessment is challenging to conduct because no professional in the security space has been able to identify, with precision, how many years it will take until an algorithm like AES-256 (a popular symmetric model which is often the topic during encryption resiliency debates) is found to have flaws. Instead, the field has relied on very vague definitions and estimates, ranging from 10 years to 30 years down the road. Industries and legislators are postponing the goal of becoming cryptographically agile by decades, using both excuses that "we have time" and "we do not know when this risk will be realized." Nevertheless, the time to prepare with cryptographic agile legislation is now — and even without it, businesses that adopt the model have a distinct competitive advantage.

The cybersecurity field is fortunate to have adequate notice; they must prepare before quantum computing emerges and alters the trusted algorithms technology has relied on.

**About the Author**

Cybersecurity Specialist

Keavy Murphy is a Boston-based security professional. Passionate about cybersecurity, especially for new and emerging companies, she prioritizes using soft skills to manage compliance and risk management effectively in parallel with business objectives. Previously, she served in information security roles at Starburst Data, Cambridge Mobile Telematics, Alegeus and State Street. She enjoys writing about and researching the benefits of effective communication within the security space. Her work has been published in Dark Reading and Info Security Magazine and presented at seminars including the Chief Data and Analytics Officers Conference and FutureCon. She is an active volunteer with Boston Cares, has served in the ISACA Engage Mentor program, and holds both CIPP and CIPM certifications.

Cryptographic Agility's Legislative Possibilities &amp; Business Benefits

The firewall specialist has patched the security flaw, which was responsible for a series of attacks reported earlier this month that compromised FortiOS and FortiProxy products exposed to the public Internet.

Source: Lutsenko via Oleksandr via Shutterstock

Fortinet has patched an actively exploited zero-day authentication bypass flaw affecting its FortiOS and FortiProxy products, which attackers have been exploiting to gain super-administrative access to devices to conduct nefarious activities, including breaching corporate networks.

Fortinet characterized the flaw, rated as critical and tracked as CVE-2024-55591 (CVSS 9.6), as an "authentication bypass using an alternate path or channel vulnerability" that "may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module," according to a FortiGuard Labs security advisory last week.

Fortinet observed threat actors performing various malicious operations by exploiting the flaw. These activities included: creating an admin account on the device with a random user name; creating a local user account on the device with a random user name; creating a user group or adding a local user to an existing SSL VPN user group; adding and/or changing other settings, including firewall policy and/or firewall address; and logging in to the SSL VPN to get a tunnel to the internal network.

Fortinet recommended that customers using affected products follow the recommended upgrade path on its website to mitigate the flaw. It also offered workaround options in its advisory.

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**First Signs of Fortinet Zero-Day Exploitation**

The first signs that something was amiss came earlier this month, when researchers at Arctic Wolf revealed that a zero-day flaw was likely to blame for a series of recent attacks on FortiGate firewall devices with management interfaces exposed on the public Internet. Attackers were targeting the devices to create unauthorized administrative logins and make other configuration changes, create new accounts, and perform SSL VPN authentication.

Fortinet quietly informed its customer base of the issue before revealing the patch and extent of the situation late last week; this low-key revelation is how Arctic Wolf got wind of it, according to a blog post analyzing the flaw by watchTowr Labs published on Jan. 27. However, security researchers did not yet know exactly what the flaw was or what the exploitation entailed.

That's become clearer now. The flaw resided within the jsconsole functionality, which is a graphical user interface (GUI) feature to execute command line interface (CLI) commands inside FortiOS's management interface, according to watchTowr Labs. "Specifically, the weakness in this functionality allowed attackers to add a new administrative account," according to the post.

Related:Change Healthcare Breach Impact Doubles to 190M People

Jsconsole is a WebSocket-based Web console to the CLI of the affected Fortinet appliances. "This CLI is all-powerful, since it is effectively the same as the actual provided CLI that is used by legitimate administrators to configure the device," according to watchTowr Labs. Therefore, if an attacker gains access to the Web console, the appliance itself should be considered compromised.

The researchers took a deep dive into the vulnerability and found that it was actually a chain of issues combined into one critical vulnerability that allowed attackers to follow four key steps to achieve super administrative access.

Those steps are: creating a WebSocket connection from a pre-authenticated HTTP request; using a special parameter local\_access\_token to skip session checks; exploiting a race condition in the WebSocket Telnet CLI to send authentication before the server does; and picking the access profile that an attacker wishes to assume, which in the case of the researchers' proof-of-concept was to become a super administrator.

**Mitigation & Protection Against CVE-2024-55591**

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products often widely exploited to breach not only devices but also act as a point of entry to attack corporate networks.

Related:The Case for Proactive, Scalable Data Protection

Organizations using the devices affected by the flaw are advised to follow the appropriate update path or apply the workaround provided by Fortinet.

Fortinet also noted in its advisory that an attacker generally would need to know an admin account's username to perform the attack and log in to the CLE to exploit the flaw. "Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice," according to the advisory.

However, the company added, since the targeted WebSocket is not itself an authentication point, attackers still have the possibility of brute-forcing the username to exploit the flaw.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

Malware writing is only one of several malicious activities for which the new, uncensored generative AI chatbot can be used.

Source: Owlie Productions via Shutterstock

A recently debuted AI chatbot dubbed GhostGPT has given aspiring and active cybercriminals a handy new tool for developing malware, carrying out business email compromise scams, and executing other illegal activities.

Like previous, similar chatbots like WormGPT, GhostGPT is an uncensored AI model, meaning it is tuned to bypass the usual security measures and ethical constraints available with mainstream AI systems such as ChatGPT, Claude, Google Gemini, and Microsoft Copilot.

**GenAI With No Guardrails: Uncensored Behavior**

Bad actors can use GhostGPT to generate malicious code and to receive unfiltered responses to sensitive or harmful queries that traditional AI systems would typically block, Abnormal Security researchers said in a blog post this week.  

"GhostGPT is marketed for a range of malicious activities, including coding, malware creation, and exploit development," according to Abnormal. "It can also be used to write convincing emails for business email compromise (BEC) scams, making it a convenient tool for committing cybercrime." A test that the security vendor conducted of GhostGPT's text generation capabilities showed the AI model producing a very convincing Docusign phishing email, for example.

The security vendor first spotted GhostGPT for sale on a Telegram channel in mid-November. Since then, the rogue chatbot appears to have gained a lot of traction among cybercriminals, a researcher at Abnormal tells Dark Reading. The authors offer three pricing models for the large language model: $50 for one-week usage; $150 for one month and $300 for three months, says the researcher, who asked not to be named.

Related:Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

For that price, users get an uncensored AI model that promises quick responses to queries and can be used without any jailbreak prompts. The author(s) of the malware also claim that GhostGPT doesn't maintain any user logs or record any user activity, making it a desirable tool for those who want to conceal their illegal activity, Abnormal said.

**Rogue Chatbots: An Emerging Cybercriminal Problem**

Rogue AI chatbots like GhostGPT present a new and growing problem for security organizations because of how they lower the barrier for cybercriminals. The tools allow anyone, including those with minimal to no coding skills, the ability to quickly generate malicious code by entering a few prompts. Significantly, they also allow individuals who already have some coding skills the ability to augment their capabilities and improve their malware and exploit code. They largely eliminate the need for anyone to spend time and effort trying to jailbreak GenAI models to try and get them to engage in harmful and malicious behavior.

Related:Change Healthcare Breach Impact Doubles to 190M People

WormGPT, for instance, surfaced in July 2023 — or about eight months after ChatGPT exploded on the scene — as one of the first so-called "evil" AI models created explicitly for malicious use. Since then, there have been a handful of others, including WolfGPT, EscapeGPT, and FraudGPT, that their developers have tried monetizing in cybercrime marketplaces. But most of them have failed to gather much traction because, among other things, they failed to live up to their promises or were just jailbroken versions of ChatGPT with added wrappers to make them appear as new, standalone AI tools. The security vendor assessed GhostGPT to likely also be using a wrapper to connect to a jailbroken version of ChatGPT or some other open source large language model.

"In many ways, GhostGPT is not massively different from other uncensored variants like WormGPT and EscapeGPT," the Abnromal researcher tells Dark Reading. "However, the specifics depend on which variant you're comparing it to."

For example, EscapeGPT relies on jailbreak prompts to bypass restrictions, while WormGPT was a fully customized large language model (LLM) designed for malicious purposes. "With GhostGPT, it’s unclear whether it is a custom LLM or a jailbroken version of an existing model, as the author has not disclosed this information. This lack of transparency makes it difficult to definitively compare GhostGPT to other variants."

Related:The Case for Proactive, Scalable Data Protection

The growing popularity of GhostGPT in underground circles also appear to have made its creator(s) more cautious. The author or the seller of the chatbot has deactivated many of the accounts they had created for promoting the tool and appears to have shifted to private sales, the researcher says. "Sales threads on various cybercrime forums have also been closed, further obscuring their identity, \[so\] as of now, we do not have definitive information about who is behind GhostGPT."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

The Apple iOS 18.3 update fixes 28 other vulnerabilities identified by the tech company, though there is little information on them.

Source: Shahid Jamil via Alamy Stock Photo

NEWS BRIEF

In its latest security update for users, Apple has released a patch for a zero-day vulnerability tracked as CVE-2025-24085 (no CVSS score assigned yet).

The vulnerability, not yet added to the National Vulnerability Database (NVD), can be found in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. As a privileged escalation security flaw, it is located in Apple's Core Media framework. The bug is being actively exploited in the wild.

The Core Media framework, according to Apple, is "the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms." It allows users to process media samples as well as manage queues of media data.

This patch comes in the form of iOS 18.3, which fixes 28 other vulnerabilities as well. Apple has yet to divulge many details about any of the issues that have been patched by this update, likely to prevent attackers from exploiting them before users can apply the necessary fix.

Impacted devices from this bug include:

*   Apple Watch Series 6 and later
    

*   Apple TV HD and Apple TV 4K (all models)
    
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    

Though the tech giant has disclosed that "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2," it has not published any details of the attacks nor attributed its discovery to a researcher.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Patches Actively Exploited Zero-Day Vulnerability

PRESS RELEASE

BIRMINGHAM, Mich., Jan. 15, 2025 /PRNewswire/ -- IT-Harvest, the premier data-driven industry analyst firm, is excited to announce the launch of HarvestIQ.ai, a groundbreaking platform featuring two cutting-edge AI assistants designed to redefine how professionals navigate the complex cybersecurity landscape.

The Analyst AI provides unparalleled access to IT-Harvest's comprehensive database of 4,070 cybersecurity vendors, offering users instant insights into market players, trends, and innovations. Meanwhile, the Architect AI empowers users with tailored guidance on cybersecurity products, leveraging IT-Harvest's in-depth analysis of over 11,300 products to help organizations make informed decisions about their cybersecurity strategies.

"HarvestIQ.ai is a game-changer for cybersecurity professionals. By combining our vast database with the power of AI, we're equipping analysts, architects, and decision-makers with tools that provide instant, actionable insights," said Richard Stiennon, Chief Research Analyst at IT-Harvest. "Whether you're evaluating vendors or designing a security architecture, HarvestIQ.ai ensures you're making data-driven decisions."

Key Features:

*   Analyst Assistant: Instant access to detailed information on 4,070 cybersecurity vendors through a familiar chat interface. A user holds a conversation with a powerful industry analyst with full vendor knowledge, including funding, security rating & health, headcount growth, and more.
    
*   Architect Assistant: Expert guidance on 11,300 cybersecurity products to streamline decision-making. Hold a conversation with a product-oriented assistant with in-depth technical knowledge of all cybersecurity solutions, compliance frameworks, capabilities, and more.
    
*   User-Friendly Platform: Get immediate access at harvestiq.ai.
    

"At IT-Harvest, we understand the critical need for precision and speed in cybersecurity decision-making," said Maximillian Schweizer, Chief Technology Officer. "HarvestIQ leverages the latest AI technology to deliver not just data, but actionable intelligence, enabling our users to stay ahead of evolving demands on their teams."

HarvestIQ is available now at harvestiq.ai. Monthly subscriptions are priced at $179 for the Architect Assistant and $159 for the Analyst Assistant, making it an accessible solution for enterprises, cybersecurity professionals, and consultants alike. Trial users can sign up for free answers to ten questions a month.

About IT-Harvest: IT-Harvest is a data-driven industry analyst firm specializing in cybersecurity market intelligence. With a mission to provide actionable insights and foster informed decision-making, IT-Harvest delivers unparalleled analysis and data-driven solutions to clients worldwide. The IT-Harvest Dashboard is the only platform for researching the entire cybersecurity industry. Data on 4,070 vendors and 11,300 products are continuously updated. Enterprise subscribers use the Dashboard for industry analysis, product discovery and selection, gap analysis, and acquisition hunting.

For more information, visit www.it-harvest.com or contact IT-Harvest at \[email protected\].

You May Also Like

IT-Harvest Launches HarvestIQ.ai

PRESS RELEASE

SEATTLE, Jan. 15, 2025 /PRNewswire/ -- Spectral Capital Corporation (OTCQB: FCCN), a pioneer in providing its deep quantum technology platform, is pleased to announce the filing of a critical patent in quantum cybersecurity.

"Over the past three decades, I have been deeply involved in the cybersecurity industry, including founding a leading-edge company that addressed some of the most complex challenges in the field," said Sean Michael Brehm, chairman of Spectral. "Quantum computing elevates cybersecurity risks to an entirely new level. With its potential to break RSA encryption—the foundation of global data security—quantum technology presents an unprecedented threat. In response, our team has developed a solution to ensure RSA encryption remains secure, even in the quantum era," concluded Spectral chairman Sean Michael Brehm.

"Out of the 104 patentable innovations acquired in the Vogon Cloud acquisition, the patent application around protecting RSA encryption from quantum hacking could be one of our most important. According to Allied Market Research, the global RSA encryption market, primarily measured within the broader "hardware encryption" category, is estimated to hold a significant share, with some reports stating that the RSA segment represents around 50% of the hardware encryption market, which is projected to reach a size of approximately $1.2 trillion by 2031, indicating a substantial market for RSA encryption alone. We are proud to be a part of protecting that market, even as new technologies for encryption emerge, like Spectral's unhackable distributed quantum ledger database technology," said Spectral's Chief Executive Officer, Jenifer Osterwalder. 

Spectral has a portfolio of patents and trade secrets designed to meet the enormous demand for hybrid computing systems which combine current classical computing technologies with emerging quantum computing technologies as these are made commercially available. An entire ecosystem of hardware and software will be needed to support hybrid and quantum computing and Spectral has ambitious plans to build one of the largest intellectual property portfolios in the industry, including its previously announced goal of filing for more than 500 patents by the end of 2025.

About Spectral Capital  
Spectral Capital (OTCQB: FCCN) is a quantum technology platform company at the forefront of innovation. Focusing on sustainable green cloud computing, quantum databases, and advanced quantum chip technology, Spectral Capital is revolutionizing industries such as telecommunications, AI, and green technology. With flagship offerings like the Vogon Cloud and Vogon DQLDB, the company is pioneering a future of decentralized, secure, and scalable computing.

Forward-Looking Statements

This press release contains forward-looking statements (as defined in Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended) concerning future events and FCCN's growth and business strategy. Words such as "expects," "will," "intends," "plans," "believes," "anticipates," "hopes," "estimates," and variations on such words and similar expressions are intended to identify forward-looking statements. Although FCCN believes that the expectations reflected in such forward-looking statements are reasonable, no assurance can be given that such expectations will prove to have been correct. These statements involve known and unknown risks and are based upon a number of assumptions and estimates that are inherently subject to significant uncertainties and contingencies, many of which are beyond the control of FCCN. Actual results may differ materially from those expressed or implied by such forward-looking statements. Factors that could cause actual results to differ materially include, but are not limited to, changes in FCCN's business; competitive factors in the market(s) in which FCCN operates; risks associated with operations outside the United States; and other factors listed from time to time in FCCN's filings with the Securities and Exchange Commission. FCCN expressly disclaims any obligations or undertaking to release publicly any updates or revisions to any forward-looking statements contained herein to reflect any change in FCCN's expectations with respect thereto or any change in events, conditions or circumstances on which any statement is based.

Spectral Capital Files Quantum Cybersecurity Patent

One of the largest data breaches in history was apparently twice as impactful as previously thought, with PII belonging to hundreds of millions of people sitting in the hands of cybercriminals.

Source: Pavel Kapish via Alamy Stock Photo

New evidence suggests that more than half of the US population was touched by the ransomware attack(s) against UnitedHealth subsidiary Change Healthcare.

One of the largest data breaches ever recorded struck Change Healthcare last year. Change's technology services reach hundreds of vendors and laboratories, thousands of hospitals, tens of thousands of pharmacies, and hundreds of thousands of physicians and dentists, including "nearly all government and commercial payers," according to company documentation. These services necessarily sweep up loads of patients' personally identifying information (PII), which ended up in the hands of multiple ransomware actors.

Later last year, it was reported that the incident affected around 100 million Americans. Now, UnitedHealth has updated that number to approximately 190 million. A company spokesperson confirmed this in an emailed statement to Dark Reading, adding, "the vast majority of those people have already been provided individual or substitute notice."

**Change's Changing Cyberattack Story**

Last February, in concert, pharmacies around the US experienced significant delays to prescription orders. Behind it all was Change Healthcare, which processes billions of transactions every year, representing trillions of dollars worth of medical claims.

Related:Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

The company first stated that it had suffered a nation-state cyber intrusion. In fact, it was a regular old ransomware attack (for which it would later pay a whopping $22 million ransom). And this wasn't the only crucial detail it got wrong.

In June, Change Healthcare finally sent out notices of data compromise, revealing that affected customers totaled around 100 million. On Friday, however, UnitedHealth Group publicly adjusted that figure to include 90 million more.

In its updated online notice of data breach, the company admitted that hackers may have obtained a variety of personally identifying information (PII) about patients and guarantors, including their first and last names, dates of birth, phone numbers, home addresses, and email addresses. Social security numbers, it noted, were only lost in "rare instances," and in an email to Dark Reading, a spokesperson claimed that Change Healthcare "has not seen electronic medical record databases appear in the data during the analysis."

The spokesperson also emphasized that "Change Healthcare is not aware of any misuse of individuals' information as a result of this incident."

However, Paul Bischoff, consumer privacy advocate at Comparitech, warns that "every press release I ever see about a data release says 'there's no evidence that your information has been abused or misused in any way.' But, obviously, they're not really looking for that for those instances of abuse, and they would never know if it actually happened. And the people that it happens to can't attribute the identity theft that they're suffering back to the data breach that caused it."

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**When Data Breach Disclosures Go Wrong**

The Securities and Exchange Commission (SEC) data breach disclosure rules require that publicly traded companies disclose "material" cybersecurity incidents within four days of becoming alerted to them. The same rule applies to material updates to breach disclosures, such as when an attack is found to have affected nearly twice as many victims as once thought.

Despite these rules, companies have managed to take extensive time in investigating and addressing critical aspects of their breaches. For instance, it took Change Healthcare four months to notify customers of its incident, nine months to admit that 100 million people were affected, and nearly a year to update that figure to 190 million.

Bischoff hesitates, though, before suggesting that what's needed is even stricter regulation. "It's a complicated subject, because it gets to a point where you put such a burden on companies. Companies are also victims in these situations, so I don't want to penalize them for reporting things incorrectly," he says.

Related:The Case for Proactive, Scalable Data Protection

At the same time, he adds, "What we see a lot is that these companies take way too long to finish their investigations and notify victims. Sometimes it's up to a year or more before we're notified that people's data is out there on the Dark Web, being used for who knows what. And that's after they're most likely to get hit with identity fraud, and other sorts of fraud, because cybercriminals want that information when it's as fresh as possible. That's when it's most valuable. So I think we do need more strict standards about the timeliness of these notifications."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Source

DARKReading