The company reports that it is not experiencing any operational issues within its business, so far.

Source: JHVEPhoto via Alamy Stock Photo

NEWS BRIEF

Hewlett Packard Enterprise (HPE) is conducting an investigation after a threat actor said it had stolen data from the company's network.

IntelBroker, a cyberattack group that has been active since at least 2022, claimed responsibility for the breach on the BreachForums underground forum, alleging that it had access to the company's API, WePay, private and public GitHub repositories, Zerto and iLO source code, old user information, and more.

Previously, IntelBroker claimed to have breached organizations such as AMD, Europol, Cisco, Nokia, and others, and its members have served in leadership positions at BreachForums.

And this isn't the first time HPE has faced breaches at the hands of malicious actors. In 2018, APT10 hackers reportedly compromised some HPE systems, hacking into customer devices; and in 2021, its Aruba Central network monitoring platform was breached, allowing threat actors to access data regarding monitored devices.

As HPE investigates the most recent data breach claims, it remains unclear if there is any truth to them, and, if so, how the breach occurred.

"HPE became aware on Jan. 16 of claims being made by a group called IntelBroker that it was in possession of information belonging to HPE," an HPE spokesperson tells Dark Reading. "HPE immediately activated our cyber-response protocols, disabled related credentials, and launched an investigation to evaluate the validity of the claims."

HPE also reported that there is no evidence that customer information was involved, and currently no operational impact to the business.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

HPE Investigates After Alleged Data Breach

Two separate campaigns are targeting flaws in various IoT devices globally, with the goal of compromising them and propagating malware worldwide.

Source: Aleksey Funtap via Alamy Stock Photo

Separate spinoffs of the infamous Mirai botnet are responsible for a fresh wave of distributed denial-of-service (DDoS) attacks globally. One is exploiting specific vulnerabilities in Internet of Things (IoT) devices to establish "expansive" botnet networks, while the other has been targeting organizations in North America, Europe, and Asia with DDoS attacks since the end of 2024, researchers have found.

An ongoing operation within Mirai dubbed "Murdoc\_Botnet" (which began in July and has more than 1,300 active IPs) is targeting Avtech cameras and Huawei HG532 routers, researchers from Qualys revealed in a report posted today.

The researchers uncovered more than 100 distinct sets of servers associated with the Murdoc botnet, "each tasked with deciphering its activities and establishing communication with one of the compromised IPs implicated in this ongoing campaign," Qualys lead security researcher Shilpesh Trivedi wrote in the post.

Meanwhile, a botnet that comprises malware variants derived from both Mirai and Bashlite is exploiting security flaws and weak credentials in IoT devices in DDoS attacks spanning the globe, according to separate research from Trend Micro. "The malware infiltrates the device by exploiting RCE vulnerabilities or weak passwords, then executes a download script on the infected host," the researchers said.

Related:Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

The two campaigns demonstrate the ongoing impact of Mirai, a botnet that has spawned myriad variants since its source code was leaked in 2016 and which remains a significant security threat 10+ years after first appearing on the cyberattack scene.

**Murdoc Botnet Exploits Specific Flaws**

The Murdoc botnet delivering Mirai malware uses existing exploits, including CVE-2024-7029 and CVE-2017-17215, to download next-stage payloads. The former is an Avtech camera flaw that allows for commands to be injected over the network and executed without authentication, while the latter is a remote code execution (RCE) flaw found in Huawei routers.

Most of the IP addresses associated with the Murdoc botnet campaign are found in Malaysia, followed by Thailand, Mexico, and Indonesia.

Qualys researchers discovered more than 500 samples containing ELF files and shell script files associated with the Murdoc botnet. Each shell script "is loaded onto devices such as IP cameras, Network devices, and IoT devices, and, in turn, the C2 server loads the new variant of Mirai botnet, i.e., Murdoc\_Botnet, into the devices," Trivedi wrote in the post.

**An Expansive DDoS Campaign Targets US**

Related:DONOT Group Deploys Malicious Android Apps in India

Meanwhile, researchers at Trend Micro initially detected "large-scale" DDoS botnet attacks against Japanese organizations, including major corporations and banks, starting at the end of 2024, but then tracked the activity to a larger global campaign. Organizations in the US were most affected by the attacks, followed by companies in Bahrain, Poland, and Spain, among various other countries.

The primary devices targeted in the attacks have been wireless routers and IP cameras from well-known brands, including TP-Link and Zyxel routers, and Hikvision IP cameras. As with the Murdoc botnet activity, cyberattackers here targeted flaws in the devices to compromise them, but they also used weak passwords to gain access.

In terms of attack vector, the researchers found two different types of DDoS attacks related to the activity, they said. One type overloads the network by sending a large number of packets, while the other exhausts server resources by establishing a large number of sessions.

"In addition, we observed two or more commands used in combination, making it possible that both network overload attacks and server resource exhaustion attacks occur simultaneously," according to the post.

**How to Defend Against DDoS Cyberattacks**

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

With Mirai variants continuing to spawn new botnets for mounting new and widespread DDoS attacks, it's important that organizations can identify and protect their networks from floods of unwanted traffic, the researchers said.

Qualys researchers recommended that organizations regularly monitor the suspicious processes, events, and network traffic spawned by the execution of any untrusted binary/scripts, as well as exercise caution in executing shell scripts from unknown and untrusted sources.

Meanwhile, Trend Micro analysts recommended different mitigation efforts for the two types of DDoS attacks that they observed. For attacks that flood the network with packets, the researchers recommended organizations use a firewall or router to block specific IP addresses or protocols and restrict traffic; collaborate with communication service providers to filter DDoS traffic at the backbone or edge of the network; and strengthen router hardware to increase the number of packets that can be processed.

For attacks that exhaust resources by establishing a large number of sessions, Trend Micro recommended that organizations limit the number of requests that can be sent by a specific IP address within a certain period of time; use third-party services to separate attack traffic and process clean traffic; and perform real-time monitoring and block IP addresses with a high number of connections, among other mitigations and preventions.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Botnet Spinoffs Unleash Global Wave of DDoS Attacks

Set for release in March, Cisco AI Defense will provide algorithmic red teaming of large language models with technology that came over as part of the Robust Intelligence acquisition last year.

Source: Andriy Popov via Alamy Stock Photo

Cisco is expanding its cloud security platform with new technology that will let developers detect and mitigate vulnerabilities in artificial intelligence (AI) applications and their underlying models.

The new Cisco AI Defense offering, introduced Jan. 15, is also designed to prevent data leakage by employees who use services like ChatGPT, Anthropic, and Copilot. The networking giant already offers AI Defense to early-access customers and plans to release it for general availability in March.

AI Defense is integrated with Cisco Secure Access, the revamped secure service edge (SSE) cloud security portfolio that Cisco launched last year. The software-as-a-service offering includes zero-trust network access, VPN-as-a-service, a secure Web gateway, cloud access security broker, firewall-as-a-service, and digital experience monitoring.

Administrators can view the AI Defense dashboard in the Cisco Cloud Control interface, which hosts all of Cisco's cloud security offerings.

**Gaps in AI Capabilities**

AI Defense is intended to help organizations that are concerned about the security risks associated with AI but are under pressure to implement the technology into their business processes, said Jeetu Patel, Cisco's chief product officer and executive VP, at the launch event.

"You need to have the right level of speed and velocity to keep innovating in this world, but you also need to make sure that you have safety," Patel said. "These are not trade-offs that you want to have. You want to make sure that you have both."

According to Cisco's 2024 AI Readiness Survey, 71% of respondents don't believe they are fully equipped to prevent unauthorized tampering of AI within their organizations. Further, 67% said they have a limited understanding of the threats specific to machine learning. Patel said AI Defense addresses these issues.

"Cisco AI Defense is a product which is a common substrate of safety and security that can be applied across any model, that can be applied across any agent, any application, in any cloud," he said.

**Model Validation at Scale**

Cisco AI Defense is primarily targeted at enterprise AppSecOps organizations. It allows developers to validate AI models before applications and agents are deployed into production.

Patel noted that the challenge with AI models is that they are constantly changing with new data added to them, which changes the behavior of the applications and agents.

"If models are changing continuously, your validation process also has to be continuous," he said.

Seeking a way to offer the equivalent of red teaming, Cisco last year acquired Robust Intelligence, a startup founded in 2019 by Harvard researchers Yaron Singer and Kojin Oshiba, and the core component of AI Defense. The Robust Intelligence Platform uses algorithmic red teaming to scan for vulnerabilities, along with a mechanism Robust Intelligence created called Tree of Attacks with Pruning, an AI-based method of using automation to systematically jailbreak large language models (LLMs).

According to Patel, Cisco AI Defense uses detection models from generative AI (GenAI) platform provider Scale AI and threat intelligence telemetry from Cisco's Talos and its recently acquired Splunk to continuously validate the models and automatically recommend guardrails. Further, he noted that Cisco designed AI Defense to distribute those guardrails through the network fabric.

"This essentially allows us to deliver a purpose-built model and data for going out, allowing us to validate if a model is going to work as per expectations or if it's going to surprise us," said Patel, adding that it typically takes most organizations seven to 10 weeks to validate a model. "We can do it within 30 seconds because this is completely automated," he said.

**An Industry-First?**

Analysts believe Cisco is the first major player to launch technology that can address automated model verification at that scale.

"I don't know anyone else who's done anything close to this," says Frank Dickson, group VP for IDC's security and trust research practice. "I've heard people doing what we might call an LLM firewall, but it's not as intricate and complex as this. The ability to do this kind of automated pen testing in 30 seconds looks pretty slick."

Scott Crawford, research director for the 451 Research Information Security channel with S&P Global Market Intelligence, agrees, noting that a variety of large vendors are approaching security for GenAI in different ways.

"But in Cisco's case, it made the first acquisition of a startup with this focus with its pickup of Robust Intelligence, which is at the heart of this initiative," Crawford says. "There are a range of other startups in this space, any of which could be an acquisition target in this emerging field, but this was the first such acquisition by a major enterprise IT vendor."

Addressing AI security will be a major concern this year, given the rise in attacks against vulnerable models, Crawford says.

"We have already seen examples of LLM exploits, and experts have considered the ways in which it can be manipulated and attacked," he says.

Such incidents, often described as LLMjacking, are waged by exploiting vulnerabilities with prompt injections, supply chain attacks, and data and model poisoning. One notable LLMjacking attack was discovered last year by the Sysdig Threat Research Team, which observed stolen cloud credentials targeting 10 cloud-hosted LLMs. In that incident, the attackers accessed credentials from a system running a vulnerable version of Laravel (CVE-2021-3129).

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Cisco Previews AI Defenses to Cloud Security Platform

Even as the rule book changes, the profession of the CISO remains unchanged: protecting the organization in a world of constant, continually evolving threats.

Source: filmfoto via Alamy Stock Photo

COMMENTARY  
In the high-stakes world of cybersecurity, the ground is shifting beneath the feet of those charged with protecting our digital infrastructure. First came the new Securities and Exchange Commission (SEC) rules and lawsuits related to cybersecurity. More recently, a US Supreme Court ruling promises to reshape the regulatory landscape, compelling federal officials to rethink their approach to cyber governance.  

Yet amid this whirlwind of change that has descended on the industry, it's critical for chief information security officers (CISOs) to remain steadfast and not be deterred — or discouraged — by this shift.  

Therefore, my message, drawn from decades in the security field, resonates with the stiff-upper-lip slogan of Britain in the run-up to World War II: Keep calm and carry on.  

**A Regulatory Tsunami**

The SEC's rules went into effect last December. Under the new rules, public companies must report any cyber incidents within four business days of determining that it was a material event. The SEC also requires that public companies disclose their strategies for handling cybersecurity risks.  

Those in the security world apprehensive about these anticipated changes became downright frightened when the SEC — even before its new rules went into effect — sued a company, SolarWinds, that had been going so far as to single out its CISO in its filings. Just weeks before its new cybersecurity laws were set to go into effect, the agency was sending a clear message to the country's CISOs: Complacency is no longer an option.  

When in July a federal judge dismissed most of the SEC's case against SolarWinds and its CISO, you could almost hear the sigh of relief among security professionals across the land.

But the judge simply confirmed what those of us in the cybersecurity field already understood: Holding a CISO personally liable for a cyberattack won't make systems more secure. While security professionals play a critical role in protecting a company, they cannot do so effectively without the collaboration and support of others. CISOs often have only partial visibility into an organization's attack surface. That, of course, is a serious impediment to conducting a complete risk assessment.  

To be clear, legislation can play a role in helping CISOs enhance an organization's defenses. The Food and Drug Administration's (FDA's) implementation of cybersecurity requirements for medical devices illustrates this well. Those regulations empowered CISOs to join the conversation and secure the resources needed to safeguard additional areas of their organizations. 

The SEC's newest ruling provides a similar opportunity — and long overdue change — for today's CISOs to be more involved in an organization's fuller set of technology decisions. 

**A Collective Responsibility **

At their core, CISOs are truth sayers — akin to an internal audit committee that assesses risks and makes recommendations to improve an organization's defenses and internal controls.  

Ultimately, though, it's the board and a company's top executives who set policy and decide what to disclose in public filings. CISOs can and should be a counselor for this group effort because they have the understanding of security risk. And yet, the advice they can offer is limited if they don't have full visibility into an organization's technology stack. 

"Many oversee a company's IT system, but not the products the company sells. That's crucial when it comes to data-dependent systems and devices that can provide network-access targets to cyber criminals. Those might include medical devices, or sensors and other Internet of Things endpoints used in manufacturing lines, electric grids, and other critical physical infrastructure.  

In short: A company's defenses are only as strong as the board and its top executives allow it to be. 

And if there is a breach, as in the case of SolarWinds? CISOs do not determine the materiality of a cybersecurity incident; a company's top executives and its board make that call. The CISO's responsibilities in that scenario involves responding to the incident and conducting the follow-up forensics required to help minimize or avoid future incidents.  

Even before the SEC got involved, though, liability was an underlying concern among security officers. Those whose job it is to protect our data systems invariably feel responsible when something goes wrong, whatever a federal agency might say.  

Ours is a business in which thwarting a bad actor 99 times will not make any difference if an intruder manages to breach defenses on the 100th try. That's the burden that comes with the CISO title, and that's why I've always recommended — long before the SEC's new transparency rules — that a CISO understand the complex threat landscape as well as the evolving regulatory environment.  

**The Chevron Decision: A New Layer of Complexity**

For cybersecurity professionals, the legal move potentially more significant than the dismissal of the SolarWinds suit was the Supreme Court's decision in June to reverse the so-called Chevron doctrine. The Chevron doctrine, established by a previous case in 1984, required the courts to defer to a federal agency's reasonable interpretation of ambiguous statutes.  

Now, the wisdom of agencies — whether the SEC or other bodies — is no longer assumed. The overturning of this decades-old Chevron precedent has created uncertainty around the enforcement of cybersecurity regulations, making it even potentially harder for CISOs to navigate the regulatory landscape.  

Even as the rule book may be in flux, though, the professional mission of the CISO remains unchanged: protecting their organization in a world of constant, continually evolving threats. That requires clear thinking and the ability to keep one's head amid chaos. 

In other words: Keep calm and carry on. 

**About the Author**

Nozomi Networks Advisory Board Member

Marene Allison is the former vice president and chief information security officer (CISO) for Johnson & Johnson, where she was responsible for protecting the company’s IT and OT systems worldwide. She is a member of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee and is a founding member of West Point Women, currently serving on its board of directors. In addition to serving as an adviser for Nozomi Networks, she served on the board of directors for H-ISAC (Health Information Sharing and Analysis Center) and ASIS International. Allison has received numerous awards, including being inducted into the CSO Hall of Fame in 2022 and named a 2023 Distinguished Graduate by the West Point Association of Graduates.

Why CISOs Must Think Clearly Amid Regulatory Chaos

Feeling creative? Have something to say about cybersecurity? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

What motivates you? What will change how you do security? Send us a cybersecurity-related caption to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Feb. 12 deadline:

*   Via social media: Bluesky, LinkedIn, Facebook, and X. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia for sending us the winning caption for last month's "Sneaking Around" cartoon. Some noteworthy contenders included "I guarantee you there are no backdoors to our network," "Finally found a way to get rid of all that old IT gea.," and "‘Yeah, asset disposal by ‘Back Door Inc.’ I’ll do the supplier assessment thing on Monday…’" Congrats to Paul, and a big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Incentives

The US Department of Commerce will prohibit the import of components for connected vehicles from China or Russia, as the US continues to ban technology it sees as potential national security threats.

Source: Hsyn20 via Shutterstock

Smart-vehicle makers are facing supply chain disruption as the US Department of Commerce plans to enforce new regulations banning the import of connected-vehicle technology from China and Russia over cybersecurity fears.

The Commerce Department pursued new regulations after President Biden declared a national emergency over concerns that the United States had become overreliant on China for information and communications technology and services (ICTS). The rule mandates that companies and their suppliers eliminate hardware or software imported from China or Russia in their vehicle connectivity system (VCS) or in their automated driving system (ADS).

It aims to address two concerns: vulnerabilities that would allow a nation-state or criminal organization to implant a backdoor in automotive hardware or software; and the collection of data on US drivers through diagnostic features and other mechanisms, says Yoav Levy, CEO and co-founder of automotive cybersecurity provider Upstream.

"The threat is definitely real," he says. "There are many cases where cars could be hacked — including the safety elements within the cars — and there were many cases where data was stolen or leaked. ... But so far, we haven't seen something like that on a huge scale."

Related:Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

The concerns come as software-defined vehicles (SDVs) shake up the automotive market, while also potentially increasing the cyberattack surface area of automobiles. In the past, vehicle makers created a variety of platforms for their different models, and the number of processors — known as electronic control units (ECUs) — quickly climbed. While the post-pandemic chip shortage slowed the shift to new platforms, manufacturers now aim to quickly reduce the number of ECUs and other hardware needed for the VCS and ADS systems. While current models, for example, can have as many as 130 ECUs, Rivian has already reduced the number of ECUs to seven in its second generation R1 vehicles.

**Wielding the Cyber-Ban Hammer**

Rivian aside, most automobiles have a wide variety of components sourced from China, raising concerns that the United States' reliance on the technologies could allow future compromises.

Banning technology from China and sanctioning Russia is nothing new, says Ivan Novikov, CEO at API security firm Wallarm. The US government has already raised cybersecurity concerns over telecommunications equipment from Huawei, Chinese-made cargo equipment at US seaports, home routers made by Chinese manufacturer TP-Link, and popular social media app TikTok.

Related:Strategic Approaches to Threat Detection, Investigation & Response

"This is kind of the next logical step," he says.

The new commerce regulations will prohibit any "transactions involving VCS hardware and covered software designed, developed, manufactured, or supplied" by people or organizations linked to China or Russia, according to a 213-page final rule, which will be put into effect after months of comments.

Yet, many implementation details remain unclear, Novikov says.

"The open question here is who will enforce the regulations, because the usual enforcement of security requirements and crash \[safety\] tests is under the Department of Transportation," he says. "It's unclear how these two agencies can work together, and how this final DoT requirements or restrictions or controls can work."

**Securing Supply Chains & the Economy?**

The impact on the supply chain will be significant, experts say. The first tier of OEMs — large US and international companies — are not the problem. Their products, however, often come from suppliers that source their own components from Chinese companies, says Alex Oyler, director for North America at industry consultancy SBD Automotive.

It's just one more way that the supply chain is currently undergoing changes, he says. Many carmakers are looking to rewrite their relationships with providers as they move to software-defined vehicles.

Related:Trusted Apps Sneak a Bug Into the UEFI Boot Process

"We're in a bit of a different phase of software-defined vehicle in the sense that OEMs are actually starting to become a lot more prescriptive in the specification of the components that they're sourcing," Oyler says. "It's more of what's called a build-to-print relationship, where they provide not the functional requirements, but requirements for the component architecture — we want this processor, we need this memory, we need this GPU."

The shift to other sources of supply will take years, with the Biden administration allowing carmakers a grace period to comply with the regulations: Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources.

Making such changes will not be easy, says Upstream's Levy.

"It's not that easy to replace a supplier," he says. "There are financial implications with the supply chain — maybe it's going to be more expensive, or there may be some changes to software that they would need to do for the for the new supplier — an adjustment to the architecture. ... It really depends on what they are actually going to replace."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

US Ban on Automotive Components Could Curb Supply Chain

New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.

Source: Thomas Bethge via Alamy Stock Photo

Highlights:

*   Consumer survey shows that the most common security issues are phishing attacks, such as text or emails seeking personal information, as well as malware and physical theft. 
    

*   Hands-on device testing shows that Samsung S24 offers the best anti-phishing protection, while the Google Pixel 9 Pro leads in many other areas. 
    

*   The iPhone 16 Pro and other premium Android smartphones from Honor, Xiaomi, and OnePlus lack security features and protections. 
    

COMMENTARY  
New research from Omdia shows that the security capabilities on several of the latest consumer smartphones, including top devices from Apple, Google, and Samsung, fail to detect several types of common phishing attacks.

As part of the fourth-annual Omdia Mobile Device Security Scorecard, Omdia surveyed 1,572 consumers across 13 major countries in the Americas, Asia and Oceania, and Europe, in October 2024. This survey covered the demographics of smartphone users, their security concerns and attitudes, their perception of the most common security threats, and the key smartphone purchasing drivers.

Consumers reported that the most common security issue they encountered was phishing scams and attacks (texts, emails or calls which use false pretenses to try to get the target to give away valuable personal information), with 24% reporting to have experienced phishing. 

Omdia also asked consumers to rate how important various security features were, with anti-phishing having the largest net-importance rating. In fact, over the four years Omdia has conducted its Mobile Device Security Scorecard research, anti-phishing has been rising in importance. This is no surprise, as phishing not only becomes more common, but also as consumers become more familiar with the attacks and the potential for personal information theft or financial loss. 

The next most common security issue was malware and viruses. The third most common was physical theft, such as pickpocketing, mugging or snatching. 

**Mobile Device Security Testing Results**

For each of these security issues, Omdia tested leading premium smartphones to determine availability and effectiveness of security features and capabilities. Google's Pixel 9 Pro and Samsung's Galaxy S24 both scored highly, ahead of Apple's iPhone 16 Pro and other leading Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro.

Despite the importance consumers place on phishing prevention on mobile devices, the anti-phishing features failed to some degree on every device Omdia tested. No device caught all the attempted phishing texts, calls, and emails initiated as part of the testing.  

Several of the devices did catch simulated spam calls: All Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung, which have voice call protection, flagged suspected spam calls before the recipient could answer the call. The iPhone 16 Pro, however, did not have the same protections and did not catch the simulated spam call. 

Text messages with malicious short links were sent from an unknown number and sender ID, but these were not successfully caught by the test devices. Simulated phishing emails were sent from both Gmail and Google's Mail Delivery subsystem, but no device caught the phishing emails from Gmail; the messages were only identified as spam when sent from Google's SMTP. 

Despite not all phishing texts and emails being caught, once malicious links were opened on the devices, those that use Google Safe Browsing protections successfully blocked the link from opening. A warning screen was raised, forcing the user to bypass it to proceed.

Yet not all Android devices performed similarly: Samsung Internet blocked most links except the more sophisticated custom URLs, while the Xiaomi Mii and OnePlus Internet browsers failed to warn the user even when loading known malicious links. 

In previous years' testing, smartphones have been able to detect and successfully block or warn against the attempted phish. However, the difference year-on-year showcases the ever-changing nature of threats.

**Lack of Mobile Security Impacts Consumer Trust**

The lack of effective security protections on mobile devices, particularly against the growing threat of phishing attacks, is eroding consumer trust.

When Omdia asked consumers if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer. 

Despite some manufacturers' efforts to ensure the latest mobile device security protections are in place, Omdia notes that it is difficult to protect against 100% of phishing attempts. This highlights the severity of the issue and potential impact to consumers.

That said, Omdia asserts that smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities on the market) and should have more effective baseline phishing protection in place — such as voice call protection, and all Android devices making use of Google’s Safe Browsing protections. 

Omdia sees the value in the phishing protection features implemented by the leading smartphone vendors, and how this can help to protect consumers — at least in most instances, based on Omdia's latest round of testing.

However, these features need to be paired with awareness activity from manufacturers, as well as the wider industry, to help consumers be vigilant and prepared for the instance when a security threat evades a protection mechanism. Such awareness adds an important additional layer of protection against the rising number of scams targeting consumers through their mobile devices.

**About the Authors**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Senior Analyst, Smartphones, Omdia

Aaron West provides expertise and analysis of the smartphone market, joining Omdia in 2022. His areas of reporting include the active smartphone installed base, eSIM development, mmWave 5G, sustainability, and the foldable smartphone market.

Aaron has a range of research and publishing experience. He graduated with a degree in theoretical physics before moving into consumer product testing, with a focus on sustainability and the environment.

In this role, he was responsible for research project management, including comparative testing of technology products and consumer surveys. He also reported on the energy efficiency and longevity of home appliances, as well as the product lifecycle and obsolescence of smartphones.

Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers

The Supreme Court has affirmed TikTok's ban in the US, which has its users in revolt and is creating a whole new set of national cybersecurity concerns.

Source: Roykas Tenys via Alamy Stock Photo

Now that the US Supreme Court has upheld a ban on the wildly popular video social media platform we know as TikTok, its most influential users have decided to retaliate by moving their game over to REDnote, a competing Chinese social media company, thus creating an entirely new, and arguably worse, situation for the nation's cybersecurity.

The move to the alternate platform is emerging as a pop culture phenomenon. Of TikTok's roughly 170 million monthly users in the US, more than 3 million have already headed over to REDnote. Chart-topping rapper Doechii announced her account, with 2.5 million followers, was headed over to REDnote just days before the Supreme Court ruling. Bunnie XO, wife of country music star Jelly Roll, with 7 million TikTok followers, has already declared her love for Mandarin Trap music after spending time on the app. The term "TikTok refugees," referring to new US users, is trending on REDnote, according to data. Searches for REDnote have spiked 100% over the past three months, and a recent "TikTok refugees" live chat attracted more than 50,000 users across the US and China.

Meanwhile, native Chinese speakers on the app are teaching their new group of US users how to correctly pronounce REDnote's Mandarin name, "Xiaohongshu," which directly translates to "Little Red Book," sharing the same name as Mao Zedong's book of quotations. Chairman Mao founded the People's Republic of China.

And, as US TikTok culture jokes about willingly handing over their data to a Chinese company with impunity as payback for the government's ban of the app, the US national security over TikTok just got even more problematic, according to experts.

**REDnote's Cybersecurity Problems**

ByteDance, the parent company behind TikTok, is headquartered in Singapore, and it has tried to convince the US it is run independent of the Chinese government. REDnote, on the other hand, is based in Shanghai, and it's one of the few social media platforms allowed to operate on both sides of the Great Firewall, making spying on Americans and throttling propaganda aligned with the Chinese Communist Party (CCP) agenda seemingly much easier. For US users interested in the specific terms of service to use REDNote, they are written in Mandarin, leaving the few who want to drill down on the app's data use to rely on Google Translate or a similar service to decipher the details.

"REDnote appears to be a more dangerous application than TikTok, as its terms of service are in Mandarin and it has not been vetted as extensively as TikTok," Ted Miracco, CEO of Approov, says. "REDnote's servers are primarily located in China, which means that user data is subject to Chinese cybersecurity laws that require companies to grant government access upon request. This situation contrasts with TikTok, which has made efforts to store some user data on US servers, offering a modicum of oversight by American authorities."

That said, national security concerns about a Chinese company controlling such a huge communications platform as TikTok in the US were well founded, according to Lawrence Pingree, vice president of Dispersive.

"I think that there are some valid concerns about the involvement of government agencies in espionage and influence operations that are important issues to address," Pingree said. "Things like data sovereignty, isolation networks and access, regular trusted third-party audits, background checks, authentication of remote employees, and, potentially, source code review are all prudent measures to require. Bans need to consider the totality of the situation, and the politics of the time."

And the politics are indeed prickly. Chinese government-backed hackers have been ramping up their espionage activities in recent weeks with compromises of multiple telecommunications networks and a breach of the US Treasury Department systems. Just a day before the Supreme Court's ruling, President Biden issued a sweeping new executive order on cybersecurity, directly calling out the malign activities of the Chinese government against the US.

The chances of a Chinese company like REDnote complying with any of the US's TikTok requirements to operate, like audits and background checks for employees, seem pretty slim in this environment.

**The Cyber Problem With the TikTok Ban**

The ban, which technically goes into effect on Sunday, was narrowly focused on TikTok and simply doesn't go far enough, Approov's Miracco adds.

"As the problem of data misuse continues to escalate, focusing solely on foreign platforms like TikTok without addressing the systemic issues within domestic social media creates an incomplete solution. A comprehensive approach is needed — one that holds all social media companies accountable for their data practices and prioritizes user privacy and security across the board," Miracco insists.

The ongoing larger problem is that legislation and lawmakers continue to lag behind technology, he adds. The ban wasn't able to effectively meet the moment, creating unintended consequences for US national security.

"The slow pace of legislative and legal actions often fails to keep up with the rapid evolution of technology and tactics employed by bad actors," Miracco says. "This gap can leave users unprotected against emerging threats that exploit the chaos surrounding the ban. As users seek alternatives to TikTok, they will inadvertently download less secure or malicious applications, including REDnote."

However, the threat of users migrating to other apps shouldn't be a deterrent to making decisions to improve US cybersecurity posture, argues Willy Leichter, chief marketing officer of AppSOC.

"The ban may inspire targeted attacks against other US-based social media platforms, but those are already happening. As a general rule, you shouldn't let the fear of reprisals stop you from taking proactive security steps," Leichter says. "We need to be prepared for the consequences anyway."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Has the TikTok Ban Already Backfired on US Cybersecurity?

The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.

Source: Marcos Alvarado via Alamy Stock Photo

A wide spectrum of data is being shared by employees through generative AI (GenAI) tools, researchers have found, legitimizing many organizations' hesitancy to fully adopt AI practices.

Every time a user enters data into a prompt for ChatGPT or a similar tool, the information is ingested into the service's LLM data set as source material used to train the next generation of the algorithm. The concern is that the information could be retrieved at a later date via savvy prompts, a vulnerability, or a hack, if proper data security isn't in place for the service.

That's according to researchers at Harmonic, who analyzed thousands of prompts submitted by users into GenAI platforms such as Microsoft, Copilot, OpenAI ChatGPT, Google Gemini, Anthropic's Clause, and Perplexity. In their research, they discovered that though in many cases employee behavior in using these tools was straightforward, such as wanting to summarize a piece of text, edit a blog, or some other relatively simple task, there were a subset of requests that were much more compromising. In all, 8.5% of the analyzed GenAI prompts included sensitive data, to be exact.

**Customer Data Most Often Leaked to GenAI**

The sensitive data that employees are sharing often falls into one of five categories: customer data, employee data, legal and finance, security, and sensitive code, according to Harmonic.

Customer data holds the biggest share of sensitive data prompts, at 45.77%, according to the researchers. An example of this is when employees submit insurance claims containing customer information into a GenAI platform to save time in processing claims. Though this might be effective in making things more efficient, inputting this kind of private and highly detailed information poses a high risk of exposing customer data such as billing information, customer authentication, customer profile, payment transactions, credit cards, and more.

Employee data makes up 27% of sensitive prompts in Harmonic's study, indicating that GenAI tools are increasingly used for internal processes. This could mean performance reviews, hiring decisions, and even decisions regarding yearly bonuses. Other information that ends up being offered up for potential compromise includes employment records, personally identifiable information (PII), and payroll data.

Legal and finance information is not as frequently exposed, at 14.88%, however, when it is, it can lead to great corporate risk, according to the researchers. Unfortunately, when GenAI is used in these fields, it's for simple tasks such as spell checks, translation, or summarizing legal texts. For something so small, the consequences are incredibly high, risking a variety of data such as sales pipeline details, mergers and acquisition information, and financial data. 

Security information and security code each compose the smallest amount of leaked sensitive data, at 6.88% and 5.64%, respectively. However, though these two groups fall short compared to those previously mentioned, they are some of the fastest growing and most concerning, according to the researchers. Security data inputted into GenAI includes penetration test results, network configurations, backup plans, and more, providing exact guidelines and blueprints as to how bad actors can exploit vulnerabilities and take advantage of their victims. Code inputted into these tools could put technology companies at a competitive disadvantage, exposing vulnerabilities and allowing competitors to replicate unique functionalities.

**Balancing GenAI Cyber-Risk & Reward**

If the research shows that GenAI offers high-risk potential consequences, should businesses continue to use it? Experts say they might not have a choice.

"Organizations risk losing their competitive edge of if they expose sensitive data," said the researchers in the report. "Yet at the same time, they also risk losing out if they don't adopt GenAI and fall behind."

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, agrees. "Companies that don’t adopt generative AI risk losing significant competitive advantages in efficiency, productivity, and innovation as the technology continues to reshape business operations," he said in an emailed statement to Dark Reading. "Without GenAI, businesses face higher operational costs and slower decision-making processes, while their competitors leverage AI to automate tasks, gain deeper customer insights, and accelerate product development."

Others, however, disagree that GenAI is necessary, or that an organization needs any artificial intelligence at all.

"Utilizing AI for the sake of using AI is destined to fail," said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement to Dark Reading. "Even if it gets fully implemented, if it isn't serving an established need, it will lose support when budgets are eventually cut or reappropriated."

Though Kowski believes that not incorporating GenAI is risky, success can still be achieved, he notes.

"Success without AI is still achievable if a company has a compelling value proposition and strong business model, particularly in sectors like engineering, agriculture, healthcare, or local services where non-AI solutions often have greater impact," he said.

If organizations do want to pursue incorporating GenAI tools but want to mitigate the high risks that come along with it, the researchers at Harmonic have recommendations on how to best approach this. The first is to move beyond "block strategies" and implement effective AI governance, including deploying systems to track input into GenAI tools in real time, identifying what plans are in use and ensuring that employees are using paid plans for their work and not plans that use inputted data to train systems, gaining full visibility over these tools, sensitive data classification, creating and enforcing workflows, and training employees on best practices and risks of responsible GenAI use.

Employees Enter Sensitive Data Into GenAI Prompts Far Too Often

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

Source: JHVEPhoto via Alamy Stock Photo

Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that's still making waves today.

Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the autological FortiSwitchManager. Earning a "critical" 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit, a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre "Belsen Group" released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, "Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025."

Related:Extension Poisoning Campaign Highlights Gaps in Browser Security

**Possible Clues to Belsen Group's Origins**

"2025 will be a fortunate year for the world," the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it's in Ukraine's annexed Crimea region.

Related:Trend Micro and Intel Innovate to Weed Out Covert Threats

These points of data may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded "with high confidence" that it has been around for at least three years now, and that "They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet."

**What's the Cyber-Risk?**

The leaked listings contain two types of folders. The first, "config.conf," contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization's firewall rules. This data was stolen via CVE-2022-40684. In the other folder, "vpn-password.txt," are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.

Though the data is all rather aged by now, Beaumont wrote, "Having a full device config including all firewall rules is … a lot of information." CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations' internal network structures that may still apply today.

Related:Zivver Report Reveals Critical Challenges in Email Security for 2025

Organizations also often don't cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old authentications matched those still in use.

Fortinet, for its part, tried to quell concerns in a security analysis published on Jan. 16. "If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor's disclosure is small," it explained.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Source

DARKReading