CISOs need to recognize the new threats AI can present — while also embracing AI-powered solutions to stay ahead of those threats.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

Security teams have always had to adapt to change, but new developments that will play out over the next year could make 2025 particularly challenging. The accelerating pace of AI innovation, increasingly sophisticated cyber threats, and new regulatory mandates will require chief information security officers (CISOs) to navigate a more complex landscape.

Vendors are rapidly adding AI-enabled features to existing products, and the foundational large language models (LLMs) they are using present a new attack surface that malicious actors will try to exploit. CISOs will need to understand their level of exposure to these threats and how to mitigate them.

Simultaneously, the dynamic landscape of cybersecurity regulations, particularly in regions like the European Union and California, demands enhanced collaboration between security and legal teams to ensure compliance and mitigate risks. This convergence of new technologies and laws means CISOs must balance board-level compliance needs with novel security challenges to protect their organizations.

Despite the potential security challenges posed by generative AI (GenAI), it also offers opportunities to improve the security of software development processes. By proactively identifying vulnerabilities and enabling greater automation, AI will help close the gap between developers and security teams. 

Below are three trends that will dominate the enterprise security landscape in 2025. 

**Trends to Watch in 2025****1\. Vulnerabilities in Proprietary LLMs Open the Possibility of Broad-Impact Security Incidents**

Software vendors are rushing to add AI-enabled features to their products, often by leveraging proprietary foundational LLMs. As attackers start to find vulnerabilities in these models, they will open a new attack vector with potentially wide-scale consequences. Industry consolidation increases risk.

Proprietary models reveal little information about their provenance or internal guard rails, making them much harder for security professionals to understand and manage. As such, attackers can embed malware or exploit lesser-known attack surfaces in a model's feature space. 

Because the industry relies heavily on a few proprietary LLMs, these attacks could have cascading effects throughout the software ecosystem, potentially leading to wide-scale outages or impacts. 

**2\. AI and Cloud-Native Workloads Will Increase Demand for Highly Adaptive Identity Management **

The growth of cloud-native and AI applications creates new challenges for identity management systems. This year, access control must become more adaptive to deal with the increase in non-human, service-based identities. 

Systems that manage identity and permissions have already been transitioning from their traditional, static state to a more ephemeral and adaptable framework, reflecting the agility required for modern digital interactions. These needs will become even greater in the year ahead. 

AI-driven applications, in particular, demand a solid understanding of transitive identities. These applications require systems that provide secure and efficient access, even as roles and needs constantly evolve.

**3\. AI Will Help Scale Security Within DevOps**

In a recent survey, 58% of developers said they feel some degree of responsibility for application security. However, the demand for security-skilled DevOps professionals still outpaces supply. 

AI will continue democratizing security expertise within DevOps teams by automating routine tasks, providing smart coding recommendations, and further bridging the skills gap. Security will be integrated throughout the build pipeline, enabling the early identification of potential vulnerabilities at the design stage by leveraging reusable security templates that can be integrated into developer workflows.

Authentication and authorization will also be improved, with AI automatically assigning roles and permissions as services are deployed across cloud environments. 

The net result will be improved security outcomes, reduced risk, and enhanced collaboration between developers and their security peers. 

**Embracing AI-Powered Solutions to Secure the Threat Landscape **

As the technology landscape continues to evolve and cyber threats become increasingly sophisticated, CISOs must recognize the new threats that AI can present while embracing AI-powered solutions to stay ahead of them. 

By leveraging AI to automate security tasks, identify vulnerabilities, and respond to threats in real-time, organizations can strengthen their security posture and stay ahead of the fast-evolving threat landscape.

**About the Author**

CISO, GitLab

Josh Lemos is the CISO at GitLab Inc., where he brings 20 years of experience leading information security teams to his role. He is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, fortifying the GitLab DevSecOps platform and ensuring the highest level of security for customers. A talented security practitioner and technology leader, Josh is widely recognized for his strategic vision, his ability to drive growth and innovation, and his passion for building and empowering teams. He believes in technology's potential to transform the world and the need to secure it against emerging threats. Josh has led security teams at numerous high-growth technology companies including ServiceNow, Cylance, and most recently Block (formerly known as Square).

New AI Challenges Will Test CISOs &amp; Their Teams in 2025

The country awaits implementation guidelines for a framework that gives Indians greater autonomy and security over their personal data — and recognizes a right to personal privacy.

Source: Wavebreakmedia Ltd IFE-240405\_3 via Alamy Stock Photo

The government of India has drafted rules that will define how companies inside and outside of the country must handle its citizens' data privacy.

A year and a half ago, India enacted its first ever comprehensive national data protection law: the Digital Personal Data Protection (DPDP) Act. The act defined key privacy rights for Indian citizens — to access, update, correct, challenge, port, and erase their data, plus additional safeguards for children's data — and various obligations of data stewards to secure user data, maintain its accuracy, limit how it's used, and more.

Organizations have not yet been forced to adjust their data trafficking practices, as the act was waiting on a set of clearly defined rules of implementation. On Jan. 3, India's Ministry of Electronics and Information Technology (MeitY) released those draft rules, designed to operationalize DPDP. In 22 provisions and seven schedules, the DPDP Rules provide businesses with a framework for complying with the act once the government begins to enforce it.

For years leading up to this point, "As the digital infrastructure in India has grown exponentially, the absence of safety mechanisms for individuals has left citizens vulnerable," says Pankit Desai, CEO and co-founder of Sequretek. That makes DPDP "a landmark regulation, long overdue. It's not just a regulatory framework — it is a signal of India's readiness to prioritize citizen welfare in the digital age."

**India's Long Road to Data Privacy**

In 1941, Khrarak Singh, a citizen of India's northern state of Uttar Pradesh, was tried for gang robbery (dacoity). He was let off thanks to an absence of evidence, but police kept an eye on him nonetheless. They visited his home at night, kept tabs on his movements, and monitored various aspects of his personal life: his employment, social life, and habits, for example.

Eventually Singh filed a petition, arguing that the surveillance violated his constitutional rights. On Dec. 18, 1962, six judges of India's Supreme Court ruled that though some of the police tactics amounted to harassment, many of their surveillance measures were legally permissible. Privacy, they argued, was not a fundamental right under the country's constitution.

That remained the case until 2017, after India's government proposed the "Aadhaar" project, giving all citizens identification numbers backed with various demographic and biometric data. Overseeing a challenge to Aadhaar, Chief Justice of India JS Khehar explained, “It is essential for us to determine whether there is a fundamental right to privacy in the Indian Constitution," citing the Kharak Singh case. In August 2017, a nine-judge bench declared that privacy was a right given to India's citizens under its constitution.

Their ruling opened the floodgates to data protection legislation, first and most notably the proposed Personal Data Protection Bill of 2019. However, the bill was proved both expansive and restrictive. The bill covered both personal and non-personal data, but was stringent in mandating that sensitive personal data not leave the borders of the country, yet also lenient in allowing the government to exempt itself for various reasons. Regardless, the bill was withdrawn in August 2022. It was followed in spirit by the more neutral DPDP, which will finally become operational once the latest proposed rules are finalized.

**New Rules of the Road**

The DPDP rules are mostly industry standard: companies must notify customers about the data they collect, and if it's breached, encrypt it at rest and in transit, delete it after three years of inactivity, and so on.

"Most notably, they grant substantial control to the data principal (individual) over their personal data, including the ability to determine when, how, where, and for what purpose their data is used," notes Rama Krishna Gudipati, head of customer success at CloudSEK. "Additionally, the introduction of penalties for non-compliance adds an important layer of accountability." Failing to notify customers of a breach, for example, or betraying obligations around children's data, could cost companies up to INR 200 crore (around $23 million).

Certain provisions are more debatable, though, like the continued exceptions afforded to government agencies. Sequretek's Desai says that "The exemption granted to the government from these rules raises questions about fairness and accountability, especially given the government's significant role as a service provider," says Sequretek's Desai. "India's digital infrastructure is heavily influenced by government-led initiatives, unlike in the West, where private enterprises dominate," making the rule more impactful than it would be in other countries.

The deadline for submitting feedback on the new draft rules is Feb. 18. After the rules are activated, MeitY stated in a Jan. 5 press release, "An adequate period would be provided so that all stakeholders, from small enterprises to large corporates, may transition smoothly to achieve compliance with the new law."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

India Readies Overhauled National Data Privacy Rules

The voluntary program is intended to boost consumer confidence in vulnerable IoT devices, but experts want to see vendors held to a higher standard.

Source: Prisma by Dukas Presseagentur GmbH via Alamy Stock Photo

Yesterday, the White House introduced a cybersecurity labeling program for wireless Internet-connected devices, intended to help Americans make more informed decisions about the products they buy and their security.

As Americans continue to add Internet of Things (IoT) devices to their home networks — everything from baby monitors to security cameras — there are growing concerns about the safety of these devices and their vulnerability to hackers. The goal of this label is to guide consumers to more secure products as well as encourage vendors in their cyber practices.

Known as the "US Cyber Trust Mark," the label has been a long time coming, with the Federal Communications Commission gathering input over the past 18 months. In a bipartisan and unanimous vote, the FCC authorized the program and said 11 vendors will act as label administrators while UL Solutions will serve as the lead administrator.

"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency," the White House brief read.

**Just Good Intentions?**

Though this new system has good intentions for both consumers and vendors, there are concerns and speculation as to how effective this cybersecurity label will be.

The FCC intends to use QR codes linking to a national registry of certified devices and information about these products, such as how to change the default password, configure the device securely, determine whether updates and patches are automatic and how to access them, and how long the vendor will support device security.

"Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea," Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement. "There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials."

For these reasons alone, he believes that this program is worth supporting. However, he has some reservations.

"The devil is in the details and many of the security requirements are really just recommendations, such as the entire program itself (i.e., vendors do not need to participate), are voluntary, and only suggestions," Grimes wrote. "I wish many basic cybersecurity defenses such as the customer being forced to change the default password and automatic patching were required to be in the program. It would make the program much more valuable."

Part of the reason the program is voluntary is because the FCC believes that "the success of a cybersecurity labeling program will be dependent upon a willing, close partnership and collaboration between the federal government, industry, and other stakeholders" and the record shows "substantial support for a voluntary approach."

**Making Assumptions**

In order to use the US Cyber Trust Mark, manufacturers that meet eligibility criteria must have their products tested by an FCC-recognized and accredited third-party lab to ensure that the program's requirements have been met. After this, they must submit an application to a Cybersecurity Label Administrator with the necessary supporting documents. 

But the way the requirements are written, patching on behalf of the organizations isn't necessarily automatic, indicating that though an organization may have a cyber sticker of approval, it's still the consumer's responsibility to stay up to date with cybersecurity standards.

"So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark," Grimes wrote.

And while the FCC safety mark may indicate a device is designed safely, the US Cyber Trust Mark doesn't necessarily mean the same thing. This leads to consumers seeing the mark and believing they are secure.

"We also must consider whether this trust mark will give consumers a false sense of being 'unhackable' and a false sense of complacency," Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, wrote in an emailed statement. "Even if a smart device has built-in security features, users still have a personal responsibility to do their part by taking extra safety precautions — for example, changing default passwords and updating drivers/software/firmware."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Fed 'Cyber Trust' Label: Good Intentions That Fall Short

PRESS RELEASE

AUSTIN, Texas – January 8, 2025 – CrowdStrike (Nasdaq: CRWD), today announced that the CrowdStrike Falcon® cybersecurity platform achieved Federal Risk and Authorization Management Program (FedRAMP) authorization for three key modules: CrowdStrike Falcon® Next-Gen SIEM, CrowdStrike Falcon® for IT and CrowdStrike Falcon® Data Protection. These modules are available to government entities requiring FedRAMP Moderate authorization, enabling them to secure assets through the CrowdStrike Falcon Platform in GovCloud. With these capabilities, CrowdStrike continues to deliver innovative technology to empower federal, state and local government entities, as well as their supply chains, to detect sophisticated endpoint, identity and cloud-based cyberattacks, while enhancing operational efficiency.

“CrowdStrike delivers deep visibility across managed and unmanaged devices, enabling public sector and private industry to meet critical security mandates,” said Michael Sentonas, president, CrowdStrike. “Today’s federal agencies navigate a complex regulatory landscape – from the comprehensive logging mandates outlined in OMB M-21-31 to the adoption of Zero Trust frameworks to secure identities against advanced threats. FedRAMP authorization allows CrowdStrike to help government agencies streamline operations, secure hybrid environments and reduce costs while staying ahead of today’s most sophisticated adversaries.”

The U.S. government operates in one of the most severe threat environments, requiring comprehensive visibility across complex, distributed networks – including traditional endpoints, cloud environments, identity and SaaS applications. Advanced nation-state adversaries like LIMINAL PANDA exploit trusted relationships and weak security configurations within the federal supply chain, posing a significant risk to national security. To combat these significant threats, CrowdStrike delivers proactive threat detection and critical telemetry, empowering agencies to stop modern, multi-faceted intrusions across multiple domains.

Through the latest modules authorized in GovCloud, CrowdStrike provides comprehensive visibility, enhanced intelligence and advanced threat response to help government entities and their supply chains meet stringent security requirements while reducing complexity and cost. Falcon Next-Gen SIEM, Falcon for IT and Falcon Data Protection offers real-time threat detection, asset visibility, centralized log management and data protection to support compliance efforts and adoption of Zero Trust frameworks across government environments. 

Learn how to enhance Zero Trust coverage across government endpoints, identities and cloud environments on Thursday, January 23 with CrowdStrike. Register for the CrowdCast here. 

Register for Fal.Con Gov 2025 – the must-attend public sector event of the year for mission-critical cybersecurity on February 27 at the Ronald Reagan Building in Washington, DC. 

About CrowdStrike  
CrowdStrike (NASDAQ: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Achieves FedRAMP Authorization for New Modules

PRESS RELEASE

DALLAS, Jan. 7, 2025 /PRNewswire/ -- Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today announced a new collaboration with Intel® (NASDAQ: INTC) designed to help joint enterprise customers protect critical systems from stealthy threats, including fileless malware and advanced ransomware.

When Trend's proactive security platform and Intel's technology are used together, the integrated solution can better determine if encryption behavior is legitimate—such as a user backing up files or malicious—ensuring the appropriate action is taken to protect critical systems.

This news coincides with the CES 2025 (Consumer Electronics Show), which is the most influential tech innovation event for enterprises and society as a whole, where Intel and Trend will be present. Trend invites corporate attendees to join a panel discussion on Thursday, January 9th, entitled "Data Collection, Privacy and Why You Should Care," to learn how to safeguard a digital footprint as cybercriminals increasingly target critical data. Register now at: https://spr.ly/6044vmkSQ.

Carla Rodriguez, Intel VP: "Threat actors are increasingly targeting endpoints with sophisticated attacks that evade traditional software-based security. Trend's integration of Intel® Threat Detection Technology provides a hardware-accelerated detection layer to uncover stealthy threats. This technology, deployed across a billion PCs, is the only AI-based silicon security solution of its kind. Our mutual customers will benefit from enhanced protection with Trend's AI-powered Trend Vision One™ – Endpoint solutions on Intel AI PCs."

Protecting critical assets across endpoints, email, networks, and cloud workloads is increasingly challenging as malicious actors favor covert threats such as fileless malware, which was reportedly present in 40% of attacks in 2023. These can be used to deploy ransomware, steal sensitive data, and cause significant financial and reputational damage.

Fileless attacks are particularly dangerous as they rely on in-memory execution, reside in the registry, or abuse legitimate tools like PowerShell and Windows Management Instrumentation.

That's why Trend and Intel are teaming up by combining the AI-powered Trend Vision One. This collaboration provides organizations with powerful tools to detect and respond to ransomware and fileless attacks before they can cause damage.

Rachel Jin, Chief Enterprise Platform Officer at Trend: "Proactive security has long been desired but just recently feasible. Through our work with Intel, we're redefining what's possible in cybersecurity—empowering enterprises to proactively safeguard their systems, data, and operations against an increasingly complex threat landscape."

How AMS works:

*   Intel® TDT offloads advanced memory scanning (AMS) workloads from CPU to GPU.
    
*   This enables Trend endpoint security solutions to scan more deeply and more often to uncover fileless attacks before they can launch malicious payloads.
    
*   Using fewer CPU resources enhances threat detection and response without affecting performance, slowing down PCs, or reducing battery life.
    

Trend Vision One™ – Endpoint Security leverages AMS to improve memory scanning capacity by 7 to 10X1. This means that organizations can scan more and detect more threats.

CPU-based threat detection:

Advanced ransomware is increasingly capable of evading EDR detection thanks to packing and obfuscation techniques and VM cloaking. EDR solutions are too often playing catchup with behavior-based approaches, which take time to get up to speed.

Intel® TDT augments Trend's behavioral analysis, runtime machine learning, and expert rules by providing critical visibility into the hardware layer, increasing ransomware detection efficacy by 24% over software alone.

It does this by:

*   Using CPU telemetry and Intel® AI, offloading Intel AI and memory scanning from the CPU to the integrated GPU to provide a detection assist to Trend's ransomware defenses which won't disrupt the user experience.
    
*   Integrating Intel TDT source code directly into the Trend Micro agent to deliver deeper insights from CPU telemetry. This enables instant discovery of zero-day attacks and new, fast-moving variants.
    

About Trend Micro  
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's AI-powered cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, Trend's platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 70 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

Trend Micro and Intel Innovate to Weed Out Covert Threats

PRESS RELEASE

7th January 2025 – Zivver, a leader in secure communications, has published its latest report, shedding light on critical gaps in email security practices and their alignment with increasing regulatory requirements. The findings from Email Security Trends 2025: The Widening Disconnect Between Email Security and Risk Management highlight the often-overlooked threats in email security, and the scrutiny of regulatory demands on organisations. 

Landmark directives such as NIS2, DORA, and GDPR demand rigorous risk management, information classification, and data leak prevention, with email firmly in the compliance spotlight. Email is a cornerstone of business communication, with 93% of employees ranking it as “important” or “very important” for their daily work. Yet, as the sophistication of cyber threats increases and compliance requirements evolve, the risks tied to email usage have become a pressing concern for organisations worldwide.  

According to the report, which surveyed 400 IT decision-makers and 2,000 employees across the US, UK, Netherlands, France, Germany, and Belgium, over two-thirds of IT leaders report that vendors are not innovating quickly enough to address emerging risks, and 60% of employees admit to using workarounds to bypass email security policies. Additionally, only 24% of IT leaders feel their security spending is very well-aligned with actual risks, leaving organisations vulnerable to both inbound and outbound threats. 

Other key findings from the report include:  

*   While 47% of IT leaders prioritise phishing and inbound threats, two-thirds admit that outbound email mistakes—such as misaddressed emails or improper encryption—cause more significant data losses. 
    

*   Over 50% of employees admit to email-related mistakes every few months, and 60% report using workarounds to bypass policies, indicating a need for better tools and training. 
    

*   While 73% of employees are aware of the security policies pertaining to email, only 52% adhere to them 
    

*   Only 34% of email incidents are formally reported, leaving IT teams unaware of the full scope of security breaches. 
    

*   54% of employees say they are more likely to make email mistakes when they are busy or overwhelmed, highlighting the need for supportive tools.
    

Rick Goud, Co-Founder and CIO at of Zivver said: “Compliance requirements today demand that organisations take a comprehensive view of email security, integrating robust solutions that address both inbound and outbound risks. By embedding security measures into existing workflows and ensuring they align with evolving regulations, businesses can create a safer and more compliant environment for employees. This report offers actionable insights to help organisations align their security measures with today’s challenges while maintaining the trust and productivity that email enables.” 

To read the full report you can download a copy here. 

About Zivver  

Zivver is a leading provider of solutions for secure communications and data leak prevention, with a focus on protecting sensitive information. With more than 11,000 organisations as customers, Zivver is the market leader in the Dutch healthcare, municipal, government, and legal sectors. Zivver has been recognised by Gartner for several years as one of the four leading global providers of email data security.  

https://www.zivver.com/ 

You May Also Like

Zivver Report Reveals Critical Challenges in Email Security for 2025

PRESS RELEASE

PRINCETON, N.J., Jan. 6, 2025 /PRNewswire/ -- Palindrome Technologies has been conditionally approved as a Cybersecurity Label Administrator (CLA) for the Federal Communications Commission's (FCC) voluntary Internet of Things (IoT) Cybersecurity Labeling Program.

As a CLA, Palindrome will evaluate and certify IoT products that meet FCC cybersecurity standards.  
Qualified products will bear the "U.S. Cyber Trust Mark" label.  
This program is designed to incentivize manufacturers to meet higher cybersecurity standards and differentiate trustworthy products in the marketplace, and most importantly, help consumers make informed decisions about the products they use in their homes.

Peter Thermos, Palindrome CEO, stated, "We are honored to support the FCC's efforts in strengthening IoT security and building consumer trust. Our expertise in security assurance testing of network devices and products positions us well for this role."

Palindrome will provide manufacturers with:

*   Streamlined application review and management for FCC IoT Label usage authorization
    
*   Assistance with preparation for certification
    
*   Guidance throughout the certification process
    
*   Testing and certification of IoT products
    

The program offers benefits to manufacturers, connected infrastructure, and consumers by raising cybersecurity standards and providing clear information about device security.

For more information, visit the Palindrome Technologies website.

About Palindrome Technologies:  
Since 2005, Palindrome Technologies has been a trusted cybersecurity partner to Fortune 500 companies and growing organizations that want to engineer cyber resilience in emerging threat environments. With a focus on excellence, curiosity, and integrity, Palindrome helps clients defend against cyberattacks across all attack surfaces, including hardware, software, network-to-cloud, people, and emerging technologies.

Palindrome Technologies Approved as Cybersecurity Label Administrator for FCC's IoT Program

Cyberattackers injected the NFL Wild Card team's online Pro Shop with malicious code to steal credit card data from 8,500 fans.

Source: Cal Sport Media via Alamy Stock Photo

Fans of the Green Bay Packers football franchise have been tackled by a payment-card skimmer; people who bought merch at the Packers Pro Shop website last fall may have had their personal data harvested.

In a data-breach notification letter to the 8,514 "cheeseheads" affected, the NFL juggernaut noted that its security staff was alerted to the code on Oct. 23, just as the team was gearing up to play the Jacksonville Jaguars in Week 8 of the 2024 season.

"We were alerted to the presence of malicious code inserted on the Pro Shop website by a third-party threat actor," reads the notice, which added that the team immediately asked the outside vendor that hosts the store to take the e-commerce site offline. "The malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website."

Fortunately, the skimmer was active in only two windows: Between Sept. 23-24, and Oct. 3-23, 2024. And, fans who used a gift card, a Pro Shop website account, PayPal, or Amazon Pay weren't exposed.

Cybercriminals were able to score on everyone else though, collecting names, addresses (billing and shipping), emails, and full payment-card information, according to the notice.

Related:Hacking Group 'Silk Typhoon' Linked to US Treasury Breach

According to an analysis from Sansec, a Dutch e-commerce security company that notified Green Bay about the attack, the threat actors abused a JSONP callback and YouTube's oEmbed feature, which allows users to embed content from one website into another website. Ultimately, the skimmers were able to bypass the Content Security Policy (CSP) for the Pro Shop website, and "a script was injected from https://js-stats.com/getInjector. This script harvested data from input, select, and text area fields on the site, exfiltrating the captured information."

**A Pick 6 for Magecart & Other Cybercrime Carders?**

While there's no public attribution available for the incident, the cyberattack has all the hallmarks of a classic "Magecart" attack. Magecart is an umbrella term for a loose confederation of groups that steal credit cards by exploiting a vulnerability within a website to inject a malicious piece of code, which simply exfiltrates any data the users put into checkout pages on e-commerce sites.

Lately, these types of attacks have been on the rise, with scores of groups beyond classic Magecart actors running skimmer plays, researchers warn; the Packers are just the latest victim in the pass rush of maliciousness.

Related:Ransomware Targeting Infrastructure Hits Telecom Namibia

"There's no solid theory about why there's been an uptick in skimmer attacks,” says Javvad Malik, lead security awareness advocate at KnowBe4. "It could be a case of low-hanging fruit, a lot of e-commerce transactions over the holiday period when people are searching for deals, and also the ease through which some third parties can be compromised without triggering alarms."

According to the Recorded Future Payment Fraud Intelligence group, digital e-skimming will remain a top threat to e-commerce going forward, with bad actors relying on easy-to-use skimmer kits and persistent CMS security vulnerabilities. Plus, smaller security organizations (including those used by many sports franchises) are at particular risk.

"Payment Card Industry Data Security Standard (PCI DSS) requirements will continue aiming to improve security, but the impact will remain limited as many small and medium-sized retailers fail to adhere," said Boris Ivanov, principal malware researcher at Recorded Future, via email. "This gap will worsen the already serious problem of attackers exploiting vulnerable platforms and compromising payment data."

Meanwhile, Malik notes that sports teams might be in the cybercrime sites as a top target in part due to fan exuberance.

Related:CISA: Third-Party Data Breach Limited to Treasury Dept.

"Technically, sports organizations probably don't have any different challenges than others," he says. "What makes them attractive to criminals though is the fact that they have a loyal fan base that is willing to spend money on tickets and merchandise. Often during busy periods when tickets are released, there is a rush, so people will often ignore any security warnings in a bid to complete their purchase."

**The Payment-Skimmer Ground Game Is Hard to Defend Against**

Skimmers are also having a moment because the back-end complexity of the code running e-stores is on the rise, which offers cover for malware infestation and makes defense more porous.

"These are difficult to detect by nature, especially when these attacks take place by compromising third-party components, which can end up in organizations' blind spots," explains Malik. "Complexity and the reliance on many third parties is perhaps the biggest challenge to keep modern Web applications secure."

In the Packers' case, the Pro Shop is hosted by a third party, which complicates things even further.

"In the case of organizations outsourcing many components and hosting, security responsibility cannot be outsourced, so many organizations end up with a lack of skilled resources within the organization to keep an eye over the end-to-end security — something that is often fueled by budget constraints," Malik notes.

Ultimately, e-commerce organizations of all stripes, including those catering to Wisconsin NFL fans, need to balance security with business agility and the user experience, which creates a series of challenges. Technical complexity, resource constraints, skills shortages, and organizational culture can all affect how organizations approach Web security, Malik cautions.

"It's about embedding security into the very fabric of the business, rather than treating it as an afterthought," he says. "Some of the things you can do include implementing robust content security policies, undertaking regular security audits and penetration testing, employing real-time monitoring that can detect unusual code or behavior patterns, and finally, educating staff and fostering a culture of cybersecurity."

Dane Sherrets, staff innovation architect at HackerOne, notes that, from a coding standpoint, user input should be considered suspect until proven otherwise.

"Firstly, it's important to remind everyone never to explicitly trust user input and to treat all such inputs as potentially malicious," he says. "The Green Bay Packers incident, in particular, highlights the threat of exploiting a loophole in the site's CSP."

The Green Bay Packers did not immediately return a request for comment.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Green Bay Packers' Online Pro Shop Sacked by Payment Skimmer

"Where Warlocks Stay Up Late" project speaks to hackers who have played pivotal roles in shaping the field of cybersecurity. The video interviews are complemented by an encyclopedia and an anthropological map.

Nathan Sportsman, the CEO of offensive security company Praetorian, had a grim epiphany in the summer of 2023: We're beginning to lose some of the hackers and visionaries who laid the foundation of the cybersecurity industry.

"When Kevin Mitnick passed, I realized that he would never be able to tell his story again," Sportsman says. "We're running out of time to tell these stories."

So he decided to document the history of hackers and preserve the stories of those early trailblazers and their groundbreaking contributions. The title of his docuseries project, "Where Warlocks Stay Up Late," pays homage to Katie Hafner and Matthew Lyon's 1996 book, Where Wizards Stay Up Late, which chronicles the origins of the Internet and spotlights the stories of the pioneers responsible for shaping it.

Each month, two long-form video interviews will be released on the Warlocks project's YouTube channel, featuring candid conversations in which cybersecurity pioneers share their technical achievements, as well as their personal journeys, challenges, and ethical dilemmas they faced along the way.

Sportsman and his team — Emmy-winning producer Matthew Wallis, filmmaker Tyson Culver, anthropologist Gabriella Coleman, and historian Matt Goerzen — plan to capture the stories of over 200 cybersecurity pioneers who helped shape the hacking scene of the 1980s and 1990s. These were the hackers who testified before the US Congress in 1998 and claimed they could take down the Internet in 30 minutes. They also exposed vulnerabilities in early wireless networks and were early advocates for encryption. Some of their stories have never been told before, Sportsman says.

Related:Black Hat 2024: Praetorian CEO Teases 'Warlock' Series on Cyber Pioneers

"This is going to be a three- to five-year commitment," Sportsman notes.

The list features prominent groups like L0pht Heavy Industries, Germany's Chaos Computer Club, w00w00, and the Legion of Doom. Smaller yet interesting groups, such as TESO and ADM, will also be represented. Some of the hackers from these groups went on to build successful careers in cybersecurity, becoming CISOs or CEOs, while others found roles in policymaking or intelligence.

Each interviewee is encouraged to bring along a historical artifact that represents their journey or contributions to hacking culture.

"It could be anything," Sportsman says. "It could be an old version of Phrack magazine. It could be a floppy disk, a motherboard."

The goal is to donate the artifacts to a physical museum at some point, maybe the Smithsonian, he says.

"Maybe they create a cyber wing where these stories can be held and all these artifacts can be kept," Sportsman adds.

**Mapping Hacking Groups**

The overall goal of the Warlocks project is to create a 360-degree view on the origins of the cybersecurity industry. The video interviews will be supplemented by an encyclopedia, which will provide context, and an anthropological map, which will offer a visual representation of the underground groups and the connections among them. By selecting a hacker's name, viewers will be able to access a wealth of information, including biographical details and contributions to the field.

Coleman, a professor in the Department of Anthropology at Harvard University, was "instantly drawn to the Warlocks, like a moth to flame," she says, because the project complements her focus on the politics and cultures of hacking and online activism. Over the years, she has studied distinct hacker communities, such as Anonymous.

"Combining visual data \[maps, videos, and pictures\] with written and oral histories allows us to make more sturdy, sound, or compelling arguments," Coleman says.

To capture the full picture of the hacking scene, the team plans to talk to all kinds of pioneers "from the no-malicious yet unorthodox underground scene," as Coleman puts it, regardless of where they are located.

"Those studying hackers know there were important waypoints in the transition from underground hacking to professional security, but the full stories of their members still need to be charted," Coleman adds.

Although she has studied hacker communities for over two decades, Coleman admits that some of the names that appear on the anthropological map were initially unfamiliar to her — a reflection of the secrecy that has long shrouded the scene.

"This terra incognita reminds us of the power and importance of what some philosophers call 'epistemic humility,'" she says. "This map both charts known territory and reveals what still needs to be studied."

**A (Digital) Museum of Hackers**

One of Sportsman's first interviews for the Warlocks project was with Mike Schiffman, editor-in-chief of hacker e-zine Phrack. During the taping, Schiffman and Sportsman reminisced about the early days of IRC channels where hackers hung out to share ideas and cutting-edge research. They discussed how hacker culture has evolved over the years.

"Back then, \[Shiffman\] would just kick/ban me out of the channel because I was a kid and I was annoying, but I looked up to him because of everything he had already done to that point," Sportsman says.

Schiffman recalls a bizarre incident from his youth, when his phone switch was hijacked and all of his calls were forwarded to a bridge. Anyone trying to reach him was told he had died. While doing some research for the project, Schiffman was able to identify the exact person who hacked his phone switch 25 years ago.

"I'll be interviewing him for Warlocks in February," Schiffman says.

For Schiffman, working on the Warlocks project has been both nostalgic and thought-provoking. He serves as a producer, interviewer, and planner, making sure the project authentically captures the "rich cultural history of the hacking scene."

The motivation to talk about the old days is deeply personal.

"I want my children to know my story," Schiffman says. "They're currently quite young, and I expect them to get different things from this as they watch it at different ages."

**More Than Just Hacker Nostalgia**

The stories hackers will share on camera offer glimpses into their personal journeys, but they also weave together a collective narrative that will help the next generation understand how everything started.

"There's not a single person in this industry that achieved any type of long-term success without the help of others," says cybersecurity expert Ralph Logan, an adviser to the project.

The desire to tap into the collective memory of the cybersecurity community and capture the stories for the new generation of people entering the cybersecurity workforce is deep-seated. In the past few years, a number of projects have been developed to tell the background stories of major cybersecurity events — an oral history of L0pht and a book on the Cult of the Dead Cow, to name a few. The Computer History Museum and the International Spy Museum also have exhibits highlighting cybersecurity researchers and stories.

The collective aspect of the narrative resonates deeply with Harvard's Coleman, who views hackers as collaborative individuals who embrace partnerships that further their goals. This is why their stories should be told in a way that highlights the intricate web of interactions, collaborations, and shared ambitions that define the community, she says.

"While many industry histories, like those of Walter Isaacson, elevate individual 'tech heroes,' this project showcases how diverse, interconnected hacker collectives worldwide transformed security from an afterthought into a critical priority," Coleman says.

The anthropologist hopes the project will also serve as a template for other areas of technology, including hacktivism, a topic she holds close to her heart. By applying the same methods, researchers could one day uncover groundbreaking insights into the inner workings, cultural dynamics, and broader impacts of groups like the Cult of the Dead Cow, the Electronic Disturbance Theater, or the Xnet collective.

"Like the underground, much material connected to hacktivist circles has either remained historically hidden, is hard to access, or is precariously stored," Coleman says, noting that this is an ideal time for projects like this. "Many \[hackers\] are seeking and willing to publicize their past. Many have expressed interest in ensuring this history does not get lost to time, while we still have access to firsthand accounts."

New Docuseries Spotlights Hackers Who Shaped Cybersecurity

Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.

Source: Robert Wilkinson via Alamy Stock Photo

An unconventional phishing campaign convincingly impersonates online payments service PayPal to try to trick users into logging in to their accounts to make a payment; in reality, the login allows attackers to take over an account. The novel part of the attack is the abuse of a legitimate feature within Microsoft 365 to create a test domain, which then allows the attackers to create an email distribution list that makes the payment-request messages appear to be legitimately sent from PayPal.

Carl Windsor, CISO for Fortinet Labs, discovered the campaign when he himself was targeted by it, he revealed in a blog post published today.

Windsor received a request in his inbox from a sender with a nonspoofed PayPal email address seeking a payment of $2,185.96. The person requesting the money was someone called Brian Oistad, and aside from the "to" address not being Windsor's email address —  it was addressed to Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com —  there were few obvious signs it was not a genuine email, he said.

"What's interesting about this attack is that it doesn’t use traditional phishing methods," Windsor wrote. "The email, the URLs, and everything else are perfectly valid."

That validity might persuade an average email user to click on the link in the email, which redirects them to a PayPal login page showing a request for payment.

Related:PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

At this point, "some folks might be tempted to log in with their account details, however, this would be extremely dangerous," he wrote. That's because the login page links the target's PayPal account address with the address it was sent to — Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com, controlled by the attacker — not their own email address.

**Abusing Microsoft 365 Test Domains for Cybercrime**

The campaign works because the scammer appears to have registered a Microsoft 365 test domain — which is free for three months — and then created a distribution list containing target emails. This allows any messages sent from the domain to bypass standard email security checks, Windsor explained in the post.

Then, "on the PayPal Web portal, they simply request the money and add the distribution list as the address," he wrote.

This money request is then distributed to the targeted victims, and the Microsoft 365 Sender Rewrite Scheme (SRS) rewrites the sender to, for example, "bounces+SRS=onDJv=S6\[@\]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check," Windsor added.

"Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account," he wrote. "The scammer can then take control of the victim's PayPal account — a neat trick … \[that\] would sneak past even PayPal’s own phishing check instructions."

Related:Thousands of BeyondTrust Systems Remain Exposed

Indeed, abusing a vendor feature to deliver the phishing message does give the attackers a stealthy advantage when it comes to bypassing typical email security, a security expert notes.

"The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request," says Elad Luz, head of research at Oasis Security, a provider of non-human identity management. "This makes them difficult for mailbox providers to distinguish from genuine communications."

**Cyber Defense: Create a "Human Firewall" Against Phishing**

Because the attack appears to be a genuine email, the best solution to avoid falling prey to it is what Windsor calls the "human firewall," or "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look," he wrote in the post.

"This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves — and your organization — safe," Windsor noted.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

It is also possible to create a rule within email security scanners to "look for multiple conditions that indicate that this email is being sent via a distribution list," to help detect a campaign that uses this vector, he added.

Another potential mitigation is to use artificial intelligence (AI)-based security tools that use neural networks to analyze social graph patterns, among other techniques, "to help spot these hidden interactions by analyzing user behaviors more deeply than static filters," Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, tells Dark Reading.

"That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks," he says. "A thorough inspection of user interaction metadata will catch even this sneaky approach."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading