If passed, APRA will be a giant leap forward for the rights and freedoms of Americans.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

April 7 was quite a moment for Americans. That was when two US lawmakers shared draft legislation of a soon-to-be unveiled bill called the American Privacy Rights Act, or APRA. According to the International Association of Privacy Professionals (IAPP), if it becomes law, the American Privacy Rights Act "would introduce a significant shift in how organizations collect, process and share personal information, and set a high bar for data minimization practices.

To date, corporate privacy professionals whose operations are in scope of the US have needed to treat the region essentially as 50 countries since, generally, each state has its own set of laws and regulations on the subject. Complex if you deal with one or two states, unmanageable if you deal with 50.

Let's set the scene: The United States has, historically, addressed the privacy of its citizens at the state level, reserving broader rule for specific industries such as medical (HIPAA), financial, and trade (FTC). You quickly can see how this legislative patchwork left significant gaps in the processing of personal data outside very specific use cases. Europe suffered a similar lack of cohesion for many years, until the implementation of the General Data Protection Regulation (GDPR) in 2018, and the world watched closely to see if unified laws spanning dozens of geographies could actually work.

Six years later, it is safe to say that the processing and protection of personal information across Europe is unrecognizable from what it once was, and in the interim period, we've even seen the birth of revolutionary data laws in California and other states. A standard for data subjects' rights and what they expected was emerging in a place where we were generating and using — as well as valuing and relying upon — an exponentially increasing amount of data.

**The US Needs Federal Privacy Laws**

There are a number of reasons why the US wants, and needs, privacy laws at a federal level: consistency, manageability, interstate operability, trade with other regions such as Europe and Australia, and to enable technologies such as open banking to move forward. To date, states including California, Kentucky, Maryland, and others have been left with no choice but to enact local laws in order to compete in a marketplace where data privacy is a key player and differentiator among those vying for business. 

APRA, which at the time of this writing is still in draft form, follows in the footsteps of GDPR and the ePrivacy Directive, with provisions for data processing principles, subject's rights, consent to marketing, and data security.

This is still very early days, and in addition to the unclear timing (typically, an election year would preclude these types of proposals), there are more than a few obstacles still to overcome, including the same challenges that were evident in 2022, such as state law preemption and Private Right of Action.

Relevant stakeholders (think big tech, privacy groups, state governors, etc.) will each have their own perspectives, priorities, and questions, all of which will take time to come to an agreement on, if at all possible. It's worth noting that, unlike legislation in other countries, APRA attempts to consider both the interests of the data subject as well as those of the business and its operational abilities. This is untested waters, though, so it will be very interesting to see if, and how, that would work in real life.

In summary, APRA is a giant leap forward for the rights and freedoms of American subjects. I know we have been here before (two years ago), but this feels different — with people reenergized, reinvigorated, and excited by it. US lawmakers will be feeling pressure from different angles, not least from large enterprises that are losing opportunities to other regions where legislation enforces the notion of putting personal information front and center. Watch this space: I think good things are coming.

**About the Author(s)**

Group Data Protection Officer, GlobalSign

Richard Hancock is Group Data Protection Officer of GlobalSign, where he utilizes a strong technical background to provide clear and practical steer and guidance in addressing problems with a long, proven track record of creating, implementing, managing and reviewing data protection programs and framework, aligning with industry standards, and meeting a plethora of ever changing, culturally different global legislative landscapes. He spent many years helping enterprises implement PKI solutions, ranging from 1 or 2 SSL certificates through to custom-written API modules for automated process handling. Over the past decade, he has used that skill set to develop and implement data governance regime and data protection legislation compliance, encompassing not just General Data Protection Regulation (GDPR) and ePrivacy but also many domestic laws, as well as both federal and state level regulations within the US. He continues to lead the way in strategic thinking and best practice deployment in the identity verification, digital signing, and data encryption sector.

Is a US Nationwide Privacy Law Really Coming?

The threat environment will continue to grow in complexity. Now is the time for organizations to streamline how they manage and mitigate overlooked vulnerabilities.

Source: Stephen Parker via Alamy Stock Photo

According to Coalition's research, Common Vulnerabilities and Exposures (CVEs) are expected to increase by 25% in 2024 to a shocking height of 34,888 vulnerabilities, or roughly 2,900 per month. As attack surfaces continue to expand rapidly, business leaders face mission-critical choices in increasing their cyber defenses to improve vulnerability warning, patch management, and incident response.

Through our honeypot data and view into our cyber insurance policyholders' attack surfaces, security tools, and workflows, Coalition has identified the key technology choices that place businesses at risk — as well as the choices that are proving most effective.

**Short-Sighted Business Choices**

Several factors contribute to the current state of weak vulnerability management, making organizations more susceptible to cyberattacks.

First, companies often leave security teams under-resourced and overworked. These cyber workforce challenges — from worker shortages and cyber skill gaps to security burnout — continue weighing down security teams. Information security professionals are enduring extreme alert fatigue, inhibiting their ability to quickly track, patch, and remediate vulnerabilities.

Second, choosing to use disparate flagging systems keeps critical information on the latest threats siloed. Companies and their customers are at risk because key resources are managed separately: The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS) scores, the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and miscellaneous (and often belated) security advisories from vendors all come from distinct sources. The onus then is transferred to each organization to stay on top of all these different information sources. Worse, now that NIST is facing major backlog issues, its National Vulnerability Database can no longer be seen as a source of truth, complicating the picture further.

Third, companies don't always put business resources into closing the talent gap. ISC2 found that while the cybersecurity workforce grew 8.7% year over year in 2023, the workforce gap grew an additional 12.6%. Supply is outpacing demand, and security teams are simply strapped.

Finally, choosing to ignore technical debt keeps old and outdated software a high-risk target. Legacy technologies and companies' massive lists of technology subscriptions not only take up security budgets, but they also expand businesses' attack surfaces. Many businesses don't have the budget to explore new security tools or approaches because they are weighed down by technical debt.

**Risky Technical Choices**

Security teams must make smarter choices about the overlooked risks threat actors continue to successfully target and exploit year after year: unpatched vulnerabilities, Internet-exposed technologies, and end-of-life (EOL) technology.

First, understand that vulnerabilities can turn seemingly small software flaws into active attacks, so putting off patching is a risky decision. In a recent example, a nation-state attack from a North Korean threat group targeted a Windows zero-day vulnerability left unpatched for six months. This vulnerability's scale and business impacts are still unknown but pose a massive, ongoing risk for organizations.

Second, organizations need to pay more attention to their easily exploitable, Internet-exposed technologies. For example, Coalition found scans from unique IP addresses looking for Remote Desktop Protocol (RDP) increased by 59% from January 2023 to October 2023, indicating that cybercriminals are still targeting this vulnerable technology to gain operating system access.

Finally, companies often decide to keep outdated and EOL technologies running until they break down completely — or get penetrated. Threat actors upped their attacks on outdated, out-of-date software this last year. Coalition's report found that 10,000 businesses are running EOL database Microsoft SQL Server 2000, while over 100,000 businesses are running EOL Microsoft SQL servers. If left unaddressed, outdated technology and technical debt will cost organizations in the US trillions of dollars in the coming years.

As threat actors continue to search for the easiest risks to exploit and monetize, strengthening an organization's cyber resilience can be as simple as identifying the most easily addressable risks.

**Smarter Choices for Security Teams**

Our research shows that choosing to implement a few leading solutions improves vulnerability management and will continue to do so in the foreseeable future.

First, security professionals can leverage threat intelligence tools, like honeypots, to identify hackers' tactics, techniques, and procedures. These tools help serve as an early warning system for new threats. For example, Coalition uncovered cybercriminal activity related to the 1,000% 2023 MOVEit vulnerability spike in mid-May, two weeks before Progress Software and CISA issued their advisories. This early alerting helped our policyholders remediate the vulnerability and avoid related cyber incidents and impending cyber insurance claims. Meanwhile, the vulnerability cost the broader cyber ecosystem $15.6 billion.

Second, defenders should employ artificial intelligence (AI) to help them generate and contextualize alerts across the security ecosystem. While the cyber industry works to overcome the cybersecurity risks of AI, vendors are also finding new ways to battle adversaries with the technology. For example, Coalition's Exploit Scoring System incorporates multiple data sets and analyzes them with AI to help companies manage and prioritize risk mitigation.

Finally, remember to pair continuous threat detection and response management with a human traffic guard. The human power of security teams will lift cogent businesses over risky ones. While AI and machine learning are key to catching vulnerabilities, patching with intelligence requires people — strategic human partners who can act on the AI's automated insights.

**About the Author(s)**

Vice President of Research, Coalition

Tiago Henriques has had a rich career across the cybersecurity industry as an entrepreneur, CEO, pen tester, security analyst and auditor. In 2015 he founded BinaryEdge, a cybersecurity company specializing in enterprise infrastructure scanning and attack surface management. Since Coalition's acquisition of BinaryEdge in 2020, Tiago led customer security efforts across the organization as Director of Engineering for Security, recently becoming Vice President of Research.

Making Choices that Lead to Stronger Vulnerability Management

While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.

Source: ESB Professional via Shutterstock

The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.

While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyberthreat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from "The Hajj and Pilgrimage Organization in Iran," according to cybersecurity firm Kaspersky.

The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable, says Amin Hasbini, head of global research and analysis team for the Middle East, Turkey, and Africa region at Kaspersky.

"Companies in the Middle East and other regions need to exert extra caution during holiday seasons such as Hajj — the absence of certain employees needs to be accounted for to ensure smooth operations and maintaining security efficiency and productivity," he says. "Overall, it’s challenging for companies to have the right resources available and ready, in addition to the right policies and plans to complete the handover transition correctly, creating weaknesses that could be abused by threat actors."

The Hajj, which starts on the eighth day of the Islamic month and lasts four to six days, marks nearly a week of religious holidays for the Middle East and for an estimated 2 billion Muslims worldwide.

While Kaspersky sees threats affecting Saudi Arabia and other countries in the region drop by as much as 30% during the week of the Hajj, cyberattacks then quickly rebound. In 2022, for instance, when Saudi Arabia once again opened the annual Hajj pilgrimage to the world following the COVID-19 pandemic, cyberattacks doubled to more than 2 million during the month of Dhu al-Hijjah, which officially starts with the appearance of the new crescent moon.

While Saudi Arabia did not report data on cyberattacks in 2023, other countries have seen similar increases in attacks, says Shilpi Handa, associate research director for security at IDC's Middle East, Turkey, and Africa group.

"Annually, there's a significant surge in cybersecurity incidents reported by multiple security organizations in the Middle East," she says. "Similar findings are reported all over the region after the conclusion of Hajj each year."

**Cyber Scams**

The cyber threats linked to the Hajj pilgrimage typically begin early in the year, as cybercriminals aim to take advantage of Muslim adherents planning to make the trip to Saudi Arabia. Attackers use fake travel agencies, social media scams, or attacker-controlled online registration sites to entrap unsuspecting victims. Saudi Arabia's Ministry of Hajj and Umrah, which manages services and infrastructure around the pilgrimages, launched a government platform, Nusuk, that connects prospective pilgrims with legitimate operators and sites, which has significantly reduced fraud.

However, advanced threat actors have used messages and notifications about the Hajj as a way to lure employees into opening links and attachments in email. From January to May 2024, for example, an India-linked threat group — alternatively known as Sidewinder and Rattlesnake — has used Hajj-related emails to target users in Asia and Africa, according to Kaspersky.

The problem for many companies is that employees often use their business email in Web forms, or expose themselves to threats through social media, says Shawn Loveland, chief operating officer for Resecurity, a global cybersecurity service provider with clients in the Middle East.

"It's concerning how many employees use their business email on personal websites," he says. "If their PII gets scammed, now the threat actors know where you work. ... Employers should be helping to educate their employees about online fraud, because in addition to protecting the employee, it will protect the business."

As part of its effort to combat fraud, Resecurity detected and blocked more than 630 social media accounts publishing scams targeting people preparing for Hajj season, the company stated in a report on Hajj-related fraud.

**Defending With Reduced Head Count**

Saudi Arabia has taken the threat seriously. The country's National Cybersecurity Authority (NCA) conducted a comprehensive cyber exercise with more than 200 agencies represented by more than 600 officials and specialists, with a specific focus on cybersecurity during the Hajj season.

The exercise, which the country also conducted the previous year, leaves it well-prepared to handle potential cyber incidents, IDC's Handa says.

"Drills are \[being\] conducted across the region to counter cyberattacks," she says, with the government "establishing a 24/7 cyber-operations room to monitor and analyze cyber threats and share results with national agencies, allocating cyber-incident response teams, and conducting assessments to measure the cyber-risks of sensitive assets."

Businesses should take a page from Saudi Arabia's playbook, says Kaspersky's Hasbini. While attacks typically drop off for the week around the Hajj, security teams are also short-staffed, often leaving response times slower. Planning to identify and respond to incidents under such restrictions makes for good preparation.

"While the risk of mistakes by an insider is lower when employees of an organization are out of office, we see a bigger risk if the responsibilities of employees in the IT or IT security departments ... are mishandled or simply ignored, opening up weaknesses for attackers to abuse," he says.

Companies should be clear in their delegation of duties when there is a shortage of cybersecurity specialists and establish clear protocols for communications, Hasbini says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Businesses Tighten Cybersecurity Around Hajj Season

Charges against the ransomware gang member included damage to computers, conspiracy to commit fraud, and conspiracy to commit money laundering.

Source: Ozrimoz via Shutterstock

Ukrainian national Yaroslav Vasinskyi, affiliate of the REvil ransomware-as-a-service group, was sentenced to more than 13 years in prison after pleading guilty to an 11-count indictment.

The charges against Vasinskyi, also known as Rabotnik, involved conspiracy to commit fraud, conspiracy to commit money laundering, and damage to protected computers. According to court documents, he conducted thousands of ransomware attacks using the Sodinokibi/REvil ransomware variants.

"Yaroslav Vasinskyi and his co-conspirators hacked into thousands of computers around the world and encrypted them with ransomware," said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department's Criminal Division. "Then they demanded over $700 million in ransom payments and threatened to publicly disclose victims' data if they refused to pay."

Alongside his sentencing, Vasinskyi has been ordered to pay roughly $16 million in restitution for the role he played in over 2,500 ransomware attacks — a fraction of the $700 million in ransom payments that was demanded of his victims.

**About the Author(s)**

REvil Affiliate Off to Jail for Multimillion-Dollar Ransomware Scheme

Patch now: Cyberattackers are exploiting CVE-2023-7028 (CVSS 10) to take over and lock users out of GitLab accounts, steal source code, and more.

Source: simon de glanville via Alamy Stock Photo

A critical security vulnerability in GitLab is under active attack, according to CISA. It allows bad actors to send password reset emails for any account to an email address of their choice, thus paving the way for account takeover.

"This will allow attackers to reset the password just as if they were a user that had legitimately forgotten theirs," says Erich Kron, security awareness advocate at KnowBe4. "From there, the account would belong to the bad actors."

Further, Kron warned that if adversaries choose to change the legitimate associated email address for a GitLab account they've infiltrated, they could then keep the rightful account owner from being able to log in or use the password recovery function to change it back.

CISA added the vulnerability, CVE-2023-7028, to its Known Exploited Vulnerabilities (KEV) catalog as a "GitLab Community and Enterprise Editions Improper Access Control Vulnerability." The agency noted that the bug is maximum severity with a 10 out of 10 CVSS vulnerability-severity score, and is requiring Federal Civilian Executive Branch (FCEB) agencies to remediate FCEB networks against the active threat.

Sajeeb Lohani, senior director of cybersecurity at Bugcrowd, said there are publicly available exploits for the bug as well, so defenders shouldn't sit on this one.

"Since the exploit itself is quite simple to pull off, the bar of entry for the exploit is low, implying less skilled hackers will also be able to exploit this issue," he says. "In simple terms, this is an issue you want to patch promptly."

**CVE-2023-7028: Risk of Proprietary Data, Code Theft**

David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure, explains that the stakes are high for organizations because GitLab stores source code and proprietary data.

"There's always the risk of an attacker injecting malicious code into the supply chain as well, but that requires the changes not being flagged elsewhere," he explains. "While data exfiltration typically won't run up against other checks, the point of a source control platform is that you can easily transfer code in and out of it to local machines."

He recommended that organizations that manage their own GitLab deployments should ensure they have a plan to upgrade to a patched version if they haven't already done so.

"If that can't be done immediately, then mitigations should be employed," he says. "You need to ensure that you have regular password rotation or use a separate identity provider for authentication."

Larger organizations may want to also consider tools that can identify anomalous activity based on user actions, which could flag compromised accounts for quarantine.

**MFA, Zero Trust Are Effective Counters**

Defending against these types of attacks goes back to security basics. For instance, Kron suggests that one of the most effective ways to counter attacks such as unauthorized password changes is the use of multifactor authentication (MFA), which attackers keep trying to circumvent.

He added that while MFA is not unhackable, it can add enough complexity to the account takeover process that the bad actors may fail.

"Even if they could reset your password, they will not be able to log in without the second factor," he says. "This could prevent them from changing the recovery email address, making them unable to lock the rightful account owner out."

Patrick Tiquet, vice president of security and architecture at Keeper Security, meanwhile notes the most effective method to prevent account-based cyberattacks is to invest in a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor's access.

He also says a privileged access management (PAM) solution is imperative for IT administrators and security personnel to manage and secure privileged credentials and ensure least-privilege access.

"Additionally, each organization's patch management strategy needs to have a fast track for critical vulnerabilities with high possible severities — like this one — to ensure they can immediately take action," Tiquet says.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Critical GitLab Bug Under Exploit Enables Account Takeover, CISA Warns

If CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately.

Source: Tenebroso via Alamy Stock Photo

COMMENTARY

In a recent open letter, high-profile names from across the business, academic, and scientific worlds called for governments to intensify their regulation of deepfakes.

While their aims are admirable, their efforts are misplaced — it's innovation, not regulation, that will shore up our defenses against the deepfake threat. 

The letter, titled "Disrupting the Deepfake Supply Chain," was signed by prominent thinkers, including Stephen Pinker, computer scientist Joy Buolamwini, US politician Andrew Yang, and the "godfather" of AI, Yoshua Bengio.

Specifically, the letter called for increased criminalization of deepfakes, the establishment of specific criminal penalties, and liability for software developers and distributors for the use of their products in deepfakes. 

The letter correctly identifies the symptoms. Deepfakes are proliferating at a rapid rate — more than 900% annually, according to The World Economic Forum. This is ratcheting up the threat level across society.

Deepfakes are already an established weapon in the hacker arsenal. One finance worker recently paid $25 million to malicious actors after they used a deepfake of the employee's CFO in a video conference call. This should serve as a warning shot across the bow for the corporate world, and the open letter is correct to raise the alarm about the relative lack of action.

However, delegating responsibility to governments will only leave corporations more exposed. CEOs cannot afford to sit back and rely on regulators to stem the flow of deepfakes. They must take action and build their own defenses as soon as possible — and they are already starting from behind. Catching up will mean doubling their investment in innovative technologies that can counteract deepfakes.

**Stone Age Policies**

But why aren't governments up to the task themselves?

Most governments' cybersecurity departments and policies are in the Stone Age compared with these hackers. By the time legislation is drawn up, debated, and rolled out, it's often already antiquated and behind the pace of technological development. 

Furthermore, relying on reactive regulation in one government also means trusting all governments to do the same. No matter how punitive the legislation in one country, hackers in another country won't worry about the penalties, so nations will have to work together to negate the threat of deepfakes. But right now, hoping the Chinese or Russian states will prevent hackers from disrupting business in the West is nothing short of naive. 

CEOs and senior management must step up to the challenge and take responsibility for ensuring that they aren't the next victim of a deepfake scam.

Fortunately, management has several technologies available that can be rolled out to shore up their deepfake defenses, including advanced authentication, detection AI, and content watermarking. 

CEOs can integrate enhanced authentication standards to insulate their firms from deepfake scams. Two-factor or multifactor authentication systems require users to provide additional verification beyond a password, adding information that deepfake scammers will need to access sensitive information.

**Fighting Deepfakes With AI**

Management must also deploy AI in the fight against deepfakes. AI tools can analyze media files for anomalies and inconsistencies that are evidence of tampering. They can also analyze the subjects of these files, such as facial expressions and vocal patterns, and then flag non-natural inconsistencies that the human eye may miss. They can even compare deepfakes against genuine employee biometric data to identify fake representations of company employees.

Another option available to corporations is content watermarking, which embeds invisible, unique identifiers into official company media files. This can be used to verify the authenticity and origin of media content that employees come into contact with. 

These are just some of the many digital tools that management can use to insulate themselves from deepfake scammers and hackers. But they come at a cost.

Currently, cybersecurity funding lags far behind the scale of the threat that deepfakes pose. As with the finance worker above, company funds are at risk. Deepfake scams could also be used to access sensitive IP and trade secrets. Deepfakes of employees can also damage a firm's reputation, harming investor and consumer confidence. 

Even in the face of these ominous threats, firms continue to woefully underfund cybersecurity. The recent Cisco Cybersecurity Readiness Index highlights how only 3% of organizations have the "mature" level of readiness needed to be resilient against cyber threats. 

So, if CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately. Relying on the government to do this for them only increases their exposure to the risk that deepfakes pose. With healthier financing, corporations can roll out authentication tools, AI identification systems, and content watermarking to properly insulate themselves from the deepfake threat. 

**About the Author(s)**

Founder & CEO, artius.iD

Michael Marcotte is one of the world’s pre-eminent experts in digital identity, cybersecurity, and business intelligence technology. He joined EchoStar, the multibillion-dollar satellite communications firm, in 2006, and was Global CIO, Global CDO, and president (Hughes Cloud Services). He was one of the very first people to serve as chief digital officer of a major international corporation. Michael left EchoStar in 2014 and currently is the founder and CEO of digital authentication firm artius.iD. He has applied his expertise at a range of firms in technology, cybersecurity, and venture capital. He is also co-founder of the National Cybersecurity Center (NCC) and was founder and chairman of the NCC's Rapid Response Center Board. He has been a senior adviser for several heads of state and US senators.

Innovation, Not Regulation, Will Protect Corporations From Deepfakes

The AI security startup's platform will allow organizations to define appropriate AI usage and enforce security policies.

Source: Ole CNX via Shutterstock

The past two years have seen unprecedented interest in generative artificial intelligence (AI), with companies across all industries integrating capabilities into their products and services. Organizations are adopting these tools to work faster and more efficiently. However, these AI applications also pose security challenges for organizations, with heightened risks of leaks of customer data and intellectual property. They also expand organizations' attack surface, potentially exposing them to malicious data injection and other AI-driven attacks.

This evolving threat landscape sets the stage for Apex, an AI security company that came out of stealth yesterday. Apex's security platform provides organizations with visibility of their AI activities. Organizations can define what AI usage should look like within their environments and enforce security policies accordingly. The platform can detect violations to company policies, as well as detect and respond to attacks, the company said.

The platform also includes a secure portal through which users can interact securely with the organization's AI tools. Apex works with public generative AI tools such as ChatGPT and Gemini, copilots such as the one from Microsoft, and the organization's own custom AI applications.

Founded in 2023, Apex currently has a few trials with Fortune 500 companies, the company told Reuters. Apex's co-founders are Matan Derman (CEO) and Tomer Avni (CPO).

As part of the launch, Apex raised $7 million in seed funding from Sequoia Capital, Index Ventures, and angel investors, including Sam Altman, CEO of OpenAI. The company plans to use seed funding for product development, grow its team, and go-to-market activities.

**About the Author(s)**

New AI Security Startup Apex Secures AI Models, Apps

The startup says its SaaS platform helps organizations detect and recover from ransomware attacks faster than "traditional" methods.

Source: Ihor Sveitukha via Alamy Stock Photo

The number of ransomware and associated extortion attacks is growing, with reports nearly every day about damage inflicted on organizations. These attacks disrupt business operations and result in significant downtime. In some cases, data is stolen. Educational institutions, retail and healthcare entities, and critical infrastructure organizations have all been targeted over the past few months.

Mimic, which came out of stealth today, is a ransomware defense company that offers a way for organizations to detect, deflect, and recover from ransomware attacks. The company says its software-as-a-service platform is capable of restoring an organization's environment and data back to an uninfected state within 24 hours without needing to pay a ransom.

Details about the technology are sparse, but the company has the support of several well-known names, including Ted Schlein, general partner at Ballistic Ventures, who joined the board of directors; and Marie Mouchet, former CIO of Colonial Pipeline, who joined the advisory board.

Mimic's platform works "in concert" with a customer's existing security controls, said Mimic CEO Derek Smith in a statement. Smith was formerly CEO of Shape Security, a Web and mobile application security company that was acquired by F5 in 2019 for $1 billion. 

As part of the launch, Mimic raised $27 million in seed funding from Ballistic Ventures, Menlo Ventures, Team8, Wing Venture Capital, and Shield Capital. The company said Apex Group, a financial services provider, is currently using the platform.

**About the Author(s)**

Mimic Launches With New Ransomware Defense Platform

Microsoft has uncovered a common vulnerability pattern in several apps allowing code execution; at least four of the apps have more than 500 million installations each; and one, Xiaomi's File Manager, has at least 1 billion installations.

Source: rafapress via Shutterstock

Researchers from Microsoft recently discovered many Android applications — including at least four with more than 500 million installations each — to be vulnerable to remote-code execution attacks, token theft, and other issues because of a common security weakness.

Microsoft informed Google's Android security research team of the problem and Google has published new guidance for Android app developers on how to recognize and remediate the issue.

**Billions of Installations at Risk of Compromise**

Microsoft has also shared its findings with vendors of affected Android apps on Google's Play store. Among them were Xiaomi Inc.'s File Manager product, which has more than 1 billion installations, and WPS Office with some 500 million downloads.

Microsoft said vendors of both products have already fixed the issue. But it believes there are more apps out there that are fallible to exploit and compromise because of the same security weakness. "We anticipate that the vulnerability pattern could be found in other applications," Microsoft's threat intelligence team said, in a blog post this week. "We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."

The issue that Microsoft discovered affects Android applications that share files with other applications. To facilitate the sharing in a secure manner, Android implements a so-called "content provider" feature that basically acts as an interface for managing and exposing an app's data to other installed applications on a device, Microsoft said. An app that needs to share its files — or a file provider in Android speak — declares the specific paths that other apps can use to get to the data. File providers also include an identifying feature that other apps can use as an address to find them on a system.

**Blind Trust & Lack of Content Validation**

"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Microsoft said. However, in many cases when an Android app receives a file from another app, it does not validate the content. "Most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."

This gives attackers an opening to create a rogue app that can send a file with a malicious filename directly to a receiving app — or file share target — without the user's knowledge or approval, Microsoft said. Typical file share targets include email clients, messaging apps, networking apps, browsers, and file editors. When a share target receives a malicious filename, it uses the filename to initialize the file and trigger a process that could end with the app getting compromised, Microsoft said.

The potential impact will vary depending on an Android application's implementation specifics. In some cases, an attacker could use a malicious app to overwrite a receiving app's settings and cause it to communicate with an attacker-controlled server, or get it to share the user's authentication tokens and other data. In other situations, a malicious application could overwrite malicious code into a receiving app's native library to enable arbitrary code execution. "Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences," Microsoft said.

Both Microsoft and Google have provided tips to developers on how to avoid the issue. End users, meanwhile, can mitigate the risk by ensuring their Android apps are up to date and by only installing apps from trusted sources.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Billions of Android Devices Open to 'Dirty Stream' Attack

Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean hackers are taking advantage of weak DMARC configurations to impersonate organizations in phishing attacks against individuals of strategic significance to the Kim Jong Un regime.

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is a security protocol for preventing email-based attacks. Unlike most security solutions, however, which potential victims implement for themselves, DMARC policies are set by email senders. In part for this reason, it can be easily overlooked.

On Thursday, the FBI and National Security Agency released a joint cybersecurity advisory detailing how the APT Kimsuky (aka APT 43, Thallium) is taking advantage. For some time now, it has been masquerading as organizations that have weak or nonexistent DMARC policies in convincing spear phishing emails.

"This is a highly effective new tool in the arsenal of one of the more prolific social engineering threat groups that Mandiant tracks," Gary Freas, Mandiant senior analyst with Google Cloud, said in an email. "Organizations in a variety of industries around the world are at risk of leaving themselves unnecessarily exposed. Proper DMARC configuration, in conjunction with proper management of SPF/DKIM, is low-hanging fruit to deliver high-impact prevention of phishing and spoofing of an organization."

**The Difference DMARC Makes**

Kimsuky's primary objective is to steal valuable intelligence — regarding geopolitical events, other nations' foreign policy strategies, and more — for the Kim regime. To do that, it aims cyberattacks at journalists, think tanks, government organizations, and the like.

To add legitimacy to these attacks, it often impersonates individuals from trusted organizations like these in highly targeted emails. Such emails are extra convincing when Kimsuky gains access to their puppet's legitimate account or domain (often through a separate spear phishing attack) to send emails on their behalf.

A Kimsuky phishing email sent from late 2023 to early 2024. Source: FBI/NSA

This is what DMARC is designed to prevent. It combines two authentication mechanisms: the Sender Policy Framework (SPF), which checks that a sender's IP address is authorized to send emails from their specified domain, and DomainKeys Identified Mail (DKIM), which uses public key cryptography for anti-tampering. Domain owners can set a DMARC record in their domain name system (DNS) settings to determine what happens should an email-en-route fail one of these checks: either block it (p=reject), treat it with suspicion (p=quarantine), or do nothing (p=none).

The FBI-NSA joint advisory suggests organizations favor p=reject or p=quarantine to prevent threat actors like Kimsuky from sending emails from their domains.

"DMARC hygiene is critical," says Jeremy Fuchs, Harmony Email analyst at Check Point. "It's a fantastic way to ensure that when someone gets an email from your company, it’s actually from your company. It can be a big project, though, to ensure p=reject state, especially when you have many domains. This is why reporting, monitoring, and consistent hygiene is key.

"DMARC is not a silver bullet, as hackers have plenty of ways to spoof, but it can be a good starting point."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading