In an attack vector that's been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims.

Source: Ronstik via Alamy Stock Photo

An active, one-click phishing campaign is targeting the X accounts of high-profile individuals — including journalists, political figures, and even an X employee — to hijack and exploit them to commit cryptocurrency fraud.

Researchers at SentinelLabs uncovered the campaign, which they said appears to be most prominent on X but is not limited to a single social media platform, they revealed in a recent blog post. The goal of attackers is ultimately to use the potential reach of the high-impact accounts — which also include technology and cryptocurrency organizations as well as owners of accounts with valuable, short usernames — to target people with crypto scams for financial gain, the researchers said.

"Once an account is taken over, the attacker swiftly locks out the legitimate owner and begins posting fraudulent cryptocurrency opportunities or links to external sites designed to lure additional targets, often with a crypto theft-related theme," SentinelLabs threat researchers Tom Hegel, Jim Walter, and Alex Delamotte wrote in the post.

Ultimately, this compromise of high-profile accounts — a tactic used before by cybercriminals, most notably in targeting celebrity Twitter accounts in 2020 — enables the attacker to reach a broader audience of potential secondary victims, maximizing their financial gains, the researchers noted.

Related:Can AI & the Cyber Trust Mark Rebuild Endpoint Confidence?

Indeed, the campaign is also similar to one uncovered last year that compromised the Linux Tech Tips X account along with other high-profile users. The researchers discovered related infrastructure and similar phishing messages used in both campaigns, evidence that suggests the same threat actor is behind both, they said. However, at this time it's not known from which region of the world the actor hails, or who might be behind the campaign.

**Classic Fake Crypto Lures & Adaptable Infrastructure**

SentinelLabs observed a variety of phishing lures being used in the campaign, including a "classic account login notice" that targets people with an email informing them that someone logged into their account from a new device. The email includes a link suggesting they "take steps to protect" their account which actually leads to a site that phishes X credentials, according to the post.

Other email-based lures use copyright-violation themes to get users to click on a phishing page that ask them to enter their X credentials. In recent cases, the phishing page to which victims were redirected abused Google’s “AMP Cache” domain cdn.ampproject\[.\]org to evade common email detections, according to SentinelLabs.

Related:PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

Infrastructure used in the account suggests that the actor behind the campaign is "highly adaptable, continuously exploring new techniques while maintaining a clear financial motive," the researchers wrote.

Recent activity used the domain securelogins-x\[.\]com to deliver emails and x-recoverysupport\[.\]com to host phishing pages. As "any of these domains can be considered email delivery or phishing-page hosting," the activity indicates "a level of informality and flexibility of infrastructure use," the researchers observed.

Attackers also hosted a flurry of recent activity on an IP associated with a Belize-based VPS service called Dataclub. The domains associated with the campaign have been predominantly registered through Turkish hosting provider Turkticaret, but this alone is not enough to confirm that the attackers are from Turkey, the researchers added.

**Protect Your Corporate Social Accounts**

High-profile X accounts are often targets for threat actors because controlling them can help them reach a wider audience with fraudulent activity. Often this activity involves crypto scams aimed at financial fraud, such as a case last year in which security firm Mandiant temporarily lost control of its X account to cryptocurrency drainer malware operators.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

"The cryptocurrency landscape offers financially-motivated threat actors multiple opportunities for profit and fraud," the researchers noted in the post. "While marketing for coins and tokens has long been irreverent and meme-driven, recent developments have further blurred the line between legitimate projects and scams."

To protect an X account, the researchers recommended the obvious: users should maintain good password hygiene by using a unique password, enabling two-factor authentication (2FA), and avoiding credential sharing with third-party services.

People also should be especially wary of messages containing links to account alerts or security notices, and always verify URLs before clicking on them. If their accounts do need a password reset for security purposes, these should be initiated only directly through the official website or app rather than relying on unsolicited links, the researchers advised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

1-Click Phishing Campaign Targets High-Profile X Accounts

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and Informa

**TechTarget and Informa Tech’s Digital Business Combine.**

Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.

*   Home
*   Events
*   Black Hat USA

Black Hat USA

Aug 2, 2025 TO Aug 7, 2025

|

Mandalay Bay Convention Center, Las Vegas, USA

Ready to level up your cybersecurity knowledge? Join us at the industry’s top cybersecurity event, where professionals and hackers of all levels gather to learn the latest risks, research, and trends in information security. Black Hat USA features top cybersecurity experts from across the globe, delivering their cutting-edge work and discoveries in a welcoming, vendor-neutral atmosphere. Don't miss out on this must-attend event!

**Editor's Choice**

Reports

*   The State of Firewall Security: Challenges, Risks, and Solutions for Modern Networks
    
    Jan 10, 2025
*   Industrial Networks in the Age of Digitalization
    
    Jan 6, 2025
*   Zero-Trust Adoption Driven by Data Protection, Cloud Access Control, and Regulatory Compliance Requirements
    
    Jan 6, 2025
*   Threat Hunting's Evolution: From On-Premises to the Cloud
    
    Jan 6, 2025
*   How Enterprises Secure Their Applications
    
    Jan 6, 2025

Webinars

*   Uncovering Threats to Your Mainframe & How to Keep Host Access Secure
    
    Feb 13, 2025
*   Securing the Remote Workforce
    
    Feb 20, 2025
*   Emerging Technologies and Their Impact on CISO Strategies
    
    Feb 25, 2025
*   How CISOs Navigate the Regulatory and Compliance Maze
    
    Feb 26, 2025
*   Where Does Outsourcing Make Sense for Your Organization?
    
    Feb 27, 2025

White Papers

*   Driving the Future of Work Through Enterprise-Wide SASE
    
*   4 Best Practices for Hybrid Security Policy Management
    
*   Social Engineering: New Tricks, New Threats, New Defenses
    
*   Understanding Social Engineering Attacks and What To Do About Them
    
*   Solution Brief: Introducing the runZero Platform
    

Events

*   Black Hat USA - August 2-7 - Learn More
    
    Aug 2, 2025
*   Black Hat Asia - April 1-4 - Learn More
    
    Apr 1, 2025
*   Cybersecurity's Most Promising New and Emerging Technologies
    
    Mar 20, 2025

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Black Hat USA

By integrating security into CI/CD, applying automated policies, and supporting developers with the right processes and tools, infosec teams can increase efficiency and build secure software.

Remi Yazigi, Information Security Engineer, Cisco Systems

February 3, 2025

4 Min Read

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

As cyber threats grow more sophisticated, organizations must prioritize secure software development practices. Vulnerability management is a critical aspect of this, but its success depends on clear ownership and collaboration between information security and engineering teams. By shifting left and embedding vulnerability management into the development life cycle, organizations can empower engineering teams to deliver secure code efficiently. Here's how infosec teams can drive this transformation.

**Shifting Left: The Key to Proactive Security**

Traditional vulnerability management approaches often focus on addressing issues post-deployment. This reactive strategy slows development and increases the risk of exposure. Shifting left means identifying and remediating vulnerabilities earlier in the development process, during the build phase, or even before code reaches the repository. This early action reduces cost and effort while improving the quality of the codebase.

By integrating vulnerability scanning tools like Trivy into continuous integration and continuous delivery (CI/CD) pipelines, infosec teams can block builds that introduce known vulnerabilities. Tools like these, with seamless integration with GitHub Actions (GHA) and Jenkins, provide immediate feedback to developers. When vulnerabilities are identified, engineers can address them without disrupting the workflow. This approach not only enhances security but also fosters a culture of accountability and ownership among developers.

**Applying Policies for Image Promotion**

One of the most effective ways to enforce security practices is through automated policies for container image promotion. For example:

1.  Base images: Ensure that development teams use only approved base images vetted by information security. These images should be regularly updated to incorporate security patches and align with organizational standards.
    
2.  Docker registries: Restrict usage to trusted and approved registries, reducing the risk of introducing malicious or outdated images. Approved registries should provide regular scans and metadata to verify image integrity.
    
3.  Image scanning: Automate the scanning process for all container images before they are promoted to staging or production environments. By applying strict vulnerability gates, organizations can ensure only secure images progress through the pipeline. Coupled with regular rescanning of images in production, this practice maintains security over time.
    

**Handling Exceptions Transparently**

No vulnerability management strategy is complete without a robust mechanism for handling exceptions. infosec teams should provide engineering teams with a clear process to request and manage exceptions when immediate fixes are not feasible. This includes:

*   Time-bound exceptions: Set expiry dates for exceptions to ensure vulnerabilities are addressed within a reasonable time frame. Expired exceptions should trigger reminders and escalate unresolved issues.
    
*   Approval workflow: Establish an approval workflow that involves both engineering and infosec stakeholders. Collaboration ensures balanced decisions that consider security and business needs.
    
*   Documentation: Require detailed justifications for exceptions, including mitigation strategies, impact assessments, and follow-up plans. Documentation enables transparency and ensures accountability for all stakeholders.
    

By managing exceptions transparently, organizations can balance security requirements with operational realities while maintaining accountability. This process also offers an opportunity for continuous improvement by identifying recurring vulnerabilities or patterns requiring systemic fixes.

**Building a Collaborative Framework**

For vulnerability management to succeed, infosec and engineering teams must work in harmony. Information security teams can support engineering teams by:

1.  Providing tools and training: Offer developers access to easy-to-use security tools and training on secure coding practices. This training should emphasize real-world examples.
    
2.  Defining clear policies: Develop and document policies that align with engineering workflows, ensuring that security requirements are achievable without disrupting productivity. Regularly review these policies to adapt to evolving threats and technologies.
    
3.  Creating feedback loops: Establish feedback mechanisms to address false positives, improve tool configurations, and enhance the developer experience. Prompt feedback helps developers focus on genuine risks and encourages compliance with security measures.
    
4.  Encouraging shared metrics: Track shared security metrics that matter to both teams, such as vulnerability closure rates and build success rates. Shared goals foster collaboration and build a sense of collective responsibility.
    

**Leveraging Automation and Metrics**

Automation plays a pivotal role in ensuring the scalability and reliability of vulnerability management processes. Integrating tools for automated scanning, ticket generation, and remediation tracking saves time and reduces human error. Meanwhile, metrics such as mean time to resolution (MTTR) and the number of vulnerabilities detected per build provide valuable insights into program effectiveness and areas for improvement.

**The Path Forward**

Empowering engineering teams with ownership of vulnerability management is a cultural shift that requires effort and collaboration. By integrating security into the CI/CD pipeline, applying automated policies, and supporting developers with clear processes and tools, infosec teams can drive efficiency and foster a shared commitment to building secure software.

Organizations that embrace this approach will not only reduce risk but also enhance their ability to deliver secure and reliable applications at scale. The time to shift left is now. Success requires a proactive mindset, the right tools, and above all, a strong partnership between infosec and engineering teams.

**About the Author**

Information Security Engineer, Cisco Systems

Remi Yazigi is information security engineer for Cisco Systems. He has extensive experience in cloud and container vulnerability management, specializing in automation to enhance security workflows. He holds two master’s degrees in computer engineering and cybersecurity and forensics. He joined ThousandEyes in London in 2018 and moved to the US in 2022 after Cisco Systems acquired ThousandEyes in 2020. There, he lead efforts to improve vulnerability detection and remediation. Prior to that, he worked in France as a cybersecurity consultant, focusing on securing industrial systems, including projects such as Ariane 5 space rocket and SECOIA. He is passionate about empowering engineering teams to take ownership of security processes, ensuring resilient and secure infrastructures. His expertise lies in creating scalable, efficient solutions that address modern security challenges.

Proactive Vulnerability Management for Engineering Success

Now we know exactly how DeepSeek was designed to work, and we may even have a clue toward its highly publicized scandal with OpenAI.

Source: mundissima via Alamy Stock Photo

Researchers have tricked DeepSeek, the Chinese generative AI (GenAI) that debuted earlier this month to a whirlwind of publicity and user adoption, into revealing the instructions that define how it operates.

DeepSeek, the new "it girl" in GenAI, was trained at a fractional cost of existing offerings, and as such has sparked competitive alarm across Silicon Valley. This has led to claims of intellectual property theft from OpenAI, and the loss of billions in market cap for AI chipmaker Nvidia. Naturally, security researchers have begun scrutinizing DeepSeek as well, analyzing if what's under the hood is beneficent or evil, or a mix of both. And analysts at Wallarm just made significant progress on this front by jailbreaking it.

In the process, they revealed its entire system prompt, i.e., a hidden set of instructions, written in plain language, that dictates the behavior and limitations of an AI system. They also may have induced DeepSeek to admit to rumors that it was trained using technology developed by OpenAI.

**DeepSeek's System Prompt**

Wallarm informed DeepSeek about its jailbreak, and DeepSeek has since fixed the issue. For fear that the same tricks might work against other popular large language models (LLMs), however, the researchers have chosen to keep the technical details under wraps.

Related:Code-Scanning Tool's License at Heart of Security Breakup

"It definitely required some coding, but it's not like an exploit where you send a bunch of binary data \[in the form of a\] virus, and then it's hacked," explains Ivan Novikov, CEO of Wallarm. "Essentially, we kind of convinced the model to respond \[to prompts with certain biases\], and because of that, the model breaks some kinds of internal controls."

By breaking its controls, the researchers were able to extract DeepSeek's entire system prompt, word for word. And for a sense of how its character compares to other popular models, it fed that text into OpenAI's GPT-4o and asked it to do a comparison. Overall, GPT-4o claimed to be less restrictive and more creative when it comes to potentially sensitive content.

"OpenAI's prompt allows more critical thinking, open discussion, and nuanced debate while still ensuring user safety," the chatbot claimed, where "DeepSeek’s prompt is likely more rigid, avoids controversial discussions, and emphasizes neutrality to the point of censorship."

While the researchers were poking around in its kishkes, they also came across one other interesting discovery. In its jailbroken state, the model seemed to indicate that it may have received transferred knowledge from OpenAI models. The researchers made note of this finding, but stopped short of labeling it any kind of proof of IP theft.

Related:OAuth Flaw Exposed Millions of Airline Users to Account Takeovers

"\[We were\] not retraining or poisoning its answers — this is what we got from a very plain response after the jailbreak. However, the fact of the jailbreak itself doesn't definitely give us enough of an indication that it's ground truth," Novikov cautions. This subject has been particularly sensitive ever since Jan. 29, when OpenAI — which trained its models on unlicensed, copyrighted data from around the Web — made the aforementioned claim that DeepSeek used OpenAI technology to train its own models without permission.

Source: Wallarm

**DeepSeek's Week to Remember**

DeepSeek has had a whirlwind ride since its worldwide release on Jan. 15. In two weeks on the market, it reached 2 million downloads. Its popularity, capabilities, and low cost of development triggered a conniption in Silicon Valley, and panic on Wall Street. It contributed to a 3.4% drop in the Nasdaq Composite on Jan. 27, led by a $600 billion wipeout in Nvidia stock — the largest single-day decline for any company in market history.

Then, right on cue, given its suddenly high profile, DeepSeek suffered a wave of distributed denial of service (DDoS) traffic. Chinese cybersecurity firm XLab found that the attacks began back on Jan. 3, and originated from thousands of IP addresses spread across the US, Singapore, the Netherlands, Germany, and China itself. 

Related:Spectral Capital Files Quantum Cybersecurity Patent

An anonymous expert told the Global Times when they began that "at first, the attacks were SSDP and NTP reflection amplification attacks. On Tuesday, a large number of HTTP proxy attacks were added. Then early this morning, botnets were observed to have joined the fray. This means that the attacks on DeepSeek have been escalating, with an increasing variety of methods, making defense increasingly difficult and the security challenges faced by DeepSeek more severe."

To stem the tide, the company put a temporary hold on new accounts registered without a Chinese phone number.

On Jan. 28, while fending off cyberattacks, the company released an upgraded Pro version of its AI model. The following day, Wiz researchers discovered a DeepSeek database exposing chat histories, secret keys, application programming interface (API) secrets, and more on the open Web.

Elsewhere on Jan. 31, Enkyrpt AI published findings that reveal deeper, meaningful issues with DeepSeek's outputs. Following its testing, it deemed the Chinese chatbot three times more biased than Claud-3 Opus, four times more toxic than GPT-4o, and 11 times as likely to generate harmful outputs as OpenAI's O1. It's also more inclined than most to generate insecure code, and produce dangerous information pertaining to chemical, biological, radiological, and nuclear agents.

Yet despite its shortcomings, "It's an engineering marvel to me, personally," says Sahil Agarwal, CEO of Enkrypt AI. "I think the fact that it's open source also speaks highly. They want the community to contribute, and be able to utilize these innovations. I think that's why a lot of closed-source model providers are sort of scared."

He adds, too, that "there are other models that are worse than DeepSeek. It's just that DeepSeek is so much in the news, so it has a lot of eyes on it."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

DeepSeek Jailbreak Reveals Its Entire System Prompt

Check out all the highlights from Black Hat USA 2024 at the Mandalay Bay in Las Vegas.
#cybersecurity #infosec #blackhat

Black Hat USA returns to the Mandalay Bay Convention Center in Las Vegas with a 6-day program. The 2025 event will open with four days of specialized cybersecurity Trainings (August 2-5), with courses for all skill levels. Also taking place during Black Hat USA is Summit Day on Tuesday, August 5, followed by the two-day main conference on August 6 & 7 featuring more than 100 selected Briefings, dozens of open-source tool demos in Arsenal, a robust Business Hall, networking and social events, and much more. View Pass Options »

Black Hat USA 2024 Highlights

The CHC remains operational, but a host of personal data is now in the hands of a "skilled cybercriminal," it said.

Source: Panther Media via Alamy Stock Photo

NEWS BRIEF

Nonprofit healthcare provider Community Health Center (CHC) has begun notifying more than a million patients of a breach that compromised its data.

This is the third healthcare institution to be targeted in the past week. Frederick Health and the New York Blood Center Enterprises were both targeted in separate ransomware attacks that it alerted the public to on Jan. 27 and Jan. 29, respectively. 

It remains unclear who is behind the heists, and whether there is any connection between the attacks.

In a letter to victims from CHC, it reports that it noticed unusual activity on its computer systems on Jan. 2. It then launched an investigation and bolstered its security systems alongside cybersecurity experts. The investigation determined that a "skilled criminal hacker" was able to gain access to its systems and steal data, including some of the personal information of its patients. That includes names, dates of birth, addresses, phone numbers, emails, diagnoses, treatment details, test results, Social Security numbers, and health insurance information.

"Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal's activity did not affect our daily operations," the CHC wrote in its letter. "We believe we stopped the criminal hacker's access within hours, and that there is no current threat to our systems."

"Incidents in this sector underscore the ongoing risks healthcare providers face, with attackers gaining access to sensitive data like names, medical diagnoses, and insurance details," Emily Phelps, director of Cyware, wrote in an emailed statement to Dark Reading. "This incident highlights the urgency of securing healthcare infrastructures — protecting not just patient data, but the broader ecosystem of communication, collaboration, and care delivery."

Though there is currently no sign that the information was misused, the CHC is offering free identity theft protection through IDX including two years of credit and CyberScan monitoring, $1,000,000 insurance reimbursement policy, and assistance recovering stolen identities. 

The letter provides additional information regarding how customers can sign up for IDX protection services, which the CHC urges individuals to take advantage of, even if there is no current sign of foul play regarding their stolen information, as it remains unclear what the threat actor intends to do with the stolen data.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Community Health Center Data Breach Affects 1M Patients

The "Cracked" and "Nulled" Dark Web sites are now offline, along with the Pakistani "Saim Raza" network of underground forums (aka HeartSender).

Source: Britpix via Alamy Stock Photo

The US Department of Justice Department (DoJ) has partnered with international law enforcement to crack down on Dark Web cybercrime forums, with a pair of operations that disrupted underground markets linked to attacks on millions of victims globally. It's unclear what the long-term effects of the efforts will be, however.

In the first action, the DoJ, in coordination with the Dutch National Police, seized 39 domains operated by a Pakistani group known as Saim Raza (aka HeartSender).

According to a DoJ announcement on Jan. 31, Saim Raza has been operating since 2020, slinging phishing kits and fraud tools to the highest bidder across a network of underground sites. The cybercriminals buying the tools are responsible for global business email compromise (BEC) attacks and other nefarious scams, including against victims in the US who were collectively swindled out of $3 million.

"Not only did Saim Raza make these tools widely available on the open Internet, it also trained end users on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise," the agency said in its announcement. "The group also advertised its tools as 'fully undetectable' by antispam software."

Related:7 Tips for Strategically Saying 'No' in Cybersecurity

**"Cracked" & "Nulled" Dark Web Markets Are … Cracked & Nulled**

In a separate action, the DoJ participated in "Operation Talent," a Europol-backed international operation that disrupted the Cracked and Nulled Dark Web marketplaces. Together, the forums have been linked to cybercrimes against at least 17 million US victims.

According to the DoJ, the Cracked marketplace emerged in 2018, boasted 4 million users, made $4 million in revenue, and hosted more than 28 million cybercrime ads over the course of its reign.

Reflective of its name, one service on offer on the Cracked forum gave users a password search tool to find stolen credentials for millions of accounts and services. In one case, a stalker allegedly sextorted and harassed a woman in the Buffalo, NY, area after using the service to break into one of her accounts and access sensitive materials.

The Nulled website domain seizure meanwhile came in tandem with the unsealing of charges against one of its administrators, Lucas Sohn, an Argentinian national living in Spain. Nulled had been around since 2016, had 5 million users, raked in $1 million per year, and listed more than 43 million ads.

Nulled specialized in selling stolen login credentials, stolen identification documents, and hacking tools, according to the DoJ. If convicted, Sohn faces a maximum penalty of five years in prison for conspiracy to traffic in passwords, 10 years in prison for access device fraud, and 15 years in prison for identity fraud.

Related:IT-Harvest Launches HarvestIQ.ai

**Law Enforcement Takedowns: Do They Deter Cybercrime?**

The actions are just the latest in a flurry of efforts by US law enforcement to take down the infrastructure that powers cybercrime.

Just last week for example, the DoJ announced a partial disruption of North Korea's tech worker scam efforts. And in January, it wrapped up an eradication effort against the notorious PlugX malware. Other recent operations have included arresting actors behind the LockBit ransomware gang and teenaged members of Scattered Spider.

However, law-enforcement disruptions can be a game of whack-a-mole, with new threats popping up, or old ones re-emerging or taking a different shape, in the wake of takedowns. For instance, just two weeks after the DoJ shuttered the infamous BreachForums cybercrime forum last May, it sprang back to life with listings for Ticketmaster breach data. Fast forward several months, and the site is back to enjoying high-traffic status, with cybercriminals using it as a go-to for offering data breach information for sale.

Related:MITRE's Latest ATT&CK Simulations Tackle Cloud Defenses

"Arrests can cause actors to move away from a code base or campaigns that were formerly a notable threat," explains Ken Dunham, cyber threat director at Qualys Threat Research Unit. "In other situations, actors adapt, like cockroaches that simply move to another room when you move the couch, when pressure is applied, taking on new codes and tactics to further nefarious means and motives."

It's important to offer a full-court press against the most virulent threats to have even a scintilla of hope to root them out entirely, according to Derek Manky, global vice president of threat intelligence at Fortinet.

"Turning the tide against cybercrime necessitates a culture of collaboration, transparency, and accountability on a larger scale," he explains. "No single organization can effectively stop cybercrime alone. Public-private partnerships can influence the disruption of large-scale cybercrime activities, leading to a safer, more resilient society. Every organization has a place in the chain of disruption against cyberthreats."

Taken on their own though, it's useful to think of the disruption efforts as an important thorn in cybercriminals' sides, at the very least.

"Historically attackers can more easily obtain information and tools than defenders, giving them a perpetual advantage," Evan Dornbush, former National Security Agency (NSA) cybersecurity expert, said in an emailed statement. "Actions like this make it more expensive for cyber criminals to operate, and ultimately this is a good thing. Lesser players who rely on purchasing tools and network access from these two marketplaces won't be able to get started, raising the barrier to entry for their criminal enterprise aspirations."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DoJ Shutters Cybercrime Forums Behind Attacks on 17M Americans

Regulators are ready to enforce new state data privacy laws. Here's how experts say organizations can stay compliant and avoid penalties.

Source: EThamPhoto via Alamy Stock Photo

If you get a call from John Eakins at the Delaware Attorney General's office, you've already filed a data breach notice with the state, so you know there's a problem. What information security teams do next could mean the difference between getting slapped with a hefty fine or getting off with a warning, along with your reputation intact.

Delaware Deputy Attorney General Eakins is in charge of enforcing the new state regulations under the Delaware Personal Data Privacy Act (DPDPA), first passed by lawmakers in 2023 and just coming into effect on Jan. 1. He says organizations operating in Delaware should expect a call from his office after reporting a major breach. Then he is going to want to drill down on two specific criteria: the harm caused and whether it can be fixed.

"They should expect to be asked to provide information about the breach, an assessment of the harm caused, and the sensitivity of the data that was breached," Eakins tells Dark Reading. But that doesn't necessarily mean enforcement is imminent, he adds. Companies are offered what's known as a "right to cure," in Delaware along with many other states, meaning if the error that led to the breach can get fixed within a range of 30 to 60 days, the company won't be penalized.

That's where it becomes critical for organizations and their data security teams to have a "story to tell," according to Andreas Kaltsounis, an attorney and partner with BakerHostetler, who works with data privacy regulators on behalf of clients.

**State Privacy Laws, Enforcement on the Rise**

Twenty states, including Delaware, have passed data privacy regulations as of 2025, but these new laws aren't really necessary for states to levy penalties for data breaches, Kaltsounis points out. Federal law could be used in many of these instances, half the states already have information security requirements on the books, and nearly all the states have some form of an "unfair, deceptive, and abusive practices" (UDAP) law, which could also be used as enforcement mechanisms for many data breach instances, he adds.

What new privacy legislation has done for regulators isn't so much putting rules on the books — it's allocating more money toward enforcing lax data privacy among organizations, including money to hire in-house expertise. Pair that with federal deregulation under the Trump administration, and states are in a prime position to fill the gap.

Each state is picking its own lane.

Texas, for its part, is going after connected car data, filing suit against General Motors and, more recently, insurance company Allstate for collecting consumer data without complying with the new Texas Data Privacy Act (TDPSA). The Texas AG alleges the insurer was paying developers of other apps, including Life360, to incorporate secret embedded software to collect cell phone location data on Texans and then use that information to justify insurance rate hikes.

New York Attorney General Letitia James also recently fined companies, including one distributing a line of insecure home security video systems ($450,000), GEICO and Travelers insurance companies for failing to protect data ($11.3 million), and Capital Regions healthcare provider ($2.25 million) for failing to protect medical data. In December, New York Gov. Kathy Hochul expanded the AG's oversight of the cybersecurity of financial services. New York's primary enforcement efforts have been trained on the sizable financial services companies operating in its jurisdiction.

Delaware will be focused on the abuse of geolocational data and the data security of emerging artificial intelligence (AI) technologies, Delaware's deputy AG Eakins says.

Despite the flurry of press releases, consumer advocates like the Electronic Frontier Foundation's associate director of legislative advocacy, Hayley Tsukayama, say every state should be doing much more to protect consumer data. Tsukayama points to business-friendly loopholes like the "right to cure" offered by regulators, including those in Delaware, as a "get out of jail free card," and would like to see more pressure on companies to protect sensitive data before it's too late.

The Electronic Privacy Information Center (EPIC) is likewise unimpressed overall with state efforts on data privacy. In its recent "State of the Privacy" report, EPIC said new state laws, "...fail to protect consumers." Of the 19 states that have passed consumer privacy legislation packages, nearly half got F grades from EPIC; only California got a B, and no state received an A.

Chronic underfunding has bogged down enforcement efforts, Tsukayama says. But that's all about to change.

Delaware deputy AG Eakins said his office received a boost in funding along with the DPDPA and his office now has a full-time computer scientist to help lend expertise to their investigations. Many other states have followed suit, allocating bigger budgets for data privacy oversight along with new compliance requirements.

**Get Your Data Privacy Story Right, Now**

Attorney Kaltsounis says regulators are busy; in his experience, organizations with a compelling "story to tell" are going to be far better positioned to avoid penalties. That means being able to demonstrate how the organization was taking information security seriously well before the breach. He recommends a good old-fashioned data audit, purging anything sitting on an old server that isn't needed anymore. Then organizations need to double down on collecting only the data they absolutely need for the shortest period of time possible.

"They both need to be done," Kaltsounis advises.

Enterprises should treat this new regulatory environment at the state level as an opportunity to incorporate data privacy as a foundational principle of the business, according to Ryan Edge, director of strategy, privacy, and data governance with OneTrust, a data privacy services provider.

"One thing is for sure — data privacy is not going away," Edge says. "There are more than a dozen US state privacy laws in effect today. It can seem daunting, but it doesn't need to be. Companies don't have to reinvent the wheel for each law. By operationalizing data privacy, they can see benefits beyond compliance, like minimizing risk, driving data quality, and building trust with consumers."

Organizations should develop a strategy that includes data mapping, privacy impact assessments, and privacy engineering to understand how data is being used. This would help define policies such as how long data is kept, how it is protected, and how it is disposed when no longer needed.

When it comes to how the Delaware AG's office will determine where data privacy penalties are appropriate, Eakins says the state's $52 million settlement reached with Marriott for the company's lack of "providing reasonable security" is a strong starting framework. Baseline technical requirements established out of the multistate Marriott settlement include having a comprehensive information security program in place, minimizing the amount of data collected with disposal requirements and supply chain oversight. That's a good place for organizations to start.

Moving forward, Kaltsounis expects to see a "friendly competition" emerge among states to demonstrate the strongest data protection stance on behalf of their citizens. Staffed-up offices of state regulators armed with a mandate and fresh budgets are likely to start becoming a standard fixture in the aftermath of a data breach.

When they call, what story will you have to tell them?

State Data Privacy Regulators Are Coming. What Story Will You Tell Them?

The deal, expected to close this quarter, will give Tenable One Exposure Management much-needed integration with over 100 third-party security tools and platforms.

Source: Maxiphoto via iStock Photo

Tenable is poised to fill significant gaps in its exposure management platform with its agreement to acquire Vulcan Cyber.

Tenable said it was the first vendor to add exposure management to its vulnerability management platform when it launched the Tenable One Exposure Management Platform in 2022. However, Tenable's exposure management has lacked the ability to share telemetry with IT and security tools from other vendors. This is where Vulcan Cyber's exposure management offering, which can integrate with more than 100 third-party security tools, can make a difference for Tenable.

"This will give organizations the ability to have insights across the attack surface, not just what you point at Tenable but also that third-party data," says Tenable senior VP of products Jason Merrick. "At the end of the day, our focus here is helping organizations move as they're progressing from vulnerability management to exposure management and then gaining that context where they can make better decisions."

**Adding Exposure Management to Vulnerability Management**

Unlike vulnerability management offerings that are designed to discover, assess, prioritize, and mitigate threats in IT assets, exposure management considers an organization's cybersecurity posture and performs risk assessment.

Several Tenable rivals also offer exposure management as part of their product portfolios. For example, CrowdStrike added Exposure Management to its Falcon XDR platform in 2023, and Microsoft recently added exposure management to Microsoft Defender, which notably includes third-party connectors. On the same day Tenable announced its Vulcan Cyber plans, exposure management platform provider CYE acquired Solvo.

Omdia analyst Andrew Braunberg believes Vulcan Cyber will bring needed features to Tenable One that its rivals are now touting.

"While Tenable has been talking about exposure management for as long as anyone, it still often has the feel of an old legacy vulnerability management company," Braunberg says. "Vulcan has always seen exposure management as where the market was headed and has taken an impressively open approach to pulling in asset and exposure data and working to broadly support remediation, orchestration, and automation."

Tenable's Merrick acknowledges that Microsoft's licensing model with its M365 E3 and E5 plans give Microsoft an advantage.

"They can throw a lot of free stuff at this, and there are many organizations that are Microsoft-only shops," he says. "CrowdStrike, too, is growing and expanding. But I also think that this is an opportunity for Tenable to differentiate, to continue being that source of truth, to provide better analytic capability, and to tie these things together. Because at the end of the day, this forces us, from a product standpoint, to continue to innovate and deliver new capabilities."

Organizations are only beginning to expand their focus on vulnerability management to include exposure management, Merrick adds.

"I think we're in the first inning of exposure management," he says. "More and more, organizations are starting to talk about this."

The deal, announced on Wednesday, calls for Tenable to pay $147 million in cash and $3 million in restricted stock to Vulcan Cyber. While Merrick is unable to discuss specific integration plans before the deal closes, which the company anticipates will take place this quarter, the 100-plus connectors to third-party systems were a key impetus for the deal.

"We have always been envisioning being able to ingest third-party data into our exposure management platform like we've done with our vulnerability management solution," he says. "We've already built the data model specifically to accept and bring in third-party data. So we want to be able to go and fast-track that. Once we close, this is going to be the big focus for us in 2025."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Source

DARKReading