A threat you've never heard of is using double extortion attacks on mom-and-pop shops around the globe.

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web.

Since at least April 2022, 8base — not to be confused with the Florida-based software company of the same name — has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organizations on the cyber underground.

It didn't end there. "We've been keeping an eye on what they're doing, and this month they're busy again," says Matt Hull, global head of threat intelligence at NCC Group. 8base has already doxxed 29 new businesses this month.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. According to data scraped from their leak site, those victims include a British cleaning company, a sanitation company in Egypt, a private school in a Boston suburb, and a CPA in New York, among others of a similar profile.

The victims span science and technology, manufacturing, retail, construction, healthcare, and more. They're wisely distributed geographically as well: a shipping company in India, a Peruvian gift basket company, and a corrugated cardboard manufacturer in Madagascar. The majority, however, are focused in North America — around a third of the total — and South America. A dozen victims in both May and June were based in Brazil, in line with a recent wave of Brazilian cyberattacks more generally.

**How 8base Conducts Its Business**

With little yet known about 8base (it's part of a wave of ransomware newbies entering the market), one aspect of the group that is very clear is their preferred mode of operation. In a terms-of-service section of their leak site (see graphic), the group laid out 13 rules for their victims and themselves, written in ersatz legalese: "Participation of police departments is prohibited," and "Personal data will not be shared with third parties by the team."

    

Source: Hackmanac

Whether the gang is as honest as it would like you to think is another matter. On the About Us page, the hackers perfidiously claim, "We are honest and simple pentesters," adding that "this list contains only those companies that have neglected the privacy and importance of the data of their employees and customers."

NCC's Hull says 8base is not the first group to operate like this. "I think it's a result of the successes that other groups are having with these types of tactics," he notes.

Though 8base isn't breaking any new ground, actually defending against their tried-and-true methods is another matter.

"Budgets are tight, particularly for the smaller organizations. These organizations aren't going to be able to pay for a SOC or other advanced detection capabilities," Hull notes. "The main thing that anyone can do, whether it's an individual or small business, is get the fundamentals right." He points to password hygiene, multifactor authentication, and social engineering awareness as three simple changes small businesses can make to better their security without breaking the bank.

"Getting a hold of the basics goes a long way," he adds.

Emerging Ransomware Group 8Base Doxxes SMBs Globally

The emerging cyber-threat group is unusually persistent and nimble, bypassing MFA, stealing data, and using compromised environments for downstream customer attacks.

A new, unusually dogged threat group dubbed "Muddled Libra" by threat researchers is targeting large outsourcing firms with multi-layered, persistent attacks that start with smishing and end with data theft. The group is also using the infrastructure that it compromises in downstream attacks on victims' customers.

The threat group has been attributed to more than half a dozen interrelated incidents from mid-2022 and early 2023, and makes use of the previously reported Oktapus phishing kit as initial entry into its attacks, researchers from Palo Alto Networks Unit 42 said in a report released today.

From there, the group — which has "an intimate knowledge of enterprise information technology" — maintains non-destructive persistence on a target organization's system until it achieves its goals, which typically are the exfiltration of data and the use of this data and the compromised system to conduct further attacks, Unit 42 researchers Kristopher Russo, Austin Dever, and Amer Elsad, said.

"Muddled Libra has shown a penchant for targeting a victim's downstream customers using stolen data and, if allowed, they will return repeatedly to the well to refresh their stolen data set," they wrote. "Using this stolen data, the threat actor has the ability to return to prior victims even after initial incident response."

Indeed, the group doesn't just capitalize on opportunistic access to targets but has clear goals for breaches, seeking out and then stealing information on an organization's clients that can then be used it to pivot into those environments, the researchers said.

**Muddled Libra: A Targeted & Tenacious Cyberthreat**

Researchers have observed the group targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals but added that Muddled Libra also poses a substantial threat to organizations in the software automation, business process outsourcing, telecommunications, and technology industries.

Though it's not bringing "anything new to the table" in terms of malware or tactics, the group is particularly dangerous for a couple of key reasons, the researchers said. The threat actors are both methodical and flexible in their attack technique, able to pivot to another vector or even modify an environment to allow for their favored attack path.

Muddled Libra also shows proficiency in a range of security disciplines and can thrive and execute "devastating" attack chains rapidly, even in environments that organizations have adequately secured by most standards, the researchers noted.

Further, the group is unusually tenacious even after discovery, repeatedly demonstrating "a strong understanding of the modern incident response (IR) framework," that allows them to keep going even once they face attempted network expulsion, the researchers wrote. "Once established, this threat group is difficult to eradicate," they said.

**Oktapus Phishing, a Typical Cyberattack Vector**

The group's attacks typically start with reconnaissance to create profiles of targets, followed by the development of resources — such as setting up lookalike phishing domains and the deployment of the Oktapus phishing kit.

These resources eventually lead to a smishing attack that sends a lure message directly to the targeted employees' mobile phones. The message claims the need to update account information or re-authenticate to a corporate application and includes a link that emulates a familiar corporate log-in page.

One of the attackers then employs social engineering in conversation with the employee to gain access to the network, capturing credentials to be used for initial access and navigating multifactor authentication (MFA), either by asking for a code or generating an endless string of MFA prompts until the user accepts one out of fatigue or frustration, in a tactic known as MFA bombing.

Once establishing a network foothold, Muddled Libra moves quickly to elevate access using standard credential-stealing tools such as Mimikatz, ProcDump, DCSync, Raccoon Stealer, and LAPSToolkit. If the group can't quickly locate elevated credentials, it turns to Impacket, MIT Kerberos Ticket Manager, and NTLM Encoder/Decoder, the researchers said.

Muddled Libra also deploys at least a half dozen free or demo versions of remote monitoring and management (RMM) tools — which are legitimately used within organizations and thus won't arouse suspicion — once it gains access to an environment. This ensures that even if their activities are discovered, they can maintain a backdoor into the environment, the researchers said.

The group also engages in a series of evasive maneuvers, including disabling antivirus and host-based firewalls; attempting to delete firewall profiles; creating defender exclusions; and deactivating or uninstalling EDR and other monitoring products to ensure persistence on the network.

Finally, Muddled Libra eventually moves on to accessing and exfiltrating data, which appears to be its primary goal, as the researchers rarely saw the group engage in remote code execution, they said. To exfiltrate data, the group attempted to establish reverse proxy shells or secure shell (SSH) tunnels for command and control (C2), or used common file-transfer sites or the Cyberduck file-transfer agent, they said. In some cases, the group then uses the compromised infrastructure as a trusted organizational asset to engage in follow-on attacks on downstream customers, the researchers said.

**Mitigation & Protection Against Sophisticated Data Theft**

To defend against such a sophisticated threat actor, organizations "must combine cutting-edge technology and comprehensive security hygiene, as well as diligent monitoring of external threats and internal events," the researchers advised.

Unit 42 researchers made a number of recommendations to this end, including the implementation of MFA and single sign-on (SSO) wherever possible, noting that Muddled Libra has its most success when it has to convince employees to help the group bypass MFA. "When they were unable to do so, they appeared to move onto other targets," they noted.

Organizations should also implement comprehensive user-awareness training, as the group is highly skilled at social engineering both help desk and other employees via phone and SMS. Training can help employees identify suspicious non-email-based outreach and thus mitigate attacks, the researchers said.

Credential hygiene should also be kept up to date and organizations should grant access to employees only when and for as long as necessary, the researchers said. Defenders also should limit the connection of anonymization services to the network, which ideally should only be allowed at the firewall level by App-ID, they said.

Moreover, organizations should maintain robust network security and endpoint security, the researchers advised. The latter should be an extended detection and response (XDR) solution that can identify malicious code through the use of advanced machine learning and behavioral analytics, blocking threats in real time as they are identified, they said.

Finally, in case an organization is breached, administrators should assume that the attacker "knows the modern IR playbook" and consider setting up out-of-band response mechanisms, they said.

'Muddled Libra' Uses Oktapus-Related Smishing to Target Outsourcing Firms

Organizations need to start taking critical infrastructure threats seriously, as they could be a precursor to future, hybrid cyber-kinetic warfare attacks, experts warn.

INFOSEC23 – London – The concept of cyber warfare isn't new, but attacks on operational technology (OT) and industrial control system (ICS) environments could enable the development of kinetic weapons with physical effects, at least one expert is warning.

Speaking at Infosecurity Europe on "The Future of Cyberwarfare," Chris Dobrec, vice president of product marketing for Armis, looked at past examples of attacks that affected OT and ICS environments, such as Stuxnet, Havex, and Blackenergy, as well as the use of Ryuk ransomware on Colonial Pipeline. "Demonstrated attacks can have kinetic effect and can harm humans," he said.

**Are We Ready for Cyber Warfare?**

Pointing at the company's cyber-warfare research from last year, Dobrec showed results that found 24% of respondents were not prepared to handle the effect of these kinds of attacks — yet counterintuitively, three-quarters (76%) believe that they have appropriate controls in place. Also, the research found that after the Russian invasion of Ukraine, 74% of respondents agreed that response to OT attacks needs to be a board-level issue.

Pointing at the HSE attack last year, Dobrec predicted that there will be more attacks on healthcare organizations in particular in the future, as well as on utilities and transportation.

"It is bizarre that OT is now vulnerable and exposed, so widen that aperture in your overall organization and monitor for potential threats," he said. "Look for the potential vulnerabilities in these systems that you may have not been looking at previously, and then work to actually continuously monitor and remediate that."

He added, "Also engage the entire organization: it's not just the IT and security folks, but the operational folks that are involved in keeping those systems up and running."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattacks on OT, ICS Lay Groundwork for Kinetic Warfare

While it's impossible for an organization to be completely secure, there's no reason to be defenseless.

The cyber landscape continues to evolve as its economy grows. Ransomware attacks already account for trillions of dollars in damages to enterprises each year and standardized and sophisticated offerings such as ransomware-as-a-service and phishing-as-a service will soon become commonplace. While it's impossible for an organization to be completely secure, we're not defenseless.

Research shows that up to 95% of cyber incidents are a result of human error. Many of these breaches stem from oversights that include system misconfigurations or employee phishing campaigns, yet I would argue that an underreported component is the way threat actors target and manipulate human emotions. For example, when looking at the social engineering of phishing emails, you can see how nefarious actors use greed, curiosity, urgency, and the inherent need to help as means to hack the employee's behavior. Anyone can become a victim in these situations, which is why the key to establishing a sound cybersecurity culture within your workforce is placing people and realism at the center of your cyber strategy.

**Mitigate Human Biases**

Organizations must focus on human nature, including a person's innate soft skills and behaviors, when developing and implementing their cybersecurity strategy because attackers will use perception blindness and human biases to their advantage. One of the strongest is confirmation bias, where a person obtains a single piece of information, it prevents them from seeing any other possible options, and it causes them to draw incorrect conclusions and burn cycles in the wrong area. Job bias is another key human bias that hinders crisis response, as key stakeholders are unsure of the role they play and what their responsibilities are in certain situations.

It's critical to identify opportunities to emulate real-world use cases rather than best-case scenarios to understand how biases will impact remediation efforts. The most substantiated efforts leverage ideation, immersion, and gamification rather than passive information or lectures. Conducting tabletops and wargame exercises are effective ways of revealing multiple human biases that arise when your teams are under immense amounts of pressure. These allow you to integrate best practices into your organizational training and playbooks, which ultimately flips the attacker's script on human nature and enables you to use it _your_ advantage.

**Unify Technical, Business, and Risk-Oriented Frameworks**

Enterprises that undertake these tabletops and wargames feel prepared to face and mitigate a potential attack. However, it is imperative for leaders to understand that these immersive exercises are conducted in a controlled environment. Planned actions can easily be lost in the chaos during a real cyberattack, especially when employees attempt to address the "fog of war" caused by stress. Security culture starts with how the employees feel, act, and behave, and deploying a cohesive, holistic, and unified approach to incident response within the first couple of hours are critical for success.

A cyberattack response that unifies technical, business, and risk-oriented frameworks empowers enterprises to create a seamless detection and remediation strategy. This prepares the entire organization — from the board of directors down — for when a real attack hits. The response plan should be underpinned by a common cybersecurity and risk language within the workplace. Instituting this, and ensuring each person becomes fluent, should be a priority along with clearly defining key roles across the enterprise.

**Weave Cybersecurity into the Fabric of an Organization**

Cyber readiness is _everyone's_ job across the enterprise. Weaving cybersecurity into the fabric of your company and making it an everyday topic can reduce human-error-initiated cyberattacks at the source. After Equifax's 2017 data breach, it reinvented its security culture by starting with what it called "shared fate." This strategic pillar focused on how everyone in the company is responsible for protecting the organization with each micro-decision they make. It's proven to be highly successful, because when every individual feels personally responsible for keeping the workplace safe, it makes cybersecurity ubiquitous.

Highly mature organizations understand the importance of cyber-crisis preparedness. To further ingrain a strong culture of cybersecurity within an organization, leaders should suggest certain components of security training be conducted at home. If you can make individuals feel safe at a time when their role shifts from employee to parent, partner, or simply off duty, their sense of cybersecurity responsibility will extend beyond the workplace and become part of life itself. That takes your cybersecurity plan a step further and embraces widespread cyber readiness.

As the industry prepares for the next wave of attack methods and attempts to cohabitate with a new generation of cybercriminals, it's more important than ever for enterprises to reassess their cybersecurity posture. Successful cybersecurity policies keep the end user, the employee, the human in mind. In doing so, these policies are frictionless, making it is easy for employees to do the right thing, and they enable organizations to provide an explanation behind the "why" to mitigate resistance to change. While deploying technical resources and training are crucial steps in keeping the workplace and its assets safe, the cybersecurity battlefield is increasingly human. To win the war, leaders should acknowledge this and exercise their people as their best defense.

Placing People & Realism at the Center of Your Cybersecurity Strategy

As a former Gartner analyst, it was interesting to be on the other side, listening as others explored the impact of CEO and CIO priorities on security.

GARTNER SECURITY & RISK MANAGEMENT SUMMIT 2023 — National Harbor, Md. — At the opening keynote for the Gartner Security & Risk Management Summit 2023, Gartner distinguished VP analyst Leigh McMullen and senior director analyst Henrique Teixeira emphasized that cybersecurity can generate massive value for enterprises. However, professionals in this field must be willing to challenge misconceptions and move beyond obsolete practices.

This keynote discussed the importance of adopting a minimum effective mindset across business engagement, technology, and talent. This approach refers to the input, not the outcome, with a deliberate, ROI-driven strategy to lead cybersecurity into the future.

McMullen and Teixeira took aim at four prevalent myths in the cybersecurity field:

1.  **More data equals better protection:** Instead, they suggested pursuing the least amount of information needed, to draw a line between the funding of cybersecurity and the amount of vulnerability that funding addresses.
2.  **More technology equals better protection:** They warned against the mindset that some forthcoming technology will solve all problems, leading to the premature acquisition of solutions.
3.  **More cybersecurity pros equal better protection:** They argued that there's no way to scale services to match the enterprise pace merely by hiring more professionals.
4.  **More controls equal better protection:** They pointed out that controls that are circumvented are worse than no controls at all, highlighting the friction employees often experience with secure behavior.

Gene Alvarez, a distinguished VP analyst at Gartner, presented another keynote on the metaverse and digital twins — concepts that will become increasingly important as our thinking about identity management evolves.

In another session, Katell Thielemann, distinguished VP analyst at Gartner, presented on the current CIO and CEO agenda. She highlighted the top priorities of executive leaders and the implications for security. According to Thielemann, boards are willing to increase risks but want results, and CEOs want tangible growth from digital investments. CIOs, on the other hand, need to deliver outcomes by prioritizing the right digital initiatives. She emphasized that CISOs need to adopt a more rigorous approach to prioritizing security resources due to the accelerated enterprise demand for information security expertise caused by digitization.

Walking the vendor floor, I saw many solutions aimed at very familiar use cases, and I heard attendees comment how so many products appeared to replicate solutions to the same problems. Of course, many of the leading sector vendors were there, covering email and messaging security and endpoint protection. Some interesting vendors were taking a fresh look at secure browsers, which for a long time lacked effective enterprise controls despite being a key plank in the endpoint security posture. I must admit that I was somewhat relieved that no one tried to explain to me how GenAI was the source of, or the solution to, all of life's problems.

An Analyst View of Gartner Security & Risk Management Summit 2023

The tool trained on the company's investigative cybersecurity services data set, and provides natural language responses to client queries, to improve response and remediation efforts.

Managed detection and response (MDR) provider eSentire has announced eSentire AI Investigator, a machine learning-powered tool for querying asset and vulnerability data, security telemetry, and other sources of cybersecurity information. The goal? To improve security investigations, threat response, and threat hunting.

Even as novel vulnerabilities and new threat actors emerge, existing problems have a continuing presence. The growing pool of information, alongside the ongoing scarcity of human cybersecurity talent, drive the demand for automated tools for finding and fixing security issues. According to the company, eSentire AI Investigator uses generative AI (the same technology behind ChatGPT) to answer natural language queries from its MDR clients, providing information drawn from a variety of internal and external resources to show them how wider security events and trends could affect their businesses.

The eSentire services units also use eSentire AI Investigator to increase efficiency and reduce response time. The company said the tool is trained against eSentire's investigation data set of more than a million investigations and responses, shaped by human feedback from its Cyber Response Team, to find and suggest threat remediation measures quickly. Using eSentire AI Investigator, the company claimed a mean time to contain unknown threats of 15 minutes. The company also credited the tool for a global threat sweep that detected and defanged a recent Batloader malware campaign.

The eSentire AI Investigator tool is available in private preview through the eSentire Insight Portal.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

eSentire's AI Investigator Chatbot Aids Human Response to Security Incidents

New product provides customers with an attacker's view of their cyber resilience aligned to business context.

**NEW YORK – June 20, 2023 –** Cymulate, the leader in exposure management and security validation, today announced the release of a ground-breaking new solution for organizations to run an informed continuous threat exposure management (CTEM) program. The CTEM program, which was coined by Gartner, Inc. is designed to diagnose the severity of exposures, create an action plan for remediation and facilitate a common language for discussions between business and technical teams. Disparate data sources, point-in-time collection, and lack of business context create challenges for cybersecurity teams to ingest and contextualize exposure data and translate it from a security concern to a business impact. The new Cymulate Exposure Analytics solution bridges this gap by ingesting data from Cymulate products and other third-party data on vulnerabilities, risky assets, attack paths, threat intelligence, and other security controls to create a risk-informed defense with business context.

Unlike other programs that focus on reactive detection and response, the Gartner CTEM program is centered on proactively managing risk and resilience. By aligning with this program, organizations apply a repeatable framework to scope, discover, prioritize, validate, and mobilize their offensive cybersecurity initiatives. The Cymulate Exposure Analytics solution has a quantifiable impact across all five of the CTEM program pillars and on a business’s ability to reduce risk by understanding, tracking, and improving its security posture.

**CTEM Alignment**

*   **Scoping:** Understand by organizational segment, the risk posture of business systems and security tools and its risk to immediate and emergent threats to define the highest impact programs needed to reduce or manage risk scores and tolerance
*   **Discovery:** Correlated analysis from Cymulate and multi-vendor data that assesses on-premises and cloud attack surfaces, risky assets, attack paths, vulnerabilities, and business impact
*   **Prioritization:** Vulnerability prioritization & remediation guidance based on multi-vendor aggregated data that is normalized, contextualized, and evaluated against breach feasibility
*   **Validation:** Analyze exposure severity, security integrity, and effectiveness of remediation from security validation assessment data. Immediate threat and security control efficacy data can be used to answer questions such as “Are we at risk to this emergent threat?”, “Do we have the necessary capabilities to protect us when under attack?”.
*   **Mobilization:** Utilize Cymulate contextualized data to understand various response outcome options, and establish and track performance against baselines, benchmarks, and risk profiles

"Cymulate has always taken an attacker’s view on cybersecurity defense, and through our experience in breach and attack simulation we have carefully studied the ways attackers creatively exploit vulnerabilities and other exposures driven by human error, misconfiguration, or control weaknesses," said Avihai Ben-Yossef, chief technology officer and co-founder of Cymulate. "This latest announcement provides customers with a centralized tool that leverages data collected from the Cymulate platform and other third-party exposure data sources and contextualizes it for scoping security risk, prioritizing remediation, tracking the performance of cybersecurity initiatives, and effectively communicating risk."

**Cymulate Exposure Analytics Capabilities**

**Contextualized Vulnerability Management:** Integrates with common vulnerability scanners and cybersecurity validation solutions to continuously provide organizations visibility, context, and risk for each vulnerability. Rather than simply prioritizing based on CVSS scores, Cymulate Exposure Analytics provides a security data fabric for contextualized vulnerability prioritization, which correlates vulnerability findings with business context and security control effectiveness. By integrating with tools for breach and attack simulation and continuous automated red teaming, Cymulate Exposure Analytics creates a risk score that considers the exploitability and effectiveness of compensating security controls.

**Risk-Based Asset Profile:** Creates a consolidated view of assets with context to their risk. The product aggregates data from vulnerability management, attack surface management, configuration databases, Active Directory, cloud security posture management, and other systems and then applies its risk quantification to score each asset. This risk-profiled asset inventory contains a quantified risk score for every endpoint, system, cloud container, virtual machine, application, email address, web domain, IoT/OT device, and more. This data can also be aggregated by business or operational context. The inventory includes details for each asset, including existing security controls, currently enforced policies, known vulnerabilities, un-patchable vulnerabilities or security gaps, and mitigation status.

**Remediation Planning:** Applies its risk quantification and aggregated asset inventory to create a prioritized list of mitigations that deliver the most significant risk reduction and improvement in cyber resilience. When available, the remediation plan presents remediation options that consider urgency, severity, and compensating controls – as well as the forecasted outcomes by modeling the risk impact of the mitigation.

**Measure and Baseline Cyber Resilience:** Quantifies risk as a key metric of cyber resilience to understand security resilience and business risk in the context of business units, mission-critical systems, and business operations. Risk scoring considers the attack surface, business context, control efficacy, breach feasibility, and external data such as CVSS scores and threat intel. With dynamic reporting and dashboards for baselines and visualizations, security leaders gain insights to measure and communicate cyber resilience and risk to executives, boards, and their peers.

**Platform Alignment:** Complements the company’s current platform, which includes Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Continuous Automated Red Teaming (CART) solutions. Exposure management and control validation tools are consolidating as businesses need to simplify how they understand risk and resilience to emergent threats and a rapidly changing attack surface. With the Cymulate modular offering, customers can deploy aligned to their current cybersecurity maturity and grow to leverage the platform's additional capabilities as their needs change.

Deployed on its own, Cymulate Exposure Analytics creates centralized intelligence and visibility to security posture with business context essential to an exposure management program. When deployed as part of the Cymulate Exposure Management and Security Validation Platform, the total solution enables and optimizes CTEM programs by merging the traditional vulnerability-based view of risk with the “attacker’s view” of the attack surface.

**Resources**

*   Datasheet
*   Website

**About Cymulate**

Cymulate, the leader in exposure management and security validation, provides a modular platform for continuously assessing, testing, and improving cybersecurity resilience against emergent threats, evolving environments, and digital transformations. The solution has a quantifiable impact across all five continuous threat exposure management (CTEM) program pillars and on a business’s ability to reduce risk by understanding, tracking, and improving its security posture. Customers can choose from its Attack Surface Management (ASM) product for risk-based asset profiling and attack path validation, Breach and Attack Simulation (BAS) for simulated threat testing and security control validation, Continuous Automate Red Teaming (CART) for vulnerability assessment, scenario-based and custom testing, and Exposure Analytics for ingesting Cymulate and third-party data to understand and prioritize exposures in the context of business initiatives and cyber resilience communications to executives, boards, and stakeholders. For more information, visit www.cymulate.com.

Cymulate Announces Security Analytics for Continuous Threat Exposure Management

ChatGPT usage growing 25% monthly in enterprises, prompting key decisions to block or enable based on security, productivity concerns.

**SANTA CLARA, Calif. – June 20, 2023 –** Netskope, a leader in Secure Access Service Edge (SASE), today announced general availability of a comprehensive data protection solution to help enterprises securely manage employee use of ChatGPT and other generative AI applications, such as Google Bard and Jasper. As part of its award-winning Intelligent Security Service Edge (SSE) platform and decade-long commitment to data security innovation, Netskope today can successfully enable safe usage of generative AI thanks to unique, patented data protection techniques not found in other vendors’ SSE platforms.

Following incidents in 2023 of sensitive data exposure from generative AI, many enterprises are now prioritizing if and how to safely enable the use of these applications and support AI innovation without putting their businesses at risk. According to Netskope research, currently \[1\]:

*   About 10% of enterprise organizations are actively blocking ChatGPT use by teams
*   ChatGPT adoption is growing exponentially in enterprises, currently at a rate of 25% month over month
*   Approximately 1 out of 100 enterprise employees actively uses ChatGPT daily, with each user submitting, on average, 8 prompts per day

To address this challenge, Netskope Intelligent SSE combines longstanding, industry-recognized Netskope data protection features with newly released innovations specifically for classifying and dynamically controlling safe usage of generative AI applications. These are available to Netskope customers today as a unified solution offering from Netskope and its network of channel partners. (Click to get started right away: http://netskope.com/chatgpt)

"Enterprises today are faced with deciding whether to block access to ChatGPT and other generative AI apps to reduce security risk, or allow usage and reap the efficiencies and other benefits these apps can bring about. The safe enablement of these apps is ultimately an advanced data protection challenge—one Netskope is uniquely positioned to solve," said Krishna Narayanaswamy, Netskope Co-Founder and Chief Technology Officer. "Netskope helps all organizations encourage the responsible use of these increasingly popular applications using the right data protection controls in place that help keep the business safe and productive."

As part of Intelligent SSE, Netskope Zero Trust Engine capabilities for the safe enablement of generative AI applications include:

**Comprehensive Application Usage Visibility**

*   Instant access to specific ChatGPT usage and trends within the organization via industry’s broadest discovery of SaaS (using a dynamic database of 60,000+ applications) and Advanced Analytics dashboards
*   Best-in-class Cloud Confidence Index™ (CCI) that actively classifies new generative AI applications and evaluates their risks accordingly
*   Granular context and instance awareness via patented Cloud XD™ inspection, which discerns access levels and data flows through application accounts, such as corporate vs. personal accounts
*   Visibility via a new web category specially created for identifying generative AI domains, enabling teams to configure access control and real-time protection policies, and manage traffic destined specifically for generative AI applications

**Advanced Application Access Control**

*   The ability to dynamically perform granular access to ChatGPT and other generative AI applications
*   Visual coaching messages to alert users in real-time on potential data exposure and other risks every time generative AI applications are accessed— promoting responsible use of generative AI applications and training employees in real time, without stopping harmless queries

**Advanced Data Protection**

*   The ability to monitor, allow, or block enterprise sensitive data (such as source code) from being posted to AI chatbots
*   Support for regulatory compliance needs such as GDPR, CCPA, HIPAA, and many others, using advanced data classifiers and ML-based detection

**The Highest Performing Security Services**

*   With SSE services powered by NewEdge, the world’s largest security private cloud presence with data centers in 65+ regions globally, Netskope provides customers with unparalleled service coverage, performance, and resilience

**A History and Tradition of AI/ML Innovation in Data Protection and Beyond**

Since its founding in 2012, Netskope has been continuously lauded for its advanced data protection capabilities and the uses of AI and machine learning (ML) innovation in its platform. These innovations include in data security, embedded UEBA, threat protection, IoT security, Borderless SD-WAN, AIOps and other areas, with advanced techniques for personally identifiable information (PII) image classification, whiteboard image detection, sensitive document classification, IoT device detection, WAN access anomaly detection, encrypted file detection, and many other critical use cases.

In addition, Netskope AI Labs is recognized as an authority in solving security and fraud problems through the responsible use of AI/ML in different domains, developing large-scale AI/ML models for real-time SSE and SASE use cases. Netskope’s team also includes inventors listed on hundreds of patents worldwide.

"As a leader in the transformation of network, cloud, and data security, Netskope is committed to the responsible use of artificial intelligence and machine learning. We work with peers, academia, thought leaders, and governments alike to safely direct AI/ML efforts in a way that will benefit and not cause harm to our customers, partners, employees, and their families," said Dr. Yihua Liao, Head of Netskope AI Labs. "Netskope AI Labs is a critical component of Netskope product and service innovation. Even more importantly, we help drive the right outcomes regarding AI's role in security and networking and how we can all take advantage of innovation with the right protections in place, whether for generative AI applications or any other compelling use case."

Among other recent accolades, Netskope was named a Leader in the 2023 Gartner®  Magic Quadrant™  for Security Service Edge and was the only SSE Leader to also rank among the highest three scoring vendors for all Use Cases in the companion Critical Capabilities for SSE report. Those use cases include “Identify and Protect Sensitive Information,” a data protection category in which Netskope received the highest scores among any SSE vendor.

For more on Netskope AI innovations:

*   Get the Netskope for ChatGPT solution brief
*   Join Netskope at Infosecurity Europe at ExCEL London this week, June 20-22, where Netskope AI innovations will be featured as part of Netskope SASE and Intelligent SSE demonstrations at Stand Z60. Click here to register for free and get the full list of Netskope Infosecurity activities.
*   Join Netskope for a special LinkedIn Live discussion, **“ChatGPT: Fortifying Data Security in the AI App-ocalypse”** featuring Netskope experts Krishna Narayanaswamy, Neil Thacker, and Naveen Pallavalli, on Thursday, June 22, at 12:30pm ET / 9:30am PT. Click here to confirm attendance.
*   Read the latest Netskope AI and ML insights via the Netskope blog
*   Visit the Netskope AI Labs resources page

**Gartner Disclaimer**

Gartner, “Magic Quadrant for Security Service Edge,” Charlie Winckless, Aaron McQuaid, John Watts, Craig Lawson, Thomas Lintemuth, Dale Koeppen. Published 10 April 2023 – ID G00766751.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark, MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Enables Secure Enterprise Use of ChatGPT and Generative AI Applications

**GHENT,** **Belgium****,** **June 20, 2023** **/PRNewswire/ --** After raising $1.4 million in 2022 and successfully launching its product, award-winning Belgian access management start-up NineID announced raising another $1.2 million, successfully closing its $2.6 million seed round. The funding came from lead investor Pitchdrive, Comate Ventures, and several business angels (including Showpad's founders). NineID just opened a New York office and has customers like World Forum The Hague (who recently welcomed Ukrainian president Zelensky). The funds will be used to fuel internationalization and product expansion.

Organizations such as World Forum The Hague, PSA (world's largest port group), A.S. Watson (world's largest international health & beauty retailer), Alpro (part of Danone Group), and dozens of other multinationals joined NineID's client base in search of one thing: a modern access control solution. Other technologies are outdated and offer limited security. In addition, manual onboardings and check-ins are not user-friendly and can lead to administrative chaos.

The company offers a SaaS platform that centralizes user identification, certificates, and training documentation, making it easily accessible for audits. In addition, NineID provides hardware for on-site access management, utilizing QR codes, smartphone scans, or facial recognition.

The founders, Roy Jeunen and Frederik Keysers, built the solution while experiencing cumbersome security procedures themselves. "In previous roles we underwent long queues and countless security checks prior to getting site access via (RFID) badges. Anyone can pass on this badge, making the whole process useless," says Roy.

"Companies often lose sight of physical identity and access management when focusing entirely on cyber security," adds Roy. "Physical badges are often prone to sharing, copying, or theft — allowing hackers to gain access to unauthorized premises and use unattended computers or network ports. This opens the literal and figurative door for security breaches."

NineID put their theory to the test by successfully infiltrating an unknowing company and accessing all sensitive information within 15 minutes. "Physical breaches are responsible for over 10% of data breaches, according to sources like IBM. NineID's solution ensures that everyone entering a site is 100% security compliant," says Frederik.

To further expand internationally and enhance their solution, NineID secured additional funding from Pitchdrive and prominent figures in the Belgian technology landscape, such as Comate Ventures, the founders of Showpad, and Drupal CMS' founder.

For more information: nineid.com

SOURCE NineID

NineID Raises $2.6M to Build a Secure Bridge Between the Digital and Physical Worlds of Corporate Security

Infostealers are as alive as ever, wantonly sweeping up whatever business data might be of use to cybercriminals, including OpenAI credentials.

In the last year, at least 100,000 devices infected by various infostealer malwares have leaked ChatGPT credentials to the Dark Web.

Infostealers can collect just about anything: information about a target machine, cookies and browser histories, documents, and so on. More often than not, hackers profit off of this kind of bounty not just by utilizing it themselves, but by reselling it on the Dark Web. For example, online marketplaces regularly traffic in logs that contain victims' account credentials for popular applications.

From June 2022 through last month, cybersecurity firm Group-IB tracked how many of these for-sale logs expose ChatGPT accounts. In total, it counted 101,134.

The malware overwhelmingly responsible for these leaks was Raccoon, the infamous Russian-designed tool first discovered in 2019. The Raccoon operation briefly shut down early last year after the death of its creator, only to come back new and improved three months later. Since then, it has been responsible for at least 78,348 devices leaking ChatGPT credentials.

Besides Raccoon, the researchers tracked 12,984 GPT-laden logs attributed to Vidar and 6,773 to Redline.

In the entire sample size, less than 5,000 infected devices were traced to North America. A plurality originated in the Asia-Pacific, with the biggest offenders being India (12,632) and Pakistan (9,217). Other countries with many exposed ChatGPT credentials included Brazil (6,531), Vietnam (4,771), and Egypt (4,558).

**ChatGPT Logins the Tip of the Iceberg**

Last December — the first month ChatGPT was made available to the public — the researchers tracked 2,766 Dark Web stealer logs containing compromised accounts. That number surpassed 11,000 the following month and doubled two months after that. By May, the figure was up to 26,802.

In other words, the trendline is clearly only moving in one direction.

But ChatGPT credentials are almost beside the point, says Mike Parkin, senior technical engineer at Vulcan Cyber. "Infostealers can be an issue, at least in part, because they're not as outwardly destructive as, say, ransomware, which is hard to miss. A well obfuscated infostealer can be much harder to detect, precisely because it doesn't make itself known."

Because organizations can more easily miss infostealers than certain other kinds of malware, they're liable to realize their sensitive data is gone only after it's too late.

"Depending on the strain of information stealer, hackers can be gathering everything from application and Web credentials to personal information, stored files, and system configurations. Organizations that have these malware infections in their environment could face having intellectual property, company financials, and pretty much any other data that lands on infected systems exposed," Parkin says.

As long as infostealers continue to run rampant, ChatGPT credentials will be the least of anybody's worries. "The real question," Parkin asks, "is what kind of data isn't being leaked by these kinds of malware?"

Source

DARKReading