Plug X and other information-stealing remote-access Trojans are among the malware targeting networking, manufacturing, and logistics companies in Taiwan.

Cyber espionage attacks against organizations in Taiwan have surged against the backdrop of recent political tensions, new research shows.

Trellix this week cited a fourfold rise in malicious phishing emails targeting Taiwanese companies between April 7 and 10 of this year. Networking/IT, manufacturing, and logistics, were hit the most.

The emails followed different archetypes — a fake shipment update from DHL, a fake order for bulk cement, or a fake payment overdue notification.

Some of the emails came fitted with malicious attachments, while others contained links to fake login pages designed to harvest credentials.

Following the jump in malicious emails, the researchers detected an even more significant rise in instances of PlugX — a decade-old remote access Trojan common among Chinese state-linked threat actors. PlugX is perhaps most notable for its stealthiness, using DLL sideloading as a means of circumventing Windows security measures and running arbitrary code on a target machine.

Other infostealer malware families spotted in attacks against Taiwan include Zmutzy — a Trojan written in .NET — and Formbook — a cheap infostealer-as-a-service with downloader capabilities.

Patrick Flynn, head of commercial threat intelligence at Trellix, says the majority of the attacks appear to be nation-state, with about 40% targeting Taiwan officials and agencies.

**Cyberattacks in the China-Taiwan Conflict**

Conflict between China and Taiwan dates back three quarters of a century, with the former claiming sovereignty over the autonomous latter. Tensions have ebbed and flowed ever since, with a recent flare-up precipitating from the parallel conflict in Ukraine, diplomatic meetings between American and Taiwanese officials, and Chinese military drills in the Taiwan Strait. The political and economic implications are severe.

As in Ukraine, cyberattacks have long played a role in the Taiwan conflict — a simpler, more cost-effective, and less politically dangerous weapon of war most often deployed by the more powerful side to target their adversary.

"Cyberwarfare is an attractive option for a number of nation states, as it lets them target their adversaries without escalating to a 'shooting war,'" says Mike Parkin, senior technical engineer at Vulcan Cyber.

In January 2023, for example, Trellix observed a 30-times increase in extortion emails sent to Taiwanese officials. "Though it's unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan," the researchers explained.

For now, there's no reason to believe that cyber campaigns against Taiwan and its economy will slow down any time soon, so the impetus will fall on organizations to defend themselves.

"In most cases, the things we do to counter common cybercriminals are the same things we should be doing to counter nation-state attacks: training users, up-to-date patches, secure configurations, etc.," Parkin says.

But "state-level threats are likely to have more resources and can deploy more sophisticated malware, more targeted phishing attacks, and they have the time and energy to stay persistent," he says. "Facing threats like that makes it even more important for us to have our security stack at least to baseline."

Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

Risk from artificial intelligence vectors presents a growing concern among security professionals in 2023.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

10 Types of AI Attacks CISOs Should Track

Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.

A threat actor known for targeting Microsoft cloud environments now is employing the serial console feature on Azure virtual machines (VMs) to hijack the VM to install third-party remote management software within clients' cloud environments.

Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.

Using one of its typical method of initial access — which involves compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.

From there, the attacker has a number of options for malicious activity, including the exportation of information about the users in the tenant, collection of information about the Azure environment configuration and the various VMs, and creation or modification of accounts.

"Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes," the researchers wrote. "These extensions are executed inside of a VM and have a variety of legitimate uses."

**Hijacking the VM**

By leveraging in particular the serial console in Microsoft Azure, UNC3944 can connect to a running OS via serial port, giving the attacker an option besides the OS to access a cloud environment.

"As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console," they wrote. "The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer."

UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.

However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.

"By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud," Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.

**From the VM to the Environment**

Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.

"The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms," the researchers wrote.

Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server and deployed a reverse tunnel configured such that port forwarding any inbound connection to remote machine port 12345 would be forwarded to the localhost port 3389, they explained in the post. This allowed UNC3944 a direct connection to the Azure VM via Remote Desktop, from which they can facilitate a password reset of an admin account, the researchers said.

The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.

"Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks," he says.

**How to Defend Against this VM Attack**

To thwart this type of threat, organizations must first prevent targeted smishing campaigns "in a way that enables their workforce while not inhibiting productivity or impacting user privacy," Smith says.

Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.

"Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies," the researchers wrote.

They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.

Microsoft Azure VMs Hijacked in Cloud Cyberattack

Security by design can't be just a best practice — it has to become a fundamental part of software development.

Amid a feverish cybersecurity environment, there is a growing chorus for software to be secure by design. In April, the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), aligned with the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand to create guidelines aimed at supporting software manufacturers to "embed security-by-design and by-default."

In this new paper, the agencies call on software makers to deploy threat modeling at the design stage. These guidelines follow fast on the news that the US government will legislate to introduce liability for software makers to secure the products they manufacture.

All software developers want to build secure software, so why is it so difficult to do, what does effective security by design look like, and what needs to change to embed it in the software development process?

**The Challenge**

The sheer prevalence of cybersecurity breaches is evidence of the huge challenge faced by developers trying to build secure software. Striving to get their products to market quickly, software manufacturers are incentivized to take shortcuts on security. And the challenge of designing secure software is becoming more difficult as software architecture grows in complexity, with every sector of the economy being transformed by software. The recent intention of the White House to hold vendors accountable for poor software security could be seen as an attempt to correct the current market incentives.

This is especially the case with supply chains, which are getting ever more complex, making it difficult to predict how different pieces of software will interact. We've seen this challenge in the growing trend of supply chain attacks that have affected businesses, including Air France, KLM, and Nissan in the past year.

**Security by Design and Threat Modeling**

It is still the case that most software security activities are focused at the end of the development process, but this creates some problems. First, scanning software through application security testing tools can miss more complex flaws in the design of an application. In addition, when you do identify a bug once you have completed development, remediation can be costly and time consuming.

It is much better to identify and address security flaws before code is written, through the process of threat modeling. There are a number of different approaches to threat modeling, but fundamental to them all is analyzing the design of the system as a cross-functional team — development and security teams coming together to identify potential security and privacy issues and developing a plan to solve or mitigate them.

So far, so straightforward. So why isn't this happening? There seem to be three main barriers: skills, responsibility, and practicality.

**Embedding Security by Design**

A fundamental challenge is that many developers enter the workplace without the technical knowledge to build secure software and with little or no experience of threat modeling. It is a software skill that you have to invest in and it takes time to learn. The focus of the developer is, understandably, on the functionality that they are developing, not on how a threat actor might find a vulnerability in that new functionality.

This leads us to the second barrier, which is a lack of clarity over where responsibility for security at the design stage lies, which means in many businesses threat modeling can fall through the cracks. Despite their fundamental role, the development team often views security as the responsibility of the security team. This is also entirely understandable, given that in most businesses the knowledge about the process of threat modeling and of the security risks is held by the security team. Just as you can't design secure software without the engineers, you can't build secure software without the security team's insight into the evolving attack vectors used by threat actors.

Until these two teams are working together at the very start of the software development process and threat modeling is embedded as a community practice with shared responsibility, this problem won't be solved.

The third barrier is that until fairly recently, traditional approaches to threat modeling have been impractical when developing software on a large scale. For an organization that is building many thousands of applications, the traditional approach to threat modeling, as a group in a meeting room with a whiteboard, isn't possible. However, automation of this process is now a reality. As a developer, you can now use automation to generate a threat model that contains relevant threats and countermeasures for you.

This latest guidance from the world's leading cybersecurity agencies should leave us in no doubt that security by design is no longer just best practice — it has to become a fundamental part of software development. The tools exist now to make it possible to achieve, but it must be a shared endeavor, with development and security teams working closely together before a line of code is written.

Embedding Security by Design: A Shared Responsibility

Customized fix recommendations and cut and paste code fixes dramatically reduce remediation times.

**TEL AVIV, Israel****,** **May 17, 2023** **/PRNewswire/ --** OX Security, a leader in software supply chain security, today announced the launch of OX-GPT, the first ChatGPT integration to improve software supply chain security. With the new integration, OX now presents developers with customized fix recommendations and cut and paste code fixes, providing for quick remediation of critical security issues across the software supply chain.

ChatGPT has dramatically changed the cybersecurity landscape. Over the past few months, hackers have already begun using ChatGPT, and other AI models to find and exploit vulnerabilities, develop malware and craft phishing emails.

Yet AI also holds tremendous potential to protect against cyber attacks, and OX Security is the first to use ChatGPT to improve software supply chain security.

Until now, security teams often needed many tools to secure the software supply chain, resulting in too many alerts and fragmented workflows.

"Flooded by alerts, developers often become frustrated and overwhelmed. After wasting enough time chasing false positives, they lose trust in these tools and no longer see the value in the activities that security asks them to perform," said OX Security CEO and co-founder Neatsun Ziv, who served as Check Point's VP of Cyber Security prior to founding OX. "We want to bring that trust back."

The first of its kind ChatGPT integration provides developers with contexts for the specific issues they are facing, including how the code in question could be exploited by hackers, the possible impact of such an attack and potential damage to the organization. It then provides them with control over security and enables faster and easier remediation with cut and paste code crafted to secure and fix the specific issue, along with an explanation of why the fix works.

"Developers' primary focus may not be security," said Shai Sivan, CISO of Kaltura (NASDAQ: KLTR), "but if they could trust that spending a short amount of time to remediate risks pre-production would save them from having to go into crisis mode later, they would take the time to fix those problems."

"By giving developers control and providing them with the information and tools they need to quickly assess and fix the issue, OX-GPT will enable organizations to stay ahead of attackers," Ziv continued.

For more information about OX-GPT, send an email to \[email protected\], or request a demo via OX Security's website: www.ox.security.

**About OX Security**

OX Security believes that security should be an integral part of the software development process, not an afterthought. Founded by Neatsun Ziv and Lior Arzi, who previously led Check Point's Security Group, OX is the first end-to-end software supply chain security solution. OX provides DevSecOps teams with the automation, visibility, and risk insights they need to bring security and integrity to every step of the supply chain, from the earliest planning stages until deployment to production.

SOURCE Ox Security

OX Security Launches OX-GPT, AppSec's First ChatGPT Integration

With the new additions to Satori's Data Security Platform, companies gain unprecedented visibility to answer "Where is all my data?" and "Who has access to it?"

**Sunnyvale, CA — May 17, 2023 —** Satori, the industry’s leading data security platform, today announced the availability of Posture Management, a new capability within Satori’s platform that monitors the authorization of users to data across all of a company’s data stores. In addition, Satori announced the availability of Data Store Discovery, which scans and monitors an organization’s cloud accounts to discover new data stores.

Powered by Satori's opensource Universal Data Permissions Scanner , Posture Management is designed to give companies a comprehensive understanding of who has access to what data within the organization, at all times. Posture Management scans all data permissions, provides an analytics layer over data access in the organization, and tracks KPIs to help improve data access posture. Using Posture Management, companies can proactively eliminate risks of a data breach due to over-privileged data access. In addition, with Posture Management, companies can view authorization permissions over time and at any specific point in time, making compliance audits and forensic investigations easier and more efficient. 

With Data Store Discovery, another new capability within Satori’s Data Security Platform, users can connect Satori directly to their cloud accounts to gain a holistic view of all data stores in the organization. For example, if a team sets up a “shadow” cloud database without proper access controls in place, the data and security teams will know about it immediately and take proper action, such as shutting it down or applying appropriate access control over it.

These capabilities are available to all Satori customers as part of its Data Security Platform, which allows frictionless just-in-time access to data, with a self-service data portal where data users can select the data they need and get access to it according to the organization’s guardrails and policies.

“Data access posture management is a critical capability that every data security platform should encompass, and our new Posture Management can help enterprises stay ahead of the game when it comes to data security and compliance,” said Yoav Cohen, CTO and co-founder of Satori. “Taking action against data security threats reactively is not enough in today's data-driven environment. Our goal is to empower organizations to take a preventative approach to protect their most sensitive and business-critical data. With Posture Management, our customers can take control of their data security and manage risk with ease.”

Both capabilities are available now to all Satori customers. Click here to learn more.   

**About Satori**

In today's complex environment, with the growth of large and diverse cloud-based data, it can be difficult to know who is accessing what data and when. This can lead to serious data security consequences, including overprivileged access and an increased risk of data loss or breach. It's crucial for companies to monitor and manage access to their data on a continuous basis to reduce risk and remain compliant. Satori enables companies to confidently discover and classify sensitive data, apply security policies and permissions, monitor access to sensitive data, and now, track security posture — all in one place. 

Satori is revolutionizing data security. Its data security platform seamlessly integrates into any environment to automate access controls and deliver complete data-flow visibility utilizing activity-based discovery and classification. The platform provides context-aware and granular data access and privacy policies across all enterprise data flows, data access and data stores. With Satori, organizations and their data teams can confidently ensure that data security, privacy and compliance are in place – enabling data-driven innovation and competitive advantage. Learn more at satoricyber.com.

Satori Augments Its Data Security Platform With Posture Management and Data Store Discovery Capabilities

Turkorat-poisoned packages sat in the npm development library for months, researchers say.

Two code packages named "nodejs-encrypt-agent" in the popular npm JavaScript library and registry recently were discovered containing the open source information-stealing TurkoRat malware.

Researchers from ReversingLabs, who discovered the malware-ridden packages, say the attackers behind them attempted to have the packages impersonate another legitimate package — agent-base version 6.0.2 — which has been downloaded over 20 million times.

Their findings underscore an emerging trend of threat actors taking advantage of how npm has for years failed to account for certain types of typosquatting, potentially leading enterprises to inadvertently download malware, which Checkmarx recently flagged in a report.

ReversingLabs' researchers said the discovery of the latest malicious packages, including irregularities in the package version numbers, were a red flag: in this case, a "strangely high version number" (6.0.2) that was used to try and bait developers into downloading what appeared to be the latest release of the package.

"The malicious actors were clearly hoping one of those millions of developers would be fooled into downloading the malicious package instead of the benign one," ReversingLabs said in its report.

The TurkoRat package — which has been removed from the npm library — utilized the npm package "pkg" to bundle files into a single executable, with the files stored in a virtual file system accessible during runtime.

The nodejs-encrypt-agent was discovered to closely resemble the agent-base module it was based on, except for the inclusion of a malicious portable executable (PE) file, which executed right after the package was run, using hidden malicious commands in the index.js file.

The malicious behaviors included writing to and deleting from Windows system directories, executing commands, and tampering with DNS settings.

**How You Can Spot Malicious npm Packages**

Lucija Valentić, software threat researcher with ReversingLabs, explains there are many ways to identify malicious packages.

"Since package repositories contain source code, one of the simplest ways is to inspect it manually," she says. "Packages can also be installed and executed in an isolated environment and inspected for unusual behavior."

Any kind of out-of-place content or behavior which isn't advertised or expected for a particular package (e.g., network requests in non-network-related packages), should be double-checked and verified.

"Always check if you need an external dependency to implement a particular functionality — if it's something simple, it might be better to handle it yourself than to introduce unverified code in your project," Valentić adds. "If you really need to use a library, check its name and reputation, and review the code to make sure you're including the correct library."

**Software Supply Chain Threat**

Meantime, the malicious nodejs-encrypt-agent was downloaded approximately 500 times in two months, and nodejs-cookie-proxy-agent had fewer than 700 downloads.

"Still, the malicious packages were almost certainly responsible for the malicious TurkoRat being run on an unknown number of developer machines," the report cautioned. "The longer-term impact of that compromise is difficult to measure."

The escalation of automated cyberattacks against npm, NuGet, and PyPI underscores the growing sophistication of threat actors and the threats to open source software supply chains. The use of automated processes to create the packages and user accounts is making it hard for security teams to identify and take down the packages.

In March, more than a dozen components in the .NET code repository were discovered impersonating other legitimate software, such as Coinbase and Microsoft ASP.NET, and running a malicious script upon installation, with no warning or alert.

Back in July 2022, analysts with ReversingLabs uncovered a widespread campaign that used more than 24 malicious npm packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps.

Tech giants including Google are taking steps to shore up security in the open source software supply chain through deps.dev API, which helps developers with information about the packages they are thinking of using, and Assured OSS, which lets organizations incorporate the same open source packages Google secures and uses into their own developer workflows.

Once Again, Malware Discovered Hidden in npm

Elevated attack rate expected to remain during 2023 as cybercrime becomes more sophisticated and widespread.

**ATLANTA****,** **May 17, 2023** **/PRNewswire/ --** LexisNexis® Risk Solutions today released the results of its annual Cybercrime Report, an analysis of data from 79.8 billion transactions processed through its LexisNexis® Digital Identity Network® throughout 2022. The report, _Trust and Collaboration as Foundations to Fight Fraud_, shows that the global digital attack rate increased 20% year over year (YOY) compared to 2021, continuing the trend of digital fraud rising as economies re-open following the pandemic.

The LexisNexis® Identity Abuse Index, which records the percentage of attacks per day, shows attack rates fell in the fourth quarter of 2022 although the picture varies by region, with sizeable spikes in APAC, LATAM and North America at the end of the year. 

Despite the effects of economic uncertainty, inflation and the war in Ukraine, digital transactions in 2022 went up by 24% YOY primarily driven by increasing transactions in financial services (29%) and ecommerce (17%).

Organizations are looking to establish consistent digital identity insights across all digital channels and end-customer touch points to mitigate rising fraud levels. They are striving to increase the level of trust with their customers, as well as identifying risk more easily. The report showed that the percentage of transactions classified as trusted in the Digital Identity Network® platform increased by 9% YOY, allowing organizations to provide a smoother customer journey.

"Businesses remain vulnerable to transactional fraud during this time of accelerated digitalization," said Stephen Topliss, vice president of fraud and identity strategy for LexisNexis Risk Solutions. "Despite heightened regulatory scrutiny, technological innovations and higher public awareness, there are persistent challenges in preventing fraud. This trend is likely to endure as consumers continue adopting digital channels. As fraud levels and its sophistication increase, relying on multi-factor authentication alone as a defense is inadequate in today's digital world. Organizations, industries and countries must collaborate and identify the interconnected signals of complex fraud attacks because criminal networks working in a structured way are here to stay. Addressing the latest scams requires targeted machine learning models that can consume the latest digital intelligence insights, behavioral biometrics signals and mule account indicators."

**Key findings from** _The LexisNexis Risk Solutions Cybercrime Report, January to_ December 2022**:**

*   **Mobile Channels Increasingly Popular** **–** Mobile transactions have reached a record high of 77% of all observed transactions in the Digital Identity Network, with the mobile app channel making up 82% of all mobile interactions.
*   **Attack Rate Continues to Rise** **–** The global attack rate continues to increase, driven by an uptick in the financial services and ecommerce industries at 31% and 29% respectively. The report shows that criminals continue to target the communications, mobile and media industries more than any other sector. However, a noticeable decline of 27% YOY in the overall attack rate suggests criminals are changing focus. 
*   **Vulnerabilities in Payments –** Across all desktop and mobile channels, attack rates on digital payments increased 27% YOY. Alternative payment methods, such as digital wallets, QR code payments and peer-to-peer transfers, continue to gain popularity, particularly in APAC. The shift has contributed to the 32% YOY growth in payment transactions in that region, yet criminals are also fast at exploiting vulnerabilities. The report shows a 50% YOY increase in APAC's payment attack rate.
*   **Lucrative Avenue for Cybercrime –** Automated bot attacks in the ecommerce space have grown 195% globally. Almost half of these attacks focused on the U.S., where ecommerce focused bot attacks increased by 127% YOY. Bot attacks increased 112% in the U.S. gaming and gambling industry, while the sector grows due to legalization in more states.

Download a copy of _Trust and Collaboration as Foundations to Fight Fraud: The_

**Methodology**

The LexisNexis Risk Solutions Cybercrime Report is based on cybercrime attacks detected by the Digital Identity Network platform. It processed 92 billion transactions in 2022, including common attack types such as new account creation, account login and payment fraud. It analyzes transactions for legitimacy based on device identification, geolocation, history and behavioral analytics in near real-time, providing insight into global digital identities. Customers benefit from global risk views and custom-tuned policies. The report covers "high-risk" transactions scored by global customers. Digital Identity Network does not include transaction data from all countries in the world.

**About LexisNexis Risk Solutions**

LexisNexis® Risk Solutions includes seven brands that span multiple industries and sectors. We harness the power of data, sophisticated analytics platforms and technology solutions to provide insights that help businesses and governmental entities reduce risk and improve decisions to benefit people around the globe. Headquartered in metro Atlanta, Georgia, we have offices throughout the world and are part of RELX (LSE: REL/NYSE: RELX), a global provider of information-based analytics and decision tools for professional and business customers. For more information, please visit www.risk.lexisnexis.com and www.relx.com.

LexisNexis Risk Solutions Cybercrime Report Reveals 20% Annual Increase in Global Digital Attack Rate

New retainer provides expert support starting in the first 72 hours of the incident response process to contain the attack and improve preparedness for the future.

**Helsinki, Finland – May 17, 2023:** The first 72 hours of an attack are a crucial window for incident response teams. To support organizations in preparing a swift, efficient response to incidents while minimizing their impact on operations, WithSecure™ (formerly known as F-Secure Business) is offering a new range of incident readiness and response packages.  

Incident response is more challenging than ever. Cloud services complicate IT security, skills are scarce, and responsibilities are shared with cloud service providers.   

Based on his experience, Cyber Security Advisor Paul Brucciani says that in spite of cyber attacks’ ubiquity, many mid-market organizations find themselves unprepared for incidents when they occur.

“Today, only about one in five organizations have an incident response plan–typically enterprises with well-developed cyber security. Mid-market companies don’t have these resources and if there is any service fit to be outsourced, it is incident response. Our new offering brings industry-leading incident response services to the mid-market to make it more resilient to cyber-attacks, covering both traditional on-premise and cloud IT,” he said.  

WithSecure™ has a strong record of providing incident response services to organizations large and small throughout the globe. It has over 30 years of experience in helping organizations prepare for, respond to, and recover from data breaches. Its incident response capability is assured by government agencies in Germany and the UK.

The new range of incident response offerings include three different but related services:  

*   Incident Readiness
*   Incident Response Retainer
*   Emergency Incident Response Support  
    

"The first 72 hours of an attack are vital for limiting the damage. Not just to mitigate direct damages, but it’s also important for GDPR compliance, as organizations are required to report certain incidents within that time frame. Without an effective response during that window, organizations will struggle to understand the scope of the damages and what steps to take next,” added Brucciani.    

More information on WithSecure's range of incident response services is available at

**About WithSecure™**

WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models.  

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.

WithSecure Launches New Range of Incident Response and Readiness Services

As ChatGPT adoption grows, the industry needs to proceed with caution. Here's why.

With ChatGPT making headlines everywhere, it feels like the world has entered a _Black Mirror_ episode. While some argue artificial intelligence will be the ultimate solution to our biggest cybersecurity issues, others say it will introduce a whole slew of new challenges.

I'm on the side of the latter. While I recognize that ChatGPT is an amazing piece of technology, it is also an enabler for hackers, commoditizing nation-state capabilities for the benefit of the "script kiddies" — aka unsophisticated hackers. In addition to writing text, the technology opens up a scary scenario where a computer can be guided to look for information within images that humans can't immediately pick up but machines are sensitive enough to see. Examples would be reflections of passwords on glass, or people who appear in photos that would not appear in them without the help of AI.

As ChatGPT adoption grows, I believe the industry needs to proceed with caution, and here's why. There are three types of capabilities hackers can use ChatGPT for: mass phishing, reverse engineering, and smart malware. Let's take a look at each one of these in detail.

**Mass Phishing**

Because ChatGPT is so powerful, it can reduce the amount of time it takes to create handcrafted, personalized emails to a list of people from a few days to just minutes. And with just the click of a button, ChatGPT can answer very specific questions and use its knowledge to impersonate both security and non-security personnel experts. Because ChatGPT can also translate text into any style of writing or proofread at a very high level, once a list of employees and their details are attained, it's easy to mass create emails where a hacker is pretending to be someone else to increase the chances of a successful attack.

Phishing is an essential part of hacking organizations, whether it be to gain access to the servers of an organization or to attempt to convince people to transfer money. To combat this, business leaders must educate employees on the security implications of ChatGPT and how to spot potential attacks. I think employees should be especially critical of text and never assume something is coming from an authentic source. Instead of just blindly trusting anyone, employees should put their trust in other mechanisms, like paying close attention to whether an email/code came from the company server or whether it includes the proper signature. My biggest advice is for employees to use other means of verification besides the style of the text itself.

**Reverse Engineering**

ChatGPT is amazing at understanding code, or even machine code. By providing either binary code or obfuscated code of a system, ChatGPT can explain how the code works and what it does in a way that makes it easy for hackers to manipulate the piece of software and enable them to gain access to the company's servers.

Reverse engineering used to be a very rare and highly lucrative skill; historically, only nation-states could incorporate it into their operations. This is now something that can be done by the most basic hackers.

**Smart Malware**

ChatGPT can function as a mini-brain for malware, making it completely autonomous. Nowadays, sophisticated malware allows the hacker to tunnel through a company's servers to observe the hacked network and servers, and send commands on how to extract information. This operation usually involves a hacker connecting to malware he or she has managed to install somewhere within the hacked company's network or servers.

With ChatGPT, the malware can make decisions autonomously so it understands where the interesting data is, where passwords might be stored locally, and even how to connect to the data sources and extract the data automatically. ChatGPT can sift through much more data than a human — in some cases, even do it better — making the risk of a malware using ChatGPT much more dangerous than would be the case with simple malware that allows hackers to connect and operate it. Since it is completely autonomous — there's no longer a need for a hacker to control the malware and manually direct it to the right place — it is not only more dangerous, but it could be more common. This means more companies are at risk for being sporadically attacked, instead of being specifically targeted.

We've already seen Samsung fall victim to one of the first cyberattacks using ChatGPT, and it surely won't be the last to do so. This serves as a good reminder that companies across all industries must stay vigilant, training their employees to understand the cybersecurity risks of ChatGPT — not only when they are using it themselves, but when somebody else may be using it against them. Over time, I expect (and encourage) investment priorities to change so that privacy and security teams can ensure their organizations are not vulnerable to the negative ramifications of ChatGPT.

Source

DARKReading