Even as the rule book changes, the profession of the CISO remains unchanged: protecting the organization in a world of constant, continually evolving threats.

Source: filmfoto via Alamy Stock Photo

COMMENTARY  
In the high-stakes world of cybersecurity, the ground is shifting beneath the feet of those charged with protecting our digital infrastructure. First came the new Securities and Exchange Commission (SEC) rules and lawsuits related to cybersecurity. More recently, a US Supreme Court ruling promises to reshape the regulatory landscape, compelling federal officials to rethink their approach to cyber governance.  

Yet amid this whirlwind of change that has descended on the industry, it's critical for chief information security officers (CISOs) to remain steadfast and not be deterred — or discouraged — by this shift.  

Therefore, my message, drawn from decades in the security field, resonates with the stiff-upper-lip slogan of Britain in the run-up to World War II: Keep calm and carry on.  

**A Regulatory Tsunami**

The SEC's rules went into effect last December. Under the new rules, public companies must report any cyber incidents within four business days of determining that it was a material event. The SEC also requires that public companies disclose their strategies for handling cybersecurity risks.  

Those in the security world apprehensive about these anticipated changes became downright frightened when the SEC — even before its new rules went into effect — sued a company, SolarWinds, that had been going so far as to single out its CISO in its filings. Just weeks before its new cybersecurity laws were set to go into effect, the agency was sending a clear message to the country's CISOs: Complacency is no longer an option.  

When in July a federal judge dismissed most of the SEC's case against SolarWinds and its CISO, you could almost hear the sigh of relief among security professionals across the land.

But the judge simply confirmed what those of us in the cybersecurity field already understood: Holding a CISO personally liable for a cyberattack won't make systems more secure. While security professionals play a critical role in protecting a company, they cannot do so effectively without the collaboration and support of others. CISOs often have only partial visibility into an organization's attack surface. That, of course, is a serious impediment to conducting a complete risk assessment.  

To be clear, legislation can play a role in helping CISOs enhance an organization's defenses. The Food and Drug Administration's (FDA's) implementation of cybersecurity requirements for medical devices illustrates this well. Those regulations empowered CISOs to join the conversation and secure the resources needed to safeguard additional areas of their organizations. 

The SEC's newest ruling provides a similar opportunity — and long overdue change — for today's CISOs to be more involved in an organization's fuller set of technology decisions. 

**A Collective Responsibility **

At their core, CISOs are truth sayers — akin to an internal audit committee that assesses risks and makes recommendations to improve an organization's defenses and internal controls.  

Ultimately, though, it's the board and a company's top executives who set policy and decide what to disclose in public filings. CISOs can and should be a counselor for this group effort because they have the understanding of security risk. And yet, the advice they can offer is limited if they don't have full visibility into an organization's technology stack. 

"Many oversee a company's IT system, but not the products the company sells. That's crucial when it comes to data-dependent systems and devices that can provide network-access targets to cyber criminals. Those might include medical devices, or sensors and other Internet of Things endpoints used in manufacturing lines, electric grids, and other critical physical infrastructure.  

In short: A company's defenses are only as strong as the board and its top executives allow it to be. 

And if there is a breach, as in the case of SolarWinds? CISOs do not determine the materiality of a cybersecurity incident; a company's top executives and its board make that call. The CISO's responsibilities in that scenario involves responding to the incident and conducting the follow-up forensics required to help minimize or avoid future incidents.  

Even before the SEC got involved, though, liability was an underlying concern among security officers. Those whose job it is to protect our data systems invariably feel responsible when something goes wrong, whatever a federal agency might say.  

Ours is a business in which thwarting a bad actor 99 times will not make any difference if an intruder manages to breach defenses on the 100th try. That's the burden that comes with the CISO title, and that's why I've always recommended — long before the SEC's new transparency rules — that a CISO understand the complex threat landscape as well as the evolving regulatory environment.  

**The Chevron Decision: A New Layer of Complexity**

For cybersecurity professionals, the legal move potentially more significant than the dismissal of the SolarWinds suit was the Supreme Court's decision in June to reverse the so-called Chevron doctrine. The Chevron doctrine, established by a previous case in 1984, required the courts to defer to a federal agency's reasonable interpretation of ambiguous statutes.  

Now, the wisdom of agencies — whether the SEC or other bodies — is no longer assumed. The overturning of this decades-old Chevron precedent has created uncertainty around the enforcement of cybersecurity regulations, making it even potentially harder for CISOs to navigate the regulatory landscape.  

Even as the rule book may be in flux, though, the professional mission of the CISO remains unchanged: protecting their organization in a world of constant, continually evolving threats. That requires clear thinking and the ability to keep one's head amid chaos. 

In other words: Keep calm and carry on. 

**About the Author**

Nozomi Networks Advisory Board Member

Marene Allison is the former vice president and chief information security officer (CISO) for Johnson & Johnson, where she was responsible for protecting the company’s IT and OT systems worldwide. She is a member of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee and is a founding member of West Point Women, currently serving on its board of directors. In addition to serving as an adviser for Nozomi Networks, she served on the board of directors for H-ISAC (Health Information Sharing and Analysis Center) and ASIS International. Allison has received numerous awards, including being inducted into the CSO Hall of Fame in 2022 and named a 2023 Distinguished Graduate by the West Point Association of Graduates.

Why CISOs Must Think Clearly Amid Regulatory Chaos

Feeling creative? Have something to say about cybersecurity? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

What motivates you? What will change how you do security? Send us a cybersecurity-related caption to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Feb. 12 deadline:

*   Via social media: Bluesky, LinkedIn, Facebook, and X. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia for sending us the winning caption for last month's "Sneaking Around" cartoon. Some noteworthy contenders included "I guarantee you there are no backdoors to our network," "Finally found a way to get rid of all that old IT gea.," and "‘Yeah, asset disposal by ‘Back Door Inc.’ I’ll do the supplier assessment thing on Monday…’" Congrats to Paul, and a big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Incentives

The US Department of Commerce will prohibit the import of components for connected vehicles from China or Russia, as the US continues to ban technology it sees as potential national security threats.

Source: Hsyn20 via Shutterstock

Smart-vehicle makers are facing supply chain disruption as the US Department of Commerce plans to enforce new regulations banning the import of connected-vehicle technology from China and Russia over cybersecurity fears.

The Commerce Department pursued new regulations after President Biden declared a national emergency over concerns that the United States had become overreliant on China for information and communications technology and services (ICTS). The rule mandates that companies and their suppliers eliminate hardware or software imported from China or Russia in their vehicle connectivity system (VCS) or in their automated driving system (ADS).

It aims to address two concerns: vulnerabilities that would allow a nation-state or criminal organization to implant a backdoor in automotive hardware or software; and the collection of data on US drivers through diagnostic features and other mechanisms, says Yoav Levy, CEO and co-founder of automotive cybersecurity provider Upstream.

"The threat is definitely real," he says. "There are many cases where cars could be hacked — including the safety elements within the cars — and there were many cases where data was stolen or leaked. ... But so far, we haven't seen something like that on a huge scale."

Related:Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

The concerns come as software-defined vehicles (SDVs) shake up the automotive market, while also potentially increasing the cyberattack surface area of automobiles. In the past, vehicle makers created a variety of platforms for their different models, and the number of processors — known as electronic control units (ECUs) — quickly climbed. While the post-pandemic chip shortage slowed the shift to new platforms, manufacturers now aim to quickly reduce the number of ECUs and other hardware needed for the VCS and ADS systems. While current models, for example, can have as many as 130 ECUs, Rivian has already reduced the number of ECUs to seven in its second generation R1 vehicles.

**Wielding the Cyber-Ban Hammer**

Rivian aside, most automobiles have a wide variety of components sourced from China, raising concerns that the United States' reliance on the technologies could allow future compromises.

Banning technology from China and sanctioning Russia is nothing new, says Ivan Novikov, CEO at API security firm Wallarm. The US government has already raised cybersecurity concerns over telecommunications equipment from Huawei, Chinese-made cargo equipment at US seaports, home routers made by Chinese manufacturer TP-Link, and popular social media app TikTok.

Related:Strategic Approaches to Threat Detection, Investigation & Response

"This is kind of the next logical step," he says.

The new commerce regulations will prohibit any "transactions involving VCS hardware and covered software designed, developed, manufactured, or supplied" by people or organizations linked to China or Russia, according to a 213-page final rule, which will be put into effect after months of comments.

Yet, many implementation details remain unclear, Novikov says.

"The open question here is who will enforce the regulations, because the usual enforcement of security requirements and crash \[safety\] tests is under the Department of Transportation," he says. "It's unclear how these two agencies can work together, and how this final DoT requirements or restrictions or controls can work."

**Securing Supply Chains & the Economy?**

The impact on the supply chain will be significant, experts say. The first tier of OEMs — large US and international companies — are not the problem. Their products, however, often come from suppliers that source their own components from Chinese companies, says Alex Oyler, director for North America at industry consultancy SBD Automotive.

It's just one more way that the supply chain is currently undergoing changes, he says. Many carmakers are looking to rewrite their relationships with providers as they move to software-defined vehicles.

Related:Trusted Apps Sneak a Bug Into the UEFI Boot Process

"We're in a bit of a different phase of software-defined vehicle in the sense that OEMs are actually starting to become a lot more prescriptive in the specification of the components that they're sourcing," Oyler says. "It's more of what's called a build-to-print relationship, where they provide not the functional requirements, but requirements for the component architecture — we want this processor, we need this memory, we need this GPU."

The shift to other sources of supply will take years, with the Biden administration allowing carmakers a grace period to comply with the regulations: Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources.

Making such changes will not be easy, says Upstream's Levy.

"It's not that easy to replace a supplier," he says. "There are financial implications with the supply chain — maybe it's going to be more expensive, or there may be some changes to software that they would need to do for the for the new supplier — an adjustment to the architecture. ... It really depends on what they are actually going to replace."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

US Ban on Automotive Components Could Curb Supply Chain

New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.

Source: Thomas Bethge via Alamy Stock Photo

Highlights:

*   Consumer survey shows that the most common security issues are phishing attacks, such as text or emails seeking personal information, as well as malware and physical theft. 
    

*   Hands-on device testing shows that Samsung S24 offers the best anti-phishing protection, while the Google Pixel 9 Pro leads in many other areas. 
    

*   The iPhone 16 Pro and other premium Android smartphones from Honor, Xiaomi, and OnePlus lack security features and protections. 
    

COMMENTARY  
New research from Omdia shows that the security capabilities on several of the latest consumer smartphones, including top devices from Apple, Google, and Samsung, fail to detect several types of common phishing attacks.

As part of the fourth-annual Omdia Mobile Device Security Scorecard, Omdia surveyed 1,572 consumers across 13 major countries in the Americas, Asia and Oceania, and Europe, in October 2024. This survey covered the demographics of smartphone users, their security concerns and attitudes, their perception of the most common security threats, and the key smartphone purchasing drivers.

Consumers reported that the most common security issue they encountered was phishing scams and attacks (texts, emails or calls which use false pretenses to try to get the target to give away valuable personal information), with 24% reporting to have experienced phishing. 

Omdia also asked consumers to rate how important various security features were, with anti-phishing having the largest net-importance rating. In fact, over the four years Omdia has conducted its Mobile Device Security Scorecard research, anti-phishing has been rising in importance. This is no surprise, as phishing not only becomes more common, but also as consumers become more familiar with the attacks and the potential for personal information theft or financial loss. 

The next most common security issue was malware and viruses. The third most common was physical theft, such as pickpocketing, mugging or snatching. 

**Mobile Device Security Testing Results**

For each of these security issues, Omdia tested leading premium smartphones to determine availability and effectiveness of security features and capabilities. Google's Pixel 9 Pro and Samsung's Galaxy S24 both scored highly, ahead of Apple's iPhone 16 Pro and other leading Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro.

Despite the importance consumers place on phishing prevention on mobile devices, the anti-phishing features failed to some degree on every device Omdia tested. No device caught all the attempted phishing texts, calls, and emails initiated as part of the testing.  

Several of the devices did catch simulated spam calls: All Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung, which have voice call protection, flagged suspected spam calls before the recipient could answer the call. The iPhone 16 Pro, however, did not have the same protections and did not catch the simulated spam call. 

Text messages with malicious short links were sent from an unknown number and sender ID, but these were not successfully caught by the test devices. Simulated phishing emails were sent from both Gmail and Google's Mail Delivery subsystem, but no device caught the phishing emails from Gmail; the messages were only identified as spam when sent from Google's SMTP. 

Despite not all phishing texts and emails being caught, once malicious links were opened on the devices, those that use Google Safe Browsing protections successfully blocked the link from opening. A warning screen was raised, forcing the user to bypass it to proceed.

Yet not all Android devices performed similarly: Samsung Internet blocked most links except the more sophisticated custom URLs, while the Xiaomi Mii and OnePlus Internet browsers failed to warn the user even when loading known malicious links. 

In previous years' testing, smartphones have been able to detect and successfully block or warn against the attempted phish. However, the difference year-on-year showcases the ever-changing nature of threats.

**Lack of Mobile Security Impacts Consumer Trust**

The lack of effective security protections on mobile devices, particularly against the growing threat of phishing attacks, is eroding consumer trust.

When Omdia asked consumers if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer. 

Despite some manufacturers' efforts to ensure the latest mobile device security protections are in place, Omdia notes that it is difficult to protect against 100% of phishing attempts. This highlights the severity of the issue and potential impact to consumers.

That said, Omdia asserts that smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities on the market) and should have more effective baseline phishing protection in place — such as voice call protection, and all Android devices making use of Google’s Safe Browsing protections. 

Omdia sees the value in the phishing protection features implemented by the leading smartphone vendors, and how this can help to protect consumers — at least in most instances, based on Omdia's latest round of testing.

However, these features need to be paired with awareness activity from manufacturers, as well as the wider industry, to help consumers be vigilant and prepared for the instance when a security threat evades a protection mechanism. Such awareness adds an important additional layer of protection against the rising number of scams targeting consumers through their mobile devices.

**About the Authors**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Senior Analyst, Smartphones, Omdia

Aaron West provides expertise and analysis of the smartphone market, joining Omdia in 2022. His areas of reporting include the active smartphone installed base, eSIM development, mmWave 5G, sustainability, and the foldable smartphone market.

Aaron has a range of research and publishing experience. He graduated with a degree in theoretical physics before moving into consumer product testing, with a focus on sustainability and the environment.

In this role, he was responsible for research project management, including comparative testing of technology products and consumer surveys. He also reported on the energy efficiency and longevity of home appliances, as well as the product lifecycle and obsolescence of smartphones.

Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers

The Supreme Court has affirmed TikTok's ban in the US, which has its users in revolt and is creating a whole new set of national cybersecurity concerns.

Source: Roykas Tenys via Alamy Stock Photo

Now that the US Supreme Court has upheld a ban on the wildly popular video social media platform we know as TikTok, its most influential users have decided to retaliate by moving their game over to REDnote, a competing Chinese social media company, thus creating an entirely new, and arguably worse, situation for the nation's cybersecurity.

The move to the alternate platform is emerging as a pop culture phenomenon. Of TikTok's roughly 170 million monthly users in the US, more than 3 million have already headed over to REDnote. Chart-topping rapper Doechii announced her account, with 2.5 million followers, was headed over to REDnote just days before the Supreme Court ruling. Bunnie XO, wife of country music star Jelly Roll, with 7 million TikTok followers, has already declared her love for Mandarin Trap music after spending time on the app. The term "TikTok refugees," referring to new US users, is trending on REDnote, according to data. Searches for REDnote have spiked 100% over the past three months, and a recent "TikTok refugees" live chat attracted more than 50,000 users across the US and China.

Meanwhile, native Chinese speakers on the app are teaching their new group of US users how to correctly pronounce REDnote's Mandarin name, "Xiaohongshu," which directly translates to "Little Red Book," sharing the same name as Mao Zedong's book of quotations. Chairman Mao founded the People's Republic of China.

And, as US TikTok culture jokes about willingly handing over their data to a Chinese company with impunity as payback for the government's ban of the app, the US national security over TikTok just got even more problematic, according to experts.

**REDnote's Cybersecurity Problems**

ByteDance, the parent company behind TikTok, is headquartered in Singapore, and it has tried to convince the US it is run independent of the Chinese government. REDnote, on the other hand, is based in Shanghai, and it's one of the few social media platforms allowed to operate on both sides of the Great Firewall, making spying on Americans and throttling propaganda aligned with the Chinese Communist Party (CCP) agenda seemingly much easier. For US users interested in the specific terms of service to use REDNote, they are written in Mandarin, leaving the few who want to drill down on the app's data use to rely on Google Translate or a similar service to decipher the details.

"REDnote appears to be a more dangerous application than TikTok, as its terms of service are in Mandarin and it has not been vetted as extensively as TikTok," Ted Miracco, CEO of Approov, says. "REDnote's servers are primarily located in China, which means that user data is subject to Chinese cybersecurity laws that require companies to grant government access upon request. This situation contrasts with TikTok, which has made efforts to store some user data on US servers, offering a modicum of oversight by American authorities."

That said, national security concerns about a Chinese company controlling such a huge communications platform as TikTok in the US were well founded, according to Lawrence Pingree, vice president of Dispersive.

"I think that there are some valid concerns about the involvement of government agencies in espionage and influence operations that are important issues to address," Pingree said. "Things like data sovereignty, isolation networks and access, regular trusted third-party audits, background checks, authentication of remote employees, and, potentially, source code review are all prudent measures to require. Bans need to consider the totality of the situation, and the politics of the time."

And the politics are indeed prickly. Chinese government-backed hackers have been ramping up their espionage activities in recent weeks with compromises of multiple telecommunications networks and a breach of the US Treasury Department systems. Just a day before the Supreme Court's ruling, President Biden issued a sweeping new executive order on cybersecurity, directly calling out the malign activities of the Chinese government against the US.

The chances of a Chinese company like REDnote complying with any of the US's TikTok requirements to operate, like audits and background checks for employees, seem pretty slim in this environment.

**The Cyber Problem With the TikTok Ban**

The ban, which technically goes into effect on Sunday, was narrowly focused on TikTok and simply doesn't go far enough, Approov's Miracco adds.

"As the problem of data misuse continues to escalate, focusing solely on foreign platforms like TikTok without addressing the systemic issues within domestic social media creates an incomplete solution. A comprehensive approach is needed — one that holds all social media companies accountable for their data practices and prioritizes user privacy and security across the board," Miracco insists.

The ongoing larger problem is that legislation and lawmakers continue to lag behind technology, he adds. The ban wasn't able to effectively meet the moment, creating unintended consequences for US national security.

"The slow pace of legislative and legal actions often fails to keep up with the rapid evolution of technology and tactics employed by bad actors," Miracco says. "This gap can leave users unprotected against emerging threats that exploit the chaos surrounding the ban. As users seek alternatives to TikTok, they will inadvertently download less secure or malicious applications, including REDnote."

However, the threat of users migrating to other apps shouldn't be a deterrent to making decisions to improve US cybersecurity posture, argues Willy Leichter, chief marketing officer of AppSOC.

"The ban may inspire targeted attacks against other US-based social media platforms, but those are already happening. As a general rule, you shouldn't let the fear of reprisals stop you from taking proactive security steps," Leichter says. "We need to be prepared for the consequences anyway."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Has the TikTok Ban Already Backfired on US Cybersecurity?

The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.

Source: Marcos Alvarado via Alamy Stock Photo

A wide spectrum of data is being shared by employees through generative AI (GenAI) tools, researchers have found, legitimizing many organizations' hesitancy to fully adopt AI practices.

Every time a user enters data into a prompt for ChatGPT or a similar tool, the information is ingested into the service's LLM data set as source material used to train the next generation of the algorithm. The concern is that the information could be retrieved at a later date via savvy prompts, a vulnerability, or a hack, if proper data security isn't in place for the service.

That's according to researchers at Harmonic, who analyzed thousands of prompts submitted by users into GenAI platforms such as Microsoft, Copilot, OpenAI ChatGPT, Google Gemini, Anthropic's Clause, and Perplexity. In their research, they discovered that though in many cases employee behavior in using these tools was straightforward, such as wanting to summarize a piece of text, edit a blog, or some other relatively simple task, there were a subset of requests that were much more compromising. In all, 8.5% of the analyzed GenAI prompts included sensitive data, to be exact.

**Customer Data Most Often Leaked to GenAI**

The sensitive data that employees are sharing often falls into one of five categories: customer data, employee data, legal and finance, security, and sensitive code, according to Harmonic.

Customer data holds the biggest share of sensitive data prompts, at 45.77%, according to the researchers. An example of this is when employees submit insurance claims containing customer information into a GenAI platform to save time in processing claims. Though this might be effective in making things more efficient, inputting this kind of private and highly detailed information poses a high risk of exposing customer data such as billing information, customer authentication, customer profile, payment transactions, credit cards, and more.

Employee data makes up 27% of sensitive prompts in Harmonic's study, indicating that GenAI tools are increasingly used for internal processes. This could mean performance reviews, hiring decisions, and even decisions regarding yearly bonuses. Other information that ends up being offered up for potential compromise includes employment records, personally identifiable information (PII), and payroll data.

Legal and finance information is not as frequently exposed, at 14.88%, however, when it is, it can lead to great corporate risk, according to the researchers. Unfortunately, when GenAI is used in these fields, it's for simple tasks such as spell checks, translation, or summarizing legal texts. For something so small, the consequences are incredibly high, risking a variety of data such as sales pipeline details, mergers and acquisition information, and financial data. 

Security information and security code each compose the smallest amount of leaked sensitive data, at 6.88% and 5.64%, respectively. However, though these two groups fall short compared to those previously mentioned, they are some of the fastest growing and most concerning, according to the researchers. Security data inputted into GenAI includes penetration test results, network configurations, backup plans, and more, providing exact guidelines and blueprints as to how bad actors can exploit vulnerabilities and take advantage of their victims. Code inputted into these tools could put technology companies at a competitive disadvantage, exposing vulnerabilities and allowing competitors to replicate unique functionalities.

**Balancing GenAI Cyber-Risk & Reward**

If the research shows that GenAI offers high-risk potential consequences, should businesses continue to use it? Experts say they might not have a choice.

"Organizations risk losing their competitive edge of if they expose sensitive data," said the researchers in the report. "Yet at the same time, they also risk losing out if they don't adopt GenAI and fall behind."

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, agrees. "Companies that don’t adopt generative AI risk losing significant competitive advantages in efficiency, productivity, and innovation as the technology continues to reshape business operations," he said in an emailed statement to Dark Reading. "Without GenAI, businesses face higher operational costs and slower decision-making processes, while their competitors leverage AI to automate tasks, gain deeper customer insights, and accelerate product development."

Others, however, disagree that GenAI is necessary, or that an organization needs any artificial intelligence at all.

"Utilizing AI for the sake of using AI is destined to fail," said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement to Dark Reading. "Even if it gets fully implemented, if it isn't serving an established need, it will lose support when budgets are eventually cut or reappropriated."

Though Kowski believes that not incorporating GenAI is risky, success can still be achieved, he notes.

"Success without AI is still achievable if a company has a compelling value proposition and strong business model, particularly in sectors like engineering, agriculture, healthcare, or local services where non-AI solutions often have greater impact," he said.

If organizations do want to pursue incorporating GenAI tools but want to mitigate the high risks that come along with it, the researchers at Harmonic have recommendations on how to best approach this. The first is to move beyond "block strategies" and implement effective AI governance, including deploying systems to track input into GenAI tools in real time, identifying what plans are in use and ensuring that employees are using paid plans for their work and not plans that use inputted data to train systems, gaining full visibility over these tools, sensitive data classification, creating and enforcing workflows, and training employees on best practices and risks of responsible GenAI use.

Employees Enter Sensitive Data Into GenAI Prompts Far Too Often

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

Source: JHVEPhoto via Alamy Stock Photo

Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that's still making waves today.

Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the autological FortiSwitchManager. Earning a "critical" 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit, a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre "Belsen Group" released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, "Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025."

Related:Extension Poisoning Campaign Highlights Gaps in Browser Security

**Possible Clues to Belsen Group's Origins**

"2025 will be a fortunate year for the world," the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it's in Ukraine's annexed Crimea region.

Related:Trend Micro and Intel Innovate to Weed Out Covert Threats

These points of data may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded "with high confidence" that it has been around for at least three years now, and that "They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet."

**What's the Cyber-Risk?**

The leaked listings contain two types of folders. The first, "config.conf," contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization's firewall rules. This data was stolen via CVE-2022-40684. In the other folder, "vpn-password.txt," are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.

Though the data is all rather aged by now, Beaumont wrote, "Having a full device config including all firewall rules is … a lot of information." CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations' internal network structures that may still apply today.

Related:Zivver Report Reveals Critical Challenges in Email Security for 2025

Organizations also often don't cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old authentications matched those still in use.

Fortinet, for its part, tried to quell concerns in a security analysis published on Jan. 16. "If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor's disclosure is small," it explained.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

15K Fortinet Device Configs Leaked to the Dark Web

The cyber actor played a role in the Treasury breach as well as attacks on critical infrastructure, linked to China-backed advanced persistent threat (APT) group Salt Typhoon.

Source: Trek and Shoot via Alamy Stock Photo

NEWS BRIEF

The Department of the Treasury's Office of Foreign Assets Control (OFAC) announced that it is sanctioning Yin Kecheng, a cyber actor based in Shanghai, who was involved in the recent breach that compromised the Department of Treasury's network.

The OFAC is also sanctioning Sichuan Juxinhe Network Technology, a cybersecurity company based in Sichuan involved with Salt Typhoon, a Chinese state-backed cybercriminal group that has compromised major US telecommunications companies and ISPs.

These designations are just the latest in a series of moves made by the Treasury in an effort to combat malicious cyber activity by the People's Republic of China (PRC) and PRC-backed actors. Previously sanctioned groups include Integrity Technology Group, for its association with Flax Typhoon activity, Sichuan Silence Information Technology, and Wuhan Xiaoruizhi Science and Technology.

"The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically," said Adewale Adeyemo, deputy secretary of the Treasury Department.

The US Department of State's Rewards for Justice program is offering up to $10 million for any information leading to identifying or locating any person who engages in malicious cyber activities against US critical infrastructure under the direction of a foreign government. 

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

US Sanctions Chinese Hacker &amp; Firm for Treasury, Critical Infrastructure Breaches

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses.

COMMENTARY

Hacking is innovation in its purest form. Like any other innovation, a successful hack requires developing a creative solution to the scenario at hand and then effectively implementing that solution. As technologies facilitate implementation, successfully preventing a hack (that is, blue teaming) or simulating an attack to test defenses (red teaming) will require a better understanding of how adversaries generate creative ideas.

In the 1990s, many organizations and vendors did not sufficiently prioritize security when designing systems. As a result, finding solutions to bypass their security measures took hackers relatively little time. The problem was that while many hackers could imagine attacks that would bypass these rudimentary security measures, few had the technical skills to implement those attacks. For instance, while hacking enthusiasts theoretically understood how to abuse vulnerabilities in insecure network protocols, most lacked the technical skills necessary to write a raw socket library to do so. The bottleneck was implementation.

Over the next two decades, automated tools were developed for almost every generalized attack pattern. Suddenly, the complicated solutions that a '90s hacker could only imagine but lacked the programming capability to execute became possible with the click of a button for anyone. While some attacks still require technical skills, today it is possible to hack by creatively chaining together the abundant functions of various automated hacking tools (e.g., Metasploit, Burp Suite, Mimikatz) to penetrate the system's cracks.

Similarly, it is easy to find help, such as Copilot apps and software developers on freelancing platforms, to write specific functions required to implement an attack. In other words, with the advent of new tools and platforms, the emphasis in a successful hack has been shifting from implementation (that is, being able to write the code for the attack you imagine) to creativity (being able to imagine a novel attack). Now, the advent of large language models (LLMs) with growing inventive capabilities means that pure creativity — rather than bottlenecks in technical capability — will drive the next era of hacking.

**A New Breed of Hackers**

How will this new breed of hackers differ in terms of how they devise new cyberattacks? In many cases, this creativity will take the form of designing a novel prompt, as implementation will increasingly happen through LLMs and their various plug-ins (for instance, Anthropic's Claude 3.5 Sonnet model can already use computers). Most importantly, because many of them will not have a background in computer science, their reasoning will build on ideas and solutions from different domains — also known as analogical transfer. Many fighters in history designed novel martial arts by drawing inspiration from the behaviors of different animals. In a similar vein, a recently developed side-channel attack uses signals from wireless devices in a building to map the bodies of the people inside (analogous to how bats use echolocation to find their prey). Research has also found that information can be stolen even from air-gapped systems not connected to the Internet by examining the electromagnetic wave patterns emitted by a screen's cable or by analyzing the acoustic sound patterns of the screen itself to reconstruct the contents displayed on the computer's screen (perhaps analogous to reconstructing the recent history of a black hole by analyzing faint remnant signals in the form of Hawking radiation).

It's likely that novel prompts making similar analogies will lead to creative uses of LLMs in devising new and unexpected attack patterns. They may draw inspiration from famous battles, chess games, or business strategies, resulting in novel attack patterns or techniques. This also means that successfully preventing such attacks or emulating them for red-teaming purposes will require using research methods from behavioral sciences — such as marketing — to extrapolate common or uncommon prompts an attacker might try.

Research into potential prompts for designing an attack can take various forms. Traditional research methods, such as idea generation experiments, surveys, and in-depth interviews, can provide insights into common and uncommon prompts people may consider. Additionally, research from search engines and social media platforms may offer ideas about common combinations of knowledge (for instance, market basket analysis), which can be valuable for estimating potential analogies that people interested in hacking may be more likely to generate. Finally, crowdsourcing-based research, such as hacking challenges, will again be an asset, but the focus will be not only on the attack but also on the prompts used to develop that attack. Prompts that result in novel attacks are likely to be regularly utilized by both blue and red teams, much like Google Dorks are employed today.

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses. Insights from behavioral sciences like marketing will play a key role in achieving this goal.

**About the Authors**

Reader (Associate Professor) in Digital Innovation and Information Security, King's College London

Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London. He is also a research affiliate of the King’s AI Institute and a member of both the Cybersecurity Research Centre (King’s Informatics Department) and the Cyber Security Research Group (King’s War Studies Department). 

Professor of Marketing & Innovation, King's College London

Oguz A. Acar is a professor of marketing and innovation and head of generative AI at King's Business School, King's College London. He is also a research affiliate at Laboratory of Innovation Science at Harvard University and an expert at World Economic Forum.

Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

A highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.

Source: Daniren via Alamy Stock Photo

A suspected Russia-nexus threat actor has been executing convincing spear phishing attacks against diplomatic entities in Kazakhstan.

UAC-0063, active since at least 2021, was first documented by Ukraine's Computer Emergency Response Team (CERT-UA) in 2023. With medium confidence, CERT-UA tied it to APT28 (aka Fancy Bear, Forest Blizzard, Strontium, Sofacy), from the General Staff Main Intelligence Directorate (GRU) Military Unit 26165. APT28 is best known for its high-profile attacks against Western governments: the Democratic National Committee (DNC) hack of 2016, campaigns against parliamentary bodies in Germany, Norway, and the Netherlands, and much more.

UAC-0063, specifically, has used cyber operations to collect intelligence from government entities, nongovernmental organizations (NGOs), academic institutions, and energy and defense organizations in Eastern Europe — most notably Ukraine — as well as Central Asia, including Kazakhstan, Kyrgyzstan, Tajikistan, and other countries in the vicinity, including Israel and India.

Its latest ongoing campaign, which, in a blog post, researchers from Sekoia date back to at least 2022, may fold into a broader effort by Vladimir Putin's government to gain strategic insights into, and advantage over, a former Soviet state that has sought to broaden its diplomatic horizons in recent years.

**Phishing Kazakh Diplomats**

On Oct. 16, 2024 — one month after it'd been deployed in the wild — researchers spotted a diplomatic document uploaded to VirusTotal. It appeared to be a legitimate draft of a joint declaration between the chancellor of Germany and heads of Central Asian countries.

"The first step, when you open this document, is that it asks you to enable macros," recalls Amaury Garçon, cyber threat intelligence (CTI) analyst at Sekoia Threat Detection & Research (TDR), adding that the document was obscured by "shapes" at first sight. "Some phishing documents look really ugly or have a bad shape \[at first\] — they prompt the user to enable macros, because if you don't enable macros you can't write text in the document, can't move images, etc.," he notes.

Clicking "enable" would trigger various malicious, unseen commands on a target device. While the user was made privy to the full, unadulterated lure document, in the background their security settings would be downgraded so as to remove the need for future "enable macros" prompts. Next a second, blank document was created and opened by a hidden instance of Microsoft Word. The Visual Basic (VB) code associated with this hidden document — now enabled by default, of course — dropped and executed a malicious HTML application (HTA) containing a backdoor named "HatVibe."

The purpose of HatVibe is to receive and execute code from a remote server. Though Sekoia couldn't identify the payloads associated with this phishing campaign, CERT-UA has previously observed HatVibe downloading and executing a more complex Python backdoor named "CherrySpy."

**What This Means for Kazakhstan and Russia**

Six weeks after researchers spotted the first VirusTotal upload associated with this campaign, on Nov. 27, Putin went on a two-day state visit to the country he deemed Russia's "true ally," Kazakhstan. He and Kazakhstan's president, Kassym-Jomart Tokayev, used the opportunity afforded by the Collective Security Treaty Organization (CSTO) summit to discuss various areas for economic partnership — particularly around the energy sector — and signed agreements over energy, education, and transportation.

"Central Asia is a real point of interest for Russian influence," Maxime Arquillière, senior CTI analyst at Sekoia TDR explains. "We know that Kazakhstan is a close ally, but since the beginning of the Ukraine war, Kazakhstan has distanced itself a little bit from Russia, trying to develop new connections with both Western states and also China."

Kazakhstan's centrality in the Asian continent positions it nicely as a trade bridge between China and Europe, particularly while Ukraine and Russia are consumed by war. And as Sekoia notes in its blog, the country's gradually broadening geopolitical ties are evident in recent agreements with Mongolia and Afghanistan's new Taliban government, and, most notably, its balanced position on the war in Ukraine — supporting Ukraine's right to territorial integrity without outright condemning Russia's invasion.

This latest cyber campaign, then, fits neatly into Russia's broader initiatives with regard to its Central Asian neighbor. Sekoia identified 11 lure documents in all, each one legitimate and likely having originated with Kazakhstan's Ministry of Foreign Affairs, pertaining to diplomatic business between Kazakhstan and potential partner nations.

Exactly how the threat actor obtained these documents is not known. They include, for example:

*   Letters from Kazakhstan's embassies in Afghanistan and Belgium, regarding diplomatic and economic developments.
    
*   A draft of a joint statement between Germany and Central Asian states, following a Sept. 16, 2024, summit in Astana.
    
*   Administrative reports and briefings on the Kazakh president's visits to Mongolia and New York.
    

"It's really coherent with the \[need for\] Russian intelligence to conduct this kind of cyber espionage, to know about the strategic interests between Kazakhstan and European states," Arquillière says.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Source

DARKReading