The company says no sensitive data was stolen, but federal agencies claim otherwise. CISA and FBI sources said attackers accessed all records of specific customers and the private communications of targeted individuals.

Source: GK Images via Alamy Stock Photo

T-Mobile USA is the latest telecommunications provider to acknowledge it's been targeted by the Chinese advanced persistent threat (APT) known as Salt Typhoon, as part of a widescale and unsettling cyber-espionage operation that hacked numerous US and international telecommunications companies aiming to steal sensitive information.

The second-largest wireless carrier in the US is currently investigating and monitoring a cyberattack "consistent" with the recent activities of the Chinese state-sponsored cyber actor, a company spokesperson told Dark Reading late on Nov. 18 in a statement.

However, so far, the company has "had no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced," according to T-Mobile. Moreover, "there have been no significant impacts to T-Mobile systems or data," the company said. T-Mobile, based in Bellevue, Wash., has more than 127.5 million US subscribers.

However, T-Mobile's account differs from reports in which federal agencies said that there is evidence that the threat actor gained access to sensitive data, according to a published report in the Wall Street Journal that cited sources from the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

Related:Akamai Reports Third Quarter 2024 Financial Results

According to those agencies, Salt Typhoon accessed call records of specific customers, private communications of targeted individuals, and information about law enforcement surveillance requests in an effort to gather intelligence on high-ranking US national security and policy officials, the report said.

**T-Mo Cyberattack: Full Impact Yet Unknown**

All in all, the wave of recent attacks by Salt Typhoon that have rocked telecom providers both at home and abroad — including AT&T, Verizon, and Lumen Technologies — is "unnerving," says one industry expert.

"No one is pleased with the idea that the Chinese government has access to information about us from our cellphones, one of the more intimate devices used in our daily life," says Jim Routh, former CISO at Aetna, American Express, and CVS and currently chief trust officer at security firm Saviynt. "The practical reality is that this incident does little to change the risk of a significant impact to US consumers."

As T-Mobile is not yet acknowledging that data was even stolen, let alone what type of data, the full impact of the attack won't be known for some time, Paul Bischoff, consumer privacy advocate at Comparitech, notes. That said, there is a chance it's not as serious as some fear depending on what is revealed, he observes.

Related:Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

"Metadata like call times and participants, although concerning, is not nearly as scary as state-sponsored threat actors stealing texts and audio messages," Bischoff says.

Still, the national security implications of Chinese threat actors rooting around in the personal data of mobile device users, and then using that data to "island hop into a myriad of government agencies and critical infrastructures … are profound," observes another security expert, Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

"This is the third telecom provider compromised by \[China\] in the last 12 months," Kellermann says. "The systematic campaign of infiltration will take months to root out."

**Further Salt Typhoon Telecom Attacks Imminent?**

Indeed, experts have surmised that the idea behind Salt Typhoon's wave of attacks is to leverage the useful information that can be gleaned from people's personal communications to launch further malicious activity and/or potentially disrupt communications to further China's interests in its political and economic conflict with the US.

"We can expect to see additional attacks by this group in the coming months, as \[it\] works to access the phone lines and records of national security officials and politicians," notes Chris Hauk, consumer privacy champion at Pixel Privacy.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

The incidents are certainly a rude awakening for telecommunications and other critical infrastructure providers, and demonstrate just how vulnerable they are to compromise by organized cybercriminal groups, experts say. Indeed, T-Mobile itself doesn't have the best track record in cybersecurity, Bischoff notes, as just last month the mobile carrier paid a $31.5 million settlement to resolve multiple data breaches that took place over three years.

The threat of imminent further attacks by Salt Typhoon demand that telecom providers act fast to shore up cybersecurity efforts. "We can expect to continue to see attacks like this, as well as traditional ransomware attacks," Hauk notes, "as state actors continue to wage a cyberwar against the United States and its vulnerable infrastructure."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Salt Typhoon Hits T-Mobile as Part of Telecom Attack Spree

Individual companies and entire industries alike must take responsibility for protecting customer data — and doing the right thing when they fail.

Chris Lindsey, Application Security Evangelist, Mend.io

November 19, 2024

5 Min Read

Source: Anthony Brown via Alamy

Having a long career in cybersecurity doesn't stop me from being included in the same data breaches and mass involuntary disclosures of consumer information as everyone else. And like everyone else, I probably have now collected enough years of "free" credit monitoring that some of it could be passed on to my kids upon my death — maybe there will be some left for my grandkids, too.

Not that credit monitoring isn't helpful — one big benefit is the detection of data on the Dark Web, which has shed more light on the frequency of breaches. Through my free credit monitoring obtained after one breach, I have been notified about my data showing up on the Dark Web, indicating a new breach has occurred with a different company, long before the company notified me itself.

Last year, over a third of Americans experienced fraudulent charges on their debit or credit cards, email or social media account takeovers, or a fraudulent attempt to open a line of credit or take out a loan in their name, according to Pew Research Center.

Breaches don't seem to be slowing down. Identity Theft Resource Center reports there were 78% more breaches in 2023 than the previous year. There are hundreds of millions of victims each year.

It certainly feels like no one cares. It's true that stock prices do recover after a major breach, and they seem to be recovering faster each time. Wall Street must assume that consumers just don't care that much, but I don't see that continuing for long. Consumers might feel helpless, they might even feel hopeless, but they absolutely do care. If they start to take action, the economy will feel it.

Consider what might happen if most American consumers, concerned about the number of data breaches, decided to just take the simple action of freezing their credit. It would probably be healthier for the economy overall if the ability to borrow impulsively was removed, but it's not "good for business" and could negatively affect several sectors — retail in particular — significantly. This is not unrealistic. Just a few years ago, freezing and unfreezing credit was a bit of a hassle. Today it takes only a couple minutes per credit bureau.

So maybe companies ought to treat disclosure victims a little better and do more to not create victims in the first place.

Below are some ideas.

**Before a Breach**

At the very minimum, companies that hold personal health information or personally identifiable information on databases that can be accessed from the Internet should have a bug bounty program. Bug-bounty programs allow freelance security researchers to earn money by "hacking" companies and responsibly disclosing the vulnerabilities they found in the process. Without a clear program, these researchers are not only not guaranteed any reward for doing the right thing, they also are not guaranteed safe harbor against legal action being taken against them.

It also makes sense for companies of at least a certain size to obtain and share security certifications. At present, these certifications are voluntary. Eventually, government regulation may change that. For now, however, industry regulation will need to take the reins. Businesses that rely in any way on freely available consumer credit, such as retail stores that offer store credit cards, should be especially on top of their security certifications and wary of working with third parties who aren't.

**After a Breach**

The number of breaches should absolutely be lower than it is, but even with great security, breaches can and will still occur. What's important after a breach is protecting the affected consumers and not insulting them.

The first thing businesses should do is step up their disclosure game and notify customers in a timelier manner that their data has been compromised. It took Change Healthcare six months to send me a notification letter informing me that I was included in their breached data, but I was already keenly aware that this had happened months earlier. What was the point of the delay?

Next, companies need to do more than free credit monitoring. Credit monitoring is valuable, but it's reactive security on the consumer's end. Giving victims access to free password management services as well would provide them with a proactive tool.

But companies giving out another relatively cheap service is likely not going to cause companies enough pain to force them into prioritizing security any more than they are now. Regarding those industry regulations, certification should be contingent on an agreement to pay victims directly in the event of a breach, something like $5 to $50 per person per event.

If the company has good security implemented and proof that proper controls were in place, then they would pay less. If an ostensibly reputable company that has been identified as compliant is found to be grossly negligent, then not only should that company have to pay a higher amount to each consumer, the certification body should also have to pay out to victims. This extra agreement would bolster the overall value that the certifiers provide because it prevents blind certification to any company willing to pay for it.

The sun is setting on companies getting away with being opaque, cheap, and slow to react after major breaches of customer data. Individual companies and entire industries alike must take responsibility for protecting customer data and doing the right thing when they fail.

**About the Author**

Application Security Evangelist, Mend.io

Chris Lindsey is a seasoned speaker who has appeared at conferences, webinars, and private events. Currently building an online community and creating a podcast series, Chris draws on expertise from more than 15 years of direct security experience and over 35 years of experience leading teams in programming and software, solutions, and security architecture. For three years, Chris built and led an entire application security program that includes the implementation of mature AppSec programs, including oversight of security processes and procedures, SAST, DAST, CSA/OSA, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.

We Can Do Better Than Free Credit Monitoring After a Breach

Freshly released court documents reveal new details on controversial Israeli spyware firm's operations.

Source: Shubham singh 007 via Shutterstock

Israel's NSO Group may know a lot more about how customers use its Pegasus commercial spyware product than the company has let on, newly released court documents connected to a legal dispute with Meta's WhatsApp suggest.

In fact, NSO Group installed and operated the spyware on behalf of its customers, making the company directly liable for the spyware's use, WhatsApp lawyers said in one court filing, released Nov. 14 in the US District Court for the Northern District of California.

The court documents are part of a lawsuit that WhatsApp filed against NSO Group in October 2019 after discovering the Israeli firm had used WhatsApp servers to distribute Pegasus to some 1,400 mobile phones, including those belonging to journalists and rights activists.

The lawyers also claimed that NSO Group repeatedly developed and used exploits for abusing WhatsApp's servers to install Pegasus on target devices, including at least once after WhatsApp had sued the company over the issue.

**NSO 'Solely Responsible'**

"NSO is solely responsible for Pegasus’s unauthorized access to WhatsApp's servers," the social media giant noted in one briefing. "Despite what NSO has claimed, its customers had a minimal role in how the spyware tool operated or collected information. All that NSO Group customers typically had to do was enter their target's phone number, press install and wait for the malware to install on the target device without any further interaction," they noted.

Related:Trustwave-Cybereason Merger Boosts MDR Portfolio

"In other words, the customer simply places an order for a target device's data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus," WhatsApp's lawyers said. The company, in fact, was so aware of how customers were using its malware that it actually disconnected service to 10 customers for excessive abuse, the lawyers claimed.

**Controversial Surveillance Software**

Pegasus is a controversial mobile spyware designed to secretly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detection by antivirus software. NSO Group claims to sell the technology solely to authorized government agencies for legitimate law enforcement, crime-fighting, and anti-terror purposes. But critics argue that the tool has been misused, particularly in authoritarian regimes, to target journalists, human rights activists, political dissidents, and others critical of the government.  

Related:Xiphera & Crypto Quantique Announce Partnership

A 2021 database leak revealed that NSO Group customers had, at the time, targeted more than 50,000 phone numbers for surveillance in countries like Mexico, Hungary, and India. The US government formally blacklisted the company in 2021, meaning its ability to operate in the US or do business with US entities abroad is severely restricted.

The NSO Group has tried to get US courts to dismiss WhatsApp's lawsuit against the company, citing, among other things, a lack of jurisdiction and the fact that its clients are mostly governments and therefore are not doing anything illegal. WhatsApp lawyers have sought to portray NSO Group as indeed being liable for Pegasus by attempting to tie the vendor more directly to customer use of the spyware tool.

In the newly released court documents, WhatsApp has alleged that NSO Group repeatedly and deliberated worked around the mechanisms the company put in place to prevent misuse of the secure messaging platform. One of them was a modified WhatsApp client app called the WhatsApp Installation Server (WIS) that could access WhatsApp's back-end servers in ways its own client software could not. NSO Group then developed tools named Heaven and Eden to interact with WIS in such a way as to trigger Pegasus downloads on target phones via WhatsApp. The company developed Eden after WhatsApp discovered Heaven and put up blocks against it. When WhatsApp engineers discovered Eden, NSO developed and used yet another tool, called Erised, through 2020, or after WhatsApp had filed its lawsuit.

Related:North Korea's Andariel Pivots to 'Play' Ransomware Games

The WhatsApp lawsuit is one of several that NSO Group is currently battling in courts worldwide from organizations and individuals impacted by the malware. In September, Apple sought voluntary dismissal of a 2021 lawsuit it had filed against NSO Group, citing concerns over the company having to share information with the court that other spyware makers could abuse going forward.

Back when the lawsuit was filed, the NSO Group was among a handful of known purveyors of such mobile spyware software. Since then, there has been a sharp increase in the number of commercial spyware vendors, driven largely by demand from government agencies. A Google report earlier this year identified spyware vendors like NSO Group as being responsible for nearly half of all zero-day exploits it counted between mid-2014 and December 2023.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WhatsApp: NSO Group Operates Pegasus Spyware for Customers

PRESS RELEASE

SILVER SPRING, Md. – The Security Industry Association (SIA) has named 24 recipients for this year’s SIA RISE Scholarship, a program offered through SIA’s RISE community, which supports the education and career development goals of young industry talent and emerging leaders.

Through this scholarship program – open to SIA student members and RISE members who are employees at SIA member companies – each awardee will receive a $3,000 scholarship to use toward continuing education and professional development courses, SIA program offerings and/or other academic or education programs. Scholarship funds can be used to expand knowledge in the areas of business, human resources, information technology, marketing, sales, project management, security engineering and/or risk management.

“SIA congratulates this year’s class of RISE Scholarship awardees – an impressive, diverse array of security professionals and rising stars who are making their mark on our industry,” said SIA CEO Don Erickson. “We are proud to present scholarships to more recipients this year than ever before and honored to support these inspiring young leaders as they pursue their educational and career development goals.”

The winners for this year’s RISE Scholarship are:

*   Zachary Allen, account executive, Convergint Technologies
    
*   Brianna Bonfondeo, account manager, Traka, ASSA ABLOY Global Solutions
    
*   Joi Brown, control center specialist, Rapid Response Monitoring Services
    
*   Brenda Constantin, account executive, 3Sixty Integrated, a Division of the Cook & Boardman Group
    
*   Jonathan Crabtree, channel sales specialist, Genetec
    
*   Taylor Davenport, HR business partner, i-PRO Americas
    
*   Mason Fanning, end user specialist, ASSA ABLOY
    
*   Natalie Fetsko, customer success manager, dormakaba
    
*   Aishwarya Gandhe, senior channel marketing coordinator, North America, Genetec
    
*   Anish Chandra Jalla, software developer II, Genetec
    
*   Kajaanei Kajenthiran, security guard, City of Toronto, Canada
    
*   Will Knehr, senior manager of information assurance and data privacy, i-PRO Americas
    
*   Ryan Knoll, account executive, Pro-Tec Design
    
*   Chandni Lalwani, DevOps engineer, HID Global
    
*   Vincent Malenfer-Henard, security analyst, Genetec
    
*   Josh Martin, mechanical engineer II, dormakaba
    
*   Bryn Menzel, director of strategic accounts and marketing, 3millID Corporation
    
*   Gabriella Moraniec, contracts manager, GSA Schedules
    
*   Taylor Nevells, digital marketing and content specialist, Wavelynx
    
*   Juan Pelayo, technical support supervisor, i-PRO Americas
    
*   Itzel Portillo, marketing specialist, Allegion
    
*   Joel Searle, program manager, ZBeta
    
*   Maria Sturges, project coordinator and administrator, Northland Controls
    
*   Julie Trinh, SDK specialist, Genetec
    

Learn more about the honorees here.

SIA would also like to thank the following individuals and companies which contributed to the 2024 RISE Scholarship fund. Tax-deductible donations were made through the Foundation for Advancing Security Talent (FAST), a nonprofit organization co-founded by SIA and the Electronic Security Association and dedicated to connecting passionate, innovative professionals with new opportunities in the security industry.

*   Secure Access & Digital Systems
    

SIA RISE is a community that fosters the careers of emerging leaders in the security industry. In addition to the SIA RISE Scholarship, SIA RISE offers fun in-person and virtual networking events for young professionals, the Talent Inclusion Mentorship Education (TIME) program for early and mid-career professionals, the 25 on the RISE Awards, career growth webinars and trade show education tracks and the annual AcceleRISE conference – a unique event designed to ignite new thinking, strengthen leadership and sharpen business acumen in young security talent. The SIA RISE community is open to all employees at SIA member companies who are young professionals under 40 or have been in the security industry for less than two years; learn more and sign up to join. 

About SIA

SIA is the leading trade association for global security solution providers, with over 1,500 innovative member companies representing thousands of security leaders and experts who shape the future of the security industry. SIA protects and advances its members’ interests by advocating pro-industry policies and legislation at the federal and state levels, creating open industry standards that enable integration, advancing industry professionalism through education and training, opening global market opportunities and collaborating with other like-minded organizations. As the premier sponsor of ISC Events expos and conferences, SIA ensures its members have access to top-level buyers and influencers, as well as unparalleled learning and network opportunities. SIA also enhances the position of its members in the security marketplace through SIA GovSummit, which brings together private industry with government decision makers, and Securing New Ground, the security industry’s top executive conference for peer-to-peer networking.

Security Industry Association Announces SIA RISE Scholarship Awardees

Experimental counter-offensive system responds to malicious AI probes with their own surreptitious prompt-injection commands.

Source: Valentin Baciu via Shutterstock

Companies worried about cyberattackers using large-language models (LLMs) and other generative AI systems that automatically scan and exploit their systems could gain a new defensive ally — a system capable of subverting the attacking AI.

Dubbed Mantis, the defensive system uses deceptive techniques to emulate targeted services and — when it detects a possible automated attacker — sends back a payload that contains a prompt-injection attack. The counterattack can be made invisible to a human attacker sitting at a terminal and will not affect legitimate visitors who are not using malicious LLMs, according to the paper penned by a group of researchers from George Mason University.

Because LLMs used in penetration testing are singularly focused on exploiting targets, they are easily co-opted, says Evgenios Kornaropoulos, an assistant professor of computer science at GMU and one of the authors of the paper.

"As long as the LLM believes that it's really close to acquiring the target, it will keep trying on the same loop," he says. "So essentially, we are kind of exploiting this vulnerability — this greedy approach — that LLMs take during these penetration-testing scenarios."

Cybersecurity researchers and AI engineers have proposed a variety of novel ways for LLMs to be used by attackers. From the ConfusedPilot attack, which uses indirect prompt injection to attack LLMs when they are ingesting documents during retrieval-augmented generation (RAG) applications, to the CodeBreaker attack, which causes code-generating LLMs to suggest insecure code, attackers have automated systems in their sights.

Yet, research on offensive and defensive uses of LLMs is still early: AI-augmented attacks are essentially automating the attacks that we already know about, says Dan Grant, principal data scientist at threat-defense firm GreyNoise Intelligence. Yet, signs of increasing use of automation among attackers is increasing: the volume of attacks has been slowly increasing in the wild and the time to exploit a vulnerability has been slowly decreasing.

"LLMs enable an extra layer of automation and discovery that we haven't really seen before, but \[attackers are\] still applying the same route to an attack," he says. "If you're doing a SQL injection, it's still a SQL injection whether an LLM wrote it or human wrote it. But what it is, is a force multiplier."

**Direct Attacks, Indirect Injections, and Triggers**

In their research, the GMU team created a game between an attacking LLM and a defending system, Mantis, to see if prompt injection could impact the attacker. Prompt injection attacks typically take two forms. Direct prompt injection attacks are natural-language commands that are entered directly into the LLM interface, such as a chatbot or a request sent to an API interface. Indirect prompt injection attacks are statements included in documents, web pages, or databases that are ingested by an LLM, such as when an LLM scans data as part of a retrieval-augmented generation (RAG) capability.

In the GMU research, the attacking LLM attempts to compromise a machine and deliver specific payloads as part of its goal, while the defending system aims to prevent the attacker's success. An attacking system will typically use an iterative loop that assesses the current state of the environment, selects an action to advance toward its goal, execute the action, and analyze the targeted system's response.

Using a decoy FTP server, Mantis sends a prompt-injection attack back to the LLM agent. Source: "Hacking Back the AI-Hacker" paper, George Mason University

The GMU researchers' approach is to target the last step by embedding prompt-injection commands in the response sent to the attacking AI. By allowing the attacker to gain initial access to a decoy service, such as a web login page or a fake FTP server, the group can send back a payload with text that contains instructions to any LLM taking part in the attack.

"By strategically embedding prompt injections into system responses, Mantis influences and misdirects LLM-based agents, disrupting their attack strategies," the researchers stated in their paper. "Once deployed, Mantis operates autonomously, orchestrating countermeasures based on the nature of detected interactions."

Because the attacking AI is analyzing the responses, a communications channel is created between the defender and the attacker, the researchers stated. Since the defender controls the communications, they can essentially attempt to exploit weaknesses in the attacker's LLM.

**Counter Attack, Passive Defense**

The Mantis team focused on two types of defensive actions: Passive defenses that attempt to slow the attacker down and raise the cost of their actions, and active defenses that hack back and aim to gain the ability to run commands on the attacker's system. Both strategies were effective with a greater than 95% success rate using the prompt-injection approach, the paper stated.

In fact, the researchers were surprised at how quickly they could redirect an attacking LLM, either causing it to consume resources or even to open a reverse shell back to the defender, says Dario Pasquini, a researcher at GMU and the lead author of the paper.

"It was very, very easy for us to steer the LLM to do what we wanted," he says. "Usually, in a normal setting, prompt injection is a little bit more difficult, but here — I guess because the task that the agent has to perform is very complicated — any kind of injection of prompt, such as suggesting that the LLM do something else, is \[effective\]."

By bracketing a command to the LLM with ANSI characters that hide the prompt text from the terminal, the attack can happen without the knowledge of a human attacker.

**Prompt Injection is the Weakness**

While attackers who want to shore up the resilience of their LLMs can attempt to harden their systems against exploits, the actual weakness is the ability to inject commands into prompts, which is a hard problem to solve, says Giuseppe Ateniese, a professor of cybersecurity engineering at George Mason University.

"We are exploiting those something that is very hard to patch," he says. "The only way to solve it for now is to put some human in the loop, but if you put the human in the loop, then what is the purpose of the LLM in the first place?"

In the end, as long as prompt-injection attacks continue to be effective, Mantis will still be able to turn attacking AIs into prey.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI About-Face: 'Mantis' Turns LLM Attackers Into Prey

PRESS RELEASE

NEW YORK, Nov. 14, 2024 /PRNewswire/ -- Kyndryl (NYSE: KD), the world's largest IT infrastructure services provider, today introduced a new suite of services, co-developed with Microsoft, to enhance cyber resilience for businesses globally.

Kyndryl and Microsoft have built upon their successful, long-standing partnership to develop differentiated, scalable security and resiliency services. The new services are integrated into Kyndryl Bridge, the industry-leading, artificial intelligence (AI)-powered, open integration digital business platform. Combining Kyndryl's deep services expertise with Microsoft's security technologies provides businesses a comprehensive approach to defending their operations from nefarious threats and attacks.  

This collaboration between Kyndryl and Microsoft can help customers address their expansive cyber resilience needs, ranging from compliance to secure, resilient IT infrastructure, especially considering that cyberattacks are the top concern for business leaders.

"As businesses continue to embrace digital modernization and rapid advancements in technology, the cyber threat landscape and growing regulatory pressures around the world are becoming increasingly complex," said Michelle Weston, Vice President of Security & Resiliency, Kyndryl. "Through our strategic partnership with Microsoft, we are positioned to meet our customers' needs by providing robust security capabilities and supporting their regulatory readiness. Our combined expertise allows us to deliver services that not only protect our customers' assets, but also empower them to thrive in a rapidly evolving digital environment."

"The need for robust cyber resilience has never been greater," said Ricardo Davila, Senior Director, Kyndryl, at Microsoft. "By leveraging Microsoft's security technologies and Kyndryl's expertise, together, we're helping businesses protect their critical assets, so they can operate with confidence. This partnership reinforces our shared commitment to combat cyber threats, so they can realize digital transformation across industries."

Through its services, Kyndryl provides customers:

*   Enhanced risk and compliance readiness: To help support customers' cyber regulatory readiness around the world, Kyndryl's services with Microsoft Purview can automatically assess and manage compliance across multi-cloud and hybrid cloud environments. A global team of security experts recommend the most relevant assessments and advise on which policies and operational procedures to implement to help mitigate compliance risk. 
    
*   Security information and event management (SIEM) migration: Customers can migrate existing Microsoft Sentinel SIEM solutions quickly, enhancing security operations center (SOC) capabilities and accelerating onboarding processes, reducing time to initiate the delivery of services.
    
*   Identity and access management (IAM): Protecting identities and controlling access is one of the first lines of defense against threats to an organization's data and systems. Using Zero Trust principles, Kyndryl's services with Microsoft Entra enhance security and provide a better user experience for customers by offering simplified user authentication, identity governance and integrations to help secure access to their resources.
    
*   Increased detection and response (XDR) capabilities: Businesses have increasingly complex IT architecture with remote endpoints that use several operating systems and device types. The XDR services with Microsoft Defender enable threat prevention, detection and response against increasingly sophisticated attacks on customer assets, including email, identity, Software as a Service (SaaS) applications, cloud infrastructure and data.
    

As part of the partnership, Kyndryl became a member of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their solutions with Microsoft Security technology to better defend mutual customers against a world of increasing cyber threats.

Visit the Kyndryl and Microsoft alliance page for more information on the strategic partnership.

About Kyndryl  
Kyndryl (NYSE: KD) is the world's largest IT infrastructure services provider, serving thousands of enterprise customers in more than 60 countries. The Company designs, builds, manages and modernizes the complex, mission-critical information systems that the world depends on every day. For more information, visit www.kyndryl.com.

Forward-Looking Statements  
This press release contains "forward-looking statements" within the meaning of the Private Securities Litigation Reform Act of 1995. Such forward-looking statements often contain words such as "will," "anticipate," "predict," "project," "plan," "forecast," "estimate," "expect," "intend," "target," "may," "should," "would," "could," "outlook" and other similar words or expressions or the negative thereof or other variations thereon. All statements, other than statements of historical fact, including without limitation statements representing management's beliefs about future events, transactions, strategies, operations and financial results, may be forward-looking statements. These statements do not guarantee future performance and speak only as of the date of this press release and the Company does not undertake to update its forward-looking statements. Actual outcomes or results may differ materially from those suggested by forward-looking statements as a result of risks and uncertainties including those described in the "Risk Factors" section of the Company's most recent Annual Report on Form 10-K filed with the Securities and Exchange Commission.

Kyndryl &amp; Microsoft Unveil New Services to Advance Cyber Resilience for Customers

Akamai Reports Third Quarter 2024 Financial Results

PRESS RELEASE

SAN FRANCISCO, Nov. 4, 2024 /PRNewswire/ -- Bugcrowd, the leader in crowdsourced security, today announced the addition of Trey Ford as Chief Information Security Officer for the Americas, to the leadership team.

Trey is a seasoned strategic advisor and security thought leader with over 25 years of experience in offensive and defensive security disciplines. Trey has held key leadership roles at Deepwatch, Vista Equity Partners, Salesforce, Black Hat, and more. He has also been a valued member of Bugcrowd's advisory board for over a decade.

Trey is passionate about working with enterprise leaders, corporate directors, and investors to help teams strengthen their technology and execution strategy.

"I'm really looking forward to joining this amazing Bugcrowd team and this fast-growing, dynamic organization that continues to execute on its compelling vision for the future of cybersecurity, based on the ingenuity of the crowd," Ford said. "I've always believed in taking a hands-on approach to building, breaking, and deconstructing security problems to first principles -- I intend to continue applying that same mindset here at Bugcrowd."

"Trey's addition to our team marks a pivotal moment for enhancing our operational capabilities in the Americas region," said Nick McKenzie, Chief Information and Security Officer of Bugcrowd. "His leadership and offensive security expertise, coupled with his ability to help us connect with and support customers, will elevate the team's capabilities to new heights—a timely appointment with our current business momentum."

Bugcrowd also announced the availability of Bugcrowd Continuous Attack Surface Pentesting as a Service Subscription, a new way to consume pen testing. By using this subscription model, customers can enjoy the flexibility and predictability of pre-paid capacity on the Bugcrowd Platform to be drawn-down on demand.

In addition, Bugcrowd announced an additional growth capital facility of $50 million from Silicon Valley Bank in October. The new financing will further scale Bugcrowd's AI-powered platform globally, fund continued innovation into the Bugcrowd Platform, and leverage opportunities for strategic M&A, providing added value to clients, partners, and the hacker community.

"We are extremely excited by the rapid growth and market momentum that Bugcrowd has achieved so far this year," said Dave Gerry, Chief Executive Officer of Bugcrowd. "We believe we are putting together the world's strongest combination of people and technologies to deliver on the powerful insights provided by elite hackers operating on our global Platform."

The Bugcrowd Platform connects organizations with trusted security researchers and hackers to help proactively defend themselves against sophisticated threats. For over a decade, Bugcrowd's unique "skills-as-a-service" approach has uncovered more high-impact vulnerabilities than traditional methods, along with clearer ROI, for more than 1,200 customers – including OpenAI, Google, T-Mobile, Carvana, the US Department of Defense's Chief Digital and Artificial Intelligence Office (CDAO), ExpressVPN, Rapyd, New Relic, and OpenSea. With unmatched flexibility and access to a decade of vulnerability intelligence, the Bugcrowd Platform has evolved to address a changing attack surface influenced by adoption of mobile infrastructure, hybrid work, APIs, crypto, cloud workloads, and AI. Bugcrowd's crowdsourced solutions include penetration-testing-as-a-service, managed bug bounties, vulnerability disclosure programs (VDPs), and AI Safety and Security products.

To learn more about how the Bugcrowd platform can help your organization fight against today's evolving cyberattacks, visit here.

To download a copy of the Inside the Mind of a Hacker 2024 report, click here.

About Bugcrowd

We are Bugcrowd. Since 2012, we've been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of our customers and trusted alliance of elite hackers, with our patented data and AI-powered Security Knowledge Platform™. Our network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, our data and AI-driven CrowdMatch™ technology in our platform finds the perfect talent for your unique fight. We are creating a new era of modern crowdsourced security that outpaces threat actors.

Unleash the ingenuity of the hacker community with Bugcrowd, visit www.bugcrowd.com. Read our blog.

Bugcrowd Names Trey Ford as CISO

Other Biden administration appointees at CISA will also submit their resignations on Jan. 20, as the cyberdefense agency prepares for President-elect Trump's new DHS director.

Source: NurPhoto SRL via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Jen Easterly, director of the agency, will step down from her position on President-elect Donald Trump's Inauguration Day.

Other political appointees of President Biden will follow suit with their own resignations as the agency prepares for a second Trump administration.

When Easterly was first nominated for the position by the Biden administration, she filled an eight-month vacancy after then-President Trump fired the agency's first director, Chris Krebs, for denouncing the administration's false claims of a rigged 2020 US election.

During her time as CISA director, Easterly oversaw prominent moments within the cybersecurity field, such as the Colonial Pipeline ransomware attack that sent shockwaves throughout the industry and prompted significant change within critical infrastructure security practices. She also led CISA in ushering in new cybersecurity initiatives, such as Secure by Design and CISA's resiliency playbook to provide guidance and improve critical infrastructure security.

It remains unclear what Easterly's plans are after leaving CISA. However, former President Trump has nominated South Dakota Gov. Kristi Noem as secretary of the Department of Homeland Security, which oversees CISA. It's unclear what CISA's future holds, as some Republican lawmakers have called for restricting the scope of its mission and, in some cases, for its elimination.

**About the Author**

Jen Easterly, CISA Director, to Step Down on Inauguration Day

A vulnerability found in the Really Simple Security plug-in allows an attacker to remotely gain access to any account on an affected website, including the administrator, when 2FA is enabled.

Source: Primakov via Shutterstock

A WordPress plug-in installed on more than 4 million websites exposes them to full administrative takeover through a scripting flaw that potentially can be used to launch large-scale automated attacks against multiple sites.

Researchers from Wordfence called the authentication bypass flaw "one of the more serious vulnerabilities" that they have ever identified, uncovering it earlier this month in a plug-in from Really Simple Security that provides WordPress security features for sites, according to a recent blog post. The flaw, rated with a critical CVSS score of 9.8, affects the Really Simple Security Pro and Pro Multisite plug-ins, versions 9.0.0 to 9.1.1.1.

"The vulnerability makes it possible for an attacker to remotely gain access to any account on the site, including the administrator account, when the two-factor authentication (2FA) feature is enabled," Wordfence security researcher Istvan Marton wrote in the post.

The flaw exists due to improper user check error handling in the two-factor REST API actions with the "check\_login\_and\_get\_user" function, according to Wordfence. Moreover, because the flaw is scriptable, it can be weaponized against numerous WordPress sites simultaneously in an automated way.

Due to the critical nature of the bug, Wordfence acted quickly after discovering the flaw on Nov. 6 to work with the Really Simple Security team to mitigate it. After immediately disclosing the flaw to the vendor, a patched update, version 9.1.2, was released publicly on Nov. 12. Then, on Wordfence's advice, Really Simple Security force-updated all sites running the plug-in two days later.

Related:Akamai Reports Third Quarter 2024 Financial Results

Still, Wordfence recommended that any administrator with a site that uses the plug-in confirm that it has been automatically updated to the patched version, as "it appears that sites without a valid license may not have auto-updates functioning," Marton noted in the post.

**New 'Really Simple Security' Feature Introduces Flaw**

The Really Simple Security plug-in was formerly known as Really Simple SSL; it was renamed in its latest major version update, which also expanded the plug-in with security features such as log-in protection, vulnerability detection, and 2FA.

During this revamp, one of the features adding 2FA "was insecurely implemented" to introduce the flaw, which allows an attacker to create a simple request to gain access to any user account with 2FA on.

Specifically, the plug-in uses the skip\_onboarding() function in the Rsssl\_Two\_Factor\_On\_Board\_Api class to handle authentication via REST API that returns a WP\_REST\_Response error in case of a failure. However, this is not handled within the function, which "means that even in the case of an invalid nonce, the function processing continues and invokes authenticate\_and\_redirect()," Marton wrote. This "authenticates the user based on the user id passed in the request, even when that user’s identity hasn’t been verified," he wrote.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plug-in.

"As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect it," Marton explained.

**Wordfence: Spread the Word, Check Your Plug-ins**

Due to its widespread use as a foundation for millions of websites, the WordPress platform and its plug-ins especially are a notoriously popular threat target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to exploit singular plug-ins with large install bases, making flaws like the one found in Really Simple Security's plug-in an attractive target.

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Even though most sites using the plug-in should have been updated already, Wordfence still advises that users spread the word to ensure the broadest patch coverage possible due to the critical nature of the flaw.

"If you know someone who uses these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," Marton wrote in the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading