Developers are pulling in publicly available ASP.NET keys into their environments, without realizing that cyberattackers can use them for clandestine code injection.

Source Hilda DeSanctis via Alamy Stock Photo

NEWS BRIEF

Website developers are unwittingly putting their companies at risk by incorporating publicly disclosed ASP.NET machine keys from code documentation and repositories into their applications, Microsoft is warning.

The tech giant has issued an alert on the insecure practice, after observing threat actors in December using a static, known ASP.NET machine key to deploy the Godzilla post-exploitation cyberattack framework, known for stomping all over corporate environments.

The attack vector involves manipulating ViewState, which represents the state of a webpage when it was last processed on the server. If threat actors can get ahold of ASP.NET keys, they can craft a malicious ViewState, send it to a targeted website via a POST request to be loaded, and can thus compromise the environment via code injection.

"Once it's processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used," a Microsoft post on the concern explained. "The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS Web server."

Microsoft has uncovered at least 3,000 publicly disclosed keys that could be used for these types of attacks, which lowers the bar for exploitation significantly.

"Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on Dark Web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification," according to the post.

To prevent attack, Microsoft recommends that organizations do not copy keys from publicly available sources and to regularly rotate keys in any event.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

PRESS RELEASE

A five-count criminal indictment was unsealed today in federal court in New York charging a Canadian man with exploiting vulnerabilities in two decentralized finance protocols to fraudulently obtain about $65 million from the protocols’ investors.

According to court documents, from 2021 to 2023, Andean Medjedovic, 22, allegedly exploited vulnerabilities in the automated smart contracts used by the KyberSwap and Indexed Finance decentralized finance protocols. Medjedovic borrowed hundreds of millions of dollars in digital tokens, which he used to engage in deceptive trading that he knew would cause the protocols’ smart contracts to falsely calculate key variables. Through his deceptive trades, Medjedovic was able to, and ultimately did, withdraw millions of dollars of investor funds from the protocols at artificial prices, rendering the victims’ investments essentially worthless.

Medjedovic also allegedly laundered the proceeds of his fraudulent schemes through a series of transactions designed to conceal the source and ownership of the funds, including through swap transactions, “bridging transactions,” and the use of a digital assets “mixer.” With others, Medjedovic also allegedly schemed to open accounts with digital assets exchanges using false and borrowed identifying information to conceal the source and true ownership of the proceeds. In around November 2023, after executing the KyberSwap exploit, Medjedovic also allegedly attempted to extort the victims of the KyberSwap exploit through a sham settlement proposal, in which he demanded complete control of the KyberSwap protocol and the decentralized autonomous organization that oversaw the KyberSwap protocol in exchange for returning 50 percent of the digital assets that he fraudulently obtained through his scheme.

Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. If convicted, he faces a maximum penalty of 10 years in prison on the unauthorized damage to a protected computer count and 20 years in prison on each of the other counts. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, U.S. Attorney John J. Durham for the Eastern District of New York, Chief Guy Ficco of IRS Criminal Investigation (IRS-CI), Special Agent in Charge William S. Walker of Homeland Security Investigations (HSI) New York, and Assistant Director in Charge James E. Dennehy of the FBI New York Field Office made the announcement.

IRS-CI, HSI, and the FBI New York Field Office are investigating the case, with valuable assistance provided by U.S. Customs and Border Protection’s New York Field Office and the Justice Department’s Office of International Affairs. The Justice Department also thanks the Netherlands’ Public Prosecution Service and Cybercrime Unit — the Hague of the Dutch National Police for their significant assistance with the investigation.

Trial Attorney Tian Huang of the Criminal Division’s Fraud Section, who is a member of the National Cryptocurrency Enforcement Team (NCET), and Assistant U.S. Attorneys Nicholas Axelrod and Andrew Reich for the Eastern District of New York are prosecuting the case. SEC Enforcement Attorney Daphna A. Waxman, formerly a member of the NCET, provided significant assistance.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

PRESS RELEASE

With a staggering 5263 attacks, 2024 saw the highest volume of ransomware attacks observed since 2021, according to a new report from cybersecurity consulting firm, NCC Group.

In a turbulent year for the cyber landscape, with high-impact attacks on sophisticated nation-state espionage campaigns, attack volume continued to rise. 

LockBit remains top threat actor despite takedown

The infamous threat group LockBit was the top actor of 2024, accounting for 10% (526) of all attacks. However, it’s overall activity declined compared to 2023, with LockBit’s takedown earlier in 2024.

RansomHub followed closely behind. Accountable for 501 attacks, it became the most dominant threat actor in the second half of the year.

Uptick in most regions

North America experienced over half of all attacks in 2024 (55%). Overall, most regions witnessed a rise in attacks, including Asia, South America, and Oceania. Rising global geopolitical tensions and high payouts for ransomware attacks are likely to have attributed to increase across regions. 

Industrials remains a top target

With its crucial role in the global economy, Industrials experienced 27% (1424) of all ransomware attacks in 2024, increasing 15% from 2023. Attacks in the sector have caused mass disruption, affecting critical infrastructure and services and causing material downtime.

Law enforcement whack-a-mole 

There are some encouraging signs that the international community has stepped up efforts to recognise and address the threats posed by cyber adversaries. Notable examples include coordinated law enforcement actions against cybercriminal networks such as Operations Cronos, Magnus, Destabilise, and Serengeti.

Despite short term law enforcement crack downs, threat actors continued to emerge quickly after intervention - LockBit was operating again only five days after its takedown. And with warnings from the group that it will be back in full force by February 2025, it’s evident that governments and law enforcement need to do more to prevent the reemergence of these groups.

Matt Hull, global head of Threat Intelligence at NCC Group said: “The cyber security landscape in 2024 presented unprecedented challenges. The scale and complexity of cyber incidents tested the resilience of businesses and institutions globally. Looking ahead, these challenges are set to escalate as cyber criminals and nation-state actors increasingly exploit the growing integration of technology into all aspects of life.

“Key concerns such as third-party compromises, cloud vulnerabilities, and insecure APIs remain critical. We also can’t ignore the rapid advances in artificial intelligence (AI) that are giving rise to new cybercriminal tactics. And the geopolitical dimension of cyber security adds to the ever-changing threat landscape, with nation-states posing significant risks to critical infrastructure.

“In the face of these challenges, businesses, governments, and individuals must stay vigilant and proactive. By understanding the risks and acting today, we can collectively work towards a more secure digital future.”

2024 Breaks Records With Highest Ever Ransomware Attacks

**Databarracks Launches Air Gap RecoverDatabarracks Launches Air Gap Recover**

PRESS RELEASE

Databarracks has announced the launch of Air Gap Recover, a new service that provides enhanced protection against cyber threats, including ransomware attacks.

Designed specifically for cloud-native environments, Air Gap Recover provides isolated, air-gapped data protection and automated failover to guarantee rapid recovery from any cyber attack.

“Traditional data protection solutions don’t work for cloud-native systems and businesses,” said James Watts, Managing Director of Databarracks.

“Native cloud tools are designed more for simplicity than resilience and lack the functionality you need to fully protect your data. Enterprise backup solutions, on the other hand, struggle to scale and can’t handle the volume of data stored in modern cloud systems. Whichever you choose, your recovery is compromised – it either takes too long to restore operations or, in a worst-case scenario, you’re left with no clean copy of data to recover from at all.

“Air Gap Recover addresses these shortcomings. It’s equipped to protect the petabytes of data and globally distributed architectures within cloud-native environments – allowing for complex cloud-scale recovery.

“In 2025, cyber remains the number one threat to business continuity. We know it is no longer a question of “if” but “when”. But no matter the scale or severity of the cyber event – and cloud-native environments are not immune – Air Gap Recover ensures your critical data is protected. If the worst happens – your cloud account is breached, and your data is encrypted or deleted – you failover instantly to a secure and separate account. Your business stays operational while others would scramble to recover.”

Key features include:

*   Advanced air-gapped security: Data is stored in immutable, isolated cloud accounts to protect against ransomware and other cyber threats.
    
*   Automated failover: Provides immediate cross-region failover to a segregated cloud account, ensuring instant recovery with near-zero downtime.
    

Stepping in where traditional solutions fall short, Air Gap Recover sets a new standard for cloud-native data protection to further strengthen Databarracks’ IT resilience offering.

About Databarracks

Databarracks is the technology and business resilience specialist.

In 2003, we launched one of the world’s first managed Backup services to bring indestructible resilience to mission-critical data.

Today, we deliver award-winning IT resilience and continuity services. We help organisations get the most out of the cloud and protect their data, wherever it lives.

And we back this up with unbeatable support. There’s no such thing as ‘above and beyond’ for our engineers because they only work to one standard: to keep your systems running perfectly.

Enterprise-class continuity, security, and resilience. Accessible for all. 

You May Also Like

Databarracks Launches Air Gap Recover

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

Source: Tapati Rinchumrus via Shutterstock

A year after Google and Yahoo forced bulk email senders to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard, the rate of the adoption of DMARC among domains has doubled, although many of the same email threats continue to successfully deliver payloads or redirect unwary users to phishing sites.

The increase in adoption started in February 2024, when Google and Yahoo started requiring bulk email senders — defined as any company sending more than 5,000 email messages daily — to use DMARC. The email authentication standard uses two authentication specifications — Sender Policy Framework (SPF) and DomainsKeys Identified Mail (DKIM) — to confirm that an email comes from an authorized email server and on behalf of the purported sender. The technology makes it much more difficult to spoof email from a legitimate company or brand.

In the past year, adoption has increased by about 2.3 million domains, but that still leaves about 87% of domains without a DMARC record, according to data published by cyber-resilience firm Red Sift on Feb 5. Adoption is also uneven, with organizations in Austria, Japan, and Indonesia seeing some of the highest growth and publicly traded companies making the most significant gains.

Related:Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

While doubling the adoption rate of DMARC is a significant success, the private sector needs to do better, says Sean Costigan, managing director of resilience strategy at Red Sift.

"DMARC is considered an indicator of cyber maturity in many sectors, and we are still in the early days — healthcare, for example, is struggling to surpass 40% to 50% adoption," he says, adding that "widely, properly managed DMARC adoption will reduce spoofing, phishing and other forms of cybercrime."

Source: Red Sift

Google, for example, has seen a significant reduction in questionable email. In 2024, Gmail users saw 265 billion fewer unauthenticated emails, or about 65% less. During the 2024 holidays, a season that typically sees a massive spike in phishing attacks, users encountered 35% fewer scams, says Neil Kumaran, group product manager at Google.

"We think these improvements represent a huge boost in the health of the email ecosystem overall," he says. "We are actually seeing the industry embrace these requirements, seeing how important they are to increase the healthy ecosystem for everybody."

**DMARC Adoption Likely to Accelerate**

Large email senders are not the only groups quickening the pace of DMARC adoption. The latest Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires DMARC for all organizations that handle credit card information, while the European Union's Digital Operational Resilience Act (DORA) makes DMARC a necessity for its ability to report on and block email impersonation, Red Sift's Costigan says.

Related:Abandoned AWS Cloud Storage: A Major Cyberattack Vector

"Mandatory regulations and legislation often serve as the tipping point for most organizations," he says. "Failures to do reasonable, proactive cybersecurity — of which email security and DMARC is obviously a part — are likely to meet with costly regulatory actions and the prospect of class action lawsuits."

Overall, the authentication specification is working as intended, which explains its arguably rapid adoption, says Roger Grimes, a data-driven-defense evangelist at security awareness and training firm KnowBe4. Other cybersecurity standards, such as DNSSEC and IPSEC, have been around longer, but DMARC adoption has outpaced them, he maintains.

"DMARC stands alone as the singular success as the most widely implemented cybersecurity standard introduced in the last decade," Grimes says.

**Subdomain Attacks Exploit Gaps**

Yet that does not mean that threats have diminished. Attackers have adapted, Grimes says. Typically, attackers will just use lookalike domains — or use creative punctuation to create confusion — and fool the end user while still sending messages from an authenticated domain.

Related:Name That Toon: Incentives

"Since the creation and wide-scale adoption of DMARC, the percentage and number of phishing emails claiming to be from a particular legitimate domain are significantly less, perhaps just a few percent of what they used to be," Grimes says. "Unfortunately, phishers just created new illegitimate domains, often with lookalike names, that they then applied DMARC on so that the new, illegitimate domains passed DMARC inspection."

One technique used to dodge DMARC is "subdomail," where attackers seek out SPF records that include unregistered domains, and then take control of the orphaned domains as a way to conduct massive spamming campaigns. In one case, an SPF record for msnmarthastewartsweeps.com "included" two domains, allowing any authorized mail servers listed in those domain records to send authenticated email. In the Sender Policy Framework, the "include" keyword allows on domain to specify that those domains' lists of authenticated email servers should be trusted. For msnmarthastewartsweeps.com, that resulted in nearly 18,000 domains being authorized to send email on behalf of the domain.

Because the email messages make it past DMARC checks, they are more likely to successfully impersonate other companies, says Red Sift's Costigan.

"SubdoMailing exploits gaps in DMARC safeguards, allowing attackers to send emails from subdomains that pass both SPF and DMARC checks," he says. "These messages appear legitimate and are incredibly deceptive."

**BIMI on Deck for Email Security**

Still, companies gain much more visibility into their email by using DMARC, as the standard includes a reporting function that allows companies — or service providers on their behalf — to track email failures. Thus, companies should rapidly move from "none" to "quarantine" to "reject" as their policy, experts say.

In addition, companies should also look to take the next step, moving to Brand Indicators for Message Identification or BIMI, which allows companies to present a logo to email recipients. BIMI requires strict DMARC, however, and only about a third of domains currently comply, according to Red Sift's data.

While none of these technologies solve the problem of malicious emails, they all give companies and their email service providers more reliable signals to use to filter out unwanted messages and potential attacks, says Google's Kumaran. DMARC adoption does not boil down to "authenticated mail is good, and unauthenticated email is bad," he says.

"The idea is that authentication gives you confidence of the source of the message, and then you can start to do a better job of classification and actually providing protections to users," Kumaran says. "So I think it's a very desirable behavior if 100% of attacks are actually authenticated, because it makes the job of protecting people — and gives those the folks working in defending — stronger signals on which to operate."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Google's DMARC Push Pays Off, but Email Security Challenges Remain

As the cost of data breaches continues to climb, the role of user and entity behavioral analytics (UEBA) has never been more important.

Jackie Wyatt, Adjunct Professor of Cyber Studies, University of Tulsa

February 7, 2025

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

Last year, the cost of a data breach rose 10%, from $4.4 million to $4.8 million, as stated by IBM's annual "Cost of a Data Breach Report." According to cybersecurity firm Vectra AI, more than 70% of security operations center (SOC) leaders fear that a real attack will be hidden under an overwhelming flood of false-positive alerts and other security noise. The resulting burnout may be contributing to the labor shortage plaguing the industry. 

As the cost of data breaches continues to climb along with the deluge of meaningless alerts on an increasingly stressed workforce, the role of behavioral analytics in cybersecurity, or user and entity behavioral analytics (UEBA), has never been more important. That role is even more critical for schools, government agencies, and hospitals and other healthcare facilities. These entities play crucial roles in our day-to-day lives but operate with limited resources. They tend to have smaller cybersecurity teams and less money, amplifying the potential perils of a breach. In fact, the smaller the team, the greater the need for UEBA, which has a number of benefits.

**Weeds Out the Noise **

In the absence of behavioral analytics, every login and machine connection can result in an alert for the SOC. Without the ability to differentiate true threats from false positives, every threat detected is treated with high priority, which may cause the true positives to either get missed or not be addressed in a timely fashion. In places like schools, government offices, and medical facilities the consequences of missing an actual threat are monumental. These establishments thrive on their reputation while accumulating critical information that could mean life or death for a person.   

The danger of alert fatigue is real, causing SOC analysts to eventually ignore certain signals or attempt to address them all with no sense of which ones indicate actual risk. UEBA tracks access patterns across people, machines, and systems; eventually detecting and alerting the SOC only when there's a true risk. Not only does this approach cut out alert noise, it also limits the information bombarding the security team, reduces false positives, and virtually eliminates alert fatigue so analysts can focus on important alerts. Using behavioral analytics to detect the patterns that are normal makes it much easier to spot the ones that aren't. 

**Allows for Prioritization**

Using UEBA is already a no-brainer for many SOCs, but it has not been implemented for most hospitals, government institutions, and schools. Analyzing behavior patterns could have an even bigger payoff for those types of entities, in part because their teams are small. With a fully functioning, automated UEBA system, analysts know alerts are far more likely to be credible and worth their time to investigate. 

When discussing pattern detection and automation, AI naturally springs to mind. This makes perfect sense because UEBA is an excellent use case for AI. The kind of public sector/public good entities that have the most limited resources are best suited to leverage the power of AI combined with UEBA. It could virtually eliminate the disadvantage of fewer resources because a well-trained AI would only surface credible threats for human vetting. AI is not susceptible to alert fatigue, burnout, or the lure of a higher salary elsewhere. An automated system may be able to handle threat response, however its greatest potential lies in prioritizing potential threats for SOC analysts to analyze them more efficiently. This saves engineers and analysts countless hours, since they do not have to craft rules and queries to achieve the desired outcome.

**Reduces Risk **

It may be difficult for some executives to wrap their heads around placing an automated system at the heart of their security operations. Some worry about all the company data being in one place. Others fear AI might miss something, but it seems that the risk of a small and overwhelmed team subject to burnout is greater. While it's possible for a problem to surface with AI, it's more likely that a problem will arise with stressed out people.  

Some companies have already seen the benefit of involving AI in their security operations. About 70% of those that responded to a Vectra AI survey said AI has already reduced burnout and increased threat detection and response abilities. Imagine moving the needle that much for the places that instruct our kids, provide healthcare, and keep the lights on. 

**About the Author**

Adjunct Professor of Cyber Studies, University of Tulsa

Jackie Wyatt is an adjunct professor of cyber studies at the University of Tulsa and a cybersecurity operations analyst at QuikTrip. Jackie received a master’s degree in cybersecurity from Maryville University. She holds the Certified Enterprise Defender (GCED) certification and Coin from SANS, marking her as an expert in network defense and incident response. Her combination of advanced education and hands-on experience makes her a valuable figure in the cybersecurity field.

Behavioral Analytics in Cybersecurity: Who Benefits Most?

Local law enforcements need to steer away from "place-based policing" when investigating cybercrimes.

Source: motortion via Adobe Stock Photo

Last November, an Idaho man was sentenced to 10 years in prison for hacking into the computer servers of 19 victims across the United States, stealing personally identifiable information (PII) belonging to more than 132,000 people, and attempting to extort a Florida orthodontist for payment in Bitcoin cryptocurrency.

The perpetrator, Robert Purbeck, had also purchased access to the computer server belonging to a medical clinic in Griffin, Ga., from a cybersecurity forum and used stolen credentials to remove records containing sensitive PII, such as birth dates and Social Security numbers for 43,000 individuals, according to the US Department of Justice. In addition, Purbeck purchased access to a server belonging to the police department of Newnan, Ga., and stolen police reports and other documents, including the PII for over 14,000 people.

This case illustrates some of the challenges law enforcement currently face trying to investigate and arrest criminals in an increasingly digital world where cybercriminals operate across state — and often national — lines, employing a variety of tools. While the FBI plays a significant role in investigating cybercrime, most of the responsibility often falls to local law enforcement — municipal police departments, county sheriff's offices, and other local agencies. These groups have to determine jurisdiction and secure limited resources while staying on top of the ever-evolving threat landscape.

In 2023, the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) received 880,418 cybercrime complaints, a nearly 10% increase from 2022. Potential losses exceeded $12.5 billion, up 22% from 2022. While the figures for 2024 are not yet available, the numbers are expected to be even higher.

At the top of the list is a need to evolve beyond place-based policing, says Dr. Chris Moloney, an instructor at Colorado State University whose research focuses on the digital transformation of public safety agencies.

"One of the greatest challenges is that \[local\] agencies have historically evolved to be place-based, and they've been resourced to deal with physical, tangible crimes, burglaries, robberies, arsons, homicides, all those that show up on TV shows and in the newspapers," he says. "But cybercrime is borderless. Your perpetrator could be thousands of miles away, and your victims could be in your small local town that has a police department with 15 employees. That's a fundamental challenge."

In addition to questions of place and jurisdiction, Moloney says local law enforcement also suffers from resource and "capability gaps." Local police departments may struggle to allocate budgets for software that can analyze forensic evidence or hire personnel with expertise in areas like encryption or blockchain.

And prioritizing cybercrime often takes a back seat to the day-to-day issues facing a local community.

“When I want to make sure that my neighborhood's safe, it's a very, very challenging dynamic for leadership to go to the community or to go to their local government and say, 'We need more money specifically for these technological resources,'" Moloney says.

**Public-Private Partnerships Are Key**

Law enforcement also has to compete for talent with the private sector, which can afford to pay higher salaries to those with cyberskills, Moloney says. However, law enforcement also needs to work in partnership with the private sector to investigate and prosecute some kinds of cybercrime. 

"One of the best solutions is a better defense, right? And that's where the private sector comes in in a big way," he says. "And that's where education comes in a big way."

In addition to enhanced partnerships with the private sector, fighting the rise of cybercrime will require finding ways to bring agencies and law enforcement groups together and making cybercrime a priority by providing increased financial and technological resources and staffing.

"We do not have a unified or coherent strategy or set of tactics or solutions that unify how everybody's approaching this issue," Moloney says. "It's a challenging environment, and it's really complicated. How do we navigate all those different issues that are all coming together at the same time and recognize that if you don't do it, it's only going to get worse?"

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Cybercrime Forces Local Law Enforcement to Shift Focus

Cybereason co-founders launch their second act with a security startup focused on offering a platform that uses agentic AI to offload repetitive tasks commonly performed by security analysts.

Source: Laurent Davoust via Alamy Stock Photo

The co-founders of EDR provider Cybereason have regrouped with a new security startup, 7AI, to help organizations shift the burden of performing repetitive and routine security tasks currently performed by human analysts onto AI. 7AI's Agentic AI Platform frees security professionals from time-consuming tasks, such as triaging alerts, interpreting signals, correlating telemetry, and hunting for known threats, says Lior Div, one of the co-founders.

Div and Yonatan Striem-Amit left Cybereason two years ago after Softbank took a majority stake in the company; they founded 7AI in April 2024. The startup, which emerged from stealth on Thursday, says more than a dozen companies, mostly large and midsize enterprises, are already using its Agentic AI Platform. 7AI also received $36 million in seed funding from Greylock Partners, Spark Capital, and CRV.

Div describes agentic AI as "swarms of AI agents" capable of autonomously taking on routine security tasks. Unlike isolated generative AI agents, these swarms can enable autonomous operations by pooling and communicating their intelligence to investigate and prioritize threats while optimizing system resources. A swarm of agents working in tandem means that one agent could be configured to discover suspicious telemetry in an endpoint detection and response (EDR) system while another could be configured to validate the potential threat by correlating cloud logs. Yet another agent could be configured to observe user behavior patterns in identity and access management (IAM) systems. 

"Instead of spending their time on repetitive work to respond to alerts, our early customers are able to start their work with full context, drastically fewer false positives, and the results of full investigations," Div explained in a blog post announcing the company's new platform. The platform documents how each agent reached its conclusions and can be reviewed at any time by human analysts.

7AI's agentic AI capabilities, which is hosted in the Amazon Web Services cloud, is built with generative AI tools from Open AI and Anthropic.

"When it comes to reasoning, we're using Open AI," Div tells Dark Reading. "But when it comes to actually implementing and writing code, we're using Anthropic."

**A Replacement for SOAR?**

The platform is not designed to replace security administrators and analysts but rather allow them to take mundane tasks off their plates so they can allocate their time to more strategic functions.

"AI will take away 90% of the boring, toiling work," Div says.

Besides handling repetitive tasks, 7AI's platform is designed to correlate telemetry without moving data into another system. For example, in a typical threat hunting scenario, the data would have to be pushed into a security information and event management (SIEM). Instead, 7AI correlates the information at its source. The platform can also detect threat activity and anomalies in IAM systems such as Okta, Div says.

"We believe our AI will meet the data where the data was born," he says. "You don't have to send a lot of those pieces to the SIEM anymore."

This could also reduce organizations' reliance on managed security and service providers or managed detection and response providers, Div suggests.

"We don't think that you will need a SOAR once you have our system because it will decide on the fly what is the right playbook to run and what type of investigation to conduct without the need for human beings to specify it step by step," Div says.

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

7AI Streamlines Security Operations With Autonomous AI Agents

OpenAI's latest tech can reason better than its previous models could, but not well enough to ferret out careful social engineering.

Source: SOPA Images Limited via Alamy Stock Photo

A prompt engineer has challenged the ethical and safety protections in OpenAI's latest o3-mini model, just days after its release to the public.

OpenAI unveiled o3 and its lightweight counterpart, o3-mini, on Dec. 20. That same day, it also introduced a brand new security feature: "deliberative alignment." Deliberative alignment "achieves highly precise adherence to OpenAI's safety policies," the company said, overcoming the ways in which its models were previously vulnerable to jailbreaks.

Less than a week after its public debut, however, CyberArk principal vulnerability researcher Eran Shimony got o3-mini to teach him how to write an exploit of the Local Security Authority Subsystem Service (lsass.exe), a critical Windows security process.

**o3-mini's Improved Security**

In introducing deliberative alignment, OpenAI acknowledged the ways its previous large language models (LLMs) struggled with malicious prompts. "One cause of these failures is that models must respond instantly, without being given sufficient time to reason through complex and borderline safety scenarios. Another issue is that LLMs must infer desired behavior indirectly from large sets of labeled examples, rather than directly learning the underlying safety standards in natural language," the company wrote.

Deliberative alignment, it claimed, "overcomes both of these issues." To solve issue number one, o3 was trained to stop and think, and reason out its responses step by step using an existing method called chain of thought (CoT). To solve issue number two, it was taught the actual text of OpenAI's safety guidelines, not just examples of good and bad behaviors.

"When I saw this recently, I thought that \[a jailbreak\] is not going to work," Shimony recalls. "I'm active on Reddit, and there people were not able to jailbreak it. But it is possible. Eventually it did work."

**Manipulating the Newest ChatGPT**

Shimony has vetted the security of every popular LLM using his company's open source (OSS) fuzzing tool, "FuzzyAI." In the process, each one has revealed its own characteristic weaknesses.

"OpenAI's family of models is very susceptible to manipulation types of attacks," he explains, referring to regular old social engineering in natural language. "But Llama, made by Meta, is not, but it's susceptible to other methods. For instance, we've used a method in which only the harmful component of your prompt is coded in an ASCII art."

"That works quite well on Llama models, but it does not work on OpenAI's, and it does not work on Claude whatsoever. What works on Claude quite well at the moment is anything related to code. Claude is very good at coding, and it tries to be as helpful as possible, but it doesn't really classify if code can be used for nefarious purposes, so it's very easy to use it to generate any kind of malware that you want," he claims.

Shimony acknowledges that "o3 is a bit more robust in its guardrails, in comparison to GPT-4, because most of the classic attacks do not really work." Still, he was able to exploit its long-held weakness by posing as an honest historian in search of educational information.

In the exchange below, his aim is to get ChatGPT to generate malware. He phrases his prompt artfully, so as to conceal its true intention, then the deliberative alignment-powered ChatGPT reasons out its response:

Source: Eran Shimony via LinkedIn

During its CoT, however, ChatGPT appears to lose the plot, eventually producing detailed instructions for how to inject code into lsass.exe, a system process that manages passwords and access tokens in Windows.

Source: Eran Shimony via LinkedIn

In an email to Dark Reading, an OpenAI spokesperson acknowledged that Shimony may have performed a successful jailbreak. They highlighted, though, a few possible points against: that the exploit he obtained was pseudocode, that it was not new or novel, and that similar information could be found by searching the open Web.

**How o3 Might Be Improved**

Shimony foresees an easy way, and a hard way that OpenAI can help its models better identify jailbreaking attempts.

The more laborious solution involves training o3 on more of the types of malicious prompts it struggles with, and whipping it into shape with positive and negative reinforcement.

An easier step would be to implement more robust classifiers for identifying malicious user inputs. "The information I was trying to retrieve was clearly harmful, so even a naive type of classifier could have caught it," he thinks, citing Claude as an LLM that does better with classifiers. "This will solve roughly 95% of jailbreaking \[attempts\], and it doesn't take a lot of time to do."

Dark Reading has reached out to OpenAI for comment on this story.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Researcher Outsmarts, Jailbreaks OpenAI's New o3-mini

While President Trump supported federal space efforts during his first administration, the addition of SpaceX chief Elon Musk to his circle likely means challenges for regulating spacecraft cybersecurity, experts say.

Source: Andrei Armiagov via Shutterstock

The cybersecurity of satellites, spacecraft, and other space-based systems continues to lag behind current threats, despite efforts by the National Aeronautics and Space Administration (NASA) to require that contractors shore up electronic protections for the hardware and software provided to the US space program.

The cybersecurity gaps will likely only grow worse as the Trump administration's efforts to deregulate private industry accelerates, and as Elon Musk — the CEO of the largest private space company, SpaceX —  pushes for less stringent requirements for spacecraft and launch-system manufacturers, experts say. The company's lobbyists have already reportedly pushed to disband the National Space Council (NSpC), a group of experts established during the George H.W. Bush administration that develops policies and guidelines for US space programs.

Meanwhile, the United States and its commercial contractors must keep up with an accelerating threat landscape, says Samuel Sanders Visner, a technical fellow at the Aerospace Corporation, a federally funded research and development center, who also serves as chairman of the board of the Space Information Sharing and Analysis Center (Space ISAC).

"Our potential adversaries understand the critical nature of our space systems to our national and economic security, \[so\] we can expect they will continue to develop the means to hold at risk these systems," he says. "We must redouble our own efforts to stay ahead of adversaries' capabilities."

Related:Credential Theft Becomes Cybercriminals' Favorite Target

And indeed, threats to space-based systems have increased. Russia-linked hackers disrupted satellite communications in Ukraine during the opening months of its invasion, and researchers are concerned about the potential satellite-hacking capabilities of China and Iran.

Because so much of the US space infrastructure now relies on private manufacturers, those organizations need to make sure they meet stringent levels of cybersecurity, says Josh Taylor, lead cybersecurity analyst at Fortra, an automated cybersecurity provider. In July 2024, two Democratic US representatives, Maxwell Alejandro Frost (Fla.-10) and Don Beyer (Va.-8) introduced a bill, the Spacecraft Cybersecurity Act, that would require manufacturers to adopt cybersecurity requirements to supply NASA with spacecraft. No actions have been taken on the bill.

"Spacecraft manufacturers are not proactively doing enough to ensure cybersecurity best practices, as evidenced by the original need for the Spacecraft Cybersecurity Act and the lack of progress in adopting large-scale changes since its proposal," Taylor says. "The delay is particularly concerning in today's heightened threat environment, given the recent renewed attention on supply chain breaches targeting government systems."

Related:Ferret Malware Added to 'Contagious Interview' Campaign

**Trump & Policy: Not Politics as Usual**

Such legislation may not get much attention in the current political climate. The Trump administration's off-the-cuff approach to setting policy has made the future of the space program — never mind its cybersecurity — a large question mark. While Trump has focused on space-based initiatives in the past — such as establishing the US Space Command in his first administration, and pledging last month to support programs to land Americans on Mars (a Musk pet project) — cybersecurity-focused regulatory efforts will likely face significant hurdles.

The Biden administration made some progress in cybersecurity but failed to require private contractors to commit to cybersecurity plans. In a flurry of eleventh-hour executive orders in January, the Biden administration issued a wide-ranging mandate to boost cybersecurity using contract requirements and the federal government's purchasing power. Among the provisions are stipulations that NASA and other civilian agencies create cybersecurity requirements for government-contracted systems, and inventory the existing cybersecurity protections of the ground systems that support space missions.

Related:Cybercriminals Court Traitorous Insiders via Ransom Notes

Yet the Trump administration has already reversed several of the previous administration's executive orders and regulations in general, and the threat to undo the National Space Council remains real.

"How important is outer space to the new administration? That's still an open question," says Patrick Lin, director of the Ethics + Emerging Sciences Group at California Polytechnic State University (Cal Poly), and a member of the NSpC's User Advisory Group. "Without \[the NSpC\], we might see a single point of failure, if it's just the White House trying to tackle space policy alone — which already seems low on their agenda and thus may likely be under-staffed."

**Regulation Remains in Orbit**

Musk, meanwhile, has pushed back on regulations for commercial providers, including SpaceX, the dominant maker of private launch systems and spacecraft. The company accounted for more than half (52%) of 259 worldwide launches in 2024. Before attaching himself to the Trump administration, Musk — and SpaceX — had fallen afoul of environmental regulators and federal reporting standards for handling sensitive information.

A single private citizen has seldom, if ever, wielded as much influence over the US government as SpaceX's Musk, who has been designated a "special government employee" and whose team — the Department of Government Efficiency, or DOGE — has moved to cut specific programs and agencies.

But even without the threat of a private citizen with conflicts of interest cutting NASA's regulatory efforts, boosting cybersecurity for spacecraft is not an easy task.

NASA, a historically popular target of hackers, has focused on organizational and terrestrial cybersecurity, but the focus on cyber protection for space-based systems and communications is relatively recent. In 2019 and 2023, NASA issued its first guidelines to secure spacecraft, such as the Orion Multi-Purpose Crew Vehicle, but has not incorporated the requirements into its acquisition policies, according to a 2024 report by the US Government Accounting Office.

In addition, NASA needs trusted suppliers that also know the provenance of their hardware and software, says Space ISAC's Visner.

"Particular attention should be paid to the increasingly global and commoditized supply chain of hardware and software that comprises our space systems," he says. "Industry should recognize — and it appears many industry leaders do recognize — that the systems they produce for the public and private sectors are potential adversary targets."

**Hope Remains for Cybersecurity Moonshot**

A few weeks into the second Trump administration, experts are split on whether cybersecurity will be a focus in the push to ramp up the United States' efforts in space.

On one hand, the Trump administration has not stated a policy for current space efforts nor announced initiatives to secure space-based systems, but then NASA already issued a best-practices guide for securing space systems in 2023.

"It's worth noting that Space Policy Directive 5 (SPD-5), which described the principles for the cybersecurity of space systems, was promulgated by President Trump's first administration, while the subsequent Biden administration pursued implementation of this directive," Visner explains. "So, we can expect additional, and perhaps increased emphasis, as the new administration shapes its efforts."

CalPoly's Lin, however, is a bit more pessimistic about the chances for more stringent cybersecurity requirements for space-based infrastructure and the commercial contractors that manufacture components for those devices and vehicles.

"It's really anyone's guess how all this will play out, and that uncertainty doesn't give much confidence that space cybersecurity will be strengthened," he says. "\[It\] takes real work and coordination — discipline, competence, safety cultures, \[and\] international and industry cooperation. In the absence of governmental leadership, it may be up to the space industry to watch their own cyber-backs, which unfortunately doesn't bode well for national security."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading