Please don’t, actually. But do update your Shimano Di2 shifters’ software to prevent a new radio-based form of cycling sabotage.

Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks. Performance-enhancing drugs. Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs.

Now, for those who fail to download a software patch for their gear shifters—yes, bike components now get software updates—there may be hacker saboteurs to contend with, too.

At the Usenix Workshop on Offensive Technologies earlier this week, researchers from UC San Diego and Northeastern University revealed a technique that would allow anyone with a few hundred dollars of hardware to hack Shimano wireless gear-shifting systems of the kind used by many of the top cycling teams in the world, including in recent events like the Olympics and the Tour de France. Their relatively simple radio attack would allow cheaters or vandals to spoof signals from as far as 30 feet away that trigger a target bike to unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear.

The trick would, the researchers say, easily be enough to hamper a rival on a climb or, if timed to certain intense moments of a race, even cause dangerous instability. “The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time,” says Earlence Fernandes, an assistant professor at UCSD’s Computer Science and Engineering department. “Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that.”

Here's a video demonstration of the researchers’ hacking technique:

The researchers' technique exploits the increasingly electronic nature of modern high-end bicycles, which now have digital components like power meters, wireless control of fork suspensions, and wireless shifters. “Modern bicycles are cyber-physical systems,” the researchers note in their Usenix paper. Almost all professional cyclists now use electronic shifters, which respond to digital signals from shifter controls on the bike's handlebars to move a bicycle's chain from gear to gear, generally more reliably than mechanical shifting systems. In recent years, those wired electronic shifters have transitioned again to wireless versions that pair via a radio connection, such as the popular Di2 wireless shifters sold by the Japanese cycling component firm Shimano, which the researchers focused on.

To exploit those wireless components and sabotage a specific target bike, the researchers' technique does require that a hacker first intercept the target's gear-shift signals at some point before they carry out their attack. The hacker can then replay those signals—even months later—to cause the bike to shift at the hacker's command.

To carry out that eavesdrop-and-replay attack, the researchers used a $1500 USRP software-defined radio, an antenna, and a laptop. They say though that a $350 HackRF would work just as well, and point out that their hardware setup could be miniaturized to the degree that it could be hidden along the sidelines of a race, in a cycling team car, or even in the back pouch of a rider's jersey, such as by implementing it in a Raspberry Pi mini-computer.

Jamming wireless shifters with that toolkit would be considerably easier than even replay attacks, the researchers say. While a jamming attack could prevent a specific rider from shifting gears if a hacker were able to first pick up one of their wireless shifting signals, a saboteur could also simply broadcast a jamming signal at the frequency used by all Shimano shifters, potentially disrupting a large group of racers. The researchers even say that it would be possible to read the shifting signals from an entire peloton of cyclists and then jam everyone _except_ a chosen rider. “You can basically jam everyone except you,” says Northeastern professor Aanjhan Ranganathan, another author of the paper.

Shimano’s Di2 wireless shifting components and the researchers’ hacking toolkit. They say their hardware could easily be miniaturized, by using a Raspberry Pi mini-computer for instance, to make it small enough to be hidden along the sidelines of a race, in a cycling team car, or even in the back pouch of a rider’s jersey.Courtesy of UCSD and Northeastern University

The researchers first reached out to Shimano about their research in March, and the company's engineers worked with them closely to develop a patch. A Shimano spokesperson wrote in a statement to WIRED that the company “identified and created a new firmware update to enhance the security of the Di2 wireless communication systems.”

Shimano says it has provided that firmware update to the professional cycling teams that use its components. But it says its fix won't be more widely available until late August and declined to explain exactly how its update prevents the attacks the researchers identified. “We can share that this update is intended to improve wireless transmission across Shimano Di2 component platforms," the company writes. “We cannot share details on the exact fix at this moment, for obvious security reasons.”

Exactly how the patch will be deployed to customers isn't quite clear either. The company writes that “riders can perform a firmware update on the rear derailleur” using Shimano’s E-TUBE Cyclist smartphone app. But it fails to mention whether the fix will apply to the front derailleur. “More information about this process and steps riders can take to update their Di2 systems will be available shortly,” it concludes.

While Shimano's patching plan leaves a week or two-week gap between the researchers' public presentation of their bike-hacking technique at Usenix and the broad rollout of a fix for customers, UCSD professor Fernandes argues it's unlikely that average riders will be targeted with their technique—at least not immediately. “I find it hard to believe that someone will want to launch such an attack on me during my Saturday group ride,” Fernandes says.

Professional cyclists, however, should be sure to implement the early patch that Shimano has already provided, the researchers say. They note, too, that other brands of wireless shifters may be vulnerable to similar hacking techniques: They focused on Shimano only because it has the largest market share.

In the ruthless world of competitive cycling, which has been rocked to its foundations in recent decades by doping scandals, they argue that rivals hacking each others' shifters is not at all a far-fetched scenario. “This is, in our opinion, a different kind of doping,” says Fernandes. “It leaves no trace, and it allows you to cheat in the sport.”

More broadly, they argue that their radio-based bike hacking research is a cautionary tale about the temptation to add wireless electronic features to every technology, from garage doors to cars to bicycles, and the unintended consequences of that long-term trend—namely, that they've all become vulnerable to forms of replay and jamming attacks of the kind that Shimano is now scrambling to fix.

“This is a repeating pattern,” says Northeastern's Ranganathan, who has also developed solutions for replay attacks on cars’ keyless entry systems. “When manufacturers start putting in wireless features in their products, it has an impact on real-world control systems. And that can cause real physical harm.”

_Corrected at 8/14/2024 at 10:00 am ET to note the correct software-defined radio used in the researchers' experimental setup and remove an incorrect reference to Bluetooth._

Want to Win a Bike Race? Hack Your Rival’s Wireless Shifters

PRESS RELEASE

NEW YORK – Today, Verizon Business released its 2024 Mobile Security Index (MSI) report outlining the top threats to mobile and IoT device security. This year’s report, in its seventh iteration, goes beyond employee-level mobile usage and extends into the usage of IoT devices and sensors and the security concerns the growth of these devices can present especially as remote work continues to be a trend. This expanded view of mobile security concerns for organizations showcases the evolving threat landscape that CIOs and other IT decision makers must contend with.

As dependency on mobile devices grows, so too do the risks, especially in critical infrastructure sectors where the consequences of security breaches can be catastrophic. The 2024 MSI, which surveyed 600 people responsible for security strategy, policy and management, underscores this point.

**Employees are using more mobile and IoT devices, leading to increased cyber risks**

The survey finds that 80% of respondents consider mobile devices critical to their operations, while 95% are actively using IoT devices. However, this heavy reliance comes with significant security concerns. In critical infrastructure sectors, where 96% of respondents report using IoT devices, more than half state that they have experienced severe security incidents that led to data loss or system downtime.

“These findings highlight the continued friction that employers face as more and more work is done on personal mobile devices,” said Phil Hochmuth Research VP, enterprise mobility at IDC. “This is why we are seeing more and more employers move from a pure bring-your-own-device model to employer provided devices where CIO’s can have greater governance to protect critical infrastructure from cyber attacks."

Additionally, Hochmuth says, organizations should adopt robust frameworks such as Zero Trust and the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) 2.0, and comply with mandates like the European Union’s NIS2 Directive.

**Emerging AI cyberthreats meet new AI defenses**

Emerging artificial intelligence (AI) technologies are expected to exacerbate the mobile threat landscape, but it also presents opportunities for defense. A striking 77% of respondents anticipate that AI-assisted attacks, such as deepfakes and SMS phishing, are likely to succeed. At the same time, 88% of critical infrastructure respondents acknowledge the growing importance of AI-assisted cybersecurity solutions.

**Accounting for IoT growth in cybersecurity planning**

With companies increasingly deploying IoT devices, their digital landscapes are evolving, creating a need for cybersecurity strategies to evolve in kind.

“The Industrial Internet of Things (IIoT) is giving rise to a massive expansion in mobile device technology that goes well beyond phones, tablets and laptops. Enterprise networks now include all sorts of sensors and purpose-built devices that monitor, measure, manage and control commercial tasks and data flow,” said TJ Fox, SVP of Industrial IoT and Automotive, Verizon Business. “That IIoT growth brings with it a proportionate need for more knowledge, awareness and IT solutioning to ensure the security of those increasingly sophisticated networks. The growing importance that IoT plays in our customer’s technology ecosystem underscores why it should be a component in any sound cybersecurity program.”

**What business leaders should know**

The 2024 MSI helps inform cybersecurity decisions for leaders of businesses of all sizes and in key sectors. As mobile and IoT threats rise, the need for robust security measures has never been greater. In response to these growing threats, 84% of respondents have increased their mobile device security spending over the past year, with 89% of critical infrastructure respondents planning further increases.

This year’s MSI includes contributions from Verizon’s partners including Ivanti, Lookout, Jamf among others.  Help your organization lower cyber risks by deploying comprehensive security protections, continuous employee education and advanced threat detection capabilities. Read the Verizon Business 2024 Mobile Security Index to learn more about suggested best practices your organization can implement.

Verizon Business 2024 Mobile Security Index Reveals Escalating Risks in Mobile and IoT Security

PRESS RELEASE

SEATTLE -- July 31, 2024 – Protect AI, a leader in AI security, today announced the acquisition of SydeLabs, which specializes in the automated attack simulation (red teaming) of generative AI (GenAI) systems. This strategic acquisition enhances Protect AI's platform ability to test and improve LLM security and extends the company’s lead as the only provider of end-to-end AI security solutions.

SydeLabs: A Leader in AI Red Teaming

Generative AI and LLM adoption are revolutionizing industries. LLMs are being integrated into critical end user applications such as customer service, finance and healthcare. However the complexity and scale of the technology has exacerbated security concerns that traditional application security processes simply can not keep up with or address effectively. 

SydeLabs was founded less than a year ago by former product and engineering leads from Google and MPL, and has quickly established itself as a pioneer in the field of AI security. Based in Bangalore, India, SydeLabs has developed SydeBox, a cutting-edge product designed to provide comprehensive vulnerability assessments for GenAI systems. The talented team from SydeLabs will join Protect AI where they will continue to add local talent in Bangalore to complement our Seattle and Berlin based teams.

“Protect AI is continuously looking to add products to our AI security posture management platform that help our customers build a safer AI-powered world,” said Ian Swanson, CEO of Protect AI. “The acquisition of SydeLabs extends the Protect AI platform with unmatched red teaming capabilities and immediately provides our customers with the ability to stress test, benchmark and harden their large language models against security risks.” 

SydeBox will be integrated into the Protect AI Platform and rebranded as Protect AI Recon. Recon identifies potential vulnerabilities in LLMs, ensuring enterprises can deploy AI applications with confidence. Key features of Recon include no-code integration, model-agnostic scanning, and detailed threat profiling across multiple categories. Recon uses both an attack library and LLM agent based solution for red teaming and evaluating the security and safety of GenAI systems. Protect AI Recon aligns perfectly with the growing demand for robust AI security solutions, driven by formal guidance from NIST, MITRE, OWASP and CISA, as well as mandates like the Executive Order on AI Safety and Security and the EU AI Act.

“The combination of SydeLabs’ SydeBox and Protect AI’s platform provides customers a comprehensive defense-in-depth solution for building, managing, testing, deploying and monitoring LLMs,” said Ruchir Patwa, co-founder of SydeLabs. “We couldn’t be more excited about joining the Protect AI mission and the prospect of what we can achieve in terms of helping companies of all sizes adopt and deploy more secure LLMs and AI applications.”

The new Recon product will enable Protect AI to meet growing customer demand for robust AI security solutions. Customers will benefit from detailed threat profiling across jailbreaks, prompt injection attacks, input manipulations and other attack vectors, which are crucial for maintaining the integrity and security of AI systems. Recon covers six of the OWASP Top 10 for LLM applications.

“Recon, formally SydeBox, has enabled us to identify and fix security blindspots before deploying our GenAI solutions to ensure we are building the most secure and safe LLM powered applications, and that products we serve our customers are free from any security or safety loopholes,” Said Kiran Darisi, CTO and cofounder, AtomicWork.

This acquisition and new product, Recon, further enhances Protect AI’s position as the leader in the AI security market and AI Security Posture Management (AI-SPM) solutions, differentiating it from competitors and solidifying its market presence. More specifically when used alongside Layer, Protect AI’s LLM observability and monitoring solution, Recon enables organizations to harden the implementation of LLMs against the spectrum of emerging security concerns associated with GenAI usage. Partners and stakeholders will also gain from the enhanced security capabilities, ensuring that the entire AI ecosystem is better protected against potential threats.

About SydeLabs

SydeLabs is a pioneering AI security company specializing in automated red teaming for GenAI systems. Founded by former leaders from Google and MPL, SydeLabs has developed SydeBox, a leading product designed to identify and mitigate vulnerabilities in LLMs. SydeLabs’ products have been adopted by enterprises to make GenAI models and applications safe and secure, giving them the confidence to deploy these systems to production. The company is headquartered in Bangalore. 

About Protect AI

Protect AI empowers organizations to secure their AI applications with comprehensive AI Security Posture Management (AI-SPM) capabilities, enabling them to see, know, and manage their ML environments effectively. The Protect AI Platform offers end-to-end visibility, remediation, control, and governance, safeguarding AI/ML systems from security threats and risks. Founded by AI leaders from Amazon and Oracle, Protect AI is backed by top investors, including Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures, 01 Advisors, StepStone Group, Samsung, and Salesforce Ventures. The company is headquartered in Seattle, with offices in Berlin and Bangalore. For more information, visit our website and follow us on LinkedIn and Twitter.

Protect AI Acquires SydeLabs to Red Team Large Language Models

The sustained cyberattack, likely made worse by a mitigation snafu, disrupted several Azure cloud services for nearly eight hours on July 30.

Source: DD Images via Shutterstock

Microsoft blamed an implementation error for amplifying the impact of a distributed denial-of-service (DDoS) attack yesterday, which ended up disrupting the company's Azure cloud services for nearly eight hours.

The attack affected several Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy. The disruption, which began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, also impacted the main Azure portal and a subset of Microsoft 365 and Microsoft Purview data-protection services.

**DDoS Cyber-Defense Error Under Investigation**

In an event summary yesterday, Microsoft described the DDoS attack as causing an "unexpected usage spike \[that\] resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds." The spike caused intermittent service errors, timeouts, and sudden latency increases.

More concerningly in some ways, "while the initial trigger event was a DDoS attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it."

Microsoft has not specifically identified the mistake that exacerbated the DDoS attack. But according to its description of the events of July 30, the initial network configuration changes the company made to support DDoS mitigation efforts may have led to some unexpected "side effects." The company implemented an updated approach that it first rolled out in thbe Asia-Pacific region and Europe, and then deployed in the Americas after validating the approach worked.

"Our team will be completing an internal retrospective to understand the incident in more detail," Microsoft said. "We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded."

**Inadvertent Errors in DDoS Mitigation**

Rody Quinlan, staff research engineer at Tenable, says there are several ways an organization can mess up a DDoS mitigation effort.

"Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure," he says. "These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline."

And while Microsoft's initial response might have contributed to its Azure service problems this week, the incident is another reminder of how effective DDoS attacks remain for adversaries looking to disrupt and degrade a target's online presence.

A Cloudflare report earlier this year identified a 117% increase year-over-year in network-layer DDoS attacks. Part of the reason for that is a specific increase in DDoS attacks that targeted retail, shipping, and public relations websites on and around Black Friday and the holiday shopping season in general. However, many of the attacks have also been by groups looking to send out a specific message or convey a particular political stance. Cloudflare, for example, said it has observed a massive increase in DDoS attacks that target Taiwanese, Israeli, and Palestinian sites amid geopolitical tensions in those areas, and attacks on environmental sciences websites.

**DDoS Attacks Adopt "Smash & Grab" Tactics**

"Trends in DDoS are often cyclical, but currently we’re seeing attacks grow larger in size, and shorter in duration," says Donny Chong, director at DDoS security vendor Nexusguard. "Our most recent data suggests that attack sizes increased by an average of 183% last year, with an average size of 0.80Gbps," he says. At the same time, between 2022 and 2023, the average duration of DDoS attacks dropped to just over 101 minutes. Currently, 81% of DDoS attacks last less than 90 minutes, Chong says.

"Part of this decrease in attack duration is due to attackers becoming more and more efficient when inflicting disruption on business," likely because they are using artificial intelligence (AI) to automate some attacks. But the shorter attack durations are also likely due to mitigation technologies, Chong says. "\[Attackers\] are finding it increasingly difficult to sustain prolonged disruptions. So, rather than a prolonged siege, it's now more a case of ‘smash and grab,'" he says.

Quinlan says the key to mitigating DDoS disruption is having a real-time traffic analysis capability, scalable cloud infrastructure, redundant systems, and intelligent load balancing to prevent overload. "Proper rate limiting, throttling, and WAFs \[Web application firewalls\] filtering malicious traffic, and regular software and hardware vulnerability remediation is crucial to protect systems," Quinlan says. "An effective incident-response plan and collaboration with Internet service providers and security providers enhance detection and mitigation capabilities."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft: Azure DDoS Attack Amplified by Cyber-Defense Error

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

Source: Schoening via Alamy Stock Photo

Multiple ransomware groups have been weaponizing an authentication bypass bug in VMware ESXi hypervisors to quickly deploy malware across virtualized environments.

VMware assigned the bug (CVE-2024-37085) a "medium" 6.8 out of 10 score on the CVSS scale. The average score is largely due to the fact that it requires an attacker to have existing permissions in a target's Active Directory (AD).

If they do have AD access, however, attackers can cause significant damage. With no technical trickery whatsoever, they can use CVE-2024-37085 to instantly scale up their ESXi privileges to the max, opening the door to ransomware deployment, data exfiltration, lateral movement, and more. Groups like Storm-0506 (aka Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (aka Scattered Spider) have already tried it out, deploying ransomware such as Black Basta and Akira.

Broadcom recently published a fix, available on its website.

**How CVE-2024-37085 Works**

Some organizations configure their ESXi hypervisors to use AD for user management. It turns out that by doing this, organizations were exposing themselves to something unexpected. By default, ESXi hypervisors granted full administrative access to any member of an AD domain group named "ESX Admins."

It's unclear how the "ESX Admins" group vulnerability was introduced into ESXi in the first place—Broadcom declined to clarify when Dark Reading reached out on the question. As Microsoft noted in a blog post, there's no particular reason why the hypervisor should have expected such a domain group, or have had a rule for what to do with it. "This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist," the threat intel team wrote. "Additionally, the membership in the group is determined by name and not by security identifier (SID)."

Exploiting CVE-2024-37085 was entirely trivial. So long as an attacker had sufficient privileges in AD, all they'd have to do to gain ESXi admin privileges was to create an "ESX Admins" group in the targeted domain and add a user to it. They could also rename any existing group to "ESX Admins," and either wield one of its existing users or add a new one.

**The Risk with Hypervisors**

"Ransomware attacks targeting ESXi and VMs are increasingly common, especially since around 2020, when enterprises increased their move toward digital transformation and took advantage of modern hybrid cloud and virtualized on-premise environments," explains Jason Soroko, senior vice president of product at Sectigo.

For all the business sense they make, virtualized environments also afford hackers unique benefits. Hypervisors tend to run many VMs at once, making them a one-stop shop for blasting ransomware as widely as possible, and those VMs often host critical services and business data.

Their utility to hackers makes it all the more troubling that, as Microsoft noted in its blog, security products have limited visibility and protections for hypervisors. This, Soroko explains, is "due to their isolation, complexity, and the specialized knowledge required for their protection. This isolation makes it difficult for traditional security tools to monitor and protect the entire environment, and API integration limits further exacerbate this issue."

To cover for these shortcomings, Microsoft highlighted the importance of keeping up to date with patches, and practicing broader cyber hygiene around critical and vulnerable assets. "Attackers love using the path of least resistance that provides maximum opportunity," Soroko notes, adding that ransomware actors will only target these systems more and more in the future.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs

Plus: More Pegasus spyware controversy, a major BIOS controversy, and more of the week’s top security news.

The fallout from CrowdStrike’s deleterious software update came into full view this week as system administrators and IT staffers scrambled to get digital systems back online and return operations to normal. Elsewhere, the Olympics began this week, and Paris is ready with a controversial new surveillance system that hints at a future of ubiquitous CCTV camera coverage. And researchers revealed new findings this week about the innovative malware Russia used in January to sabotage a heating utility in Lviv and cut heat to 600 Ukrainian buildings at the coldest point in the year.

The US Department of Defense has a $141 billion idea to modernize US intercontinental ballistic missiles and their silos around the country. Meanwhile, the European Commission is allocating €7.3 billion for defense research—from drones and tanks to battleships and space intelligence—over the next seven years. And hackers have established a “ghost” network to quietly spread malware on the Microsoft-owned developer platform GitHub.

In more encouraging news, a former Google engineer has built a prototype search engine, dubbed webXray, meant to allow users to find specific privacy violations online, determine which sites are tracking you, and see where all that data goes.

And there’s more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Israel Reportedly Worked to Keep Info on Pegasus Spyware Out of US Courts**

Leaked files obtained by The Guardian reveal that the Israeli government took extraordinary measures to prevent information about the Pegasus spyware system from falling into the hands of US courts, including seizing files directly from the company to prevent legal disclosure. The spyware is the product of the Israel-based NSO Group. It allows users to infect smartphones, extract messages and photos, record calls, and secretly activate microphones. NSO Group faces legal action in the US brought by WhatsApp, which claims the company engineered Pegasus to target users of its messaging software. According to WhatsApp, more than 1,400 of its users were targeted. NSO, whose software has been allegedly tied to the harassment and murder of journalist Jamal Khashoggi, has denied any wrongdoing.

**Massive Screwup Leaves BIOS on 200+ Computer Models Vulnerable**

In an effort to thwart BIOS-based threats, prompted in part by the rollout of a powerful rootkit designed by a Chinese researcher in 2007, Secure Boot became a widely adopted tool. Unfortunately, researchers at the security firm Binarly have revealed that Secure Boot is now “completely compromised” on more than 200 device models, affecting major hardware manufacturers like Dell, Acer, and Intel. The incident was the result of a weak cryptographic key used to establish trust between hardware and firmware systems. AMI, the key's owner, says it was meant to be used for testing and should never have made its way into production.

**Musk’s AI system, Grok, Is Now Feeding on All Your Tweets**

Following in Meta's footsteps, Elon Musk's X quietly adjusted its settings this week to give the company's AI system—known as Grok—access to all of its users' posts. There is a way to prevent Grok from ingesting your posts; however, you cannot perform this action from the mobile app. You'll need to access X's **Settings** using a desktop computer; select **Privacy and Safety**, then select **Grok**, and then uncheck the box. Or just head straight here to go directly to the right settings page. (You can also delete your conversation history with Grok, if you have one, by clicking **Delete conversation history**.)

Stop X’s Grok AI From Training on Your Tweets

Digital literacy and protective measures will be key to detecting disinformation and deepfakes as AI is used to shape public opinion and erode trust in the democratic processes, as well as identify nefarious content.

Source: Enrico01 via Alamy Stock Photo

COMMENTARY

Disinformation — information created and shared to mislead opinion or understanding — isn't a new phenomenon. However, digital media and the proliferation of open source generative artificial intelligence (GenAI) tools like ChatGPT, DALL-E, and DeepSwap, coupled with mass dissemination capabilities of social media, are exacerbating challenges associated with preventing the spread of potentially harmful fake content. 

Although in their infancy, these tools have begun shaping how we create digital content, requiring little in the way of skill or budget to produce convincing photo and video imitations of individuals or generate believable conspiratorial narratives. In fact, the World Economic Forum places disinformation amplified by AI as one of the most severe global risks over the next few years, including the possibilities for exploitation amid heightened global political and social tensions, and during critical junctures such as elections. 

In 2024, as more than 2 billion voters across 50 countries have already headed to the polls or await upcoming elections, disinformation has driven concerns over its ability to shape public opinion and erode trust in the media and democratic processes. But while AI-generated content can be leveraged to manipulate a narrative, there is also potential for these tools to improve our capabilities to identify and protect against these threats. 

**Addressing AI-Generated Disinformation**

Governments and regulatory authorities have introduced various guidelines and legislation to protect the public from AI-generated disinformation. In November 2023, 18 countries — including the US and UK — entered into a nonbinding AI Safety agreement, while in the European Union, an AI Act approved in mid-March limits various AI applications. The Indian government drafted legislation in response to a proliferation of deepfakes during elections cycle that compels social media companies to remove reported deepfakes or lose their protection from liability for third-party content. 

Nevertheless, authorities have struggled to adapt to the shifting AI landscape, which often outpaces their ability to develop relevant expertise and reach consensus across multiple (and often opposing) stakeholders from government, civil, and commercial spheres. 

Social media companies have also implemented guardrails to protect users, including increased scanning and removal of fake accounts, and steering users toward reliable sources of information, particularly around elections. Amid financial challenges, many platforms have downsized teams dedicated to AI ethics and online safety, creating uncertainty as to the impact this will have on platforms' abilities and appetite to effectively stem false content in the coming years. 

Meanwhile, technical challenges persist around identifying and containing misleading content. The sheer volume and rate at which information spreads through social media platforms — often where individuals first encounter falsified content — seriously complicates detection efforts; harmful posts can "go viral" within hours as platforms prioritize engagement over accuracy. Automated moderation has improved capabilities to an extent, but such solutions have been unable to keep up. For instance, significant gaps remain in automated attempts to detect certain hashtags, keywords, misspellings and non-English words.  

Disinformation can be exacerbated when it is unknowingly disseminated by mainstream media or influencers who have not sufficiently verified its authenticity. In May 2023, the Irish Times apologized after gaps in its editing and publication process resulted in the publication of an AI-generated article. In the same month, while an AI-generated image on Twitter of an explosion at the Pentagon was quickly debunked by US law enforcement, it nonetheless prompted a 0.26% drop in the stock market. 

**What Can Be Done?**

Not all applications of AI are malicious. Indeed, leaning into AI may help circumvent some limitations of human content moderation, decreasing reliance on human moderators to improve efficiency and reduce costs. But there are limitations. Content moderation using large language models (LLMs) is often overly sensitive in the absence of sufficient human oversight to interpret context and sentiment, blurring the line between preventing the spread of harmful content and suppressing alternative views. Continued challenges with biased training data and algorithms and AI hallucinations (occurring most commonly in image recognition tasks) have also contributed to difficulties in employing AI technology as a protective measure. 

A further potential solution, already in use in China, involves "watermarking" AI-generated content to help identification. Though the differences between AI and human-generated content are often imperceptible to us, deep-learning models and algorithms within existing solutions can easily detect these variations. The dynamic nature of AI-generated content poses a unique challenge for digital forensic investigators, who need to develop increasingly sophisticated methods to counter adaptive techniques from malicious actors leveraging these technologies. While existing watermark technology is a step in the right direction, diversifying solutions will ensure continued innovation which can outpace, or at least keep up with, adversarial uses. 

**Boosting Digital Literacy**

Combating disinformation also requires addressing users' ability to critically engage with AI-generated content, particularly during election cycles. This requires improved vigilance in identifying and reporting misleading or harmful content. However, research shows that our understanding of what AI can do and our ability to spot fake content remains limited. Although skepticism is often taught from an early age in the consumption of written content, technological innovations now necessitate the extension of this practice to audio and visual media to develop a more discerning audience. 

**Testing Ground**

As adversarial actors adapt and evolve their use of AI to create and spread disinformation, 2024 and its multitude of elections will be a testing ground for how effectively companies, governments, and consumers are able to combat this threat. Not only will authorities need to double down on ensuring sufficient protective measures to guard people, institutions, and political processes against AI-driven disinformation, but it will also become increasingly critical to ensure that communities are equipped with the digital literacy and vigilance needed to protect themselves where other measures may fail.

**About the Author(s)**

Associate, Strategic Intelligence, S-RM

Erin Drake is an associate in S-RM’s Strategic Intelligence team, where she leads on case management of regular and bespoke consulting projects. She joined the firm in 2017 and has worked on a variety of projects ranging from threat assessments to security risk assessments across several markets. This often entails the development of client-specific approach and methodological framework for high-level and detailed bespoke projects, to support clients in understanding and monitoring the security, political, regulatory, reputational, geopolitical, and macroeconomic threats present in their operating environment. Erin’s expertise includes global maritime security issues, political stability concerns in the commercial sector, and conflict analysis. Erin holds a master's degree in international relations with a focus on global security issues like nuclear proliferation and multilateral diplomacy.

Global Cyber Threat Intelligence Lead, S-RM

Melissa DeOrio is Global Cyber Threat Intelligence Lead at S-RM, supporting clients on a variety of proactive cyber and cyber-threat intelligence services. Before joining S-RM, Melissa worked on US Federal Law Enforcement cyber investigations as a cyber targeter. In this role, Melissa utilized numerous cyber-investigative techniques and methodologies to investigate cyber threat actors and groups including open source intelligence techniques, cryptocurrency asset tracing as well as identifying and mapping threat actor tactics, techniques, and procedures (TTPs) to provide tactical and strategic intelligence reports. Melissa began her career in corporate intelligence, where she specialized in Turkish regional investigations, managed a global team of researchers, and played a role in the development and implementation of a new compliance program at a leading management consulting firm.

AI Remains a Wild Card in the War Against Disinformation

As the travel industry rebounds post-pandemic, it is increasingly targeted by automated threats, with the sector experiencing nearly 21% of all bot attack requests last year. That’s according to research from Imperva, a Thales company. In their 2024 Bad Bot Report, Imperva finds that bad bots accounted for 44.5% of the industry’s web traffic in 2023—a significant jump from 37.4% in 2022.

As the travel industry rebounds post-pandemic, it is increasingly targeted by automated threats, with the sector experiencing nearly 21% of all bot attack requests last year. That's according to research from Imperva, a Thales company. In their 2024 Bad Bot Report, Imperva finds that bad bots accounted for 44.5% of the industry's web traffic in 2023—a significant jump from 37.4% in 2022.

The summer travel season and major European sporting events are expected to drive increased consumer demand for flights, accommodation, and other travel-related services. As a result, Imperva warns that the industry could see a surge in bot activity. These bots target the industry through unauthorized scraping, seat spinning, account takeover, and fraud.

****From Scraping to Fraud****

Bots are software applications that run automated tasks across the internet. Many of these tasks, from indexing websites for search engines to monitoring website performance, are legitimate, but a growing number are not.

Bad bots engage in various malicious activities, from denial-of-service attacks to transaction fraud. These automated threats can consume bandwidth, slow down servers, and disrupt business operations even when not directly stealing sensitive data or conducting fraudulent transactions.

The travel industry has long grappled with complex bot issues, as malicious actors can exploit the various ways in which business logic is utilized in travel applications. These are some of the most common ways travel-related applications are targeted daily:

*   **Fare Scraping:** The use of bots to aggregate pricing information, inventories, discounted fares, and more. Airlines are particularly targeted by scraping, as bots operated by Online Travel Agencies (OTAs), aggregators, and competitors often harvest data without permission. As a result, the high volume of bots scraping information can skew critical business metrics like look-to-book ratios and inflate API costs. For example, one airline incurred $500,000 per month in API request fees due to a surge in bad bot traffic scraping its search API.
*   **Seat Spinning:** The use of bots to repeatedly book and cancel airline seats or hotel rooms, creating a temporary hold on inventory without making an actual purchase. This activity falsely creates scarcity, making it seem like fewer seats or rooms are available. As a result, it misleads customers and potentially drives up prices due to perceived high demand. This artificial shortage can lead to inventory mismanagement, making it difficult for legitimate customers to find and book available seats or rooms. Consequently, travel companies may suffer revenue losses as real customers are deterred by unavailability or inflated prices caused by the fake demand. Seat spinning also disrupts the normal operations of airlines and hotels, leading to inefficiencies and increased operational costs associated with managing and monitoring such fraudulent activities. This deterioration in customer experience can lead to frustration as genuine customers face difficulties in finding and booking seats or rooms.
*   **Account Takeover:** The travel industry experienced the second-highest volume of account takeover (ATO) attempts in 2023, with 11% of all ATO attacks targeting the industry and 17% of all login requests associated with ATO. Cybercriminals target this industry due to the valuable personal information, stored payment methods, and loyalty points within user accounts, making them lucrative for identity theft and fraud. Time-sensitive, high-value travel transactions enable quick monetization, often before fraud is detected, resulting in financial losses, damaged customer trust, and harm to the company's reputation. Moreover, addressing ATO demands substantial resources for customer support, reimbursements, and security enhancements. The industry's interconnected systems and numerous entry points further exacerbate its vulnerability.

****Not All Bots Are Created Equal****

Imperva categorizes malicious bot activity into three categories: simple, moderate, and advanced. Connecting from a single, ISP-assigned IP address, simple bad bots connect to sites or applications using automated scripts without self-reporting as a browser. Moderate bad bots use "headless browser" software that simulates browser technology, including the ability to execute JavaScript. Advanced bad bots mimic human user behavior, such as mouse movements and clicks, to spoof bot detection. They also use browser automation software or malware installed within real browsers to connect to sites.

Simple bad bots often perform basic web scraping activity, while advanced bad bots may be needed for more sophisticated fraud and account takeover attempts. The travel industry is particularly plagued by advanced bad bot activity, which accounted for 61% of bad bot activity last year. Advanced bad bot traffic poses a significant risk, as these bots can achieve their goals with fewer requests than simple bad bots and are much more persistent.

Sophisticated bot operators often employ techniques shared between moderate and advanced bad bots to evade detection. These evasive bots use complex tactics like cycling through random IPs, entering via anonymous proxies, defeating CAPTCHA challenges, and more to circumvent bot management solutions.

****Layering up Defenses****

Bots accounted for nearly half of all traffic within the travel industry in 2023. That situation could worsen as consumer demand for travel grows and bot operators target loyalty rewards programs, carry out account takeover attacks, or commit fraud. To mitigate these threats, Imperva recommends several strategies for IT security teams.

First, organizations must identify risks through advanced traffic analysis and real-time bot detection. Understanding exposure, particularly around login functionalities, is crucial as these are prime targets for credential stuffing and brute force attacks. A comprehensive security strategy should encompass all digital touchpoints, including APIs and mobile applications.

Imperva suggests several quick wins, such as blocking outdated browser versions, restricting access from bulk IP data centers, and implementing detection strategies for signs of automation, like unusually fast interactions. Regular monitoring for traffic anomalies, such as high bounce rates or sudden spikes, can help identify bad bot activity. Additionally, analyzing suspicious traffic sources, like single IP addresses, can provide valuable insights.

As bot technology advances, especially with AI, distinguishing between good and bad traffic will become more challenging. Therefore, Imperva advocates for layered defenses, including user behavior analysis, profiling, and fingerprinting, as essential measures for the travel industry.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Automated Threats Pose Increasing Risk to the Travel Industry

Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill’s threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk. 
Cybersecurity professionals are facing unprecedented challenges as they strive to manage increasing workloads

_Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill's threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk._

Cybersecurity professionals are facing unprecedented challenges as they strive to manage increasing workloads amidst limited budgets, inadequate staffing, and growing attack surfaces. Research indicates that a majority of these professionals find their jobs more difficult than ever, and a significant number are contemplating leaving their current positions due to the stress and demands of the role.

The value of cyber threat intelligence (CTI) in anticipating and mitigating potential attacks is widely recognized. However, security teams face several challenges in effectively utilizing CTI insights, which can turn a powerful cyber defense weapon into an additional burden that security professionals must contend with to perform their jobs effectively, further fueling their stress and frustration. Such issues include a lack of interoperability among cybersecurity tools, inadequate funding, and insufficient time. However, 44% of respondents cited the most significant obstacle as the lack of trained staff or skills to fully utilize CTI.

The shortage of skilled cybersecurity professionals is a long-term issue that has created a gap between the available CTI information and the ability of security teams to act upon it. This skills shortage, with a global deficit of around 4 million cybersecurity employees, exacerbates the challenges faced by organizations in protecting themselves from cyber threats.

Another critical issue for cybersecurity teams is the frequent requests for reports from board directors, senior executives, and other stakeholders. When major media outlets raise alarms about new, pervasive malware, top executives naturally seek immediate assurance and action from their cybersecurity teams. Producing these reports, however, is a time-consuming process. It involves gathering data from various open sources, analyzing the information, and compiling it into a comprehensive report. According to one survey, 60% of respondents spend up to 40% of their time responding to such cybersecurity news reports, time that is desperately needed for other critical tasks.

This problem is particularly pronounced for Managed Services Security Providers (MSSPs), who must often summarize findings and communicate them to multiple clients simultaneously. The extensive manual effort required for this reporting can strain already overburdened teams.

****Enter Cybersixgill's IQ Report Generator****

Cybersixgill has introduced a solution that promises significant relief: the IQ Report Generator. Leveraging the capabilities of Cybersixgill IQ, the company's generative AI offering, this tool allows security teams and MSSPs to create comprehensive CTI reports in a matter of minutes. This innovation represents a substantial shift from the traditional manual process of culling through disparate intelligence sources and navigating various platforms.

IQ Report Generator utilizes generative AI to rapidly compile and organize information into reports that are easily understandable by non-technical stakeholders, such as board members and C-level executives. These reports not only assess the current situation but also provide actionable insights and recommendations for next steps. For more technical audiences, IQ Report Generator can produce in-depth and detailed reports tailored to specific needs.

****Versatile Reporting Capabilities****

The AI report generator offers several parameters that users can adjust to customize their reports, including topic, audience, format, and timeframe. This flexibility ensures that the reports are relevant and useful for a variety of purposes. Here are some of the types of reports that can be generated:

*   **Incident Response Reports:** Detailing indicators of compromise, attack timelines, affected systems, and recommended actions.
*   **Threat Intelligence Briefings:** Assessing key threat trends, emerging threats, and their potential impact on the organization.
*   **Vendor Risk Reports:** Highlighting risks from third-party vendors and informing decision-making.
*   **Post-Incident Reports:** Summarizing lessons learned, recommendations for improvement, and strategies to prevent future incidents.
*   **Risk-Assessment Reports:** Evaluating overall cybersecurity risk, potential impacts, and mitigation strategies.

By automating the report-creation process, security teams have more time to focus on proactive measures to prevent cyberattacks and are also better able to manage the skills shortage that may impact their organization. MSSPs, in particular, can communicate risk and ROI to their clients more efficiently, especially when they need to generate multiple custom reports tailored to each client organization.

The reports generated by IQ Report Generator provide more than just raw data; they offer insights and recommendations for remediation, making them valuable tools for both strategic planning and immediate action. The ability to produce high-level summaries for executives and detailed technical reports for security teams ensures that all stakeholders receive the information they need in a format they can understand and act upon.

****Conclusion****

As cybersecurity threats continue to evolve and become more sophisticated, the demands on cybersecurity professionals will only increase. Tools like Cybersixgill's IQ Report Generator offer a much-needed solution to alleviate some pressures faced by these professionals. By automating the report generation process and providing actionable insights, IQ Report Generator enables security teams to focus on more critical tasks, ultimately enhancing their organizations' overall cybersecurity posture.

To learn more about this innovative tool, click here to see a quick demo, or contact Cybersixgill to generate a free CTI report in minutes.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ease the Burden with AI-Driven Threat Intelligence Reporting 

A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.

EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.

Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.

EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operations and moved some of its Ukrainian workers to locations outside of that country.

The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker who spoke with WIRED didn’t identify all of the victims breached through EPAM but did indicate that Ticketmaster was one of them. Ticketmaster did not respond to a request for comment from WIRED. But Ticketmaster’s parent company, Live Nation, has acknowledged that data was stolen from its Snowflake account in May without revealing how much data was stolen or how the hackers accessed the Snowflake account. In a post offering the data for sale, however, the hackers indicated that they had taken data on 560 million Ticketmaster consumers.

The hacker claims that in some cases they were able to directly access the Snowflake account of EPAM customers using the plaintext usernames and passwords they found on the EPAM worker’s computer. But in cases where Snowflake credentials weren’t stored on the worker’s system, the hacker claims they sifted through stockpiles of old credentials stolen in previous breaches by hackers using infostealer malware and found additional usernames and passwords for Snowflake accounts, including ones harvested from the machine of the same EPAM worker in Ukraine.

Credentials harvested by infostealers are often posted online or made available for sale on hacker forums. If victims don’t change their login credentials after a breach, or don’t know their data has been stolen, those credentials can remain active and available for years. It’s especially problematic if those credentials are used across multiple accounts; hackers can identify the user through the email address they use as a login credential, and if that person reuses the same password, hackers can simply try those credentials in multiple places.

The hackers in this case say they were able to use credentials stolen by an infostealer in 2020 to access Snowflake accounts.

WIRED wasn’t able to independently confirm that the hackers were inside the EPAM worker’s machine or used EPAM to gain access to Ticketmaster’s data and other Snowflake accounts, but the hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

Furthermore, in the blog post written by Mandiant, which was published after the hacker told WIRED about his group’s use of data harvested by infostealers, the security firm revealed that the hackers who breached Snowflake accounts used old data siphoned by infostealers to access some of the accounts. Mandiant said that about 80 percent of the victims it identified in the Snowflake campaign were compromised using credentials that had previously been stolen and exposed by infostealers.

And an independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunter hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer that includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account, as well as a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account.

“This means that \[an EPAM worker\] who had access to that Snowflake \[account\] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says the researcher, who asked to be identified only as Reddington, an identity they use online to communicate with cybercriminals. “This means that anyone that knew the correct URL to \[Ticketmaster’s\] Snowflake could have simply looked up the password, logged in, and stolen the data.”

An EPAM spokesperson did not seem to be aware when contacted by WIRED early this week that its company allegedly played a role in breaches of Snowflake accounts. “We do not comment on situations to which we are not a part,” she wrote in an email, suggesting the company did not believe it played any role in the campaign. When WIRED provided the spokeswoman with details about how the hackers say they obtained access to the system of an EPAM worker in Ukraine, she replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”

WIRED followed up by providing the name of the Ukrainian worker whose machine the hackers allegedly compromised, as well as the username and password the worker used for accessing Ticketmaster’s Snowflake account, but the spokesperson did not respond to any additional questions.

It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to \[make the\] default MFA,” he says.

_Update 6/17/2024, 5:45 pm EDT: The article was updated to clarify the details that Santander has publicly revealed about the hack._

Tag

#acer