A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients. Within 90 minutes, 1,165 malicious emails bombarded 22 user inboxes, aiming to trick users into clicking on malicious links.

Researchers at SlashNext have published new findings revealing attackers using tactics similar to the **Black Basta ransomware gang**, targeting 22 inboxes within 90 minutes. The attack was swift and targeted, aiming to overwhelm users and bypass traditional security measures.

According to their **blog post**, shared with Hackread.com, this Black Basta-style attack utilizes a ransomware scam that deceives employees into granting remote access to their computers. 

SlashNext’s investigation of this phishing wave revealed five key tactics used by attackers: masquerading as popular platforms like WordPress and Shopify, using legitimate-looking domains to send fake account creation and subscription emails, utilizing seemingly harmless domains, using unusual characters or minor variations in subject lines, and targeting different user roles to increase attention.

The attackers first flood inboxes with seemingly legitimate emails like newsletters or payment receipts. The emails used subject lines like “Account Confirmation” and “Subscription Notice” to entice users to click malicious links, causing a sense of urgency. Attackers further employed social engineering tactics by incorporating foreign languages or odd characters to bypass basic keyword filters. 

This initial barrage creates confusion and makes it difficult to distinguish genuine emails from malicious ones. When users are overwhelmed, attackers swoop in, often via phone calls or messages impersonating IT support. By speaking confidently, they gain trust and trick users into installing remote access software like **TeamViewer or AnyDesk**. Once this software is installed, attackers gain a foothold in the system, potentially spreading malware or compromising sensitive data on the network.

Targeted Campaign Stats and the types of scams (Via SlashNext)

Fortunately, SlashNext’s Integrated Cloud Email Security (ICES) quickly identified hundreds of red flags targeting a small group of users. Within a mere 90 minutes, a whopping 1,165 emails bombarded 22 mailboxes, averaging over 50 emails per user in rapid bursts. This tactic aimed to create panic and encourage impulsive clicks.

The ICES platform’s early detection allowed the client to respond proactively and prevent the attack from spreading. SlashNext’s AI-powered security system, SEER™, proactively identified and blocked these emails in real time. SEER™ analyzes email behaviour beyond simple keyword checks, detecting suspicious patterns like encoded URLs and fake login pages. Researchers noted a sudden rise in these attacks across the web between November and December. SlashNext was the first to launch an automated AI-powered defence to handle the situation in real time.

The incident shows the increasing nature of cybersecurity threats, with attackers using sophisticated techniques to evade traditional security measures. Organizations should prioritize threat detection and response, and regular security assessments to identify vulnerabilities and improve overall security.

1.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
2.  Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Flaws
3.  Russian APT29 Using NSO Group-Style Exploits in Attacks: Google
4.  Iranian Hackers Team Up with Ransomware Gangs in Attacks on US
5.  BlackByte Ransomware Exploits VMware Flaw in VPN-Based Attacks

Top/Feature Image via Freepik

Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes

Cybersecurity is facing new challenges with advances in AI, cloud tech, and increasing cyber threats. Solutions like blockchain…

Cybersecurity is facing new challenges with advances in AI, cloud tech, and increasing cyber threats. Solutions like blockchain are emerging to support data security and trust.

Cybersecurity faces considerable challenges in light of recent technological developments, from artificial intelligence to exposed programming vulnerabilities. At the same time, emerging attacks on cloud, hardware, and machine learning hinder business progress as hackers and illicit actors create subtle but complex breaches and other similar threats.

As companies find it more difficult to withstand these issues, new solutions such as blockchain technology arise to push for top-notch security and innovation. Digital ledgers are transparent and immutable, borrowing safety features from their consensus mechanisms.

An example of such blockchain is Tron, an ecosystem whose tools offer developers opportunities to use smart contract technology to create decentralized applications. The native token powers up the network, so the TRX price is influenced by the bandwidth efficiency, which dictates the level of network congestion. 

The Tron blockchain is only one of the emerging technologies whose features can protect customers’ data integrity in the real world. Here’s how. 

Cybersecurity audits are imperative in this fast-paced world of changing technologies. First, audits help identify and mitigate upcoming risks, comply with regulations, and maintain business continuity. Still, not all companies perform the audit correctly, considering it can extend for a longer period. 

That’s why blockchain could be used for cybersecurity audits. Since the ledger is immutable, every data record is tamper-resistant, meaning no one can interfere with and modify data sets. Therefore, the blockchain becomes a tool for tracking and assessing security incidents. At the same time, since blockchain data is transparent to anyone, it’s easier to decide if the data complies with current regulations. 

A blockchain audit can also target special attacks for the ledger, from 51% attacks to smart contract vulnerabilities. Some of its key components include the following actions: 

*   Code review of the smart contracts; 
*   Network architecture examination; 
*   Consensus mechanism assessment; 
*   Private key analysis; 
*   Third-party integrations; 

**Blockchain and threat response **

Threat response management involves all the tools and actors involved in acting as fast as possible upon a cybersecurity alert. Identifying, containing, and mitigating a threat are essential methods to avoid further problems of data theft, financial trouble, and damage to brand reputation. 

Blockchain’s automation features are the best solution for automating these responses in case of an incident. The digital ledger leverages real-time data on threats in a decentralized manner, so the response won’t further compromise data security. Decentralization and automation also establish another layer of security over ecosystems due to the complexity of manipulating the system.

One of the best features for indecent response involves smart contract automation. Developers can establish code that automatically triggers the smart contract to operate when certain conditions are met, such as a cyberattack. For example, when the blockchain identifies signs of an attack, such as employees receiving strange emails or noticing redirected internet searches, the smart contract immediately notes important components and isolates the attack as efficiently as possible. 

****Blockchain and DDoS protection** **

A distributed denial-of-service attack can exploit multiple sources of data traffic, from computers to IoT devices, to achieve maximum effectiveness in disrupting a server’s regular traffic. Malicious attempts are one of the most challenging to deal with as an IT infrastructure, and there are many types of DDoS attacks, each with unique features. 

Blockchain technology can protect servers from such risks by increasing resilience and improving service availability. The distributed network leverages scattered resources across the ledger, employing multiple points of control. Therefore, it’s considerably difficult for hackers to overwhelm all the nodes with traffic, lowering the chances of this happening at all. 

The digital ledger strategy can help companies absorb and mitigate attacks, offering them a chance to continue operating even when pressed on a potential attack. Hence, no attack can lead to disruptions, making it achievable for businesses to navigate such challenges. 

****Blockchain and Zero-Trust security models** **

The Zero Trust security method of protecting networks is one of the latest and most efficient strategies for addressing the challenges of modern infrastructure. In this model, everyone involved in the organization must comply with authentication, authorization, and validation requirements to access data and applications. 

Since this process can require time and resources, the best option is to approach blockchain technology to settle it. A digital ledger is much more efficient for identity verification and access control because it eliminates unauthorized access and, therefore, insider threats. 

The blockchain ensures that every access request is thoroughly analyzed, regardless of its origins, to secure the ecosystem. This means the ledger can better respond to suspicious activities in real time. 

****Blockchain and file storage** **

Storing data files is necessary for every enterprise because they contain important information supporting its development and innovation. However, considering their values, companies must extensively protect these resources from unauthorized access, whether accidental or deliberate. 

Currently, most companies work with centralized storage systems, which are considerably exposed to threats. On the other hand, a decentralized approach is superior as it distributes the information across an expansive network, eliminating the risks of a single point of failure. Therefore, data sets are less exposed to breaches as privacy is secured. 

That’s because blockchain decentralization ensures file storage by fragmenting and encrypting the files before distributing them across the network and multiple nodes. So, even if one or a few nodes are compromised, the data still lives within others, making it inaccessible to unauthorized access.

Critical data can be safe and valuable even during cybersecurity threats due to efforts to maintain resilience and data availability. At the same time, the multiple nodes and access points on the blockchain make it easy for a plan to be established to navigate a potential attack. 

****What do you think about blockchain for cybersecurity?** **

In a fast-paced world of technology where data is most important for companies and users, we ought to find improved ways to safeguard information. Blockchain is capable of creating a new era of data security in which resilience is prioritized. For example, blockchain can perform enhanced data audits, respond to threats in no time, and store files across multiple nodes. Therefore, it brings a more efficient method of ensuring data security. 

_**Editor’s Note:** This content is for informational purposes only and should not be considered financial, investment, or legal advice. Always consult a professional for guidance tailored to your specific situation._

1.  **Is the Blockchain Secure? Yes, and Here’s Why**
2.  **Signal21 Beta Launch Bridges Gap in Blockchain Intel Services**
3.  **Ethereum’s Layer 2 Solutions Could Outrun the Main Blockchain**
4.  **Blockchain in Identity Management: Securing Data and Identities**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/ Featured Image source: Freepik

Blockchain in cybersecurity: opportunities and challenges 

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account…

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account and replaced the legitimate Kong Ingress Controller v.3.4.0 image with a malicious version.

A critical security vulnerability was identified in Kong Ingress Controller version 3.4.0. This vulnerability stemmed from an unauthorized image uploaded to DockerHub on December 23rd, 2024. The affected image (hash: sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) contained malicious code that enabled cryptojacking. 

This malicious code directed the controller to pool.supportxmr.com, a crypto mining site, which means the image contained code that secretly mined cryptocurrency. Moreover, it would have been executed by any system running the compromised image, effectively turning those systems into unintended mining rigs.

The Kong team became aware of the issue on January 2nd, 2025 and took swift action. They removed version 3.4.0 and all associated tags from DockerHub. Additionally, they rotated all access keys used for DockerHub access. Finally, a patched version, 3.4.1, was released on January 2nd, 2025. This version removed the unauthorized cryptojacking code.

There is currently no evidence to suggest that any Kong Ingress Controller versions besides 3.4.0 (specifically the image hash mentioned above) were affected.

****What You Should Do:****

If you deployed Kong Ingress Controller version 3.4.0 between December 22nd, 2024 and January 3rd, 2025, immediate action is required. You should remove this image from all internal registries and clusters.

To fix the issue, remove the vulnerable image (sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) from internal registries and clusters, pull a remediated image from either the patched version 3.4.1 or a clean version 3.4.0.

The fixed image hashes for the clean, re-tagged version of 3.4.0 are:

AMD64: sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f

ARM64: sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee

By taking these steps, you can ensure you are no longer running a vulnerable image and protect your systems from cryptojacking attempts.

Dan Lorenc, CEO and founder of software supply chain security platform Chainguard provided Hackread.com with a detailed comment addressing the core issues within this attack stating, “Supply-chain breaches happen, and it looks like the kong/kubernetes-ingress-controller images are the latest to fall victim. Here’s what we know so far:

*   A DockerHub PAT used to upload release images was compromised sometime before Dec. 23rd
*   The attacker used this PAT to upload a malicious version of the 3.4.0 release image directly to DockerHub
*   This image contained code to mine cryptocurrency and send results to a specific wallet
*   High CPU usage was reported by a user on December 29th, and the malicious images were taken down by January 2nd
*   New versions were uploaded, and the keys used to upload were revoked/rotated by the maintainers

“How should you protect against attacks like this? As a maintainer, any key you have is a key that you can leak,” said Dan. “Lock down and regularly audit all systems that have access to PATs like this, or choose systems that allow OIDC-based authentication to avoid this altogether. CI/CD pipelines are notoriously hard to configure securely; tools like Zizmor (lnkd.in/eGSGrMqm) help here. Signing artefacts can help even if you can’t use OIDC to publish or users pull from mirrors out of your control.”

“As an end-user, pin images you receive from third-parties by digest and test/malware scan them before upgrading. Check signatures if they exist,” Dan explained.

Nevertheless, a crypto mining attack on organizations could have drastic implications, including increased resource consumption, higher energy costs, and a multitude of security risks. The compromised image could have introduced vulnerabilities or backdoors, allowing attackers to gain further access, highlighting the importance of software supply chain security, particularly for critical components like container images. Organizations should employ image integrity verification mechanisms, and conduct regular security audits to identify and mitigate vulnerabilities.

1.  **OracleIV DDoS Botnet Hits Docker Engine API Instances**
2.  **Malware Hits 9Hits, Turns Docker Servers into Crypto Miners**
3.  **Hackers hijacking Bitbucket and Docker Hub for Monero mining**
4.  **TeamTNT Exploits 16M IPs in Malware Attack on Docker Clusters**
5.  **Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps**

Malicious Kong Ingress Controller Image Found on DockerHub

The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw

Telefónica faces a data breach impacting its internal systems, linked to hackers using compromised credentials. Learn more about this alarming cyber threat.

****SUMMARY****

*   **Telefonica confirmed a data breach involving its internal Jira ticketing system, with stolen data leaked online.**

*   **Hackers used compromised employee credentials to access and scrape 2.3 GB of internal data.**

*   **The breach is linked to Hellcat Ransomware, also tied to a Schneider Electric cyberattack.**

*   **No extortion attempts were made; data was leaked without contacting Telefonica.**

*   **The attack highlights increasing cyber threats against global telecommunications firms.**

Telefonica, a Spanish multinational telecommunications company, confirmed a data breach of their internal ticketing system. The confirmation came after stolen data appeared on Breach Forums, a cybercrime and hacking forum.

Screenshot from Breach Forums (Credit: Hackread.com)

Telefonica, the largest telecommunications firm in Spain, operates in twelve countries with over 104,000 employees. The Telefonica cyberattack. The company has confirmed that its ticketing system was breached and that it is currently investigating the incident’s extent and has taken steps to prevent further unauthorized access. The leak on the hacking forum included a Telefonica Jira database. 

Four individuals using aliases DNA, Grep, Pryx, and Rey claimed responsibility for the breach. According to Pryx, one of the attackers, the “internal ticketing system” is an internal Jira development and ticketing server utilized by Telefonica for reporting and resolving internal issues. 

According to sources, compromised employee credentials were used to breach the system on the prior day. Telefonica responded by blocking their access and resetting passwords on impacted accounts. The attackers say they were able to scrape roughly 2.3 GB of documents, tickets, and various data using the compromised employee accounts. While some of this data was labeled as customers, the tickets were opened with @telefonica.com email addresses, indicating they might have been opened on behalf of customers.

Screenshot from the leaked data (Credit: Hackread.com)

Pryx claims they did not contact Telefonica or attempt extortion before leaking the data online. Three individuals behind the attack, Grep, Pryx, and Rey, are also part of a recently launched ransomware operation known as Hellcat Ransomware. Hellcat is responsible for a recent data breach at Schneider Electric, where 40GB of data was stolen from the company’s JIRA server.

This Telefonica cyberattack reportedly involves Fortinet, a crucial component of the company’s network infrastructure. While the extent of the data breach and the nature of the compromised data remain undisclosed, concerns have arisen regarding the potential impact. Despite the claim, Telefonica’s official website remains functional, raising questions about the authenticity of the alleged cyberattack.

This, however, is not the first time that Telefonica has suffered a data breach. In July 2018, millions of Telefonica customers had their data exposed after a security breach. Nevertheless, as the telecommunications industry faces cyber threats, companies must maintain their collaboration to establish proper cybersecurity measures against critical infrastructure. 

1.  **Telecom Giant BT Group Hit by Black Basta Ransomware**
2.  **8220 Gang Targets Telecom in Global Cryptojacking Attack**
3.  **Hackers Breach TPG Telecoms’ Email Host to Steal Client Data**
4.  **US Telecom Breaches Widen as 9 Firms Hit by Chinese Hackers**
5.  **New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms**

Hackers Breach Telefonica Network, Leak 2.3 GB of Data Online

Discover how AI revolutionizes cybersecurity with real-time threat detection, adaptive protection, and advanced data protection to combat evolving…

Discover how AI revolutionizes cybersecurity with real-time threat detection, adaptive protection, and advanced data protection to combat evolving cybersecurity risks.

Cybersecurity threats are no longer luxuries of the big corporations and reach every part of our connected world making big and small businesses both vulnerable. With attacks becoming smarter and more sophisticated, traditional security measures frequently can’t keep up.

Enter Artificial Intelligence (AI) and how they have begun to change how we defend against cybersecurity risks. In this article, we’ll talk about how AI powers threat intelligence and strengthen cyber defence strategies so that organizations never find themselves behind the curve of malicious actors.

****The Foundation of AI in Cybersecurity****

AI revolutionized the cybersecurity field by providing tools beyond static defences. AI learns patterns from millions of data and reports the anomalies that were otherwise left unnoticed. Thus, unlike conventional systems, AI developed as an already mature and powerful response to what could be learned in certain usage scenarios with time, also because it doesn’t require any extensive manual configuration, making it perfect for proactive threat intelligence.

One key application is Two-Factor Authentication Methods. In complement to the authentication process, AI analyzes login patterns and signals on unusual access attempts. This can, for example, block login attempts with the correct credentials from risky locations – just another level of security. Integrating machine learning models means both security and user convenience.

****Identifying Threats Before They Strike****

Hence, AI driven cybersecurity is all about being able to predict and react to threats. Using machine learning, we build predictive models that aggregate and analyze data from previous attacks, and then try to detect warning signs before breaches take place. That’s proactive, saves time, and minimizes damage.

For instance, AI tools detect system behaviours in real-time, alerting them of anything unusual and escalating cases, such as an unexpected increase in outbound traffic or unauthorized access to some data. These early warnings help the security teams to do something before the harm is already done. Anomaly detection algorithms and other advanced AI systems mean that even the slightest hints of an attack don’t slip under the radar.

****AI-Powered Defense Mechanisms****

It’s not just detecting threats; it’s defending against threats in real-time. AI-powered automated response systems immediately block attacks. AI helps to quickly and efficiently counteract threats, by enchasing firewalls and neutralizing malware.

A standout example is its role in implementing multi-factor authentication windows. AI aids in physical identity verification more reliably than people could using a manual system by monitoring access requests on devices and across time zones. It’s combined with intelligent firewalls so that attackers are stopped at the gate, and no unauthorized entry is allowed.

****Adapting to Evolving Cyber Threats****

Things change quickly in the cyber threat space but when it comes to AI it changes even faster. The AI is constantly trained using new data in order to counter emerging risks. From ransomware to zero-day exploits, AI systems will evolve to tackle new problems.

Take phishing, for instance. Because AI knows what patterns to look for in the text, as well as sender and email behaviour, as well as embedded links, it has the ability to recognize fraudulent emails. Phishing tactics undergo regular change, where AI’s ongoing process of information digestion and processing means that it keeps a step ahead. However, flexibility had to exist to combat ever-changing attack strategies.

****Protecting Data with AI****

Attackers seek out data, so protecting it is job one. In turn, AI encrypts data more securely and at a faster rate while also being able to detect unauthorized access attempts. For instance, if one wishes to monitor file transfers anywhere sensitive documents are being accessed outside approved parameters, the AI will do this and will alert administrators or supervisors when required.

Offloading the work and analysis of your users allows an organization to better protect its users and secure sensitive data, and is an integral part of AI’s predictive analytics that also prevent data breaches. It analyzes historical trends of high-risk behaviours that could result in leaks. Such measures protect customer trust as well as adherence to data protection laws.

****AI’s Role in Network Security****

Networks are the foundation of any organization’s digital infrastructure, with AI strengthening protection through proper security and traffic monitoring.

An example would be AI-driven tools that can spot abnormal behaviours such as this spike in bandwidth usage. Analyzing such patterns makes AI able to prevent Distributed Denial-of-Service (DDoS) attacks. Besides, the use of AI in access control guarantees that only nominated gadgets connect to the network, making the organization less vulnerable.

****Enhancing Endpoint Protection****

Attackers often use endpoints like laptops, phones, and IoT devices. AI recognizes and microscopically halts threats, preventing such compromises.

Instead, an AI-powered antivirus will see the behaviour of a file rather than just relying on a signature database. This approach guarantees the detection of even new or modified malware. Additionally, through surveillance of user behaviour, and anomalies such as abnormal data downloads, AI ensures an additional security blanket against insider threats.

****Coordinating Incident Responses With AI****

Quick response is crucial when there is a breach. AI allows for better incident management, automating key incidents and leading to faster recovery time. This results in identifying the root cause and neutralizing threats to mitigate damage.

It also helps security teams provide actionable insights with AI. It can simulate what attack paths could be and allows teams to proactively patch vulnerabilities. Being this ready means companies can bounce back quickly and keep operating without losing much time.

****Ethical Concerns and Limitations of AI****

While AI has many benefits, it’s not trouble-free. A very good solution is the usage of machine learning, however ethical considerations, for example in the form of potential bias of the algorithms, can hinder its usage. An example is an AI system trained on biased data that may miss out on threats making organisations vulnerable.

In addition, human oversight may decrease because of over-dependence on automation. Finding a balance between AI manpower and human intervention is something important. With these concepts addressed, AI continues to be a viable position tool in cyber security.

****The Future of AI in Cyber Defense****

As technology develops, AI will assume more and more of a role in cybersecurity. Innovations that are emerging, such as federated learning will make AI systems even more secure and effective. These technologies will work to strengthen interactions between these organizations, putting up more formidable bulwarks against cyber threats.

Ahead, it is important for organizations to invest in AI-powered tools while keeping human expertise intact. A combination of technology and human insight will make our security strong against future next-generation cyber risks.

****Summary****

Cyber defence is being revolutionized by AI, which allows for both real-time threat detection and adaptive protection, as well as a quick response to attacks. Organizations can protect data better, improve security processes, and get ahead of changing risks by integrating AI tools.

Improved detection accuracy and proactive defences work together, and compatibility with tools you may already employ, such as two-factor authentication. As AI remains continuously advancing, the systems stay effective and ethical.

When you combine AI and human expertise, you get strong protection able to handle the cyber challenges you face now and will face in the future and also secure a resilient digital future.

1.  **Key Features Of Threat Intelligence Platforms**
2.  **A Step-by-Step Guide to How Threat Hunting Works**
3.  **ANY.RUN Upgrades Threat Intelligence to Identify Threats**
4.  **Criminal IP and Maltego Expand Threat Intelligence Search**
5.  **Leveraging AI for Enhanced Threat Detection and Prevention**

Harnessing AI for Proactive Threat Intelligence and Advanced Cyber Defense

A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.
The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.

Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

New security regulations are more than compliance hurdles — they're opportunities to build better products, restore trust, and lead the next chapter of innovation.

Source: Panom Bounak via Alamy Stock Photo

COMMENTARY

The regulatory clock is ticking on the Internet of Things (IoT). In October, European lawmakers officially adopted the Cyber Resilience Act, ushering in much-needed security thresholds for connected devices across the region. Meanwhile, United Kingdom makers are already navigating world-first device security and privacy rules, and the United States is preparing to launch its Cyber Trust Mark.

It's about time. For too long, default passwords and weak authentication practices were accepted as the status quo in connected devices, wreaking post-pandemic botnet and hacker havoc. But now, amid the rapid rise of endpoints powering the smart home and office, governments are finally taking a stand and setting standards.

For manufacturers, this regulatory reckoning is unavoidable across the world's most lucrative markets, forcing them to get up to code or fall behind. What's clear is the sooner companies evolve, the better the outcome for troubleshooting, performance, and users. Let's explore the urgency and opportunity for connected device creators heading into 2025.

**Profits Over Protection**

Device makers haven't done themselves any favors over the past few years. Many are cutting corners and abandoning cybersecurity cornerstones in a race to the lowest price. Default passwords, non-existent software updates, and zero vulnerability testing are creating bigger attack vectors ripe for exploitation. Botnets, for example, are booming, with botnet-driven distributed denial-of-service (DDoS) devices increasing by five times in the past year. Even more concerning? Device numbers will double over the next 10 years, to more than 40 billion worldwide, quadrupling the pre-pandemic figure. Something's got to give, and governments know it.

Europe, in the footsteps of the General Data Protection Regulation (GDPR), is again leading the tech regulation charge. The Cyber Resilience Act is the most comprehensive suite of coming changes, with an obligation for manufacturers to protect their Internet-connected products from unauthorized access throughout their life cycle. This demands products without known exploitable vulnerabilities — a tall order requiring design, development, and production that ensures an appropriate security level at all times.

Meanwhile, the UK's Product Security and Telecommunications Infrastructure Act tackles many of the same themes but with a lower bar to clear. Passed in April, the act requires minimum security update periods (rather than lifetime) and mandatory security issue reporting back to consumers. The best part of this act is the ruling on passwords — devices must either have a randomized password or generate a unique one during initialization. This is a great step that goes a long way to stopping hackers from accessing smart devices, infecting local networks, and creating botnets.

Finally, the US is betting on market forces. The Cyber Trust Mark, similar to Energy Star, offers voluntary certification for products meeting "robust" security standards. The hope? Consumer choice will drive industry change. One thing is evident across markets: Governments are taking this threat seriously and acting accordingly. It's now up to makers to meet the moment and move in kind.

**Move Now or Move Aside**

My advice to connected device makers? Prepare now. If you want access to the world's largest markets (and I suspect you do), there's only a short window to get up to code. Sure, Europe's act is now in a three-year transition before taking full effect, but getting this right demands investment, time, and troubleshooting. These are big hurdles, and 2027 isn't far away.

This is something we learned from the GDPR. The new rules didn't just require writing a report — they demanded system adjustments and subsequent costs. On average, firms spent more than €1 million ($1.06 million) on readiness initiatives, but justified the investment by retaining access to the bloc and avoiding business-threatening fines (not to mention better protecting consumer data).

So, what does this say to device makers? Simple — start getting up to standard now with best practice authentication, encryption, and communication. Make sure security updates are part of your product planning, reconsider your approach to passwords, and implement consistent testing, patching, and reporting. Yes, this takes valuable resources, but the payoff is clear — better products, stronger security, and lasting consumer trust.

**This Is Beyond Compliance**

I'm relieved to see these regulations come into force. Device makers have lacked respect for their creations, consumers, and — frankly — themselves for several years. The rise of cheap and lazy products isn't an accurate reflection of IoT ingenuity. Sincerely, I hope these regulations weed out the bad apples, set an acceptable bar of baseline requirements, and give confidence back to consumers and enterprises.

Device makers, it's now up to you. Don't just treat these new regulations as mere compliance hurdles, but seize them as opportunities to build better products, restore trust, and lead the next chapter of our sector's innovation.

**About the Author**

CEO & Founder, Nabto

Carsten Rhod Gregersen is an IoT expert with more than two decades in software and innovation. Carsten is the founder of Nabto, the platform providing peer-to-peer communications for connected devices. His areas of expertise span critical domains including cybersecurity, technology regulation, and the impact of IoT.

IoT's Regulatory Reckoning Is Overdue

The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

Source: Panther Media via Alamy Stock Photo

COMMENTARY

The Middle East is undergoing a digital transformation that is as rapid as it is remarkable. Tech multinationals are investing big in the region as Dubai, Riyadh, and Abu Dhabi strive to establish themselves as global innovation hubs.   

But this increased digitization comes with an increased risk of cyberattacks — and businesses throughout the Middle East are at risk of being caught with their guard down.

The pace of digital growth in countries throughout the Middle East has far outstripped cybersecurity talent in the region, leaving organizations fatally exposed. While some businesses resort to outsourcing their cybersecurity measures to tech giants and their tools, this hands-off approach is risk-prone.

The Middle East now sits squarely in the firing line. With cyberattacks emboldened by AI, robust cybersecurity defenses are more crucial than ever. Businesses must move away from outsourcing and focus on building strong in-house defenses by investing in tool-based approaches and heavily leveraging in-house hiring, upskilling, and talent retention practices.

**Victims of Their Own Success?**

The commercial success of locations like Dubai, Abu Dhabi, and Saudi Arabia has transformed them into potential hotbeds for cybercrime. Distributed denial-of-service (DDoS) attacks on Middle Eastern countries have risen 75% in the past year, with the UAE and Saudi Arabia taking the brunt of the blow. 

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The UAE alone falls victim to around 50,000 cyberattacks a day. And it comes at a cost: in 2023, cyberattacks cost businesses, organizations, and public bodies more than $8 million per incident.

The uptick in cyberattacks is only exacerbated by changing patterns in the cybercrime landscape. The rise of AI has lowered the barrier to entry for would-be hackers, allowing those with even the most novice skills to carry out a full-scale attack. Meanwhile, the proliferation of cybercrime as a service (CaaS), offering services like DDoS-for-hire, means threat actors now need little more than an intention to launch a cyberattack. In this new era of cybercrime, where there's a will, there's a way.

The current cybersecurity skills gap seen throughout the Middle East is leaving companies exposed and vulnerable to bad actors. Over half the companies in the EMEA region have attributed cybersecurity breaches to a lack of skills and training, while 70% of business leaders believe that skills shortages create a whole host of additional cybersecurity risks for companies to address.

**AI Muddles Outsourced Security Equation**

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Too many businesses attempt to remedy this lack of talent by outsourcing their cybersecurity to third parties. While this might have been effective when countries like the US were the main target for threat actors, that's no longer the case.   

The rise of AI-enhanced cyberattacks presents a new host of threats that businesses outsourcing cybersecurity won't necessarily be able to tackle. Not only has AI made it easier for threat actors to carry out cyberattacks, it's also made the attacks themselves more sophisticated and more malicious.

AI-enhanced malware is stealthier, making it harder to detect a breach of IT infrastructure. Automated phishing attacks enable bad actors to target a larger number of potential victims, while the phishing attacks themselves are highly tailored to their targets.

It is crucial that Middle Eastern businesses — particularly those in the UAE and Saudi Arabia — are on top of their cybersecurity measures. They cannot sit back and outsource cybersecurity with the assumption that the risk is also transferred. Instead, they must take an active approach to their cybersecurity measures by building up a strong in-house cybersecurity team that can identify, respond to, and deal with threats in an effective and timely manner. 

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Bringing cybersecurity in-house mitigates the risks that can crop up when relying on outsourced defenses, such as slow response times. Instead, in-house cybersecurity teams will have their fingers on the pulse of the business's security framework, as well as a thorough understanding of business specifics, enabling them to react quickly to threats.

But to achieve this, businesses must invest heavily in new and pre-existing IT talent to close the Middle East's skills gap — and this should be done with a particular focus on hiring and retention practices.

**Retention Is Tough in Smaller Talent Pool**

Over half of organizations globally say they struggle to recruit candidates with cybersecurity experience. Difficulties in hiring cybersecurity talent are compounded by trouble retaining cybersecurity staff, throwing employers into a vicious cycle of hiring and re-hiring. In the Middle East, where the digital economy is still young, this is of particular concern — the talent pool is finite, and companies cannot afford to lose out on promising employees.   

To combat this, corporations in the Middle East should turn their attention to the fresh talent coming out of universities throughout the Middle East and around the world. By forming partnerships with universities and offering attractive graduate schemes, businesses can tap into dense talent pools brimming with promising cybersecurity talent.

Graduates are eager to learn and willing to mold to the company ethos, making them the ideal choice for corporations looking to build up a dedicated in-house cybersecurity team.

Investing in apprenticeship schemes is another option for companies. Although more hands-on, companies will be able to train candidates from the ground up, ensuring the candidate's skills and knowledge are strongly aligned with the business's cybersecurity needs.

**Learning & Development Must Be Fostered**

Retaining this talent is just as crucial as bringing them on board in the first place.  Alongside the usual retention tactics, such as competitive pay packets and desirable benefits, companies must invest heavily in continuous learning and development (L&D) opportunities throughout the employee's career.  

Poor training — or a lack of training altogether — is a surefire way to lose employees. Conversely, 94% of employees say they would stay longer with an employer that invested in L&D. In a fast-changing, continually developing industry like cybersecurity, L&D is especially vital.

Investing in training sessions and development courses for cybersecurity employees will ensure they're kept up to date with any changes in the threat and security landscape. And, in the process, employees will feel as if the company is giving them opportunities to develop their skills and abilities, rounding them out into highly experienced cybersecurity professionals.

Investing in staff as a cybersecurity tactic shouldn't begin and end with cybersecurity staff. Deploying a company-wide cybersecurity upskilling program is a vital first step — and a simple way of ruling out one of the greatest causes behind cybersecurity breaches: human error. Negligence, a lack of awareness, or simple mistakes can lead to vulnerabilities and breaches, even in the most robust systems. Upskilling is a vital step companies must take to mitigate this risk.

With the rising rate of cyberattacks in the Middle East, corporations cannot afford to sit back and wait until they become the next big victim of a data breach or DDoS attack.

Companies can't rely solely on third-party cybersecurity measures — they must build up comprehensive in-house defenses. Businesses need to act now and double their investments in cybersecurity talent, paying particular mind to up-and-coming graduate talent.

**About the Author**

Founder, PG Advisors Ltd.

Partha Gopalakrishnan is a leading business transformation expert with more than 25 years of experience directing global teams to drive digital growth. He also has his own firm, PG Advisors, which offers board advisory and non-executive director services for prominent analysts and PE Firms. 

Partha has served in executive leadership positions with some of the world’s largest technology firms and global systems Integrators, including 17 years with Infosys, followed by a tenure at Tech Mahindra. He has completed executive education programs at the Stanford University Graduate School of Business and The Wharton School of the University of Pennsylvania.

Cybersecurity Lags in Middle East Business Development

From "spying" air fryers to 3 million rogue toothbrushes, here are the strangest stories about internet-connected home goods in 2024.

The holidays are upon us, which means now is the perfect time for gratitude, warmth, and—because modern society has thrust it upon us—gift buying.

It’s Bluey and dig kits and LEGOs for kids, Fortnite and AirPods and backpacks for tweens, and, for an adult you particularly love, it’s televisions, air fryers, e-readers, vacuums, dog-feeders, and more, which all seemingly require a mobile app to function.

“The Internet of Things” is the now-accepted term to describe countless home products that connect to the internet so that they can be controlled and monitored from a mobile app or from a web browser on your computer. The benefits are obvious for shoppers. Thermostats can be turned off during vacation, home doorbells can be answered while at work, and gaming consoles can download videogames as children sleep on Christmas Eve.

And while some of these internet-connected smart devices can sound a little dumb—cue the $400 “smart juicer” that a Bloomberg reporter outperformed with her bare hands—there are legitimate cybersecurity risks at hand. Capable of collecting data and connecting to the internet, smart devices can also fall victim to leaking that data to hackers online.

As we enter the new year, Malwarebytes Labs is looking back at some of the strangest, scariest, and most dumbfounding smart device stories this past year. Read on and enjoy.

****The million-car track hack****

The latest vehicles filling up the local car lot might not strike you as “smart devices,” but upon closer inspection, these cars, SUVs, trucks, and minivans absolutely are. Replete with cameras and sensors that can track location, speed, distance travelled, seatbelt use, and even a driver’s eye movements, modern vehicles are, as many have described them, “smartphones on wheels.”

For years, the cybersecurity of these particularly mobile mobiles (sorry) was passable.

When a group of security researchers hacked into a Jeep Cherokee’s steering and braking systems in 2014, they were building off earlier research that required the hacker’s laptop to be physically connected to the Jeep itself—a comforting reality when imagining shadowy cybercriminals wresting control from a driver while sat behind a computer console hundreds of miles away. And while the security researchers were able to eventually hack the Jeep Cherokee without a physical connection, the work involved was still robust.

But early this year, a separate group of security researchers revealed that they could remotely lock, unlock, start, turn off, and geolocate more than a million Kia vehicles by knowing nothing more than the vehicle’s license plate number. The researchers could also activate a vehicle’s horn, lights, and camera.

The vulnerability wasn’t in the vehicles themselves, but in Kia’s online infrastructure (Kia fixed the vulnerability before the researchers published their findings).

In short, the researchers posed as Kia _dealers_ when using an online Kia web portal and, by entering the Vehicle Identification Number—which could be revealed separately through license plate numbers—they could assign certain features like remote start and geolocation to a new account, which the security researchers controlled.

While the vulnerability did not provide access to any of the vehicles’ steering systems or acceleration or braking, it still posed an enormous privacy and security risk, said researcher Sam Curry in speaking to the outlet Wired:

> “If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car. If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.”

****Whispering sweet nothings into your air fryer****

There’s a modern urban legend that our smartphones listen to our in-person conversations to deliver eerily relevant ads, and while there’s no proof this is true, there are certainly a few stories that raise nearby suspicions.

Take, for instance, the case of the nosy air fryers.

On November 5, a UK consumer rights group named “Which?” published research into several categories of smart devices—TVs, smart watches, etc.—and what they discovered about three models of air fryers surprised many.

In testing the Xiaomi Mi Smart Air Fryer, the Cosori CAF-LI401S, and the self-titled Aigostar, the researchers discovered that the associated air fryer mobile apps for Android requested a startling amount of information:

> “\[As\] well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason.”

The connected app for the Xiaomi air fryer “connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user).” When creating an account for the Aigostar air fryer, the connected app asked users to divulge their gender and date of birth, without stating why that was necessary. The request, however, could be declined. The Aigostar app, like the Xiaomi app, sent personal data to servers in China, but this data sharing practice was clarified in the companies’ privacy policies, the researchers wrote.

The companies in the report pushed back on the characterizations from Which?, with a Xiaomi representative clarifying that “the permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat.” A representative for Cosori expressed frustration that the researchers at Which? did not share “specific test reports” with the company, as well.

The truth, then, may be somewhere in the middle. The air fryer mobile apps in question may request more information than necessary to function, but that could also be because the apps are trying to service the needs of many different types of products all at once.

****A toothbrush tall tale****

Let’s play a game of telephone: A Swiss newspaper interviews a cybersecurity expert about a _hypothetical_ cyberattack and, days later, dozens of news outlets report that hypothetical as the truth.

This story did happen, and it would be far more disturbing if it wasn’t also tinged with a hint of humor, and that’s because the tall-tale-turned-“truth” involved a massive cyberattack launched by… toothbrushes.

In February, a Swiss newspaper article included an anecdote about a “Distributed Denial-of-Service” attack, or DDoS attack. DDoS attacks involve sending loads of connection requests (like regular internet traffic) to a certain webpage as a way to briefly overwhelm that web page and take it down. But the interesting thing about DDoS attacks is that they don’t require a laptop or a smartphone to make those requests—all they need is a device that can connect to the internet.

In the Swiss newspaper’s account, those devices were 3 million toothbrushes. Translated from the article’s original language in German, it read:

> “She’s at home in the bathroom, but she’s part of a large-scale cyberattack. The electric toothbrush is programmed with Java, and criminals have, unnoticed, installed malware on it—like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.”

The article, which noted that the whole scenario could’ve been ripped out of “Hollywood,” contextualized why the attack was so scary: It “actually happened.”

But it most assuredly had not.

The article had no details about the attack, so there was no company named, no toothbrush model specified, and no response from any organization. But none of that mattered as countless news outlets aggregated the original article, because what _did_ matter was the virality of the whole affair. There was a device that seemingly everyone agreed had no reason to connect to the internet, and—would you look at that—it led to major consequences.

In reality, the consequences were to the truth.

This holiday season, let’s do better than the silliest, most needless IoT devices, and let’s connect to what matters instead.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#ddos