These types of "long-lived" credentials pose a risk for users across all major cloud service providers, and must meet their very timely ends, researchers say.

Source: Artur Marciniec via Alamy Stock Photo

Almost half of organizations have users with "long-lived" credentials in cloud services, making them more likely to be victimized in a data breach.

Long-lived credentials are authentication tokens or keys in the cloud that remain for a long period of time — sometimes valid and sometimes not — ultimately causing major data breaches where attackers have a lengthy open window to compromise credentials.

In Datadog's 2024 "State of Cloud Security" report, the researchers found that long-lived credentials are a widespread issue across all major cloud services, including Google Cloud, Amazon Web Services (AWS), and Microsoft Entra. Not just that, but many of these are even unused, and often are leaked in source code, where they can open access to images and build logs and application artifacts, never expiring and becoming major security risks. 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications have an access key older than one year, the researchers found.

Ultimately, organizations struggle to manage these types of credentials, especially at scale, so the researchers at Datadog recommend that long-lived credentials be avoided altogether in order to mitigate this issue. 

"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog. "To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use."

**About the Author**

Unmanaged Cloud Credentials Pose Risk to Half of Orgs

Immigration and Customs Enforcement's contract with Paragon Solutions faces scrutiny over whether it complies with the Biden administration's executive order on spyware, WIRED has learned.

A $2 million contract that United States Immigration and Customs Enforcement signed with Israeli commercial spyware vendor Paragon Solutions has been paused and placed under compliance review, WIRED has learned.

The White House’s scrutiny of the contract marks the first test of the Biden administration’s executive order restricting the government’s use of spyware.

The one-year contract between Paragon’s US subsidiary in Chantilly, Virginia, and ICE’s Homeland Security Investigations (HSI) Division 3 was signed on September 27 and first reported by WIRED on October 1. A few days later, on October 8, HSI issued a stop-work order for the award “to review and verify compliance with Executive Order 14093,” a Department of Homeland Security spokesperson tells WIRED.

The executive order signed by President Joe Biden in March 2023 aims to restrict the US government’s use of commercial spyware technology while promoting its “responsible use” that aligns with the protection of human rights.

DHS did not confirm whether the contract, which says it covers a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training,” includes the deployment of Paragon’s flagship product, Graphite, a powerful spyware tool that reportedly extracts data primarily from cloud backups.

“We immediately engaged the leadership at DHS and worked very collaboratively together to understand exactly what was put in place, what the scope of this contract was, and whether or not it adhered to the procedures and requirements of the executive order,” a senior US administration official with first-hand knowledge of the workings of the executive order tells WIRED. The official requested anonymity to speak candidly about the White House’s review of the ICE contract.

Paragon Solutions did not respond to WIRED's request to comment on the contract's review.

The process laid out in the executive order requires a robust review of the due diligence regarding both the vendor and the tool, to see whether any concerns, such as counterintelligence, security, and improper use risks, arise. It also stipulates that an agency may not make operational use of the commercial spyware until at least seven days after providing this information to the White House or until the president's national security adviser consents.

“Ultimately, there will have to be a determination made by the leadership of the department. The outcome may be—based on the information and the facts that we have—that this particular vendor and tool does not spur a violation of the requirements in the executive order,” the senior official says.

While publicly available details of ICE’s contract with Paragon are relatively sparse, its existence alone raised alarms among civil liberties groups, with the nonprofit watchdog Human Rights Watch saying in a statement that “giving ICE access to spyware risks exacerbating” the department’s problematic practices. HRW also questioned what it calls the Biden administration’s “piecemeal approach” to spyware regulation.

The level of seriousness with which the US government approaches the compliance review of the Paragon contract will influence international trust in the executive order, experts say.

“We know the dangers mercenary spyware poses when sold to dictatorships, but there is also plenty of evidence of harms in democracies,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has been instrumental in exposing spyware-related abuses. “This is why oversight, transparency, and accountability around any US agency attempt to acquire these tools is essential.”

International efforts to rein in commercial spyware are gathering pace. On October 11, during the 57th session of the Human Rights Council, United Nation member states reached a consensus to adopt language acknowledging the threat that the misuse of commercial spyware poses to democratic values, as well as the protection of human rights and fundamental freedoms. “This is an important norm setting, especially for countries who claim to be democracies,” says Natalia Krapiva, senior tech-legal counsel at international nonprofit Access Now.

Although the US is leading global efforts to combat spyware through its executive order, trade and visa restrictions, and sanctions, the European Union has been more lenient. Only 11 of the 27 EU member states have joined the US-led initiative stipulated in the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” which now counts 21 signatories, including Australia, Canada, Costa Rica, Japan, and South Korea.

“An unregulated market is both a threat to the citizens of those countries, but also to those governments, and I think that increasingly our hope is that there is a recognition \[in the EU\] of that as well,” the senior US administration official tells WIRED.

The European Commission published on October 16 new guidelines on the export of cyber-surveillance items, including spyware; however, it has yet to respond to the EU Parliament's call to draft a legislative proposal or admonish countries for their misuse of the technology.

While Poland launched an inquiry into the previous government’s spyware use earlier this year, a probe in Spain over the use of spyware against Spanish politicians has so far led to no accusations against those involved, and one in Greece has cleared government agencies of any wrongdoing.

“Europe is in the midst of a mercenary spyware crisis,” says Scott-Railton. “I have looked on with puzzled wonderment as European institutions and governments fail to address this issue at scale, even though there are domestic and export-related international issues.”

With the executive order, the US focuses on its national security and foreign policy interests in the deployment of the technology in accordance with human rights and the rule of law, as well as mitigating counterintelligence risks (e.g. the targeting of US officials). Europe—though it acknowledges the foreign policy dimension—has so far primarily concentrated on human rights considerations rather than counterintelligence and national security threats.

Such a threat became apparent in August, when Google’s Threat Analysis Group (TAG) found that Russian government hackers were using exploits made by spyware companies NSO Group and Intellexa.

Meanwhile, Access Now and Citizen Lab speculated in May that Estonia may have been behind the hacking of exiled Russian journalists, dissidents, and others with NSO Group’s Pegasus spyware.

“In an attempt to protect themselves from Russia, some European countries are using the same tools against the same people that Russia is targeting,” says Access Now’s Krapiva. “By having easier access to this kind of vulnerabilities, because they are then sold on the black market, Russia is able to purchase them in the end.”

“It’s a huge mess,” she adds. “By attempting to protect national security, they actually undermine it in many ways.”

Citizen Lab’s Scott-Railton believes these developments should raise concern among European decisionmakers just as they have for their US counterparts, who emphasized the national security aspect in the executive order.

“What is it going to take for European heads of state to recognize they have a national security threat from this technology?” Scott-Railton says. “Until they recognize the twin human rights and national security threats, the way the US has, they are going to be at a tremendous security disadvantage.”

ICE's $2 Million Contract With a Spyware Vendor Is Under White House Review

The emergence of novel anti-detection kits for sale on the Dark Web limit the effectiveness of a Chrome browser feature that warns users that they have reached a phishing page.

Source: Rawpixel via Shutterstock

Cybercriminals have found a new way to get around what has been an effective deterrent to phishing attacks, with novel anti-bot services sold on the Dark Web that allow them to bypass the protective "Red Page" warning in Google Chrome that alerts users to potential fraud.

The anti-bot services aim to prevent security crawlers from identifying phishing pages and blocklisting them by filtering out cybersecurity bots and disguising phishing pages from Google scanners, according to new research published today by SlashNext.

They do this by rendering ineffective the Red Page, a feature of Google Safe Browsing — which itself is a feature of Chromium-based browsers and other Google services — that aims to protect users from harmful websites by warning them of potential dangers, such as phishing attempts. The page is so-named because it is displayed in red and provides a warning that a site to which someone is navigating may be deceptive, advising them to avoid it.

In doing so, the warning can "severely" limit "the potential success of phishing attacks," according to the post, providing "a massive hurdle" to threat campaigns. That's because these campaigns rely on high click-through rates, which is significantly lowered when Google's detection flags a phishing page and adds it to a blocklist.

Now various anti-bot services found on the Dark Web, such as Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, "threaten to undermine this line of defense, potentially exposing more users to sophisticated phishing attempts," according to the post.

**How Anti-Bot Services Work**

Though each service has its own unique features, they are all based on a combination of several techniques that allow malicious content to bypass Google's Red Page feature. Most rely on bot detection mechanisms that analyze user-agent strings and IP addresses to filter known security bot traffic that would otherwise be blocked, according to SlashNext.

"Public lists of cybersecurity crawlers are widely available (for example, Shodan), making it easy to filter known security bot traffic," according to the post. "Once an IP address or user-agent is flagged as a security crawler, it is blocked, ensuring the page remains accessible to real users but hidden from cybersecurity entities."

The services also use cloaking techniques such as context-switching or JavaScript obfuscation to serve different content based on the visitor’s profile. These techniques effectively redirect security crawlers to benign content while directing a user to a phishing page.

Another common feature of the anti-bot services is to introduce CAPTCHA or challenge pages to filter out automated scanners that typically would analyze a webpage for malicious content. "Since most bots cannot solve CAPTCHAs, this technique effectively blocks them while allowing real users through," according to the post.

Some anti-bot services might even introduce a time delay, which further confuses security bots by making them "time out" before they can scan the page and thus warn users of a potential security threat.

They also can bypass the Google Red Page by delivering region-specific content and blocking foreign traffic, according to SlashNext. For example, if a phishing campaign is targeting a Korean bank, the service might allow only Korean traffic to visit the site while blocking foreign IP addresses, the researchers noted. Moreover, these methods can get extremely specific in terms of geography, even narrowing campaigns down to the city level, which would prevent international cybersecurity services from detecting the page entirely, according to the post.

**Not Completely Foolproof**

While these anti-bot services can significantly reduce the scope of Google Red Page, they do have their limitations, the researchers noted. The malicious services work best in less sophisticated phishing campaigns because they can identify and block known crawlers in the user-agent string — where many security vendors declare their bots and crawlers, the researchers noted.

"This allows cybercriminals to filter out bot traffic, prolonging the lifespan of phishing campaigns," according to the post. However, in more sophisticated phishing operations, manual analysis by analysts will eventually detect the page, leading to its inclusion on blocklists.

Still, anything that can limit the detection of phishing by end users is a threat to the overall security, not just of individuals but also enterprises. That's because despite being one of the oldest forms of cybercrime, phishing is still one of the primary ways attackers gain initial entry onto corporate networks to perform other types of malicious activities, such as ransomware attacks.

Moreover, the rise in the availability of phishing kits that make it easy for attackers to create campaigns, the growing sophistication of phishing tactics and now the emergence of anti-bot services make detection by individuals and defenders more complex.

The best defense against the use of anti-bot services to bypass Google Red Page is to use security platforms that can detect threats in real-time across email, mobile, and messaging apps with as much accuracy as possible, according to SlashNext. Aforementioned manual analysis of phishing pages and the subsequent addition of malicious sites to blocklists also can prevent these services from being effective.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Cybersecurity / Weekly Recap

Hi there! Here's your quick update on the latest in cybersecurity.

Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.

Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date.

In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe.

Let's get started!

****⚡ Threat of the Week****

**China Calls Volt Typhoon an Invention of the U.S.:** China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a "large-scale global internet surveillance network."

****‎️‍Trending CVEs****

CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164

****🔔 Top News****

*   **Apple macOS Flaw Bypasses Privacy Controls in Safari Browser:** Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
*   **Legitimate Red Team Tool Abuse in Real-World Attacks:** Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
*   **TrickMo Can Now Steal Android PINs:** Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device's unlock pattern or PIN by presenting to victims' a bogus web page that mimics the device's actual unlock screen.
*   **FIDO Alliance Debuts New Specs for Passkey Transfer:** One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it's impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
*   **Hijack Loader Uses Legitimate Code-Signing Certificates:** Malware campaigns are now leveraging a loader family called Hijack Loader that's signed legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

****📰 Around the Cyber World****

*   **Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days:** Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
*   **87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113:** About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
*   **Researchers Outline Early Cascade Injection:** Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction."
*   **ESET Israeli Partner Breached to Deliver Wiper Malware:** In a new campaign, threat actors infiltrated cybersecurity company ESET's partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding it was not compromised as a result of the incident.
*   **Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges:** Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it's focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it's using Chrome's accessibility APIs to find security bugs. "We're now 'fuzzing' that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash," Chrome's Adrian Taylor said.

**Cybersecurity Resources & Insights****LIVE Webinars**

**1.** **DSPM Decoded: Learn How Global-e Transformed Their Data Defense**: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this can't-miss webinar, Global-e's CISO breaks down:

*   The exact steps that transformed their data security overnight
*   Insider tricks to implement DSPM with minimal disruption
*   The roadmap that slashed security incidents by 70%

**2.** **Identity Theft 2.0: Defending Against LUCR-3's Advanced Attacks**: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?

Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he:

*   Decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets
*   Unveils the Achilles' heel in your cloud defenses you never knew existed
*   Arms you with the counterpunch that leaves LUCR-3 reeling

This isn't a webinar. It's your war room strategy session against the internet's most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3's next trophy.

**Cybersecurity Tools**

*   **Vulnhuntr****: AI-Powered Open-Source Bug Hunting Tool —** What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.

**Tip of the Week**

**Secure Your Accounts with Hardware Security Key:** For advanced protection, hardware security keys like YubiKey are a game-changer. But here's how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you're never locked out, even if one key is lost. Also, enable "FIDO2/WebAuthn" protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It's security that's physical, smart, and almost foolproof.

****Conclusion****

That's the roundup for this week's cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don't forget, cybersecurity isn't just for the IT team; it's everyone's responsibility. We'll be back next week with more insights and tips to help you stay ahead of the curve.

Stay vigilant, and we'll see you next Monday!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

Donald Trump's opposition to “woke” safety standards for artificial intelligence would likely mean the dismantling of regulations that protect Americans from misinformation, discrimination, and worse.

If Donald Trump wins the US presidential election in November, the guardrails could come off of artificial intelligence development, even as the dangers of defective AI models grow increasingly serious.

Trump’s election to a second term would dramatically reshape—and possibly cripple—efforts to protect Americans from the many dangers of poorly designed artificial intelligence, including misinformation, discrimination, and the poisoning of algorithms used in technology like autonomous vehicles.

The federal government has begun overseeing and advising AI companies under an executive order that President Joe Biden issued in October 2023. But Trump has vowed to repeal that order, with the Republican Party platform saying it “hinders AI innovation” and “imposes Radical Leftwing ideas” on AI development.

Trump’s promise has thrilled critics of the executive order who see it as illegal, dangerous, and an impediment to America’s digital arms race with China. Those critics include many of Trump’s closest allies, from X CEO Elon Musk and venture capitalist Marc Andreessen to Republican members of Congress and nearly two dozen GOP state attorneys general. Trump’s running mate, Ohio senator JD Vance, is staunchly opposed to AI regulation.

“Republicans don't want to rush to overregulate this industry,” says Jacob Helberg, a tech executive and AI enthusiast who has been dubbed “Silicon Valley’s Trump whisperer.”

But tech and cyber experts warn that eliminating the EO’s safety and security provisions would undermine the trustworthiness of AI models that are increasingly creeping into all aspects of American life, from transportation and medicine to employment and surveillance.

The upcoming presidential election, in other words, could help determine whether AI becomes an unparalleled tool of productivity or an uncontrollable agent of chaos.

**Oversight and Advice, Hand in Hand**

Biden’s order addresses everything from using AI to improve veterans’ health care to setting safeguards for AI’s use in drug discovery. But most of the political controversy over the EO stems from two provisions in the section dealing with digital security risks and real-world safety impacts.

One provision requires owners of powerful AI models to report to the government about how they’re training the models and protecting them from tampering and theft, including by providing the results of “red-team tests” designed to find vulnerabilities in AI systems by simulating attacks. The other provision directs the Commerce Department’s National Institute of Standards and Technology (NIST) to produce guidance that helps companies develop AI models that are safe from cyberattacks and free of biases.

Work on these projects is well underway. The government has proposed quarterly reporting requirements for AI developers, and NIST has released AI guidance documents on risk management, secure software development, synthetic content watermarking, and preventing model abuse, in addition to launching multiple initiatives to promote model testing.

Supporters of these efforts say they’re essential to maintaining basic government oversight of the rapidly expanding AI industry and nudging developers toward better security. But to conservative critics, the reporting requirement is illegal government overreach that will crush AI innovation and expose developers’ trade secrets, while the NIST guidance is a liberal ploy to infect AI with far-left notions about disinformation and bias that amount to censorship of conservative speech.

At a rally in Cedar Rapids, Iowa, last December, Trump took aim at Biden’s EO after alleging without evidence that the Biden administration had already used AI for nefarious purposes.

“When I’m reelected,” he said, “I will cancel Biden’s artificial intelligence executive order and ban the use of AI to censor the speech of American citizens on Day One.”

**Due Diligence or Undue Burden?**

Biden’s effort to collect information about how companies are developing, testing, and protecting their AI models sparked an uproar on Capitol Hill almost as soon as it debuted.

Congressional Republicans seized on the fact that Biden justified the new requirement by invoking the 1950 Defense Production Act, a wartime measure that lets the government direct private-sector activities to ensure a reliable supply of goods and services. GOP lawmakers called Biden’s move inappropriate, illegal, and unnecessary.

Conservatives have also blasted the reporting requirement as a burden on the private sector. The provision “could scare away would-be innovators and impede more ChatGPT-type breakthroughs,” Representative Nancy Mace said during a March hearing she chaired on “White House overreach on AI.”

Helberg says a burdensome requirement would benefit established companies and hurt startups. He also says Silicon Valley critics fear the requirements “are a stepping stone” to a licensing regime in which developers must receive government permission to test models.

Steve DelBianco, the CEO of the conservative tech group NetChoice, says the requirement to report red-team test results amounts to de facto censorship, given that the government will be looking for problems like bias and disinformation. “I am completely worried about a left-of-center administration … whose red-teaming tests will cause AI to constrain what it generates for fear of triggering these concerns,” he says.

Conservatives argue that any regulation that stifles AI innovation will cost the US dearly in the technology competition with China.

“They are so aggressive, and they have made dominating AI a core North Star of their strategy for how to fight and win wars,” Helberg says. “The gap between our capabilities and the Chinese keeps shrinking with every passing year.”

**“Woke” Safety Standards**

By including social harms in its AI security guidelines, NIST has outraged conservatives and set off another front in the culture war over content moderation and free speech.

Republicans decry the NIST guidance as a form of backdoor government censorship. Senator Ted Cruz recently slammed what he called NIST’s “woke AI ‘safety’ standards” for being part of a Biden administration “plan to control speech” based on “amorphous” social harms. NetChoice has warned NIST that it is exceeding its authority with quasi-regulatory guidelines that upset “the appropriate balance between transparency and free speech.”

Many conservatives flatly dismiss the idea that AI can perpetuate social harms and should be designed not to do so.

“This is a solution in search of a problem that really doesn't exist,” Helberg says. “There really hasn’t been massive evidence of issues in AI discrimination.”

Studies and investigations have repeatedly shown that AI models contain biases that perpetuate discrimination, including in hiring, policing, and health care. Research suggests that people who encounter these biases may unconsciously adopt them.

Conservatives worry more about AI companies’ overcorrections to this problem than about the problem itself. “There is a direct inverse correlation between the degree of wokeness in an AI and the AI's usefulness,” Helberg says, citing an early issue with Google’s generative AI platform.

Republicans want NIST to focus on AI’s physical safety risks, including its ability to help terrorists build bioweapons (something Biden’s EO does address). If Trump wins, his appointees will likely deemphasize government research on AI’s social harms. Helberg complains that the “enormous amount” of research on AI bias has dwarfed studies of “greater threats related to terrorism and biowarfare.”

**Defending a “Light-Touch Approach”**

AI experts and lawmakers offer robust defenses of Biden’s AI safety agenda.

These projects “enable the United States to remain on the cutting edge” of AI development “while protecting Americans from potential harms,” says Representative Ted Lieu, the Democratic cochair of the House’s AI task force.

The reporting requirements are essential for alerting the government to potentially dangerous new capabilities in increasingly powerful AI models, says a US government official who works on AI issues. The official, who requested anonymity to speak freely, points to OpenAI’s admission about its latest model’s “inconsistent refusal of requests to synthesize nerve agents.”

The official says the reporting requirement isn’t overly burdensome. They argue that, unlike AI regulations in the European Union and China, Biden’s EO reflects “a very broad, light-touch approach that continues to foster innovation.”

Nick Reese, who served as the Department of Homeland Security’s first director of emerging technology from 2019 to 2023, rejects conservative claims that the reporting requirement will jeopardize companies’ intellectual property. And he says it could actually benefit startups by encouraging them to develop “more computationally efficient,” less data-heavy AI models that fall under the reporting threshold.

AI’s power makes government oversight imperative, says Ami Fields-Meyer, who helped draft Biden’s EO as a White House tech official.

“We’re talking about companies that say they’re building the most powerful systems in the history of the world,” Fields-Meyer says. “The government’s first obligation is to protect people. ‘Trust me, we’ve got this’ is not an especially compelling argument.”

Experts praise NIST’s security guidance as a vital resource for building protections into new technology. They note that flawed AI models can produce serious social harms, including rental and lending discrimination and improper loss of government benefits.

Trump’s own first-term AI order required federal AI systems to respect civil rights, something that will require research into social harms.

The AI industry has largely welcomed Biden’s safety agenda. “What we're hearing is that it’s broadly useful to have this stuff spelled out,” the US official says. For new companies with small teams, “it expands the capacity of their folks to address these concerns.”

Rolling back Biden’s EO would send an alarming signal that “the US government is going to take a hands off approach to AI safety,” says Michael Daniel, a former presidential cyber adviser who now leads the Cyber Threat Alliance, an information sharing nonprofit.

As for competition with China, the EO’s defenders say safety rules will actually help America prevail by ensuring that US AI models work better than their Chinese rivals and are protected from Beijing’s economic espionage.

**Two Very Different Paths**

If Trump wins the White House next month, expect a sea change in how the government approaches AI safety.

Republicans want to prevent AI harms by applying “existing tort and statutory laws” as opposed to enacting broad new restrictions on the technology, Helberg says, and they favor “much greater focus on maximizing the opportunity afforded by AI, rather than overly focusing on risk mitigation.” That would likely spell doom for the reporting requirement and possibly some of the NIST guidance.

The reporting requirement could also face legal challenges now that the Supreme Court has weakened the deference that courts used to give agencies in evaluating their regulations.

And GOP pushback could even jeopardize NIST’s voluntary AI testing partnerships with leading companies. “What happens to those commitments in a new administration?” the US official asks.

This polarization around AI has frustrated technologists who worry that Trump will undermine the quest for safer models.

“Alongside the promises of AI are perils,” says Nicol Turner Lee, the director of the Brookings Institution’s Center for Technology Innovation, “and it is vital that the next president continue to ensure the safety and security of these systems.”

A Trump Win Could Unleash Dangerous AI

A list of topics we covered in the week of October 14 to October 20 of 2024

October 18, 2024 - Microsoft disclosed details about the HM Surf vulnerability that could allow an attacker to gain access to the user’s data in Safari

October 17, 2024 - Sure, you can request a deletion of your data from 23andMe, but that doesn’t mean the company will delete it entirely.

October 16, 2024 - Mozilla warns that a vulnerability in Firefox and Tor Browser is actively being exploited against both browsers

October 15, 2024 - Typical AI supported scams are after your Google account by pretending to follow up on account recovery requests

October 15, 2024 - The US presidential election is stirring fears amongst a third of people who worry that their vote could be exposed to outsiders.

 A week in security (October 14 &#8211; October 20) 

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access…

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access to sensitive data like the camera and microphone. Patch now to stay protected.

A vulnerability discovered by cybersecurity researchers at Microsoft Threat Intelligence in macOS allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, granting unauthorized access to sensitive user data.

Dubbed “HM Surf” by researchers; researchers warned that active exploitation may be taking place. The vulnerability has been assigned CVE-2024-44133.

The HM Surf vulnerability involves removing the TCC protection for the **Safari browser** directory and modifying a configuration file, enabling attackers to access users’ browsing history, camera, microphone, and location without their consent. The vulnerability is serious as it also allows attackers to gather sensitive information and use it for malicious purposes.

****How the Vulnerability Works****

The **TCC technology** prevents apps from accessing users’ personal information without their prior consent and knowledge. However, the HM Surf vulnerability exploits a weakness in the way TCC protects the Safari browser directory. By removing the TCC protection and modifying the configuration file, attackers can gain access to sensitive user data.

Microsoft’s blog post shared with Hackread.com ahead of publishing on October 18, 2024, detected “potential exploitation” activity associated with **Adload**, a prevalent macOS malware (adware) family.

The company’s behavioural monitoring protections in Microsoft Defender for Endpoint have identified suspicious activity, including anomalous modification of the Preferences file through HM Surf or other methods.

**John Bambenek**, President at Bambenek Consulting weighed in on the situation, urging users to install patches and save their data, especially their videos.

_“_In essence, this is a privilege escalation vulnerability that requires executing malicious instructions on the victim machine, which running malware could do and the most obvious risk here is to target home users to try to capture video of a victim in a compromising position for later sextortion use,_“_ John warned. _“_Security teams should update, however, it is important to have defences in place that prevent malware getting on the machines in the first place._“_

****Apple’s Response****

Apple has released a fix for the vulnerability as part of **security updates for macOS Sequoia**, which was released on September 16, 2024. The company has also introduced new APIs for App Group Containers that make System Integrity Policy (SIP) protect configuration files from being modified by an external attacker.

To protect themselves from this vulnerability, macOS users are urged to apply the security updates as soon as possible. Additionally, users should be cautious when granting permissions to apps and ensure that they only allow access to sensitive information when necessary.

****Install Patches ASAP!****

The identification, reporting, and patching of the HM Surf vulnerability highlight one key point: cross-platform threat intelligence sharing is essential for a secure cybersecurity future. Businesses and users should install the security patches released by Apple in September. For the future, it’s recommended to enable auto-updates on macOS devices so that such threats are automatically addressed with new security updates.

1.  **Apple Safari Safest, Google Chrome Riskiest Browser**
2.  **Apple Issues Device Updates to Patch Critical Vulnerability**
3.  **Hackers Could Exploit Microsoft Teams on macOS to Steal Data**
4.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple and Google**
5.  **Apple Shortcuts Vulnerability Exposes Sensitive Data, Update Now!**

“HM Surf” macOS Flaw Lets Attackers Access Camera and Mic – Patch Now!

Hackers impersonate ESET in phishing attacks targeting Israeli organizations. Malicious emails, claiming to be from ESET, deliver wiper…

Hackers impersonate ESET in phishing attacks targeting Israeli organizations. Malicious emails, claiming to be from ESET, deliver wiper malware. Security researcher Kevin Beaumont exposes the attack. ESET denies direct compromise and points to partner involvement.

In a recent cyberattack, hackers targeted Israeli organizations by impersonating the cybersecurity firm ESET. The attackers sent phishing emails impersonating Slovak-based ESET, warning recipients of state-backed hackers targeting their devices.

The emails included a link to download a non-existent “ESET Unleashed program” that claimed to counter the attack. Clicking the link downloaded a ZIP file containing **wiper malware**, designed to wipe data from the infected device.

Security researcher Kevin Beaumont raised the alarm noting that the hackers had successfully breached ESET’s defences and were hosting malicious files on their servers. The emails were flagged as dangerous by Google, but many recipients may have fallen victim to the deception. 

The email, styled as ESET Advanced Threat Defense Team, and the downloads, styled as ESET Unleashed, contain various ESET DLLs and a file called setup.exe and call out to a legitimate org in Israel-www.oref.org.il. If a victim opened the ZIP file and ran the malware, it would proceed to delete files and data from their device. However, the malware required a physical PC and time to activate its destructive capabilities.

“ESET Israel definitely got compromised, this thing is fake ransomware that talks to an Israeli news org server for whatever reason,” Beaumont wrote in his **blog post**.

ESET responded to the incident by acknowledging that a security incident had occurred at their partner company in Israel, Comsecure, denying that their own infrastructure had been compromised. The official **statement** from ESET on X (Twitter) read:

_“We are aware of a security incident which affected our partner company in Israel last week. Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation.”_

The phishing campaign specifically targeted cybersecurity personnel within Israeli organizations, suggesting that the attackers were aiming to disrupt the country’s digital defences. The emails were sent on October 8th, the day after the anniversary of Hamas’ and other Palestinian militant groups’ armed incursions into Israel. A user on the **ESET Security Forum** quickly noticed the suspicious email and reported it.

The attackers gained access to Comsecure’s infrastructure likely through a security vulnerability or social engineering techniques. They then crafted carefully designed phishing emails that closely resembled ESET’s official style and branding.

The specific threat actor behind the campaign remains unclear. However, the tactics used are similar to those employed by the **pro-Palestine group Handala**, which recently **targeted** Israeli organizations with wiper malware and other cyberattacks. Cybersecurity firm Trellix has described Handala’s attacks as sophisticated and suggested possible links to Iran.

The ESET impersonation campaign is now blocked but it highlights the ongoing threat of phishing attacks and raises concerns about the security of ESET’s partner infrastructure and the potential for future attacks. To prevent similar attacks, organizations should prioritize verifying the authenticity of messages and implement advanced security measures.

1.  **Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Facebook, Meta, Apple, Amazon Most Impersonated in Phishing Scams**
3.  **UpdateAgent malware variant impersonates legitimate macOS software**
4.  **Hackers Claim 10TB Data Breach at Russian Cybersecurity Firm Dr.Web**
5.  **Internet Crime Complaint Center Impersonated in Malware, Phishing Scam**

Hackers Use Fake ESET Emails to Target Israeli Firms with Wiper Malware

Plus: The alleged SEC X account hacker gets charged, Kroger wriggles out of a face recognition scandal, and Microsoft deals with missing customer security logs.

In what may be a first, the US Department of Justice this week charged a hacker with attempting to cause injury and death by launching distributed denial-of-service (DDoS) attacks against hospitals. Ahmed Omer and his brother Alaa are accused of carrying out a cyberattack spree that targeted hundreds of victims under the hacktivist banner Anonymous Sudan. The group’s DDoS victims included Microsoft’s Azure cloud services, OpenAI’s ChatGPT, and Israel’s missile alert system, according to prosecutors. It was the brothers’ alleged attacks on hospitals, however, that drew the most serious accusations from the Justice Department, which singled out Ahmed for allegedly seeking to kill people with the crude cyberattacks that overwhelm systems, knocking them offline.

If someone told you there’s a tool that can—using only open source information—create a “cyber profile” of you that can locate your phone in real time or place you at the scene of a crime at any date in the past, would you believe them? Canadian firm Global Intelligence claims to have created such a tool, dubbed Cybercheck, which it has sold to police departments across the US. Cybercheck-generated reports have been used to help convict at least two people of murder. However, a WIRED investigation found that Cybercheck’s reports have produced information that is either inaccurate or impossible to verify. And open source experts say some of the information Cybercheck claims to include—such as a device’s pings to a specific wireless network—would be impossible to obtain from publicly available sources.

The scourge of nonconsensual deepfake images has continued to proliferate, including on Telegram, where millions of people used “nudify” bots to “remove the clothes” of anyone—usually women and girls. A WIRED investigation identified 50 such bots and 25 channels linked to the creation of these abusive AI-generated explicit images. Telegram removed all 75 channels and bots after WIRED reached out, but many of them will likely respawn.

The slow death of the password may have gotten a speed boost this week. The FIDO Alliance, a tech industry association, announced new efforts to help hasten the adoption of passkeys, the cryptographically generated codes that are already replacing less-secure passwords. These efforts include a new Credential Exchange Protocol, which makes it easier to migrate passkeys between platforms and devices, and Passkey Central, a resource for company IT departments that aims to make it easier for organizations to adopt passkeys.

A group of researchers revealed this week that they created an algorithm that generates a malicious prompt capable of instructing an AI chatbot to identify personal information fed into it by a user and secretly send it to an attacker.

Finally, we went back in time to explore how well the US Army’s “solider of tomorrow,” unveiled 65 years ago this week, predicted the future of US military tech.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

If you use uBlock Origin’s Chrome extension to filter out online ads, expect to get mildly annoyed in the near future. Google has begun implementing new Chrome extension standards, called Manifest V3, that will disable the legacy version of uBlock Origin’s extension that most users likely have installed. And while you might be thinking, “Google is a silverback gorilla of online advertising, of course they’re finally forcing me to see ads!” there is some good news. A new version of the ad-filtering extension that meets the Manifest V3 standards, uBlock Origin Lite, is now available. Then again, it won’t block as much as the previous iteration of uBlock. Still, as a Google spokesperson told The Verge, you have options: “The top content filtering extensions all have Manifest V3 versions available — with options for users of AdBlock, Adblock Plus, uBlock Origin and AdGuard.” Either way, you’ll need to install a new extension soon.

**Alabama Man Charged in Hack of the SEC’s X Account**

US authorities announced charges this week against a 25-year-old Alabama man accused of hacking the Security and Exchange Commission’s X account. Prosecutors claim Eric Council Jr. obtained personal information and the materials for a fake ID of a person who controlled the @SECGov account from unidentified coconspirators. Council allegedly used the fake ID to carry out a SIM-swapping attack, duping AT&T retail store staff into giving him a new SIM card, which he ultimately used to take control of the victim’s phone account. The coconspirators used that to gain access to the SEC’s X account, where they posted a fake announcement about Bitcoin’s regulatory status, which was followed by a price jump of $1,000 per bitcoin. Council stands charged of conspiracy to commit aggravated identity theft and access device fraud.

**Kroger Says It Won’t Use Facial Recognition in Its Grocery Stores**

The grocery store chain Kroger has never used facial-recognition technology broadly in its stores and has no current plans to, a spokesperson told Fast Company this week. The company has been facing a firestorm over its use of electronic shelving labels over concerns that ESLs could be used to impose surge pricing on popular items, and fears that the devices could also be deployed with facial recognition. The company did a single-store facial-recognition pilot of a technology called EDGE in 2019, but it did not move forward with the service. US lawmakers including Rashida Tlaib, Elizabeth Warren, and Robert Casey have publicly raised concerns about Kroger’s use of ESLs.

**Microsoft Is Missing More Than 2 Weeks of Cloud Customers’ Security Logs**

Microsoft told customers that it failed to capture more than two weeks of security logs from certain cloud services in September, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. News of the lost logs was first reported by Business Insider. The company said in the notification that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform.” The blank extends from September 2 to September 19. A Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”

System activity logs are crucial for all sorts of operations and are particularly used for security monitoring and investigations, because they can expose breaches and malicious activity. After Russian hackers breached US government networks through SolarWinds software in 2020, many agencies couldn’t detect the activity in their Microsoft Azure cloud services because they weren’t paying for Microsoft’s premium tier features, so they didn’t have adequate network activity logs. Lawmakers were outraged about the up-charge, and the Biden administration worked for more than two years to get Microsoft to make the logging services free. The company ultimately announced the change in July 2023.

Tag

#google