Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

PRESS RELEASE

AUSTIN, Texas and Fal.Con 2024, Las Vegas – September 16, 2024 — CrowdStrike (NASDAQ: CRWD) today announced the launch of its second annual Cybersecurity Startup Accelerator with Amazon Web Services (AWS). NVIDIA also joins in supporting the Accelerator program, powering the next generation of artificial intelligence (AI) and cloud security startups. Targeting cybersecurity’s next market-defining disruptors across the U.S. and EMEA, AWS and CrowdStrike with NVIDIA through its Inception program, will provide mentorship, technical expertise, funding and go-to-market opportunities.  
Applications for the AWS and CrowdStrike Cybersecurity Startup Accelerator with NVIDIA are open from September 16, 2024 to January 10, 2025. Selected startups will be enrolled in a free eight-week program developed by AWS, CrowdStrike and NVIDIA that offers mentorship and guidance from industry experts and executives. Startups will also have access to top-tier global cybersecurity investors, enablement sessions, and up to $25,000 in AWS Activate credits, among other exclusive benefits.

At the end of the program, participants can present their innovations at an in-person Demo Day at the AWS Startup Loft in San Francisco, which will take place during the RSA Conference in April 2025. Winning presentations may be eligible to receive funding from the CrowdStrike Falcon® Fund. 

“CrowdStrike and AWS created the Cybersecurity Startup Accelerator as a formative, value creation experience for innovative startups to learn, create and grow. Since participating in the Accelerator, last year’s cohort participants raised over $150 million from leading global VCs,” said Daniel Bernard, chief business officer, CrowdStrike. “We’re proud to welcome NVIDIA as a supporter of the Accelerator program – bringing together market-leading cybersecurity, cloud and AI expertise to cultivate tomorrow’s great innovators.”

“For startups seeking to tackle the most pressing security challenges, the Cybersecurity Startup Accelerator provides the AI technologies, accelerated computing resources and technical expertise they need,” said Bartley Richardson, director of cybersecurity engineering at NVIDIA.

To apply, visit this website. Startups are encouraged to review the terms and conditions here.

You May Also Like

CrowdStrike Expands Cybersecurity Startup Accelerator With AWS and NVIDIA

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

Company urges organizations using self-hosting GitLab instances to apply updates for CVE-2024-45409 as soon as possible.

Source: T. Schneider via Shutterstock

Organizations with self-hosted GitLab instances configured for SAML-based authentication might want to update immediately to new versions of the DevOps platform that the company released this week.

The update addresses a maximum severity bug in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to bypass authentication checks and log in as an arbitrary user in an affected system. Depending on the level of access, an attacker could then steal leak or modify source code, inject malicious code into production systems, steal secrets and sensitive data, and execute a variety of other malicious actions.

**Maximum Severity Threat**

The bug, identified as CVE-2024-45409, has a severity score of 10.0, which is as critical as it gets on the CVSS rating scale. The bug has garnered the rating because of its high impact and also because exploiting it involves low-attack complexity, no special privileges, and no user interaction.

CVE-2024-45409 affects both GitLab Dedicated, the fully managed cloud-hosted version, and also self-managed instances of GitLab. The company already has updated all instances of GitLab Dedicated and says that customers of the managed version are already protected against the vulnerability. However, those running self-managed GitLab installations must patch now, the vendor advised. "We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible."

GitLab has recommended that organizations enable two-factor authentication for all user accounts for self-managed GitLab installations to mitigate against exploits targeting CVE-2024-45409. "Enabling identity provider multifactor authentication does not mitigate this vulnerability," GitLab cautioned. The company also recommends that organizations not allow the SAML two-factor bypass option in GitLab. In addition, GitLab's advisory provides detailed guidance on how to hunt for and detect signs of exploit activity tied to the flaw.

CVE-2024-45409 is present in versions 12.2 and older and versions 1.13.0 to 1.16.0 of Ruby SAML, a library which is a part of GitLab's SAML-based authentication feature. Ruby SAML is what allows organizations to authenticate users to GitLab via external identity providers.

**Improper Signature Verification**

The National Vulnerability Database's description of the flaw shows that affected Ruby SAML versions either aren't verifying or are incorrectly verifying the cryptographic signature in a SAML response. This allows an attacker with access to any signed SAML document from an identity provider to forge a SAML response. "This would allow the attacker to log in as \[an\] arbitrary user within the vulnerable system," the NVD said.

In its advisory, GitLab said that in order to craft a successful exploit for the flaw, an attacker would need to find a way to craft SAML assertions that are identical to those from an organization's legitimate identity provider. This would involve having the information needed to accurately replicate key fields like username, role, identity, and privileges.

"When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login," GitLab said. "These include both the key and value fields that you specify at your \[identity provider\] and may be unknown to unauthorized individuals — especially if you have customized these attributes."

**Particularly Troubling on Dev Platforms**

Researchers consider vulnerabilities in DevOps platforms like GitHub to be particularly troublesome because of the opportunities they provide attackers to compromise application development environments in multiple ways.

"The ability to bypass authentication checks is a huge threat, as it gives attackers the window of opportunity to easily enter development environments and cause tremendous damage — all without triggering any alerts," says Katie Teitler-Santullo, cybersecurity strategist at OX Security. "Presumably, and hopefully, organizations are using strong authentication — MFA least privilege, and zero-trust principles — to ensure that all access is fully authorized."

Jeff Williams, founder and CTO at Contrast Security, stresses the importance of addressing authentication bypass flaws. "In this case, a forged SAML assertion can be created to log on as any user and take any actions that a user can do," he says. "This might include tampering with pipelines, embedding malicious code in software products, stealing intellectual property, installing malware, or just about any other bad thing you can imagine."

CVE-2024-45409 is the most critical among 18 vulnerabilities that GitHub disclosed this month as part of its regular security updates. GitHub assessed one of the other 17 vulnerabilities as critical. The flaw (CVE-2024-6678), with a CVSS severity score of 9.9, affects multiple GitLab CE and EE versions. It is one of several in recent months that allows an unauthenticated, remote attacker to run a pipeline in the context of any user within a GitLab environment.

The vulnerability is similar to flaws that GitLab disclosed in May, June, and July and suggests a pattern of not taking security seriously, Williams says. "Critical vulns month after month. Maybe they're doing better testing? Good. Or maybe they aren't being proactive. We need transparency."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GitLab Warns of Max Severity Authentication Bypass Bug

Inc ransomware — one of the most popular among cybercriminals today — meets healthcare, the industry sector most targeted by RaaS.

Source: Photo 12 via Alamy Stock Photo

Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.

Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.

In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators MSTIC tracks," says Jeremy Dallman, senior director of threat intelligence for MSTIC. "While we've seen them targeting healthcare for quite a while, the notable shift here is their use of an Inc ransomware payload as they leverage the larger ransomware-as-a-service ecosystem."

**Vice Society's Latest Foray into Healthcare**

Vice Society flirts with various industries, including IT and manufacturing, but it's best known for its campaigns against the education and healthcare sectors.

In that sense, it's in line with the broader threat landscape. According to Check Point Research, healthcare is the industry most frequently targeted by ransomware actors. Other kinds of cybercriminals like it too, evidently, with global healthcare organizations experiencing an average of 2,018 attacks per week, a 32% rise over last year.

It only makes sense, warns Cindi Carter, Check Point's CISO for the Americas. Besides being hamstrung by outdated legacy technology and bureaucracy, "The type of data that healthcare organizations capture, create, and share is of high value to cybercriminals," she says. "Your medical record is the single most identifiable piece of digital information about you besides your own fingerprint," she says.

In recent activity leveraging the healthcare sector's inherent weaknesses, Vice Society received initial access to victims that previously had been infected with the Gootloader backdoor-loader. Then it deployed tools including the Supper backdoor, AnyDesk's remote monitoring and management (RMM) solution, and MEGA's data synchronization tool, the latter two of which are legitimate commercial products. The group used Remote Desktop Protocol (RDP) to perform lateral movement in affected networks, and abused the Windows Management Instrumentation (WMI) provider host to drop Inc ransomware.

**The Rise of Inc Ransomware**

Active since last summer, the Inc ransomware-as-a-service (RaaS) operation has earned plenty of headlines for its compromises of particularly large organizations — Xerox and Scotland's National Health Service (NHS), among others. And its modus operandi fits the scope of its ambition, says Jason Baker, threat intelligence consultant for GuidePoint Security.

"The aspect of Inc affiliates in particular that makes them stand out is that they have a very structured way of working through the negotiations process. There's no winging it. There are no off-the-cuff remarks. Agitation and threats are kept relatively minimal," he recalls from dealing with them firsthand.

"It's like the difference between somebody robbing a bank and somebody sticking somebody up in an alley. You can tell when somebody's put thought into \[an attack\] and knows what they're doing," he says.

As Dark Reading reported last month, Inc's malware leaked information about the nature and success of its data encryption. Though this could potentially lend defenders a leg up in remediation and potential negotiations with its affiliates, Baker warns that the reality is more complicated, especially when it comes to healthcare.

"If an organization knows that they can recover, and that they don't need a decryptor, that substantially decreases the feeling that they need to pay a ransom," he notes. "But where it's complicated is in modern double extortion, particularly if there's sensitive personally identifiable health information (PHI), or if there's sensitive intellectual property involved. There's a reason why the double extortion methodology has stuck around for as long as it has: It does, to some extent, overcome even an ability to recover."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Vice Society Pivots to Inc Ransomware in Healthcare Attack

This year, Congress only allocated $55 million in federal grant dollars to states for security and other election improvements.

Thursday, September 19, 2024 14:00

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

**The one big thing **

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

**Why do I care? **

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East.** The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

**Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it.** New research findings indicate that groups like BianLian and Rhysida use Microsoft's Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

**Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them.** This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

**Can’t get enough Talos? **

*   Despite Russia warnings, Western critical infrastructure remains unprepared 
*   The Cybersecurity Cat-And-Mouse Game 
*   DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

**Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd  

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668   
**MD5:** 49d35332a1c6fefae1d31a581a66ab46   
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus   
**Claimed Product:** N/A     
**Detection Name:** W32.Auto:70ff63.in03.Talos 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos

Talk of election security is good, but we still need more money to solve the problem

The explosion of thousands of rigged pagers and walkie-talkies will likely make Hezbollah operatives fear any means of electronic communication. It’s having the same effect on the Lebanese population.

“They don't trust their smartphones, so they reach back to these more archaic devices, and those blow up. What's next?” says Schneier. “Everything becomes less efficient, because they can't communicate well.”

Schneier describes the paranoia-inducing effect of the operation as a kind of ongoing “tax” on Hezbollah as an organization. “There are a lot of things you can't do if you can't trust your comms,” he says. Schneier compares the end result to the nearly incommunicado state of a hunted figure like Osama bin Laden, who in his final years was reduced to sending messages only via the human couriers who visited his secret compound in Pakistan.

That paranoia, in fact, has been seeded among Lebanon's population for years. Israel's pager- and walkie-talkie-based attacks follow repeated public warnings from Hezbollah leader Hassan Nasrallah about the surveillance dangers of smartphones, given Israeli intelligence's well-known hacking prowess. “Please break it, bury it, lock it up in a metal box,” Nasrallah said in one speech. In another, he appeared on Lebanese television next to an image of an iPhone circled in red with a slash across it. “These are deadly spies,” he warned. Cell phones were reportedly banned from Hezbollah meetings in favor of pagers.

Now the older, alternative devices Hezbollah has fallen back to carry even greater fears of injury or death. And that fear has come to encompass communications electronics more broadly: At Wednesday's funeral for victims of Tuesday's attack, for instance—an event that was itself the target of another attack—attendees were asked to remove the batteries from their phones.

Creating distrust of communication devices within Hezbollah may well be Israel's purposeful tactic of “preparing the battle space” ahead of impending Israeli military operations against Lebanon, says Thomas Rid, a professor of strategic studies at Johns Hopkins University and author of _Active Measures_, who specializes in disinformation and influence operations. He compares the operation to cyberattacks or physical attacks on “command-and-control” infrastructure at the beginning of a conflict, such as the United States' efforts, documented in former NSA chief Michael Hayden's book _Playing to the Edge_, to destroy the Iraqi military's fiber-optics-based communications in 2003 in order to “herd” the enemy's military toward more easily intercepted radio-based communications.

“This is taking attacks on command-on-control to a whole new level,” Rid says. “They sent the message: ‘No, we’re not just penetrating these devices and bugging them, we're literally blowing them up, taking away the confidence you might have had in your command-and-control and also in any future devices that you might procure.’”

For Israeli intelligence, Rid notes, the attack also represents a stunning reassertion of its power and public image following its disastrous failure to prevent Hamas' attacks of October 7. “This operation goes a long way in terms of demonstrating that they are, perhaps, the most creative and the most ruthless intelligence establishment on the planet right now,” he says.

Thanks to the collateral damage of Israel's brazen offensive, however, its effects—both physical and psychological—have by no means been limited to Hezbollah operatives. The French-Lebanese security researcher Kobeissi, who now works as the founder and CEO of Paris-based tech firm Symbolic Software, says he's already seen false rumors and misleading videos spread among Lebanese people, suggesting for instance that iPhones, too, are exploding. “People are losing their minds, because it's scary as shit, and that's the point,” he says. “It's impossible to think about this as limiting Hezbollah's communications and capabilities without realizing it's also going to have a terrorizing effect on the adjacent population.”

Kobeissi argues that the attack's collateral damage will shape how a generation of people think about Western technology in Lebanon and beyond. “The average Lebanese person doesn't have a specific understanding of what it means to conduct a supply chain attack,” he says. “What they see is that a device made by an American ally, a device they rely on, may blow up. And it's unfortunate that the Israeli intelligence community didn't consider the knock-on effects that this could have globally.”

Aside from that issue of trust, Israel's attack also represents an escalation, says Harvard's Bruce Schneier—a new kind of attack that, now that it's been demonstrated, is sure to be seen again in some form, perhaps even in an act of retaliation against Israel itself.

“It’s not just Hezbollah that should worry. If I were Ukraine, I’d be worried. If I were Russia, I’d worry. If I were Israel, I’d worry. This doesn’t just go one way,” he says. “Now we all live in a world of connected devices that can be weaponized in unexpected ways. What does that world look like?”

First Israel’s Exploding Pagers Maimed and Killed. Now Comes the Paranoia

By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

Traditional cybersecurity measures are increasingly inadequate against sophisticated threats in the rapidly evolving digital security landscape. Artificial intelligence (AI) has emerged as a transformative force to revolutionize risk assessment and management in the cybersecurity domain. As organizations grapple with an increasing array of cyber threats, AI-driven approaches to risk scoring are becoming more important and essential tools in the modern security arsenal.

At the forefront of this technological revolution is the development of AI-driven risk assessment models tailored specifically to cybersecurity threats. These systems are designed to identify vulnerabilities that often elude traditional methods by offering a more comprehensive and nuanced approach to risk scoring. Leveraging machine learning algorithms and deep neural networks, these AI models can analyze vast amounts of unstructured data, uncovering complex patterns and insights that might otherwise remain hidden from human analysts. These threats can range from univariate anomalies, like a user logging in from a different IP address, to more complex multivariate risks that involve deviations in user behavior patterns and anomalies in their typical sign-on activities.

A simple one-dimensional risk assessment approach is insufficient in real-life scenarios; instead, a weighted average risk system capable of detecting and evaluating these multivariate risks is essential. Each of these threat detection methodologies can and very well be independent of each other, assessing risks on different (combinations) of variables in play.

**An AI Advantage**

An important advantage of AI in cybersecurity is its ability to process and analyze data at a scale and speed far beyond human capabilities. These advantages enable real-time threat detection and dynamic risk scoring, which allows security teams to prioritize and respond to threats incredibly efficiently. By continuously analyzing network traffic, user behavior, and external threat intelligence, AI-driven systems can update risk scores in real time, providing a constantly evolving picture of an organization's security posture.

The integration of AI into risk-scoring systems also enhances the overall security strategy of an organization. These systems are not static, but rather learn and adapt over time, becoming increasingly effective as they encounter new threat patterns and scenarios. This adaptive capability is crucial in the face of rapidly evolving cyber threats, allowing organizations to stay one step ahead of potential attackers. An example of this in action is detecting anomalies during user sign-on by analyzing physical attributes and comparing them to typical behavior patterns. This approach helps prevent unauthorized access by identifying and blocking suspicious sign-ins before the user can enter the system.

**AI Is Not a Cure-All**

It's important, however, to realize that AI is not a cure-all for every cybersecurity challenge. The most impactful strategies combine the analytical power of AI with human expertise. While AI excels at processing vast amounts of data and identifying patterns, human analysts provide critical contextual understanding and decision-making capabilities. It's crucial for AI systems to continuously learn from the input of small and medium-sized enterprises (SMEs) through a feedback loop to refine their accuracy and minimize alert fatigue; this collaboration between human and artificial intelligence creates a robust defense against a wide range of cyber threats.

The application of AI in cybersecurity extends beyond threat detection. Advanced AI models are also being used to simulate potential attack scenarios, allowing organizations to proactively identify and address vulnerabilities before they can be exploited. This predictive capability represents a significant shift from reactive to proactive security measures, potentially saving organizations millions in breach-related costs.

AI's role in cybersecurity is expected to grow exponentially as AI technology continues to advance. Future developments may include more sophisticated predictive models, enhanced automation of threat response, and even AI systems capable of autonomously patching vulnerabilities. These advancements promise to create more resilient and adaptive security infrastructures, better equipped to handle the challenges of an increasingly digital world.

The integration of AI into cybersecurity risk-scoring systems represents a significant leap forward in the field of digital security. By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats. As the digital landscape continues to evolve, embracing AI-driven approaches to cybersecurity will be crucial for organizations seeking to protect their assets and maintain their competitive edge in an increasingly interconnected world.

**About the Author**

AI and Data Science Leader, Cybersecurity Expert

Venkat Gopalakrishnan is an accomplished AI and data science leader with extensive experience driving AI initiatives in high-impact industries. The holder of two patents in AI and cybersecurity, Venkat has expertise in integrating traditional AI and generative AI into complex systems, having successfully led global teams and delivered innovative AI solutions across various domains, including cybersecurity, finance, and sales.

An AI-Driven Approach to Risk-Scoring Systems in Cybersecurity

Thousands of beepers and two-way radios exploded in attacks against Hezbollah, but mainstream consumer devices like smartphones aren’t likely to be weaponized the same way.

For two days this week, Hezbollah has been rocked by a series of small explosions across Lebanon, injuring thousands and killing at least 25. But these attacks haven’t come from rockets or drones. Instead, they’ve resulted from boobytrapped electronics—including pagers, walkie-talkies, and even, reportedly, solar equipment—detonating in coordinated waves. As details come into view of the elaborate supply chain attack that compromised these devices, citizens on the ground in Lebanon and people around the world are questioning whether such attacks could target any device in your pocket.

The campaign to compromise key Hezbollah communication infrastructure with explosives was clearly elaborate and involved. The operation, which is widely believed to have been perpetrated by Israel, goes far beyond past examples of hardware supply chain attacks and may be a source of inspiration for future spycraft around the world. But sources tell WIRED that the specific scale and scope of the effort would not be easily replicated in other contexts. And, more broadly, the resources and precision involved in carrying out such an attack would be prohibitively difficult to maintain over time for key consumer devices like smartphones—which are used so widely and regularly scrutinized by researchers, product testers, and repair technicians.

“I do think there is absolutely potential to see more of this in the longer term, not targeting civilians, but generally targeting other military actors,” says Zachary Kallenborn, an adjunct nonresident fellow with the Center for Strategic and International Studies. Kallenborn says militaries are increasingly relying on commercial technology—from drones to communications devices—all of which could be compromised if supply chains can be exploited by adversaries. “These systems are being sourced from all over the globe,” he says. “What that means, then, is that you also have these global supply chains supporting them.”

While full details of the attacks are still coming to light, the devices that detonated were seemingly compromised with explosives before they arrived in Hezbollah members’ hands. Alan Woodward, a cybersecurity professor at the University of Surrey, says he suspects that an attacker would plant explosives in a device during the manufacturing process, rather than intercepting gadgets after they are finished and then taking them apart to plant explosives. Reporting by the New York Times on Wednesday evening seemed to confirm this theory, indicating that Israel directly manufactured the compromised devices via shell companies. Israel has not commented on any of the attacks.

Early theories that cyberattacks caused device batteries to overheat and explode have been ruled out by cybersecurity experts. The force of the blasts seen in on-the-ground footage would not be consistent with battery fires or explosions, especially given the small size of pager and walkie-talkie batteries.

Lebanon’s political landscape and ongoing economic crisis, coupled with regional fighting between Hezbollah and Israel, created specific opportunities for sabotage. Hezbollah is isolated globally, with countries like the United States and United Kingdom classifying it as a terrorist organization while other countries, such as Russia and China, maintain relations. This impacts Hezbollah’s avenues for importing equipment and vetting suppliers.

Amid ongoing violent conflict with Israel, Hezbollah’s digital communications and activities are also under constant barrage from Israeli hackers. In fact, this constant digital assault reportedly played a role in pushing Hezbollah away from smartphone communication and toward pagers and walkie-talkies in the first place. “Your phone is their agent,” Hezbollah leader Hassan Nasrallah said in February, referring to Israel.

The commercial spyware industry has shown it is possible to fully compromise target smartphones by exploiting chains of vulnerabilities in their mobile operating systems. Developing spyware and repeatedly finding new operating system vulnerabilities as older ones are patched is a resource-intensive process, but it is still less complicated and risky than conducting a hardware supply chain attack to physically compromise devices during or shortly after manufacturing. And for an attacker, monitoring a target’s entire digital life on a smartphone or laptop is likely more valuable than the device’s potential as a bomb.

“I’d hazard a guess that the only reason we aren’t hearing about exploding laptops is that they’re collecting too much intelligence from those,” says Jake Williams, vice president of research and development at Hunter Strategy, who formerly worked for the US National Security Agency. “I think there’s also potentially an element of targeting, too. The pagers and personal radios could pretty reliably be expected to stay in the hands of Hezbollah operatives, but more general purpose electronics like laptops could not.”

There are other more practical reasons, too, that the attacks in Lebanon are unlikely to portend a global wave of exploding consumer electronics anytime soon. Unlike portable devices that were originally designed in the 20th century, the current generation of laptops and particularly smartphones are densely packed with hardware components to offer the most features and the longest battery life in the most efficient package possible.

University of Surrey’s Woodward, who regularly takes apart consumer devices, points out that within modern smartphones there is very limited space to insert anything extra, and the manufacturing process can involve robots precisely placing components on top of each other. X-rays show how tightly packed modern phones are.

“When you open up a smartphone, I think the only way to get any sort of meaningful amount of high explosive in there would be to do something like replace one of the components,” he says, such as modifying a battery to be half battery, half explosives. But “replacing a component in a smartphone would compromise its functionality,” he says, which could lead a user to investigate the malfunction.

In contrast, the model of pager linked to the explosions—a “rugged” device with 85 days of battery life—included multiple replaceable parts. Ang Cui, founder of the embedded device security firm Red Balloon Security, examined the schematics of the pager model apparently used in the attacks and told WIRED that there would be free space inside to plant explosives. The walkie-talkies that exploded, according to the manufacturer, were discontinued a decade ago. Woodward says that when opening up redesigned, current versions of older technologies, such as pagers, many internal electronic components have been “compressed” down as manufacturing methods and processor efficiency have improved.

Smartphone production lines also operate under stricter security measures, especially for high-cost devices like Apple’s iPhones and Google’s flagship Pixel phones. This is partly to guarantee production quality, but also to ensure that employees don’t leak trade secrets or prototypes. Not all low-end Android phones are manufactured with such intense oversight, but it would be more difficult to secretly take over manufacturing of a smartphone than a forgotten pager model. In countries like China, where many devices are manufactured, there is always the possibility of a domestic operation to plant backdoors, but such a scheme would need to be elaborate to skirt international scrutiny of the devices

To find exploding cell phones, you have to go back to 20th century tech. In 1996, Palestinian bombmaker Yahya Ayyash was killed when his mobile phone exploded as he answered a call. His old-style phone—which the New York Times said was ”reportedly a small, slim model that fits in a pocket”—had 50 grams of explosives planted inside it, likely by Israel’s security services. The explosion was reportedly triggered by a radio signal emitted from a plane flying above. And unlike the pager and walkie-talkie attacks this week, Ayyash’s phone was part of a highly targeted attack on him alone.

Even if this week’s exploding device campaign doesn’t have immediate implications for every smartphone in every pocket, though, it expands enormously the specter of hardware supply chain attacks.

“I think that every shady organization worldwide will now be checking their new devices—especially those ordered in bulk from the manufacturer—for explosives,” says a longtime hardware hacker and tech procurement specialist who asked to be identified as Null Pointer. “This hit so hard because it was novel and no one in that community knew to look for it. It's ingenious.”

Your Phone Won’t Be the Next Exploding Pager

The U.S. Treasury sanctions the Intellexa Consortium and key figures for distributing Predator spyware, a serious national security…

The U.S. Treasury sanctions the Intellexa Consortium and key figures for distributing Predator spyware, a serious national security threat. Intellexa, a rival to NSO Group, offers invasive Android and iOS hacking services globally.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on five individuals and one entity associated with the Intellexa Consortium. According to authorities, this group has been linked to developing and distributing spyware technology, posing substantial risks to U.S. national security.

The Intellexa Consortium, an international network of companies based in Europe, has emerged as a prominent organisation in the commercial spyware industry. Known primarily for its invasive “Predator” spyware, Intellexa Consortium has positioned itself as a rival to the NSO Group, the creators of the infamous Pegasus spyware.

As previously reported by Hackread.com, Intellexa offers hacking services targeting both Android and iOS devices, with contracts reportedly valued at up to $8 million.

“The United States will not tolerate the reckless propagation of disruptive technologies that threaten our national security and undermine the privacy and civil liberties of our citizens,” said Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence in a press release. He emphasized that the government will hold accountable those responsible for the spread of exploitative technologies.

The sanctions reflect an ongoing effort to address the misuse of spyware by both state and non-state actors. Previous U.S. government measures have included sanctions, export controls, and visa bans targeting those involved in the commercial spyware market.

**Intellexa’s Global Reach**

Founded by Tal Jonathan Dilian, the Intellexa Consortium has a wide international footprint, with offices and research facilities spread across the European Union. The company’s flagship product, Predator spyware, can infiltrate devices through one-click and zero-click attacks, giving its operators access to sensitive data such as photos, geolocation, personal messages, and even microphone recordings.

Additionally, the spyware has been used by various state-sponsored actors to target government officials, journalists, political opponents, and policy experts.

The latest sanctions target key figures within the Intellexa network, including Felix Bitzios, Andrea Nicola Constantino Hermes Gambazzi, Merom Harpaz, Panagiota Karaoli, and Artemis Artemiou, along with the Aliada Group, a company based in the British Virgin Islands.

These individuals and entities have been accused of facilitating the development and distribution of Predator spyware, with several directly involved in supplying it to foreign governments.

**Sanctions and Legal Ramifications**

As a result of the sanctions, all U.S. assets and interests connected to the designated individuals and entities have been blocked. OFAC has prohibited U.S. persons from engaging in transactions involving the sanctioned parties.

Additionally, non-U.S. persons could face penalties for helping others evade these sanctions or otherwise violate U.S. regulations. Financial institutions and businesses engaging with the designated entities risk exposure to sanctions or enforcement actions themselves.

While initially marketed as tools for legitimate law enforcement purposes, these technologies have increasingly been misused to invade privacy and infringe upon civil liberties.

Nevertheless, with the rise of companies like Intellexa, which challenge known players such as the NSO Group, the stakes for regulating and controlling the spread of spyware are higher than ever.

1.  **Police confiscate surveillance van loaded with hacking tools**
2.  **QuaDream, Israeli iPhone hacking spyware firm, to shut down**
3.  **Amnesty Intl. accuses Indian cyber security firm of spyware attacks**

Tag

#intel