The threat intelligence business, which is set to be acquired by Mastercard for billions, is officially vendor non grata in Putin's regime.

Source: JHG via Alamy Stock Photo

NEWS BRIEF

The Russian government has set a new precedent for itself by officially designating Recorded Future, the cyber threat intelligence (CTI) company, as "undesirable." It's a development that the company's CEO sees as a badge of honor.

The term is the country's official parlance for sanctioning, and it means that Recorded Future won't be able to operate within Russia or interact with any Russian companies or individuals. It's a status that was first introduced in 2015 as a way to cut off Russian citizens from the influence of nongovernmental organizations (NGO), media organizations, and other members of civil society that call out human rights abuses and other concerns about Vladimir Putin's regime, which is widely characterized as repressive and authoritarian.

Recorded Future is the first infosec organization and one of very few businesses to "earn" the designation, though the Russia Federation's Office of the Prosecutor General incorrectly labeled it as an NGO in its Dec. 18 announcement about the "undesirable" labeling.

Among the company's supposed crimes against the state: being funded by American businesses; providing services for searching, processing, and analyzing data including on the Dark Web; "specializing in cyber threats"; and actively interacting with the CIA and other foreign intelligence forces.

The Prosecutor General also called out the company, which incidentally is being acquired by Mastercard for $2.65 billion, for spreading "propaganda" and engaging in "offensive information campaigns" regarding its war with Ukraine, tracking Russian Army activities, and feeding intelligence to the Ukrainian authorities.

For his part, Recorded Future CEO Christopher Ahlberg took the news better than in stride, posting on X, "Some things in life are rare compliments. This being one."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.

Source: Funtap via Shutterstock

An ongoing cyber-espionage campaign by Russia's Midnight Blizzard threat group may be much larger in scope than generally assumed, targeting international entities in government, armed forces, and academic institutions, Trend Micro said in recently released research.

At its peak in October, Trend Micro researchers observed Midnight Blizzard — which they track as Earth Koshchei — hitting as many as 200 entities a day with phishing emails containing a malicious Remote Desktop Protocol (RDP) file and red-team testing tools to take control of victim systems and steal data or plant malware on them. That volume is roughly what other groups with similar capabilities to — such as Pawn Storm — typically target over multiple weeks, Trend Micro said in a report this week.

In these attacks, intended victims received tailored spear-phishing emails containing a malicious or rogue RDP configuration file that, if used, would direct the victim's system to a remote attacker-controlled system. RDP configuration files simplify and automate remote access to enterprise systems by storing settings — such as a target computer's address and connection preferences — to enable remote desktop connections.

Trend Micro found the threat actor using the open source PyRDP tool as a sort of adversart-in-the-middle proxy to redirect connection requests from victim systems to attacker-controlled domains and servers. "The attack technique is called 'rogue RDP,' which involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file," the researchers explained. "A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation."

**Careful Planning**

In August, Midnight Blizzard began setting up what would eventually be more than 200 domain names to direct victims to as part of the attack chain. Trend Micro also observed the attacker using 34 rogue RDP backend servers as part of its sprawling infrastructure.

The domain names that the threat actor used suggested government and military targets in the US, Europe, Japan, Australia, and Ukraine. Intended victims included ministries of foreign affairs, academic researchers, and military entities.  "The scale of the RDP campaign was huge," Trend Micro found.

Midnight Blizzard is a cyber-espionage group that the US government has identified as working for on or behalf of Russia's foreign intelligence service. The group is tied to numerous well known breach incidents, including ones at Microsoft, SolarWinds, HPE, and multiple US federal government agencies. Its campaigns typically involve sophisticated spear-phishing emails, stolen credentials, and supply chain attacks to gain initial access to target systems. It is also known to target vulnerabilities in widely used networking and collaboration tools from vendors such as Pulse Secure Citrix, Zimbra, and Fortinet.

The group has also has a penchant for using legitimate pen testing and red-team tools to evade detection by endpoint security controls. In the current campaign. Midnight Blizzard's use of legitimate tools like RDP and PyRDP has allowed the threat actor to operate largely under the radar on compromised networks. In addition, the threat actors often have a tendency to tap resident proxy services, Tor, and VPNs as anonymization layers while it operates in stealth on compromised networks.

"Notably no malware is installed on the victim's machines per se. Instead, a malicious configuration file with dangerous settings facilitates this attack, making it a stealthier living-off-the-land operation that is likely to evade detection," according to Trend Micro's report.

The security vendor wants organizations that don't block outbound RDP connection requests to begin doing so straight away. They also recommend blocking RDP configuration files in email.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

With AI, it's not only the sky that's the limit, it's the entire universe.

This is no secret, online criminals are leveraging artificial intelligence (AI) and large language models (LLMs) in their malicious schemes. While AI tends to be abused to trick people (i.e. deepfakes) in order to gain something, sometimes, it is meant to defeat computer security programs.

With AI, this process has just become easier and we are seeing more and more cases of fake content produced for deception purposes. In the criminal underground, web pages or sites that are meant to be decoys are sometimes called “white pages,” as opposed to the “black pages” (malicious landing pages).

In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check.

**Fake-faced executives**

The first example is a phishing campaign targeting Securitas OneID. The threat actors are very cautious about avoiding detection by running ads that most of the time redirect to a completely bogus page unrelated to what one would expect, namely a phishing portal.

It did cross our minds they could very well be trolling security researchers, but if that was truly the case, why not simply go for Rick Astley’s _Never Gonna Give You Up_?

The entire site was created with AI, including the team’s faces. While in the past, criminals would go for stock photos or maybe steal a Facebook profile, now it’s easier and faster to make up your own, and it’s even copyright-free!

When Google tries to validate the ad, they will see this cloaked page with pretty unique content and there is absolutely nothing malicious with it.

**Parsec and the universe**

Our second example is another Google ad for Parsec this time, a popular remote desktop program used by gamers.

It so happens that a parsec is also an astronomical measurement unit and the threat actors (or should we say AI) went wild with it, creating a white page heavily influenced by Star Wars:

The artwork, including posters, is actually quite nice, even for a non-fan.

Once again, this cloaked content is a complete diversion which will take detection engines for a ride.

**AI vs AI: humans to the rescue**

These are just some of the many examples of AI being misused. In the early days of deepfakes, one may remember companies already training AI to detect AI.

There will naturally be content produced by AI for legitimate reasons. After all, nothing prohibits anyone from creating a website entirely with AI, simply because it’s a fun thing to do.

In the end, AI can be seen as a tool which on its own is neutral but can be placed in the wrong hands. Because it is so versatile and cheap, criminals have embraced it eagerly.

Ironically, it is quite straightforward for a real human to identify much of the cloaked content as just fake fluff. Sometimes, things just don’t add up and are simply comical. Do jokes trigger the same reaction in an AI engine as they would to a human? It doesn’t seem like it… yet.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 AI-generated malvertising &#8220;white pages&#8221; are fooling detection engines 

Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device.

Image: Shutterstock, iHaMoo.

**Adam Griffin** is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real **Google** phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.

Griffin is a battalion chief firefighter in the Seattle area, and on May 6 he received a call from someone claiming they were from Google support saying his account was being accessed from Germany. A Google search on the phone number calling him — **(650) 203-0000** — revealed it was an official number for Google Assistant, an AI-based service that can engage in two-way conversations.

At the same time, he received an email that came from a google.com email address, warning his Google account was compromised. The message included a “Google Support Case ID number” and information about the Google representative supposedly talking to him on the phone, stating the rep’s name as “Ashton” — the same name given by the caller.

Griffin didn’t learn this until much later, but the email he received had a real google.com address because it was sent via Google Forms, a service available to all **Google Docs** users that makes it easy to send surveys, quizzes and other communications.

A phony security alert Griffin received prior to his bitcoin heist, via Google Forms.

According to tripwire.com’s **Graham Cluely**, phishers will use Google Forms to create a security alert message, and then change the form’s settings to automatically send a copy of the completed form to any email address entered into the form. The attacker then sends an invitation to complete the form to themselves, not to their intended victim.

“So, the attacker receives the invitation to fill out the form – and when they complete it, they enter their intended victim’s email address into the form, not their own,” Cluely wrote in a December 2023 post. “The attackers are taking advantage of the fact that the emails are being sent out directly by Google Forms (from the google.com domain). It’s an established legitimate domain that helps to make the email look more legitimate and is less likely to be intercepted en route by email-filtering solutions.”

The fake Google representative was polite, patient, professional and reassuring. Ashton told Griffin he was going to receive a notification that would allow him to regain control of the account from the hackers. Sure enough, a Google prompt instantly appeared on his phone asking, “Is it you trying to recover your account?”

Adam Griffin clicked “yes,” to an account recovery notification similar to this one on May 6.

Griffin said that after receiving the pop-up prompt from Google on his phone, he felt more at ease that he really was talking to someone at Google. In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address.

“As soon as I clicked yes, I gave them access to my Gmail, which was synched to **Google Photos**,” Griffin said.

Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet. Armed with that phrase, the phishers could drain all of his funds.

“From there they were able to transfer approximately $450,000 out of my Exodus wallet,” Griffin recalled.

Griffin said just minutes after giving away access to his Gmail account he received a call from someone claiming to be with Coinbase, who likewise told him someone in Germany was trying to take over his account.

Griffin said a follow-up investigation revealed the attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.

But when the thieves tried to move $100,000 worth of cryptocurrency out of his account, Coinbase sent an email stating that the account had been locked, and that he would have to submit additional verification documents before he could do anything with it.

**GRAND THEFT AUTOMATED**

Just days after Griffin was robbed, a scammer impersonating Google managed to phish 45 bitcoins — approximately $4,725,000 at today’s value — from **Tony**, a 42-year-old professional from northern California. Tony agreed to speak about his harrowing experience on condition that his last name not be used.

Tony got into bitcoin back in 2013 and has been investing in it ever since. On the evening of May 15, 2024, Tony was putting his three- and one-year-old boys to bed when he received a message from Google about an account security issue, followed by a phone call from a “Daniel Alexander” at Google who said his account was compromised by hackers.

Tony said he had just signed up for Google’s **Gemini AI** (an artificial intelligence platform formerly known as “Bard”), and mistakenly believed the call was part of that service. Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.

The Google prompt arrived seconds later. And to his everlasting regret, Tony clicked the “Yes, it’s me” button.

Then came another call, this one allegedly from security personnel at **Trezor**, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message sent from his Gmail account that included his name, Social Security number, date of birth, address, phone number and email address.

Tony said he began to believe then that his Trezor account truly was compromised. The caller convinced him to “recover” his account by entering his cryptocurrency seed phrase at a phishing website (**verify-trezor\[.\]io**) that mimicked the official Trezor website.

“At this point I go into fight or flight mode,” Tony recalled. “I’ve got my kids crying, my wife is like what the heck is going on? My brain went haywire. I put my seed phrase into a phishing site, and that was it.”

Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.

“I made mistakes due to being so busy and not thinking correctly,” Tony told KrebsOnSecurity. “I had gotten so far away from the security protocols in bitcoin as life had changed so much since having kids.”

Tony shared this text message exchange of him pleading with his tormentors after being robbed of 45 bitcoins.

Tony said the theft left him traumatized and angry for months.

“All I was thinking about was protecting my boys and it ended up costing me everything,” he said. “Needless to say I’m devastated and have had to do serious therapy to get through it.”

**MISERY LOVES COMPANY**

Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.

Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number.

Adam Griffin and Tony said they received the same Google Support Case ID number in advance of their thefts. Both were sent via Google Forms, which sends directly from the google.com domain name.

More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by **Junseth**, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.

Daniel told Junseth he was a teenager and worked with other scam callers who had all met years ago on the game **Minecraft**, and that he recently enjoyed a run of back-to-back Gmail account compromises that led to crypto theft paydays.

“No one gets arrested,” Daniel enthused to Junseth in the May 7 podcast, which quickly went viral on social media. “It’s almost like there’s no consequences. I have small legal side hustles, like businesses and shit that I can funnel everything through. If you were to see me in real life, I look like a regular child going to school with my backpack and shit, you’d never expect this kid is stealing all this shit.”

Daniel explained that they often use an automated bot that initiates calls to targets warning that their account is experiencing suspicious activity, and that they should press “1” to speak with a representative. This process, he explained, essentially self-selects people who are more likely to be susceptible to their social engineering schemes. \[It is possible — but not certain — that this bot Daniel referenced explains the incoming call to Griffin from Google Assistant that precipitated his bitcoin heist\].

Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.

Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.

The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.

“All these companies are very afraid of copyright,” Junseth explained in a May 2024 interview with the podcast whatbitcoindid.com, which features some of the highlights from his recorded call with Daniel.

“It’s interesting because copyright infringement really is an act that you’re claiming against the publisher, but for some reason these companies have taken a very hard line against it, so if you even claim there’s copyrighted material in it they just take it down and then they leave it to you to prove that you’re innocent,” Junseth said. “In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”

**AFTERMATH**

When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin.

By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.

To change this setting, open Authenticator on your mobile device, select your profile picture, and then choose “Use without an Account” from the menu. If you disable this, it’s a good idea to keep a printed copy of one-time backup codes, and to store those in a secure place.

You may also wish to download Google Authenticator to another mobile device that you control. Otherwise, if you turn off cloud synching and lose that sole mobile device with your Google Authenticator app, it could be difficult or impossible to recover access to your account if you somehow get locked out.

Griffin told KrebsOnSecurity he had no idea it was so easy for thieves to take over his account, and to abuse so many different Google services in the process.

“I know I definitely made mistakes, but I also know Google could do a lot better job protecting people,” he said.

In response to questions from KrebsOnSecurity, Google said it can confirm that this was a narrow phishing campaign, reaching a “very small group of people.”

“We’re aware of this narrow and targeted attack, and have hardened our defenses to block recovery attempts from this actor,” the company said in a written statement, which emphasized that the real Google will never call you.

“While these types of social engineering campaigns are constantly evolving, we are continuously working to harden our systems with new tools and technical innovations, as well as sharing updated guidance with our users to stay ahead of attackers,” the statement reads.

Both Griffin and Tony say they continue to receive “account security” calls from people pretending to work for Google or one of the cryptocurrency platforms.

“It’s like you get put on some kind of list, and then those lists get recycled over and over,” Tony said.

Griffin said that for several months after his ordeal, he accepted almost every cryptocurrency scam call that came his way, playing along in the vain hope of somehow tricking the caller into revealing details about who they are in real life. But he stopped after his taunting caused one of the scammers to start threatening him personally.

“I probably shouldn’t have, but I recorded two 30-minute conversations with these guys,” Griffin said, acknowledging that maybe it wasn’t such a great idea to antagonize cybercriminals who clearly already knew everything about him. “One guy I talked to about his personal life, and then his friend called me up and said he was going to dox me and do all this other bad stuff. My FBI contact later told me not to talk to these guys anymore.”

Sound advice. So is hanging up whenever anyone calls you about a security problem with one of your accounts. Even security-conscious people tend to underestimate the complex and shifting threat from phone-based phishing scams, but they do so at their peril.

When in doubt: Hang up, look up, and call back. If your response to these types of calls involves anything other than hanging up, researching the correct phone number, and contacting the entity that claims to be calling, you may be setting yourself up for a costly and humbling learning experience.

Understand that your email credentials are more than likely the key to unlocking your entire digital identity. Be sure to use a long, unique passphrase for your email address, and never pick a passphrase that you have ever used anywhere else (not even a variation on an old password).

Finally, it’s also a good idea to take advantage of the strongest multi-factor authentication methods offered. For Gmail/Google accounts, that includes the use of passkeys or physical security keys, which are heavily phishing resistant. For Google users holding measurable sums of cryptocurrency, the most secure option is Google’s free Advanced Protection program, which includes more extensive account security features but also comes with some serious convenience trade-offs.

How to Lose a Fortune with Just One Bad Click

Specialized AI models provide precise, domain-specific solutions for robotics, biotech, and materials science challenges.

Owing to its relative nascency, the realm of artificial intelligence (AI) has continued to undergo a rapid transformation while being faced with several developmental challenges. Most recently, the issue of a one-size-fits-all approach of traditional large language models (LLMs) has become increasingly prominent — especially as different industries have sought out more precise, efficient, and contextually aware AI solutions. 

Current generalist models such as Perplexity, ChatGPT, Claude, etc while undoubtedly impressive in their overall scope of operation and knowledge, often fall short when it comes to solving nuanced and complex challenges specific to domains like robotics, biotechnology, and materials science.

In fact, there is enough statistical data highlighting this need for such specialized AI systems. For instance, the robotics market is projected to reach a massive valuation of $97 billion by 2029, with its associated software segment alone expected to expand to $80 billion by 2032. 

(L) Global robotics market and its projected valuation  (R) Pharmaceutical sector wholesale and distribution market size

Similarly, the materials science and drug discovery sectors have also witnessed exponential growth, with markets for advanced materials and pharmaceuticals projected to reach $121 billion and $2.4 trillion respectively in the mid-to-long term.  

**ASI Train and its novel approach to domain-specific AI**

On November 26, 2024, the Artificial Superintelligence (ASI) Alliance — a conglomerate consisting of industry giants like SingularityNET, Fetch.ai, and Ocean Protocol — introduced ‘ASI Train,’ a platform offering a strategic shift from generalist AI models to highly specialized, domain-specific systems. 

Its inaugural model, Cortex, is designed to be a $100 million brain-inspired robotics framework demonstrating how targeted AI can revolutionize industries by addressing their unique computational and analytical requirements.

At its core, ASI Train leverages a decentralized framework that democratizes AI development and ownership. By utilizing Fetch.ai’s Autonomous Inference Model (AIM) Agents, the platform creates a collaborative ecosystem where researchers, investors, and technology enthusiasts can actively work with each other.

This has been done in order to not only distribute the system’s computational and financial burden but also ensure that the benefits of advanced AI are shared equitably among all of the involved stakeholders.

****The proof is in the pudding****

From the outside looking in, ‘Cortex’ serves as a proof of concept for ASI Train’s operational methodology. Inspired by the day-to-day functioning of the human brain, the model seeks to create robots that are not merely reactive but contextually aware and adaptive. 

By combining vision-language-action data sets with brain-inspired architectures, Cortex can help propel robotics to another level; especially since it does not rely on preprogrammed instructions for its operational autonomy.

The potential impact of such specialized tools extends across multiple critical sectors. In materials science, for instance, the platform can accelerate high-throughput screening processes, thus dramatically reducing the computational limitations that have currently bottlenecked discoveries in energy storage, electronics, and nanotechnology.

Similarly, within the drug discovery landscape, ASI Train’s approach promises to transform molecular design by improving the efficiency of identifying viable drug candidates. By implementing algorithms that can accurately predict protein-ligand interactions, the platform could significantly reduce the time and astronomical costs associated with pharmaceutical research. 

To this point, it bears mentioning that developing a single new drug can currently range anywhere up to a whopping $2.3 billion, making any efficiency gain potentially transformative for the industry.

****The future of AI is unfolding as we speak****

In addition to its aforementioned capabilities, ASI Train comes replete with a unique tokenomics structure wherein users can stake $FET to gain ownership of specific AI models, creating a unique value proposition where community members are not just passive consumers.

In fact, such a decentralized/non-local setup allows for secondary market trading of AI model assets, effectively turning cutting-edge technological development into a collaborative, economically engaging endeavor. On the subject, Humayun Sheikh, CEO of Fetch.ai and chairman of the ASI Alliance was recently quoted as saying:

“By combining domain-specific models like ‘Cortex’ with decentralized ownership, we’re creating a DeSci ecosystem where individuals support groundbreaking technology and share value creation.” 

Lastly, it is estimated that Cortex’s initial 12-14 week training period will begin by the end of December and will most likely generate an annual revenue exceeding $10 million (from customers ranging from educational institutions to warehouse companies to robotics).

Therefore, looking ahead, the ASI Alliance has set its sights on expanding its portfolio with additional AI models spanning domains like biotechnology, quantum science, and even space tech.

1.  Augmenting Training Datasets Using Generative AI
2.  AI-based Model to Predict Extreme Wildfire Danger
3.  IT and Cybersecurity Jobs in the Age of AI Technologies
4.  Volkswagen Goes AI, Integrates ChatGPT into its Vehicles
5.  ChatGPT Enhances Healthcare, But Secure Databases Are Key

The Need for Specialized AI Models in Today’s Transforming Industry Challenges

Yet another day, yet another data leak tied to Cisco!

****SUMMARY:****

*   **Partial Data Leak**: Hackers leaked 2.9GB of Cisco’s data on _Breach Forums_ on December 16, 2024.

*   **Exposed Records**: The leaked data is part of a 4.5TB dataset that was allegedly left unprotected by Cisco in October 2024.

*   **Previous Incident**: IntelBroker previously claimed responsibility for accessing the exposed data and attempted to sell it, including sensitive information from companies like Verizon, AT&T, and Microsoft.

*   **Cisco’s Response**: Cisco previously denied any compromise of core systems, attributing the issue to a misconfigured public-facing DevHub resource.

*   **Proof of Legitimacy**: IntelBroker released this partial leak to demonstrate the validity of their claims and attract buyers for the remaining data.

**RIBridges Breach**: Hackers infiltrated Rhode Island’s health and benefits system, demanding ransom and threatening to leak sensitive data.

On Monday, December 16, 2024, hackers leaked what they referred to as “partial data” belonging to technology and cybersecurity giant Cisco. The leak occurred on the cybercrime and data breach platform Breach Forums, where IntelBroker, a notorious hacker and the forum’s owner, released 2.9 GB of data for download.

****Important Background****

The leaked data is part of the 4.5TB content that hackers claim was left exposed by Cisco without any password protection or security authentication, allowing them to download the entire dataset in October 2024.

Hackread.com exclusively reported on the incident on October 14, 2024, when IntelBroker attempted to sell the data, which allegedly included source codes, confidential documents, and credentials belonging to global firms like Verizon, AT&T, Microsoft, and others.

At the time, Cisco did not respond to Hackread.com but denied any compromise of their core systems, attributing the incident to a misconfigured public-facing DevHub resource. However, IntelBroker maintained they had access until October 18 and provided evidence to Hackread.com showing they exploited an exposed token for JFrog, a software supply chain platform, to access the exposed content.

****What’s in the Leaked Data?****

This time, IntelBroker has leaked a portion of the data in an attempt to prove its legitimacy to potential buyers. “Hopefully, this proves the legitimacy of the breach to others wanting to buy the full version,” the hacker stated.

The 2.9GB leak reportedly contains the following:

*   **Cisco ISE (Identity Services Engine)**: A security policy platform that provides secure network access control and identity management.

*   **Cisco SASE (Secure Access Service Edge)**: A cloud-delivered solution that combines networking and security functions for secure access from anywhere.

*   **Cisco Webex**: A collaboration platform offering video conferencing, messaging, and calling solutions for teams and businesses.

*   **Cisco Umbrella**: A cloud-based DNS security solution that protects users from threats by securing internet access and blocking malicious domains.

*   **Cisco IOS XE & XR**: Network operating systems used in Cisco routers and switches, enabling advanced networking, automation, and programmability.

*   **Cisco C9800-SW-iosxe-wlc.16.11.01**: A software-based Wireless LAN Controller (WLC) image that manages and controls wireless networks running on Cisco Catalyst 9800 Series platforms.

Here’s a screenshot from Breach Forums showing what the hackers have leaked and the claims they are making:

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

While Cisco has yet to respond to this latest development, IntelBroker’s actions also show how such incidents can escalate into extortion attempts. Whether the remaining 4.5TB dataset will be sold, leaked, or resolved remains to be seen, but it’s a reminder for organizations to maintain their security practices and protect sensitive data.

1.  IntelBroker Claim Access to Nokia Internal Data, Selling for $20K
2.  Europol Hacked: IntelBroker Claims Major Law Enforcement Breach
3.  IntelBroker Space-Eyes Breach, Targeting US National Security Data
4.  IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access
5.  AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info

Hackers Leak Partial Cisco Data from 4.5TB of Exposed Records

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)-- Delinea, a pioneering provider of solutions for securing identities through centralized authorization, today announced it has been authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CVE Numbering Authority (CNA).

The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CNAs are organizations responsible for regularly assigning CVE Identifiers (CVE IDs) to vulnerabilities and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Delinea proudly joins a list of partners, including 420+ organizations from 40 countries, to further expand the community-driven CVE Program.

As a CNA, Delinea is authorized to review and assign CVE IDs to newly discovered zero-day vulnerabilities in the company’s software products. This will allow Delinea to directly establish new CVEs, streamline the reporting process, and continue to foster collaboration with the industry as a whole.

“Joining the CVE Program as a CNA reinforces our commitment and dedication to collaborating with the global cybersecurity community to identify and address emerging threats and shape the future of cybersecurity,” said Phil Calvin, Chief Product Officer at Delinea. “As identity security becomes the new frontline in cyber defense, safeguarding identities and governing their interactions is more critical than ever. Delinea’s involvement in this program will ensure our identity security solutions continue to be the most reliable in the market.”

Delinea provides the only identity security platform that enables organizations to seamlessly govern interactions across the modern enterprise through intelligent authorization. It applies context and intelligence throughout the identity lifecycle, eliminating threats while boosting productivity.

**A community-based approach to strengthening cybersecurity**

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders. It is an international, community-based effort to discover vulnerabilities and then assign and publish them to the CVE List, which CNAs build.

Use of CVE Records enables information technology and cybersecurity professionals to ensure they are discussing the same issue and coordinate their efforts to prioritize and address vulnerabilities, resulting in significant time and cost savings.

For more information on Delinea’s responsible disclosure program, visit its Trust Center: https://trust.delinea.com

Delinea Joins CVE Numbering Authority Program

In a previously unreported August memo, the Department of Homeland Security urged state and local police to conduct exercises to test their ability to respond to weaponized drones.

The Department of Homeland Security issued warnings to state and local law enforcement agencies this summer regarding the “growing illicit use” of commercial drones, internal documents show. Among the recommended steps was to conduct “exercises to test and prepare response capabilities.”

A DHS memo from August, which has not been previously reported, paints US cities as woefully underprepared for the “rising” threat of weaponized drones. The capabilities of unmanned aircraft systems (UAS) are “progressing faster” than available countermeasures offered under “federal prevention frameworks,” the memo says, adding that it’s common for state and local authorities to observe “nefarious” and “noncompliant” flights but still lack the authority to intervene.

The memo states that violent extremists in the US are increasingly searching for ways to modify “off-the-shelf” drones to ferry dangerous payloads, including “explosives, conductive materials, and chemicals,” with major advancements in the area being propelled largely by rampant experimentation on foreign battlefields, including those in Ukraine.

The document indicates that DHS has been urging local agencies for months to scout for possible launch sites near and around critical assets, while offering a slew of recommendations designed to mitigate a threat that the agency insists is growing by the day. Local officials have been advised to reposition CCTV cameras to aid in capturing evidence of airborne threats, and to start training local police on how to handle downed drones believed to carry hazardous and explosive materials. Additionally, the agency has urged local agencies to generously deploy, where legal, sensors capable of detecting and identifying commercial drones.

The memo, first obtained by Property of the People, a nonprofit focused on transparency and national security, was circulated roughly three months before the recent flurry of alleged drone sightings along the East Coast—growing national interest in which has been driven in part by the government’s own nebulous response.

New Jersey residents have been steadily reporting bright lights and flying objects in the sky over the past few weeks. At the same time, federal authorities have worked to downplay the significance of the reports. While Homeland Security secretary Alejandro Mayorkas conceded in an interview on Sunday that “people are seeing drones,” DHS had issued a statement days earlier declaring that “numerous detection methods” had failed to corroborate “any of the reported visual sightings.”

In the memo obtained by WIRED, DHS displays less confidence in its ability to detect menacing drones. The document, which authorities were instructed not to make public, states that “tactics and technology to evade counter-UAS capabilities are circulated and sold online with little to no regulation.” In reality, the ability of police to track errant drones is hindered by a range of evolving technologies, the memo says, including “autonomous flight, 5G command and control, jamming protection technology, swarming technology, and software that disables geofencing restrictions.”

The mystery in New Jersey and similar phenomena in Pennsylvania, New York, and Maryland, among other states, have put a spotlight on the ongoing efforts of state and federal legislators to expand the government’s access to counter-UAS technology. Speaking to reporters via Zoom on Saturday, a DHS official said the agency is urging Congress to “extend and expand existing counter-drone authorities,” and ensure “state and local authorities are provided the tools they need to respond to such threats as well.”

Currently, only a handful of federal agencies—including DHS and the Departments of Energy, Justice, and Defense—are legally permitted to bring down a drone inside US airspace.

Property of the People’s executive director, Ryan Shapiro, says the August memo makes clear that DHS is working steadily to obtain new technologies and legal privileges for law enforcement. But any impact to Americans’ civil liberties, he says, should not be justified by simply pointing to a “nebulous, misleadingly constructed threat.”

While terms like “violent extremists” conjure images of neo-Nazis and domestic terrorists hoping to incite a second US civil war, Shapiro says the government has also deceptively applied such labels to help undermine animal rights groups at the behest of corporations. Activists have relied heavily on drones over the past decade, he says, to help gather evidence of cruelty on factory farms—where recording undercover has been criminalized under so-called “ag-gag” laws.

During Saturday’s briefing, FBI officials said authorities had received roughly 5,000 drone tips in connection with the East Coast sightings, ultimately generating around 100 viable leads. Most of the reports appeared consistent, they said, with misidentified flights landing and taking off from major airports in the region.

While the FBI worked to allay concerns stemming from the recent sightings, it also urged Americans not to wholly dismiss the idea that rogue drones pose a serious threat. “It is well known to us that criminals breaking the law do, in fact, use \[drones\] to support their actions,” an official said, adding that, in contrast, the recent widespread sightings appear largely benign.

In a statement to WIRED, a DHS spokesperson said the agency is continuing to “advise federal, state, and local partners to remain vigilant to potential threats and encourages the public to report any suspicious activity to local authorities.”

Intel Officials Warned Police That US Cities Aren’t Ready for Hostile Drones

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target.

Ben Barrontine, Vice President of Executive Services & Partnerships, 360 Privacy

December 17, 2024

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

What are cybercriminals thinking? Inside the mind of a threat actor, the devil is in the details. Cybersecurity is composed of so many details that it's easy to miss some of them. For instance, even if you have all other employees protected, just one person not using two-factor authentication could put them all at risk.

Back in the day, a 99% success rate for security solutions was considered good. But the problem is that there's still a 1% chance of an attack getting through. To defeat that 1% chance, you must have layers of security. If you've got 10 layers of 99% success, you stack the odds in your favor that you will catch just about every security threat.

Defenses are getting more advanced, so threat actors will always search for the point of least resistance. In our day and age, that point is the human element. According to IBM, 41% of all cybersecurity incidents start with phishing as the initial attack vector. Fortunately, though, it's not all doom and gloom. By understanding the enemy, you can better prepare your organization against cyberattacks.

**The State of Security: Understanding Where Threat Actors Look**

Many threat actors are returning to the basics of social engineering by using information they get from data brokers. They're using basic phishing tactics to hook a target, because it avoids the automated cybersecurity tools and directly engages the individual human.

Cybercriminals rarely commit direct attacks against the designated target person. They typically find someone in the target's support system: an executive assistant, a spouse, kids, or the live-in grandmother. Whoever is the softest target in that support system will be the one who clicks a link. It doesn't matter if they have the latest, greatest security software update. Think of the Trojan horse story: A walled city's defenses were no match for a clever scheme that went right past all those defenses. In fact, the defenders opened the gates wide and unwittingly let the threat in.

**Train the Company's Cyber-Spidey Senses**

You have to develop a certain level of "Spidey sense" in employees, and it can be as simple as realizing that they need a second opinion before clicking a link. They don't have to be subject matter experts; they just have to know enough to recognize when they should ask someone else. After all, the Verizon "2024 Data Breach Investigations Report" notes that more than two-thirds (68%) of breaches analyzed included a nonmalicious human element, which involves insider errors or falling for social engineering schemes.

Part of developing this sense is looking for red flags in emails. While this may be getting harder with AI, there are still some obvious signs. Misspellings, odd phrasing, strange fonts, or out-of-character requests are all good indicators that something is amiss. For example, you would never get an email from your mom saying, "Hello, I need you to buy me gift cards." In addition, train employees to hover over the sender's name to see the email address. If the subject line says "Comcast," but the email address ends in "gmail.com," they can bet the email is a scam.

If a bad actor can access someone's packets by Wi-Fi sniffing or other means, the actor doesn't have to follow the person — they can just build out an electronic pattern of life and figure out where the target is going. That jeopardizes physical and digital safety. So, employees need to know not to connect to free Wi-Fi without a VPN and to turn Wi-Fi off when not using it.

People sometimes have the mistaken notion that they aren't targets for bad actors because they aren't famous and don't have a high net worth. But that's simply not the case today. Anyone with any online presence is a potential target to attackers. That means everyone needs to know their cyber hygiene.

Basic cyber hygiene is essential and easy. Steps to train employees on include:

*   Be more stringent about the info they share online
    
*   Review and adjust privacy settings
    
*   Use strong and unique passwords
    
*   Enable two-factor authentication
    

*   Be skeptical of unsolicited requests
    
*   Regularly audit third-party apps
    

*   Separate personal and professional identities
    

All of these points can be taught and tested via ongoing training.

**Outmaneuvering the Cybercriminals**

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target. Criminals go after the low-hanging fruit, such as people who click on suspicious links. Your job is to harden all targets at your organization. 

One of the security layers needed to close that 1% gap mentioned earlier is ongoing cyber-hygiene training for all employees from the bottom to the top. This aspect of a full-spectrum security plan is crucial, as humans are typically the weakest link in the security chain. However, with the proper education and training, they can become a solid first line of defense that helps keep everyone in the organization safe.

**About the Author**

Vice President of Executive Services & Partnerships, 360 Privacy

Ben Barrontine joined 360 Privacy in 2021 and currently holds the position of vice president of executive services and partnerships. Prior to 360 Privacy, Ben worked as a targeting specialist with the National Security Agency (NSA) under the US Army’s CSS Program. During his time in service he has worked with the US Marshalls, Special Forces, and US Embassy Security Teams as a cyber and signals intelligence collector and targeting subject matter expert. Ben created and leads the Executive Services Division at 360 Privacy, which helps to educate and protect families, family offices, business executives, professional athletes, and entertainers.

To Defeat Cybercriminals, Understand How They Think

The cybersecurity startup's data loss protection platform uses contextual redaction to help organizations safely use private business information across AI platforms.

Source: f:nalinframe via Alamy Stock Photo

NEWS BRIEF

As more organizations explore ways to use AI tools such as ChatGPT, Gemini, Claude, and Llama, they are grappling with the challenge of using business information while protecting personally identifiable information and other confidential data.

Wald.ai, which launched its data loss protection platform on Dec. 10, offers contextual redaction, where sensitive information is sanitized from conversations with AI assistants. The Wald Context Intelligence platform connects businesses with AI assistants while protecting confidential data and managing regulatory compliance. The platform redacts any sensitive or proprietary information and inserts intelligent data substitutions so that the AI model can still respond with optimal results, the company said in a statement. The sensitive data is repopulated – outside of the AI – before the end user sees the query response.

Wald.ai allows generative AI to integrate into daily workflows, making it safe, accessible, affordable, and seamless for users, the company said. All user data is encrypted end-to-end, so even Wald is unable to access the sensitive information. The platform also offers organizations the ability to create secure Custom Assistants using internal knowledge bases.

“As companies face the risk of data leakage, the solution is not to block use of these platforms, but to put in place effective, user friendly guardrails to enable employee productivity,” Vinay Goel, co-founder and CEO of Wald.ai, said in a statement.

Wald’s platform is already in use in various industry sectors including healthcare, financial services, and legal. The company named two customers – Kiavi, who provides bridge loans to real estate investors, and Suki, a provider of AI-powered voice solutions for healthcare organizations. The platform is available as a software-as-a-service officering priced at $19.99 per user per month and customers can start with a 14-day free trial. Developers should contact Wald.ai to discuss their use cases for early access to the Context Intelligence API, the company said.

The company also announced it has closed a $4 million seed round from Inventus Capital, Entrada Ventures, and several angel investors.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Tag

#intel