A vulnerability was identified in a ABB Cylon Aspect version 3.08.00 where an off-by-one error in array access could lead to undefined behavior and potential denial of service. The issue arises in a loop that iterates over an array using a less than or equals to condition, allowing access to an out-of-bounds index. This can trigger errors or unexpected behavior when processing data, potentially crashing the application. Successful exploitation of this vulnerability can lead to a crash or disruption of service, especially if the script handles large data sets.

    ABB Cylon Aspect 3.08.00 (log(Mix/Yum)Lookup.php) Off-by-One Error in Log ParsingVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: A vulnerability was identified in a PHP script where an off-by-oneerror in array access could lead to undefined behavior and potential DoS.The issue arises in a loop that iterates over an array using a <= condition,allowing access to an out-of-bounds index. This can trigger errors or unexpectedbehavior when processing data, potentially crashing the application. Successfulexploitation of this vulnerability can lead to a crash or disruption of service,especially if the script handles large data sets.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5861Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5861.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ cat logYumLookup.php......    $line = file($logFile);    {        $x = 0;        $data = "";        for ($i = 0; $i <= count($line); $i++) { // Off-by-one error            $data = $data . $line[$i];           // Potential out-of-bounds access            $nextNumber = $i + 1;            //need to check to see what the next line starts with so we know to include the next line in this bucket of data or a new bucket.            $arrValues[$x] = $data;            $x++;            $data = "";        }    }......$ cat logMixLookup.php......        $x = 0;        $data = "";        for ($i = 0; $i <= count($line); $i++) { Off-by-one error            if ((strncmp($line[$i], "INFO", 4) == 0) || (strncmp($line[$i], "DEBUG", 5) == 0) || (strncmp($line[$i], "WARN", 4) == 0) || (strncmp($line[$i], "ERROR", 5) == 0) || (strncmp($line[$i], "FATAL", 5) == 0)) {                $logCode = lookupLogOptionValue(substr($line[$i], 0, 5));......$ curl http://192.168.73.31/logMixLookup.php?logFile=/var/log/yum.log......PHP Warning:  Undefined array key 31337 in /var/log/yum.log on line 1337

ABB Cylon Aspect 3.08.00 Off-By-One

Government and industry want to jump-start the conversation around "human-centric cybersecurity" to boost the usability and effectiveness of security products and services.

Source: whiteMocca via Shutterstock

Many security teams view their nonsecurity coworkers as the potential weak point in any cybersecurity plan, so they bring in technology to mitigate their inevitable poor choices. The viewpoint is understandable: The "human element" contributed to 68% of breaches in 2023 and 74% of breaches in 2022, according to Verizon's "Data Breach Investigations Report."

Yet, the approach is failing companies that want to improve their cybersecurity, experts say. In a US government handout titled "Users Are Not Stupid," the National Institute of Standards and Technology (NIST) urges organizations to avoid creating insider threats through poor usability, layering on too much security, and failing to consider user feedback.

Instead, organizations should pursue a human-centric cybersecurity (HCC) approach, focusing on processes and products that account for users' needs and motivations and incentivize secure behaviors. An HCC program includes security-awareness and anti-phishing training, adds user feedback channels to security products, and aims to reduce the security responsibility placed on the average person. Tools that are critical for companies taking an HCC approach include security monitoring and user/entity behavior analytics (UEBA).

Yet HCC goes beyond just looking for user-centric or user-friendly security products, says Julie Haney, HCC program lead at NIST's Information Technology Lab.

Related:Time to Get Strict With DMARC

"It's really all about putting people at the forefront when we're designing and implementing security," Haney says. "If you don't have human-centered cybersecurity where you're considering that person, then you have unusable security solutions — so people are more prone to making errors or making risky decisions or implementing less secure work-arounds because they just need to get their jobs done."

Last month NIST launched its Human-Centered Cybersecurity Community of Interest (COI) to bring together practitioners, academics, and policymakers to discuss how to make security more effective and user-friendly.

**Cybersecurity Power to People**

The government agency isn't the only organization to focus on the human aspect of security. Increasingly, HCC has become a focus of enterprise security teams, with business intelligence firm Gartner expecting CISOs at half of large enterprises to adopt human-centric practices and designs for cybersecurity by 2027. In fact, Gartner listed human-centric security design as a top cybersecurity trend last year. The firm changed the name but continued to identify security behavior and culture programs (SBCPs) as a top cybersecurity trend in 2024.

Related:AI-Augmented Email Analysis Spots Latest Scams, Bad Content

Security teams need to stop talking at other workers and instead talk to them and work with them to build a cybersecurity-focused culture, says Victoria Cason, a senior principal analyst at Gartner.

"Taking a human-centric approach is recognizing that we're not dealing with an inanimate object," she says. "We're dealing with a human that has different behaviors, different actions, different needs, and really trying to address their wants, desires, and behaviors when it comes to best security practices, as opposed to just telling them what to do."

Among the steps that Gartner identifies as part of an SBCP are conducting threat simulations, adding automation and data analytics to aid users in making secure choices, rewarding workers for reporting potential security incidents, and tracking metrics to demonstrate SBCP impact. Nearly half of companies focused on SBCP are taking each of those steps, according to Gartner data.

Minimizing cybersecurity-induced friction will not only improve companies' security posture but will also reduce the stress that comes with a traditionally adversarial job. Gartner expects that half of cybersecurity leaders will change jobs between 2023 and 2025, with a quarter of those exiting their positions actually leaving the industry for good due to stress.

Related:Compliance Automation Pays Off for a Growing Company

**HCC: A Work in Progress**

Currently, there is no standard definition for HCC, which is partly why NIST is pushing for more research into how companies can better support the security growth of their workers. HCC broadly includes workers' attitudes about cybersecurity, their training, the usability of security products, and the creation of policies.

The latest "Federal Cybersecurity Research and Development Plan," published by the Biden administration in December 2023, identifies HCC as a priority for protecting the nation. Among the research areas espoused by the plan are finding models to determine the impacts of digital technologies and how their security properties can be validated.

"There is a need to reduce the burden of cybersecurity requirements on people, organizations, communities, and society, and to improve the usability and the user experience of digital technologies and systems," the plan states. "Research on human-centered computing aspects has indicated that including end users early in the process of design and development creates more usable systems and an improved user experience."

Gartner has come up with its own approach to implementing SBCPs, which it dubs the PIPE framework, short for practices, influences, platforms, and enablers.

"Most traditional awareness programs just rely on yearly or quarterly training, but that doesn't address the root cause of behavior," says Gartner's Cason. "So going beyond just the traditional computer-based training and phishing simulation, leveraging existing tools and capabilities like identity and access management (IAM) or security monitoring, to even emerging tools like AI can increase engagement and efficiency."

The most significant product category to encapsulate HCC may be human risk management, an evolution of the security-awareness and training market that adds adaptive human protection, according to business intelligence firm Forrester. As opposed to the checkbox compliance of many security-awareness training programs, human risk management focuses on positively educating workers while at the same time reducing the risk posed by their actions, according to a Forrester note published in February.

**Employees Do Worry Over Cybersecurity**

For the most part, workers are cognizant of the critical role in protecting the business. They are worried that they could be the cause of the next breach, with a third of workers (34%) concerned that they may take an action that leaves their organizations vulnerable, according to a survey of 1,000 workers by consultancy Ernst & Young.

Companies should work with those users and find ways to direct those concerns into productive action, rather than failing to support them and then blaming them when something goes wrong, says NIST's Haney.

"If someone clicks on that phishing link, organizations tend to put all the blame on the employee, but they're not actually looking up the chain to all of the procedural things, the process things, the people things that maybe went wrong in the organization before that," she says. "It's not just about the fault of the person at the end of the chain — there's often a lot of other things that have gone wrong before that."

Cybersecurity professionals should strive to develop a culture and mindset that does not label users as the enemy or the weakest link. Having conversations with users can uncover problems in the way security is being implemented, while empowering users to report issues can lead to earlier detection.

Finally, the advent of products — such as human risk analysis services — should be adopted carefully and with the right expectations. Tracking users who may make repeated mistakes can be useful but should not be punitive; rather, the approach should inform security teams about procedural problems or raise the possibility of additional training opportunities, Haney says.

"The data can be useful, but you have to be really careful to not, you know, start labeling people \[as\] a bad employee, or they're bad at security, and this is a person that's good at security," she says. "So there's that fine line that you have to walk."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Oh, the Humanity! How to Make Humans Part of Cybersecurity Design

The advent of Generative AI and its application in real-life use cases has been on the cards for…

The advent of Generative AI and its application in real-life use cases has been on the cards for a few years now. With advancements in chip manufacturing, neural networks and other deep learning technology, Machine Learning has slowly made way for Generative AI applications, powered by large foundation models that learn from a vast pool of data. However, this is not the impetus for demand.

As a lifelong student of the markets, I observed that use cases required to enhance customer experience with products, services and brands, became challenging to serve with traditional Machine Learning. This in turn caused innovators in academia and industry to develop Large Language Models and Foundation Models, to support and exceed customer expectations.

Customers today expect quick and insightful responses, highly personalized recommendations, expert advice, and the ability to generate media, all at their fingertips. A Google Cloud research found that 95% of retail decision-makers believe that generative AI will have an impact on customer experience. With the proliferation of services and products that are comparable in terms of technology and the solutions offered, customer experience has become a crucial differentiator and business driver.

Statista found that customer experience is considered a primary competitive differentiator by 44.5% of organizations globally. Use cases such as personalization, summarization, Q&A, and intelligent chat-bots, to improve customer interactions, increase employee productivity and ensure a positive brand recall. 

In this article, I explore how generative AI can be leveraged to improve customer experiences, and the best practices across 3 use cases, that can help organizations of all sizes create a differentiated value proposition for themselves.

Let’s start with a ubiquitous use case, personalization. Whether it be content recommendations on your favourite streaming platform, or product recommendations on your preferred online stores, personalization, when done right, can help boost customer engagement.

For organizations, understanding individual preferences can help design targeted customer journeys. These targeted customer journeys can be designed to contain tailored marketing campaigns, product placement and support responses. According to Adobe, 72% of consumers worldwide express confidence in generative AI’s ability to enhance their customer experience.

Foundation models like BLOOM (BigScience Large Open-science Open-access Multilingual Language Model) and the Llama family of models from Meta are popular open-source choices for building personalization engines. By leveraging multiple foundations and smaller machine learning models in conjunction, organizations can create hyper-personalized applications, where responses are tailored to every unique individual.

The possibilities here are unbound, with smart marketers able to create actionable customer cohorts from personalized campaigns. Generative AI enhances customer data sets, providing actionable insights that inform business decisions. By identifying patterns and correlations in customer behaviour, organizations can make informed choices about product development, marketing strategies, and customer engagement efforts.

This data-driven approach leads to improved performance and competitiveness. Where generic marketing messages often fail to resonate with customers, we notice a large group of market-savvy organizations adopt personalized advertisement placements across relevant social media.

This practice helps organizations of all sizes reach their target customers more effectively, and allows smaller organizations to compete for the same markets, increasing customer choice and creating a fair market.

Victoria’s Secret is a good example of an organization that has implemented an AI-powered search feature that leverages Google Cloud’s Vision API. Customers can upload images to find specific products, creating a highly personalized shopping experience. 

The second use case that has benefited greatly from imbibing generative AI is Customer Support. This enhanced customer support helps organizations retain customers, derive insights into products and customer behaviour, and increase employee productivity.

Studies across the National Bureau of Economics, Shakked Noy and Whitney Zhang, Sida Peng, Eirini Kalliamvakou, Peter Cihon, and Mert Demirer display how organizations, including a Fortune 500 enterprise software firm, increase productivity by 66% on average!

The benefits don’t stop there either, as implementing generative AI tools can help cover knowledge gaps among employees and upskill them in additional areas of expertise. Another benefit is the undifferentiated heavy lift of document generation that is routine and process-led.

Leveraging generative AI tools for such tasks frees up an organization’s workforce to focus on value creation and innovation, in turn fulfilling employees’ career and personal goals. Organizations can observe productivity gains, improved employee retention and greater customer satisfaction as a result of creating impactful employee assistant tools.

One approach to enhanced customer support is automation, where organizations can design AI-powered chatbots and virtual assistants to handle routine inquiries, allowing human agents to focus on more complex issues. This not only improves efficiency but also enhances customer satisfaction by providing quicker responses. 

A second approach is agent assistants, which help employees get resolutions to customer issues in real-time, by relying on vast troves of proprietary data. Organizations are building tools to conduct Retrieval Augmented Generation (RAG) on this proprietary data, ensuring that responses are relevant and accurate to the customer.

The best examples of this are from the financial services, Banking and Healthcare industries, where generic responses to customer queries can be confusing and misleading, necessitating responses that are use case, issue and organization relevant.

A third approach rising in prevalence is code assistance, with tools that can help code developers reduce the lead times in project development, version migrations, debugging and updates. The advancements in this field will be interesting to follow, as organizations and society grapple with questions about right-sizing workforces based on the tools available.

Regardless, I believe that these tools further democratize the market for organizations of all sizes and help people focus on pursuing value-added activities. This in turn spurs innovation and improves customer experience.     

The third and last use case I explore here is dynamic content creation. Generative AI has empowered organizations to create impactful content leveraging their creative skills, by outsourcing the heavy burden of background tasks to powerful tools. Large models such as Stable Diffusion and Dall-E allow organizations to build innovative applications where their users can generate images based on text inputs, bringing a creative flair and unmatched user engagement to these organizations.

As large, open-source models become more powerful, expect capabilities such as creating rich presentations and powerful story-telling with word prompts to become prevalent in business. 

To summarize, the evolution of generative AI promises to be the biggest game-changer to customer experiences since the internet, with rich experiences now within the grasp of organizations large and small.

As more enterprises develop powerful, purpose-built tools and capabilities, forward-looking players in the space will move fast and develop enhanced customer experiences that aid in customer retention, create positive top and bottom-line growth, and improve user experience for all consumers.

****References****

_National Bureau of Economic Research (NBER)- Generative AI at Work_

_PR Newswire- Google Cloud Shares New Research on 2024 Outlook on Generative AI in Retail  
_  
_Statista- Share of professionals perceiving customer experience (CX) as a competitive differentiator for their organization worldwide in 2021_

_Adobe- Consumers and marketers see a role for (responsible) generative AI in customer experiences_

Enhance customer experiences with Generative AI

A Dark Reading poll reveals widespread concern over disinformation about election integrity and voter fraud, even as Russia steps up deepfake attacks meant to sow distrust in the voting process among the electorate.

Source: Brain light via Alamy Stock Photo

As voting in the 2024 US presidential election draws to a close today, disinformation remains the most top-of-mind voting-adjacent threat for cybersecurity professionals.

That's according to a fresh Dark Reading poll of nearly 1,000 readers, who were asked: "What are you most concerned about when it comes to election-related security threats?"

The top answer, accounting for 41% of the responses, was "deepfakes, misinformation, and disinformation." That was followed by tampering of polling data (23%); hacking operations by other countries like Russia, China, and Iran (20%); and AI-powered high-volume phishing using election lures (16%).

**Debunking Deepfaked Videos US Elections "Never More Secure"**

The results come as US federal agencies dismissed two inflammatory videos purporting to show vote tampering; the videos, they said, are merely the work of Russian adversaries using deepfake technologies to sow distrust in the electoral process and call the results into question.

One of the videos, debunked by the Office of the Director of National Intelligence (ODNI), the FBI, and the Cybersecurity and Infrastructure Agency (CISA), shows protestors supposedly destroying ballots in the battleground district of Bucks County, Pennsylvania. The other shows what it claims is video evidence of an illegal immigrant from Haiti voting over and over, in multiple counties in Georgia. The FBI and CISA also discounted the clip as fake and the work of Russian threat actors.

The videos are the latest efforts by a threat actor known as Storm-1516, which in September reached millions of viewers with a video showing alleged Harris supporters attacking attendees at a rally with Republican candidate Donald Trump; and with another that claimed Democratic candidate Kamala Harris’ was responsible for a hit-and-run car accident.

"US govt calls out more election-related Russian troll farm nonsense. Expect more of this. They’re flooding the zone, exploiting historical (and current) tropes, including racial issues," former CISA Director Chris Krebs said in a series of posts on social platform X. "This will only continue thru the count & certification process. Important to rapidly identify and debunk this garbage, and for platforms to label as foreign generated or remove entirely."

He added, "Some mental toughness is in order right now. Voters regardless of political affiliation need to remain aware they’re being targeted and not fall for it."

Blackbird.AI senior intelligence analyst Rennie Westcott agrees with Krebs that Election Day is unlikely to be the end of the efforts to create distrust in US election processes.  

"Foreign adversaries will try to confuse Americans about the authenticity of state election results after the polls close and tallies begin to trickle in," he says, adding that there will likely be ongoing efforts to "fan internal social division," including targeting minorities in swing states.

Current CISA Director Jen Easterly also has acknowledged the "firehouse of disinformation" that has been swirling around the election so far, driving fears of voter fraud and election tampering, especially among Republicans. The onslaught of distrust has been advanced considerably in the last year through the use of generative AI and deepfake capabilities. But she reiterated in a series of interviews with media that voting infrastructure is nearly bulletproof, and the US elections "have never been more secure."

“I can say \[that\] with confidence based on all the work that we've done together since 2016," Easterly told National Public Radio. “There are cyber threats, there are physical threats to election officials, but we're at a point now with our election infrastructure secure and the election community prepared to meet the moment on the 5th of November.”

In the meantime though, Blackbird.AI senior intelligence analyst Rennie Westcott agrees with Krebs that Election Day is unlikely to be the end of the efforts to create distrust in US election processes, so it's best to be prepared for more conspiracy theories about voting fraud and the like to continue to circulate.

"Foreign adversaries will try to confuse Americans about the authenticity of state election results after the polls close and tallies begin to trickle in," he says, adding that there will likely be ongoing efforts to "fan internal social division," including targeting minorities in swing states with tailored disinformation.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

On Election Day, Disinformation Worries Security Pros the Most

The Iran-linked group Emennet Pasargad aims to undermine public confidence in Israeli and Western nations by using hack-and-leak campaigns and disrupting government services, including elections.

Source: Muhammad Toqueer via Shutterstock

An Iranian cyber-operations group, Emennet Pasargad — also known as Cotton Sandstorm — has broadened its attacks, expanding its targets beyond Israel and the United States and targeting new IT assets, such as IP cameras.

In an advisory published last week, the US Departments of Justice and Treasury — along with the Israel National Cyber Directorate (INCD) — called out the change in tactics and noted that the group had provided resources and infrastructure services to Middle Eastern threat groups by operating as a legitimate company, Aria Sepehr Ayandehsazan (ASA). In addition, since the beginning of the year, Emennet Pasargad has scanned for IP cameras, targeted organizations in France and Sweden, and actively probed a variety of election sites and systems, according to the government advisory.

"Similar to the Emennet campaign that targeted the 2020 U.S. Presidential election, the FBI judges the group's recent campaigns include a mix of computer intrusion activity and exaggerated or fictitious claims of access to victim networks or stolen data to enhance the psychological effects of their operations," the advisory stated.

The latest intelligence highlights Iran's increasing use of cyber operations as a way to target its perceived enemies. In 2020 and 2022, Emennet Pasargad created disinformation campaigns to target the US presidential and midterm elections, posing as Proud Boys volunteers and sending fake videos to Republican lawmakers. The US Department of Justice indicted two Iranian nationals for the crimes, as well as for sending threats through email and attempting to hack election websites.

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Over the past year, Iran has stepped up its attempts to use cyberattacks to disrupt its enemies using bolder tactics, says John Fokker, head of threat intelligence for Trellix, a threat detection and response firm.

"Since October 2023, the beginning of the Israeli-Palestine crisis, Iranian hackers have intensified their activities against the United States and Israel, targeting critical sectors such as government, energy, and finance," he says. "We have observed Iran-linked actors disrupting organizations by stealing sensitive data, conducting denial-of-service attacks, and also deploying destructive malware such as ransomware or wiper strains, like the Handala wiper."

**Iranian Cyberattackers Broaden Their Sights**

Emennet Pasargad often operates by posing as a legitimate IT services company, ASA, as a front for accessing large language model (LLM) services and to scan and harvest data on IP cameras. The group has "used several cover hosting providers for infrastructure management and obfuscation," the Joint Cybersecurity Advisory added.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

The use of a cover organization to hide operations and make them seem legitimate is a common approach for Iranian threat actors, says Tomer Bar, vice president of security research at SafeBreach, a breach and attack simulation platform provider which has offices in Tel Aviv. For instance, Charming Kitten, or APT35, conducted reconnaissance and attacks under the guise of two companies, Najee Technology and Afkar System, which were sanctioned by the US Treasury Department in 2022.

"The usage of a cover company is not new, and it has been used by Iran both for espionage and distractive purposes," Bar says.

It also gives groups the ability to use commercial services as part of their infrastructure and hide their activities — for a time, says Trellix's Fokker.

"Threat actors have to acquire resources, software and hosting for their illicit activities," he says. "Having a 'legitimate' front company will make it easier to acquire these services and can serve as additional backstopping to give a plausible deniability."

**Governments, Businesses Should Take Stock**

The changing tactics underscore that organizations need to continually adjust their defenses to head off threat groups. Companies and government agencies should only buy technology and software from trusted vendors, and should make sure that those vendors have their own supply chain validation and vulnerability-remediation processes.

Related:BlankBot Trojan Targets Turkish Android Users

The Joint Cybersecurity Advisory called for organizations to review any successful authentications to network or cloud services that come from virtual private network services, such as Private Internet Access, ExpressVPN, and NordVPN. In addition to regularly applying updates and creating a resilient backup process, companies should consider deploying a "demilitarized zone" (DMZ) between any internet-facing assets and the corporate network, validating user input, and implementing least-privilege policies across their networks and applications.

SafeBreach has encountered attackers regularly scanning LinkedIn for workers who update their profiles with a new position, sending a spear-phishing text or email as a company administrator requesting that they log into a corporate system. The attackers then capture the victim's credentials through a malicious link.

Trellix's Fokker also stressed that companies should focus on their connected devices, applying patches for cameras and other hardware, using network segmentation to protect them, and regularly scanning their own IP space, before an attacker does.

"More and more governments are exploring the proactive scanning of IP spaces and notification of domestic organizations as an additional layer on top of stronger manufacturer requirements," he says. "First and foremost, it should be the responsibility of the organization itself. However, it will help if the government assists in this process and alerts unknowing organizations of their vulnerable cameras."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The Pakistan-based advanced persistent threat actor has been carrying on a cyber-espionage campaign targeting organizations on the subcontinent for more than a decade, and it's now using a new and improved "ElizaRAT" malware.

Source: Mehaniq vis Shutterstock

Pakistan's APT36 threat group is using a new and improved version of its core ElizaRAT custom implant, in what appears to be a growing number of successful attacks on Indian government agencies, military entities, and diplomatic missions over the past year.

The latest ElizaRAT variant includes new evasion techniques, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it harder for defenders to detect the malware, researchers at Check Point Research (CPR) discovered when analyzing the group's activities recently. Heightening the threat is a new stealer payload dubbed ApoloStealer, which APT36 has begun using to collect targeted file types from compromised systems, store their metadata, and transfer the information to the attacker's C2 server.

**A Step-by-Step Cyberattack Capability**

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," says Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

Heightening the challenge is the threat group's using of legitimate software, living off the land binaries (LoLBins), and legitimate services like Telegram, Slack, and Google Drive for C2 communications. The use of these services has significantly complicated the task of tracking malware communications in network traffic, Shykevich says.

APT36, who security vendors variously track as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, is a Pakistani threat group that. since around 2013, has primarily targeted Indian government and military entities in numerous intelligence gathering operations. Like many other tightly focused threat groups, APT36s campaigns have occasionally targeted organizations in other countries, including Europe, Australia, and the US.

The threat actor's current malware portfolio includes tools for compromising Windows, Android, and increasingly, Linux devices. Earlier this year, BlackBerry reported an APT36 campaign where 65% of the group's attacks involved ELF binaries (Linkable Executable and Linkable Format) targeting Maya OS, a Unix-like operating system that India's defense ministry has developed as an alternative to Windows. And SentinelOne last year reported observing APT36 using romantic lures to spread malware called CopraRAT on Android devices belonging to Indian diplomatic and military personnel.

ElizaRAT is malware that the threat actor incorporated into its attack kit last September. The group has been distributing the malware via phishing emails containing links to malicious Control Panel files (CPL) stored on Google Storage. When a user opens the CPL file, it runs code that initiates the malware infection on their device, potentially giving the attacker remote access or control over the system.

**Three Campaigns, Three Versions**

Check Point researchers observed APT36 actors using at least three different versions of ElizaRAT in three separate campaigns — all targeting Indian entities — over the past year.

The first was an ElizaRAT variant that used Slack channels as C2 infrastructure. APT36 began using that variant sometime late last year and about a month later began deploying ApoloStealer with it. Starting early this year, the threat group switched to using a dropper component to stealthily drop and unpack a compressed file containing a new and improved version of ElizaRAT. The new variant, like its predecessor first checked to verify if the time zone of the machine it was on was set to Indian Standard Time before executing and further malicious activity.

The latest — third — version uses Google Drive for C2 communications. It lands on victim systems via malicious CPL files that act as a dropper for ElizaRAT. The CPL files execute a variety of tasks including creating a working directory for the malware, establishing persistence and registering the victim with the C2 server. What sets the latest version apart from the two previous ElizaRAT iteration is its continuous use of cloud services like Google Cloud for its C2 communication, Shykevich says. In addition, the latest APT36 campaign features a new USB stealer called ConnectX that the threat actor is using to examine files on USBs and other external drives that might be attached to a compromised device, he says.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR said in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

APT36 Refines Tools in Attacks on Indian Targets

Companies are attaching the term "AI" to everything these days, but in cybersecurity, machine learning is more than hype.

Artificial intelligence and machine learning tools are gaining traction in enterprises, and the rate of adoption is particularly notable in cybersecurity operations, where these technologies are being used to improve enterprise security posture, according to Dark Reading’s latest research on enterprise cybersecurity.

Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity survey found that enterprises are using AI and ML in a range of cybersecurity technologies, such as firewalls, endpoint detection and response platforms, security information and event management systems, and network traffic analyzers. Antivirus/anti-malware was the only security technology enhanced with AI and ML that was used by more than half of the respondents (51%). This is not surprising, as back in 2017, practitioners were already beginning to implement AI/ML in corporate antivirus measures.

Cybersecurity professionals have to match the bad actors who are sourcing AI/ML technologies for their purposes. The arms race between CISOs and their adversaries may be driving adoption of tools with AI and ML capabilities in areas such as phishing detection (49%), threat detection and response (45%), and endpoint security (40%). One third of the AI/ML integration in real-world security teams comes in the form of malware analysis (38%), intrusion detection and prevention (35%), threat intelligence (35%), identity and access management (34%), network security/network traffic analysis (33%), vulnerability management (32%), and security information and event management (31%).

About a quarter of respondents mentioned using AI/ML in user behavior analytics/predictive analytics (27%), fraud detection (27%), automated security operations (26%), and automated incident response (25%). While that is still a sizeable chunk of companies, the slightly lower adoption rate suggests that this grouping represents developing features.

For more on the impact of AI/ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

Antivirus, Anti-Malware Lead Demand for AI/ML Tools

As businesses worry over deepfake scams and other AI attacks, organizations are adding guidance for cybersecurity teams on how to detect, and respond to, next-generation threats. That includes Exabeam, which was recently targeted by a deepfaked job candidate.

Source: Family Stock via Shutterstock

Deepfakes and other generative artificial intelligence (GenAI) attacks are becoming less rare, and signs are pointing to a coming onslaught of such attacks: Already, AI-generated text is becoming more common in emails, and security firms are finding ways to detect emails likely not created by humans. Human-written emails have declined to about 88% of all emails, while text attributed to large language models (LLMs) now accounts for about 12% of all email, up from around 7% in late 2022, according to one analysis.

To help organizations develop stronger defenses against AI-based attacks, the Top 10 for LLM Applications & Generative AI group within the Open Worldwide Application Security Project (OWASP) released a trio of guidance documents for security organizations on Oct. 31. To its previously released AI cybersecurity and governance checklist, the group added a guide for preparing for deepfake events, a framework to create AI security centers of excellence, and a curated database on AI security solutions.

While the previous Top 10 guide is useful for companies building models and creating their own AI services and product, the new guidance is aimed at the users of AI technology, says Scott Clinton, co-project lead at OWASP.

Those companies "want to be able to do AI safely with as much guidance as possible — they're going to do it anyway, because it's a competitive differentiator for the business," he says. "If their competitors are doing it, \[then\] they need to find a way to do it, do it better ... so security can't be a blocker, it can't be a barrier to that."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**One Security Vendor's Job Candidate Deepfake Attack**

In an example of the kinds of real-world attacks that are now happening, one job candidate at security vendor Exabeam had passed all the initial vetting and moved onto the final interview round. That's when Jodi Maas, GRC team lead at the company, recognized that something was wrong.

While the human resources group had flagged the initial interview for a new senior security analyst as "somewhat scripted," the actual interview started with normal greetings. Yet, it quickly became apparent that some form of digital trickery was in use. Background artifacts appeared, the female interviewee's mouth did not match the audio, and she hardly moved or expressed emotion, says Maas, who runs application security and governance, risk, and compliance within Exabeam's security operations center (SOC).

"It was very odd — just no smile, there was no personality at all, and we knew right away that it was not a fit, but we continued the interview, because \[the experience\] was very interesting," she says.

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

After the interview, Maas approached Exabeam's chief information security officer (CISO), Kevin Kirkwood, and they concluded it had been a deepfake based on similar video examples. The experience shook them enough that they decided the company needed better procedures in place to catch GenAI-based attacks, embarking on meetings with security staff and an internal presentation to employees.

"The fact that it got past our HR group was interesting. ... They passed them through because they had answered all the questions correctly," Kirkwood says.

After the deepfake interview, Exabeam's Kirkwood and Maas started revamping their processes, following up with their HR group, for example to let them know to expect more such attacks in the future. For now, the company advises its employees to treat video calls with suspicion. (Half-jokingly, Kirkwood requested this correspondent to turn on my video midway through the interview as proof of humanness. I did.)

"You're going to see this more often now, and you know these are the things you can check for, and these are the things that you will see in a deepfake," Kirkwood says.

Related:Okta Fixes Auth Bypass Bug After 3-Month Lull

**Technical Anti-Deepfake Solutions Are Needed**

Deepfake incidents are capturing the imagination — and fear — of IT professionals, with about half (48%) very concerned over deepfakes at present, and 74% believing deepfakes will pose a significant future threat, according to a survey conducted by email security firm Ironscales.

The trajectory of deepfakes is quite easy to predict — even if they are not good enough to fool most people today, they will be in the future, says Eyal Benishti, founder and CEO of Ironscales. That means that human training will likely only go so far. AI videos are getting eerily realistic, and a fully digital twin of another person controlled in real time by an attacker — a true "sock puppet" — is likely not far behind.

"Companies want to try and figure out how they get ready for deepfakes," he says. "The are realizing that this type of communication cannot be fully trusted moving forward, which ... will take people some time to realize and adjust."

In the future, since the telltale artifacts will be gone, better defenses are necessary, Exabeam's Kirkwood says.

"Worst case scenario: The technology gets so good that you're playing a tennis match — you know, the detection gets better, the deepfake gets better, the detection gets better, and so on," he says. "I'm waiting for the technology pieces to catch up, so I can actually plug it into my SIEM and flag the elements associated with deepfake."

OWASP's Clinton agrees. Rather focus on training humans to detect suspect video chats, companies should create infrastructures for authenticating that a chat is with a human who is also an employee, building processes around financial transactions, and creating an incident-response plan, he says.

"Training people on how to identify deepfakes — that's not really practical, because it's all subjective," Clinton says. "I think there have to be more unsubjective approaches, and so we went through and came up with some tangible steps that you can use, which are combinations of technologies and process to really focus on a few areas."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

OWASP Beefs Up GenAI Security Guidance Amid Growing Deepfakes

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records…

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records on Breach Forums. Data includes full names, email addresses, and activity details, posing risks for phishing and targeted scams.

In a new data breach disclosed today, the hacker known as Intel Broker claims to have stolen the personal data of 290,762 individuals from MIT’s _Technology Review_ website via a third-party contractor. The data, which could be the website’s newsletter subscribers list, was posted on Breach Forums, a popular cybercrime platform, earlier today.

Intel Broker, notorious for **recent attacks on high-profile organizations**, alleges that the data includes Personally Identifiable Information. Hackread.com analyzed the leaked data and can confirm it includes personal details, which, while not as sensitive as financial data, could be leveraged in phishing attempts or targeted scams. Here is what the hacker has leaked:

*   **Full names**
*   **Dates of activity**
*   **Educational details**
*   **Email addresses (3,924 – After removal of duplicates: 1,343)**

Screenshot from the leaked data (Credit: Hackread.com)

Though the leak does not appear to contain highly sensitive information like passwords, social security numbers or financial data, the compromised data is still a privacy risk, as it could be exploited for phishing scams or identity verification attacks.

It is worth noting that this is not the first time Intel Broker has targeted a technology publication. In June 2024, an affiliate of Intel Broker **breached the “Tech in Asia” news outlet**, leaking the personal data of 221,470 users.

MIT Technology Review, an esteemed publication from the Massachusetts Institute of Technology, is known for its analysis of emerging technologies and their impact on society. This data breach potentially exposes readers and contributors who engaged with the platform, a situation that may lead to reputational challenges for the publication, as well as privacy concerns for its user base.

**Recent Activity of Intel Broker**

The alleged breach of Technology Review comes on the heels of another claim by Intel Broker, who recently advertised the sale of **sensitive internal data from Nokia** on the same forum, allegedly obtained through a similar contractor vulnerability. In the Nokia case, the hacker reportedly set a price of $20,000 for access to the stolen data, which included SSH keys, source code, and login credentials.

**Privacy Implications and MIT’s Response**

With names, email addresses, and activity data accessible, cybercriminals may use this information to craft sophisticated schemes aimed at those connected with the platform. Hackread.com has reached out to MIT’s Technology Review for a response regarding the data breach. Updates will be provided as more information becomes available. Stay tuned.

1.  **US Microchip Giant Cyberattack Disrupts Operations**
2.  **Hacker IntelBroker Leaks Sensitive US DoD Documents**
3.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
4.  **AMD Data Breach: IntelBroker Steals Employee and Product Info**
5.  **Europol Hacked: IntelBroker Claims Major Law Enforcement Breach**

Hackers Leak 300,000 MIT Technology Review Magazine User Records

A research tool by the company found a vulnerability in the SQLite open source database, demonstrating the "defensive potential" for using LLMs to find vulnerabilities in applications before they're publicly released.

Source: Krot Studio via Alamy Stock Photo

Google has discovered its first real-world vulnerability using an artificial intelligence (AI) agent that company researchers are designing expressly for this purpose. The discovery of a memory-safety flaw in a production version of a popular open source database by the company's Big Sleep large language model (LLM) project is the first of its kind, and it has "tremendous defensive potential" for organizations, the Big Sleep team wrote in a recent Project Zero blog.

Big Sleep — the work of a collaboration between the company's Project Zero and Deep Mind groups — discovered an exploitable stack buffer underflow in SQLite, a widely used open source database engine.

Specifically, Big Sleep discovered a pattern in the code of a publicly released version of SQLite that creates a potential edge case that needs to be handled by all code that uses the field, the researchers noted. A function in the code failed to correctly handle the edge case, "resulting in a write into a stack buffer with a negative index when handling a query with a constraint on the 'rowid' column," thus creating an exploitable flaw, according to the post.

Google reported the bug to SQLite developers in early October. They fixed it on the same day and before it appeared in an official release of the database, so users were not affected.

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

**Inspired by AI Bug-Hunting Peers**

"We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software," the Big Sleep team wrote in the post. While this may be true, it's not the first time an LLM-based reasoning system autonomously found a flaw in the SQLite database engine, Google acknowledged.

An LLM model called Atlantis from a group of AI experts called Team Atlanta discovered six zero-day flaws in SQLite3 and even autonomously identified and patched one of them during the AI Cyber Challenge organized by ARPA-H, DARPA, and the White House, the team revealed in a blog post in August.

In fact, the Big Sleep team used one of the Team Atlanta discoveries — of "a null-pointer dereference" flaw in SQLite —  to inspire them to use AI "to see if we could find a more serious vulnerability," according to the post.

**Software Review Goes Beyond Fuzzing**

Google and other software development teams already use a process called fuzz-testing, colloquially known as "fuzzing," to help find flaws in applications before release. Fuzzing is an approach that targets the software with deliberately malformed data — or inputs — to see if it will crash so they can investigate and fix the cause.

Related:Privacy Anxiety Pushes Microsoft Recall AI Release Again

In fact, Google earlier this year released an AI-boosted fuzzing framework as an open source resource to help developers and researchers improve how they find software vulnerabilities. The framework automates manual aspects of fuzz-testing and uses LLMs to write project-specific code to boost code coverage.

While fuzzing "has helped significantly" to reduce the number of flaws in production software, developers need a more powerful approach "to find the bugs that are difficult (or impossible) to find" in this way, such as variants for previously found and patched vulnerabilities, the Big Sleep team wrote.

"As this trend continues, it's clear that fuzzing is not succeeding at catching such variants, and that for attackers, manual variant analysis is a cost-effective approach," the team wrote in the post.

Moreover, variant analysis is a better fit for current LLMs because its provides them with a starting point —  such as the details of a previously fixed flaw — for a search, and thus removes a lot of ambiguity from AI-based vulnerability testing, according to Google. In fact, at this point in the evolution of LLMs, lack of this type of starting point for a search can cause confusion, they noted.

Related:OWASP Releases AI Security Guidance

"We're hopeful that AI can narrow this gap," the Big Sleep team wrote. "We think that this is a promising path towards finally turning the tables and achieving an asymmetric advantage for defenders."

**Glimpse Into the Future**

Google Big Sleep is still in its research phase, and using AI-based automation to identify software flaws overall is a new discipline. However, there already are tools available that developers can use to get a jump on finding vulnerabilities in software code before public release.

Late last month, researchers at Protect AI released Vulnhuntr, a free, open source static code analyzer tool that can find zero-day vulnerabilities in Python codebases using Anthropic's Claude artificial intelligence (AI) model.

Indeed, Google's discovery shows promising progress for the future of using AI to help developers troubleshoot software before letting flaws seep into production versions.

"Finding vulnerabilities in software before it's even released means that there's no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them," Google's Big Sleep team wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#intel