Artificial intelligence (AI) is being introduced to just about every facet of life these days. AI is being used to develop code, communicate with customers, and write in various media. Cyber security, particularly product security is another place AI can have a significant impact. AI is being built into security tools, and, on the flip side, into the realm of exploitation. AI is now mainstream and won't be going away anytime soon, so security professionals need to learn how to best use it to help enhance the security of their systems and products.AI and its implications for securityThe term "a

**Artificial intelligence** (AI) is being introduced to just about every facet of life these days. AI is being used to develop code, communicate with customers, and write in various media. Cyber security, particularly product security is another place AI can have a significant impact. AI is being built into security tools, and, on the flip side, into the realm of exploitation. AI is now mainstream and won't be going away anytime soon, so security professionals need to learn how to best use it to help enhance the security of their systems and products.

**AI and its implications for security**

The term "artificial intelligence" refers to using computer systems to simulate human intelligence. AI systems are able to perform a growing variety of tasks, such as pattern recognition, learning and problem solving. Within AI there are different fields like machine learning (ML), which enables systems to learn and improve over time; natural language processing (NLP), which attempts to mimic human speech; computer vision, which utilizes cameras as input to perform various tasks, and more.

These applications of AI are being woven into a vast array of systems to automate, analyze and improve current processes. Within the world of cyber security, AI is filling—or assisting with—a number of roles and processes. It's being used to analyze logs, predict threats, read source code, identify vulnerabilities and even to create or exploit vulnerabilities.

**Using AI to detect cyber security attacks**

Considering AI’s proficiency in pattern recognition, detecting cyber security anomalies is an obvious use case for it. Behavior anomaly detection is a good example of this. Through the use of machine learning, a model can identify what normal behavior within a system looks like, and single out any instances that deviate from the norm. This can help identify potential attacks as well as help identify systems that are not working as intended by catching outliers in their behavior.

Even user behavior that might be an issue, such as accidental data leaking or exfiltration, can potentially be discovered through AI pattern recognition or other mechanisms. Using datasets either made or consumed by the organization can be also used to watch for patterns and outlier behavior on a broader scale, in an attempt to determine the likelihood of the organization being targeted by cyber security incidents happening throughout the world.

**Use case 1: Anomaly detection**

Anomaly detection—the identification of unusual, rare, or otherwise anomalous patterns in logs, traffic, or other data—is a good fit for the pattern recognition power of ML. Whether its network traffic, user activities, or other data, given the right algorithm and training, AI/ML is ideally suited for spotting potentially harmful outliers. This can be done in a number of ways, starting with real time monitoring and alerting. This method starts with preset norms for a system such as network traffic, API calls or logs, and can employ statistical analysis to continuously monitor system behavior and actions. The model is able to trigger an alert anytime anomalous or rare actions are discovered.

Not only is AI/ML great at spotting patterns, it is also able to categorize and group them. This is essential for assigning priority levels to various events, which can help prevent "alert fatigue," which can happen if a user or team is inundated with alerts, many of which may be little more than noise. What often happens is that the alerts lose their importance, and many if not all alerts are viewed as noise and not properly investigated. Using these capabilities, AI/ML is able to provide intelligent insights, helping users make more informed choices.

**Use case 2: AI-assisted cyber threat intelligence**

The ability to monitor systems and provide real time alerts can be vital, but AI/ML can also be used to help enhance the security of systems before a security event takes place. Cyber Threat Intelligence (CTI) works by collecting information about cyber security attacks and events. The goal of CTI is to be informed about new or ongoing threats with the intent being to proactively prepare teams about the possibility of an attack to your organization before an attack takes place. CTI also provides value in dealing with existing attacks by helping incident response teams better understand what they are dealing with.

Traditionally, the collection, organization and analysis of this data was done by security professionals, but AI/ML is able to handle many of the routine or mundane tasks, and help with organization and analysis, letting those teams focus on the decision making required when they have the necessary information in an actionable format.

**Using AI to prevent vulnerabilities**

While leveraging AI/ML to detect and prevent cyber security attacks is valuable, preventing vulnerabilities in software is also hugely important. AI assistants in code editors, build pipelines and the tools used to test or validate running systems are quickly becoming the norm in many facets of IT.

As with CTI, AI systems can help alleviate mundane tasks, freeing humans to spend more time working on more valuable projects and innovations. Code reviews, while important, can be improved by leveraging Static Application Security Testing (SAST). While SAST platforms have existed for some time now, their biggest issue is the often large quantity of false positives they generate. Enter AI/ML’s ability to take a more intelligent look at source code, along with infrastructure and configuration code. AI is also starting to be used to run Dynamic Application Security Testing (DAST) to test running applications to see if common attacks would be successful.

**Use case 3: AI-assisted code scanning**

SAST has long used a “sources and sinks” approach to code scanning. This refers to a way to track the flow of data, looking for common pitfalls. The various tools produced for static code scanning often use this model. While this is a valid way to look at code, it can lead to many false positives that then need to be manually validated.

AI/ML can provide value here by learning and understanding the context or intent around possible findings in the code base, reducing false positives and false negatives. Not only that, but both SAST tools and AI assistants have been added to code editors, helping developers catch those errors before they are ever submitted. There are a few limitations, however, including language support and scalability with very large code bases, but these are quickly being addressed.

**Use case 4: Automate discovery of vulnerabilities**

Code reviews can be a time consuming process, but once that code is submitted, testing doesn’t usually end. DAST is used to test common attacks against a running application. There are a few tools on the market that help with this well, but like coding itself, there is some ramp up time involved. A user needs to understand these attack types, and how to replicate them through the DAST tool and then automate them.

Recently, DAST and related application testing tools have begun to implement AI/ML either directly into their platforms, or as plugins, allowing for a great deal of improved automated scanning. Not only does this free up staff who would need that ramp up time and the time needed to run the different attacks, it also frees up the time and money needed to do full blown penetration testing. Penetration testing still very much requires a human who is capable of thinking like an attacker and recognizing potential weaknesses, often creating novel ways of verifying that they are indeed exploitable.

**Protecting AI itself**

Although AI can help eliminate many human errors, it itself is still susceptible. First there is the bane of many IT problems, poor or improper configuration. Closely related is the need to more securely train and validate the model and its processes. Failure to do so can quickly lead to a system that is not well understood by its users, creating a kind of black box and a poor model lifecycle management process.

One of the most commonly discussed security concerns related to AI is data poisoning. Human beings often collect data that is then used to train AI/ML algorithms, and as humans, we can introduce bias into the data. This is a simple enough concept to watch out for, but sometimes that bias is added on purpose. Attackers, through various mechanisms, can intentionally poison the dataset used to train and validate AI/ML systems. It is then conceivable that the new biased output from the system can be used for nefarious purposes.

As AI is quickly becoming more mainstream, our understanding and training is lagging behind, especially security training around AI/ML. Much of the inner workings of AI/ML systems are not well understood by many outside the tech community, and this can become worse if systems are neglected and lack transparency.

This leads to another fairly common problem in technology: proper documentation. Systems require documentation that is easy to understand and comprehensive enough to cover the great majority of the system in question.

Finally, governments around the world are discussing and planning (or even already making) regulations related to AI/ML systems. It's not inconceivable that secure AI/ML certifications will be developed, so doing what we can to make sure that systems being developed today are as secure and valid as possible will likely save work down the road.

**Final thoughts**

As we become more and more dependent on AI systems, the speed and accuracy of machine learning in securing the systems we use won’t just be a “nice to have,” but will increasingly become a “must have.” It is all but a guarantee that bad actors will use AI/ML systems to conduct their attacks, so the defenders will need to implement these systems to help protect and defend their organizations and systems.

Ideally, students getting ready to enter the workforce will learn about AI/ML systems, but the grizzled veterans will need to embrace this as well. The best thing individuals can do is make sure they have at least a basic understanding of AI, and the best thing organizations can do is to start looking at how they can best leverage AI/ML in their products, systems and security.

**How Red Hat can help**

Red Hat OpenShift AI can help build out models and integrate AI into applications. For organizations in the security space, OpenShift AI can help you build the power of AI into your products. AI-enabled applications are only going to become more prevalent, and OpenShift AI is a powerful, scalable AI development platform that can help bring those applications to production.

Try Red Hat OpenShift AI

4 use cases for AI in cyber security

The tech giant tosses together a word salad of today's business drivers — AI, cloud-native, digital twins — and describes a comprehensive security strategy for the future, but can the company build the promised platform?

Source: Peach Shutterstock via Shutterstock

The cybersecurity industry has no shortage of problems: Attackers are using automation to shorten their time to exploit, patching software is burdensome, establishing defenses such as segmentation remains difficult, and a shortage of cybersecurity-skilled workers holds back efforts in all of these areas.

No wonder, then, that Cisco has decided to launch an AI-powered, distributed security platform for protecting cloud workloads and artificial intelligence (AI) systems from cybersecurity threats. Dubbed Hypershield, the platform will push security out to the edge, using AI-augmented agents to maintain security controls around every workload in the data center and even distributed, connected devices. Cisco says the platform will be able to patch environments automatically, test software updates within the environment using simulated systems known as digital twins, and block attacks by detecting anomalous behavior.

Hyperbole was not in short supply, and "reimagined" seemed to be the word of the day.

Jeetu Patel, executive vice president and general manager of Cisco's security and collaboration division, called it "one of the largest platform shifts that we've experienced during our lifetimes."

"For the past gazillion years, when we've looked at security, the advantage has always been on the side of the adversary," Patel said during a press conference announcing Hypershield. "We are now approaching an era ... where ... because \[of this platform\], you might have a world where you might have an advantage as a defender, and wouldn't that be a wonderful world to live in."

Cybersecurity is certainly a field that could benefit from using AI for augmentation or as an assistant, and pushing security to the distributed edge — closer to the devices to be secured — can help simplify some aspects of vast networks that need to be secured.

The company's choice of technologies makes sense, says David Holmes, a principal analyst with Forrester Research. By using eBPF, a technology that allows sandboxed programs to run in a privileged context, pieces of the workload can be instrumented, and data processing units (DPUs) allow efficient processing of data using high-bandwidth network interfaces.

"They are describing a more modern approach to building a private cloud data center architecture, and that’s good," Holmes says. "eBPF for automation \[and\] security, container-like workloads — their DPUs — overall, this is good for the industry if they pull it off."

**Digital Twins Allow Automated Patching**

Craig Connors, chief technology officer of Cisco's security business group, demonstrated how a workload or application could be automatically patched and run in parallel using digital-twin technology to test the stability and correctness of the updated software. Digital twins are simulations — originally used in product development and manufacturing — that allow software engineers to test and observe a version of a device or application.

If patched code passes all tests and satisfies policies, then it can be promoted to production, Connors said during the demonstration.

"What we've done is we've essentially introduced the digital twin into every enforcement point that we deploy," Connors stated. "So we're actually bringing CI/CD \[continuous integration and continuous delivery\] to the embedded world by running the end-of-the-promotion pipeline as a digital twin on every single enforcement point for every single customer in the world in a transparent way. That allows us to test every possible combination that could happen in your real environment everywhere."

While the company will start with Linux environments, Cisco hinted at future plans to support other operating systems.

The same digital-twin approach can be applied to developing segmentation policies for networks of devices and workloads, according to Connors. The AI assistant built into the Hypershield platform could recommend microsegmentation policies and give a confidence score that each policy would behave well inside a given environment.

"Imagine if AI wasn't just recommending microsegmentation policies, but it was modeling them in a digital twin of your environment, and telling you exactly how it tested those policies to make sure they were correct before it recommended them to you," Connors said. "So we're really trying to bring that trust aspect in and not just 'AI bomb' you with recommendations."

**Distributed Exploit Protection**

Cisco says the platform will also protect against exploits in real time by using threat intelligence to inform anomaly detection and response. Because companies never know which vulnerabilities will be picked up by an attacker, the system allows all high-impact vulnerabilities to be treated the same.

This approach benefits companies with legacy hardware and software that has reached end of life and is no longer receiving updates, according to Connors.

"There are cases where we can never patch. ... Let's say the software's end of life, but my business still relies on it and a critical vulnerability exists," Connors said. "So while these are intended to be short-lived patches to bridge that gap between that availability and patch deployment and then we'll automatically pull back these distributed shields, it is potentially feasible that you may want to run this for the life of the application to continue protecting you against \[exploitation\]."

Having the vision and individual technologies is a good first step, but like the platform managing driver-assist features in cars, the trick is how it all comes together, says Jon Oltsik, analyst emeritus at Enterprise Strategy Group. Coordinating the pieces across multiple systems, rather than looking at each one in isolation — as well as figuring out "normal" activity — and then responding will be tricky.

"It's a good goal, but a lot of things need to come together to make it happen, including user buy-in," he says. "AI-based security must go through rigorous testing and be proven in the field before security professionals will trust it."

Cisco has promised the platform will be generally available by August.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cisco's Complex Road to Deliver on Its Hypershield Promise

Existing AI technology can allow hackers to automate exploits for public vulnerabilities in minutes flat. Very soon, diligent patching will no longer be optional.

Source: Rokas Tenys via Shutterstock

AI agents equipped with GPT-4 can exploit most public vulnerabilities affecting real-world systems today, simply by reading about them online.

New findings out of the University of Illinois Urbana-Champaign (UIUC) threaten to radically enliven what's been a somewhat slow 18 months in artificial intelligence (AI)-enabled cyber threats. Threat actors have thus far used large language models (LLMs) to produce phishing emails, along with some basic malware, and to aid in the more ancillary aspects of their campaigns. Now, though, with only GPT-4 and an open source framework to package it, they can automate the exploitation of vulnerabilities as soon as they hit the presses.

"I'm not sure if our case studies will help inform how to stop threats," admits Daniel Kang, one of the researchers. "I do think that cyber threats will only increase, so organizations should strongly consider applying security best practices."

**GPT-4 vs. CVEs**

To gauge whether LLMs could exploit real-world systems, the team of four UIUC researchers first needed a test subject.

Their LLM agent consisted of four components: a prompt, a base LLM, a framework — in this case ReAct, as implemented in LangChain — and tools such as a terminal and code interpreter.

The agent was tested on 15 known vulnerabilities in open source software (OSS). Among them: bugs affecting websites, containers, and Python packages. Eight were given "high" or "critical" CVE severity scores. There were 11 that were disclosed past the date at which GPT-4 was trained, meaning this would be the first time the model was exposed to them.

With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture.

Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability.

GPT-4, however, successfully exploited 13, or 87% of the total.

It only failed twice for utterly mundane reasons. CVE-2024-25640, a 4.6 CVSS-rated issue in the Iris incident response platform, survived unscathed because of a quirk in the process of navigating Iris' app, which the model couldn't handle. Meanwhile, the researchers speculated that GPT-4 missed with CVE-2023-51653 — a 9.8 "critical" bug in the Hertzbeat monitoring tool because its description is written in Chinese.

As Kang explains, "GPT-4 outperforms a wide range of other models on many tasks. This includes standard benchmarks (MMLU, etc.). It also seems that GPT-4 is much better at planning. Unfortunately, since OpenAI hasn't released the training details, we aren't sure why."

**GPT-4 Good**

As threatening as malicious LLMs might be, Kang says, "At the moment, this doesn't unlock new capabilities an expert human couldn't do. As such, I think it's important for organizations to apply security best practices to avoid getting hacked, as these AI agents start to be used in more malicious ways."

If hackers start utilizing LLM agents to automatically exploit public vulnerabilities, companies will no longer be able to sit back and wait to patch new bugs (if ever they were). And they might have to start using the same LLM technologies as well as their adversaries will.

But even GPT-4 still has some ways to go before it's a perfect security assistant, warns Henrik Plate, security researcher for Endor Labs. In recent experiments, Plate tasked ChatGPT and Google's Vertex AI with identifying samples of OSS as malicious or benign, and assigning them risk scores. GPT-4 outperformed all other models when it came to explaining source code and providing assessments for legible code, but all models yielded a number of false positives and false negatives.

Obfuscation, for example, was a big sticking point. "It looked to the LLM very often as if \[the code\] was deliberately obfuscated to make a manual review hard. But often it was just reduced in size for legitimate purposes," Plate explains.

"Even though LLM-based assessment should not be used instead of manual reviews," Plate wrote in one of his reports, "they can certainly be used as one additional signal and input for manual reviews. In particular, they can be useful to automatically review larger numbers of malware signals produced by noisy detectors (which otherwise risk being ignored entirely in case of limited review capabilities)."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

One juror in former US president Donald Trump’s criminal case in New York has been excused over fears she could be identified. It could get even messier.

You’ve been asked to serve on the jury in the first-ever criminal prosecution of a United States president. What could possibly go wrong? The answer, of course, is everything.

A juror in former president Donald Trump’s ongoing criminal trial in New York was excused on Thursday after voicing fears that she could be identified based on biographical details that she had given in court. The dismissal of Juror 2 highlights the potential dangers of participating in one of the most politicized trials in US history, especially in an age of social media frenzies, a highly partisan electorate, and a glut of readily available personal information online.

Unlike jurors in federal cases, whose identities can be kept completely anonymous, New York law allows—and can require—the personal information of jurors and potential jurors to be divulged in court. Juan Merchan, the judge overseeing Trump’s prosecution in Manhattan, last month ordered that jurors’ names and addresses would be withheld. But he could not prevent potential jurors from providing biographical details about themselves during the jury selection process, and many did. Those details were then widely reported in the press, potentially subjecting jurors and potential jurors to harassment, intimidation, and threats—possibly by Trump himself. Merchan has since blocked reporters from publishing potential jurors’ employment details.

The doxing dangers that potential jurors face became apparent on Monday, day one of the proceedings. An update in a _Washington Post_ liveblog about Trump’s trial revealed the Manhattan neighborhood where one potential juror lived, how long he’d lived there, how many children he has, and the name of his employer. Screenshots of the liveblog update quickly circulated on social media, as people warned that the man could be doxed, or have his identity revealed publicly against his will with the intent to cause harm, based solely on that information.

“It's quite alarming how much information someone skilled in OSINT could potentially gather based on just a few publicly available details about jurors or potential jurors,” says Bob Diachenko, cyber intelligence director at data-breach research organization Security Discovery and an expert in open source intelligence research.

Armed with basic personal details about jurors and certain tools and databases, “an OSINT researcher could potentially uncover a significant amount of personal information by cross-referencing all this together,” Diachenko says. “That's why it's crucial to consider the implications of publicly revealing jurors' personal information and take steps to protect their privacy during criminal trials.”

Even without special OSINT training, it can be trivial to uncover details about a juror’s life. To test the sensitivity of the information the _Post_ published, WIRED used a common reporting tool to look up the man’s employer. From there, we were able to identify his name, home address, phone number, email address, his children’s and spouse’s identities, voter registration information, and more. The entire process took roughly two minutes. The _Post_ added a clarification to its liveblog explaining that it now excludes the man’s personal details.

The ready availability of those details illustrates the challenges in informing the public about a highly newsworthy criminal case without interfering in the justice process, says Kathleen Bartzen Culver, the James E. Burgess Chair in Journalism Ethics and director of the School of Journalism & Mass Communication at the University of Wisconsin-Madison.

“Simply because a notable figure is on trial does not mean that a juror automatically surrenders any claim to privacy,” Bartzen Culver says. “People who have been drawn into a case that is exceptionally newsworthy are not aware that a simple statement that they make about where they work might identify them and open them up to scrutiny and possibly risk.”

The dangers to jurors or potential jurors has only increased since the first day of jury selection, which remains ongoing, in part due to the challenges of prosecuting a former US president and the presumptive Republican nominee in the 2024 US presidential election. Trump is charged with 34 counts of falsifying business records, a class E felony in New York state, for payments made ahead of the 2016 presidential election related to alleged affairs with two women, adult performer Stormy Daniels and Playboy model Karen McDougal. Trump has claimed his prosecution is a “communist show trial” and a “witch hunt” and has pleaded not guilty.

On Fox News, coverage of Trump’s trial has repeatedly focused on the potential political motivations of the jurors, bolstering the former president’s claims. Trump, in turn, has repeated the claims by the conservative news network’s hosts. In a post on Truth Social on Wednesday, Trump quoted Fox News commentator Jesse Watters claiming on air that potential jurors in Trump’s trial are “undercover liberal activists lying to the judge in order to get on the Trump jury.” This, despite a gag order that forbids Trump from “making or directing others to make public statements about any prospective juror or any juror in this criminal proceeding.”

Broader media coverage of the Trump trial jurors appears to often be the work of political reporters who are unfamiliar with the journalism ethics specific to covering a criminal trial, says UW-Madison’s Bartzen Culver. “It's like when political reporters covered Covid and science journalists lost their minds.” She adds that it’s important for any journalist covering a criminal case—Trump’s or otherwise—to “consider our role within the justice system.”

“Unethical behavior by journalists can delay trials. It can result in overturned convictions and the people having to go back and do a retrial,” Bartzen Culver says. “That all works against our system of justice.”

The New York case is one of four ongoing criminal proceedings against Trump. In Georgia, where he faces multiple felony charges for alleged attempts to interfere with the state’s electoral process in 2020, Trump supporters leaked the addresses of members of the grand jury, after their names were listed in the 98-page indictment against the former president, as required by state law. Georgia’s Fulton County Sheriff’s Office said last August that it was investigating threats against the jury members. The incident highlights the persistent dangers people can face from Trump’s supporters, both in the near term and for the rest of their lives, if they’re viewed as having acted against him.

The leaks were discovered by Advance Democracy Inc. (ADI), a nonpartisan, nonprofit research and investigations organization founded by Daniel J. Jones, a former investigator for the FBI and the US Senate Intelligence Committee. So far, Jones tells WIRED, ADI has not uncovered attempts to dox jurors in Trump’s New York trial. But it’s still early days.

“We have not yet found identifying information on the extremist forums we monitor,” Jones says. “Having said that, I share your concern that it is only a matter of time before this happens.”

The Trump Jury Has a Doxing Problem

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted.

Thursday, April 18, 2024 14:00

If you’re a regular reader of this newsletter, you already know about how strongly I feel about the dangers of spreading fake news, disinformation and misinformation. 

And honestly, if you’re reading this newsletter, I probably shouldn’t have to tell you about that either. But one of the things that always frustrates me about this seemingly never-ending battle against disinformation on the internet, is that there aren’t any real consequences for the worst offenders. 

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted, or just that one individual post might be removed.  

Twitter, which has become one of the worst offenders for spreading disinformation, has gotten even worse about this over the past few years and at this point doesn’t do anything to these accounts, and in fact, even promotes them in many ways and gives them a larger platform. 

Meta, for its part, is now hiding more political posts on its platforms in some countries, but at most, an account that shares fake news is only going to be restricted if enough people report it to Meta’s team and they choose to take action.  

Now, I’m hoping that Brazil’s Supreme Court may start imposing some real-world consequences on individuals and companies that support, endorse or sit idly by while disinformation spreads. Specifically, I’m talking about a newly launched investigation by the court into Twitter/X and its owner, Elon Musk.  

Brazil’s Supreme Court says users on the platform are part of a massive misinformation campaign against the court’s justices, sharing intentionally false or harmful information about them. Musk is also facing a related investigation into alleged obstruction.  

The court had previously asked Twitter to block certain far-right accounts that were spreading fake news on Twitter, seemingly one of the only true permanent bans on a social media platform targeting the worst misinformation offenders. Recently, Twitter has declined to block those accounts. 

This isn’t some new initiative, though. Brazil’s government has long looked for concrete ways to implement real-world punishments for spreading disinformation. In 2022, the Supreme Court signed an agreement with the equivalent of Brazil’s national election commission “to combat fake news involving the judiciary and to disseminate information about the 2022 general elections.” 

Brazil’s president (much like the U.S.) has been battling fake news and disinformation for years now, making any political conversation there incredibly divisive, and in many ways, physically dangerous. I’m certainly not an authority enough on the subject to comment on that and the ways in which the term “fake news” has been weaponized to literally challenge what is “fact” in our modern society.  

And I could certainly see a world in which a high court uses the term “fake news” to charge and prosecute people who are, in fact, spreading \*correct\* and verifiable information.  

But, even just forcing Musk or anyone at Twitter to answer questions about their blocking policies could bring an additional layer of transparency to this process. Suppose we want to really get people to stop sharing misleading information on social media. In that case, it needs to eventually come with real consequences, not just a simple block when they can launch a new account two seconds later using a different email address. 

**The one big thing **

Talos recently discovered a new threat actor we're calling “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause. Starry Addax primarily uses a new mobile malware that it infects users with via phishing attack, tricking their targets into installing malicious Android applications we’re calling “FlexStarling.” The malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. 

**Why do I care? **

The targets in this campaign's case are considered high-risk individuals, advocating for human rights in the Western Sahara. While that is a highly focused particular demographic, FlexStarling is still a highly capable implant that could be dangerous if used in other campaigns. Once infected, Starry Addax can use their malware to steal important login credentials, execute remote code or infect the device with other malware.  

**So now what? **

This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. If you are a user who feels you could be targeted by these emails, please pay close attention to any URLs or attachments used in emails with these themes and ensure you’re only visiting trusted sites. The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages with more infrastructure and Starry Addax working on additional malware variants. 

**Top security headlines of the week **

**A threat actor with ties to Russia is suspected of infecting the network belonging to a rural water facility in Texas earlier this year.** The hack in the small town of Muleshoe, Texas in January caused a water tower to overflow. The suspect attack coincided with network intrusions against networks belonging to two other nearby towns. While the attack did not disrupt drinking water in the town, it would mark an escalation in Russian APTs’ efforts to spy on and disrupt American critical infrastructure. Security researchers this week linked a Telegram channel that took credit for the activity with a group connected to Russia’s GRU military intelligence agency. The adversaries broke into a remote login system used in ICS, which allowed the actors to interact with the water tank. It overflowed for about 30 to 45 minutes before officials took the machine offline and switched to manual operations. According to reporting from CNN, a nearby town called Lockney detected “suspicious activity” on the town’s SCADA system. And in Hale Center, adversaries also tried to breach the town network’s firewall, which prompted them to disable remote access to its SCADA system. (CNN, Wired) 

**Meanwhile, Russia’s Sandworm APT is also accused of being the primary threat actor carrying out Russia’s goals in Ukraine.** New research indicates that the group is responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022. One attack involved Sandworm, aka APT44, disrupting a Ukrainian power facility during Russia’s winter offensive and a series of drone strikes targeting Ukraine’s energy grid. Recently, the group’s attacks have increasingly focused on espionage activity to gather information for Russia’s military to use to its advantage on the battlefield. The U.S. indicated several individuals for their roles with Sandworm in 2020, but the group has been active for more than 10 years. Researchers also unmasked a Telegram channel the group appears to be using, called “CyberArmyofRussia\_Reborn.” They typically use the channel to post evidence from their sabotage activities. (Dark Reading, Recorded Future) 

**Security experts and government officials are bracing for an uptick in offensive cyber attacks between Israel and Iran** after Iran launched a barrage of drones and missiles at Israel. Both countries have dealt with increased tensions recently, eventually leading to the attack Saturday night. Israel’s leaders have already been considering various responses to the attack, among which could be cyber attacks targeting Iran in addition to any new kinetic warfare. Israel and Iran have long had a tense relationship that included covert operations and destructive cyberattacks. Experts say both countries have the ability to launch wiper malware, ransomware and cyber attacks against each other, some of which could interrupt critical infrastructure or military operations. The increased tensions have also opened the door to many threat actors taking claims for various cyber attacks or intrusions that didn’t happen. (Axios, Foreign Policy) 

**Can’t get enough Talos? **

*   Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services 
*   Decade-old malware haunts Ukrainian police 
*   Attackers are pummeling networks around the world with millions of login attempts 
*   OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal 
*   Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials 
*   Talos Takes Ep. #179: Why we need to stop calling as-a-service group takedowns "takedowns" 

**Upcoming events where you can find Talos **

 **Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The missing ingredient in NIST's newest cybersecurity framework? Recovery.

Alex Janas, Field Chief Technology Officer, Commvault

April 18, 2024

5 Min Read

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

As the digital landscape grows more treacherous, companies are finally beginning to treat cybersecurity as a top operational risk. And for enterprises revising their data security strategies, the updated guidance from the National Institute of Standards and Technology (NIST), the US government's key technical standards adviser, is a good starting point. NIST's cybersecurity framework, first released in 2014, has functioned as the leading educational and academic guide. The newest version includes important updates, like the addition of data governance as one of the core pillars. Unfortunately, it falls short in a significant way. It doesn't say nearly enough about the most crucial ingredient of any comprehensive and contemporary cybersecurity plan: the ability to recover from a cyberattack. 

It's important to keep in mind that recovering from an attack is not the same as disaster recovery or business continuity. It's not enough to simply tack the recovery function onto a broader incident response plan. Recovery must be ingrained into the security stack and into your response plans. And even outside a crisis scenario, there must be a continual feedback loop established, where all parts of the cybersecurity function — including recovery — are always sharing information and are a part of the same workflow. 

Given the persistent threat landscape and the growing number of mandatory regulations, such as the EU's Digital Operational Resilience Act (DORA), companies must urgently address the gaps in their cybersecurity preparedness plans.

**Shifting From a Frontline Mentality **

While NIST is a comprehensive framework, the cybersecurity industry (and, by proxy, most companies) put far more attention on the part that focuses on preventing cyberattacks. That's important, but prevention can never be assured and should not be done at the expense of a comprehensive security plan. 

A company that only uses the NIST Cybersecurity Framework will put that company in a position where they are underinvested in responding to current and future cyberattack scenarios. That's a risk no organization can afford to take. You will be breached. In fact, you are breached, you just don't know it yet. This means the restoration platform must be integrated with the security stack to help protect itself and the business environment to ensure the company can get back to business — which is one of the main goals of this work.

Vendors and customers alike must put resources toward returning to a post-attack state: How to get there, and how to test and verify that capability. The secret to a robust recovery is planning. To truly be safe, businesses must take steps now to integrate the technology and people responsible for recovery into the rest of their cybersecurity function. 

Once that happens, although recovery teams can still operate independently, there's a continual feedback loop. So, all the different parts of the security teams can still easily send and receive information to and from the other functions. 

**Test, Test, Test**

While companies often have time frames in mind of how quickly systems must be back online, far fewer have fully considered what it takes to get to that safe state following an attack. 

Testing helps inform how long each step in the identification and remediation of a breach should take, so companies have a benchmark to use when an actual incident occurs. And without adequately testing backup environments, the recovery function becomes much more difficult — and potentially more dangerous. When restoring from an untested backup environment, the company might inadvertently restore implanted malicious code, provide attacker access, or return to a vulnerable state. 

Companies must actively run simulated or real-world drills that test all facets of their cyber resilience to uncover the weak points, including any issues that could impact a company's ability to get their IT systems operational again. 

**Linking the Steps  **

Integrating recovery tools into the larger incident response arsenal can yield valuable intelligence, both in preparing for and responding to an attack. 

These days, modern recovery systems can actively monitor backup repositories and regularly send feeds back to the security teams to detect any abnormal behavior far quicker than in the past — a vital capability as attackers increasingly aim their efforts at the last-mile data centers. And as a cyber-resilient restoration platform becomes integrated into the modern security stack, it must connect with the systems that transform the intelligence from the various systems and services to provide security teams with better context about the events that are happening in their environment as well as better auditing required under the various compliance and regulations around the globe. 

**Aligning the People to the Process **

While many organizations have experts attached to every other process in the NIST framework, few have teams or even individuals dedicated to managing recovery. 

Often, the function falls between the domain of the chief information security officer (CISO) and chief information officers (CIO), which leads to both assuming the other owns it. The overworked security team typically views recovery as tedious — and something that occurs only at the tail end of a chaotic process that should be handled by the IT team. 

Meanwhile, the IT team, unless steeped in security, may not even know what the NIST framework is. Facing a deluge of complaints, their focus is on simply getting the environment back online as quickly as possible, and they may not recognize how perilous an unplanned, hasty recovery can be. 

Taking this seriously involves dedicating resources to oversee recovery, making sure this step doesn't get overlooked in the ongoing planning and testing — let alone in the chaos that often accompanies a breach. 

When given strategic direction from the C-suite, and assigned the right ongoing responsibilities, the recovery individual or team can ensure that the response protocols are regularly tested, as well as serve as the bridge to connecting recovery with the rest of the cybersecurity function.  

**The Most Vital Step**

In this era when every business should assume they are breached, recovery must be recognized as just as important as the other steps in the NIST framework. Or maybe even more important.

Companies that only play cyber defense will eventually lose. They are playing a game where they think the score matters. Defenders can have 1,000 points but will lose to an attacker who scores once. There's simply no way to guarantee victory against an opponent who plays outside the rules and controls when and how the game is played.

Businesses must allocate resources to prepare for cyberattacks. Without a tested response plan to resume operations safely and securely, companies will have no choice but to capitulate to attackers' demands, pay the ransom, and thereby embolden an attacker.

**About the Author(s)**

Field Chief Technology Officer, Commvault

As the Field Chief Technology Officer for Commvault, Alex Janas is responsible for overseeing cybersecurity. He is a distinguished cybersecurity expert with over 20 years of diverse experience, spanning the private sector and the Department of Defense (DOD). 

In his work within the private sector, Alex has excelled in a wide range of security responsibilities; Cyber and Physical Security Penetration Assessments, Incident Response and Forensics, Virtual Chief Information Security Officer (vCISO), Cyber Executive Protection and Technical Surveillance Countermeasures (TSCM).

Alex’s government experience is highlighted by his tenure at the National Security Agency (NSA), where he served for 11 years in the Tailored Access Operations as an Analyst, Operator, and Division Technical Director. Alex is a proud recipient of the Master Operator designation, a prestigious honor bestowed upon a highly select cadre of Computer Network Operations personnel.

Rebalancing NIST: Why 'Recovery' Can't Stand Alone

The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak).
"FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up.
"They

FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

Watch how smooth-talking scammers known as “Yahoo Boys” use widely available face-swapping tech to carry out elaborate romance scams.

The compliments start flowing as soon as she answers the video call. “Wow, you so pretty, honey,” says the man on the other side of the screen. His video feed shows he’s white, with short hair, likely a few years younger than her, and is sitting in front of his camera wearing a plaid shirt.

“You’re looking different with that beard and stuff gone,” the woman says in an American accent as the conversation gets going. The man doesn’t miss a beat. “I told you I was going to shave my beard so I will look good.”

Except, he isn’t who he claims to be. His videofeed is a lie. And—beard or not—the face the woman can see over the video call is not his: It’s a deepfake.

In reality, the man is a scammer using face-swapping technology to totally change his appearance in real time. In a video of the call—filmed by the scammer’s accomplice likely thousands of miles away from the woman—his real face can be seen on this laptop alongside the fake persona as he speaks to his victim.

This self-shot video is one of scores posted online by scammers known as Yahoo Boys, a loose collective of con artists, often based in Nigeria. The video reveals how they are using deepfakes and face-swapping to ensnare victims in romance scams, building trust with victims using fake identities, before tricking them into parting with thousands of dollars. More than $650 million was lost to romance fraud last year, the FBI says.

A Yahoo Boy scammer uses multiple phones and face-swapping software against a victim. It’s one of two techniques the group uses for real-time calls.

The Yahoo Boys have been experimenting with deepfake video clips for around two years and shifted to more real-time deepfake video calls over the last year, says David Maimon, a professor at Georgia State University and the head of fraud insights at identity verification firm SentiLink. Maimon has monitored the Yahoo Boys on Telegram for more than four years and shared dozens of videos with WIRED revealing how the scammers are using deepfakes.

A WIRED review of the videos and three associated Yahoo Boy Telegram channels shows how the con artists’ techniques have evolved as deepfake applications and artificial intelligence have improved. It is one of the first times the specific tactics and outlandish techniques of scammers using deepfake video calls has been documented in this detail.

The videos show Yahoo Boys using the technology on setups involving both laptops and phones. In multiple videos, the scammers often brazenly show their own faces, as well as those of the victims they are scamming. “I don't think they're doing this because they’re stupid,” Maimon says. “I think that they simply don’t care, and they’re not afraid of the repercussions.”

The Yahoo Boys are experienced scammers—and they openly brag about it. Photos and videos of their conning and recruitment can be found all across social media, from Facebook to TikTok. However, the cybercriminals, who have links back to Nigerian prince email scams, are arguably their most open on Telegram.

In groups containing thousands of members, Yahoo Boys organize and advertise their individual skills for a smorgasbord of scams. They’re skilled social manipulators, who can have long-lasting impacts on their victims. Business email compromise, crypto scams, and impersonation scams are all touted in hundreds of posts per day. Members claim to be selling photo and video editing skills and entire albums of explicit photographs that can be used to build a convincing persona. Fake IDs and legitimate-looking social media profiles are for sale. Scam “scripts” are free to download.

“The Yahoo Boys have elements of organized crime and disorganized crime,” says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute, who has investigated Yahoo Boys sextorting teenagers and driving them towards suicide. “They don't have a leader, they don’t have a governance structure.” Rather, Raffile says, they organize in clusters and share advice and tips online. Telegram did not respond to WIRED’s request for comment about Yahoo Boys’ channels, but the three channels no longer appear to be accessible.

The digital con artists started using deepfakes as part of their romance scams around May 2022, says Maimon. “What folks were doing was just posting videos of themselves, changing their appearance, and then sending them to the victim—trying to lure them to talk to them,” he says. Since then, they’ve moved on.

To create their videos, the Yahoo Boys are using a handful of different software and apps. WIRED is not naming the specific software, to limit people’s ability to copy the attacks. However, the tools they are using are often advertised for entertainment purposes, such as allowing people to swap their faces with celebrities or influencers.

The Yahoo Boys’ live deepfake calls run in two different ways. In the first, shown above, the scammers use a setup of two phones and a face-swapping app. The scammer holds the phone they are calling their victim with—they’re mostly seen using Zoom, Maimon says, but it can work on any platform—and uses its rear camera to record the screen of a second phone. This second phone has its camera pointing at the scammer’s face and is running a face-swapping app. They often place the two phones on stands to ensure they don’t move and use ring lights to improve conditions for a real-time face-swap, the videos show.

The second common tactic—shown below—uses a laptop instead of a phone. (WIRED has blurred real faces in both videos.) Here, the scammer uses a webcam to capture their face and software running on the laptop changes their appearance. Videos of the setup show scammers are able to see their own face alongside the altered deepfake, with just the manipulated image being displayed over the live video call.

Maimon says he and his teams have tracked down some of the victims, both in deepfake videos and photo albums being sold by Yahoo Boys, and have tried to contact them. WIRED was not able to determine the real identities of victims or scammers, and it is not clear how many times deepfakes have been used. Still, the videos appearing to feature victims reveal how the scammers build rapport with their targets.

Videos show scammers telling people they “love” them and frequently complimenting their appearance. In one video, a scammer says they want to travel to Canada to meet their target, and when they do, they will pay them “instantly,” suggesting the target has sent them money that the scammer has falsely promised to pay back. Other videos contain deeply personal information, showing the levels of trust that scammers can create with the people they target. “Some victims, they talk about their eating disorders, they talk about their depression,” Maimon says.

The videos are likely only a snapshot of the Yahoo Boys’ romance-scamming activity, and many of the videos they self-publish are partly intended to show off their capabilities to allow others to “buy” the approach. Raffile says that, as he investigated the groups for sextortion, he noticed most face-swapping was being used for romance scams. However, there were also instances where Yahoo Boys claimed to use deepfake “nude” generators on photographs.

The scammers can run face-swapping software on laptops. It mimics their facial expressions and mouth movements.

Artificial intelligence will supercharge scams. While deepfake videos have been around for more than half a decade—mostly used for nonconsensual pornography—they’re often glitchy and easy to spot. Lips don’t sync up as people talk, and errors are relatively trivial to detect. However, the technology is quickly improving and becoming easier for anyone to use.

Some of the Yahoo Boy videos are unbelievable, obvious fakes, while others appear plausible. When they’re viewed live, on a mobile phone, with unstable connections, any obvious flaws may be masked—especially if a scammer has spent months social-engineering their victim.

Rachel Tobac, the cofounder and CEO of SocialProof security, who along with company CTO Evan Tobac reviewed a selection of Yahoo Boy videos for WIRED, says she has generally seen some face swapping being used in romance scams over the past 12 months. “They were not super convincing last year, when I checked them out. This year, a lot has changed,” Rachel Tobac says. “Especially the ones where they’re able to change the pitch of their voice and the look of their face—sometimes changing skin tone, hair, eye color, everything’s matched. It’s pretty wild.”

The Yahoo Boys appear to often use existing personas and faces built into the apps. The scammers largely talk using their own voices, although in a couple of videos this may have also been altered. In many of the videos seen by WIRED, the onscreen characters can turn their heads but not move their entire bodies. Their lips and facial expressions move with those made by the face of the scammer. The capabilities of these tools will only improve over time.

Andrew Newell, the chief scientific officer at identity verification company iProov, says he has seen a “massive change” in the number of face-swapping systems being used in the last year, tracking more than 100 different tools. Only a fraction of these tools allow for real-time face-swapping, he says. “We have seen quite big advances in terms of how good these live tools are.”

While the Yahoo Boys may not develop their own software or be technically sophisticated, Maimon says, they are versatile. They’ll run multiple scams at once, speak with dozens of victims at a time, and different individuals will have the skills needed to complete an entire scam. “There's a constant evolution,” Maimon says.

Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims, says because the Yahoo Boys have used deepfakes for romance scams, they’ll pivot to using the technology for their other scams. “This is kind of an early warning where it's like: ‘OK, they’re really good at doing these things. Now, what’s the next thing they're going to do?’”

The Real-Time Deepfake Romance Scams Have Arrived

A survey of cybercrime experts assessing the top cybercrime-producing nations results in some expected leaders — Russia, Ukraine, and China — but also some surprises.

Source: Wavebreakmedia Ltd IFE-221116 via Alamy Stock Photo

An academic research project to gain insight into which nations produce the most cybercrime has ranked the usual suspects of Russia, Ukraine, China, and the United States at the very top but also found some relative surprises with Nigeria at No. 5, Romania at No. 6, and Brazil at No. 9.

Nations with high technology levels typically scored fairly high on the World Cybercrime Index (WCI), especially if those countries also have state-sponsored threat actors that overlap with cybercriminal groups. Yet other nations dominated in one of the five areas, such as Nigeria taking the top score for scams and Romania scoring highly in data and identity theft, according to the university research effort by academic institutions in the United Kingdom, Australia, and France.

While cybersecurity experts have long associated different countries with different types of cybercrime — Russia with banking and ransomware and China with intellectual-property theft and financial crimes, for example — this is the first time that researchers have been able to compare various countries based on specific attributes and cybercriminal approaches, says Miranda Bruce, a postdoctoral fellow in sociology at the University of Oxford.

"If you look closely at these five indices, you'll get more insight into the character of each country as a cybercrime hotspot," she says. "Nigeria is No. 1 in the Scams index, but comes between 5th and 10th in the other four cybercrime types. Clearly they're a significant producer of all types of cybercrime, but it's also clear that, as a country, they specialize."

The researchers collected survey data from 92 cybercrime experts, asking them to pick the top five cybercrime-producing nations in five different categories of crime: technical products and services; attacks and extortion; data and identity theft; scams; and cashing out or money laundering. For each nation, participants were asked to rate the nation on the impact of the crimes, the actors' professionalism, and their technical skill.

The top 15 nations as ranked by their overall World Cybercrime Index. Source: PLOS One

In all, the cybercrime experts nominated 97 different countries, according to a paper the group published in the journal PLOS One.

The WCI scores may not, however, discern between true cybercriminals residing in a nation and those mercenary groups that also conduct operations on behalf of their state sponsors, says Sean McNee, vice president of research and data at DomainTools, a domain security services firm.

"When evaluating cybercrime groups in locales such as Russia, China, Iran, or North Korea, it is always challenging to determine if groups are operating purely on their own accord or operating on behalf of a nation-state sponsor," McNee says. "This makes cybercrime actors in other countries more interesting to look into, such as Nigeria, India, and Brazil."

**Low Technical Score, High Threat**

Nigeria's top marks in the scams category — in which the researchers lumped together advance-fee fraud, business email compromise, and online auction fraud — underscore that a highly developed cybercrime ecosystem does not necessarily require significant depth of technical skills and infrastructure. While Nigeria has prioritized its cybersecurity capabilities, the country remains a bastion for email fraud, as demonstrated by the case of a Nigerian-based group conducting romance scams with a US-based national, who was sentenced earlier this year.

Romania, which ranked No. 6 on the list, has a long history of hosting a cybercriminal ecosystem, so its ranking is a bit of a surprise, says Chester Wisniewski, director and field CTO at cybersecurity firm Sophos.

"Romania has always had elevated cybercrime activity ... likely due to its well-educated population and proximity and relationships with neighboring cybercrime states like Ukraine, Russia, and Moldova," he says. "Romania has been cooperative with cybercrime takedowns, but I am not sure they are very proactive in nature."

The researchers plan to investigate how the World Cybercrime Index correlates with other characteristics of each nation — such as gross domestic product (GDP), income inequality, Internet penetration, and corruption — and how cybercrime policies can impact their scores, the University of Oxford's Bruce says.

"There's still much to learn about how and why countries like Russia, China, and the USA have become major cybercrime hotspots, but the countries that appear lower in the Index will tell us more about the nuances of cyber criminality," she says. "That is, the specific combination of factors that enable a region to become a thriving economic hub of cybercriminal activity. It's important that we pay attention to these countries and regions in the coming years."

**Room for Improvement**

Unfortunately, the data gives little actionable information to defenders, although it could be useful to policymakers and diplomats interested in influencing countries and gaining cooperation, says Sophos' Wisniewski.

"If these stats are accurate, only the countries listed are in a position to address the problem of them being a source country for cybercrime," he says. "Many of those listed might not only be uninterested in reducing their rank, but they may also be proud of it."

The researchers conducted the survey in 2021, so unfortunately, that means that the rankings have aged, and do not include major changes to the cyberthreat landscape, such as Russia's invasion of Ukraine, the most recent rise in romance scams, and an increase in cryptocurrency scams from North Korea, says DomainTools' McNee.

"This suggests that encouraging policies to promote technology sectors in these countries — turn cybercriminals to entrepreneurs — could have a net positive impact on the economy," he says. "It may be more beneficial to track these trends in countries further down the WCI to help encourage such policies before a notable cybercrime industry takes hold."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria &amp; Romania Ranked Among Top Cybercrime Havens

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity.
That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the start of April 2024.
OpenMetadata is an open-source platform that operates as a

Tag

#intel