When it comes to keeping patient information safe, people empowerment is just as necessary as deploying new technologies.

Source: Yuri Arcurs via Alamy Stock Photos

COMMENTARY

Some say artificial intelligence (AI) has changed healthcare in ways we couldn't have imagined just a few years ago. It's now used for everything from paperwork to helping doctors make better diagnoses. But like any new tech, there are risks involved.

Currently, AI is both a potent defense mechanism and an attacker enabler. Therefore, the question that must be asked is clear: Is AI an enemy or a friend of cybersecurity in healthcare? Honestly, the answer is both.

**AI as the Defender: Enhancing Healthcare Security**

Healthcare systems are rich targets for malicious actors, with considerable protected health information (PHI) spread across interconnected assets such as electronic health records, Internet of Things (IoT)-enabled medical devices, and telehealth platforms. It has been proven that traditional cybersecurity tools often lack the resources and features required to protect such complex ecosystems and, as in different industries, struggle to keep pace with both the volume of data being generated and evolving attack methodologies.

The advantage of machine learning algorithms is that they can find a potential threat before it is serious. AI-powered security tools can detect anomalies in system behaviors, such as unauthorized data transfer or suspicious login activities, and thus proactively prevent a breach. Indeed, several hospitals using AI-powered systems have been able to avert ransomware attacks and maintain operational integrity and patient safety.

Artificial Intelligence is also incomparable in terms of its critical role in reducing administrative burdens and further complying with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations. AI-powered tools, such as virtual assistants and data processing systems, take over administrative work while safeguarding sensitive data. These tools protect PHI and free human resources to focus on patient care.

**AI as the Enabler of Cyber Threats**

While AI hardens the defense, it turbocharges the attacker side, too. In such a way, cyber threats in healthcare have become increasingly sophisticated. The game changed with generative AI tools that let attackers create unbelievably realistic tailor-made emails with perfect grammar and formatting that quickly slipped through traditional security filters.

Deepfakes add another layer to these deceptions: generating hyperreal audio and video that makes an attacker sound like senior health leaders or other trusted voices. These fabrications have been used to deceive staff into granting unauthorized access, sharing PHI, and even making fraudulent financial transactions. In some cases, attackers have used deepfakes to spread false medical information or to undermine public confidence, further destabilizing an already complex threat landscape.

AI-powered malware leverages machine learning to make live changes, evade traditional detection, and zero in on critical systems, such as IoT-enabled devices and electronic health records. Attackers manipulate diagnostic data, alter medical imaging, and gain entry through vulnerabilities in lightly secured IoT devices, enabling them to create avenues to coordinate attacks. Combining AI with IoT could pose a greater threat to patient safety and trust in healthcare systems than just financial losses. 

AI-powered threats sound an alarm for information security, IT, and healthcare leaders. These risks are reshaping the cybersecurity landscape. Preemptive defenses require advanced AI tools, employee training, and collaboration across cross-functional teams. This would, in turn, involve policy and detection system reviews to grant top priority for countering AI-impelled social engineering and malware. Constantly being one step ahead of the bad actors requires constant vigilance, innovative thinking, and a core commitment to data safety and patient care.

**Balancing AI's Potential with Realistic Implementation**

As an expert or executive, you face the critical decision of managing the promise of AI and the risk it further introduces into an already overcomplicated cybersecurity landscape. AI is not the Holy Grail; it's a tool that can be used for and against us. AI’s transformative potential in healthcare and security comes from how it is implemented, so leaders must approach its adoption with a balanced perspective. They should be excited yet cautious, knowing full well that attackers are leveraging the very same technology to undermine our systems, data, and trust.

In my experience, the excitement around adopting AI tools like transcript generators, grammar checkers, or automated note-taking systems often takes precedence over critical security assessments. I have seen teams advocate for rapid implementation to save time and resources without assessing the risks; common questions such as where the data is stored, how it is processed, or if the vendor is compliant often are not asked. This rush to embrace convenience creates gaps that attackers can exploit, especially in healthcare, where even minor oversights can lead to significant breaches of PHI or personally identifiable information (PII).

Deepfakes, adaptive malware, and the exploitation of IoT devices, all powered by AI, require a new type of thinking to address these threats — one that changes from legacy defenses or even leading-edge AI-powered tools to placing those tools within an extended proactive security framework encompassing audits, employee training, and reliable governance. For that to happen, health workers and administrators must be empowered to recognize sophisticated attacks, faked video calls, or some other unexpected data transfer AI flagged up. People empowerment is just as necessary in deploying new technologies.

Drive collaboration between IT, security, and clinical teams in developing customized strategies for technical vulnerabilities and operational realities. This means vigilance, from systems monitoring to continuing review of AI's evolving role in your institution.

Safeguarding healthcare systems includes protecting the trust and well-being of the patients it cares for and its entire community. This depends entirely on the type of leadership that doesn't just react to threats but proactively takes bold measures to mitigate risks before they spread. Security embedded in all facets of the organization should ensure continuity of critical operations and uncompromised care of the patients by leaders in healthcare.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Is AI a Friend or Foe of Healthcare Security?

More than half of attacks on Indian businesses come from outside the country, while 45% of those targeting consumers come from Cambodia, Myanmar, and Laos.

Source: NicoElNino via Shutterstock

India continues to see a surge in cybercrime affecting both citizens and businesses, with cyber fraud against citizens jumping 51% over the past year and cyberattackers targeting businesses in volumes significantly higher than global averages.

Overall, Indian citizens filed more than 1.7 million cybercrime complaints in 2024, up from 1.1 million complaints in 2023, according to the latest data from India's National Cyber Reporting Platform (NCRP) released in early February. While many of those cyber scams came from domestic sources, about 45% of the cyberattacks came from cybercriminal havens in Cambodia, Myanmar, and Laos, according to the report.

The problem underscores the dark side of increasing access to online services. While the country is digitizing many of its government services — giving citizens easier access — crime has followed online, President Droupadi Murmu said during a speech to Parliament on Jan. 31.

"\[I\]n an increasingly digital society, cybersecurity has become a crucial issue of national importance," Murmu said. "Digital fraud, cybercrime, and emerging technologies like deepfakes pose challenges to our social, economic, and national security."

India's citizens are not the only targets of cybercriminals — business sites increasingly face online attacks. Cyber-risks and digital/technology risks are the most pressing concerns for companies in India, with businesses in the region prioritizing those issues more than their global counterparts, according to PricewaterhouseCoopers' "2025 Global Digital Trust Insights — India Edition."

Source: PricewaterhouseCoopers, "2025 Global Digital Trust Insights — India Edition"

"Over the next 12 months, Indian organizations are prioritizing the mitigation of three key risks: cyberthreats, digital vulnerabilities and inflation," PwC India stated in the report. "This focus highlights the critical need for robust cybersecurity, reliable technological infrastructure, and strategies to counter rising costs and ensure resilience and sustained growth."

**Businesses See Different Threat Profile**

Compared with other regions of the world, India is seeing a greater volume of attacks. The average website in India sees about 6.9 million unwanted requests — often referred to as "attacks" by vendors — every year, with 26% more attacks per site compared with the global average, according to Indusface. Denial-of-service attacks are also more common against Indian targets, compared with the global average, says Venky Sundar, founder and president for the Americas at Indusface.

The threat actors have gone mobile-first, with API servers for mobile applications targeted with 43% more requests per host compared with websites, he says.

There is "a shift in attack strategies towards disrupting mobile and connected services," Sundar says. "Cybercrime is increasingly targeting external-facing APIs associated with mobile apps rather than just traditional web platforms."

The attacks are split fairly evenly between domestic sources and global ones, he adds. Overall, about half of the malicious traffic targeting company sites and API servers are domestic, with much of the rest coming from four countries: US, France, UK, and Singapore.

**Government Moves to Protect Citizens**

The government is currently taking steps to make life harder for attackers. The Reserve Bank of India (RBI), for example, has created exclusive Internet domains for banks (bank.in) and for non-bank financial institutions (fin.in), which will be run by the Institute for Development and Research in Banking Technology (IDRBT). India also passed its first privacy and data-protection law in 2023, and drafted implementation rules last month, which together define the rights of Indian citizens and requirements for companies handling data.

India and the US also recently signed a memorandum of understanding (MoU) that allows the two countries to cooperate on intelligence gathering, the exchange of information on cybercrime cases, and collaborative training. India has also fought to rescue and repatriate its citizens from forced labor camps for criminal syndicates in Cambodia, Myanmar, and Laos, where they are forced to conduct a variety of online scams.

Yet the country still faces a shortage of cybersecurity professionals. In September, the government announced an effort to train 5,000 "cyber commandos" over the next five years, to help national and state governments with cyber investigations.

Training citizens in cybersecurity can have additional benefits, President Murmu said in her remarks to Parliament.

"My government has taken numerous measures to control these cyber threats, creating opportunities for employment in the field of cybersecurity for the youth \[and\] is continuously working to ensure competence in cybersecurity," she said, noting that the country has reached Tier 1 status in the International Telecommunication Union's Global Cybersecurity Index.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India's Cybercrime Problems Grow as Nation Digitizes

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

**Microsoft** today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.

**Tenable** senior staff research engineer **Satnam Narang** noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”

The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.

**Adam Barnett**, lead software engineer at **Rapid7**, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.

“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,”Barnett wrote.

One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.

According to Microsoft, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”

“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,'” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”

The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems.

It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with **Microsoft Office 365**, which Redmond has since rebranded as “**Microsoft 365 Copilot**.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.

Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.

In other security patch news, **Apple** has shipped iOS 18.3.1, which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.

**Adobe** has issued security updates that fix a total of 45 vulnerabilities across **InDesign**, **Commerce**, **Substance 3D** **Stager**, **InCopy**, **Illustrator**, **Substance 3D Designer** and **Photoshop Elements**.

**Chris Goettl** at **Ivanti** notes that **Google Chrome** is shipping an update today which will trigger updates for Chromium based browsers including **Microsoft Edge**, so be on the lookout for Chrome and Edge updates as we proceed through the week.

Microsoft Patch Tuesday, February 2025 Edition

In a letter to a US senator, a Florida-based data broker says it obtained sensitive data on US military members in Germany from a Lithuanian firm, revealing the global nature of online ad surveillance.

Last year, a media investigation revealed that a Florida-based data broker, Datastream Group, was selling highly sensitive location data that tracked United States military and intelligence personnel overseas. At the time, the origin of that data was unknown.

Now, a letter sent to US senator Ron Wyden’s office that was obtained by an international collective of media outlets—including WIRED and 404 Media—reveals that the ultimate source of that data was Eskimi, a little-known Lithuanian ad-tech company.

Eskimi’s role highlights the opaque and interconnected nature of the location data industry: A Lithuanian company provided data on US military personnel in Germany to a data broker in Florida, which could then theoretically sell that data to essentially anyone.

“There’s a global insider threat risk, from some unknown advertising companies, and those companies are essentially breaking all these systems by abusing their access and selling this extremely sensitive data to brokers who further sell it to government and private interests,” says Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, referring to the ad-tech ecosystem broadly.

In December, the joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed a free sample of location data provided by Datastream. The investigation revealed that Datastream was offering access to precise location data from devices likely belonging to American military and intelligence personnel overseas—including at German airbases believed to store US nuclear weapons. Datastream is a data broker in the location data history, sourcing data from other providers and then selling it to customers. Its website previously said it offered “internet advertising data coupled with hashed emails, cookies, and mobile location data.”

That dataset contained 3.6 billion location coordinates, some logged at millisecond intervals, from up to 11 million mobile advertising IDs in Germany over a one-month period. The data was likely collected through SDKs (software development kits) embedded in mobile apps by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.

Following this reporting, Wyden’s office demanded answers from Datastream Group about its role in trafficking the location data of US military personnel. In response, Datastream identified Eskimi as its source, stating it obtained the data “legitimately from a respected third-party provider, Eskimi.com.” Vytautas Paukstys, CEO of Eskimi, says that “Eskimi does not have or have ever had any commercial relationship with Datasys/Datastream Group,” referring to another name that Datastream has used, and that Eskimi “is not a data broker.”

In an email responding to detailed questions from the reporting collective, M. Seth Lubin, an attorney representing Datastream Group, described the data as lawfully sourced from a third party. While Lubin acknowledged to Wyden that the data was intended for use in digital advertising, he stressed to the reporting collective that it was never intended for resale. Lubin declined to disclose the source of the data, citing a nondisclosure agreement, and dismissed the reporting collective’s analysis as reckless and misleading.

The Department of Defense (DOD) declined to answer specific questions related to our investigation. However, in December, DOD spokesperson Javan Rasnake said that the Pentagon is aware that geolocation services could put personnel at risk and urged service members to remember their training and adhere strictly to operational security protocols.

In an email, Keith Chu, chief communications adviser and deputy policy director for Wyden, explained how their office has tried to engage with Eskimi and Lithuania’s Data Protection Authority (DPA) for months. The office contacted Eskimi on November 21 and has not received a response, Chu says. Staff then contacted the DPA multiple times, “raising concerns about the national security impact of a Lithuanian company selling location data of US military personnel serving overseas.” After receiving no response, Wyden staff contacted the defense attaché at the Lithuanian embassy in Washington, DC.

It was only after that, and on January 13, that the DPA responded, asking for more information. “Once additional information is received, we will assess the situation within the scope of our competence and determine the appropriate course of action,” the DPA said, according to Chu.

The Lithuanian DPA told reporters in an email that it “currently is not investigating this company” and it “is gathering information and assessing the situation in order to be prepared to take well-informed actions, if needed.” If the Lithuanian DPA does decide to investigate and finds Eskimi in violation of GDPR provisions, the company could face significant consequences—including fines up to €20 million.

Wyden’s office also contacted Google in November, to alert them to Datastream saying that Eskimi, a Google advertising partner, was selling the location data of DOD personnel overseas, Chu says.

Jacel Booth, Google spokesperson, wrote in an email that “Eskimi is currently part of Google’s Authorized Buyer program and must abide by our policies.”

“Google regularly audits its Authorized Buyers program participants, and reviews allegations of potential misconduct,” the spokesperson adds.

Even if Google does act against Eskimi, there may be plenty more advertising companies ready to sell harvested location data.

“Advertising companies are merely surveillance companies with better business models,” Edwards says.

_This story was produced as part of an ongoing reporting project from an international coalition of media outlets, including Netzpolitik.org and Bayerischer Rundfunk (Germany), Schweizer Radio und Fernsehen (Switzerland), BNR Nieuwsradio (Netherlands), NRK (Norway), Dagens Nyheter (Sweden), Le Monde (France), and WIRED and 404 Media (US)._

This Ad-Tech Company Is Powering Surveillance of US Military Personnel

The combined companies will create a seamless ecosystem of trust, governance, risk, and compliance.

Source: Srabin via iStock Photo

NEWS BRIEF

Drata, a trust management platform provider, announced plans on Tuesday to acquire SafeBase to streamline security reviews, strengthen vendor risk management, and maintain customer trust through continuous compliance. The acquisition, valued "at a quarter of a billion dollars," according to a company spokesperson, is expected to close by the end of the month.

Stricter regulatory requirements, increased cloud adoption, and growing dependency on artificial intelligence tools are driving market demand for a "full stack" Trust Management platform, Drata said in a statement. The companies have a "shared vision of being the go-to 'trust layer' between companies," Drata said. The goal is to create a comprehensive trust management platform, combining Drata's compliance automation and vendor risk management capabilities with SafeBase's Trust Center Platform, which streamlines security questionnaires.

SafeBase, founded in 2020 by CEO al Yang and CTO Adar Arnon, helps customers fill out security questionnaires before buying a new piece of software or hardware. These questionnaires can be time-consuming and difficult to complete, especially for more complex products. SafeBase can reduce the time spent on inbound security questionnaires by up to 98%, according to Drata. The company, which raised $33 million in a Series B round last April, counts organizations including CrowdStrike, HubSpot, LinkedIn, T-Mobile, Twilio, and "one-third of the Cloud 100" as customers.

**About the Author**

Drata Acquires SafeBase to Strengthen GRC Portfolio

A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However, exploitation is limited to specific conditions due to the server's CORS configuration (Access-Control-Allow-Origin: * without Access-Control-Allow-Credentials: true). The vulnerability can only be exploited under the following scenarios:
Same Domain: The attacker must host the malicious page on the same domain as the target server.
Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between the user and the server (e.g., on an unsecured network).
Local Area Network (LAN) Access: The attacker must have access to the same network as the target server.
Subdomains: The attacker can host the malicious page on a subdomain if the server allows it.
Misconfigured CORS: The server’s CORS policy is misconfigured to allow certain origins or headers.
Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute JavaScript in the context of the target origin.

Title: ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery (RCE)  
Advisory ID: ZSL-2025-5918  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 11.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However, exploitation is limited to specific conditions due to the server's CORS configuration (Access-Control-Allow-Origin: \* without Access-Control-Allow-Credentials: true). The vulnerability can only be exploited under the following scenarios:  
Same Domain: The attacker must host the malicious page on the same domain as the target server.  
Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between the user and the server (e.g., on an unsecured network).  
Local Area Network (LAN) Access: The attacker must have access to the same network as the target server.  
Subdomains: The attacker can host the malicious page on a subdomain if the server allows it.  
Misconfigured CORS: The server’s CORS policy is misconfigured to allow certain origins or headers.  
Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute JavaScript in the context of the target origin.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[11.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_csrf1.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch

**Changelog**

\[11.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery (RCE)

State-led data privacy laws and commitment to enforcement play a major factor in shoring up business data security, an analysis shows.

Source: Oleckii Mach via Alamy Stock Photo

States are increasingly embracing data privacy regulation, and Kentucky, Rhode Island, and Tennessee are leading the charge. That has earned them high marks from security experts and landed them at the top of the list of states with the lowest rates of data breaches.

These three states are effectively protecting data because of a dual approach of drafting smart data privacy legislation, and then enforcing those laws when appropriate, according to Anonta Khan, who is with DesignRush, the firm that conducted the state data privacy study. Conversely, South Dakota (which got the lowest safety score in the survey, 65.14 out of 100) and Alaska (66.50) rank at the bottom.

"Some states, like Kentucky (the highest rated at 99.32) and Rhode Island (97.14), do a good job protecting data," Khan says. "They have fewer cybercrimes and data leaks. Others, like South Dakota and Alaska, have weak laws and a lot of cyber threats."

However, she stresses, "having strong laws doesn't always mean a state is safe."

It's more nuanced than that.

**Higher Safety Scores Don't Mean Less Cybercrime**

In general, the results of the study suggest that states with less data breach regulation tend to have higher rates of cybercrime overall. That includes Nevada (with a safety score of 77.64), which last year logged 309.7 cyber incidents per 100,000 people, which is more than triple the national average. But there are other contributing factors. Nevada, for instance, has businesses that are attractive targets for hackers, like casinos, Kahn points out.

Related:CISA Places Election Security Staffers on Leave

Going further, California (89.3) has strong privacy laws but high cybercrime rates; that's because hackers are consistently targeting the state's tech sector, Khan explains. Delaware is another state with strong privacy laws that is likewise plagued by high rates of data breaches, being the state where most financial lending services are incorporated.

The takeaway? "This shows that laws need to be enforced well," Khan says.

A similar report from the Electronic Privacy Information Center (EPIC) in late January outlined areas where states should, in its view, take a more aggressive position against companies leaking personal data. And state governments appear to be moving in that direction, with a new wave of reform efforts on the horizon.

**New State-Led Data Privacy Efforts Are Brewing**

Delaware, for example, has kicked off 2025 with its new Data Privacy Protection Act going into effect. Other states, including Iowa, Nebraska, New Hampshire, and New Jersey, are also adding fresh data privacy laws this year and increasing enforcement budgets.

Related:DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

States like Texas have also provided a model for aggressive data privacy regulation enforcement. On Jan. 13, Texas Attorney General Ken Paxton filed suit against the Allstate insurance company for what he alleges was an effort to skirt his state's data privacy rules and track citizens' data without consent.

As these new laws come online, Khan and others are optimistic that data privacy practices are improving across the US, thanks to re-upped efforts at the state level. Moving forward, these laws will be tailored to fit emerging technology use cases, Khan adds.

"Artificial Intelligence (AI) is also becoming a bigger issue," Kahn says. "Colorado's Anti-Discrimination in AI Law starts in 2026, and other states are considering similar rules. Meanwhile, lawsuits over website tracking, biometric data, and online privacy will continue in 2025."

Regardless of state of residence, companies should look at this new era of data privacy protection as an opportunity, according to Ojas Rege, senior vice president and general manager of privacy and data governance at OneTrust.

"With 20 distinct US data privacy laws enacted — all with different requirements and obligations — this is a risk most organizations won't want to take," Rege says. "By moving off spreadsheets, bringing in automation, and designating a senior data privacy leader, organizations can proactively comply with the current wave of US state privacy laws. Adopting AI responsibly also requires an effective data privacy program as a starting point and foundation."

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Data Leaks Happen Most Often in These States — Here's Why

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats.

Source: vska via Alamy Stock Photo

COMMENTARY

The Chinese-linked hacking group Salt Typhoon recently was detected lurking in major US telecommunication systems, exposing nearly every American's communications to Chinese intelligence and security services. 

In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that American citizens and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent to secure communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and regulatory obligations as they adopt new security solutions.

**Background: Salt Typhoon**

Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some parts dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.

Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States, and the Salt Typhoon campaign marks one of the most sophisticated attacks on US critical infrastructure in history. 

**Security vs. Compliance: Adopting End-to-End Encryption Technologies**

US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys at both the sender and recipient. The end result is data in transit is secure, rendering the contents of any intercepted or compromised communications indecipherable without the cryptographic key, including by Internet service providers and telecommunications companies — and foreign hackers targeting those entities.

While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries. 

In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization are to be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review. 

In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accessibility Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications restrict a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years. 

**Recommendations**

As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To appropriately navigate these risks, organizations in every sector should consider three things.

First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when considering these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls specifically configured to allow for auditing and data preservation. 

Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually establish time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such functions should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.

Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture. 

**Conclusion**

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations need to balance the security imperatives with their regulatory obligations. 

**About the Authors**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy practice group. Michael advises clients in matters involving cybersecurity, public policy, and government relations. Michael helps clients navigate the complexities of cybersecurity, data privacy and the related regulatory landscape. Michael is the co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security.

Jillian Cash, Associate, Corporate Section, Buchanan Ingersoll & Rooney

Jillian Cash is an associate Buchanan’s Corporate Section, where she focuses on a variety of corporate, transactional, and cybersecurity matters.

Kellen Carleton, Associate, Corporate Finance and Technology Group, Buchanan Ingersoll & Rooney

Kellen Carleton is an associate in Buchanan’s Corporate Finance and Technology group where he focuses on a variety of corporate, transactional, and cybersecurity matters.

Salt Typhoon's Impact on the US &amp; Beyond

The popular generative AI (GenAI) model allows hallucinations, easily avoidable guardrails, susceptibility to jailbreaking and malware creation requests, and more at critically high rates, researchers find.

Source: Mundissima via Alamy Stock Photo

Organizations might want to think twice before using the Chinese generative AI (GenAI) DeepSeek in business applications, after it failed a barrage of 6,400 security tests that demonstrate a widespread lack of guardrails in the model.

That's according to researchers at AppSOC, who conducted rigorous testing on a version of the DeepSeek-R1 large language model (LLM). Their results showed the model failed in multiple critical areas, including succumbing to jailbreaking, prompt injection, malware generation, supply chain, and toxicity. Failure rates ranged between 19.2% and 98%, they revealed in a recent report.

Two of the highest areas of failure were the ability for users to generate malware and viruses using the model, posing both a significant opportunity for threat actors and a significant threat to enterprise users. The testing convinced DeepSeek to create malware 98.8% of the time (the "failure rate," as the researchers dubbed it) and to generate virus code 86.7% of the time.

Such a lackluster performance against security metrics means that despite all the hype around the open source, much more affordable DeepSeek as the next big thing in GenAI, organizations should not consider the current version of the model for use in the enterprise, says Mali Gorantla, co-founder and chief scientist at AppSOC.

Related:CISA Places Election Security Staffers on Leave

"For most enterprise applications, failure rates about 2% are considered unacceptable," he explains to Dark Reading. "Our recommendation would be to block usage of this model for any business-related AI use."

**DeepSeek's High-Risk Security Testing Results**

Overall, DeepSeek earned an 8.3 out of 10 on the AppSOC testing scale for security risk, 10 being the riskiest, resulting in a rating of "high risk." AppSOC recommended that organizations specifically refrain from using the model for any applications involving personal information, sensitive data, or intellectual property (IP), according to the report.

AppSOC used model scanning and red teaming to assess risk in several critical categories, including: jailbreaking, or "do anything now," prompting that disregards system prompts/guardrails; prompt injection to ask a model to ignore guardrails, leak data, or subvert behavior; malware creation; supply chain issues, in which the model hallucinates and makes unsafe software package recommendations; and toxicity, in which AI-trained prompts result in the model generating toxic output.

The researchers also tested DeepSeek against categories of high risk, including: training data leaks; virus code generation; hallucinations that offer false information or results; and glitches, in which random "glitch" tokens resulted in the model showing unusual behavior.

Related:Data Leaks Happen Most Often in These States — Here's Why

According to Gorantla's assessment, DeepSeek demonstrated a passable score only in the training data leak category, showing a failure rate of 1.4%. In all other categories, the model showed failure rates of 19.2% or more, with median results in the range of a 46% failure rate.

"These are all serious security threats, even with much lower failure rates," Gorantla says. However, the high failure results in the malware and virus categories demonstrate significant risk for an enterprise. "Having an LLM actually generate malware or viruses provides a new avenue for malicious code, directly into enterprise systems," he says.

**DeepSeek Use: Enterprises Proceed With Caution**

AppSOC's results reflect some issues that have already emerged around DeepSeek since its release to much fanfare in January with claims of exceptional performance and efficiency even though it was developed for less than $6 million by a scrappy Chinese startup.

Soon after its release, researchers jailbroke DeepSeek, revealing the instructions that define how it operates. The model also has been controversial in other ways, with claims of IP theft from OpenAI, while attackers looking to benefit from its notoriety already have targeted DeepSeek in malicious campaigns.

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

If organizations choose to ignore AppSOC's overall advice not to use DeepSeek for business applications, they should take several steps to protect themselves, Gorantla says. These include using a discovery tool to find and audit any models used within an organization.

"Models are often casually downloaded and intended for testing only, but they can easily slip into production systems if there isn't visibility and governance over models," he says.

The next step is to scan all models to test for security weaknesses and vulnerabilities before they go into production, something that should be done on a recurring basis. Organizations also should implement tools that can check the security posture of AI systems on an ongoing basis, including looking for scenarios such as misconfigurations, improper access permissions, and unsanctioned models, Gorantla says.

Finally, these security checks and scans need to be performed during development (and continuously during runtime) to look for changes. Organizations should also monitor user prompts and responses, to avoid data leaks or other security issues, he adds.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

SystemBC RAT now targets Linux, enabling ransomware gangs like Ryuk & Conti to spread, evade detection, and maintain encrypted C2 traffic for stealthy cyberattacks.

Threat analysts have identified a new and emerging threat: a variant of the SystemBC RAT (Remote Access Trojan) that is now actively targeting Linux-based platforms. This development puts corporate networks, cloud infrastructures, and IoT devices at risk.

The latest version of SystemBC RAT is more stealthy and harder to detect, using encrypted communication to stay hidden while letting attackers move freely through compromised systems.

****SystemBC RAT: From Windows to Linux****

SystemBC is a Remote Access Trojan (RAT) commonly used in cyberattacks to provide attackers with remote control over infected systems. 

Initially a Windows-only threat, it has now expanded to Linux, making it even more dangerous as Linux-based servers are widely used in enterprise environments.

ANY.RUN’s analysts compared SystemBC’s Windows and Linux traffic

****What Makes the Linux Version of SystemBC RAT Dangerous?****

Let’s look at how this malware operates and why it poses a serious threat to Linux-based systems.

****Encrypted Communication with C2 Servers****

The SystemBC RAT for Linux maintains encrypted communication with C2 servers using the same custom protocols as its Windows counterpart. 

This allows attackers to keep a stable connection across a unified infrastructure of both Windows and Linux implants, making it easier to control infected machines without raising suspicion.

While SystemBC RAT is designed to keep its C2 communication encrypted and hidden, it becomes fully visible inside an ANY.RUN analysis session. By running a real sample in the sandbox, security teams can see the malware’s network connections, file modifications, and process activities in real time.

**View ANY.RUN analysis session**

SystemBC RAT analyzed inside ANY.RUN sandbox

Below the Linux Virtual Machine window, all network connections and system modifications related to this specific attack are clearly displayed. 

Suricata rule triggered by SystemBC RAT

In the Threats section, we can see that an alert was triggered by the Suricata rule: “Malware Command and Control Activity Detected – BOTNET SystemBC.Proxy Connection.” This immediate detection allows analysts to track the infection process and understand how the malware operates.

****Proxy Implant for Lateral Movement****

The malware operates as a proxy implant, meaning it can facilitate lateral movement within a compromised network without deploying additional, easily detectable tools. This makes it a powerful weapon for attackers who seek persistence and deeper infiltration within corporate infrastructures.

****Evasion of Traditional Detection****

One of the most concerning aspects is that security vendors struggle to detect this version as belonging to the SystemBC family. This stealthy approach allows the RAT to remain undetected for extended periods, making it a persistent threat.

****Sandbox and Virtualization Evasion****

Besides signature-based evasion, SystemBC also detects virtualized environments to resist dynamic analysis. In a real ANY.RUN analysis session mentioned above, the MITRE ATT&CK framework flags reveal “Virtualization/Sandbox Evasion- System Checks,” showing that the malware actively performs system checks to determine if it’s running inside a security sandbox or virtual machine. 

By identifying these environments, SystemBC can alter its behaviour or terminate execution, helping attackers bypass automated malware analysis tools while remaining fully operational on real infected systems.

Defense evasion techniques and tactics detected by ANY.RUN sandbox

****Integration with Other Malware Strains****

SystemBC is rarely deployed on its own. It often works alongside other malware to expand an attack’s impact. In Windows attacks, it has been observed delivering ransomware like Ryuk and Conti, as well as banking trojans and infostealers. 

With its new Linux variant, similar threats will likely follow, putting enterprise servers and cloud environments at greater risk of data theft, ransomware encryption, and persistent backdoor access.

****Unmasking Hidden Threats Before They Strike****

Cyber threats are getting smarter, and businesses can’t afford to play catch-up. With SystemBC RAT now hitting Linux, attackers have a new way to hide C2 traffic, move through networks unnoticed, and drop additional malware. Traditional security tools often miss these stealthy tactics, leaving corporate networks, and critical infrastructure at risk.

However, with tools like ANY.RUN interactive sandbox, hidden doesn’t mean unstoppable. Your security team can:

*   Analyze threats safely in a controlled environment.
*   Respond faster, containing threats before they spread and cause real harm.
*   Spot evasion techniques before they do damage, exposing how threats slip past defences.
*   Extract key IOCs, strengthening your threat intelligence and prevention strategies.
*   See hidden malware behaviours in real-time, from network traffic to system changes.

Tag

#intel