PRESS RELEASE

BIRMINGHAM, Mich., Jan. 15, 2025 /PRNewswire/ -- IT-Harvest, the premier data-driven industry analyst firm, is excited to announce the launch of HarvestIQ.ai, a groundbreaking platform featuring two cutting-edge AI assistants designed to redefine how professionals navigate the complex cybersecurity landscape.

The Analyst AI provides unparalleled access to IT-Harvest's comprehensive database of 4,070 cybersecurity vendors, offering users instant insights into market players, trends, and innovations. Meanwhile, the Architect AI empowers users with tailored guidance on cybersecurity products, leveraging IT-Harvest's in-depth analysis of over 11,300 products to help organizations make informed decisions about their cybersecurity strategies.

"HarvestIQ.ai is a game-changer for cybersecurity professionals. By combining our vast database with the power of AI, we're equipping analysts, architects, and decision-makers with tools that provide instant, actionable insights," said Richard Stiennon, Chief Research Analyst at IT-Harvest. "Whether you're evaluating vendors or designing a security architecture, HarvestIQ.ai ensures you're making data-driven decisions."

Key Features:

*   Analyst Assistant: Instant access to detailed information on 4,070 cybersecurity vendors through a familiar chat interface. A user holds a conversation with a powerful industry analyst with full vendor knowledge, including funding, security rating & health, headcount growth, and more.
    
*   Architect Assistant: Expert guidance on 11,300 cybersecurity products to streamline decision-making. Hold a conversation with a product-oriented assistant with in-depth technical knowledge of all cybersecurity solutions, compliance frameworks, capabilities, and more.
    
*   User-Friendly Platform: Get immediate access at harvestiq.ai.
    

"At IT-Harvest, we understand the critical need for precision and speed in cybersecurity decision-making," said Maximillian Schweizer, Chief Technology Officer. "HarvestIQ leverages the latest AI technology to deliver not just data, but actionable intelligence, enabling our users to stay ahead of evolving demands on their teams."

HarvestIQ is available now at harvestiq.ai. Monthly subscriptions are priced at $179 for the Architect Assistant and $159 for the Analyst Assistant, making it an accessible solution for enterprises, cybersecurity professionals, and consultants alike. Trial users can sign up for free answers to ten questions a month.

About IT-Harvest: IT-Harvest is a data-driven industry analyst firm specializing in cybersecurity market intelligence. With a mission to provide actionable insights and foster informed decision-making, IT-Harvest delivers unparalleled analysis and data-driven solutions to clients worldwide. The IT-Harvest Dashboard is the only platform for researching the entire cybersecurity industry. Data on 4,070 vendors and 11,300 products are continuously updated. Enterprise subscribers use the Dashboard for industry analysis, product discovery and selection, gap analysis, and acquisition hunting.

For more information, visit www.it-harvest.com or contact IT-Harvest at \[email protected\].

You May Also Like

IT-Harvest Launches HarvestIQ.ai

PRESS RELEASE

SEATTLE, Jan. 15, 2025 /PRNewswire/ -- Spectral Capital Corporation (OTCQB: FCCN), a pioneer in providing its deep quantum technology platform, is pleased to announce the filing of a critical patent in quantum cybersecurity.

"Over the past three decades, I have been deeply involved in the cybersecurity industry, including founding a leading-edge company that addressed some of the most complex challenges in the field," said Sean Michael Brehm, chairman of Spectral. "Quantum computing elevates cybersecurity risks to an entirely new level. With its potential to break RSA encryption—the foundation of global data security—quantum technology presents an unprecedented threat. In response, our team has developed a solution to ensure RSA encryption remains secure, even in the quantum era," concluded Spectral chairman Sean Michael Brehm.

"Out of the 104 patentable innovations acquired in the Vogon Cloud acquisition, the patent application around protecting RSA encryption from quantum hacking could be one of our most important. According to Allied Market Research, the global RSA encryption market, primarily measured within the broader "hardware encryption" category, is estimated to hold a significant share, with some reports stating that the RSA segment represents around 50% of the hardware encryption market, which is projected to reach a size of approximately $1.2 trillion by 2031, indicating a substantial market for RSA encryption alone. We are proud to be a part of protecting that market, even as new technologies for encryption emerge, like Spectral's unhackable distributed quantum ledger database technology," said Spectral's Chief Executive Officer, Jenifer Osterwalder. 

Spectral has a portfolio of patents and trade secrets designed to meet the enormous demand for hybrid computing systems which combine current classical computing technologies with emerging quantum computing technologies as these are made commercially available. An entire ecosystem of hardware and software will be needed to support hybrid and quantum computing and Spectral has ambitious plans to build one of the largest intellectual property portfolios in the industry, including its previously announced goal of filing for more than 500 patents by the end of 2025.

About Spectral Capital  
Spectral Capital (OTCQB: FCCN) is a quantum technology platform company at the forefront of innovation. Focusing on sustainable green cloud computing, quantum databases, and advanced quantum chip technology, Spectral Capital is revolutionizing industries such as telecommunications, AI, and green technology. With flagship offerings like the Vogon Cloud and Vogon DQLDB, the company is pioneering a future of decentralized, secure, and scalable computing.

Forward-Looking Statements

This press release contains forward-looking statements (as defined in Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended) concerning future events and FCCN's growth and business strategy. Words such as "expects," "will," "intends," "plans," "believes," "anticipates," "hopes," "estimates," and variations on such words and similar expressions are intended to identify forward-looking statements. Although FCCN believes that the expectations reflected in such forward-looking statements are reasonable, no assurance can be given that such expectations will prove to have been correct. These statements involve known and unknown risks and are based upon a number of assumptions and estimates that are inherently subject to significant uncertainties and contingencies, many of which are beyond the control of FCCN. Actual results may differ materially from those expressed or implied by such forward-looking statements. Factors that could cause actual results to differ materially include, but are not limited to, changes in FCCN's business; competitive factors in the market(s) in which FCCN operates; risks associated with operations outside the United States; and other factors listed from time to time in FCCN's filings with the Securities and Exchange Commission. FCCN expressly disclaims any obligations or undertaking to release publicly any updates or revisions to any forward-looking statements contained herein to reflect any change in FCCN's expectations with respect thereto or any change in events, conditions or circumstances on which any statement is based.

Spectral Capital Files Quantum Cybersecurity Patent

Amid ongoing fears over TikTok, Chinese generative AI platform DeepSeek says it’s sending heaps of US user data straight to its home country, potentially setting the stage for greater scrutiny.

The United States’ recent regulatory action against the Chinese-owned social video platform TikTok prompted mass migration to another Chinese app, the social platform “Rednote.” Now, a generative artificial intelligence platform from the Chinese developer DeepSeek is exploding in popularity, posing a potential threat to US AI dominance and offering the latest evidence that moratoriums like the TikTok ban will not stop Americans from using Chinese-owned digital services.

DeepSeek, an AI research lab created by a prominent Chinese hedge fund, recently gained popularity after releasing its latest open source generative AI model that easily competes with top US platforms like those developed by OpenAI. However, to help avoid US sanctions on hardware and software, DeepSeek created some clever workarounds when building its models. On Monday, DeepSeek’s creators limited new sign-ups after claiming the app had been overrun with a “large-scale malicious attack.”

While DeepSeek has several AI models, some of which can be downloaded and run locally on your laptop, the majority of people will likely access the service through its iOS or Android apps or its web chat interface. Like with other generative AI models, you can ask it questions and get answers; it can search the web; or it can alternatively use a reasoning model to elaborate on answers.

DeepSeek, which does not appear to have established a communications department or press contact yet, did not return a request for comment from WIRED about its user data protections and the extent to which it prioritizes data privacy initiatives.

As people clamor to test out the AI platform, though, the demand brings into focus how the Chinese startup collects user data and sends it home. Users have already reported several examples of DeepSeek censoring content that is critical of China or its policies. The AI setup appears to collect a lot of information—including all your chat messages—and send it back to China. In many ways, it’s likely sending more data back to China than TikTok has in recent years, since the social media company moved to US cloud hosting to try to deflect US security concerns

“It shouldn’t take a panic over Chinese AI to remind people that most companies in the business set the terms for how they use your private data” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. “And that when you use their services, you’re doing work for them, not the other way around.”

**What DeepSeek Collects About You**

To be clear, DeepSeek is sending your data to China. The English-language DeepSeek privacy policy, which lays out how the company handles user data, is unequivocal: “We store the information we collect in secure servers located in the People's Republic of China.”

In other words, all the conversations and questions you send to DeepSeek, along with the answers that it generates, are being sent to China or can be. DeepSeek’s privacy policies also outline the information it collects about you, which falls into three sweeping categories: information that you share with DeepSeek, information that it automatically collects, and information that it can get from other sources.

The first of these areas includes “user input,” a broad category likely to cover your chats with DeepSeek via its app or website. “We may collect your text or audio input, prompt, uploaded files, feedback, chat history, or other content that you provide to our model and Services,” the privacy policy states. Within DeepSeek’s settings, it is possible to delete your chat history. On mobile, go to the left-hand navigation bar, tap your account name at the bottom of the menu to open settings, and then click “Delete all chats.”

This collection is similar to that of other generative AI platforms that take in user prompts to answer questions. OpenAI’s ChatGPT, for example, has been criticized for its data collection although the company has increased the ways data can be deleted over time. Regardless of these types of protections, privacy advocates emphasize that you should not disclose any sensitive or personal information to AI chat bots.

“I would not input personal or private data in any such an AI assistant,” says Lukasz Olejnik, independent researcher and consultant, affiliated with King's College London Institute for AI. Olejnik notes, though, that if you install models like DeepSeek’s locally and run them on your computer, you can interact with them privately without your data going to the company that made them. Additionally, AI search company Perplexity says it has added DeepSeek to its platforms but claims it is hosting the model in US and EU data centers.

Other personal information that goes to DeepSeek includes data that you use to set up your account, including your email address, phone number, date of birth, username, and more. Likewise, if you get in touch with the company, you’ll be sharing information with it.

Bart Willemsen, a VP analyst focusing on international privacy at Gartner, says that, generally, the construction and operations of generative AI models is not transparent to consumers and other groups. People don’t know exactly how they work or the exact data they have been built upon. For individuals, DeepSeek is largely free, although it has costs for developers using its APIs. “So what do we pay with? What do we usually pay with: data, knowledge, content, information,” Willemsen says.

As with all digital platforms—from websites to apps—there can also be a large amount of data that is collected automatically and silently when you use the services. DeepSeek says it will collect information about what device you are using, your operating system, IP address, and information such as crash reports. It can also record your “keystroke patterns or rhythms,” a type of data more widely collected in software built for character-based languages. Additionally, if you purchase DeepSeek’s premium services, the platform will collect that information. It also uses cookies and other tracking technology to “measure and analyze how you use our services.”

A WIRED review of the DeepSeek website's underlying activity shows the company also appears to send data to Baidu Tongji, Chinese tech giant Baidu's popular web analytics tool, as well as Volces, a Chinese cloud infrastructure firm. In a social media post, Sean O'Brien, founder of Yale Law School's Privacy Lab, said that DeepSeek is also sending “basic” network data and “device profile” to TikTok owner ByteDance “and its intermediaries.

The final category of information DeepSeek reserves the right to collect is data from other sources. If you create a DeepSeek account using Google or Apple sign-on, for instance, it will receive some information from those companies. Advertisers also share information with DeepSeek, its policies say, and this can include “mobile identifiers for advertising, hashed email addresses and phone numbers, and cookie identifiers, which we use to help match you and your actions outside of the service.”

**How DeepSeek Uses Information**

Huge volumes of data may flow to China from DeepSeek’s international user base, but the company still has power over how it uses the information. DeepSeek’s privacy policy says the company will use data in many typical ways, including keeping its service running, enforcing its terms and conditions, and making improvements.

Crucially, though, the company’s privacy policy suggests that it may harness user prompts in developing new models. The company will “review, improve, and develop the service, including by monitoring interactions and usage across your devices, analyzing how people are using it, and by training and improving our technology,” its policies say.

DeepSeek’s privacy policy also says the company will also use information to “comply with \[its\] legal obligations”—a blanket clause many companies include in their policies. DeepSeek’s privacy policy says data can be accessed by its “corporate group,” and it will share information with law enforcement agencies, public authorities, and more when it is required to do so.

While all companies have legal obligations, those based in China do have notable responsibilities. Over the past decade, Chinese officials have passed a series of cybersecurity and privacy laws meant to allow state officials to demand data from tech companies. One 2017 law, for instance, says that organizations and citizens should “cooperate with national intelligence efforts.”

These laws, alongside growing trade tensions between the US and China and other geopolitical factors, fueled security fears about TikTok. The app could harvest huge amounts of data and send it back to China, those in favor of the TikTok ban argued, and the app could also be used to push Chinese propaganda. (TikTok has denied sending US user data to China’s government.) Meanwhile, several DeepSeek users have already pointed out that the platform does not provide answers for questions about the 1989 Tiananmen Square massacre, and it answers some questions in ways that sound like propaganda.

Willemsen says that, compared to users on a social media platform like TikTok, people messaging with a generative AI system are more actively engaged and the content can feel more personal. In short, any influence could be larger. “Risks of subliminal content alteration, conversation direction steering, in active engagement ought by that logic to lead to more concern, not less,” he says, “especially given how the inner workings of the model are widely unknown, its thresholds, borders, controls, censorship rules, and intent/personae largely left unscrutinized, and it being already so popular in its infancy stage.”

Olejnik, of King's College London, says that while the TikTok ban was a specific situation, US law makers or those in other countries could act again on a similar premise. “We can’t rule out that 2025 will bring an expansion: direct action against AI firms,” Olejnik says. “Of course, data collection may again be named as the reason.”

_Updated 5:27 pm EST, January 27, 2025: Added additional details about the DeepSeek website's activity._

_Updated 10:05 am EST, January 29, 2025: Added additional details about DeepSeek's network activity._

DeepSeek’s Popular AI App Is Explicitly Sending US Data to China

CISOs are planning to adjust their budgets this year to reflect their growing concerns for cybersecurity preparedness in the event of a cyberattack.

Source: Irina Guzovataya via Alamy Stock Photo

NEWS BRIEF

In 2025, chief information security officers (CISOs) will be directing their attention to becoming more cyber prepared in the event of an attack, by enhancing their crisis simulation capabilities.

That's according to a study conducted by researchers at Hack The Box, which found that out of 200 US- and UK-based CISOs, 74% said they plan to up their crisis simulation budgets this year.

These changes likely stem from rising concerns about the growing number of cyberattacks, the lack of incident-response planning, and inadequate stress-testing of crisis scenarios. Major cyberattacks and cyber incidents have impacted organizations such as NHS, 23andMe, and a host of businesses impacted by the CrowdStrike faulty update in 2024, affecting enterprises on a global level. CISOs are trying to reassess their organizations' capabilities in order to manage the chaos when it inevitably arises.

A full 77% of those surveyed said they would allocate greater budgets for cyber-crisis simulations if the exercises themselves were more realistic and actionable. 

"Preparedness is the foundation of resilience, and crisis simulations play a crucial role in testing organizations security and workforce performance when it's most critical," said Haris Pylarinos, CEO and founder at Hack The Box, in a statement. "Organizations are right to prioritize crisis simulation, and must ensure that these are implemented in the right way."

Also, 73% of survey respondents reported that crisis simulations and incident-response exercises for both their technical and non-technical teams were their top business priority this year.

Pylarinos highlighted that crisis simulation will continue to evolve, pairing artificial intelligence with expert knowledge in order to provide tailored and realistic scenarios that reflect challenges that security teams and management will face on digital front lines. "It will unite previously disparate business units as one," he said, "and allow real-world performance to be benchmarked in a controlled environment."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Crisis Simulations: A Top 2025 Concern for CISOs

DeepSeek, a new China-backed AI platform, faces a cyberattack disrupting new user registrations. Learn about its rapid growth,…

DeepSeek, a new China-backed AI platform, faces a cyberattack disrupting new user registrations. Learn about its rapid growth, challenges, and the importance of cybersecurity.

DeepSeek, a rising star in the world of artificial intelligence, has confirmed it is facing a large-scale cyberattack that has disrupted its services. The company released a statement on its website, informing users:

_“_Due to large-scale malicious attacks on DeepSeek’s services, registration may be busy. Please wait and try again. Registered users can log in normally. Thank you for your understanding and support._“_

Screenshot: Hackread.com

**What is DeepSeek?**

DeepSeek, a Chinese AI startup, has quickly gained prominence as an AI assistant designed to rival established names like **OpenAI’s ChatGPT**. The platform has been lauded for its intuitive features and user-friendly design, which have captured the attention of millions worldwide.

In just days, it climbed to the top spot in the free application section of Apple’s App Store in the United States, overtaking ChatGPT. This rapid surge in popularity has placed DeepSeek squarely in the spotlight, making it a tempting target for cybercriminals.

**The Attack and Its Impact**

The large-scale attack has primarily impacted new user registrations, leaving prospective users unable to join the platform. Current users, however, can still log in and use the service without interruption. Despite the disruption, DeepSeek remains optimistic, thanking users for their patience and support as they work to resolve the situation.

**Cybersecurity Expert’s Perspective**

Commenting on the incident, Jake Moore, Global Cyber Security Advisor at ESET, highlighted the risks associated with DeepSeek’s rapid rise: _“_DeepSeek has certainly been in the limelight in recent days, which can act as a huge honeypot for cybercriminals. This is typical for any new platform which contentiously dominates the media for multiple reasons and can attract multiple groups of threat actors looking for any potential vulnerability to exploit._“_

_“_Irrespective of who is behind DeepSeek and its values, such attacks act as a reminder to bolster existing defences and to expect the unexpected; especially when attention grows quickly,” Jake told Hackread.com.

**Growing Pains of Rapid Success**

The cyberattack shows the challenges faced by platforms experiencing rapid growth. As new platforms gain popularity, they often become targets for threat actors seeking to exploit vulnerabilities. This incident is a wake-up call for DeepSeek, highlighting the importance of strong cybersecurity measures, especially as its user base grows so rapidly.

This story is developing. Stay Tuned!

1.  **Sora and ChatGPT Currently Down Worldwide**
2.  **GhostGPT: Malicious AI Chatbot Fueling Cybercrime**
3.  **Cyberattack on American Water Shuts Down Customer Portal**

DeepSeek Faces Large-scale Cyberattack, Halts New User Registrations

Critical security flaw in SonicWall SMA 1000 appliances (CVE-2025-23006) exploited as a zero-day. Rated CVSS 9.8, patch immediately…

Critical security flaw in SonicWall SMA 1000 appliances (CVE-2025-23006) exploited as a zero-day. Rated CVSS 9.8, patch immediately to protect systems.

**SonicWall** has identified a critical security flaw in its Secure Mobile Access (SMA) 1000 Series appliances, which it believes has been exploited as a zero-day vulnerability. Learn about the vulnerability, impact, and how to mitigate the risk.

SonicWall issued a security advisory (SNWLID-2025-0002) on January 22nd, 2025, urging customers to address a critical zero-day vulnerability (**CVE-2025-23006)** impacting its Secure Mobile Access (SMA) 1000 Series appliances. Microsoft Threat Intelligence Centre discovered the flaw.

The vulnerability, rated 9.8 out of 10.0 on the CVSS scoring system, occurs due to improper handling of untrusted data during deserialization in the AMC (Appliance Management Console) and CMC (Central Management Console) components of the SMA 1000. Deserialization is a technical term for converting a stream of data back into a usable format. 

In this case, attackers can exploit weaknesses in how the SMA 1000 handles external data, possibly injecting malicious code to execute arbitrary commands on the system. The consequences of exploiting this vulnerability are severe. A successful attack could allow remote, unauthenticated attackers to gain complete control over affected devices. 

Moreover, attackers could steal sensitive information stored on the appliance, including user credentials, configuration data, or even confidential business documents, and may manipulate or disable critical system functions, rendering the appliance inoperable. Furthermore, a compromised SMA 1000 appliance could be used as a launching pad for further attacks within the network. 

Under certain conditions, this flaw could allow remote attackers to execute arbitrary commands, potentially compromising confidentiality, integrity, and availability.

SonicWall, a provider of secure remote access solutions for organizations like managed security service providers, enterprises, and government agencies, has been notified of potential active exploitation by unknown threat actors and urges customers to apply the fixes promptly. Germany’s CERT-Bund has also **issued advisories** (PDF) for immediate patch implementation, citing online exposure of 2,380 SMA1000 devices on Shodan.

Here’s what SonicWall recommended in its **advisory**:

*   Apply the Hotfix Immediately: Update your SMA 1000 appliance to the latest hotfix version (12.4.3-02854 or higher) to patch the vulnerability.

*   Restrict Access to Management Consoles: As a temporary workaround, limit access to the AMC and CMC consoles to trusted sources only. Refer to the SMA 1000 Administration Guide for best practices on securing these consoles.

This vulnerability exclusively impacts SonicWall SMA 1000 Series appliances running version 12.4.3-02804 (or earlier). SonicWall Firewalls and SMA 100 series products are not affected.

In a comment to Hackread.com, Bugcrowd founder **Casey Ellis** described the vulnerability as “gnarly” and emphasized that it reflects a broader trend of attackers increasingly targeting weaknesses in remote access systems and network devices.

_“_This vulnerability is gnarly and continues the trend of targeting vulnerabilities in Remote Access systems and network concentrators. Aside from patching, organizations should ensure that management interfaces for the SMA 1000, or any other device for that matter given the cluster of vulnerabilities, research, and exploitation, are not publicly accessible._“_

1.  **UNC5820 Exploits FortiManager 0-Day Flaw (CVE-2024-47575)**
2.  **Millions of Email Servers Exposed Due to Missing TLS Encryption**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **Fake PoC Exploit Targets Cybersecurity Researchers with Malware**
5.  **Zendesk’s Subdomain Registration Exposed to Pig Butchering Scams**

SonicWall SMA Appliances Exploited in Zero-Day Attacks

Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.

On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.

As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.

Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Judge Says Controversial FBI Searches Require a Warrant**

A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

**Cloudflare Function Could Expose App Users’ Rough Location**

An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.

**Trump Administration Disbands Review Board Investigating China’s Salt Typhoon Attacks**

In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”

US Privacy Snags a Win as Judge Limits Warrantless FBI Searches

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

MITRE's Latest ATT&amp;CK Simulations Tackle Cloud Defenses

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive data via Telegram-based C&C.

CloudSEK has discovered a new campaign involving a Trojanized version of the **XWorm RAT** builder. The malware spread through various channels, including file-sharing services (like Mega and Upload.ee), Github repositories (such as LifelsHex/FastCryptor and FullPenetrationTesting/888-RAT), Telegram channels (including HAX\_CRYPT and inheritedeu), and even Youtube and other websites. 

This campaign resulted in compromising over 18,459 devices globally. The stolen data included sensitive information like browser credentials, Discord tokens, Telegram data, and system information from the compromised devices.

“This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution,” CloudSEK’s **blog post** authored by the company’s Threat Intelligence Researcher, Vikas Kundu, revealed.

Threat actors specifically distributed a modified XWorm RAT builder to target inexperienced attackers (aka **Script Kiddies**). Once installed, the malware exfiltrated sensitive data like browser credentials, Discord tokens, Telegram data, and system information from the victim’s device. It also boasted advanced features like virtualization checks, the ability to modify the registry, and extensive command and control capabilities.

Furthermore, this malware relies on Telegram for its command and control functionality. It used bot tokens and Telegram API calls to receive commands from the attacker and exfiltrate stolen data.

Researchers were able to identify and leverage a “kill switch” functionality within the malware. This functionality was used to disrupt operations on active devices infected with the malware. However, this approach had limitations. Offline machines and Telegram’s rate limiting mechanisms prevented complete disruption.

Based on the investigation, researchers were able to link the threat actor to aliases “@shinyenigma” and “@milleniumrat.” Additionally, they were able to identify associated GitHub accounts and a ProtonMail address.

It is worth noting that XWorm has become a persistent threat with Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) **reporting** its usage in Russian cyber operations against Ukraine in the first half of 2024. 

To protect against such threats, organizations and individuals should use Endpoint Detection and Response (EDR) solutions to detect suspicious network activity and even malware identification.

Additionally, network monitoring using Intrusion Detection and Prevention Systems (IDPS) can block communication between infected devices and the malicious C&C server on Telegram. Proactive measures like blocking access to known malicious URLs and enforcing application whitelisting can prevent malware from being downloaded and executed.

**RELATED ARTICLES**

1.  **P2PInfect: Self-Replicating Worm Hits Redis Instances**
2.  **FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs**
3.  **Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation**
4.  **NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT**
5.  **Black Basta-Style Attack Hits Inboxes with 1,165 Emails in 90 Minutes**

Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively.

Source: Vladimir Stanisic via Alamy Stock Photo

COMMENTARY

The federal government is often slow moving when it comes to various technology modernization efforts (thanks to the obstacles posed by resourcing, staffing, and politics), so it's no surprise that a lack of cybersecurity awareness and action has caused federal infrastructure to reach new levels of criticality. 

Year after year we see data breaches become more commonplace, with ransomware plaguing organizations and agencies of all sizes, while foreign adversaries continue to work their way into our networks and most high-value infrastructure. There's a good reason why trust has been slowly eroding across our federal institutions over the past 20 years. But aptly timed in this tumultuous era — and released during his final days in office — is the Biden administration's executive order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. 

My take is that it's certainly good. And it's certainly needed. There's clearly a problem in shoring up our national supply chain. Our adversaries are getting stronger every day, and they're exploiting gaps and weaknesses in our interconnected systems in a way that's very real and urgent. Plus, as our workforce (federal and private) continues to modernize, digitalize, and work from anywhere, our inability to reconcile secure-by-design development with fast work-from-anywhere productivity has created a harsh reality. 

The takeaways from this executive order are the same as ever. People have long deprioritized getting the basics right when it comes to cybersecurity. A history of sporadic and continuous investment in legacy IT has left organizations ripe for and open to attacks. In fact, 90% of organizations lack visibility over all their endpoints at any given time, and in 2024, breaches caused by the successful exploitation of vulnerabilities went up 180% year over year. There remains an evident education, enforcement, and skills gap in cyber. How much longer will it take us to recognize and make the necessary changes to overcome these issues? 

But there are some positives. In my mind, here's why this executive order is different: It comes at a time when there's an actual, viable solution readily available to help the US federal government — and the larger software supply chain — overcome the challenges that have long stifled our collective resilience efforts. AI and automation pose a real and lasting way for the US federal government to shore up resilience, improve the integrity of the software supply chain, and upskill the federal workforce. AI allows organizations working with the federal government to reach a balance between productivity, growth, and security in a way that's never before been possible. 

As written in the executive order, "Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense." AI, when used strategically to analyze, synthesize, and inform security actions — particularly in areas like patch management and vulnerability assessment — not only presents the opportunity to help the federal government achieve resilience, solidifying infrastructure and streamlining operations in the process, but also frees up critical talent to reach new goals and mission critical resilience objectives as they evolve. 

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively. Though like anything else in technology, not all of AI is created equal, and thoughtful adoption in addition to rigorous coding, testing, and transparent disclosure practices will be essential to ensure that we as a community and as a software supply chain continue to implement, grow, and refine accordingly. 

Even if this executive order gets overturned, mandates like these serve as a helpful reminder of all that is important — and possible — to prioritize and achieve in this new AI era. While utilizing AI won't be without its challenges, and no development program will ever be perfect, AI offers organizations a unique opportunity to strive for more, strengthen development and compliance practices, and grow, while upskilling the next crop of cybersecurity talent to more proactively get ahead of the next generation of threats. 

**About the Author**

Chief Trust Officer, NinjaOne

Mike Arrowsmith is the Chief Trust Officer at Ninjaone where he leads the organization’s IT, security, and support infrastructure to ensure NinjaOne meets customers’ security and data privacy demands as it scales. Prior to NinjaOne, Arrowsmith held top security roles at Guardant Health and Splunk, where he focused on managing and scaling IT and security teams. Arrowsmith brings a deep understanding of how high-value, fast-growth companies can navigate security challenges, embed a culture of security, and bake in data ethics to everything they do. Most of all, Arrowsmith has an unrelenting focus on customer experiences and is heavily involved in product development at NinjaOne, bringing a "company zero" mentality to his team.

Tag

#intel