The campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.

North Korea-linked threat groups are increasingly using living-off-the-land (LotL) techniques and trusted services to evade detection, with a recent Kimsuky campaign showcasing the use of PowerShell scripts and storing data in Dropbox folders, along with improved operational security.

In the campaign, dubbed "DEEP#DRIVE" by security firm Securonix, the threat group used fake work logs, insurance documents, and crypto-related files to convince users to download and run a zipped shortcut file that gathers system configuration information and then executes PowerShell and .NET scripts. The attack tools upload the system data to Dropbox folders and then download additional commands and capabilities for further compromise.

While the attackers showed some interest in quick financial wins — such as targeting cryptocurrency users — for the most part, the threat group focused on stealing sensitive data from South Korean government agencies and businesses, says Tim Peck, a senior threat researcher at Securonix.

"We observed evidence of both espionage and financial motivation, though leaning more toward espionage," he says. "This aligns with Kimsuky's historical targeting of South Korean government agencies, enterprises, and strategic industries."

North Korean cyber-operations groups have consistently targeted South Korea and the US, with South Korean government agencies and companies among the most popular targets. In September 2024, the FBI warned that North Korean groups planned to launch a surge of attacks against organizations with significant cryptocurrency reserves, and Kimsuky launched a similar multistage attack against South Korean targets last year.

**A Prolific Group**

Kimsuky isn't monolithic, but has five threat groups that have overlap with what other companies consider to be the same group, says threat intelligence firm Recorded Future. One group tends to focus on the healthcare and hospitality sectors, for example, while another focuses on cryptocurrency markets.

By mid-2023, Kimsuky became the most prolific North Korean group. (More recent data not available.) Source: Recorded Future's "North Korea's Cyber Strategy" report

The Kimsuky groups accounted for the most attacks identified as North Korean in origin between 2021 and 2023, according to Recorded Future's "North Korea Cyber Strategy" report. In 2024, the groups continued to account for a high volume of attacks, says Mitch Haszard, senior threat intelligence analyst with Recorded Future.

"These groups conduct high volume phishing campaigns, primarily targeting individuals and organizations in South Korea, while occasionally targeting entities in other countries," he says. "In the activity we see, these groups appear to be going for volume, rather than more time-consuming, tailored spear-phishing operations."

Other well known North Korean groups, such as Lazarus and Andariel, are not as prolific as the Kimsuky threat actors. While some of those groups are more focused on gathering sensitive information, nearly all also have a financial motivation.

**Thousands of Victims?**

In the DEEP#DRIVE campaign, following the compromise of a system, the Kimsuky group's attack scripts upload data on the system configuration to one of several Dropbox folders. While the Securonix researchers were not able to gather intelligence from all the suspected Dropbox locations, they uncovered signs of more than 8,000 configuration files, although some appear to be duplicates, Peck says.

While that means they likely came from the same victim organizations, the campaign appears to be quite successful, he says.

"There were two factors which contributed to the 'uniqueness' of the configuration file, the username, and IP address," Peck says. "Some usernames were associated with dozens of similar IP addresses, which could indicate lateral movement by the attacker — \[that is\], infecting dozens of machines from the same entity."

The data from a compromised system includes the host IP address, the system uptime, details about the OS type and version, any installed security software, and a list of running processes.

**Kimsuky Improves Its OpSec**

The campaign also highlighted North Korean cyber-operations groups' improvements to operational security. The group used OAuth-based authentication on its Dropbox folders, preventing traditional URL-blocking or network-based defenses from following the links. The threat actors also quickly took down components of their infrastructure soon after the Securonix researchers began investigating, Securonix's Peck says.

"This level of operational awareness is not always present in phishing-driven malware campaigns," he says.

For companies, the threat group's tactics underscore that the hidden file extensions should be disabled, shortcut files should be blocked from executing in user folders, and only signed PowerShell scripts be allowed to execute. Those three countermeasures make the attackers' activity much easier to detect, Peck says.

In addition, companies in targeted industries — such as cryptocurrency exchanges and government agencies — should bolster their email security and regularly train employees on how to spot phishing threats, says Recorded Future's Haszard.

"Most North Korean cyberattacks still start with social engineering and a phish," he says. "Companies should ensure that they have an email security solution in place and regularly train employees on phishing threats, as well as conduct simulated phishing tests."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

North Korea's Kimsuky Taps Trusted Platforms to Attack South Korea

Acquisition strengthens Deepwatch Platform capabilities with actionable insights and risk-based prioritization.

Source: Gajus via Adobe Stock Photo

NEWS BRIEF

Deepwatch, an artificial intelligence (AI) and human cyber-resilience platform provider, has announced its acquisition of security intelligence solutions startup Dassana. Deepwatch plans to integrate Dassana's AI-powered risk and threat exposure management technology, CISO Copilot, into its Deepwatch Platform.

The integration will also allow CISOs and security leaders to get real-time insights into their security posture, said Deepwatch CEO John DiLullo in a statement. The acquisition will give Deepwatch's internal SOC operations and customers better tools around automation, compliance reporting, and proactive security management.

Dassana's products integrate with existing security infrastructure and aggregate and normalize data from various security tools to provide a unified view of an organization's security environments. Organizations gain real-time visibility into their security posture and can apply the actionable insights to expedite remediation efforts and enhance the effectiveness of security controls. CISO Copilot automates evidence collection for compliance, allocates resources based on business impact, and accesses real-time board-level metrics, allowing CISOs to make data-driven decisions.

"By joining forces with Dassana, our mission to democratize and make our AI capabilities available to companies of all sizes has taken a giant leap forward," DiLullo said. "We believe cyber-resilience should be available to all and that everyone deserves to conduct their businesses free from the scourge of cyber attacks."

Financial details of the deal were not disclosed.

**About the Author**

Deepwatch Acquires Dassana to Boost Cyber-Resilience With AI

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections…

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections and data theft.

Cybersecurity researchers at Microsoft Threat Intelligence have identified a new strain of the XCSSET malware targeting macOS users. This modular malware focuses on attacking Apple developers by infecting Xcode projects, tools necessary for building applications on the macOS platform.

While the current spread of this updated version appears limited, experts are urging developers and organizations to implement precautionary measures to safeguard their systems.

****What is XCSSET?****

XCSSET was first identified by Trend Micro in 2020. It has since gained a reputation as a sneaky piece of malware. This latest version builds upon its predecessor’s capabilities with major improvements in its design, making it even harder to detect and defend against.

According to Microsoft’s findings, the new variant comes equipped with advanced obfuscation techniques, more sophisticated persistence mechanisms, and updated methods for infecting systems. These upgrades make XCSSET a persistent and stealthy threat that can carry out a mix of different malicious activities, including targeting digital wallets, stealing data from the Notes app, stealing sensitive system information, and exfiltrating files.

****Harder to Detect****

One of the main capabilities of this new XCSSET variant is its focus on evasion. To avoid detection by anti-virus and other security tools, the malware generates its payloads in a highly randomized manner. It randomizes both the encoding process and the number of iterations used, creating challenges for researchers attempting to analyze the code.

What’s more, older versions of XCSSET relied on a single tool, xxd (hexdump), for encoding its payloads. The latest version, however, adds Base64 encoding to its arsenal, further complicating analysis efforts. Even the names of the malware’s modules have been obfuscated, making it difficult to discern their purpose or function within the code.

****Harder to Remove****

The new XCSSET variant employs two innovative methods to ensure it remains active on infected systems, even after a reboot or user logout.

1.  **“zshrc” Method**: This tactic involves creating a hidden file called ~/.zshrc_aliases to house the malicious payload. The malware then manipulates the ~/.zshrc configuration file, adding a command that automatically loads the malicious file whenever a new shell session starts. This means that every time a user opens their terminal, the malware activates in the background.
2.  **“Dock” Method**: This approach hijacks the macOS Dock. The malware downloads a signed utility called “dockutil” from a remote command-and-control server to modify Dock items. It replaces the legitimate “Launchpad” app with a malicious version, ensuring that the malware executes every time the user interacts with the Dock.

****Targeting Xcode Projects****

As its name suggests, XCSSET primarily targets Xcode, Apple’s powerful integrated development environment (IDE) for macOS. The malware infiltrates Xcode projects using one of three placement strategies: **TARGET**, **RULE**, or **FORCED\_STRATEGY**. These strategies determine how and where the malicious payload is embedded within the project files.

Additionally, the malware can target the TARGET_DEVICE_FAMILY key within the project’s build settings. By inserting its code here, XCSSET ensures that the payload only activates when the app is built and run on specific devices, evading detection during development or testing phases.

> Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information… pic.twitter.com/oWfsIKxBzB
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025

****How to Protect Yourself****

If you are an Apple developer or a macOS user in general, here are some simple yet vital tips to protect your devices from XCSSET malware:

*   **Inspect Xcode Projects**: Always review and verify Xcode projects, especially if they are downloaded from external repositories or shared by third parties.
*   **Stick to Trusted Sources**: Download apps and tools exclusively from official Apple channels or reputable software platforms. Avoid third-party app stores or unofficial downloads.
*   **Keep Up with the Updates**: Keep up-to-date with the latest security advisories from Microsoft, Apple, and other cybersecurity organizations.

New XCSSET Malware Variant Targeting macOS Notes App and Wallets

London, United Kingdom, 18th February 2025, CyberNewsWire

Intel by Intruder now uses AI to contextualize NVD descriptions, helping security teams assess risk faster.

Intruder, a leader in attack surface management, has launched AI-generated descriptions for Common Vulnerabilities and Exposures (CVEs) within its free vulnerability intelligence platform, Intel. This new feature enhances cybersecurity professionals’ ability to quickly understand and assess vulnerabilities, addressing a common pain point: the often vague and technical descriptions provided by the National Vulnerability Database (NVD).

With thousands of vulnerabilities published every year, security teams rely on NVD as a key resource for researching CVEs. However, NVD descriptions frequently lack clarity or context, making it difficult to determine potential impact at a glance. Intel’s AI summaries transform NVD descriptions into clear, concise, and actionable insights, helping teams assess and respond to risks faster.

> “Vulnerability management is challenging enough without the added complexity of deciphering cryptic CVE descriptions,” said **Chris Wallis, CEO & Founder of Intruder**. “With Intel’s AI Overviews, we’re making it easier for security professionals to quickly gauge what a vulnerability is and decide what action to take.”

Additionally, Intruder’s in-house security experts manually review the AI descriptions of the most critical vulnerabilities. These expert-reviewed CVEs are clearly marked in Intel with a “Verified by Intruder” label.

Intel, which is completely free to use, already provides powerful features such as a real-time feed of trending CVEs, a unique hype score rated out of 100, and in-depth analysis from Intruder’s security team. The addition of AI-generated CVE descriptions further strengthens Intel’s value as a go-to resource for cybersecurity professionals.

**Availability**

The AI-generated CVE descriptions are **available now** within **Intel** at intel.intruder.io. Cybersecurity professionals can access Intel for free today.

For more information, users visit www.intruder.io or follow Intruder on LinkedIn and Twitter.

**About Intruder**

Intruder was founded in 2015 to solve the information overload crisis in vulnerability management. Its mission from day one has been to help divide the needles from the haystack, focusing on what matters, while ignoring the rest. Effective cyber security is about getting the basics right. Intruder helps do that, saving time on the easy stuff, so users can focus on the rest. It has been awarded multiple accolades, was selected for GCHQ’s Cyber Accelerator, and is now proud to have over 3,000 happy customers all over the world.

Intruder Enhances Free Vulnerability Intelligence Platform ‘Intel’ with AI-Generated CVE Descriptions

Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…

Researchers earned a $50,500 **Bug Bounty** after uncovering a critical supply chain flaw in a newly acquired firm, highlighting security risks in business acquisitions.

Two cybersecurity researchers have walked away with a $50,500 bug bounty after finding a critical vulnerability in a major company’s software supply chain. The exploit targeted a recently acquired company, exposing a flaw that could have widespread ramifications.

The duo, Lupin (Roni Carta) and Snorlhax, have a history of collaboration; recently turned their focus to the often-overlooked area of business acquisitions. They noticed that these integrations frequently present security gaps as newly acquired entities may not always uphold the same rigorous security standards as their parent companies. This insight guided their hunt for a “game-changing” vulnerability.

Their approach began with a detailed examination of the acquired company’s online presence, including its code repositories and package registries. The researchers employed advanced techniques, transforming JavaScript files into Abstract Syntax Trees (ASTs) and Docker image analysis to identify dependencies and uncover possible flaws. This investigation led them to a DockerHub organization linked to the acquisition.

The real breakthrough occurred after the researchers downloaded and examined a Docker image. Inside, they discovered the complete source code for the company’s backend systems. But the story did not end there, as the researchers unearthed even more sensitive information.

According to Lupin’s technical blog post, the duo discovered that a “.git” folder was still included in the image. Within the folder, they found an authorization token for GitHub Actions (GHS). This token, if exploited, could have given the attacker the capability to manipulate the company’s build pipelines. The token could have allowed them to inject malicious code, tamper with software releases, or even gain access to additional repositories.

Further investigation revealed that the Docker image had removed the .npmrc configuration file, but the researchers recognized that earlier layers of the image could still hold traces of it. They leveraged tools like Dive and Dlayer to explore these layers, ultimately locating a private npm token. This token provided read-and-write access to the target company’s private packages.

The team realized they now had a path to insert malicious code into one of the private packages, which the company’s developers, pipelines, and production systems would then automatically fetch. Since these were private packages, the attack would bypass security scans, enabling them to compromise systems at every level leading to large-scale data theft and data breaches.

Software supply chain vulnerabilities have affected thousands of businesses in recent months. Cyberattacks targeting companies like Snowflake Inc., Blue Yonder, and MOVEit Transfer continue to be exploited, impacting organizations worldwide.

The good news is that the duo documented their findings and demonstrated the vulnerability’s impact to the impacted company’s security team. Their report outlined how attackers could use a poisoned npm package to harvest secrets, infiltrate into internal systems, and compromise CI/CD pipelines. As a result, the company awarded the researchers a $50,500 bug bounty, recognizing the severity of the vulnerability.

This incident shows how attacks can succeed when multiple overlooked flaws come together. In this case, the issue originated from software supply chain gaps and security flaws in a newly acquired company. The team pointed out the importance of securing every part of the build process, from the code itself to the components and external packages involved. It’s an example of how protecting a software development pipeline isn’t simple; it requires careful attention to every detail.

1.  Multichain hack: Hacker returns $1m, keeps $150k as bug bounty
2.  Apple Launches ‘Apple Intelligence’ – $1M Bug Bounty for Security
3.  Google Launches $250,000 kvmCTF Bug Bounty for KVM Exploits

Duo Wins $50K Bug Bounty for Supply Chain Flaw in Newly Acquired Firm

Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.
"Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies," the Microsoft Threat Intelligence team said in a post shared on X.
"These enhanced features add to

Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics

SOC challenges like alert fatigue, skill shortages and slow response impact cybersecurity. AI-driven solutions enhance SOC efficiency, automation…

SOC challenges like alert fatigue, skill shortages and slow response impact cybersecurity. AI-driven solutions enhance SOC efficiency, automation and threat detection.

In the latest technological era, SOCs which stands for Security Operations Centers play a prominent role in organizational protection. It protects organizations from cyber-attacks and threats. However, there are a lot of issues happening to the SOCs at the same time. These issues may be skills shortages, increasing complexities of the IT environment alert fatigue, etc. 

These issues create a heavy problem for SOC operations and leave the organizations at the corner target for cyber attacks. But in this technological era, there may be a lot of solution available that makes an easy for Artificial Intelligence (AI).

As AI plays a crucial role in autonomous SOC benefits, therefore it proves a game changer for the SOC. In this article, we can discuss the SOC challenges and also shed light on the factors by which you can address these issues. This way you can able to find solutions and success to build a successful cybersecurity posture.

****Addressing SOC Issues & The Role of AI Solutions********1\. Alert Fatigue********Challenge:****

Security Organization Centers (SOCs) have a high range of cybersecurity issues along with a high volume of alerts. There may be also low-priority incidents and false positives.

This puts pressure on the analysts and increases the risk of missing critical threat attacks.

****How AI Helps?****

AI-powered tools prioritize and analyze alerts based on their context and severity by using machine learning (ML). 

In this way, AI minimizes alert fatigue by filtering the noise focusing on high-risk alerts, and prioritizing autonomous SOC benefits. And ensures the SOC analysts that they concentrate and focus on genuine threats.

****2\. Skill Shortages********Challenge:** **

Because of the shortage of skilled cybersecurity professionals, it is impossible and difficult for SOCs to operate and work effectively, especially when dealing with advanced threats.

****How AI Helps:** **

AI helps in this regard by automating routine tasks like threat detection, incident triage, and log analysis, minimizing the dependency on human expertise. Autonomous SOC benefits allow the SOC teams to concentrate on more complex tasks, even with limited staff.

****3\. Slow Incident Response********Challenge:** **

The manual incident response process is slow and time-consuming, which allows the attackers to accelerate and speed up their activities and cause more damage.

****How AI Helps:** **

AI automates the response workflows, enabling faster containment and remediation of threats by using AI-driven tools like Automation and Response (SOAR) and Security Orchestration platforms. 

****4\. Complex IT Environments********Challenge:** **

Today’s IT environments are highly complex and complicated because they use IoT devices, cloud services, and remote workforces which create visibility gaps for SOCs.

****How AI Helps:** **

AI correlates data from multiple sources by providing autonomous SOC benefits and unified visibility across hybrid environments. It identifies the alerts and possible threats across the whole infrastructure, to ensure that no blind spot is left unchecked. 

****5\. Advanced Threat Detection********Challenge:** **

Traditional tools are in process and struggling to find and detect advanced threats like fileless malware, zero-day exploits, and APTs ( Advanced Persistent Threats).

****How AI Helps:** **

Artificial Intelligence (AI) utilizes anomaly detection for the proof and setting of unusual patterns. These unusual patterns help to indicate upcoming attacks and threats. 

Autonomous SOC benefits can detect previously unknown threats in real-time by learning from historical data.

****6\. Insufficient Threat Intelligence********Challenge:** **

It may be tough to respond to the issue of security organized centers. The reason behind this is that they often lack threat intelligence. 

****How AI Helps:** **

Threat intelligence platforms which are powered by AI study and analyze data from multiple sources, and give us real-time data and insights of emerging threats. This enables the SOCs to stay ahead of attackers and make informed decisions. 

****7\. High Volume of Data********Challenge:** **

SOCs analyze and process large amounts of data from endpoints, network traffic, and logs, which is impossible for human analysts to analyze and study and becomes a burden for them.

****How AI Helps:** **

AI proceeds large amounts of data efficiently and quickly by identifying the correlations, anomalies, and patterns that would be impossible for humans to detect manually, and enables more accurate and faster threat detection. 

****8\. Proactive Threat Hunting********Challenge:** **

Instead of proactive threat hunting, many SOCs operate in a reactive mode for responding to alerts.

****How AI Helps:** **

AI by analyzing the historical data and by identifying the indicators of compromise (IOC) enables proactive threat hunting. Autonomous SOC benefits also give us suggestions for further investigation. So we can say that it further empowers SOC analysts to take a proactive approach.

****9\. Insider Threats********Challenge:** **

With traditional tools, it is difficult to detect insider threats like compromised accounts and malicious employees. 

****How AI Helps:** **

To monitor the user activity and to detect the anomalies that may indicate insider threats this AI uses User and Entity Behaviour Analytics (UEBA). AI can also identify suspicious actions and alert SOC teams by analyzing the behaviour patterns.

****10\. Resource Constraints********Challenge:** **

There is a lack of budget and resources for many organizations to build and maintain a fully functional and working SOC.

****How AI Helps:** **

AI helps in this regard in such a way, by automating repetitive tasks and improving efficiency and this results in a reduction of operational costs. Without any substantial investments in infrastructure and personnel, it also enables small organizations to leverage advanced cybersecurity capabilities. 

****Conclusion:****

The challenges faced by the SOCs are many, but AI offers and gives simple solutions for them on how to overcome them. SOCs increase their ability to respond, detect, and mitigate cyber threats by using AI-driven tools and technologies. 

With the continuous evolution of cyber threats, organizations that are equipped with AI are in a better position to build effective and proper cybersecurity protection. 

AI is just not a tool, it is a strategic autonomous SOC benefit in the war against cybercrime. AI is completely changing the way how SOCs operate by minimizing alert fatigue and improving incident response to enable proactive threat hunting and addressing skills shortages.

Featured Image via: PixaBay/Cliff1126

10 Key SOC Challenges and How AI Addresses Them

South Korea has formally suspended new downloads of Chinese artificial intelligence (AI) chatbot DeepSeek in the country until the service makes changes to its mobile apps to comply with data protection regulations.
Downloads have been paused as of February 15, 2025, 6:00 p.m. local time, the Personal Information Protection Commission (PIPC) said in a statement. The web service remains

South Korea Suspends DeepSeek AI Downloads Over Privacy Violations

Plus: Researchers find RedNote lacks basic security measures, surveillance ramps up around the US-Mexico border, and the UK ordering Apple to create an encryption backdoor comes under fire.

As the United States reels from the upheaval caused by Elon Musk’s so-called Department of Government Efficiency (DOGE), hackers from countries the US considers hostile continue to wreak havoc from afar.

New research shows that China’s Salt Typhoon hacking group has expanded its targets list to include universities around the world and at least two more telecoms operating in the US. That brings the total number of US telecommunications networks breached by Salt Typhoon to at least 11.

Russia’s notorious Sandworm hacking unit may be best known for its attacks on Ukraine, including multiple blackouts caused by its cyberattacks and its release of the destructive NotPetya malware. However, a hacking group within Sandworm is now taking aim at targets in Western nations, including Australia, Canada, the UK, and the US, according to research released this week by Microsoft. The group, which Microsoft calls BadPilot, is known as an “initial access operation,” breaching targets for the purpose of handing over access to those systems to other Sandworm hackers.

Meanwhile, we dug into the slimy world of romance scammers who are making ill-gotten fortunes by capitalizing on the loneliness epidemic, and we dipped into the opaqueness of online advertising data that could pose a threat to US national security. Finally, we found that US funding cuts under the new Trump administration are hurting the organizations protecting children from exploitation, abuse, and human trafficking.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**The Official DOGE Website Launch Was a Security Mess**

Elon Musk’s DOGE finally started publishing some information about its activities on its threadbare website this week. But it wasn’t the only entity publishing on the site.

Two web developers, working independently, found that it is possible to push updates to the DOGE.gov domain, which claims to be an official US government website. The website uses a database that can be edited by anyone online, the experts told 404Media. To demonstrate the insecurity, they left a couple of messages on the DOGE site: “This is a joke of a .gov site,” one read, while the other says: “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN.”

The messages stayed on the website for at least 12 hours and remained visible for some time on Friday. The DOGE website was launched in January and until this week was a single landing page containing very little information. The web experts who discovered the vulnerabilities told 404Media that the website appeared to have been “slapped together.”

The website only started being populated this week—with some figures purporting to show the size of the US government—after Musk promised his organization would be “maximally transparent.” That transparency may have gone a step too far, however, with HuffPost reporting on Friday that the site included classified material.

As well as being insecure, the DOGE website heavily leans on X, the social media platform owned by Musk. DOGE’s homepage is a feed of its own X posts, but it also uses code that directs search engines to X.com instead of DOGE.gov, a WIRED review of the site found. “This isn't usually how things are handled, and it indicates that the X account is taking priority over the actual website itself,” one developer told WIRED.

**RedNote Security Flaws Come Into Focus**

Chinese TikTok alternative RedNote gained around 700,000 US users and courted American influencers when the ban on TikTok loomed in January. While many of those people may have only used RedNote for a few days, a new analysis from the University of Toronto’s Citizen Lab has highlighted how a lack of encryption could have opened up US users to “surveillance by any government or ISP \[Internet Service Provider\], and not just the Chinese government.”

The analysis of RedNote found a host of network security issues in both its Android and iOS apps. RedNote fetched images and videos using HTTP connections, not the industry standard and encrypted HTTPS; some versions of the app contained a vulnerability that allows an attacker to have “read” permissions on a phone; and it “transmitted insufficiently encrypted device metadata.” The flaws were contained in RedNote’s app and several third-party software libraries that it uses. Citizen Lab reported the issues to the companies starting in November 2024 but has not heard back from any of them.

The security researchers say that the vulnerabilities could risk surveillance for all users, including those in China. “As the Chinese government might already have mechanisms to lawfully obtain detailed data from RedNote about their users, the issues that we found also make Chinese users especially vulnerable to surveillance by non-Chinese governments,” the research says.

It underscores that within China even widely used apps may not meet the same security standards as those developed outside the country. “Applications that are popular in China often use no encryption, proprietary encryption protocols, or use TLS without certificate validation to encrypt sensitive data,” the analysis says.

**Military Spy Planes Increase Surveillance Flights at US-Mexico Border**

Over the last two weeks, US spy planes have flown at least 18 missions around the Mexico border, analysis from CNN has shown. The flights mark a “dramatic escalation in activity,” the publication reports, and come as the Trump administration has designated drug cartels as terrorist organizations and has turned the nation’s security apparatus toward deporting millions of migrants. According to CNN, various military planes, including Navy P-8s and a U-2 spy plane, were used in the operations and are capable of collecting both imagery and signals intelligence. Also this week, US Immigration and Customs Enforcement has advertised new contracts that would allow it to monitor “negative” social media posts that people make about it.

**Backlash Mounts Against UK’s Secret Apple Encryption Order**

Last month, the UK government hit Apple with a secret order demanding the company create a way to access data stored in encrypted iCloud backups. The order, called a Technical Capability Notice and issued under the UK’s controversial 2016 surveillance law, was first reported by The Washington Post last week. Since then, there’s been a growing backlash against the demands from the UK government, with many highlighting how a change would impact the security of millions around the world.

US senator Ron Wyden and representative Andy Biggs have sent a letter to Tulsi Gabbard, the new director of national intelligence, saying the order undermines trust between the US and UK. “If the UK does not immediately reverse this dangerous effort, we urge you to reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing with the UK,” the pair said, drawing comparisons to the Chinese-linked Salt Typhoon hacks of US telecom firms that utilized a surveillance “backdoor.” Since details of the order emerged, Human Rights Watch has called it an “alarming overreach,” while 109 civil society organizations, companies, and other groups signed an open letter saying the “demand jeopardizes the security and privacy of millions.”

Tag

#intel