In a previously unreported August memo, the Department of Homeland Security urged state and local police to conduct exercises to test their ability to respond to weaponized drones.

The Department of Homeland Security issued warnings to state and local law enforcement agencies this summer regarding the “growing illicit use” of commercial drones, internal documents show. Among the recommended steps was to conduct “exercises to test and prepare response capabilities.”

A DHS memo from August, which has not been previously reported, paints US cities as woefully underprepared for the “rising” threat of weaponized drones. The capabilities of unmanned aircraft systems (UAS) are “progressing faster” than available countermeasures offered under “federal prevention frameworks,” the memo says, adding that it’s common for state and local authorities to observe “nefarious” and “noncompliant” flights but still lack the authority to intervene.

The memo states that violent extremists in the US are increasingly searching for ways to modify “off-the-shelf” drones to ferry dangerous payloads, including “explosives, conductive materials, and chemicals,” with major advancements in the area being propelled largely by rampant experimentation on foreign battlefields, including those in Ukraine.

The document indicates that DHS has been urging local agencies for months to scout for possible launch sites near and around critical assets, while offering a slew of recommendations designed to mitigate a threat that the agency insists is growing by the day. Local officials have been advised to reposition CCTV cameras to aid in capturing evidence of airborne threats, and to start training local police on how to handle downed drones believed to carry hazardous and explosive materials. Additionally, the agency has urged local agencies to generously deploy, where legal, sensors capable of detecting and identifying commercial drones.

The memo, first obtained by Property of the People, a nonprofit focused on transparency and national security, was circulated roughly three months before the recent flurry of alleged drone sightings along the East Coast—growing national interest in which has been driven in part by the government’s own nebulous response.

New Jersey residents have been steadily reporting bright lights and flying objects in the sky over the past few weeks. At the same time, federal authorities have worked to downplay the significance of the reports. While Homeland Security secretary Alejandro Mayorkas conceded in an interview on Sunday that “people are seeing drones,” DHS had issued a statement days earlier declaring that “numerous detection methods” had failed to corroborate “any of the reported visual sightings.”

In the memo obtained by WIRED, DHS displays less confidence in its ability to detect menacing drones. The document, which authorities were instructed not to make public, states that “tactics and technology to evade counter-UAS capabilities are circulated and sold online with little to no regulation.” In reality, the ability of police to track errant drones is hindered by a range of evolving technologies, the memo says, including “autonomous flight, 5G command and control, jamming protection technology, swarming technology, and software that disables geofencing restrictions.”

The mystery in New Jersey and similar phenomena in Pennsylvania, New York, and Maryland, among other states, have put a spotlight on the ongoing efforts of state and federal legislators to expand the government’s access to counter-UAS technology. Speaking to reporters via Zoom on Saturday, a DHS official said the agency is urging Congress to “extend and expand existing counter-drone authorities,” and ensure “state and local authorities are provided the tools they need to respond to such threats as well.”

Currently, only a handful of federal agencies—including DHS and the Departments of Energy, Justice, and Defense—are legally permitted to bring down a drone inside US airspace.

Property of the People’s executive director, Ryan Shapiro, says the August memo makes clear that DHS is working steadily to obtain new technologies and legal privileges for law enforcement. But any impact to Americans’ civil liberties, he says, should not be justified by simply pointing to a “nebulous, misleadingly constructed threat.”

While terms like “violent extremists” conjure images of neo-Nazis and domestic terrorists hoping to incite a second US civil war, Shapiro says the government has also deceptively applied such labels to help undermine animal rights groups at the behest of corporations. Activists have relied heavily on drones over the past decade, he says, to help gather evidence of cruelty on factory farms—where recording undercover has been criminalized under so-called “ag-gag” laws.

During Saturday’s briefing, FBI officials said authorities had received roughly 5,000 drone tips in connection with the East Coast sightings, ultimately generating around 100 viable leads. Most of the reports appeared consistent, they said, with misidentified flights landing and taking off from major airports in the region.

While the FBI worked to allay concerns stemming from the recent sightings, it also urged Americans not to wholly dismiss the idea that rogue drones pose a serious threat. “It is well known to us that criminals breaking the law do, in fact, use \[drones\] to support their actions,” an official said, adding that, in contrast, the recent widespread sightings appear largely benign.

In a statement to WIRED, a DHS spokesperson said the agency is continuing to “advise federal, state, and local partners to remain vigilant to potential threats and encourages the public to report any suspicious activity to local authorities.”

Intel Officials Warned Police That US Cities Aren’t Ready for Hostile Drones

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target.

Ben Barrontine, Vice President of Executive Services & Partnerships, 360 Privacy

December 17, 2024

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

What are cybercriminals thinking? Inside the mind of a threat actor, the devil is in the details. Cybersecurity is composed of so many details that it's easy to miss some of them. For instance, even if you have all other employees protected, just one person not using two-factor authentication could put them all at risk.

Back in the day, a 99% success rate for security solutions was considered good. But the problem is that there's still a 1% chance of an attack getting through. To defeat that 1% chance, you must have layers of security. If you've got 10 layers of 99% success, you stack the odds in your favor that you will catch just about every security threat.

Defenses are getting more advanced, so threat actors will always search for the point of least resistance. In our day and age, that point is the human element. According to IBM, 41% of all cybersecurity incidents start with phishing as the initial attack vector. Fortunately, though, it's not all doom and gloom. By understanding the enemy, you can better prepare your organization against cyberattacks.

**The State of Security: Understanding Where Threat Actors Look**

Many threat actors are returning to the basics of social engineering by using information they get from data brokers. They're using basic phishing tactics to hook a target, because it avoids the automated cybersecurity tools and directly engages the individual human.

Cybercriminals rarely commit direct attacks against the designated target person. They typically find someone in the target's support system: an executive assistant, a spouse, kids, or the live-in grandmother. Whoever is the softest target in that support system will be the one who clicks a link. It doesn't matter if they have the latest, greatest security software update. Think of the Trojan horse story: A walled city's defenses were no match for a clever scheme that went right past all those defenses. In fact, the defenders opened the gates wide and unwittingly let the threat in.

**Train the Company's Cyber-Spidey Senses**

You have to develop a certain level of "Spidey sense" in employees, and it can be as simple as realizing that they need a second opinion before clicking a link. They don't have to be subject matter experts; they just have to know enough to recognize when they should ask someone else. After all, the Verizon "2024 Data Breach Investigations Report" notes that more than two-thirds (68%) of breaches analyzed included a nonmalicious human element, which involves insider errors or falling for social engineering schemes.

Part of developing this sense is looking for red flags in emails. While this may be getting harder with AI, there are still some obvious signs. Misspellings, odd phrasing, strange fonts, or out-of-character requests are all good indicators that something is amiss. For example, you would never get an email from your mom saying, "Hello, I need you to buy me gift cards." In addition, train employees to hover over the sender's name to see the email address. If the subject line says "Comcast," but the email address ends in "gmail.com," they can bet the email is a scam.

If a bad actor can access someone's packets by Wi-Fi sniffing or other means, the actor doesn't have to follow the person — they can just build out an electronic pattern of life and figure out where the target is going. That jeopardizes physical and digital safety. So, employees need to know not to connect to free Wi-Fi without a VPN and to turn Wi-Fi off when not using it.

People sometimes have the mistaken notion that they aren't targets for bad actors because they aren't famous and don't have a high net worth. But that's simply not the case today. Anyone with any online presence is a potential target to attackers. That means everyone needs to know their cyber hygiene.

Basic cyber hygiene is essential and easy. Steps to train employees on include:

*   Be more stringent about the info they share online
    
*   Review and adjust privacy settings
    
*   Use strong and unique passwords
    
*   Enable two-factor authentication
    

*   Be skeptical of unsolicited requests
    
*   Regularly audit third-party apps
    

*   Separate personal and professional identities
    

All of these points can be taught and tested via ongoing training.

**Outmaneuvering the Cybercriminals**

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target. Criminals go after the low-hanging fruit, such as people who click on suspicious links. Your job is to harden all targets at your organization. 

One of the security layers needed to close that 1% gap mentioned earlier is ongoing cyber-hygiene training for all employees from the bottom to the top. This aspect of a full-spectrum security plan is crucial, as humans are typically the weakest link in the security chain. However, with the proper education and training, they can become a solid first line of defense that helps keep everyone in the organization safe.

**About the Author**

Vice President of Executive Services & Partnerships, 360 Privacy

Ben Barrontine joined 360 Privacy in 2021 and currently holds the position of vice president of executive services and partnerships. Prior to 360 Privacy, Ben worked as a targeting specialist with the National Security Agency (NSA) under the US Army’s CSS Program. During his time in service he has worked with the US Marshalls, Special Forces, and US Embassy Security Teams as a cyber and signals intelligence collector and targeting subject matter expert. Ben created and leads the Executive Services Division at 360 Privacy, which helps to educate and protect families, family offices, business executives, professional athletes, and entertainers.

To Defeat Cybercriminals, Understand How They Think

The cybersecurity startup's data loss protection platform uses contextual redaction to help organizations safely use private business information across AI platforms.

Source: f:nalinframe via Alamy Stock Photo

NEWS BRIEF

As more organizations explore ways to use AI tools such as ChatGPT, Gemini, Claude, and Llama, they are grappling with the challenge of using business information while protecting personally identifiable information and other confidential data.

Wald.ai, which launched its data loss protection platform on Dec. 10, offers contextual redaction, where sensitive information is sanitized from conversations with AI assistants. The Wald Context Intelligence platform connects businesses with AI assistants while protecting confidential data and managing regulatory compliance. The platform redacts any sensitive or proprietary information and inserts intelligent data substitutions so that the AI model can still respond with optimal results, the company said in a statement. The sensitive data is repopulated – outside of the AI – before the end user sees the query response.

Wald.ai allows generative AI to integrate into daily workflows, making it safe, accessible, affordable, and seamless for users, the company said. All user data is encrypted end-to-end, so even Wald is unable to access the sensitive information. The platform also offers organizations the ability to create secure Custom Assistants using internal knowledge bases.

“As companies face the risk of data leakage, the solution is not to block use of these platforms, but to put in place effective, user friendly guardrails to enable employee productivity,” Vinay Goel, co-founder and CEO of Wald.ai, said in a statement.

Wald’s platform is already in use in various industry sectors including healthcare, financial services, and legal. The company named two customers – Kiavi, who provides bridge loans to real estate investors, and Suki, a provider of AI-powered voice solutions for healthcare organizations. The platform is available as a software-as-a-service officering priced at $19.99 per user per month and customers can start with a 14-day free trial. Developers should contact Wald.ai to discuss their use cases for early access to the Context Intelligence API, the company said.

The company also announced it has closed a $4 million seed round from Inventus Capital, Entrada Ventures, and several angel investors.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Wald.ai Launches Data Loss Protection for AI Platforms

Experts say the catchall term for online fraud furthers harm against victims and could dissuade people from reporting attempts to bilk them out of their money.

The rise of so-called pig butchering investment scams over the past few years largely caught the world unawares, capitalizing on conditions surrounding pandemic lockdowns and global economic instability to fool people into giving away their money to attackers. But as researchers and law enforcement have scrambled to raise awareness about the crisis—including scammers’ use of forced labor—any way they can, the term “pig butchering” itself has emerged as an attention-grabbing and recognizable symbol. Because the term was coined by scammers themselves, though, officials from the intergovernmental law enforcement organization Interpol now say that they will stop using it.

The wording originated from a Chinese version of the phrase, _shāzhūpán_, in which scammers were referring to victims as pigs who were being gradually fattened for slaughter. The attacks are typically investment or romance scams in which attackers cold contact many people at a time and then develop a rapport with those who respond, eventually convincing them to send money, typically in cryptocurrency, to scammers under the guise of making a potentially lucrative investment. Invoking scammers’ derogatory terminology, though, is dehumanizing and further perpetuates the stigma that many scam victims feel about having been deceived. Interpol says that, beyond its own organization, it is encouraging everyone to stop using the term and replace it with more straightforward names like “investment scams” or “romance baiting.”

“‘Pig butchering’ is a phrase which would appear to have been created by the gangs to talk about their victims and how they deal with them,” Nick Court, an assistant director in Interpol’s financial crime and anti-corruption program, tells WIRED. “I think we’re giving the gangs too much credit if we use that phrase. More importantly, we’re damaging how victims may perceive themselves. I don’t think anyone would want to be called a victim of pig butchering.”

Interpol says its web pages, previous press releases, and working materials such as factsheets will be updated to remove the terminology, with prior news announcements on its site including an explanation about the change in terminology. The agency says it has advised the 196 member countries it works with of the change in language too.

In recent months, both independent researchers and some at major tech companies have told WIRED they had concerns about the phrase “pig butchering,” its origins, and implications.

The criminal enterprises behind the scams run complex logistical operations, spanning both physical and digital activity. More than 200,000 people are believed to have been trafficked to giant “scam centers” in Southeast Asia, where they are forced to scam victims abroad and can be beaten or tortured if they refuse or try to leave.

Workers set up legitimate-looking social media accounts they can use to target potential victims, and they follow scripts for interacting with targets. Managers of the scam operations also oversee efforts to launder money once victims have made payments. With billions being made from the fraud, those running these scams have quickly reinvested some of the ill-gotten gains to incorporate artificial intelligence and make the scams more efficient.

Mina Chiang, the founder of anti-human-trafficking firm Humanity Research Consultancy, says she is not a fan of the “pig butchering” name not only because of its dehumanizing impact but also because it “restricts people’s imagination of the nature of the scam factories.”

“Those hundreds of compounds with hundreds of thousands of workers don't just work on romance-investment scams, they also do ‘task scams,’ ‘sextortion,’ ‘sport gambling scams,’ ‘fake-authority-related scams,’ and many more,” Chiang says, pointing out the United Nations’ Office on Drugs and Crime has called the behavior “organized fraud.”

“Focusing on only one type of scam would risk missing the bigger picture that scams are being organized and industrialized by transnational criminal groups,” Chiang adds, “and that scam tactics are constantly changing as long as the criminals are able to extract money from their victims.”

Interpol’s Nick Court says the organization recognizes that the “pig butchering” umbrella includes multiple types of criminality. He notes that there may be multiple different names for each sub-category of activity, but almost all of it falls under the international legal definition of fraud. He adds, too, that while not everyone agrees that phrases like “romance baiting” are a perfect replacement for “pig butchering,” it is necessary nonetheless to move away from the original name.

Over the past few decades, Court says, law enforcement agencies, researchers, and those who work with various types of victims have launched similar initiatives to evolve the language used to describe other crimes, such as domestic violence, sexual assault, and online child sexual exploitation. In all of these cases, he says, the goal is to reduce stigma and attempt to create a safer space for people to come forward and report crimes.

“We do know that across a range of crime types, the use of language, the use of words matters a great deal,” Court says.

Stop Calling Online Scams ‘Pig Butchering,’ Interpol Warns

Addressing cyber threats before they have a chance to strike or inflict serious damage is by far the best security approach any company can embrace. Achieving this takes a lot of research and proactive threat hunting. The problem here is that it is easy to get stuck in endless arrays of data and end up with no relevant intel. 
To avoid this, use these five battle-tested techniques that are

5 Practical Techniques for Effective Cyber Threat Hunting

Arctic Wolf plans to integrate Cylance's endpoint detection and response (EDR) technology into its extended detection and response (XDR) platform.

Source: DigtialStorm via iStock

NEWS BRIEF

Arctic Wolf has announced plans to acquire Cylance from its owner, BlackBerry, to add endpoint security to its Aurora Platform, which also includes managed detection and response, vulnerability management, managed security awareness, and cloud security capabilities.

The integration addresses a growing demand for unified security solutions and could potentially position Arctic Wolf to take on competitors, such as CrowdStrike and SentinelOne. Arctic Wolf will be offering a native endpoint security solution as well as giving customers the option to work with any of the 15 supported endpoint products.

"By adding endpoint security to our platform, we will be delivering the security outcomes organizations want in one, frictionless operational platform to go toe-to-toe with today's advanced threats, while maintaining our commitment to customers and partners leveraging other endpoint solutions," said Dan Schiappa, Arctic Wolf's chief product and services officer, in a statement.

In a separate blog post, Schiappa said Aurora has integrated with Cylance for over seven years, and the "ability to stop 98% of endpoint attacks before they begin is something we have seen first-hand in our SOC." He assured existing Cylance customers that their endpoint security products will continue to be fully supported.

The transaction is a mix of $160 million in cash and 5.5 million Arctic Wolf common shares of Arctic Wolf. Arctic Wolf is currently privately owned but has IPO plans. The deal is expected to close in BlackBerry's fourth fiscal quarter, which ends in February.

The combination of Cylance and Arctic Wolf would "rapidly eliminate alert fatigue, reduce total risk exposure, and help customers unlock further value with our warranty and insurability programs," said Nick Schneider, president and chief executive officer of Arctic Wolf, said in a statement.

Cylance is Arctic Wolf's sixth acquisition. Previous deals include secure intelligence platform RootSecure, threat-hunting platform Rank Software, security training company Habitu8, digital forensics firm Tetra Defense, and security orchestration software developer Revelstoke.

Arctic Wolf is getting Cylance at a significant discount. BlackBerry originally paid $1.4 billion to acquire Cylance in 2018. Cylance was key to BlackBerry's transformation away from a mobile handset company into a provider of cybersecurity services.

"As Arctic Wolf leverages its scale to build upon and grow the Cylance business, BlackBerry will benefit as a reseller of the portfolio to our large government customers and as a shareholder of the company," said BlackBerry CEO John Giammatteo in a statement.

BlackBerry will retain its Secure Communications portfolio, including Unified Endpoint Management (UEM) for securing devices, AtHoc for critical event management, and SecuSUITE for secure messaging and phone calls.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

BlackBerry to Sell Cylance to Arctic Wolf

Artificial intelligence capabilities are coming to a desktop near you — with Microsoft 365 Copilot, Google Gemini with Project Jarvis, and Apple Intelligence all arriving (or having arrived). But what are the risks?

Source: 'Who is Danny' via Shutterstock

Artificial intelligence has come to the desktop.

Microsoft 365 Copilot, which debuted last year, is now widely available. Apple Intelligence just reached general beta availability for users of late-model Macs, iPhones, and iPads. And Google Gemini will reportedly soon be able to take actions through the Chrome browser under an in-development agent feature dubbed Project Jarvis.

The integration of large language models (LLMs) that sift through business information and provide automated scripting of actions — so-called "agentic" capabilities — holds massive promise for knowledge workers but also significant concerns for business leaders and chief information security officers (CISOs). Companies already suffer from significant issues with the oversharing of information and a failure to limit access permissions — 40% of firms delayed their rollout of Microsoft 365 Copilot by three months or more because of such security worries, according to a Gartner survey.

The broad range of capabilities offered by desktop AI systems, combined with the lack of rigorous information security at many businesses, poses a significant risk, says Jim Alkove, CEO of Oleria, an identity and access management platform for cloud services.

"It's the combinatorics here that actually should make everyone concerned," he says. "These categorical risks exist in the larger \[native language\] model-based technology, and when you combine them with the sort of runtime security risks that we've been dealing with — and information access and auditability risks — it ends up having a multiplicative effect on risk."

Related:Citizen Development Moves Too Fast for Its Own Good

Desktop AI will likely take off in 2025. Companies are already looking to rapidly adopt Microsoft 365 Copilot and other desktop AI technologies, but only 16% have pushed past initial pilot projects to roll out the technology to all workers, according to Gartner's "The State of Microsoft 365 Copilot: Survey Results." The overwhelming majority (60%) are still evaluating the technology in a pilot project, while a fifth of businesses haven't even reached that far and are still in the planning stage.

Most workers are looking forward to having a desktop AI system to assist them with daily tasks. Some 90% of respondents believe their users would fight to retain access to their AI assistant, and 89% agree that the technology has improved productivity, according to Gartner.

**Bringing Security to the AI Assistant**

Unfortunately, the technologies are black boxes in terms of their architecture and protections, and that means they lack trust. With a human personal assistant, companies can do background checks, limit their access to certain technologies, and audit their work — measures that have no analogous control with desktop AI systems at present, says Oleria's Alkove.

Related:Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn

AI assistants — whether they are on the desktop, on a mobile device, or in the cloud — will have far more access to information than they need, he says.

"If you think about how ill-equipped modern technology is to deal with the fact that my assistant should be able to do a certain set of electronic tasks on my behalf, but nothing else," Alkove says. "You can grant your assistant access to email and your calendar, but you cannot restrict your assistant from seeing certain emails and certain calendar events. They can see everything."

This ability to delegate tasks needs to become part of the security fabric of AI assistants, he says.

**Cyber-Risk: Social Engineering Both Users & AI**

Without such security design and controls, attacks will likely follow.

Earlier this year, a prompt injection attack scenario highlighted the risks to businesses. Security researcher Johann Rehberger found that an indirect prompt injection attack through email, a Word document, or a website could trick Microsoft 365 Copilot into taking on the role of a scammer, extracting personal information, and leaking it to an attacker. Rehberger initially notified Microsoft of the issue in January and provided the company with information throughout the year. It's unknown whether Microsoft has a comprehensive fix for the issue.

Related:Generative AI Security Tools Go Open Source

The ability to access the capabilities of an operating system or device will make desktop AI assistants another target for fraudsters who have been trying to get a user to take actions. Instead, they will now focus on getting an LLM to take actions, says Ben Kilger, CEO of Zenity, an AI agent security firm.

"An LLM gives them the ability to do things on your behalf without any specific consent or control," he says. "So many of these prompt injection attacks are trying to social engineer the system — trying to go around other controls that you have in your network without having to socially engineer a human."

**Visibility Into AI's Black Box**

Most companies lack visibility into and control of the security of AI technology in general. To adequately vet the technology, companies need to be able to examine what the AI system is doing, how employees are interacting with the technology, and what actions are being delegated to the AI, Kilger says.

"These are all things that the organization needs to control, not the agentic platform," he says. "You need to break it down and to actually look deeper into how those platforms actually being utilized, and how do people build and interact with those platforms."

The first step to evaluating the risk of Microsoft 365 Copilot, Google's purported Project Jarvis, Apple Intelligence, and other technologies is to gain this visibility and have the controls in place to limit an AI assistant's access on a granular level, says Oleria's Alkove.

Rather than a big bucket of data that a desktop AI system can always access, companies need to be able to control access by the eventual recipient of the data, their role, and the sensitivity of the information, he says.

"How do you grant access to portions of your information and portions of the actions that you would normally take as an individual, to that agent, and also only for a period of time?" Alkove asks. "You might only want the agent to take an action once, or you may only want them to do it for 24 hours, and so making sure that you have those kind of controls today is critical."

Microsoft, for its part, acknowledges the data-governance challenges, but argues that they are not new, just made more apparent due to AI’s arrival.

"AI is simply the latest call to action for enterprises to take proactive management of controls their unique, respective policies, industry compliance regulations, and risk tolerance should inform – such as determining which employee identities should have access to different types of files, workspaces, and other resources," a company spokesperson said in a statement.

The company pointed to its Microsoft Purview portal as a way that organizations can continuously manage identities, permission, and other controls. Using the portal, IT admins can help secure data for AI apps and proactively monitor AI use though a single management location, the company said. Google declined to comment about its forthcoming AI agent.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Does Desktop AI Come With a Side of Risk?

While low-code/no-code tools can speed up application development, sometimes it's worth taking a slower approach for a safer product.

Source: Westend61 GmbH via Alamy Stock Photo

COMMENTARY

Say you're working on an important financial report for your company, with a strict deadline. You need to share it with external financial advisers, but security restrictions are preventing you from adding them directly. You grab the report, open your personal email, upload the report — and just before you hit send, you realize this is probably not a wise decision. You delete your draft.

I'm sure you can think of many other examples where you got into a similar situation in the heat of the moment; hopefully you bumped into a security guardrail that made you think twice. Sometimes some friction is needed to slow us down and get us to rethink.

**Low-Code/No-Code Makes Things Too Easy**

Business units can't wait around for IT and development units to get to their items on an ever-growing backlog. Low-code/no-code platforms have really made a difference in large enterprises in the past few years, and generative artificial intelligence has turbocharged this trend. Nontechnical users are empowered to create applications by describing them to a chatbot that does everything from generate the database to the user interface. They are also creating automations to streamline business processes, either by chatting with a chatbot or using drag-and-drop. This is all happening at the heart of the enterprise and is wonderful for productivity.

Security controls provided by low-code/no-code platforms typically focus on the point that an application inherits its user's permissions. That means that, theoretically, a user could manually do everything the application or automation does on their behalf. So what's the problem?

People are not robots. We don't move the same amount of data, we are not consistent when we do something again and again, and — most importantly — we have common sense. A human can understand that sharing a financial report externally is not a good idea, while sharing nonsensitive files might be all right. But if an automation is set up to sync data between you and your external vendors, with the intent of sharing nonsensitive files, no one is going to be there to flag it or second-guess when sensitive files are also transferred unintentionally.

You could say that the person who created the automation should have thought about it, and you're right. But that requires them to stop and think. If you can create an automation by talking to a chatbot, then you quickly get into a situation where you're creating automations left and right without fully thinking through the consequences. Low-code/no-code platforms are lowering the bar to be creative within the enterprise, which is wonderful but also dangerous.

**Tapping the Brakes, Not Taking the Keys**

Some friction could make all the difference in the world, if carefully used. Allowing citizen developers to create automations and applications is great, but perhaps if there are external data sources or vendors, somebody needs to take a second look. Low-code/no-code doesn't really follow the software development life cycle process, but notifying the security team or center of excellence for selective reviews where it matters is feasible. We must be careful not to add too much friction, however, or we'll lose the productivity benefits that citizen development brings — or people are going to find ways around our controls.

To hit the right balance, we should let citizen developers build freely but intervene where needed. We should set up automated guardrails that catch when developers go outside of our approved risk zone and intervene — even if just by nudging them to stop and rethink.

**About the Author**

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

Citizen Development Moves Too Fast for Its Own Good

SUMMARY The Cl0p ransomware group has recently claimed responsibility for exploiting a critical vulnerability in Cleo’s managed file…

****SUMMARY****

*   **Cleo Vulnerability Exploited**: The Cl0p ransomware group claims to have exploited a critical vulnerability in Cleo’s managed file transfer software, targeting businesses globally.

*   **Data Leak Threats**: Cl0p has announced plans to publish stolen data from affected organizations, increasing pressure on victims to pay ransom.

*   **Repeat Tactics**: The attack mirrors Cl0p’s strategy used in the MOVEit and GoAnywhere breaches, focusing on high-impact vulnerabilities in widely used software.

*   **Supply Chain Risks**: The exploitation of Cleo software poses a significant risk to supply chains, potentially disrupting operations across multiple industries.

*   **Urgent Patching Advised**: Security experts urge organizations using Cleo products to immediately apply patches, review system security, and monitor for signs of compromise.

The **Cl0p ransomware** group has recently claimed responsibility for exploiting a critical vulnerability in Cleo’s managed file transfer (MFT) software, specifically targeting Cleo Harmony, VLTrader, and LexiCom products. This mirrors their **previous attack** on Progress Software’s MOVEit Transfer in 2023, where they exploited a zero-day vulnerability to breach systems and steal data.

In the MOVEit incident, Cl0p utilized a SQL injection vulnerability (**CVE-2023-34362**) to deploy a web shell named LEMURLOOT, enabling unauthorized access to databases and the extraction of sensitive information. This attack impacted several organizations globally, including government agencies and private enterprises, leading to significant data breaches and operational disruptions.

****Cleo Vulnerability****

The recent exploitation of Cleo’s software follows a similar modus operandi. Cl0p has announced its involvement, indicating the use of zero-day exploits to breach corporate networks and steal data. The specific vulnerability, now identified as **CVE-2024-55956**, has been acknowledged by Cleo, and organizations utilizing these products are urged to apply patches immediately to mitigate potential risks.

On its dark web blog, as seen by Hackread.com, the group posted the following message to substantiate its claims:

> _“Dear companies Due to recent events (attack of CLEO) all links to data of all companies will be disabled and data will be permanently deleted from servers. We will work only with new companies Happy New Year © CL0P^\_.”_

Screenshot from Cl0p Ransomware’s dark web leak site (Credit: Hackread.com)

Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite commented on the situation:

_“_The Cl0p ransomware group has announced they’ll begin publishing victims from attacks exploiting CLEO vulnerabilities. This mirrors the MOVEit attacks of 2023, following Cl0p’s signature playbook: they don’t operate year-round but execute mass exploitation of Managed File Transfer (MFT) vulnerabilities in single, high-impact campaigns. We’ve seen this with GoAnywhere, with MOVEit, and now with CLEO,_“_ said Ferhat.

_“_Considering the impact of MOVEit, thousands of companies could be affected, either directly or indirectly. Organizations must stay vigilant, patch immediately, and assess their exposure to these vulnerabilities. It’s the holiday gift nobody wanted,_“_ he warned.

Cl0p’s strategy involves identifying and exploiting vulnerabilities in widely used MFT solutions and **conducting large-scale attacks** that can affect thousands of organizations simultaneously. Their approach emphasizes the importance of timely patch management and the need for organizations to maintain robust security postures, especially concerning third-party software dependencies.

1.  **Starbucks Goes Manual After Blue Yonder Ransomware Attack**
2.  **Cl0p ransomware group members arrested, infrastructure seized**
3.  **Cl0p ransomware gang leaks sensitive data from 6 US universities**
4.  **TDECU Data Breach: 500,000+ Members Affected by MOVEit Exploit**
5.  **Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached**

Cl0p Ransomware Exploits Cleo Vulnerability, Threatens Data Leaks

The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.

Title: ABB Cylon Aspect 3.08.02 (editOverride.php) Authentication Bypass MIX Override  
Advisory ID: ZSL-2024-5884  
Type: Local/Remote  
Impact: Manipulation of Data, DoS, Security Bypass  
Risk: (5/5)  
Release Date: 16.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT\* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[16.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_auth1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5879.php  
\[2\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[3\] https://www.cve.org/CVERecord?id=CVE-2024-48840  
\[4\] https://nvd.nist.gov/vuln/detail/CVE-2024-48840  
\[5\] https://ergotech.com/mix  
\[6\] https://packetstorm.news/files/id/183179/

**Changelog**

\[16.12.2024\] - Initial release  
\[23.12.2024\] - Added reference \[6\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#intel