The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 3,500 mobile phones.

Source: Coredesign via Shutterstock

Researchers have discovered seven new Pegasus spyware infections targeting journalists, government officials, and corporate executives that started several years ago and span both iPhone and Android devices, demonstrating that the range of the notorious spyware may be even greater than once thought.

Researchers from iVerify discovered multiple devices compromised by Israeli company NSO Group's spyware via attacks initiated between 2021 and 2023 that affect Apple iPhone iOS versions 14, 15, and 16.6, as well as Android, they revealed in a blog post published on Dec. 4. The infections were discovered in May during a threat-hunting scan of 3,500 devices from iVerify users who opted in to the checks.

Specifically, the investigation uncovered multiple Pegasus variants in five unique malware types across iOS and Android. The researchers detected forensic artifacts in diagnostic data, shutdown logs, and crash logs found on the devices.

"Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports," Matthias Frielingsdorf, Verify co-founder and iOS security researcher, wrote in the post. Each of the infections "represented a device that could have been silently monitored, its data compromised without the owner's knowledge," he wrote.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

"The discovery supported our thesis about the prevalence of spyware on mobile devices — it was hiding in plain sight, undetected by traditional endpoint security measures."

**Pegasus Spyware Reach Underestimated?**

The findings also demonstrate that security researchers, in general, may have underestimated the reach of mobile spyware, particularly Pegasus, Rocky Cole, co-founder and COO of iVerify, tells Dark Reading.

Pegasus, developed by NSO Group — an adversary that iVerify tracks as "Rainbow Ronin" — is a particularly nasty piece of spyware that allows the controller to exploit OS vulnerabilities and leverage zero-click attacks to access and extract whatever they want from an exploited mobile device. Attackers can intercept and transmit messages, emails, media files, passwords, and detailed location information without a user's knowledge or interaction.

Pegasus gained initial notoriety in 2021 when security researchers found that it was being used by state-sponsored actors in illegal surveillance against journalists, politicians, human rights advocates, and other persons of interest to government intelligence agencies. Since then, numerous other infections have surfaced that show how governments have wielded the spyware, with journalists in particular in the crosshairs.

Related:Name That Edge Toon: Shackled!

Now iVerify's discovery suggests that state-sponsored actors not only are using mobile spyware in a narrow way to surveil the most high-profile of targets, but also could be spying on people within typically targeted populations who wouldn’t seem likely to be on their radar, Cole says.

"Previously considered a rare and highly targeted threat, Pegasus was found to be more prevalent and capable of infecting a wider range of devices, not just those belonging to high-risk users," he says.

Moreover, as iVerify’s investigation uncovered multiple Pegasus infections across several iOS versions, some dating back years, it's clear that traditional security measures often fail to detect such threats. This suggests that mobile device users themselves must be included in the detection of malware so they have "the power to understand and defend against threats that were previously invisible," Frielingsdorf wrote.

**Hunt Your Own Device Threats**

Cole says that best practices for preventing spyware infections before they occur include regularly updating devices to the latest OS as soon as possible, as spyware often exploits unpatched vulnerabilities. And though EDR may not pick up every infection, it can be a useful tool for organizations to use alongside more proactive device-specific threat-hunting to "help detect and respond to threats in real time," he says.

Related:Microsoft Boosts Device Security With Windows Resiliency Initiative

Organizations also should educate employees, Cole adds, especially those in high-risk roles, about the risks and best practices for mobile security as an essential protection against spyware infections.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The mobile device security firm iVerify has been offering a tool since May that makes spyware scanning accessible to anyone—and it’s already turning up victims.

In recent years, commercial spyware has been deployed by more actors against a wider range of victims, but the prevailing narrative has still been that the malware is used in targeted attacks against an extremely small number of people. At the same time, though, it has been difficult to check devices for infection, leading individuals to navigate an ad hoc array of academic institutions and NGOs that have been on the front lines of developing forensic techniques to detect mobile spyware. On Tuesday, the mobile device security firm iVerify is publishing findings from a spyware detection feature it launched in May. Of 2,500 device scans that the company's customers elected to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.

The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month. iVerify's infrastructure is built to be privacy-preserving, but to run the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if a scan turns up spyware—as it did in the seven recent Pegasus discoveries.

“The really fascinating thing is that the people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, people in government positions,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “It looks a lot more like the targeting profile of your average piece of malware or your average APT group than it does the narrative that’s been out there that mercenary spyware is being abused to target activists. It is doing that, absolutely, but this cross section of society was surprising to find.”

Seven out of 2,500 scans may sound like a small group, especially in the somewhat self-selecting customer base of iVerify users, whether paying or free, who want to be monitoring their mobile device security at all, much less checking specifically for spyware. But the fact that the tool has already found a handful of infections at all speaks to how widely the use of spyware has proliferated around the world. Having an easy tool for diagnosing spyware compromises may well expand the picture of just how often such malware is being used.

“NSO Group sells its products exclusively to vetted US & Israel-allied intelligence and law enforcement agencies,” NSO Group spokesperson Gil Lainer told WIRED in a statement. "Our customers use these technologies daily.”

iVerify says that it took significant investment to develop the detection tool because mobile operating systems like Android, and particularly iOS, are more locked down than traditional desktop operating systems and don't allow monitoring software to have kernel access at the heart of the system. Cole says that the crucial insight was to use telemetry taken from as close to the kernel as possible to tune machine learning models for detection. Some spyware, like Pegasus, also has characteristic traits that make it easier to flag. In the seven detections, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. But the challenge, Cole says, is in refining mobile monitoring tools to reduce false positives.

Developing the detection capability has already been invaluable, though. Cole says that it helped iVerify identify signs of compromise on the smartphone of Gurpatwant Singh Pannun, a lawyer and Sikh political activist who was the target of an alleged, foiled assassination attempt by an Indian government employee in New York City. The Mobile Threat Hunting feature also flagged suspected nation state activity on the mobile devices of two Harris-Walz campaign officials—a senior member of the campaign and an IT department member—during the presidential race.

“The age of assuming that iPhones and Android phones are safe out of the box is over,” Cole says. “The sorts of capabilities to know if your phone has spyware on it were not widespread. There were technical barriers and it was leaving a lot of people behind. Now you have the ability to know if your phone is infected with commercial spyware. And the rate is much higher than the prevailing narrative.”

_Updated at 12:12 pm EST, December 4, 2024, to include a statement from NSO Group._

A New Phone Scanner That Detects Spyware Has Already Found 7 Pegasus Infections

Western authorities say they’ve identified a network that found a new way to clean drug gangs’ dirty cash. WIRED gained exclusive access to the investigation.

She Was a Russian Socialite and Influencer. Cops Say She’s a Crypto Laundering Kingpin

The evolving regulatory environment presents both challenges and opportunities for businesses.

Michael McLaughlin, Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

December 4, 2024

4 Min Read

Source: filmfoto via Alamy Stock Photo

COMMENTARY

In 2024, the cybersecurity regulatory landscape underwent significant changes, as major economies worldwide introduced new rules to combat increasingly sophisticated cyber threats, such as advanced ransomware and AI-driven attacks. For businesses, navigating this evolving landscape is not merely a compliance issue but a strategic imperative that demands careful attention and adaptation.

**Understanding the Current Regulatory Landscape**

In the United States, the cybersecurity regulatory framework has evolved to address the growing complexity of cyber threats. This framework consists of a combination of federal laws, agency regulations, and state-specific requirements, each targeting different aspects of cybersecurity and data protection. At the federal level, the National Cybersecurity Strategy outlines a comprehensive approach, emphasizing the redistribution of cybersecurity responsibilities from individuals and small businesses to larger organizations with more resources. 

Several key regulations shape the landscape. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that critical infrastructure entities report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery, enhancing the federal government's ability to respond to these threats. The Securities and Exchange Commission (SEC) has implemented rules requiring publicly traded companies to disclose material cybersecurity risks and incidents promptly, ensuring investors receive timely information. The Health Infrastructure Security and Accountability Act (HISAA) proposes mandatory cybersecurity standards for healthcare organizations, focusing on electronic protected health information (e-PHI) and system resilience. State breach notification laws further add complexity, requiring organizations to notify affected individuals and state authorities following a data breach, with varying requirements across states.

**Increasing Cybersecurity Budgets and Strategies**

In response to heightened regulatory demands and sophisticated cyber threats, organizations are significantly increasing their cybersecurity budgets. While awareness of cyber-risks is widespread, many companies still face gaps in implementation and preparedness. The rise of ransomware-as-a-service and other complex attack vectors has prompted businesses to invest in robust cybersecurity infrastructure, including advanced threat detection systems, multifactor authentication, enhanced incident response capabilities, and zero-trust architectures. By integrating cybersecurity as a core business function, organizations can better protect their digital assets and maintain operational resilience.

Furthermore, businesses are recognizing the importance of C-suite collaboration in cybersecurity initiatives. Chief information security officers (CISOs) are increasingly involved in strategic planning and board reporting, ensuring that cybersecurity considerations are integrated into broader business strategies. This alignment is crucial for developing comprehensive cybersecurity strategies that are informed by regulatory requirements and industry best practices.

**Expectations for the Legal Landscape in Cybersecurity**

The legal landscape for cybersecurity is poised for continued evolution, with increasing emphasis on transparency, accountability, and compliance. The Supreme Court's overturning of the Chevron deference in Loper Bright Enterprises v. Raimondo grants courts greater authority to interpret laws, potentially leading to more challenges against agency regulations, including cybersecurity rules. This landmark decision is likely to result in more prescriptive language in federal legislation regarding agency authorities.

This shift underscores the need for businesses to stay informed about legal developments and adapt their compliance strategies accordingly. Organizations must be prepared to navigate a more dynamic regulatory environment, where judicial scrutiny may alter the consistency and scope of regulatory guidance. Legal frameworks will increasingly focus on ensuring that businesses not only comply with existing regulations but also demonstrate proactive measures to mitigate cyber-risks, including adopting best practices for data protection, incident reporting, and risk management.

**Insights From Government and Federal Roles**

In the United States, public-private partnerships play a crucial role in securing the digital ecosystem and enhancing cybersecurity. Timely dissemination of threat intelligence by the government enables organizations to quickly update security protocols and deploy countermeasures, thereby protecting sensitive data and infrastructure from breaches. In the military context, such intelligence is vital for both defensive and offensive operations, ensuring the protection of networks and supporting strategic cyber operations against adversaries.

Intelligence sharing also underpins effective legal and diplomatic responses to cyber threats. It provides law enforcement agencies with the evidence needed to indict cybercriminals, serving as a deterrent to future attacks. By presenting clear evidence of malicious activities, nations can engage in diplomatic negotiations to resolve cyber conflicts. Economic sanctions, informed by shared intelligence, can target entities or individuals involved in cyberattacks, applying economic pressure to curtail state-sponsored cyber behavior.

**Preparing for a Cyber-Secure Future**

To effectively navigate the cybersecurity regulatory landscape, businesses must prioritize cybersecurity as a strategic business function. This involves aligning cybersecurity initiatives with business objectives, understanding regulatory and statutory requirements, and demonstrating the return on investment in cybersecurity measures.

Organizations should leverage industry benchmarks to assess their cybersecurity posture and identify areas for improvement. Moreover, businesses must remain vigilant to the evolving threat landscape and continuously update their cybersecurity strategies to address emerging risks. This includes investing in advanced technologies, conducting regular risk assessments, and fostering a culture of cybersecurity awareness across the organization.

**Conclusion**

The evolving regulatory environment presents both challenges and opportunities for businesses. By investing in robust cybersecurity measures and aligning them with business objectives, ensuring effective incident response plans are in place and regularly exercised, and continuously keeping pace with industry-specific threats, organizations can build a resilient digital future that is prepared to withstand the challenges of an ever-changing cyber landscape.

**About the Author**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the Cybersecurity and Data Privacy Practice Group co-leader at Buchanan, Ingersoll & Rooney, a leading national law firm, where he helps clients navigate the complexities of cybersecurity, data privacy, and the related regulatory landscape. Previously, Michael served in the United States Navy as a Naval Intelligence Officer, and has held multiple postings worldwide, including senior counterintelligence adviser for United States Cyber Command and chief of counterintelligence and human intelligence for the Cyber National Mission Force, where he directed all counterintelligence, human intelligence, and law enforcement operations, investigations, and support to the Department of Defense's global cyberspace operations.

Navigating the Changing Landscape of Cybersecurity Regulations

In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as "Wazawaka," a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.

In January 2022, KrebsOnSecurity identified a Russian man named **Mikhail Matveev** as “**Wazawaka**,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.

An FBI wanted poster for Matveev.

Matveev, a.k.a. “Wazawaka” and “**Boriselcin**” worked with at least three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies, U.S. prosecutors allege.

Russia’s interior ministry last week issued a statement saying a 32-year-old hacker had been charged with violating domestic laws against the creation and use of malicious software. The announcement didn’t name the accused, but the Russian state news agency _RIA Novosti_ cited anonymous sources saying the man detained is Matveev.

Matveev did not respond to requests for comment. **Daryna Antoniuk** at _TheRecord_ reports that a security researcher said on Sunday they had contacted Wazawaka, who confirmed being charged and said he’d paid two fines, had his cryptocurrency confiscated, and is currently out on bail pending trial.

Matveev’s hacker identities were remarkably open and talkative on numerous cybercrime forums. Shortly after being identified as Wazawaka by KrebsOnSecurity in 2022, Matveev published multiple selfie videos on Twitter/X where he acknowledged using the Wazawaka moniker and mentioned several security researchers by name (including this author). More recently, Matveev’s X profile (@ransomboris) posted a picture of a t-shirt that features the U.S. government’s “Wanted” poster for him.

An image tweeted by Matveev showing the Justice Department’s wanted poster for him on a t-shirt. image: x.com/vxunderground

The golden rule of cybercrime in Russia has always been that as long as you never hack, extort or steal from Russian citizens or companies, you have little to fear of arrest. Wazawaka claimed he zealously adhered to this rule as a personal and professional mantra.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka wrote in January 2021 on the Russian-language cybercrime forum Exploit. “Mother Russia will help you. Love your country, and you will always get away with everything.”

Still, Wazawaka may not have always stuck to that rule. At several points throughout his career, Wazawaka claimed he made good money stealing accounts from drug dealers on darknet narcotics bazaars.

Cyber intelligence firm Intel 471 said Matveev’s arrest raises more questions than answers, and that Russia’s motivation here likely goes beyond what’s happening on the surface.

“It’s possible this is a shakedown by Kaliningrad authorities of a local internet thug who has tens of millions of dollars in cryptocurrency,” Intel 471 wrote in an analysis published Dec. 2. “The country’s ingrained, institutional corruption dictates that if dues aren’t paid, trouble will come knocking. But it’s usually a problem money can fix.

Intel 471 says while Russia’s court system is opaque, Matveev will likely be open about the proceedings, particularly if he pays a toll and is granted passage to continue his destructive actions.

“Unfortunately, none of this would mark meaningful progress against ransomware,” they concluded.

Although Russia traditionally hasn’t put a lot of effort into going after cybercriminals within its borders, it has brought a series of charges against alleged ransomware actors this year. In January, four men tied to the REvil ransomware group were sentenced to lengthy prison terms. The men were among 14 suspected REvil members rounded up by Russia in the weeks before Russia invaded Ukraine in 2022.

Earlier this year, Russian authorities arrested at least two men for allegedly operating the short-lived **Sugarlocker** ransomware program in 2021. **Aleksandr Ermakov** and **Mikhail Shefel** (now legally **Mikhail Lenin**) ran a security consulting business called **Shtazi-IT**. Shortly before his arrest, Ermakov became the first ever cybercriminal sanctioned by Australia, which alleged he stole and leaked data on nearly 10 million customers of the Australian health giant Medibank.

In December 2023, KrebsOnSecurity identified Lenin as “**Rescator**,” the nickname used by the cybercriminal responsible for selling more than 100 million payment cards stolen from customers of Target and Home Depot in 2013 and 2014. Last month, Shefel admitted in an interview with KrebsOnSecurity that he was Rescator, and claimed his arrest in the Sugarlocker case was payback for reporting the son of his former boss to the police.

Ermakov was sentenced to two years probation. But on the same day my interview with Lenin was published here, a Moscow court declared him insane, and ordered him to undergo compulsory medical treatment, The Record’s Antoniuk notes.

U.S. Offered $10M for Hacker Just Arrested by Russia

The vulnerability was first identified in 2014.

****SUMMARY:****

*   **Critical Patch Alert:** Cisco ASA users must urgently address a 10-year-old WebVPN vulnerability (CVE-2014-2120) that attackers are now actively exploiting.

*   **XSS Risk Identified:** The flaw allows unauthenticated attackers to perform cross-site scripting (XSS) attacks via malicious links, potentially compromising sensitive data and injecting malware.

*   **Active Exploitation:** Recent reports highlight that malware like AndroxGh0st is leveraging CVE-2014-2120, prompting Cisco to update its advisory in November 2024.

*   **Government Action Required:** CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, mandating federal agencies to patch it by December 3, 2024.

*   **No Workaround Available:** Upgrading the Cisco ASA software to a patched version is the only solution—reach out to Cisco support or service providers to secure your network.

If you are using a Cisco Adaptive Security Appliance (ASA) for your network security, it is time to patch a critical vulnerability that’s been around, surprisingly, for ten years.

Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA.

This vulnerability, tracked as CVE-2014-2120, is a medium-severity vulnerability caused due to insufficient input validation of a parameter, which could be exploited by convincing a user to access a malicious link. Clicking this link can force them into giving away sensitive information, hijacking browsing sessions, or even injecting malware. 

The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug. 

In November 2024, the Cisco Product Security Incident Response Team (PSIRT) identified this emerging pattern of new exploitation attempts. This coincides with a report from security firm CloudSEK, which revealed that malware called AndroxGh0st is using CVE-2014-2120 (among others) to spread.

It is worth noting that CISA added CVE-2014-2120 to its KEV (Known Exploited Vulnerabilities) catalogue on November 12, requiring government agencies to address it by December 3, 2024.

The re-exploitation of this flaw shows the need for timely software updates and security patches. Unfortunately, there’s no quick fix or workaround for this vulnerability. Your only protection is to upgrade your Cisco ASA software to a version that includes a patch. Don’t wait – contact your Cisco support channel and get the update process rolling. Upgrading is crucial to ensure your network remains secure. 

Customers with Cisco products that are provided or maintained through agreements with third-party support organizations like Cisco Partner/resellers/service providers should consult their service providers to identify the best workaround or fix for their networks before deployment.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) weighed in on the situation stating, _“_These attacks highlight how technical debt and low cybersecurity maturity can compound risk. Many organizations struggle with basic cybersecurity capabilities, leaving them vulnerable to both historical and emerging threats._“_

_“_If adversaries can exploit older flaws, they will. Addressing the risks associated with legacy systems is imperative, however, it demands investments that many organizations lack the resources to make,_”_ Jason explained.

1.  **Decade Old Software Bug Sets 3000 US Prisoners Free**
2.  **Goldoon Botnet Exploits 9-Year-Old Flaw on D-Link Devices**
3.  **7-Year-Old Pre-Installed Google Pixel App Flaw Risks Millions**
4.  **Intel Broker Cisco Breach: Selling Stolen Data from Major Firms**
5.  **Cisco Web UI Flaw Exploited Massly, Impacting Over 40K Devices  
    **

Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability

Organizations that rely on their content delivery network provider for Web application firewall services may be inadvertently leaving themselves open to attack.

Source: ArtemisDiana via Shutterstock

Many organizations using Web application firewall (WAF) services from content delivery network (CDN) providers may be inadvertently leaving their back-end servers open to direct attacks over the Internet because of a common configuration error.

The problem is so pervasive that it affects nearly 40% of Fortune 100 companies leveraging their CDN providers for WAF services, according to researchers at Zafran who studied the cause and scope of the problem recently. Among the organizations that the researchers found susceptible to attacks included recognizable brands, including Chase, Visa, Intel, Berkshire Hathaway, and UnitedHealth.

**Pervasive Issue**

WAFs act as intermediaries between users and Web applications. They inspect traffic for a range of threats and block or filter anything deemed suspicious or matching known patterns of malicious activity. Many organizations have deployed WAFs in recent years to protect Web applications against vulnerabilities they haven't had time to patch.

Organizations have multiple options for deploying WAFs, including on-premises in the form of physical or virtual appliances. There are also cloud- and host-based WAFs.

In total, Zafran found some 2,028 domains belonging to 135 companies among the Fortune 1000 that contain at least one supposedly WAF-protected server that an attacker could directly access over the Internet to launch denial-of-service (DoS) attacks, distribute ransomware, and execute other malicious activities.

"The responsibility \[for\] the misconfiguration lies primarily \[with\] the customers of CDN/WAF providers," says Ben Seri, chief technology officer of Zafran. But CDN providers who offer WAF services share some responsibility as well for failing to offer customers proper risk avoidance measures and for not building their networks and services to circumvent misconfigurations in the first place, he says. 

The problem, as Seri explains it, has to do with organizations not adequately validating Web requests to back-end origin servers that host the actual content, applications, or data that users are trying to access.

**A Failure to Follow Best Practices**

With a CDN-integrated WAF service, the CDN provider — like a Cloudflare or an Akamai — provides the WAF as part of its edge infrastructure. All incoming traffic to an organization's Web applications is routed through the CDN's WAF — a reverse proxy server within the vendor's edge network. The reverse proxy identifies which back-end server or resource a particular Web request is intended for and then routes it there in an encrypted fashion. "This means that when a CDN service is used as a WAF, the web application it protects is open to Internet traffic and is expected to validate that it responds only to web traffic that originates from and by the CDN service," according to the Zafran blog post.

If the customer is using best practices, the IP address of the back-end server is something that only the customer and CDN provider would know. CDN providers also recommend that organizations add IP filtering mechanisms to ensure that only requests from the CDN provider's IP address range are permitted access to back-end servers. Other recommendations include using pre-shared digital secrets known only to the CDN provider and the back-end server as a validation mechanism, and using what is known as mutual TLS authentication to validate both the origin server and the CDN provider's proxy server.

These measures are effective in protecting back-end servers when implemented correctly. But what Zafran discovered was that many organizations have not adopted any of these recommended validation precautions, thereby leaving back-end servers directly accessible over the Internet. "It is a lack of validation in Web applications that are designed to be protected by a CDN/WAF that leaves them open to all Internet traffic," Seri says. "It is like having a private S3 bucket left open to the Internet as a public bucket. Only in this case, it is protected Web applications that are left open to the Internet, instead of allowing only inbound traffic from the CDN provider."

**Easy to Find**

Exacerbating the situation is the fact that the IP addresses of enterprise origin services are not as private as many assume, Zafran's researchers found. The security vendor pointed to certificate transparency (CT) logs as one example of a relatively easy place for attackers and researchers to discover all domains belonging to a specific organization. CT logs provide a publicly accessible record of all SSL/TLS certificates that certificate authorities issue to website operators and are meant to improve trust and accountability around certificate issuance. Unfortunately, they also provide a starting point for attackers to gather detailed information on all the domains and subdomains belonging to an organization, including those associated with critical back-end servers and services.

"The issue was discovered to be extremely widespread," Seri says. "From a random sample of Internet servers that were designed to be protected by Cloudflare, 13% were found to suffer from this misconfiguration. This means that, potentially, 13% of all domains protected by Cloudflare can be directly attacked." Unfortunately, CDN/WAF providers require the cooperation of their customers, who control their own load balancers and Web applications, to mitigate this threat, he adds. Zafran is contacting affected companies as well as impacted CDN/WAF providers to help them quickly identify the full extent of this misconfiguration and address it, Seri says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Misconfigured WAFs Heighten DoS, Breach Risks

PRESS RELEASE

NEW YORK, Dec. 3, 2024 /PRNewswire/ -- BigID, a data security, privacy, compliance, and AI data management company, today announced the launch of Data Activity Monitoring. BigID empowers organizations to proactively identify risks, respond faster to potential threats, and help strengthen regulatory compliance. BigID's Data Activity Monitoring helps organizations manage the risk of data breaches and strengthens their overall security posture by alerting on potential insider risk, unauthorized access, and data misuse.

Unlike traditional Data Detection & Response (DDR) tools that are limited to sensitive data discovery and policy violations, BigID's Data Activity Monitoring goes further by tracking data access activity. With insights into who is accessing data, when, how, and what they're doing with it, Data Activity Monitoring enhances the contextual intelligence needed for comprehensive data security and proactive breach prevention.

Key Benefits of BigID's Data Activity Monitoring:

*   Enhanced Security Decision-Making: Get contextual, data-driven insights for more accurate decisions on access control, retention, and remediation.
    
*   Proactive Risk & Access Management: Monitor activity around sensitive data to identify unnecessary permissions, over-permissioned users, and potential insider threats before breaches occur.
    
*   Streamlined Compliance & Auditing: Generate detailed audit trails that help meet regulatory requirements, simplifying compliance and enhancing data governance.
    
*   Efficient Security Investigations: Gather contextual insights into data access patterns, enabling faster investigations and accurate remediation.
    
*   Improved Data Ownership Accountability: Track user interactions with data to clarify ownership and facilitate efficient delegation of security tasks.
    

"With Data Activity Monitoring, we're redefining the level of control and visibility organizations have over their data," said Dimitri Sirota, CEO of BigID. "Our customers need to be able to not only have visibility into their sensitive data but also understand how it's accessed and used, and enact controls around it. BigID's Data Activity Monitoring goes beyond detection, providing near real-time insights necessary to help prevent data breaches, support compliance, and empower security teams to make informed decisions."

To learn more: 

About BigID

BigID empowers organizations to know their enterprise data and take action for data-centric security, privacy, compliance, AI innovation, and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape.

BigID has earned numerous accolades, including being highlighted as CRN's top 100 security companies two years in a row in 2024 and 2023, a finalist in CRN's 2024 Tech Innovator Awards, recognized as the most innovative security company of the year for its AI data security in the 2024 Globee Awards, and named as a "Market Leader Data Security Posture Management (DSPM)" in the 2023 Global InfoSec Awards. Additionally, BigID's impressive growth earned it a spot on the 2024 Deloitte 500 for the fourth consecutive year, one of CNBC's Top 25 Startups for the Enterprise, named to the Forbes Cloud 100, and recognized on the 2024 Inc. 5000 for the fourth consecutive year.

You May Also Like

BigID Releases Data Activity Monitoring to Extend DDR, Detect Malicious Actors, and Strengthen Data Security Posture

Companies today constantly look for ways to improve their work with customers and perform better overall. The transition…

Companies today constantly look for ways to improve their work with customers and perform better overall. The transition to a more digital approach has become important for businesses that want to stay ahead in the market. A big part of this change is using customer relationship management (CRM) systems. Salesforce is one of the top choices for CRMs because it offers a wide range of features that can be adapted to different industries. This article will explore how using Salesforce can help drive digital transformation in organizations.

****Understanding Digital Transformation****

Digital transformation involves integrating technology into various aspects of business operations to change how companies function and fundamentally provide value to customers. It encompasses a culture shift that requires organizations to question traditional approaches, test new technologies, and adjust to evolving market trends.

According to Skydog Ops, a Salesforce integration company, Salesforce hosts more than 150,000 customers worldwide including Apple, Amazon Web Service and Walmart Inc, showcasing productivity and enhanced customer satisfaction.

****The Significance of CRM Systems****

Customer Relationship Management (CRM) systems play a critical role in driving transformation initiatives by enabling businesses to manage interactions with current and prospective customers more efficiently. These tools assist companies in gathering and analyzing customer data to improve decision-making and tailor experiences. Through the use of CRM systems, businesses can optimize their operations, automate tasks, and cultivate meaningful connections with customers.

****Salesforce: A Leader in CRM Solutions****

Salesforce has emerged as a leader in the CRM industry with its range of cloud-based solutions designed for sales support, customer service, and other business needs. Among the platform’s functionalities are wide applications that help businesses organize customer information, analyze interactions, and gather valuable insights. These tools are customized to fit an organization’s goals during its digital transformation efforts.

****Enhancing Customer Experience****

One of the primary goals of digital transformation is to enhance the customer experience, and Salesforce aids in achieving this by enabling companies to offer personalized and seamless interactions across various platforms. Leveraging real-time customer data allows businesses to customize their marketing strategies, delivering relevant content and promotions. Furthermore, with Salesforce’s automation features, organizations can provide timely responses to customer queries, improving satisfaction and fostering customer loyalty.

**Streamlining Business Processes**

Integrating Salesforce into business operations can greatly improve efficiency by automating routine tasks and enabling employees to focus on strategic priorities instead of manual work such as data entry, reporting, or workflow management. This shift toward automation helps minimize errors and boosts productivity across the organization. These improvements align with the goals of digital transformation, which seek to enhance both efficiency and effectiveness.

****Data-Driven Decision Making****

In today’s digital age, data is a valuable asset, and Salesforce equips businesses with the tools to unlock its full potential. By utilizing the in-depth analytics and reporting tools provided by Salesforce, businesses can gain insights into customer behaviour, discover sales patterns, and identify market opportunities. This data-driven approach allows companies to make informed decisions, refine strategies, and highlight areas for improvement—ultimately leading to enhanced agility and adaptability in response to evolving market dynamics.

****Fostering Collaboration and Innovation****

Salesforce’s use of cloud technology promotes collaboration by improving communication between departments and sparking creativity through shared access to information and ideas across the organization. The ability to work together seamlessly helps foster innovation and drives organizational growth.

****Scalability and Flexibility****

As companies grow and evolve, their requirements change. Salesforce’s scalability allows businesses to adapt their CRM system to meet the demands of growth and shifting circumstances. The platform’s versatility enables organizations to integrate new functionalities and applications, tailoring the system to meet their specific needs. This flexibility ensures that Salesforce remains a valuable tool throughout the entire transformation process.

****Overcoming Implementation Challenges****

Implementing Salesforce comes with its own set of challenges that organizations must address. Proper planning and execution are essential to avoid setbacks. To ensure a smooth rollout, it’s important to evaluate business requirements, set clear goals, and provide adequate training for employees. Working with professionals or consultants can also make the process more efficient, allowing businesses to fully leverage the benefits of Salesforce.

****Conclusion****

The use of Salesforce is crucial in leading the digital evolution of businesses across various sectors. Its wide range of features, flexibility, and focus on customer satisfaction make it an effective tool for improving productivity, promoting creativity, and gaining a competitive advantage. By adopting Salesforce, organizations can unlock the full benefits of digital transformation and position themselves for long-term success in an increasingly digital world.

1.  A Look at the 4 Main Functionalities of NetSuite
2.  The Role of Artificial Intelligence in Lead Generation
3.  How to Find Success with the Salesforce Admin Exam
4.  Types of SaaS Applications: Categories and Examples
5.  Effective, and powerful tools for identifying site visitors

The Role of Salesforce Implementation in Digital Transformation

The FTC is targeting data brokers that monitored people’s movements during protests and around US military installations. But signs suggest the Trump administration will be far more lenient.

The United States Federal Trade Commission is taking action against two American data brokers accused of unlawfully trafficking in people’s sensitive location data. The data was used, the agency says, to track Americans in and around churches, military bases, and doctors’ offices, among other protected sites. It was sold not only for advertising purposes but also for political campaigns and government uses, including immigration enforcement.

Mobilewalla, a Georgia-based data broker that’s said to have digitally tracked the residents of domestic abuse shelters, is accused by the agency of purposefully tracking protesters in the wake of George Floyd’s murder in 2020. In a court filing, the FTC says Mobilewalla attempted to unmask the protesters’ racial identities by tracking their mobile devices to, for example, Hindu temples and Black churches.

The FTC also accused Gravy Analytics and its subsidiary Venntel of harvesting and exploiting consumers’ location data without consent, alleging that the company used that data to unfairly infer health decisions and religious beliefs.

According to the FTC, Gravy Analytics collected over 17 billion location signals from approximately a billion mobile devices daily. It has reportedly sold access to that data to federal law enforcement agencies such as the Department of Homeland Security, the Drug Enforcement Agency, and the Federal Bureau of Investigation.

Gravy Analytics could not be immediately reached for comment.

A spokesperson for Mobilewalla says the company's privacy policies are constantly evolving, adding: “While we disagree with many of the FTC’s allegations and implications that Mobilewalla tracks and targets individuals based on sensitive categories, we are satisfied that the resolution will allow us to continue providing valuable insights to businesses in a manner that respects and protects consumer privacy.”

“This data can be used to identify and target consumers based on their religion,” the FTC says. The location data collected by the two companies makes it possible, the agency says, to “identify where individual consumers lived, worked, and worshipped, thus suggesting the mobile device user’s religion and routine and identifying the user’s friends and families.”

According to the two settlements, which must be finalized in court before they would go into effect, Gravy Analytics and Mobilewalla are barred from collecting sensitive location data from consumers and must delete the historical data they gathered on millions of Americans. Mobilewalla would be banned from acquiring location data and other sensitive information from online auctions known as real-time bidding exchanges, marketplaces where advertisers compete to instantaneously deliver ads to targeted consumers. This case marks the first time the FTC has moved to police the collection of data directly from an ad exchange.

In another first, the proposed Gravy Analytics settlement would introduce military installations to the list of “sensitive locations” where the FTC bans location tracking. Under the terms, the company would be prohibited from selling, disclosing, or using data drawn from these locations, which include mental health clinics, substance abuse centers, and child care service providers.

In November, a collaborative investigation by WIRED, Bayerischer Rundfunk, and Netzpolitik.org revealed that over 3 billion phone location data points, collected by a US-based data broker, exposed the movements of US military and intelligence personnel in Germany. These movements included visits to nuclear vaults and brothels. In that story, WIRED first reported on FTC chair Lina Khan’s efforts to shield US military and intelligence personnel from data brokers.

US senator Ron Wyden of Oregon, who first urged the FTC to take action against Mobilewalla in 2020, praised the announcements, calling the companies’ actions “outrageous violations of Americans’ privacy.”

“These companies enabled US government agencies to surveil Americans without a warrant and enabled foreign countries to spy on service members with just a credit card,” says Wyden, who also previously investigated Venntel with other members of Congress.

While the FTC’s orders don’t directly tackle the issue of government agencies purchasing Americans’ location data—information for which a warrant is normally required—Wyden says the cases nevertheless undermine the government’s case for allowing the purchases. The orders make clear, he says, that federal agencies are hiding behind a “flimsy claim that Americans consented to the sale of their data.”

In a statement, FTC commissioner Alvaro Bedoya notes that while surveillance conducted by private companies won't raise the same constitutional issues as surveillance by government, the difference between the two is “porous if not irrelevant” to the people being watched. "Governments have long relied on private citizens for work that would be impractical or illegal for law enforcement," he says.

Whether the orders against Gravy Analytics and Mobilewalla will be enforced remains to be seen. Major changes are coming to the agency under the future Trump administration—most expected to undermine years of work by Khan and her staff. Many of Donald Trump's allies have been vocally critical of Khan's aggressive pro-consumer approach, including Republican megadonor Elon Musk, who has taken command of an ad hoc office that will purportedly advise the White House on improving “government efficiency.”

FTC commissioner Andrew Ferguson, whose name was floated last month as a potential Khan replacement, partially concurred with the agency’s decision to bring cases against the two data brokers on Tuesday. He agreed the companies had taken insufficient steps to ensure consumer data was properly anonymized, adding that they’d failed to obtain the “meaningfully informed consent” of the consumers they targeted.

Unlike Khan, however, Ferguson argues that the companies did not run afoul of the law by “categorizing consumers based on sensitive characteristics,” such as whether they attend church or political meetings. “These are all public acts that people carry out in the sight of their fellow citizens every day,” he says.

Ferguson likewise chastised the agency for attempting to restrict the power of data brokers to target protesters specifically. “Treating attendance at a political protest as uniquely private and sensitive is an oxymoron,” he says.

In a separate action Tuesday morning, the Consumer Financial Protection Bureau announced it was taking steps to crack down on predatory data brokers that traffic in people’s financial information, calling the practice a gateway for “scamming, stalking, and spying.”

Musk, who donated more than $100 million toward Trump’s reelection, called publicly last week for the bureau to be “deleted.”

Tag

#intel