The Apple iOS 18.3 update fixes 28 other vulnerabilities identified by the tech company, though there is little information on them.

Source: Shahid Jamil via Alamy Stock Photo

NEWS BRIEF

In its latest security update for users, Apple has released a patch for a zero-day vulnerability tracked as CVE-2025-24085 (no CVSS score assigned yet).

The vulnerability, not yet added to the National Vulnerability Database (NVD), can be found in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. As a privileged escalation security flaw, it is located in Apple's Core Media framework. The bug is being actively exploited in the wild.

The Core Media framework, according to Apple, is "the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms." It allows users to process media samples as well as manage queues of media data.

This patch comes in the form of iOS 18.3, which fixes 28 other vulnerabilities as well. Apple has yet to divulge many details about any of the issues that have been patched by this update, likely to prevent attackers from exploiting them before users can apply the necessary fix.

Impacted devices from this bug include:

*   Apple Watch Series 6 and later
    

*   Apple TV HD and Apple TV 4K (all models)
    
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    

Though the tech giant has disclosed that "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2," it has not published any details of the attacks nor attributed its discovery to a researcher.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Patches Actively Exploited Zero-Day Vulnerability

PRESS RELEASE

SEATTLE, Jan. 15, 2025 /PRNewswire/ -- Spectral Capital Corporation (OTCQB: FCCN), a pioneer in providing its deep quantum technology platform, is pleased to announce the filing of a critical patent in quantum cybersecurity.

"Over the past three decades, I have been deeply involved in the cybersecurity industry, including founding a leading-edge company that addressed some of the most complex challenges in the field," said Sean Michael Brehm, chairman of Spectral. "Quantum computing elevates cybersecurity risks to an entirely new level. With its potential to break RSA encryption—the foundation of global data security—quantum technology presents an unprecedented threat. In response, our team has developed a solution to ensure RSA encryption remains secure, even in the quantum era," concluded Spectral chairman Sean Michael Brehm.

"Out of the 104 patentable innovations acquired in the Vogon Cloud acquisition, the patent application around protecting RSA encryption from quantum hacking could be one of our most important. According to Allied Market Research, the global RSA encryption market, primarily measured within the broader "hardware encryption" category, is estimated to hold a significant share, with some reports stating that the RSA segment represents around 50% of the hardware encryption market, which is projected to reach a size of approximately $1.2 trillion by 2031, indicating a substantial market for RSA encryption alone. We are proud to be a part of protecting that market, even as new technologies for encryption emerge, like Spectral's unhackable distributed quantum ledger database technology," said Spectral's Chief Executive Officer, Jenifer Osterwalder. 

Spectral has a portfolio of patents and trade secrets designed to meet the enormous demand for hybrid computing systems which combine current classical computing technologies with emerging quantum computing technologies as these are made commercially available. An entire ecosystem of hardware and software will be needed to support hybrid and quantum computing and Spectral has ambitious plans to build one of the largest intellectual property portfolios in the industry, including its previously announced goal of filing for more than 500 patents by the end of 2025.

About Spectral Capital  
Spectral Capital (OTCQB: FCCN) is a quantum technology platform company at the forefront of innovation. Focusing on sustainable green cloud computing, quantum databases, and advanced quantum chip technology, Spectral Capital is revolutionizing industries such as telecommunications, AI, and green technology. With flagship offerings like the Vogon Cloud and Vogon DQLDB, the company is pioneering a future of decentralized, secure, and scalable computing.

Forward-Looking Statements

This press release contains forward-looking statements (as defined in Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended) concerning future events and FCCN's growth and business strategy. Words such as "expects," "will," "intends," "plans," "believes," "anticipates," "hopes," "estimates," and variations on such words and similar expressions are intended to identify forward-looking statements. Although FCCN believes that the expectations reflected in such forward-looking statements are reasonable, no assurance can be given that such expectations will prove to have been correct. These statements involve known and unknown risks and are based upon a number of assumptions and estimates that are inherently subject to significant uncertainties and contingencies, many of which are beyond the control of FCCN. Actual results may differ materially from those expressed or implied by such forward-looking statements. Factors that could cause actual results to differ materially include, but are not limited to, changes in FCCN's business; competitive factors in the market(s) in which FCCN operates; risks associated with operations outside the United States; and other factors listed from time to time in FCCN's filings with the Securities and Exchange Commission. FCCN expressly disclaims any obligations or undertaking to release publicly any updates or revisions to any forward-looking statements contained herein to reflect any change in FCCN's expectations with respect thereto or any change in events, conditions or circumstances on which any statement is based.

Spectral Capital Files Quantum Cybersecurity Patent

Amid ongoing fears over TikTok, Chinese generative AI platform DeepSeek says it’s sending heaps of US user data straight to its home country, potentially setting the stage for greater scrutiny.

The United States’ recent regulatory action against the Chinese-owned social video platform TikTok prompted mass migration to another Chinese app, the social platform “Rednote.” Now, a generative artificial intelligence platform from the Chinese developer DeepSeek is exploding in popularity, posing a potential threat to US AI dominance and offering the latest evidence that moratoriums like the TikTok ban will not stop Americans from using Chinese-owned digital services.

DeepSeek, an AI research lab created by a prominent Chinese hedge fund, recently gained popularity after releasing its latest open source generative AI model that easily competes with top US platforms like those developed by OpenAI. However, to help avoid US sanctions on hardware and software, DeepSeek created some clever workarounds when building its models. On Monday, DeepSeek’s creators limited new sign-ups after claiming the app had been overrun with a “large-scale malicious attack.”

While DeepSeek has several AI models, some of which can be downloaded and run locally on your laptop, the majority of people will likely access the service through its iOS or Android apps or its web chat interface. Like with other generative AI models, you can ask it questions and get answers; it can search the web; or it can alternatively use a reasoning model to elaborate on answers.

DeepSeek, which does not appear to have established a communications department or press contact yet, did not return a request for comment from WIRED about its user data protections and the extent to which it prioritizes data privacy initiatives.

As people clamor to test out the AI platform, though, the demand brings into focus how the Chinese startup collects user data and sends it home. Users have already reported several examples of DeepSeek censoring content that is critical of China or its policies. The AI setup appears to collect a lot of information—including all your chat messages—and send it back to China. In many ways, it’s likely sending more data back to China than TikTok has in recent years, since the social media company moved to US cloud hosting to try to deflect US security concerns

“It shouldn’t take a panic over Chinese AI to remind people that most companies in the business set the terms for how they use your private data” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. “And that when you use their services, you’re doing work for them, not the other way around.”

**What DeepSeek Collects About You**

To be clear, DeepSeek is sending your data to China. The English-language DeepSeek privacy policy, which lays out how the company handles user data, is unequivocal: “We store the information we collect in secure servers located in the People's Republic of China.”

In other words, all the conversations and questions you send to DeepSeek, along with the answers that it generates, are being sent to China or can be. DeepSeek’s privacy policies also outline the information it collects about you, which falls into three sweeping categories: information that you share with DeepSeek, information that it automatically collects, and information that it can get from other sources.

The first of these areas includes “user input,” a broad category likely to cover your chats with DeepSeek via its app or website. “We may collect your text or audio input, prompt, uploaded files, feedback, chat history, or other content that you provide to our model and Services,” the privacy policy states. Within DeepSeek’s settings, it is possible to delete your chat history. On mobile, go to the left-hand navigation bar, tap your account name at the bottom of the menu to open settings, and then click “Delete all chats.”

This collection is similar to that of other generative AI platforms that take in user prompts to answer questions. OpenAI’s ChatGPT, for example, has been criticized for its data collection although the company has increased the ways data can be deleted over time. Regardless of these types of protections, privacy advocates emphasize that you should not disclose any sensitive or personal information to AI chat bots.

“I would not input personal or private data in any such an AI assistant,” says Lukasz Olejnik, independent researcher and consultant, affiliated with King's College London Institute for AI. Olejnik notes, though, that if you install models like DeepSeek’s locally and run them on your computer, you can interact with them privately without your data going to the company that made them. Additionally, AI search company Perplexity says it has added DeepSeek to its platforms but claims it is hosting the model in US and EU data centers.

Other personal information that goes to DeepSeek includes data that you use to set up your account, including your email address, phone number, date of birth, username, and more. Likewise, if you get in touch with the company, you’ll be sharing information with it.

Bart Willemsen, a VP analyst focusing on international privacy at Gartner, says that, generally, the construction and operations of generative AI models is not transparent to consumers and other groups. People don’t know exactly how they work or the exact data they have been built upon. For individuals, DeepSeek is largely free, although it has costs for developers using its APIs. “So what do we pay with? What do we usually pay with: data, knowledge, content, information,” Willemsen says.

As with all digital platforms—from websites to apps—there can also be a large amount of data that is collected automatically and silently when you use the services. DeepSeek says it will collect information about what device you are using, your operating system, IP address, and information such as crash reports. It can also record your “keystroke patterns or rhythms,” a type of data more widely collected in software built for character-based languages. Additionally, if you purchase DeepSeek’s premium services, the platform will collect that information. It also uses cookies and other tracking technology to “measure and analyze how you use our services.”

A WIRED review of the DeepSeek website's underlying activity shows the company also appears to send data to Baidu Tongji, Chinese tech giant Baidu's popular web analytics tool, as well as Volces, a Chinese cloud infrastructure firm. In a social media post, Sean O'Brien, founder of Yale Law School's Privacy Lab, said that DeepSeek is also sending “basic” network data and “device profile” to TikTok owner ByteDance “and its intermediaries.

The final category of information DeepSeek reserves the right to collect is data from other sources. If you create a DeepSeek account using Google or Apple sign-on, for instance, it will receive some information from those companies. Advertisers also share information with DeepSeek, its policies say, and this can include “mobile identifiers for advertising, hashed email addresses and phone numbers, and cookie identifiers, which we use to help match you and your actions outside of the service.”

**How DeepSeek Uses Information**

Huge volumes of data may flow to China from DeepSeek’s international user base, but the company still has power over how it uses the information. DeepSeek’s privacy policy says the company will use data in many typical ways, including keeping its service running, enforcing its terms and conditions, and making improvements.

Crucially, though, the company’s privacy policy suggests that it may harness user prompts in developing new models. The company will “review, improve, and develop the service, including by monitoring interactions and usage across your devices, analyzing how people are using it, and by training and improving our technology,” its policies say.

DeepSeek’s privacy policy also says the company will also use information to “comply with \[its\] legal obligations”—a blanket clause many companies include in their policies. DeepSeek’s privacy policy says data can be accessed by its “corporate group,” and it will share information with law enforcement agencies, public authorities, and more when it is required to do so.

While all companies have legal obligations, those based in China do have notable responsibilities. Over the past decade, Chinese officials have passed a series of cybersecurity and privacy laws meant to allow state officials to demand data from tech companies. One 2017 law, for instance, says that organizations and citizens should “cooperate with national intelligence efforts.”

These laws, alongside growing trade tensions between the US and China and other geopolitical factors, fueled security fears about TikTok. The app could harvest huge amounts of data and send it back to China, those in favor of the TikTok ban argued, and the app could also be used to push Chinese propaganda. (TikTok has denied sending US user data to China’s government.) Meanwhile, several DeepSeek users have already pointed out that the platform does not provide answers for questions about the 1989 Tiananmen Square massacre, and it answers some questions in ways that sound like propaganda.

Willemsen says that, compared to users on a social media platform like TikTok, people messaging with a generative AI system are more actively engaged and the content can feel more personal. In short, any influence could be larger. “Risks of subliminal content alteration, conversation direction steering, in active engagement ought by that logic to lead to more concern, not less,” he says, “especially given how the inner workings of the model are widely unknown, its thresholds, borders, controls, censorship rules, and intent/personae largely left unscrutinized, and it being already so popular in its infancy stage.”

Olejnik, of King's College London, says that while the TikTok ban was a specific situation, US law makers or those in other countries could act again on a similar premise. “We can’t rule out that 2025 will bring an expansion: direct action against AI firms,” Olejnik says. “Of course, data collection may again be named as the reason.”

_Updated 5:27 pm EST, January 27, 2025: Added additional details about the DeepSeek website's activity._

_Updated 10:05 am EST, January 29, 2025: Added additional details about DeepSeek's network activity._

DeepSeek’s Popular AI App Is Explicitly Sending US Data to China

CISOs are planning to adjust their budgets this year to reflect their growing concerns for cybersecurity preparedness in the event of a cyberattack.

Source: Irina Guzovataya via Alamy Stock Photo

NEWS BRIEF

In 2025, chief information security officers (CISOs) will be directing their attention to becoming more cyber prepared in the event of an attack, by enhancing their crisis simulation capabilities.

That's according to a study conducted by researchers at Hack The Box, which found that out of 200 US- and UK-based CISOs, 74% said they plan to up their crisis simulation budgets this year.

These changes likely stem from rising concerns about the growing number of cyberattacks, the lack of incident-response planning, and inadequate stress-testing of crisis scenarios. Major cyberattacks and cyber incidents have impacted organizations such as NHS, 23andMe, and a host of businesses impacted by the CrowdStrike faulty update in 2024, affecting enterprises on a global level. CISOs are trying to reassess their organizations' capabilities in order to manage the chaos when it inevitably arises.

A full 77% of those surveyed said they would allocate greater budgets for cyber-crisis simulations if the exercises themselves were more realistic and actionable. 

"Preparedness is the foundation of resilience, and crisis simulations play a crucial role in testing organizations security and workforce performance when it's most critical," said Haris Pylarinos, CEO and founder at Hack The Box, in a statement. "Organizations are right to prioritize crisis simulation, and must ensure that these are implemented in the right way."

Also, 73% of survey respondents reported that crisis simulations and incident-response exercises for both their technical and non-technical teams were their top business priority this year.

Pylarinos highlighted that crisis simulation will continue to evolve, pairing artificial intelligence with expert knowledge in order to provide tailored and realistic scenarios that reflect challenges that security teams and management will face on digital front lines. "It will unite previously disparate business units as one," he said, "and allow real-world performance to be benchmarked in a controlled environment."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Crisis Simulations: A Top 2025 Concern for CISOs

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability. A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy. 🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create […]

**About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability.** A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy.

🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create accounts with random names, modify device settings, and gain access to internal systems.

🔹 The vendor advisory was published on January 14. The vulnerability was added to the CISA KEV.

🔹 A public exploit has been available on GitHub since January 21.

🔹 As of January 26, Shadow Server reports around 45,000 vulnerable devices accessible from the Internet.

The vendor recommends updating FortiOS and FortiProxy to secure versions and restricting or disabling administrative HTTP/HTTPS interfaces.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability

A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn…

A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn how to protect yourself and update your browser to the latest version.

A critical security vulnerability has been discovered in the popular Brave Browser, enabling malicious websites to deceive users into believing they are interacting with trusted sources. This flaw tracked as **CVE-2025-23086** (classified under CWE-60), impacts desktop versions of Brave from 1.70.x to 1.73.x.

The problem lies within a feature designed to enhance user safety: displaying the **origin of a website** in the operating system’s file selector dialogue during file uploads or downloads. This is intended to provide a visual cue, confirming the legitimacy of the site involved in the file transfer. However, in specific scenarios, this crucial origin information was not accurately inferred, leaving a critical gap in user protection.

This misrepresentation of origin becomes particularly dangerous when combined with an “open redirect” vulnerability on a legitimate website. Open redirects mean that a trusted website lets user-controlled input redirect users to external URLs and does not validate it properly. By exploiting this combination, malicious actors can craft scenarios where a malicious website, through the open redirect, appears as a trusted source in the file selector dialogue, tricking users into interacting with it.

In May 2024, Hackread.com **reported** HP’s quarterly Wolf Security Threat Insights series findings, which revealed a rise in cybercriminals employing “cat-phishing” tactics, exploiting open redirect vulnerabilities and other Living-off-the-Land techniques to bypass traditional security measures

The vulnerability has a base score of 6.1, classified as Medium in severity, with an attack vector of NETWORK and low attack complexity and user interaction requirements. The consequences of this vulnerability could be drastic. Users could be unknowingly tricked into downloading malware, sharing sensitive information with malicious actors, or falling victim to sophisticated phishing attacks. This dents the core principle of user trust and **security that browsers** are designed to uphold.

To mitigate CVE-2025-23086, update to Brave Desktop Browser version 1.74.48 or later, check for open redirect vulnerabilities, and make sure to verify the file download sources and recognize suspicious prompts.

In addition, use security tools and browser extensions to protect against open redirects and phishing tactics. Regular updates and user awareness can significantly reduce exploitation risks. Trusted site administrators should also review their platforms to remove or fix open redirect vulnerabilities. Check out **this article** to learn more about how to ensure browser security.

1.  **Brave browser Tor feature leaked .Onion queries to ISPs**
2.  **New Vcurms Malware Targets Popular Browsers for Data Theft**
3.  **Fake Brave browser site dropped malware, thanks to Google Ads**
4.  **New Tech Support Scam Freezes Chrome, Firefox & Brave Browser**
5.  **DOJ Proposes Breaking Up Google: Calls for Sale of Chrome Browser**

Brave Desktop Browser Vulnerability Lets Malicious Sites Appear Trusted

Cary, North Carolina, 26th January 2025, CyberNewsWire

**Cary, North Carolina, January 26th, 2025, CyberNewsWire**

INE Security, a leading global provider of cybersecurity training and certifications, today announced a new initiative designed to accelerate compliance with the Department of Defense’s (DoD) newly streamlined Cybersecurity Maturity Model Certification (CMMC) 2.0. This initiative aims to assist Defense Industry Base (DIB) contractors in swiftly adapting to the updated certification standards, which are critical to securing and maintaining defense contracts.

With the DoD’s reduction of CMMC levels from five to three, the path to compliance has become more direct but not less demanding. Recognizing the urgency for contractors to comply without delay, INE Security is offering a guide to strategic compliance acceleration. This includes a comprehensive checklist and guidance on how to implement the compliance requirements. 

> “The DoD’s updated framework requires greater clarity and speed in the compliance process than ever before,” said Dara Warn, CEO of INE Security. “At INE Security, we recognize the challenges organizations face in navigating the complexities of CMMC compliance. Our goal is to empower organizations to not only meet but exceed their compliance objectives by providing them with the tools and strategies needed for a faster and smoother journey. We are committed to simplifying the path to compliance, enabling our clients to focus on what they do best: securing their operations and contributing to our national defense.”

**Certification Requirements**

Each level carries its own stringent requirements, ranging from broad in scope at Level 1 to highly specialized at Level 3. Organizations can use this checklist to track progress and identify areas requiring attention before assessment. 

**Level 1 Certification Requirements**

**Technical Controls**

*   Basic password management
*   Access control implementation
*   Information integrity checks
*   Basic endpoint protection

**Documentation Needs**

*   System security policies
*   Access control documentation
*   Asset inventory
*   Basic security procedures

**Assessment Preparation**

*   Self-assessment documentation
*   Evidence collection
*   Policy review
*   Annual review planning

**Level 2 Certification Requirements**

**Technical Controls**

*   Multi-factor authentication
*   Network segmentation
*   Security monitoring tools
*   Incident response capabilities
*   Audit logging systems

**Documentation Needs**

*   System Security Plan (SSP)
*   Configuration management plans
*   Incident response procedures
*   Risk assessment documentation
*   POA&M development

**Assessment Preparation**

*   Third-party assessment readiness
*   Evidence compilation
*   Technical demonstrations
*   Staff interview preparation
*   Control validation testing

**Level 3 Certification Requirements**

**Technical Controls**

*   Advanced threat detection
*   Security orchestration
*   Continuous monitoring
*   Zero-trust implementation
*   Advanced access control

**Documentation Needs**

*   Enhanced SSP
*   Threat modeling documentation
*   Advanced security procedures
*   Risk management framework
*   Continuous monitoring plan

**Assessment Preparation**

*   Government assessment readiness
*   Advanced evidence compilation
*   Security control testing
*   Personnel training records
*   Program effectiveness metrics

**Implementation Guidance**

Successfully navigating the compliance requirements of CMMC 2.0 demands a structured approach to implementation and preparation. Each step, from initial technical review to mock assessments, is designed to build upon the previous, ensuring a seamless path to CMMC certification. 

**Technical Control Implementation**

*   Reviewing current architecture
*   Identifying gaps in controls
*   Developing implementation plan
*   Testing controls in staging
*   Deploying to production
*   Validating effectiveness

**Documentation Best Practices**

*   Using standard templates
*   Including revision history
*   Maintaining clear procedures
*   Documenting configurations
*   Tracking changes
*   Regular reviews

**Assessment Readiness**

*   Internal pre-assessment
*   Documentation review
*   Technical validation
*   Staff preparation
*   Evidence organization
*   Mock assessment

**How INE Security Helps Organizations Accelerate Compliance**

**Technical Training**

*   INE Security’s comprehensive technical training program provides hands-on experience through practical labs focused on control implementation and security tool configuration. Structured learning paths cover essential skills in network security implementation and monitoring system setup, giving users real-world experience with the tools and techniques required for CMMC compliance.

**Assessment Preparation**

*   Organizations can prepare confidently for CMMC assessment with INE Security’s practical scenarios and technical training tools. The training helps students master control validation exercises and provides thorough interview preparation guidance, ensuring students are prepared and the assessment process is smooth. 

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Director of Global Strategic Communications and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Alert: Expediting CMMC 2.0 Compliance

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

MITRE's Latest ATT&amp;CK Simulations Tackle Cloud Defenses

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

Source: Elena Uve via Alamy Stock Photo

COMMENTARY

API security often involves third-party, rather than first-party, APIs, and each use case can have different requirements. Rather than trying to make one technological approach work for all instances, security and risk management leaders must adapt their approach to the specific use case.

According to a recent Gartner survey, 71% of IT leaders report using third-party application programming interfaces (APIs) in their organizations. Many security and risk management leaders must focus on API security when dealing with consumption and integration with third-party APIs, rather than exposure of first-party APIs. 

In addition, when it comes to third-party APIs, many remediation measures, such as patching for exposures, are not under the organization's direct control. Therefore, the approach will have to be fundamentally different as compared to first-party APIs. 

Three use cases should be top of mind for these security leaders.

**Use Case 1: Discover and Manage Outbound Data Flows to Third-Party APIs**

In this first use case, the enterprise sends data to third parties via APIs, typically by invoking them from homegrown applications. In an e-commerce scenario, for instance, the service providing the API could be a payment gateway. In this example, the outgoing traffic would contain payment data used to process a payment. There are different ways to invoke the API from within the application, such as direct integration, using a software development kit or a webhook.

A main risk is that sensitive data may be sent toward the API. This activity may conflict with enterprise policies or industry regulations. Third-party APIs may also put the data, or the data of customers, in danger. For example, an attacker may be able to steal payment data from customers by using a vulnerable payment API. Depending on the scenario, injecting a malicious payload could also corrupt the database of a business partner.

In this scenario, security leaders should discover third-party APIs by performing traffic inspection, code repository inspection, and software composition analysis, as certain third-party APIs may be invoked via third-party libraries, not homegrown code.

Security leaders should also liaise with the team that manages sourcing, procurement, and vendor management (SPVM) and third-party cyber-risk to ensure software-as-a-service (SaaS) applications are vetted and comply with organizational policies.

Security leaders must also identify sensitive data exfiltration by monitoring the outgoing traffic in these API exchanges. This is typically achieved by implementing data loss prevention (DLP) capabilities. Disparate tools could apply—for example, security service edge (SSE), DLP, and API protection tools all have certain DLP capabilities.

*   Differentiators could include whether the tool can categorize data while in transit (“on the fly”) or whether it can perform remediation actions, such as blocking the exchange, anonymizing, or encrypting the data.
    
*   The monitoring point may also matter, as some tools may already be installed or have access to unencrypted traffic.
    
*   Most importantly, the way security leaders have configured a tool matters. If it is set up to act as a choke point, it could be a better option than a tool configured to process only specific types of traffic or incoming traffic, for example.
    
*   Internal considerations, such as which team owns and operates each tool, will also play a role in determining which tool to choose.
    

Finally, security leaders can implement proper authentication and authorization of the API client (in this scenario, the application) using the mechanisms offered by the API provider. At a minimum, favor tokens over API keys for authorization. Assess how opaque and proof-of-possession tokens (or at least frequently rotated access credentials) and certificate pinning may efficiently mitigate token leakage and interception risks in specific use cases. Be mindful of the technical burdens they may require to set them up and issues with traffic inspection.

**Use Case 2: Protect From Inbound Traffic From Third-Party APIs**

In this use case, the organization consumes the third-party API, and the data is incoming. A typical example could be an enterprise application that makes an API call to obtain data from a commercial SaaS provider or a business partner.

One risk in this use case is receiving potentially harmful input from the API. Malicious input from third-party APIs may endanger applications, its users, or the infrastructure hosting applications. For example, if an API response with a malicious payload is sent to a database, it could result in an injection attack.

Data exfiltration is still a risk for this use case, and many of the recommendations from the first use case still apply here. If the outgoing API request contains sensitive data, that data could be intercepted. For example, if an API call requests a list of restaurants based on GPS coordinates, said GPS coordinates could be intercepted if the connection is not secure. Most importantly, the third-party API could be fetching the specific data of the enterprise. (Think, for example, of an API fetching data about customers from specific instances of a CRM SaaS application.)

Security leaders should perform input validation. Ask developers to add input validation controls when ingesting any input, including input from third-party APIs. This will prevent a large spectrum of attacks from malicious input, such as SQL injection attacks. Application security testing (AST) tools can help automate these checks.

Use Web application firewall functionality from a Web application and API protection tool in-line to add contingencies against injection attacks and other types of malicious input.

Finally, vet the input with an antivirus, sandboxing, or content disarm and reconstruction solution by integrating applications typically via Internet content adaptation protocol or APIs with one or more of these tools.

**Use Case 3: Discover, Vet and Manage the Data for Third-Party Apps That Communicate via APIs**

Many security leaders are focused on API security but describe a scenario where one or more SaaS applications typically communicate via APIs, exchanging enterprise data. This issue can be exacerbated because users may be able to interconnect SaaS applications without having administrative privileges. While the underlying communication may be API-based, this problem's solution is closer to the best practices for SaaS security.

This situation is particularly challenging when an authorized SaaS application user connects it via API to an unauthorized SaaS app. Many organizations will have little to no visibility of the connection's existence, let alone of any data transfers across it. Second, visibility is limited to what SaaS providers reveal through their own management APIs, as there's no clear place to insert an in-line control. The main risk with this scenario is that the SaaS application may expose sensitive enterprise data via the API, and that data may be transferred to an unapproved and even unknown location that security has not vetted.

Security leaders should discover the SaaS applications used by performing a census, releasing a policy, and inspecting traffic. Use SSE, firewalls, SaaS management platforms, or other tools to identify the SaaS applications users are accessing, especially those housing sensitive data. Until they know what applications users are accessing, they cannot check for SaaS-to-SaaS connectivity

Discover rogue SaaS access tokens by querying the SaaS applications used, where supported. Create and promote policy to users about connecting SaaS apps via OAuth.

For the previous use cases, liaise with the team that manages SPVM and third-party cyber-risk to ensure SaaS applications are vetted and comply with organizational policies, such as data security and third-party sharing ones. In addition, inventory SaaS-to-SaaS interconnections; automated tooling, such as SSPM offerings, can help ensure this is a continuous process.

By adapting their approaches to these three specific use cases and their possible variations, security leaders can address the risks that third-party APIs present for their organizations.

**About the Author**

VP Analyst, Gartner

Dionisio Zumerle is a VP Analyst at Gartner, where he is currently focused on application and mobile security topics. Zumerle's coverage includes API security, mobile application security, DevSecOps, and mobile threat defense.

3 Use Cases for Third-Party API Security

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

Source: Brian Jackson via Alamy Stock Photo

A flaw in the widely used Cloudflare content delivery network (CDN) can expose someone's location by sending them an image on platforms like Signal and Discord, deanonymizing them in seconds without their knowledge.

That's according to a 15-year-old security researcher who goes by only "Daniel," who published research on GitHub Gist about the flaw — which he discovered three months ago — as a warning for journalists, activists, and hackers, who could be at physical risk.

The flaw allows an attacker to grab the location of any target within a 250-mile radius when a vulnerable app is installed on a target's phone, or even as a background application on their laptop. Using either a one-click or zero-click approach, an attacker can use the app to "send a malicious payload and deanonymize you within seconds — and you wouldn't even know," Daniel wrote.

**Cloudflare Content Caching Is the Cyber Culprit**

The core of the flaw lies in one of Cloudflare's most used features: caching, Daniel explained. Cloudflare's cache stores copies of frequently accessed content, such as images, videos, or webpages, in its datacenters, ostensibly to reduce server load and improve website performance.

When a device sends a request for a resource that can be cached, Cloudflare retrieves the resource from its local data center storage, if possible, or from the origin server. It then caches it locally, and returns it. "By default, some file extensions are automatically cached but site operators can also configure new cache rules," Daniel explained.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Because of this process flow, if an attacker can get a user's device to load a resource on a Cloudflare-backed site, causing it to be cached in their local datacenter, they can then enumerate all Cloudflare data centers to identify which one cached the resource. "This would provide an incredibly precise estimate of the user's location," Daniel explained.

Daniel did have to overcome a hurdle to this attack flow in that someone "can't simply send HTTP requests to individual Cloudflare datacenters," he wrote. However, he discovered a bug via a forum post that demonstrates how someone can send requests to specific Cloudflare datacenters with Cloudflare Workers, and created a tool called Cloudflare Teleport, a proxy powered by Cloudflare Workers that redirects HTTP requests to specific datacenters.

**How to Exploit the Cloudflare Location Flaw**

Daniel went on to demonstrate how he could send images via both Signal and Discord that would expose the recipient's location. For Signal, which is an app favored by journalists and activists due to its privacy features, a one-click attack allows someone to send either an attachment or an avatar to a user that exploits the cache geolocation method to pinpoint the recipient's location.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

An attacker also could use a zero-click attack in Signal by taking advantage of push notifications, which occur when a message is sent to a user while they are not actively using the app. In this case, the recipient doesn't even have to open the Signal conversation for their device to download the attachment, he said.

Attackers can exploit the flaw similarly in Discord, with potentially wider impact, using a custom emoji that's loaded from Discord's CDN and configured to be cached on Cloudflare, he explained.

"So, instead of sending an attachment in a Discord channel, an attacker can display a custom emoji in their user status and simply wait for the target to open their profile to run a deanonymization attack," Daniel wrote. A one-click attack vector also is possible in Discord by changing a user's avatar and sending a friend request to someone, which triggers a push notification, he added.

**Signal, Discord, Cloudflare Response & Mitigation**

Daniel contacted Signal, Discord, and Cloudflare about the bug. The first two companies did nothing to mitigate it, with Signal claiming users are responsible for protecting their own identities, and Discord claiming it was Cloudflare's responsibility.

Related:Trump Overturns Biden Rules on AI Development, Security

For its part, Cloudflare did fix the Cloudflare Workers bug that allowed Daniel to create the Teleport tool. The bug was reported to its HackerOne program a year ago by another researcher, but the company had not responded to the report. It reopened the case after Daniel's report and mitigated the issue, awarding him a $200 bug bounty in the process.

However, even after the mitigation, Daniel was able to exploit the flaw by reprogramming his Cloudflare Teleport tool to use a VPN instead, choosing a VPN provider with more than 3,000 servers located in various locations across 31 different countries worldwide. "Using this new method, I'm able to reach about 54% of all Cloudflare datacenters again," he explained.

At this time, "any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken," Daniel wrote.

And this can be especially dangerous for people who need to protect their location for various reasons, such as a woman who may be hiding from a violent boyfriend or husband, or a political dissident who is being targeted by a hostile government, says Roger Grimes, data-driven defense evangelist at KnowBe4.

“At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios … where it could be a problem," he tells Dark Reading. Moreover, Grimes suspects that Cloudflare CDN is not the only CDN affected by such a flaw, as "the attack is just generic enough that I think it can be applied to more CDNs," he says.

Daniel advised that people concerned about their privacy should limit their exposure on the affected apps, which "can make a significant difference" when it comes to protecting their location data.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#ios