**Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?**

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. This purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.

CVE-2024-38190: Power Platform Information Disclosure Vulnerability

Intel Broker claims a major data breach at Cisco, allegedly stealing source codes, confidential documents, and credentials from…

Intel Broker claims a major data breach at Cisco, allegedly stealing source codes, confidential documents, and credentials from global firms like Verizon, AT&T, Microsoft, and more. Data is now for sale on Breach Forums.

Intel Broker, a hacker notorious for high-profile data breaches, is claiming to have breached the technology giant Cisco Systems, Inc. In a post on the cybercrime platform **Breach Forums**, the hacker stated that the breach enabled them to steal a massive amount of sensitive information from Cisco’s systems.

According to the hacker, the alleged data breach took place on October 10, 2024, while the Breach Forum post was published earlier today on October 14, 2024.

Intel Broker’s post (Screenshot: Hackread.com)

****What Was Allegedly Stolen?****

As seen by the Hackread.com research team, Intel Broker has listed a massive amount of data that was allegedly stolen in the breach, including:

*   **Source Code**: Projects from GitHub, GitLab, and SonarQube, critical to Cisco’s development efforts.
*   **Hard-Coded Credentials**: Sensitive information like login details embedded in source code.
*   **Certificates and Keys**: SSL certificates, and public and private keys crucial for secure communications.
*   **Confidential Documents**: Internal documents and information classified as “Cisco Confidential.”
*   **API Tokens and Storage Buckets**: AWS private buckets, Azure storage buckets, and API tokens that could be used to access critical systems.
*   **Other Sensitive Information**: Jira tickets, Docker builds, and Cisco premium products are also listed.

****Impact on Major Corporations****

Intel Broker also shared a list of companies whose production source codes were allegedly taken during the breach. The list includes several high-profile firms, particularly in the telecommunications and financial sectors, such as:

*   **Telecom Companies**: Verizon, AT&T (USA and Mexico), British Telecom, T-Mobile (USA and Poland), Vodafone (Albania and Australia), and Turkcell.
*   **Financial Institutions**: Bank of America, Barclays, and National Australian Bank.
*   **Tech and Health**: Microsoft, Liberty Global, and Dignity Health.

Sample documents shared by the hacker (Screenshot: Hackread.com)

****Data for Sale****

Intel Broker is offering the stolen data for sale in exchange for Monero (XMR), a cryptocurrency known for its privacy features. The hacker indicated that they are open to using a middleman to facilitate the transaction, ensuring **anonymity** for both the buyer and seller. This method is a common practice among cybercriminals to avoid detection and tracking by authorities.

****Unverified but Serious Claims****

At the time of writing, Hackread.com, which first spotted the hacker’s claims, has reached out to Cisco for comment, but no official response has been given. The breach, if confirmed, could have major consequences for Cisco and the affected companies, raising concerns about the extent of the damage and the potential exploitation of the compromised data.

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **U.S. contractor Acuity Inc.**
*   **Staffing giant Robert Half**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

Nevertheless, these claims regarding the Cisco data breach go on to show the cybersecurity risks faced even by large organizations. As more details emerge, the scale of this breach and its potential fallout will be closely watched.

1.  **Akira Ransomware Targets Businesses via Exploited CISCO VPNs**
2.  **Cisco Network Breach as Employee’s Google Account** **was** **Hacked**
3.  **Hackers Claim 10TB Breach at Russian Cybersecurity Firm Dr.Web**
4.  **Hackers leave US flag after targeting Cisco switches in Russia & Iran**
5.  **Ex-worker hacked Cisco AWS Infrastructure; erased virtual machines**

Intel Broker Claims Cisco Breach, Selling Stolen Data from Major Firms

Education, including K-12 schools and universities, has become the third most targeted sector due to the high variety of sensitive data it stores in its databases.

Source: SeventyFour Images via Alamy Stock Photo

Malicious actors are increasingly targeting K-12 and higher education institutions, an "industry of industries" as Microsoft's new report calls it, due to the immense amount of private data that these enterprises handle.

From information regarding financial data to health records and other sensitive information, hackers have a host of pickings to choose from if they are successful in their exploitation attempts, Microsoft's Threat Intelligence report explained.

"The combination of value and vulnerability found in education systems has attracted the attention of a spectrum of cyberattackers — from malware criminals employing new techniques to nation-state threat actors engaging in old-school spy craft," Microsoft said.

Education as an industry faces a variety of issues that prompt attacks from hackers: security staffing limitations; difficult-to-secure IT systems; virtual/remote learning environments; extensive QR code usage; open email systems; lack of funding; and more. There's also the issue of users — some as young as 6 years old — who are too young to know safe cybersecurity habits and are liable to compromise a network. 

The education sector deals with an average of 2,507 attempted cyberattacks on a weekly basis from nation-state groups to ransomware gangs, with universities especially presenting their own unique challenges due to the culture of sharing information, research, and innovation, Microsoft found.

Some of the nation-state actors that Microsoft highlights are Peach Sandstorm, Mint Sandstorm, Mabna Institute, Emerald Sleet, and Moonstone Sleet, with an honorable mention for Storm-1877, which is still in development. 

Education institutions can protect themselves from these threats by implementing a new security curriculum, such as maintaining and scaling core cyber hygiene, prioritizing cyber awareness at all levels, whether students, IT staff, or faculty. Microsoft also advised hardening overall security posture as well as centralizing the technology stack, and implementing better monitoring procedures to get a clear picture of security posture and potential vulnerabilities.  

Microsoft highlighted some institutions such as Oregon State University and the Arizona Department of Education, which are both doing noteworthy jobs of implementing an ace cyber posture. The former's progress came in response to a major cybersecurity incident, prompting its Security Operations Center (SOC) alongside the help of AI and automated capabilities; the latter which focuses on zero-trust principles by blocking any traffic outside of the US from its 365 environment, Azure, and data center.

Microsoft: Schools Grapple With Thousands of Cyberattacks Weekly

Attackers can introduce a malicious document in systems such as Microsoft 365 Copilot to confuse the system, potentially leading to widespread misinformation and compromised decision-making processes.

Source: Mopic via Shutterstock

Attackers can add a malicious document to the data pools used by artificial intelligence (AI) systems to create responses, which can confuse the system and potentially lead to misinformation and compromised decision-making processes within organizations.

Researchers from the Spark Research Lab at the University of Texas (UT) at Austin discovered the attack vector, which they've dubbed ConfusedPilot because it affects all retrieval augmented generation (RAG)-based AI systems, including Microsoft 365 Copilot. This includes other RAG-based systems that use Llama, Vicuna, and OpenAI, according to the researchers.

"This attack allows manipulation of AI responses simply by adding malicious content to any documents the AI system might reference," Claude Mandy, chief evangelist at Symmetry, wrote in a paper about the attack, which was presented at the DEF CON AI Village 2024 conference in August but was not widely reported. The research was conducted under the supervision of Symmetry CEO and UT professor Mohit Tiwari.

Given that 65% of Fortune 500 companies currently implement or are planning to implement RAG-based AI systems, the potential impact of these attacks cannot be overstated," Mandy wrote. Moreover, the attack is especially dangerous that it requires only basic access to manipulate responses by all RAG-based AI implementations, can persist even after malicious content is removed, and bypasses current AI security measures, he said.

**Malicious Manipulation of RAG**

RAG is a technique for improving response quality and eliminating a large language model (LLM) system’s expensive retraining or fine-tuning phase. It adds a step to the system in which the model retrieves external data to augment its knowledge base, thus enhancing accuracy and reliability in generating responses without the need for retraining or fine-tuning, the researchers said.

The researchers chose to focus on Microsoft 365 Copilot for the sake of their presentation and their paper, even though it is not the only RAG-based system affected. Rather, "the main culprit of this problem is misuse of RAG-based systems … via improper setup of access control and data security mechanisms," according to the ConfusedPilot website hosted by the researchers.

In normal circumstances, a RAG-based AI system will use a retrieval mechanism to extract relevant keywords to search and match with resources stored in a vector database, using that embedded context to create a new prompt containing the relevant information to reference.

**How the Attack Works**

In a ConfusedPilot attack, a threat actor could introduce an innocuous document that contains specifically crafted strings into the target’s environment. "This could be achieved by any identity with access to save documents or data to an environment indexed by the AI copilot," Mandy wrote.

The attack flow that follows from the user's perspective is this: When a user makes a relevant query, the RAG system retrieves the document containing these strings. The malicious document contains strings that could act as instructions to the AI system that introduce a variety of malicious scenarios.

These include: content suppression, in which the malicious instructions cause the AI to disregard other relevant, legitimate content; misinformation generation, in which the AI generates a response using only the corrupted information; and false attribution, in which the response may be falsely attributed to legitimate sources, increasing its perceived credibility.

Moreover, even if the malicious document is later removed, the corrupted information may persist in the system’s responses for a period of time because the AI system retains the instructions, the researchers noted.

**Victimology and Mitigations**

The ConfusedPilot attack basically has two victims: The first is the LLM within the RAG-based system, while the second is the person receiving the response from the LLM, who very likely could be an individual working at a large enterprise or service provider. Indeed, these two types of companies are especially vulnerable to the attack, as they allow multiple users or departments to contribute to the data pool used by these AI systems, Mandy noted.

"Any environment that allows the input of data from multiple sources or users — either internally or from external partners — is at higher risk, given that this attack only requires data to be indexed by the AI Copilots," he wrote.

Enterprise systems likely to be negatively affected by the attack include enterprise knowledge-management systems, AI-assisted decision support systems, and customer-facing AI services.

Microsoft did not immediately respond to request for comment by Dark Reading on the attack's affect on Copilot. However, the researchers noted in their paper that the company has been responsive in coming up with "practical mitigation strategies" and addressing the potential for attack in its development of its AI technology. Indeed, the latter is key to long-term defense against such an attack, which depends on "better architectural models" that "try to separate the data plan from the control plan in these models," Mandy noted.

Meanwhile, current strategies for mitigation include: data access controls that limit and scrutinize who can upload, modify, or delete data that RAG-based systems reference; data integrity audits that regularly verify the integrity of an organization's data repositories to detect unauthorized changes or the introduction of malicious content early; and data segmentation that keeps sensitive data isolated from broader datasets wherever possible to prevent the spread of corrupted info across the AI system.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

ConfusedPilot Attack Can Manipulate RAG-Based AI Systems

Ultimately, the goal of creating a trusted environment around all digital assets and devices is about modernizing the way you do business.

Alex Simons, Corporate VP, Product Management, Microsoft Identity and Network Access

October 14, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

In today's digital world, threats are around every corner. The technology behind attacks is increasingly sophisticated. Actors include criminal organizations seeking big payouts and nation-states conducting espionage and looking for opportunities to create chaos.  

At the same time, the world continues to transform rapidly around us. With artificial intelligence (AI), we're about to go through the biggest business transformation since the widespread adoption of the Internet, and the bad guys are also exploring how they can use AI for harm.  

In a mobile, cloud-first, AI-driven world, companies must be ready to use world-class technology and processes to protect themselves, their data, and their people, wherever they go.  

Today, those technologies are coalescing around a modern vision for what is, at its heart, one of our most ancient security solutions: our own unique identity. Let's take a look at how a modern version of this ancient solution can help protect our digital lives.  

**Your Castle Walls Have Fallen. What Now? **

Fifteen years ago, the world's security best practice was a "moat-and-castle" model. Organizations kept their most important resources inside their office networks and wrapped a firewall around them.  

As long as their people and resources were inside the wall, everybody could connect to everything as the entire estate was trusted and contained. Your biggest concerns were insider threats or invaders trying to storm your firewall.  

Today, many employees are embracing hybrid and mobile workstyles. We're also adding cloud-scale AI that, by design, is not inside the firewall, while highly mobile workers use VPNs to access applications while outside the network. All this makes the old moat-and-castle security paradigm terribly outdated.  

Additionally, in many ways, companies are becoming cloud services — as their partners, suppliers and customers increasingly interact with them through digital experiences for product discovery, ordering, payment, invoicing, customer service, and customer loyalty programs.  

**Since Data and People Are Always in Transit, Security Should Flow Wherever They Go**

In a world where every organization is a cloud service that needs to securely interact with everybody and everything, companies must ensure that all of their connections are secure and that only the right people, software, devices, and networks are allowed access.  

This is known as a zero-trust model. In a zero-trust environment, every time a user, a device, or a workload wants to access your digital assets and services, they have to prove that they, their software, and the network they're using are all trustworthy. This is why identity plays such an important role in this new security model. By default, all access to everything is closed off until you have a strong proof of the identity and authenticity of the person and of their device. 

Designing, deploying, and running this kind of identity powered zero-trust enterprise environment can be challenging. It requires having a coordinated strategy across multiple teams to design, deploy, and run a security solution that brings together user and workload accounts, device management, device protection, network state, and an inventory of digital resources and permissions, and enables the enforcement of adaptive, granular access policies across the enterprises entire digital estate. 

**Identity: Even More Important in the Era of AI **

If your organization doesn't have this kind of identity-centric zero-trust model in place today, moving to an AI future is going to be risky and challenging. When you deploy a large language model (LLM) assistant, it becomes incredibly easy for employees to find content from across all your  documents and files, even the ones you didn’t know they had rights to access.  

And that also means an intruder could use the AI assistant to run queries for assets that they never should be able to find. Where organizations used to have the benefit of obscure file hierarchies to waste an attacker's time, today's super-smart AI engines make it incredibly easy to quickly find information anywhere it's stored.  

The solution is something called "workload identities." A workload identity is the identity your software systems use to get things done. Having your co-pilot or your LLM use a workload identity with well-managed permissions means that it can only get to the specific documents and files you allow it to access, which enables you to govern and secure the LLM's access just like you would for any user.  

**Modern Security Benefits Everyone**

Ultimately, creating a trusted environment can modernize the way you do business. Now, employees can work from anywhere. The company can hire talent it wouldn't have access to before. The company can work directly with customers and suppliers digitally. And you can do all that in a world of cloud, AI, and mobile resources that can easily scale up and down.  

Employees, partners, and customers all get a seamless experience on the devices they choose, wherever they want to work. And chief information security officers (CISOs) can be confident that it's happening with security omnipresent.  

And it's all made possible by focusing on the oldest access solution of all — your own unique identity.  

**About the Author**

Corporate VP, Product Management, Microsoft Identity and Network Access

Alex Simons is corporate vice president, product management, Microsoft Identity and Network Access Division. He is responsible for driving the vision and strategy, product roadmap, and feature design of the Microsoft Entra Suite. He prides himself on being deeply connected to customers and has direct relationships with many of Microsoft’s largest enterprise customers. In addition to managing his own team, Alex is responsible for partnering with teams across Office, Windows, Azure, Visual Studio, Dynamics, Xbox, and LinkedIn to deliver world-class identity experiences and security and compliance controls.

Why Your Identity Is the Key to Modernizing Cybersecurity

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

The password-killing tech known as “passkeys” have proliferated over the past two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative. And although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point.

At the FIDO Alliance's Authenticate Conference in Carlsbad, California, on Monday, researchers are announcing two projects that will make passkeys easier for organizations to offer—and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website, called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms.

“To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords,” Andrew Shikiar, CEO of the FIDO Alliance, told WIRED ahead of Monday's announcements. “And when it comes to CXP, we have all these companies who are fierce competitors willing to collaborate on credential exchange."

CXP comprises a set of draft specifications developed by the FIDO Alliance's “Credential Provider Special Interest Group.” Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all of your passwords from one manager to another are often dangerously exposed and essentially just dump a list of all of your passwords into a plaintext file.

It's gotten much easier to sync passkeys across your devices through a single password manager, but CXP aims to standardize the technical process for securely transferring them between platforms so users are free—and safe—to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data.

“In the future, this could apply to mobile driver's licenses, say, or passports—any secrets that you want to export somewhere and import into another system,” Christiaan Brand, identity and security group product manager at Google, tells WIRED. “We've got most of the rough edges sanded down with passkeys, but one of the main pieces of negative feedback over the past year has been around portability and potential vendor lock-in. I think with this, we are signaling to the world that passkeys are growing up.”

The goal of the resource repository Passkey Central is similarly to help the ecosystem expand and mature. Product leads or security professionals who want to implement passkeys for their user base may need to make a business case to executives to get budget for the project. The FIDO Alliance is basically aiming to help them with the pitch—providing data and communications materials—and then support their rollout with prefab materials like implementation and roll-out guides, user experience and design guidelines, documentation around accessibility, and troubleshooting.

“We've made amazing progress on passkeys,” FIDO's Shikiar says. “Usability and user experience are pretty much there. But we do have a punch list and we’re actively working on it. Portability is an important feature on that list. And while the biggest brands on the planet are now using passkeys at scale, there’s a very long tail of companies that haven’t gotten started yet. So we want to offer resources and the assets they need to be successful."

Craig Newmark Philanthropies' Cyber Civil Defense coalition provides some funding to advance passkeys. In an interview with WIRED ahead of Monday's announcements, Newmark said he believes that passkeys can make a real difference both for the digital security of individual people and for internet security overall.

“There are a lot of vulnerable systems out there,” Newmark says. “You need to make it a lot harder for bad actors to defeat password schemes. You need to make everything more secure, and passkeys is part of that.”

The War on Passwords Is One Step Closer to Being Over

Hey there, it's your weekly dose of "what the heck is going on in cybersecurity land" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.
So let's jump in before we get FOMO.
⚡ Threat of the Week
GoldenJackal Hacks Air-Gapped Systems: Meet

Hey there, it's your weekly dose of "_what the heck is going on in cybersecurity land_" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.

So let's jump in before we get FOMO.

****⚡ Threat of the Week****

**GoldenJackal Hacks Air-Gapped Systems:** Meet GoldenJackal, the hacking crew you've probably never heard of – but should definitely know about now. They're busting into super-secure, air-gapped computer systems with sneaky worms spread through infected USB drives (yes, really!), proving that even the most isolated networks aren't safe. ESET researchers caught them red-handed using two different custom-made tools to target high-profile victims, including a South Asian embassy in Belarus and a European Union government organization.

****🔔 Top News****

*   **Mozilla Patches Firefox 0-Day:** Mozilla patched a critical zero-day flaw in its Firefox browser that it said has been actively exploited in the wild to target Tor browser users. While there are currently no details on the attacks, users are advised to update to Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1.
*   **Contagious Interview Remains Lucrative for N. Korea:** Ever since details about a North Korean hacking campaign called Contagious Interview came to light nearly a year ago, it has continued to target the technology sector with no signs of stopping anytime soon. These attacks aim to deliver backdoors and information-stealing malware by deceiving developers into executing malicious code under the pretext of a coding assignment as part of a job interview after approaching them on platforms like LinkedIn.
*   **OpenAI Disrupts Malicious Operations:** OpenAI said it has disrupted over 20 malicious cyber operations since the start of the year that abused its generative artificial intelligence (AI) chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and vulnerability research. One of the activity clusters was observed targeting OpenAI employees via spear-phishing attacks to deploy the SugarGh0st RAT.
*   **FBI Creates Fake Crypto to Disrupt Fraudulent Operation:** The U.S. Federal Bureau of Investigation (FBI) took the "unprecedented step" of creating its own cryptocurrency token and a company called NexFundAI to take down a fraud operation that allegedly manipulated digital asset markets by orchestrating an illegal scheme known as wash trading. A total of 18 people and entities have been charged in connection with the pump-and-dump scam, with three arrests reported so far.
*   **Gorilla Botnet Launches 300,000 DDoS Attacks Across 100 Countries:** A botnet malware family called Gorilla issued over 300,000 attack commands in the month of September 2024 alone, targeting universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany. The botnet is based on the leaked Mirai botnet source code.

****📰 Around the Cyber World****

*   **Microsoft Announces Windows 11 Security Baseline:** Microsoft has released the Windows 11, version 24H2 security baseline with added protections to LAN Manager, Kerberos, User Account Control, and Microsoft Defender Antivirus. It also includes Windows Protected Print (WPP), which the company described as the "new, modern and more secure print for Windows built from the ground up with security in mind." In a related development, the tech giant announced a redesigned Windows Hello experience and API support for third-party passkey providers like 1Password and Bitwarden to plug into the Windows 11 platform.
*   **Apple macOS iPhone Mirroring is Broken:** Apple announced a new iPhone mirroring feature with macOS 15.0 Sequoia, but cybersecurity firm Sevco has uncovered a privacy risk that could expose metadata associated with apps on an employee's personal iPhone to their corporate IT department. The issue stems from the fact that the iOS apps mirrored to the Mac populate the same application metadata as native macOS applications, thereby leaking information about the apps that may be installed on their phones. Apple has acknowledged the problem and is said to be working on a fix.
*   **Social Engineering Via Phone Calls:** Threat actors have found an effective social engineering vector in phone calls in order to trick users into performing an unintended action, a technique also called telephone-oriented attack delivery (TOAD), callback phishing, and hybrid vishing (a combination of voice and phishing). Intel 471 said it has observed a "sharp increase in underground offers for illicit call center services that can aid in malware delivery, ransomware-related calls, and other fraud-oriented social-engineering attempts."
*   **Malicious Extensions Can Bypass Manifest V3:** Google has said Manifest V3, its latest version of the extensions platform, avoids the security loopholes of its predecessor, which allowed browser add-ons to have excessive permissions and inject arbitrary JavaScript. However, new research has found that it's still possible for malicious actors to exploit minimal permissions and steal data. The findings were presented by SquareX at the DEF CON conference back in August. The research also coincides with a study that discovered "hundreds of extensions automatically extracting user content from within web pages, impacting millions of users."
*   **What can a USB reveal?:** A new analysis from Group-IB goes into detail about the artifacts generated in the USB device when files are accessed or modified on devices running various operating systems. "USB formatted with NTFS, FAT32, and ExFAT often create temporary files, particularly during file modifications," the company said. "USB formatted with NTFS on Windows provided more information on file system changes from the $Logfile due to its journaling capabilities." USB formatted with HFS+ has been found to store versions of files that have been edited with GUI tools in a versioning database. Likewise, USB formatted with FAT32/ExFAT on macOS generates ". \_filename" files to ensure file system compatibility for storing extended attributes.

**🔥 **Cybersecurity Resources & Insights****

*   **Expert Webinars**
    *   **Building a Successful Data Security Posture Management Program**: Drowning in data security headaches? Hear directly from Global-e's CISO how Data Security Posture Management (DSPM) transformed their data security. Get real-world insights, and practical advice, get your questions answered and actionable strategies in this exclusive webinar, and walk away with a clear roadmap. Reserve your seat today!
    *   **Ex-Mandiant Expert Exposes Identity Theft Tactics**: LUCR-3 is breaching organizations like yours through identity-based attacks. Learn how to protect your cloud and SaaS environments from this advanced threat. Cybersecurity expert Ian Ahl (former Mandiant) reveals the latest tactics and how to defend your organization. Register for this crucial webinar to gain the upper hand.
*   **Ask the Expert**
    *   **Q: With mobile devices increasingly targeted by cybercriminals, how can individuals protect their devices from network-based attacks, especially in unfamiliar or high-risk environments, such as when traveling?**
    *   **A:** When you're traveling, your mobile device can be a target for attacks like rogue base stations—fake cell towers set up to steal data or track your location. To protect yourself, start by enabling Lockdown Mode on iPhones, which blocks vulnerable 2G connections. Always use a VPN to keep your internet traffic encrypted and avoid using public Wi-Fi without it. A great tool to boost your awareness is the CellGuard app for iOS. It scans your network for suspicious activity, like rogue base stations, by analyzing things like signal strength and network anomalies. While it may flag some false alarms, it gives you an extra layer of protection.
*   **Cybersecurity Tools**
    *   **Broken Hill: A New Tool to Test AI Models' Weaknesses** \- It is an advanced tool that makes it easy to trick large AI models into misbehaving by bypassing their restrictions. It uses the Greedy Coordinate Gradient (GCG) attack to craft clever prompts that push popular models, like Llama-2 and Microsoft's Phi, to respond in ways they normally wouldn't. The best part? You can run it on consumer GPUs, like the Nvidia RTX 4090, without needing costly cloud servers. Ideal for researchers and security testers, Broken Hill helps uncover and fix vulnerabilities in AI models, making it a must-have tool in the fight against AI threats.
*   **Tip of the Week**
    *   **Your Browser Extensions Are Spying on You:** Browser extensions can be useful but also risky, with potential access to your data or hidden malware. Protect yourself by removing unused extensions, checking their permissions, and only allowing them to run on specific sites. Enable "Click to activate" for more control, and use tools like Chrome's Extension Source Viewer to spot any suspicious behavior. Keep extensions updated, monitor network traffic for unusual activity, and consider using a separate browser for sensitive tasks. Features like Firefox's Temporary Container Tabs can also help by isolating extension access. These simple steps can keep your browsing safer.

****Conclusion****

And that's how the cybersecurity cookie crumbles this week! But listen, before you log off and chill, remember this: always double-check the sender's email address before clicking any links, even if it looks like it's from your bestie or your bank. Phishing scams are getting sneakier than ever, so stay sharp! Until next time, stay safe and cyber-aware!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and Trends (Oct 7 - Oct 13)

The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region.
"The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities

The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region.

"The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation," Trend Micro researchers Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai said in an analysis published on Friday.

The cybersecurity company is tracking the threat actor under the moniker Earth Simnavaz, which is also referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten.

The attack chains entail the deployment of a previously undocumented implant that comes with capabilities to exfiltrate credentials through on-premises Microsoft Exchange servers, a tried-and-tested tactic adopted by the adversary in the past, while also incorporating recently disclosed vulnerabilities to its exploit arsenal.

CVE-2024-30088, patched by Microsoft in June 2024, concerns a case of privilege escalation in the Windows kernel that could be exploited to gain SYSTEM privileges, assuming the attackers can win a race condition.

Initial access to target networks is facilitated by means of infiltrating a vulnerable web server to drop a web shell, followed by dropping the ngrok remote management tool to maintain persistence and move to other endpoints in the network.

The privilege escalation vulnerability subsequently serves as a conduit to deliver the backdoor, codenamed STEALHOOK, responsible for transmitting harvested data via the Exchange server to an email address controlled by the attacker in the form of attachments.

A notable technique employed by OilRig in the latest set of attacks involves the abuse of the elevated privileges to drop the password filter policy DLL (psgfilter.dll) in order to extract sensitive credentials from domain users via domain controllers or local accounts on local machines.

"The malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions," the researchers said. "The threat actor also utilized plaintext passwords to gain access and deploy tools remotely. The plaintext passwords were first encrypted before being exfiltrated when sent over networks."

It's worth noting that the use of psgfilter.dll was observed back in December 2022 in a connection with a campaign targeting organizations in the Middle East using another backdoor dubbed MrPerfectionManager.

"Their recent activity suggests that Earth Simnavaz is focused on abusing vulnerabilities in key infrastructure of geopolitically sensitive regions," the researchers noted. "They also seek to establish a persistent foothold in compromised entities, so these can be weaponized to launch attacks on additional targets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf

PRESS RELEASE

SAN FRANCISCO, Oct. 10, 2024 /PRNewswire/ -- Relyance AI, the leading AI-powered data governance platform that provides complete visibility and control over enterprise-wide data, today announced a $32.1 million Series B funding round to scale operations and meet the needs of the exploding use of artificial intelligence in the enterprise. Thomvest Ventures led the round. M12, Microsoft Ventures Fund, also participated in addition to Cheyenne Ventures and existing investors Menlo Ventures and Unusual Ventures.

As demand for AI surges in the enterprise, global regulators are mandating data protection safeguards that companies find impossible to implement. At the same time, legal, security, and engineering teams are grappling with endless questions about how customer data is being used to train AI models. The impact? Executives are stifled by their inability to realize AI's innovation potential, and according to KPMG, more than two-thirds (76%) of enterprises are worried about data privacy and security when they partner with third parties. The result could be catastrophic: more than a quarter of the Fortune 500 identified AI regulation as a risk in annual reports to the SEC, and many continue to struggle with established data privacy regulations such as GDPR, which led to a record €2.1 billion in fines in 2023.

This has become a business-critical problem for all enterprises that was impossible to solve before Relyance AI's fully integrated governance platform. Until now, privacy and security have been seen as separate challenges, with one woefully unaware of the other. Privacy teams didn't know if their commitments to regulations and customers were being met, and security teams didn't know what data should be in AI models. Relyance AI marries the two into one joint solution, which is the only way to enable innovation while ensuring compliance in a rapidly evolving regulatory landscape.

"The era of accepting subpar privacy, DSPM, and AI governance solutions is over. Relyance AI sets a new standard where data protection and innovation are not mutually exclusive," said Abhi Sharma, CEO and co-founder of Relyance AI. "It's impossible to keep up with the current state of regulations, especially when GDPR, HIPAA, the EU's AI Act, and a mosaic of local U.S. privacy laws are all different and sometimes at odds. We're making it possible to demystify this and embolden the C-suite, engineers, and legal teams to urgently green-light AI in the enterprise with an integrated governance approach." 

Relyance AI safeguards businesses from fines and reputation damage while boosting customer trust to accelerate business growth. The platform provides complete visibility into enterprise-wide data processing and compares it against contractual commitments, global privacy regulations, and compliance frameworks. The company has scaled significantly to meet recent demand for these capabilities. In the first half alone, Relyance AI increased its enterprise customer base by 30%, and the company is projected to double its annual recurring revenue in 2024. Its client list now includes Coinbase, Fivetran, Verkada, Snowflake, Logitech, Plaid, and Notion.

"We're thrilled to lead the investment in Relyance AI, a unique, automated data governance platform that addresses the urgent need for real-time data visibility and compliance in a world of explosive data growth and emerging regulations," said Umesh Padval, Managing Director, Thomvest Ventures. "Relyance AI empowers Chief Privacy, Security, and Information Officers to manage data privacy and compliance, avoiding costly penalties while driving safe and responsible AI adoption. We are excited to partner with CEO Abhi Sharmaand his team, who have built a solution that transforms compliance into a competitive advantage, enabling businesses to scale AI with trust and transparency."

"The future of AI governance isn't about compliance alone – it's about building trust, transparency, and accountability into every layer of your technology," said Todd Graham, Managing Partner at M12. "Relyance AI is the catalyst for that transformation, paving the way for AI implementation that is both compliant and incredibly fast."

"With Relyance AI, we established enhanced visibility of data processing activities, seeing an impressive increase of 1,660% within three weeks of deployment," said Deborah Usry, Senior Privacy and Product Counsel at NextRoll. "What used to be a time-consuming manual process is now an automated task that produces a robust record of our processing activities."

The funding will further develop Relyance AI's platform and scale its go-to-market efforts in response to significant recent momentum. Learn more here.

About Relyance AI  
Relyance AI is the new standard for organizations trust and data governance infrastructure. Relyance AI is the only platform providing real-time visibility into how and where data is being used compared to customer agreements, global privacy regulations, and compliance frameworks. Companies of all industries and sizes – including Coinbase, Snowflake, Logitech, Plaid, Notion, and more – trust Relyance AI to safeguard businesses from fines and reputational damage and to deliver the most complete customer trust experiences.

Relyance AI Raises $32M Series B Funding to Safeguard AI Innovation in the Enterprise

The future of cybersecurity will be shaped by how well we manage the explosion of NHIs.

Source: Brain light via Alamy Stock Photo

COMMENTARY

Imagine a vast and invisible army silently infiltrating your organization's digital defenses. No, this isn't the plot of a sci-fi thriller — it's the reality of non-human identities (NHIs) in today's cybersecurity landscape. As a seasoned security architect, I've watched this hidden force grow from a manageable contingent to a sprawling, often ungoverned multitude that's keeping chief information security officers (CISOs) awake at night. 

In my journey across startups and Fortune 500 companies, I've witnessed firsthand the mixed effects of NHIs. They keep our digital machinery running smoothly — but they are also a potential treasure trove for attackers looking to exploit our blind spots. It's time to shine a light on this invisible army and develop strategies to harness its power while mitigating its risks. 

**The Scale of the Problem**

Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1. These NHIs include service accounts, system accounts, API keys, tokens, and other forms of machine-based authentication that facilitate the complex web of interactions in our modern digital ecosystem. 

**Why NHIs Matter**

1.  Attack surface expansion: Each NHI represents a potential entry point for attackers. With their often-elevated privileges and lack of human oversight, compromised NHIs can be a goldmine for malicious actors. 
    
2.  Visibility challenges: Unlike human users, NHIs often operate in the background, created by developers or systems without proper governance. This lack of visibility makes them a significant blind spot for many security teams. 
    
3.  Privilege sprawl: Studies show that only 2% of permissions granted for NHIs are actually used. This massive overprovisioning of access rights creates an unnecessary risk landscape. 
    
4.  Third-party risk: NHIs often facilitate connections to external services and partners. When these third parties experience a breach, your organization's NHIs become a potential vector for lateral movement. 
    

**Real-World Implications**

The importance of securing NHIs is more than just theoretical. Recent high-profile incidents underscore their critical role in modern attacks. 

Nation-state actors have demonstrated proficiency in abusing OAuth applications to move laterally across cloud environments. At the same time, major software companies like Microsoft and Okta have fallen victim to attacks leveraging compromised machine identities. In a recent Securities and Exchange Commission (SEC) filing, even Dropbox disclosed a material incident involving a compromised service account. 

**Practical Steps for Mitigation**

1.  Discovery and inventory: You can't secure what you can't see. Implement tools and processes to continuously discover and catalog NHIs across all environments, including software-as-a-service (SaaS) applications. 
    
2.  Posture management: Go beyond simple inventory. Understand the permissions associated with each NHI, their usage patterns, and the potential risk they pose. 
    

**A Call to Action**

The explosion of NHIs represents both a challenge and an opportunity for the cybersecurity community. While the scale of the problem can seem daunting, we're ahead of the curve compared to where we were with human identity access management (IAM) decades ago. 

In my conversations with CISOs and security leaders, I've started to see a shift in mindset. There's a growing recognition that NHI security needs to be elevated to a top-tier priority, on par with traditional IAM and network security initiatives. 

As we move forward, I'm cautiously optimistic. The technology and practices to secure NHIs are evolving rapidly. We can turn the tide on this silent tsunami of risk with the right mix of visibility, automation, and a security-first culture. 

The future of cybersecurity will be shaped by how well we manage the explosion of non-human identities. As security professionals, it's our responsibility to lead the charge in this new frontier of identity security. Are you ready to meet the challenge? 

**About the Author**

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

Tag

#microsoft