CISOs need to recognize the new threats AI can present — while also embracing AI-powered solutions to stay ahead of those threats.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

Security teams have always had to adapt to change, but new developments that will play out over the next year could make 2025 particularly challenging. The accelerating pace of AI innovation, increasingly sophisticated cyber threats, and new regulatory mandates will require chief information security officers (CISOs) to navigate a more complex landscape.

Vendors are rapidly adding AI-enabled features to existing products, and the foundational large language models (LLMs) they are using present a new attack surface that malicious actors will try to exploit. CISOs will need to understand their level of exposure to these threats and how to mitigate them.

Simultaneously, the dynamic landscape of cybersecurity regulations, particularly in regions like the European Union and California, demands enhanced collaboration between security and legal teams to ensure compliance and mitigate risks. This convergence of new technologies and laws means CISOs must balance board-level compliance needs with novel security challenges to protect their organizations.

Despite the potential security challenges posed by generative AI (GenAI), it also offers opportunities to improve the security of software development processes. By proactively identifying vulnerabilities and enabling greater automation, AI will help close the gap between developers and security teams. 

Below are three trends that will dominate the enterprise security landscape in 2025. 

**Trends to Watch in 2025****1\. Vulnerabilities in Proprietary LLMs Open the Possibility of Broad-Impact Security Incidents**

Software vendors are rushing to add AI-enabled features to their products, often by leveraging proprietary foundational LLMs. As attackers start to find vulnerabilities in these models, they will open a new attack vector with potentially wide-scale consequences. Industry consolidation increases risk.

Proprietary models reveal little information about their provenance or internal guard rails, making them much harder for security professionals to understand and manage. As such, attackers can embed malware or exploit lesser-known attack surfaces in a model's feature space. 

Because the industry relies heavily on a few proprietary LLMs, these attacks could have cascading effects throughout the software ecosystem, potentially leading to wide-scale outages or impacts. 

**2\. AI and Cloud-Native Workloads Will Increase Demand for Highly Adaptive Identity Management **

The growth of cloud-native and AI applications creates new challenges for identity management systems. This year, access control must become more adaptive to deal with the increase in non-human, service-based identities. 

Systems that manage identity and permissions have already been transitioning from their traditional, static state to a more ephemeral and adaptable framework, reflecting the agility required for modern digital interactions. These needs will become even greater in the year ahead. 

AI-driven applications, in particular, demand a solid understanding of transitive identities. These applications require systems that provide secure and efficient access, even as roles and needs constantly evolve.

**3\. AI Will Help Scale Security Within DevOps**

In a recent survey, 58% of developers said they feel some degree of responsibility for application security. However, the demand for security-skilled DevOps professionals still outpaces supply. 

AI will continue democratizing security expertise within DevOps teams by automating routine tasks, providing smart coding recommendations, and further bridging the skills gap. Security will be integrated throughout the build pipeline, enabling the early identification of potential vulnerabilities at the design stage by leveraging reusable security templates that can be integrated into developer workflows.

Authentication and authorization will also be improved, with AI automatically assigning roles and permissions as services are deployed across cloud environments. 

The net result will be improved security outcomes, reduced risk, and enhanced collaboration between developers and their security peers. 

**Embracing AI-Powered Solutions to Secure the Threat Landscape **

As the technology landscape continues to evolve and cyber threats become increasingly sophisticated, CISOs must recognize the new threats that AI can present while embracing AI-powered solutions to stay ahead of them. 

By leveraging AI to automate security tasks, identify vulnerabilities, and respond to threats in real-time, organizations can strengthen their security posture and stay ahead of the fast-evolving threat landscape.

**About the Author**

CISO, GitLab

Josh Lemos is the CISO at GitLab Inc., where he brings 20 years of experience leading information security teams to his role. He is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, fortifying the GitLab DevSecOps platform and ensuring the highest level of security for customers. A talented security practitioner and technology leader, Josh is widely recognized for his strategic vision, his ability to drive growth and innovation, and his passion for building and empowering teams. He believes in technology's potential to transform the world and the need to secure it against emerging threats. Josh has led security teams at numerous high-growth technology companies including ServiceNow, Cylance, and most recently Block (formerly known as Square).

New AI Challenges Will Test CISOs &amp; Their Teams in 2025

Aggregators of actively discussed vulnerabilities. Alexander Redchits updated his list of services that highlight TOP CVE vulnerabilities and uploaded it with descriptions to teletype (in Russian). Now there are 11 of them: 1. Intruder’s Top CVE Trends & Expert Vulnerability Insights2. Cytidel Top Trending3. CVE Crowd4. Feedly Trending Vulnerabilities5. CVEShield6. CVE Radar7. Vulners “Discussed in […]

**Aggregators of actively discussed vulnerabilities.** Alexander Redchits updated his list of services that highlight TOP CVE vulnerabilities and uploaded it with descriptions to teletype (in Russian). Now there are 11 of them:

1\. Intruder’s Top CVE Trends & Expert Vulnerability Insights  
2\. Cytidel Top Trending  
3\. CVE Crowd  
4\. Feedly Trending Vulnerabilities  
5\. CVEShield  
6\. CVE Radar  
7\. Vulners “Discussed in social networks”  
8\. Vulmon Vulnerability Trends  
9\. SecurityVulnerability Trends  
10\. CVESky  
11\. Vulnerability-lookup

It’s great that there are so many of them! 👍 But for the most part, these services are NOT about real attacks and exploitability, but about **the desire of the information security community to discuss** some vulnerabilities. What is being discussed may not always be important to you.

And the attention span of the information security community is like that of a goldfish: they analyze a vulnerability/incident, demonstrate their expertise and immediately forget about it. 🤷‍♂️😏

It’s fascinating to look at these selections of CVE vulnerabilities, but **using these lists to prioritize vulnerabilities** in the VM process is a bad idea. It’s better to focus on the trending vulnerability lists provided by Positive Technologies. 😉😇

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Aggregators of actively discussed vulnerabilities

This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes Malwarebytes recently uncovered...

_This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes_

Malwarebytes recently uncovered a widespread cyberattack—referred to here as the “zqxq” campaign as it closely mirrors NDSW/NDSX-style malware behavior—that compromised GroupGreeting\[.\]com, a popular platform used by major enterprises to send digital greeting cards.  

Upon learning of the attack, GroupGreeting quickly responded and resolved the threat.

This attack is part of a broader malicious campaign that takes advantage of trusted websites with high traffic, especially those that could experience a spike in visitors during busy seasons like the winter holidays. That includes greeting card websites, like GroupGreeting\[.\]com, that allow users to send group e-cards for birthdays, retirements, weddings, and, of course, holidays like Christmas and New Year’s.  

According to public data, over 2,800 websites have been hit with similar malicious code. The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors. 

****Explaining the “zqxq” malware****

Understanding this cybercriminal campaign requires a little bit of understanding of the web. Online today, nearly every single modern webpage uses a programming language called JavaScript. JavaScript allows developers to make interactive webpages, but it can also be vulnerable to attacks, as cybercriminals can “inject” pieces of JavaScript into a website that are not approved by the site’s developers. 

At the core of this breach is an obfuscated JavaScript snippet designed to blend in with legitimate site files. Hidden within themes, plugins, or other critical scripts, the malicious code uses scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis. 

Despite its complexity, the malware performs some very typical functions seen in large-scale JavaScript injection campaigns: 

*   **Token generation and redirection**. Generates random tokens (rand() + rand()) for queries or URLs, a technique often used in Traffic Direction Systems (TDS) to disguise malicious links. 

*   **Conditional checks and evasion**. References properties in navigator, document, window, or screen to determine if the user has visited before, or to avoid re-infecting the same machine. This helps keep the campaign under the radar by reducing repeated alerts. 

*   **Remote payload retrieval**. Uses an XMLHttpRequest (labeled as HttpClient in the code) to silently fetch further malicious scripts or to redirect visitors to exploit kits, phishing sites, or other malicious destinations. 

****Overlap with NDSW/NDSX and TDS Parrot campaigns** **

Though Malwarebytes recently discovered the attack on GroupGreeting\[.\]com, the malware campaign bears similarities to another malware injection campaign that is referred to as both “NDSW/NDSX” and “TDS Parrot.” 

According to security researchers from Sucuri, who label these attacks under the “NDSW/NDSX” moniker, this campaign accounted for 43,106 detections in 2024. Similar research was published by Unit 42, which refers to the campaign as “TDS Parrot.”  

From these analyses, we can identify the following parallels to known **NDSW/NDSX** or **TDS Parrot** malware campaigns: 

*   **Obfuscated redirect scripts**. Much like NDSW/NDSX, the zqxq script deeply obfuscates its variables, methods, and flow. The layering of functions (Q, d, rand, token) and the repeated usage of base64-like decoding are standard indicators of TDS JavaScript-based threats. 

*   **Traffic Distribution System behavior**. After running checks (e.g., domain name, cookies), these scripts funnel traffic to external pages hosting additional malware payloads or phishing sites. This is precisely how TDS Parrot campaigns divert user traffic across multiple malicious domains to maximize infection rates. 

*   **Large-scale website infections**. Both NDSW/NDSX and the zqxq campaign have infected thousands of websites, suggesting a systematic approach—possibly automated—that exploits vulnerabilities in popular CMS platforms (like WordPress, Joomla, or Magento) or outdated plugins, similar to documented TDS Parrot behaviors. 

****Analysis of the breach and why GroupGreeting was a prime target** **

Cybercriminals hardly strike at random. Instead, the attack on GroupGreeting was likely coordinated because of its potential for success. Here are a few reasons why: 

*   **High-profile site**. GroupGreeting boasts over 25,000 workplace clients, including major brands like Airbnb, Coca-Cola, and eBay, making it a lucrative target. Visitors are more inclined to trust links from a service they deem reputable. 

*   **Seasonal traffic spikes**. During holidays and other high-traffic periods, the site sees a surge in e-card use. Cybercriminals exploit this surge to maximize the spread of redirects and malware. 

*   **Sophisticated persistence**. Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur. 

*   **Potential consequences**. Once the malware activates in a user’s browser, it typically redirects them to external domains that host secondary payloads. These payloads can range from phishing pages—designed to steal credentials—to more devastating forms of malware like info stealers or ransomware. Attackers often generate random or “tokenized” URLs, making it difficult for basic blocklists to keep pace. 

*   **Timely patching and updates**. Attacks often succeed by exploiting vulnerabilities in outdated CMS installations or plugins, underscoring the importance of regular updates. 

*   **File integrity checks**. Automated monitoring systems can detect and flag any unauthorized file changes, prompting swift action. 

*   **User training**. Educate users on potential risks and signs of compromise—even “safe” or well-known websites can be hijacked. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 GroupGreeting e-card site attacked in “zqxq” campaign  

SUMMARY Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains.…

****SUMMARY****

*   **Cybersecurity firm watchTowr discovered over 4,000 active hacker backdoors relying on expired domain names.**

*   **These backdoors are pre-existing entry points on already compromised systems, allowing new actors to exploit previous breaches.**

*   **By registering these expired domains, watchTowr observed compromised systems “phoning home,” including government hosts in multiple countries.**

*   **The research highlights a concerning trend of attackers exploiting abandoned backdoors left by other hackers, creating a “hacking-on-autopilot” scenario.**

*   **Many older web shells, tools used for remote access, contain built-in mechanisms that unintentionally expose compromised systems through callbacks to now-expired domains.**

Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains. These backdoors, hidden in compromised systems worldwide, have exposed a huge network of vulnerable government and educational institutions.

The investigation began when watchTowr registered over 40 expired domains, previously used by hackers, and set up logging servers to track incoming requests. The team collected 300MB of data, revealing a network of compromised hosts, including government-owned systems in Bangladesh, China, Nigeria, and more.

The researchers discovered that hackers had been using these abandoned backdoors to gain access to thousands of systems, without investing effort in identifying and compromising them. This technique has been termed by researchers as a _“mass-hacking-on-autopilot”_ approach, allowing hackers to commandeer and control compromised hosts, potentially leading to devastating consequences.

One notable example, according to watchTowr’s technical report shared with Hackread.com, is a backdoor linked to the Lazarus Group, a notorious hacking collective associated with North Korea. The researchers found over 3,900 unique compromised domains using this backdoor, which was designed to load a .gif image from the logging server, leaking the location of the compromised system.

**Simple Explanation**

To understand this better, consider the concept of a “web shell.” These are essentially small snippets of code secretly placed on a web server after a successful breach. They act as remote control panels, allowing attackers to execute commands, manage files, and even deploy further malicious tools.

Historically, these web shells often included mechanisms that “phoned home” to a specific domain or server controlled by the attacker. When that domain expires and is re-registered by someone else, those “phone calls” are now answered by an unexpected recipient.

Older web shells, like the infamous “r57shell” and “c99shell,” while outdated, still appear to be in use. Interestingly, some of these older shells even contained built-in backdoors _for the shell’s creator_. This meant that even if the initial attacker secured their access with a password, the original author could still gain entry using a secret “master key.” This highlights a history of the hacking community itself having a somewhat chaotic approach to security.

In one example, researchers observed a web shell constantly sending the login credentials (in plain text!) to a domain that watchTowr now controlled. The attacker believed they had secured their access, but the very tool they were using was betraying them.

One of the sites with a live Shell – This time it is a c99shell (Via watchTowr)

The report also highlights the vulnerability of government institutions, with compromised systems found in the Federal High Court of Nigeria and other government entities. The researchers emphasize that these findings demonstrate the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

****Dangerous Situation****

The watchTowr team warns that problems like this will persist, with consequences for software updates, cloud infrastructure, and SSLVPN appliances. The report also highlights that even attackers can make mistakes, as demonstrated by another research from researchers at vpnMentor. They identified high-profile groups, such as ShinyHunters and Nemesis, that exploited AWS buckets to steal over 2 terabytes of sensitive data. In the process, these groups inadvertently exposed their own S3 buckets.

The good news is that The Shadowserver Foundation has agreed to take ownership of the implicated domains and sinkhole them, preventing further exploitation. The watchTowr team’s research serves as a crucial reminder of the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

1.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
2.  **Controller flaws let hackers physically damage moving bridges**
3.  **US and Europe Account for 73% of Global Exposed ICS Systems**
4.  **Thousands of Exposed ICSs in US and UK Threaten Water Supplies**
5.  **“Revolver Rabbit” Hacker Uses RDGA to Register 500,000 Domains**

Thousands of Live Hacker Backdoors Found in Expired Domains

The inside story of the teenager whose “swatting” calls sent armed police racing into hundreds of schools nationwide—and the private detective who tracked him down.

The School Shootings Were Fake. The Terror Was Real

Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE).
The vulnerability in question, CVE-2024-52875, refers to a carriage return line feed (CRLF) injection attack, paving the way for HTTP response splitting, which could then

Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-22445

**Mattermost has Improper Check for Unusual or Exceptional Conditions**

Low severity GitHub Reviewed Published Jan 9, 2025 to the GitHub Advisory Database • Updated Jan 9, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 10.0, < 10.3.0

< 8.0.0-20250102081831-64c566a8280b

**Patched versions**

10.3.0

8.0.0-20250102081831-64c566a8280b

**Description**

Published to the GitHub Advisory Database

Jan 9, 2025

GHSA-7rgp-4j56-fm79: Mattermost has Improper Check for Unusual or Exceptional Conditions

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-7w6r-748w-mh52: pgAdmin has Incorrect Default Permissions

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

GHSA-q8fg-cp3q-5jwm: Mattermost Incorrect Authorization vulnerability

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-20033

**Mattermost Improper Validation of Specified Type of Input vulnerability**

Moderate severity GitHub Reviewed Published Jan 9, 2025 to the GitHub Advisory Database • Updated Jan 9, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 9.11.0, < 9.11.16

\>= 10.0.0, < 10.0.4

\>= 10.1.0, < 10.1.4

\= 10.2.0

< 8.0.0-20250102081831-64c566a8280b

**Patched versions**

9.11.16

10.0.4

10.1.4

10.2.1

8.0.0-20250102081831-64c566a8280b

Published to the GitHub Advisory Database

Jan 9, 2025

Tag

#vulnerability