FireSale HackBoy


Friday, January 31, 2025

Netflix’s “Zero Day” TV Series: Is a Devastating Global Cyberattack Really Possible?

The upcoming Netflix show Zero Day paints a dramatic picture of a disastrous cyberattack on the United States, with severe infrastructural damage and thousands of casualties. Although the show has not been released yet, it has already raised an important question: Could such a catastrophic event happen in real life? 

Ilia Sotnikov, Security Strategist at Netwrix, explains why we can all enjoy the series, while those in charge of national critical infrastructure must continue their work to keep such a prolonged nationwide cybersecurity disaster improbable:

Nations around the globe have suffered attacks on their critical infrastructure in the past few years. Cyberattacks such as the ransomware attack on Colonial Pipeline have led to short-lived regional disruptions, and state-sponsored advanced persistent threat (APT) groups have tried to establish a foothold in various environments, from government agencies to telecom providers. 

Nevertheless, a devastating attack like the one in Zero Day is unrealistic in today’s world. There are three key reasons:

•Increasing security oversight for critical infrastructure — Critical infrastructure organizations like power plants, transportation networks and healthcare providers are not left to fend for themselves when it comes to cybersecurity. Governments around the world not only enact strict regulations but provide resources to help organizations adhere to them. In the US, the Cybersecurity and Infrastructure Security Agency (CISA) facilitates cybersecurity oversight across critical infrastructure and coordinates implementation efforts across the public and private sectors. In addition, national security and intelligence agencies keep their eyes on potential harmful activity that could impact critical infrastructure. This constant monitoring and collaboration reduce the likelihood of a successful attack on multiple critical systems simultaneously. 

•Operational and technical complexity — While a particular organization may be vulnerable to adversaries, executing a coordinated attack on a nation’s entire critical infrastructure requires overcoming significant technical and operational hurdles. Adversaries would have to establish persistence in multiple diverse environments, learn how each of them operates, and determine how to cause the most destruction and chaos. Then they would need to weaponize their presence in each environment by gaining access to the most impactful systems and controls. Such an operation would require not only gaining extremely high levels of access across multiple technology stacks in multiple highly secured environments but also being able to maintain it for a long time without raising any alarms. Realistically, this is a military-grade operation that very few nation-states have the means and motivation to contemplate, let alone hacker groups who will realize no financial gain from their efforts.

•Global monitoring and diplomacy — Intelligence services around the world are collecting information about other nation-states, whether they see them as hostile, competitive or even friendly; it’s a part of international politics. However, conducting a cyber operation against another nation’s civilian infrastructure is a different thing altogether. Even if the incursion is limited to infiltration “only as preparation,” it’s akin to massing a huge invasion force at the border — an act that demands a response. In the modern world, the stakes are way too high for any nation-state to undertake such an attack, knowing that it will inevitably be seen as an act of war.

Still, risk management formulas always consider not just the probability of an adverse event but the severity of its impact. Even if an event is extremely unlikely, if the impact is completely unacceptable, then the organization or government must prepare for the scenario. That’s exactly the case with the risk of a coordinated cyberattack on a nation’s critical infrastructure — however unlikely such an event is, it is not impossible, so it’s essential to take steps to reduce the probability down as close to zero as possible. As we have seen, the government, the intelligence community and critical infrastructure organizations are already doing exactly that.

In short, while successful cyberattacks have damaged critical infrastructure on a modest scale in recent years, there is little risk of a doomsday event like the one in Netflix’s Zero Day. So sit back, relax and enjoy the show.

The post Netflix’s “Zero Day” TV Series: Is a Devastating Global Cyberattack Really Possible? appeared first on Cybersecurity Insiders.


February 01, 2025 at 11:16AM

Is data minimization the new data ethics in subscription management?

Data could be your biggest asset, but it could also be your weakest link. The more you collect, the more there is to guard, the more you are accountable for, and the more you have to sift through to find anything of value. With growing customer awareness and a rising demand for control over personal data, it has never been more critical for SaaS providers to reassess how much of what they collect can even be meaningfully analyzed. Data minimization is not a trend; it is a strategic priority that translates into a distinct business advantage.

More isn’t always better, intentionality always is

Organizations around the world collect heaps of customer data, some of which proves crucial for decision making while the rest sits unused in anticipation of some future need. Extracting valuable insights from such a vast expanse of data is, in itself, challenging, like finding a needle in a haystack. As much as 60-73% of all data within an enterprise goes unused for analytics, according to research. Service providers should therefore get pickier and more intentional about the customer data they collect and store.

The onboarding process is often the most crucial touchpoint for new customers. Initial interactions customers have with the service can make or break their entire experience. For instance, a sign-up interface overloaded with too many input fields is likely to make users stop in their tracks and wonder, do I really need to provide all this information just to sign up? The inconvenience aside, security concerns are a major factor that often lead to users abandoning online forms. This is not surprising, given how much more aware users are of privacy than ever before, wanting as much control over what they share and with whom.

If service providers wonder whether users would even notice that they are being minimal with the data they ask for, the answer is a resounding yes. A McKinsey survey found that 87% of North American respondents would avoid engaging with a company if they had concerns about its security practices. The survey also found that consumers are more likely to trust companies that request only relevant information or limit the amount of personal data they ask for. Users are averse to entitlement, and they appreciate intentionality. 

Consider how something as simple as gradual data gathering makes the sign up process feel easy and stress-free for users, as they don’t want to be rushed or feel pressured to share their details from the get go. This approach builds trust by clearly demonstrating respect for user privacy and encouraging engagement without the fear of oversharing. While mapping out user journeys, it’s helpful to step into the users’ shoes and consider whether they might second-guess their decision to share any specific detail. By identifying potential moments of hesitation or discomfort, service providers can refine the process to ensure it feels intuitive, transparent and respectful of their privacy.

Data is a high-stakes game 

Consumers’ concerns about security are extremely valid. Recently, a massive data breach exposed the personal records of 2.9 billion people. Moreover, Gartner predicts that by 2025, software supply chain attacks will have impacted 45% of organizations globally. In addition to reputational damage, organizations also face hefty fines for failing to protect user data, as privacy regulations like GDPR and CCPA impose strict penalties for non-compliance and breaches. 

Collecting and storing only the data that is absolutely necessary reduces the amount of sensitive information at risk in the event of a breach. Less data stored means there is less for attackers to exploit, and fewer data sets means fewer systems that have to be hardened, monitored and backed up. This matters especially for smaller SaaS providers who may lack the resources for sophisticated security infrastructure: keeping the data they store to a minimum makes it easier to secure, monitor and manage.

At the same time, when users see that only essential information is collected, it reassures them that their privacy is not infringed upon, alleviating security concerns regarding the service they want to use and fostering greater confidence in the provider. 

Collect only what you really need and make a plan for it 

There is no one way to approach data minimization. Service providers could simply start with a bit of introspection. How effectively is data governance managed internally? Are we collecting more information than necessary? What data can we do without, and how might removing it impact our operations? 

For startups, zeroing in on goals and assessing which data points are essential to achieve them is a good starting point. Established providers can instead work backward from the data points they already collect and eliminate those that serve no purpose. For example, what value does collecting a user’s employment status provide? By focusing only on essential data, service providers can streamline the process and ensure they’re collecting only the information that adds value. Nothing more, nothing less. 
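One way to turn that field-by-field review into something a service can enforce is a schema in which every collected field carries a documented purpose and a retention period; anything not in the schema is dropped at the door. The following is an added example, not code from the original article, and the field names, purposes, retention periods and sample sign-up request are hypothetical stand-ins for a provider’s own data inventory.

```python
"""Schema-driven data minimization for a sign-up form.

Added example, not from the original article. Field names, purposes and
retention periods are hypothetical stand-ins for a provider's own data
inventory.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class FieldPolicy:
    purpose: str         # documented reason the field is collected
    required: bool       # must be supplied at sign-up
    retention_days: int  # how long the value may be kept after collection


# A field may only be collected if it appears here with a stated purpose.
SIGNUP_SCHEMA = {
    "email": FieldPolicy("account login and receipts", True, 3650),
    "display_name": FieldPolicy("shown to teammates in the workspace", True, 3650),
    "phone": FieldPolicy("one-time SMS verification", False, 30),
    "company": FieldPolicy("invoice address", False, 3650),
}


def minimize(payload: dict) -> tuple[dict, list[str], list[str]]:
    """Keep only schema fields with a value; report dropped and missing-required fields."""
    kept = {k: v for k, v in payload.items()
            if k in SIGNUP_SCHEMA and v not in (None, "")}
    dropped = sorted(k for k in payload if k not in SIGNUP_SCHEMA)
    missing = sorted(k for k, p in SIGNUP_SCHEMA.items() if p.required and k not in kept)
    return kept, dropped, missing


def expired_fields(record: dict, collected_on: date, today: date) -> list[str]:
    """Fields whose retention period has elapsed and that a purge job should clear."""
    age = today - collected_on
    return sorted(k for k in record
                  if k in SIGNUP_SCHEMA
                  and age > timedelta(days=SIGNUP_SCHEMA[k].retention_days))


# Constructed sign-up request: the last two fields have no documented purpose.
SAMPLE_SIGNUP = {
    "email": "ana@example.com",
    "display_name": "Ana",
    "phone": "+15555550100",
    "employment_status": "employed",
    "date_of_birth": "1990-01-01",
}
COLLECTED_ON = date(2025, 1, 1)   # constructed dates for the retention check
AUDIT_DATE = date(2025, 3, 1)

if __name__ == "__main__":
    kept, dropped, missing = minimize(SAMPLE_SIGNUP)
    print("stored:", sorted(kept), "dropped:", dropped, "missing:", missing)
    print("purge on audit:", expired_fields(kept, COLLECTED_ON, AUDIT_DATE))
```

The dropped-field list is the useful by-product: logging it shows which fields a form is asking for without anyone having written down why, which is exactly the "what value does this provide?" question above, answered automatically.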

Cutting down on data doesn’t mean that you’re working in the dark. It’s more like shedding light on what truly matters, allowing you to focus on the insights that drive value. Service providers can achieve minimization without sacrificing functionality. For instance, federated sign-in options like “Log in with Google/Microsoft/Facebook” have made it easier for users to access multiple services without adding to their list of passwords. It’s now possible to take this a step further by moving towards reusable accounts. Instead of creating a new account for each subscription, this approach extends reusability, offering both service providers and consumers a more streamlined way to handle authentication and access control.

An account that is reusable across services keeps the user’s personal information in one place rather than having numerous third parties each hold their own copy. That substantially reduces the number of places user data is stored, and so the chances of it being compromised. Users also gain a greater degree of control over their information, as they can update or modify their details once rather than separately for each provider. The trade-off is that the identity provider sees which services the account is used with, so fewer copies of the data are exchanged for one party having a broader view of the user’s activity.

Working with only what’s necessary frees up resources and mental space, allowing room for creativity and innovation. With a clearer focus, SaaS providers can explore new ways to enhance user experience, redefine product offerings, and even discover new opportunities that might have been overlooked amidst the clutter. By shifting the perspective on data minimization from merely a legal precaution to a strategic advantage, you begin to see the full breadth of its opportunities. 

 

The post Is data minimization the new data ethics in subscription management? appeared first on Cybersecurity Insiders.


January 31, 2025 at 01:26PM

5 cybersecurity practices for custom software development

Whether you are going to build a custom CRM system, a custom ERP tool, or any other bespoke solution, you need to ensure that this software is properly secured. Otherwise, it can be exposed to a wide range of cyber threats, which puts your corporate and customer data at risk. Even a single data breach can be devastating for a business, as the examples of NVIDIA, CNA Financial, and hundreds of other companies show.

As a software development firm with 25+ years of experience, we use a mix of practices to prevent vulnerabilities in the solutions we implement and ensure maximum data protection for our clients. In this article, we share some of the most useful techniques to help you build a more secure bespoke solution.

1. Establish a secure software development policy

Before starting the development process, your company should establish a secure software development policy. Generally speaking, this document sets out the rules a company and its development teams must follow in order to reduce software development security risks. A practical and effective secure development policy should cover three key aspects of software development:

•Security expertise

First of all, the policy should define a set of requirements for developers’ qualifications and experience in software security. By hiring specialists who meet these conditions, you increase the chances of developing a secure solution.

•Processes

The policy should also describe key software development processes, including coding, testing, and deployment, and specify how developers should perform them to ensure the security of both the software and the development environment. For example, this can involve validating a new piece of source code against the company’s security standards before committing it into the code repository.

•Technology

Finally, the policy should guide developers on the tools and technologies to use during the software development lifecycle. For instance, it can require developers to use only development frameworks and libraries that have been approved by the company’s security team, and to take them only from an internal, vetted package source.

You can develop such a policy from scratch, which can be challenging, especially if this is your first development project. To streamline its creation, a company can purchase a pre-made policy template from a cybersecurity vendor or consultancy and develop its own on that basis.

2. Create a secure-by-design software architecture 

To ensure maximum software security, you should build a custom solution secure by design, choosing the right software architecture. We recommend adhering to the following universal principles during the software design phase:

•Defense in depth

This principle requires software architects to implement multi-layered security controls, so that a single failed control (a bypassed input filter, a leaked credential) does not on its own compromise the system.

•Economy of mechanism

This principle implies that software architects should avoid overcomplicating the solution’s design since the more complex the software is, the more difficult it becomes to test and secure.

•Weakest link

This principle emphasizes the need to pay attention to all parts of the solution, even those considered unimportant or less important, since any software system is only as secure as its weakest link.

3. Conduct threat modeling

Once you have created the optimal software architecture, we recommend thoroughly evaluating it from a security perspective before continuing with development. To begin with, you can create a comprehensive data flow diagram (DFD) that shows all user paths and data flows, and mark the trust boundaries (for example, between the internet and your API, or between the API and the database) to get a full overview of how the solution works. 

Once you understand the solution’s architecture better, you should study the existing threat landscape to determine which risks exist in your industry and market niche. Then, you should conduct a threat analysis, for instance by walking each element of the DFD through a structured method such as STRIDE, to understand whether the solution would be vulnerable to these risks, and if it is, refine the architecture before code is written.
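The DFD-plus-threat-analysis step above is mechanical enough to script, which is useful when the architecture changes between sprints. The following is an added example, not code from the original article or its authors: it models a small, hypothetical custom CRM (a browser client, an API in a DMZ, a database and an authentication service) as DFD elements and flows, applies the usual STRIDE-per-element mapping, and then pulls out the findings a reviewer would look at first, namely flows that cross a trust boundary and stores that hold credentials or PII.

```python
"""STRIDE-per-element threat enumeration over a small data flow diagram.

Added example, not from the original article. The DFD (a hypothetical custom
CRM) is constructed for illustration; the STRIDE-to-element-type mapping is
the standard one used in threat modeling.
"""
from dataclasses import dataclass, field

# Which STRIDE categories are generally applicable to each DFD element type.
STRIDE_BY_ELEMENT = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"],
    "data_store": ["Tampering", "Repudiation",
                   "Information disclosure", "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}

SENSITIVE = {"PII", "credentials"}


@dataclass
class Element:
    name: str
    kind: str                                   # key of STRIDE_BY_ELEMENT
    trust_zone: str                             # e.g. "internet", "dmz", "internal"
    data_classes: set = field(default_factory=set)


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    data_classes: set
    encrypted: bool


def enumerate_threats(elements, flows):
    """Every (target, STRIDE category) pair the model implies; the full worklist."""
    threats = [(e.name, cat) for e in elements for cat in STRIDE_BY_ELEMENT[e.kind]]
    threats += [(f.name, cat) for f in flows for cat in STRIDE_BY_ELEMENT["data_flow"]]
    return threats


def high_priority(elements, flows):
    """Findings to review first: boundary-crossing flows and sensitive stores."""
    zone = {e.name: e.trust_zone for e in elements}
    findings = []
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        if crosses and not f.encrypted:
            findings.append((f.name, "Information disclosure",
                             "unencrypted flow crosses a trust boundary"))
        if crosses:
            findings.append((f.name, "Tampering",
                             f"crosses a trust boundary; authenticate and validate input at {f.dst}"))
    for e in elements:
        held = e.data_classes & SENSITIVE
        if e.kind == "data_store" and held:
            findings.append((e.name, "Information disclosure",
                             "store holds " + ", ".join(sorted(held))))
    return findings


# Constructed DFD for a hypothetical custom CRM.
ELEMENTS = [
    Element("Sales rep browser", "external_entity", "internet"),
    Element("CRM API", "process", "dmz"),
    Element("Customer DB", "data_store", "internal", {"PII"}),
    Element("Auth service", "process", "internal", {"credentials"}),
]
FLOWS = [
    Flow("HTTPS requests", "Sales rep browser", "CRM API", {"PII", "credentials"}, True),
    Flow("SQL queries", "CRM API", "Customer DB", {"PII"}, False),
    Flow("Token validation", "CRM API", "Auth service", {"credentials"}, True),
]

if __name__ == "__main__":
    print(f"{len(enumerate_threats(ELEMENTS, FLOWS))} threat candidates to triage")
    for target, category, why in high_priority(ELEMENTS, FLOWS):
        print(f"[{category}] {target}: {why}")
```

In this model the unencrypted SQL flow from the DMZ into the internal zone is the first thing flagged, which is the kind of architectural decision that is cheap to fix on a diagram and expensive to fix after deployment.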

4. Write secure code and review it regularly

When developers proceed to coding, it’s critical that they adhere to secure coding practices that prevent the creation of vulnerabilities attackers can exploit. For example, the OWASP Secure Coding Practices checklist calls for verifying the integrity of interpreted code, libraries, executables and configuration files with checksums or hashes, for performing all input validation on a trusted system (the server, not the client), and for relying on tested, standards-compliant cryptographic modules rather than home-grown cryptography.

In addition, developers should review each other’s code regularly to identify security issues early on. To scale this in large custom development projects, teams can add automated checks to the pipeline. Linters and style fixers such as PHP Coding Standards Fixer or Pylint catch code-quality problems, while static application security testing (SAST) tools such as Snyk Code, Semgrep, CodeQL or Bandit look specifically for injection flaws, insecure deserialization, hard-coded secrets and similar defects. Treat their findings as the starting point for human review, not a substitute for it.
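The class of defect a SAST tool most reliably catches in a bespoke CRM or ERP is the query built by string formatting. The following is an added example, not code from the original article: a deliberately vulnerable search function beside its parameterized form, both run against a constructed in-memory SQLite table so the difference can be observed with a single injection payload.

```python
"""A vulnerable query builder beside its hardened form.

Added example, not from the original article. The `customers` table, its rows
and the injection payload are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO customers (name, owner) VALUES (?, ?)", [
        ("Acme Ltd", "alice"), ("Globex", "alice"), ("Initech", "bob"),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, owner: str, term: str) -> list[str]:
    # Deliberately vulnerable: user input is spliced into the SQL text, so the
    # input can change the shape of the query, not just its values.
    sql = (f"SELECT name FROM customers WHERE owner = '{owner}' "
           f"AND name LIKE '%{term}%' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, owner: str, term: str) -> list[str]:
    # Parameters are bound by the driver; the input is only ever a value.
    sql = "SELECT name FROM customers WHERE owner = ? AND name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner, f"%{term}%"))]


# Constructed payload: closes the LIKE literal, makes the WHERE clause always
# true, and comments out the rest of the statement.
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print("bob, legitimate search :", search_hardened(conn, "bob", "Ini"))
    print("bob, injected, vulnerable:", search_vulnerable(conn, "bob", INJECTION))
    print("bob, injected, hardened  :", search_hardened(conn, "bob", INJECTION))
```

With the payload, the vulnerable version returns every customer regardless of owner, while the hardened version returns nothing because no customer name contains that literal string. Note that binding parameters does not help if the column or table name comes from the user; those must be checked against an allowlist instead.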

5. Use a mix of security testing techniques

Regular testing is an important aspect of software security: it is where developers identify and fix vulnerabilities before attackers exploit them. Development teams should conduct multiple types of tests to gain a more comprehensive view of the solution’s security state. These should include penetration testing (which simulates an attacker against the running system), API security testing (which looks for common weaknesses such as broken authentication and authorization in API endpoints), software composition analysis (which checks third-party libraries against known-vulnerability databases and verifies that what is actually installed matches what was pinned), and other types of tests.
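Software composition analysis only means something if the third-party code that gets installed is the code that was reviewed, which is where the OWASP checksum requirement mentioned earlier does its work. The following is an added example, not code from the original article or any package manager: a small verifier in the style of pip’s hash-pinned requirements files. The lock lines and the "wheel" bytes are constructed; in a real lock file the hash is that of the artifact as published on the index.

```python
"""Verifying third-party artifacts against pinned SHA-256 hashes before use,
in the style of pip's hash-checking mode.

Added example, not from the original article. The lock file content and the
artifact bytes are constructed for illustration.
"""
import hashlib
import hmac
import re

_PIN = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_lock(text: str) -> dict[str, tuple[str, str]]:
    """name -> (version, sha256). Rejects anything that is not an exact pin with a hash."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins


def is_fully_pinned(text: str) -> bool:
    try:
        parse_lock(text)
        return True
    except ValueError:
        return False


def verify_artifacts(pins: dict, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Per package: 'ok', 'mismatch' (bytes differ from the pin) or 'missing'."""
    verdicts = {}
    for name, (_version, expected) in pins.items():
        data = artifacts.get(name)
        if data is None:
            verdicts[name] = "missing"
            continue
        actual = hashlib.sha256(data).hexdigest()
        verdicts[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return verdicts


def check_lock(text: str, artifacts: dict[str, bytes]) -> dict[str, str]:
    return verify_artifacts(parse_lock(text), artifacts)


# Constructed artifacts standing in for downloaded wheels.
GOOD_REQUESTS = b"constructed bytes standing in for requests-2.32.3-py3-none-any.whl"
ORIGINAL_URLLIB3 = b"constructed bytes standing in for urllib3-2.2.2-py3-none-any.whl"
TAMPERED_URLLIB3 = ORIGINAL_URLLIB3 + b"\n# extra payload appended in transit"

# Constructed lock file: the certifi hash is a placeholder, and certifi is never downloaded.
LOCKFILE = (
    "# constructed lock file\n"
    f"requests==2.32.3 --hash=sha256:{hashlib.sha256(GOOD_REQUESTS).hexdigest()}\n"
    f"urllib3==2.2.2 --hash=sha256:{hashlib.sha256(ORIGINAL_URLLIB3).hexdigest()}\n"
    f"certifi==2024.8.30 --hash=sha256:{'0' * 64}\n"
)
DOWNLOADED = {"requests": GOOD_REQUESTS, "urllib3": TAMPERED_URLLIB3}

if __name__ == "__main__":
    for name, verdict in check_lock(LOCKFILE, DOWNLOADED).items():
        print(f"{name:10s} {verdict}")
```

Any verdict other than "ok" should fail the build. The same check belongs in the deployment pipeline for the application’s own artifacts, so the package that reaches production is the one the tests ran against.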

Final thoughts

If you are planning to develop a custom solution, you should prioritize software security to minimize any potential risks of sensitive data exposure. The practices listed in this article can help you achieve the desired protection level of your solution. Regardless of your custom project’s specifics, scale, and complexity, it’s also recommended to involve third-party experts in the software development. 

An experienced development company can provide you with a tailored secure software development policy, help design a hardened software architecture, and assist you with coding, testing, or any other development aspects to help you build a more robust bespoke solution.

 

The post 5 cybersecurity practices for custom software development appeared first on Cybersecurity Insiders.


January 31, 2025 at 12:24PM

Thursday, January 30, 2025

Ransomware attack makes Tata Technologies suspend whole of its IT services

Tata Technologies, an India-based multinational engineering and technology services company, has released a press statement saying that the whole of its IT services were suspended as a precautionary measure to mitigate the cyber risks associated with a ransomware attack. The good news is that all of the suspended services were restored in full within just 3 hours, greatly limiting the downtime.

A ransomware attack is a kind of malware attack in which a hacking group targets the computer network of a public or private entity with malicious software that encrypts data until a ransom is paid.

In some cases, the hackers first siphon data from the victimized servers and then encrypt it, launching a double-extortion attack in which they threaten to leak the stolen data if their ransom demands are not met on time. The situation has become more difficult over the past four years: ransomware gangs now call or contact the customers, partners or even family members of victimized companies and ask them to pressure the victim into paying the demanded sum in cryptocurrency.

In rare cases, hacking gangs target the same victim two or three times in a year, making repeated ransom demands to feed their funding needs.

Law enforcement therefore discourages victims from paying a ransom and instead urges them to report incidents through proper channels, since there is no assurance that the threat actors will hand over the decryption key after receiving payment.

Tata Technologies has an excellent IT team that is not only capable of recovering data and applications after the incident but can also audit the current security risks and close them with patches.

As of now, it is unclear who launched the malware attack on the IT services giant. A reputed news daily from the Indian subcontinent suggests it could be the work of a Russian gang operating under the guise of a Chinese state-funded actor.

 

The post Ransomware attack makes Tata Technologies suspend whole of its IT services appeared first on Cybersecurity Insiders.


January 31, 2025 at 11:15AM

Doppler announces integration with Datadog to streamline security and monitoring

San Francisco, United States / California, January 30th, 2025, CyberNewsWire

Doppler, the leading provider of secrets management solutions, announced a new integration with Datadog, a cloud application monitoring and security platform. This collaboration provides engineering and operations teams with an integrated solution for securely managing sensitive credentials and gaining insights into cloud environments through real-time monitoring.

In an era of rapid cloud adoption, DevOps and security teams face mounting challenges in safeguarding sensitive data across distributed systems. By combining Doppler’s automated secrets management capabilities with Datadog’s comprehensive monitoring platform, this integration enables teams to enhance their security practices while maintaining operational visibility. Doppler’s automated secrets storage and rotation, paired with Datadog’s continuous monitoring, empowers teams to mitigate risks of secret sprawl and prevent unauthorized access in a scalable, automated fashion.

Streamlining security and visibility across cloud environments

Many DevOps teams need help maintaining consistent security practices as secrets are often scattered across environments, increasing the risk of misconfigurations. The Doppler integration with Datadog addresses this issue head-on by creating a centralized workflow for managing secrets and monitoring activity across all environments. With Datadog’s alerts and Doppler’s automated security measures, teams can detect and respond to suspicious activity, helping to ensure security and compliance.

“We are thrilled to integrate with Datadog to combine our secrets management capabilities with their monitoring platform,” said Brian Vallelunga, CEO and Founder of Doppler. “This integration simplifies security for developers and gives organizations the ability to manage secrets at scale, gaining visibility and control over sensitive information across the entire cloud environment. Together, we’re helping teams protect their data while allowing them to stay focused on building great software.”

How the Doppler-Datadog Integration Solves Key Security Challenges

  • Automated secrets management: Doppler’s platform automates the rotation, storage, and encryption of secrets, minimizing the risk of human error and unauthorized access.
  • Real-time monitoring and alerts: Datadog’s continuous monitoring enables teams to track secret usage, receive alerts for suspicious access, and respond quickly to any anomalies.
  • Security across hybrid environments: This integration unifies secrets management and monitoring, providing consistency in security practices across hybrid and multi-cloud setups.

Centralized deployment for DevOps and Security teams

The integration allows teams to centralize secrets management in Doppler while benefiting from Datadog’s secret usage observability. This provides a simplified solution for both managing and monitoring sensitive information. This approach enhances security without disrupting workflows, helping organizations to meet compliance requirements, reduce risk, and modernize their operations.

Availability

The integration is available now. For more information on how this integration can improve users’ security posture and improve secrets management, users can visit the Datadog Integration Documentation.

About Doppler

Doppler is a leader in secrets management, providing a centralized, secure solution that automates handling sensitive information such as API keys, tokens, and credentials. Thousands of development teams worldwide trust Doppler to simplify secrets management, improve operational efficiency, and prevent data breaches.

Contact

Doppler Press
press@doppler.com

The post Doppler announces integration with Datadog to streamline security and monitoring appeared first on Cybersecurity Insiders.


January 30, 2025 at 09:21PM

Ransomware news trending on Google

Smiths Group Hit by Cyberattack

Smiths Group plc, a British multinational engineering company, has issued a public statement confirming a cybersecurity incident involving unauthorized access to its systems. The intrusion was detected and contained by the company’s IT team, preventing further damage. However, the company is still investigating the full extent of the attack, including which systems were affected and, crucially, who was behind it.

Although the company has yet to formally label the incident a ransomware attack, it did acknowledge unauthorized access to its internal computer network. Smiths Group has pledged to provide more information as its investigation progresses, emphasizing its commitment to transparency and security.

In the wake of the disclosure, Smiths Group’s share value took a significant hit, dropping by 2.3% in early trading. This is a stark reminder that even major multinational corporations are not immune to the disruptive power of cybercrime. While the company is working diligently to minimize the damage, incidents like this can have long-lasting effects on business operations and investor confidence. For smaller companies, such attacks can be financially devastating, sometimes pushing them to the brink of closure. Even for large firms, the ripple effects on reputation, operations, and financial performance can linger long after the immediate crisis is over.

Akira Ransomware Targets VMware ESXi Servers

The notorious Akira ransomware group has resurfaced, this time going after VMware ESXi hypervisors. The Linux variant of its encryptor is written in Rust, which lets it run directly on ESXi hosts and encrypt virtual machine disk files at the hypervisor level rather than inside each guest. Rust binaries are also less familiar to signature-based detection tooling than the C/C++ families it was trained on, which can give the malware more time before it is recognized.

VMware’s ESXi servers are used globally by thousands of organizations, making them a prime target for cybercriminals. A single host runs many virtual machines carrying critical business functions, so encrypting the hypervisor takes down everything on it at once and increases the pressure on the victim to pay.

The best defense against ransomware attacks of this nature is a robust backup strategy: backups that are offline or immutable, kept separate from the hypervisor’s own credentials, and restored in regular test exercises so the recovery time is known before it matters. Companies should also report such incidents to law enforcement agencies, which have the resources and expertise to track down cybercriminals and may be able to act before stolen data is leaked. Paying the ransom is never recommended, as it doesn’t guarantee the safe return of encrypted files and only fuels the cycle of cybercrime.

New York Blood Center Falls Victim to Ransomware

The New York Blood Center Enterprises (NYBC), a vital healthcare provider responsible for collecting and distributing blood to hospitals across the region, has become the latest victim of a ransomware attack. While the specific cybercriminal group responsible for the attack has not yet been confirmed, reports suggest that the Interlock ransomware gang could be behind the breach.

Ransomware attacks on healthcare organizations are particularly alarming, as they pose a direct threat to patient safety. The encryption of critical systems within hospitals and blood banks can delay or disrupt essential services, potentially jeopardizing lives. In this case, it remains unclear how the attack has affected the NYBC’s operations, but historically, such attacks can lead to significant delays in inventory management and supply chains. With digital systems controlling blood stocks and tracking demand, the attack may cause disruptions that become apparent only days or weeks later.

The repercussions of such an attack could be severe. Not only are these organizations facing potential financial and operational damage, but they also risk becoming targets for future attacks as cybercriminals increasingly see the healthcare sector as a profitable avenue for exploitation.

Conclusion

In summary, these high-profile ransomware attacks serve as a stark reminder of the growing threat posed by cybercriminals across various industries. The scale and sophistication of these attacks are increasing, and the impact on businesses, healthcare providers, and other critical sectors can be devastating. Organizations must take proactive steps to strengthen their cybersecurity measures, including regular backups, employee training, and collaboration with law enforcement agencies to prevent, detect, and mitigate such threats.

The post Ransomware news trending on Google appeared first on Cybersecurity Insiders.


January 30, 2025 at 08:48PM

SquareX Discloses “Browser Syncjacking”, a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk

Palo Alto, USA, January 30th, 2025, CyberNewsWire

SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.

Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and on extensions themselves, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges and conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires the read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, which has desensitized users to granting these permissions. This revelation suggests that virtually any browser extension could serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

Profile Hijacking

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

Browser Takeover

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

Device Hijacking

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.
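The two footholds described above (a cloud-management enrollment token and native messaging host registrations) both live in the Windows registry, so an administrator can enumerate them across a fleet. The script below is an added defensive check, not SquareX's code or part of the original release; it assumes Windows with Chrome installed, uses the registry locations Chrome documents for enrollment tokens and native messaging hosts, and the "approved" lists are placeholders to be replaced with the organisation's own values.

```powershell
# Added example (not SquareX's code): report Chrome cloud-management enrollment
# tokens and native messaging host registrations so they can be compared against
# an approved list. Values in the two lists below are placeholders (assumption).
$ApprovedEnrollmentTokens = @('<your-org-enrollment-token-placeholder>')
$ApprovedNativeHosts      = @('com.example.approved_host')   # placeholder

# Registry locations from which Chrome reads an enrollment token on Windows
# (current CloudManagement key plus the older Chrome policy value).
$TokenLocations = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\CloudManagement'; Name = 'EnrollmentToken' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';          Name = 'CloudManagementEnrollmentToken' }
)

function Get-ChromeEnrollmentFindings {
    foreach ($loc in $TokenLocations) {
        $item = Get-ItemProperty -Path $loc.Path -Name $loc.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $token = $item.($loc.Name)
            [pscustomobject]@{
                Kind     = 'EnrollmentToken'
                Location = "$($loc.Path)\$($loc.Name)"
                Detail   = $token
                Approved = ($ApprovedEnrollmentTokens -contains $token)
            }
        }
    }
}

# Native messaging hosts: each subkey's default value is the path of a JSON
# manifest whose allowed_origins lists the extension IDs that may talk to the
# host executable named in its "path" field.
$NativeHostRoots = @(
    'HKLM:\SOFTWARE\Google\Chrome\NativeMessagingHosts',
    'HKCU:\SOFTWARE\Google\Chrome\NativeMessagingHosts'
)

function Get-ChromeNativeHostFindings {
    foreach ($root in $NativeHostRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $hostName     = $key.PSChildName
            $manifestPath = (Get-ItemProperty -Path $key.PSPath).'(default)'
            $exe = $null; $origins = @()
            if ($manifestPath -and (Test-Path $manifestPath)) {
                try {
                    $m       = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
                    $exe     = $m.path
                    $origins = @($m.allowed_origins)
                } catch {
                    $exe = "<unreadable manifest: $manifestPath>"
                }
            }
            [pscustomobject]@{
                Kind     = 'NativeMessagingHost'
                Location = ($key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', '')
                Detail   = "host=$hostName exe=$exe origins=$($origins -join ',')"
                Approved = ($ApprovedNativeHosts -contains $hostName)
            }
        }
    }
}

# Print everything found, then warn on anything not on the approved lists.
$findings = @(Get-ChromeEnrollmentFindings) + @(Get-ChromeNativeHostFindings)
$findings | Format-Table -AutoSize
$findings | Where-Object { -not $_.Approved } |
    ForEach-Object { Write-Warning "Unapproved $($_.Kind) at $($_.Location): $($_.Detail)" }
```

On a single machine the same enrollment state is visible in chrome://policy and chrome://management; the script exists so the check can be scheduled across many endpoints and diffed over time.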

The browser syncjacking attack exposes a fundamental flaw in how remote-managed profiles and browsers are provisioned. Today, anyone can create a managed Workspace account tied to a new domain, and a browser extension, without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser: most do not have managed browsers or profiles, nor any visibility into the extensions employees are installing, often on the strength of trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at sqrx.com/research.

About SquareX

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com

The post SquareX Discloses “Browser Syncjacking”, a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk appeared first on Cybersecurity Insiders.


January 30, 2025 at 07:00PM

Wednesday, January 29, 2025

DeepSeek AI data under scrutiny as Microsoft investigates OpenAI data steal

DeepSeek AI, a Chinese chatbot service that recently gained traction on the Apple App Store, is now in the spotlight due to allegations of unauthorized data access from Microsoft-backed OpenAI. According to sources familiar with the situation, DeepSeek AI’s founder, Liang Wenfeng, has strongly denied these accusations, dismissing them as baseless and labeling them as a coordinated attempt by Western media to undermine the company’s advancements.

Despite these denials, industry analysts suspect that DeepSeek AI may have leveraged OpenAI’s proprietary data to enhance its DeepSeek R1 model, which runs on the DeepSeek V3 algorithmic framework. Reports indicate that the company may have accessed extensive datasets through OpenAI’s Application Programming Interfaces (APIs)—a common method through which software developers integrate AI models into their applications.

Potential Exploitation of OpenAI’s API

Typically, Microsoft allows licensed software developers to utilize OpenAI’s models via API access, enabling them to integrate GPT-based conversational AI into their platforms. However, concerns have emerged that DeepSeek AI might have systematically extracted large volumes of data from OpenAI’s cloud infrastructure, potentially bypassing usage restrictions or rate limits designed to prevent unauthorized large-scale data extraction.

Given Microsoft’s strict data policies and security mechanisms, any potential misuse of the API would likely involve sophisticated techniques such as data scraping, API tunneling, or parallelized request handling to evade detection. Although OpenAI’s API includes monitoring features like token-based authentication and query rate limitations, malicious actors could theoretically work around these controls by distributing requests across multiple accounts or cloud proxies.

Microsoft’s Investigation and European GDPR Concerns

Currently, Microsoft, under CEO Satya Nadella, is investigating the matter. However, an anonymous insider has suggested that DeepSeek AI does not necessarily need external data sources, as China’s own AI ecosystem—especially Baidu’s extensive language model infrastructure—could provide ample training data for the chatbot.

Meanwhile, European regulatory bodies have also taken notice. Italy’s Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) has initiated an inquiry into whether DeepSeek AI complies with General Data Protection Regulation (GDPR) requirements. This follows a formal complaint from Belgium’s data protection agency, citing potential GDPR violations in how the chatbot processes user data.

The European Commission is expected to form a committee to scrutinize the issue further. If DeepSeek AI is found to be in breach of European data privacy laws, it may face financial penalties or even a temporary ban from operating within EU jurisdictions. The investigation aligns with broader concerns from privacy-conscious nations such as the Netherlands, the Czech Republic, Finland, and Denmark, where citizens express strong preferences for retaining control over their personal data.

Alibaba’s AI Challenge and Data Transfer Restrictions

Adding to the competitive AI landscape, Chinese tech giant Alibaba has officially announced that its QWEN 2.5 Max model outperforms leading Western AI systems, including OpenAI’s ChatGPT, Meta’s LLaMA, Google’s Gemini, and even DeepSeek’s own chatbot. While Alibaba claims its model offers superior capabilities, both DeepSeek and Alibaba have remained silent on critical questions regarding data privacy, cross-border storage, and compliance with Western data sovereignty laws.

Recent regulatory shifts in Western nations have imposed strict constraints on AI firms transferring user-generated data to servers located in foreign jurisdictions. This move is intended to prevent unauthorized surveillance, mitigate cybersecurity risks, and enhance user data control. Both Chinese firms face growing pressure to clarify their data governance policies, especially as regulatory scrutiny intensifies worldwide.

Conclusion

As AI development accelerates, the clash between global tech giants and regulatory bodies highlights the importance of data ethics, security, and fair competition. Whether DeepSeek AI has indeed exploited OpenAI’s API remains uncertain, but the controversy underscores the broader geopolitical and technological tensions shaping the AI landscape today.

The post DeepSeek AI data under scrutiny as Microsoft investigates OpenAI data steal appeared first on Cybersecurity Insiders.


January 30, 2025 at 10:12AM

Taking a Threat Adapted Approach to Vulnerability Management

As cyber threats continue to grow in complexity and frequency, vulnerability management requires more than just patching systems; it demands a dynamic, threat-adapted approach. As part of Cyber Rhino Threat Week (December 9-13, 2024), which aimed to inform by sharing threat intelligence insights and best practices with our customers, partners and industry ecosystem, we held a session that explored how integrating threat intelligence into vulnerability management can transform the way organizations prioritize and respond to risks.

Vulnerability management is a continuous, proactive process that keeps systems, networks, and enterprise applications safe from cyberattacks and data breaches. It is an important part of an overall security program. The panel discussion explored how vulnerability management has changed over the years. In the past it simply involved patching servers and endpoints, and collaboration with the IT team is what drove the patching cadence. Today it is more complex, with the Internet of Things (IoT), kiosks, mobile devices, display screens and more. The many assets involved in the vulnerability management cycle increase the attack surface through which adversaries can gain access to an infrastructure. Now teams need to understand every asset connected to the network, make sure each is up to date on firmware, and understand when to patch, how to patch and whether patching will cause any disruption to the business.

The role of vulnerability management teams is to disseminate all this information to system owners so they can understand why they need to patch and what to prioritize. But this is easier said than done with an enterprise comprising hundreds of thousands of employees across multiple geographic locations.  

Breaking down silos 

The discussion delved into the importance of breaking down silos between teams such as system information management teams, incident response teams and cyber threat intelligence teams and how there is a lack of data sharing across these silos. That’s often because there isn’t an automated way to get a bidirectional flow of information, and this is one area that a threat intelligence platform can help to address. 

This is one of the reasons why a threat-adapted approach is so important. Such an approach analyzes behaviors and events in readiness to adapt to threats before they happen. An organization can continuously assess risk and provide appropriate enforcement using an adapted approach. However, if the team hasn’t operationalized its threat intelligence and doesn’t have processes in place to bring everything together and overlay it on the vulnerability posture, then all the threat intelligence collected is wasted. One of the panelists likened this to having an external library card or an Encyclopaedia Britannica about all your threat actors: it provides information but doesn’t activate a robust response. Teams need a way to contextualize and prioritize based on what threat actors are targeting, and this process needs to be automated.

The key question is how you take that expensive library card and plug it into the vulnerability management program so that the team can easily and quickly prioritize information. They need context about what an asset does, what business value it delivers and how it functions to prioritize risk and make the CTI program relevant. All panelists agreed that if all you are doing is building a giant library without context and integration to drill down into what’s important to the organization then your CTI program simply becomes a cost center. 

The importance of compensating controls   

This is where it is important to work with teams, business and system owners and any other stakeholders to understand their requirements, what is important to them and what they need to act on, so they can proactively push and escalate. To achieve this, organizations must break down the silos by working with all teams involved in security, such as the governance, risk and control teams, to understand where their concern lies and what technologies they are tracking. This is not just about understanding the organization’s cyber hygiene; it’s also about understanding the layers that an attacker would have to get through to exploit. Once this insight is gained, teams are enabled to work through requirements and align the CTI program for specific stakeholders.

Ultimately there is always the desire to patch, but it’s not always possible. This is where compensating controls are important: finding another way to protect the organization while preparing to get a patch. One panelist asked how you achieve this and whether it should be left up to the vulnerability management team, or can the CTI team assist in helping to make those all-important decisions?    

All agreed that you must have both offense and defense teams working together. This means mapping out the attack path and gaining a better understanding of defense, which in turn gives a better understanding of offense: teams scout for what would be effective, then go to the next layer to consider what might be vulnerable and whether mitigating controls are in place to provide any additional prevention.

Teams need to move at the speed of business and act fast while doing this safely. Achieving this comes down to having a holistic program with a good knowledge of both offensive and defensive strategies.

A fusion of threat intelligence, risk and vulnerability management  

The tools required for a threat adapted approach include an inventory of all assets, plus an understanding of the frequency of vulnerability scanning so that the team knows how frequently it can expect to get new information. Any data and external threat intelligence needs to be operationalized into the threat intelligence program.  

Looking at the future of vulnerability management, the group discussed how CTI teams need to champion vulnerability teams, working together with bidirectional communication and presenting to stakeholders together. Vulnerability management also needs to expand to the external attack surface: understanding cloud environments and analyzing configurations, misconfigurations and default credentials.

Ultimately, all agreed that there will be a fusing of threat intelligence, vulnerability management and risk – coordinating all three will be critical for cyber hygiene and planning, prioritizing, and mitigating threats. 


The post Taking a Threat Adapted Approach to Vulnerability Management appeared first on Cybersecurity Insiders.


January 29, 2025 at 03:54PM

Cybersecurity in Banking: Strengthening Security Amid Rising AI Threats

As technology continues to evolve in today’s digital landscape, cybersecurity threats are becoming increasingly sophisticated. Financial institutions are among the industries most vulnerable to cyberattacks, due to their increasing reliance on technology and on open banking, which lets consumers share their financial data with third-party service providers. While institutions embrace AI and open banking, the complexity and volume of cyberthreats are also growing, making it more challenging for institutions to protect themselves.

To address these evolving risks, financial institutions must implement robust cybersecurity strategies. By leveraging AI-powered defenses, strengthening access management protocols and proactively mitigating both internal and external threats, banks can safeguard themselves against the most complex attacks. 

Fighting AI with AI

As the industry adopts AI, so do cybercriminals. Cybercriminals are leveraging AI to bypass traditional defenses, developing malware capable of mimicking legitimate system behavior and exploiting vulnerabilities faster than ever before. 

This makes the financial services industry particularly vulnerable, since most institutions rely heavily on digital infrastructure and hold high-value data. To address these threats, banks must adopt AI-based cybersecurity tools that can detect and respond to anomalies in real time. For example, machine learning algorithms can identify patterns of suspicious behavior that human analysts might overlook, such as subtle changes in network traffic or unusual login patterns. Integrating AI to detect AI threats allows financial institutions to protect themselves from vulnerabilities that humans would likely be unable to detect.

Open Banking and Increased Exposure

In the past year, we’ve seen a multitude of banking institutions integrate open banking. Open banking has transformed the industry by enabling customers to share their financial data with third-party providers, allowing banks to provide personalized services and customers to view a comprehensive financial picture by managing multiple accounts in a single place. However, this comes at a cost for institutions: increased vulnerability to cyberattacks. 

Sharing customer data with third parties increases the risk of data breaches and unauthorized access. Financial institutions must implement stringent security measures to safeguard the use of application programming interfaces (APIs), the integration software that is the backbone of open banking systems. This includes adopting robust encryption protocols, monitoring continuously for vulnerabilities, and ensuring requirements are in place for third-party vendors to comply with cybersecurity standards. By implementing and enforcing robust API security protocols, banks can reduce the risks associated with open banking while continuing to innovate.

Strengthening Identity and Access Management

Bank employees have access to vast amounts of private data, so they are often targeted by cybercriminals seeking to exploit weak authentication systems. Unauthorized access can lead to devastating breaches, making it imperative for banks to implement robust identity and access management (IAM) systems. These tools control how users access and utilize digital resources. The most robust and effective IAM systems include multi-factor authentication, biometric verification and adaptive access controls. These measures not only make it harder for unauthorized users to access sensitive information but also help institutions quickly identify and respond to suspicious login attempts. A strong IAM system creates multiple layers of defense, ensuring only authorized personnel can access sensitive information, thereby reducing the likelihood of internal and external breaches. 

Addressing Internal Threats 

While external cyberattacks garner much attention, internal threats are also a significant concern for financial institutions. Employees, often unknowingly, are targeted by cybercriminals, most commonly through social engineering attacks like phishing. In fact, phishing is the most common form of cybercrime, with an estimated 3.4 billion spam emails sent every day. These attacks come with large consequences as the average cost of a data breach against an organization is more than $4 million. Phishing attacks are sometimes successful as cybercriminals exploit human psychology to trick employees into exposing sensitive information or granting access to secure systems. 

Because of this, financial institutions must prioritize employee cybersecurity training. Regular workshops on identifying phishing attempts, password security education, safe internet practices and data protection can significantly reduce the risk of successful social engineering attacks. Additionally, simulated phishing attacks can help employees recognize potential threats in a controlled environment, ensuring they are better prepared to handle real-world scenarios. 

As innovative technology becomes central to financial institutions’ operations, they face an escalating wave of cyberthreats. To protect both their customers and operations, it’s crucial that banks adopt a proactive approach to cybersecurity. By investing in AI-powered defenses, implementing API security protocols, strengthening IAM systems and fostering a culture of vigilance through employee training, financial institutions can navigate the complex world of cybersecurity with confidence. This not only safeguards their own business but also builds trust with their customers in an increasingly interconnected financial ecosystem. 


The post Cybersecurity in Banking: Strengthening Security Amid Rising AI Threats appeared first on Cybersecurity Insiders.


January 29, 2025 at 03:01PM

Tuesday, January 28, 2025

Whitehall vulnerable to Cyber Attacks and malware threats

Whitehall, a term that refers both to the British government administration and a specific geographic location in central London, has recently garnered attention for its vulnerability to cyberattacks. This issue stems primarily from the reliance on outdated IT infrastructure, a problem that has left critical government departments exposed to potential breaches. The findings were outlined in a report by the National Audit Office (NAO), which highlighted the serious risks posed by outdated systems and a lack of skilled personnel within Whitehall departments.

According to the NAO, every department within Whitehall is susceptible to cyber threats due to a combination of obsolete IT systems and the inability to attract or retain qualified professionals. This is not a unique issue to the UK; governments around the world face similar challenges, often tied to limited budgets and competing priorities. However, the British situation is particularly alarming given the central role these departments play in national security and governance.

The question arises: Is the UK truly vulnerable to the growing cyber threats that are increasingly dominating the global landscape? The NAO report stresses that the government is indeed at risk, primarily because many key technical roles remain vacant. Without the necessary in-house talent, these departments are ill-equipped to defend against sophisticated cyberattacks, leaving critical infrastructure exposed.

Recent incidents have only underscored these concerns. For example, in 2023, both the National Health Service (NHS) and the British Library suffered data breaches that were directly linked to outdated systems and a lack of cybersecurity expertise. In the case of the NHS, the use of Windows 8—an operating system that is no longer supported—made it vulnerable to threats such as the WannaCry ransomware attack. Similarly, the British Library experienced information leaks, highlighting the consequences of failing to modernize IT infrastructure and secure sensitive data.

While some Whitehall departments have started to take action by overhauling their IT resources and bolstering cybersecurity measures, these efforts are struggling to keep up with the increasing sophistication of cybercriminals. Experts argue that despite these improvements, the pace at which hackers are evolving their tactics means that the government’s current defenses are often inadequate.

Ironically, a report from the NAO published in April 2024 served as a stark warning to the government, yet it arrived during a period of political instability. At the time, Prime Minister Rishi Sunak’s government was facing significant political challenges, and public disillusionment was growing. In this context, adequate funding for cybersecurity and IT infrastructure improvements failed to be prioritized. As a result, the UK government has struggled to secure the financial resources necessary to build robust cybersecurity resilience across Whitehall.

This situation underscores the need for a more proactive and long-term approach to cybersecurity, particularly in an era where cyber threats are becoming more complex and widespread. For the UK to safeguard its national interests, it will need to address the underlying issues of outdated technology, staffing shortages, and underinvestment in its cybersecurity infrastructure. Only then can it hope to mitigate the risks posed by the rapidly evolving cyber threat landscape.

The post Whitehall vulnerable to Cyber Attacks and malware threats appeared first on Cybersecurity Insiders.


January 29, 2025 at 11:22AM

Ransomware Insurance: Rising Premiums, Uncertain Returns, and Alternative Strategies

You probably think of ransomware insurance as a safeguard against ransomware attacks and data loss – and it is, to a certain extent. But what if we told you cyber or ransomware insurance may not end up covering against financial losses you experience due to ransomware? Or that ransomware insurance is actually making the scourge of ransomware worse?

If those statements sound surprising, keep reading for details on why cyber insurance not only fails to offer the protections that companies often think they’re obtaining when they purchase cybersecurity policies, but also how it makes the overall problem of ransomware worse than it needs to be.

What is ransomware insurance?

Ransomware insurance – also sometimes called cyber insurance – is a type of insurance coverage designed to help protect businesses against the financial fallout of cyberattacks (technically, ransomware insurance is a subcategory of cyber insurance, since the latter can also offer financial protection against other types of cybersecurity risks).

Ransomware insurance works in a pretty straightforward fashion: Businesses pay premiums in exchange for coverage against data breaches. In the event that such an attack occurs, the affected business can file a claim to seek reimbursement of costs it incurred due to data loss. Assuming the insurer agrees that the incident was indeed covered, the business will receive a payout.

The history and evolution of cyber insurance

The first cyber insurance policy became available in 1997, when an innovative insurance broker named Steve Haase convinced a large insurance firm to offer a novel type of policy known at the time as Internet Security Liability (ISL) coverage. Then as now, the premise behind the cyber insurance coverage was simple – if a company experienced a cyberattack or data breach event, the insurer would pay out.

Over the following decades, cyber insurance grew gradually in popularity. As of 2024, 90 percent of businesses whose employee headcounts fell in the 100-5000 range had some form of cyber insurance coverage, a statistic that likely reflects widespread awareness of the high costs to businesses of ransomware attacks.

Escalating premiums in ransomware insurance

As ransomware insurance adoption has grown, so has the cost of cyber insurance. Over the past few years, average policy pricing has surged by as much as 100 percent per quarter, and cyber insurance premium costs have risen faster than costs for any other type of insurance.

You don’t need a Ph.D. in actuarial science to guess why the cost of ransomware insurance has risen so sharply in recent years. The increase in pricing coincides with steady growth in the frequency of ransomware attacks, which have increased by 71 percent year over year since the early 2020s. As of 2023, 72 percent of businesses had been impacted by a ransomware attack.

The more widespread ransomware becomes, the more insurers can charge for ransomware insurance.

Uncertain outcomes: No guarantee of data recovery

Unfortunately for businesses that have purchased cyber insurance in the hope that it will protect them against ransomware and other cybersecurity risks, having this type of policy in place is hardly a guarantee that your company will be able to weather a data breach event. For several reasons, cyber insurance may not offer the level of protection that businesses often expect.

Failure to recover data

Arguably the biggest pitfall of ransomware insurance is that it can never guarantee you’ll get your data back. It only offers payment to reimburse you for the costs of lost data.

This is a problem because without the ability to recover data, your business may experience long-term disruptions to its operations that no financial payout can fully alleviate. The information that ransomware attackers destroy could take years to generate, and once it’s gone, it’s gone.

Note, too, that even if you pay the ransom (and assume your insurance provider will reimburse you for the ransom payment), you may still not end up getting your data back. As many as 92 percent of businesses report that they were unable to recover data fully following a ransomware attack despite paying a ransom.

Lack of protection against third-party claims

There are multiple types of cyber insurance policies, and the scope of what they cover varies significantly.

One popular form of cyber insurance is what’s known as first-party insurance. This covers companies against losses that they experience directly – such as the destruction of important business data.

However, first-party cyber insurance doesn’t cover losses experienced by a business’s customers or partners. You need what’s known as third-party coverage for that type of protection. Companies often don’t purchase third-party policies because they’re more expensive.

This means that businesses may find themselves in a situation where they only obtained first-party coverage because they thought that was sufficient, but their clients end up suing them because the clients experienced financial harm due to a ransomware event for which they hold the business responsible. In this case, the cost of judgments against the business may end up being far higher than the cost of direct losses, and cyber insurance will be of no help.

Cyber insurance vs. silent cyber coverage

Some companies don’t purchase explicit cyber insurance at all; instead, they rely on generic property and casualty (P&C) insurance to protect them against cybersecurity incidents. This is known as silent cyber coverage.

Silent cyber coverage may seem sensible because it’s a way to fold cybersecurity coverage in with broader policies. The problem, though, is that because generic P&C policies are often not specific about which types of cyber events they cover, companies can end up in protracted battles with insurers over whether a given ransomware event qualifies for reimbursement. Such battles could drag on for years, and without a fast payout, your business may not be able to recover quickly enough to restore normal operations.

Non-covered losses

Even when you do have explicit first- or third-party cyber insurance, it’s likely that certain types of attacks or losses are not covered. The details vary between policies, but common examples of items that cyber insurance doesn’t address include loss of intellectual property, loss of future profits, and loss due to attacks caused by a malicious insider.

For these reasons, it’s problematic to assume that as long as you have a cyber policy, you can expect to go to your insurer following an attack and be made fully whole. You may end up discovering that the attack wasn’t covered at all, or that your payout is much smaller than you expected because the insurer doesn’t reimburse for all of your losses.

Losses that exceed payouts

Having an air-tight claim based on a fully covered event is also no guarantee of complete financial recovery from a ransomware attack because your losses may exceed your insurance coverage limits.

Recent data about average coverage limits is elusive, but a 2013 study found that among companies with revenues in excess of $1 billion, cyber insurance limits averaged $11.5 million. Let’s go out on a limb and say that since 2013, average coverage limits have increased ten-fold (the number is probably actually much lower), to $115 million.

That’s a lot, and it’s enough to cover the average cost of a data breach, which is a little over $5 million as of 2024. But it falls far short of protecting against attacks that result in above-average costs – such as a February 2024 attack against Change Healthcare whose total costs are expected to exceed $1.5 billion.

In short, cyber insurance may protect you if you’re lucky enough to experience a breach whose total costs are just a few million dollars. But breaches can be much, much more expensive than that, and your policy likely won’t protect you.

Incentivizing criminals: The dilemma of ransomware payments

We just explained why ransomware insurance may not be enough to protect the typical company against ransomware and other risks.

But this is only part of the reason why excess faith in cyber insurance as a salve against ransomware misses the mark. The problem is even worse when you consider that cyber insurance is likely a key factor in triggering cyber attacks in the first place.

The reason why is simple: When threat actors believe that a company has a cyber insurance policy that will cover ransomware payments, they are more likely to assume that they’ll receive payment if they hold the company’s data for ransom. This means that as more and more companies obtain cyber insurance – and as premiums and coverage limits for those policies increase – the bad guys are increasingly incentivized to do what bad guys do: Launch ransomware attacks and demand ever-higher ransoms.

Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, put it this way: “Some insurance company policies — for example covering reimbursement of ransomware payments — incentivise payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end.”

She goes on to call for insurance companies to demand that businesses demonstrate responsible cyber hygiene and data protection practices – such as regular backups of their data – as a condition for obtaining cyber insurance.

So, Neuberger’s position is not that cyber insurance is inherently a bad thing. She only believes it’s bad when policies merely reimburse businesses for ransoms they pay to threat actors, without doing much to encourage the businesses to protect themselves against ransomware in the first place or invest in techniques that would allow them to restore data without paying ransoms.

Alternative strategies to mitigate ransomware attacks

At N2WS, we agree with Neuberger. We believe that the best way to prevent ransomware attacks and mitigate the fallout of those that do occur is not to invest in expensive insurance policies that will (maybe) reimburse your business in the event that you experience a data breach and need to pay a ransom to restore operations.

Instead, it’s to invest in data backup and recovery solutions that enable reliable, fast restoration of business operations following a breach. And we’re not talking here simply about periodic data backups. We’re also referring to capabilities such as cross-cloud and cross-account recovery, which can speed recovery operations in the event that one of your cloud environments or accounts is compromised.

We’re also thinking of features like network environment cloning, which helps speed recovery operations by allowing businesses to back up and restore the network settings that their workloads depend on, instead of having to recreate them from scratch.

Coupled with other cybersecurity best practices – like enforcing zero-trust authentication and training employees in recognizing threats – advanced backup and recovery capabilities are the true key to ransomware defense.

You should certainly feel free to purchase cyber insurance coverage as an additional safeguard. But if your ransomware defense strategy hinges on ransomware insurance alone, you’re likely setting yourself up for a rude awakening.

Author Bio: Sebastian Straub, Principal Solutions Architect at N2WS

Sebastian is the Principal Solutions Architect at N2WS, bringing more than two decades of experience in enterprise technology, data protection and cybersecurity. With previous critical roles at Dell, Oracle, the FBI and the Department of Defense, he has established himself as a leading expert in enterprise security, backup and DR, and identity management solutions.


The post Ransomware Insurance: Rising Premiums, Uncertain Returns, and Alternative Strategies appeared first on Cybersecurity Insiders.


January 28, 2025 at 01:55PM

Monday, January 27, 2025

InvisibleFerret: Everything About Lazarus APT’s New Backdoor

During October and November 2024, researchers observed a surge in North Korean cyber activity leveraging a well-documented tactic: staging fake job interviews. 

This approach, employed by the notorious Lazarus Group, targets employees in the technological, financial, and cryptocurrency sectors. 

Disguised as coding challenges or video conferencing software, these fake interviews deliver a variety of malware families, including the QRLog, Docks/RustDoor, and now BeaverTail and InvisibleFerret.

Let’s find out how dangerous InvisibleFerret actually is and how it can be analyzed more easily using advanced malware analysis tools, such as ANY.RUN’s sandbox.

What is InvisibleFerret? A Messy but Silent Backdoor

InvisibleFerret is Python-based malware with a complex, messy structure, featuring over 100 functions riddled with compact and obfuscated code. Its capabilities include reconnaissance, data exfiltration, and persistence, all aimed at stealing sensitive files, source code, and cryptocurrency wallets.

Key capabilities of InvisibleFerret:

  • Reconnaissance: Gathers geolocation, OS details, and user information by querying legitimate services like ip-api.com
  • Data theft: Extracts files such as source code, credentials, and sensitive corporate data. Specifically targets browser data, including cookies, saved passwords, and history, across Chrome, Brave, Edge, and others
  • Exfiltration techniques: Files are compressed and encrypted using weak passwords. Browsers and crypto wallet extensions like Metamask and Google Authenticator are key targets
  • Persistence and control: Downloads and executes tools like AnyDesk for remote access. Includes keylogging capabilities, monitoring clipboard changes for passwords and keys

Technical Analysis of InvisibleFerret

A critical component of the latest InvisibleFerret attack is the deployment of a malicious NPM module, BeaverTail, which delivers a portable Python environment (p.zip) as part of its operation. 

BeaverTail serves as the initial stage in a sophisticated, multi-layered attack chain, paving the way for InvisibleFerret. This backdoor exhibits advanced obfuscation techniques and incorporates persistence mechanisms, making it a formidable tool in the hands of attackers.

To discover how InvisibleFerret behaves, let’s submit it for analysis to ANY.RUN’s interactive sandbox. The sandbox shows the analysis in real time, with every process the sample spawned, in more detail:

View ANY.RUN analysis session

InvisibleFerret processes analyzed by ANY.RUN sandbox

All the processes are displayed on the right side of the sandbox screen. By clicking on a specific process, you can access detailed information about its behavior and actions, making it easier to analyze and understand its role in the malware’s operation.

Exfiltrated information displayed inside ANY.RUN sandbox

Inside the analysis session, the ferret’s first move is to gather fundamental information about the victim. 

It queries legitimate services like ip-api.com, commonly exploited by other malware and even cryptocurrency drainers like “ETH Polygon BNB,” to determine the victim’s geolocation. 

Besides that, it collects system details, including the operating system release, version, hostname, and username, before generating a unique host ID to establish its presence within the adversary’s infrastructure.


Another indication of malicious behavior within the processes can be seen beneath the ANY.RUN virtual machine, where the network communication threads are highlighted in orange and red.

This visualization reveals how legitimate traffic seamlessly blends with malicious requests, all generated by the same script. The combination of these traffic streams underscores the stealthy nature of the malware, as it masks its malicious activities within normal system behavior.

Malicious requests are mixed with legitimate traffic, all directed by the same script

Within ANY.RUN’s sandbox, we can also observe the TTPs employed by InvisibleFerret. Simply click on the ATT&CK button located in the upper-right corner of the screen, and you’ll be presented with all the tactics, techniques, and procedures relevant to that specific sandbox session:

Main TTPs used by InvisibleFerret

Understanding these tactics and techniques allows researchers and businesses to standardize threat behaviors, making it easier to identify patterns and collaborate effectively. 

For instance, whether malware uses ip-api or another service to geolocate victims, it falls under the same technique (T1016, “System Network Configuration Discovery”). Grouping these actions under a shared framework reduces confusion and provides businesses with clearer insights to strengthen their defenses.

T1016 detected by ANY.RUN
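To make that grouping concrete, here is an added Python example (not ANY.RUN’s code and not from the article) that runs a small technique mapping over constructed per-process network records of the kind a sandbox report exposes. A lookup against ip-api.com is tagged T1016, exactly as the article states, and the mapping generalizes to any host in a configured set of geolocation services, so a different service lands under the same technique. The log format, every host other than ip-api.com, and the second indicator (a download whose name contains “anydesk”, which the example maps to T1219, Remote Access Software, a mapping that is this example’s own and not given in the article) are all assumptions. The report also singles out processes that mix flagged and benign requests, which is the blending of traffic the article describes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records, not sandbox output. Hypothetical format:
#   <pid> <process> <method> <host><path>
SAMPLE_LOG = """\
2311 python.exe GET ip-api.com/json
2311 python.exe GET pypi.org/simple/
2311 python.exe GET files.example.net/AnyDesk.exe
2311 python.exe POST exfil.example.net/upload
4120 chrome.exe GET www.google.com/
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>[^/\s]+)(?P<path>\S*)$"
)

# Any of these hosts counts as the same discovery technique; geoip.example is a
# constructed placeholder standing in for "another service" from the article.
GEO_SERVICES = {"ip-api.com", "geoip.example"}

# Remote-access tool download indicator (this example's own mapping to T1219).
RAT_PATTERN = re.compile(r"anydesk", re.IGNORECASE)

TECHNIQUES = {
    "T1016": "System Network Configuration Discovery",
    "T1219": "Remote Access Software",
}


@dataclass
class ProcessReport:
    process: str
    requests: int = 0          # all requests seen for this pid
    flagged: int = 0           # requests that matched an indicator
    techniques: set = field(default_factory=set)


def classify_request(host, path):
    """Return the technique id a single request maps to, or None if it looks benign."""
    host = host.lower()
    if host in GEO_SERVICES:
        return "T1016"
    if RAT_PATTERN.search(host) or RAT_PATTERN.search(path):
        return "T1219"
    return None


def parse_line(line):
    """Parse one record into a dict, or None when the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Group requests by pid and attach the techniques each process exhibits."""
    reports = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rep = reports.setdefault(int(rec["pid"]), ProcessReport(rec["proc"]))
        rep.requests += 1
        tid = classify_request(rec["host"], rec["path"])
        if tid:
            rep.flagged += 1
            rep.techniques.add(tid)
    return reports


def mixed_traffic_processes(reports):
    """Pids whose traffic mixes flagged and benign requests, as the article describes."""
    return sorted(pid for pid, r in reports.items() if r.flagged and r.flagged < r.requests)


if __name__ == "__main__":
    reports = analyze(SAMPLE_LOG)
    for pid, r in reports.items():
        names = ", ".join(f"{t} ({TECHNIQUES[t]})" for t in sorted(r.techniques)) or "none"
        print(f"pid {pid} {r.process}: {r.flagged}/{r.requests} flagged; techniques: {names}")
    print("mixed legitimate/malicious traffic:", mixed_traffic_processes(reports))
```

Running it tags pid 2311 with T1016 and T1219 while the browser process gets nothing; the host set is the only thing to extend when a sample switches geolocation services, and the technique id stays the same.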

Don’t Let Threats Like InvisibleFerret Catch Your Business Off Guard

Malware like InvisibleFerret disrupts businesses, damages trust, and puts your valuable assets at risk. 

Understanding these threats gives you the upper hand, helping you spot vulnerabilities, stop attacks before they spread, and keep your business running smoothly.

Stay protected and prepared!

Sign up for a free ANY.RUN account today and see how proactive threat analysis can make all the difference.

The post InvisibleFerret: Everything About Lazarus APT’s New Backdoor appeared first on Cybersecurity Insiders.


January 28, 2025 at 11:35AM

Cyber Attack on China AI startup DeepSeek halts registrations on iPhones

DeepSeek, a rising AI startup from China, has recently issued a warning that it is temporarily halting user registrations after its servers were hit by a large-scale cyber attack. Preliminary investigations suggest that the attack was a Distributed Denial of Service (DDoS) attack, a method in which fake web traffic is generated to overwhelm a server, preventing it from functioning properly and blocking legitimate users from accessing the service.

DeepSeek is known for offering an AI-powered chatbot service for free to Apple Inc. users, which appears to have made it a target for the cyber attack. The overwhelming traffic caused severe disruptions, forcing the company to take its service offline temporarily. The attack was later traced back to networked bots that flooded DeepSeek’s servers, triggering red alerts from the company’s threat monitoring systems and prompting the suspension of registration processes to mitigate further damage.

From a business perspective, DeepSeek has seen significant success, with its latest AI models gaining traction in major markets like the UK and the USA. The company’s AI chat assistants, including the DeepSeek-R1 powered by the DeepSeek-V3 model released on January 10th, have become popular among iPhone users. These models were praised for their transparency, performance, and consistency, as well as for being open-source creations, which contributed to their rapid adoption in Western markets.

As a result, DeepSeek has become a formidable player in the AI space, creating business opportunities for the startup, which was founded in 2023 by Baidu, the Chinese tech giant. However, this success also raises some concerns, particularly around the storage and handling of user data.

As DeepSeek’s services are now being used in countries like the USA and the UK, there is uncertainty about how the company plans to comply with data protection regulations. Current laws in both countries dictate that user data should be stored on local soil, prohibiting the transfer of such data to servers in China.

At present, there is little clarity on where DeepSeek will store and manage this data. Due to these uncertainties and the recent cyber attack, the company has halted registrations for users outside of China, allowing only Chinese phone numbers to register for the service, but only after official login procedures. Until these issues are resolved, it remains unclear how DeepSeek will navigate the complex landscape of data privacy laws in Western markets while continuing to grow its user base internationally.

The post Cyber Attack on China AI startup DeepSeek halts registrations on iPhones appeared first on Cybersecurity Insiders.


January 28, 2025 at 10:40AM

Google launches new Identity Check feature for data security

Google, the web search giant owned by Alphabet Inc., has introduced a new security feature designed to protect your data in case your phone is stolen. At the moment, this feature is available on select Android devices, specifically Google Pixel models running Android 15 and certain Samsung Galaxy smartphones running One UI 7 and above.

The feature, called “Identity Check,” is aimed at enhancing your phone’s security by locking sensitive settings when the device is taken outside of trusted locations. However, it’s important to note that this feature does not come enabled by default—it must be manually activated by the user.

What Does the Identity Check Feature Do?

Once activated, the Identity Check feature ensures that only those with authorized access can make changes to sensitive settings on the device. These settings are protected through biometric authentication, such as fingerprint or facial recognition, which must be verified before any changes can be made. The feature activates when the device is taken out of trusted locations—locations you’ve previously set based on your 4G or 5G service provider’s geolocation services.

Sensitive Settings Protected by Identity Check:

  • Changing the Lock Screen, PIN, or Password: Unauthorized users can’t alter your security settings without biometric verification.
  • Changing Biometrics (e.g., fingerprint or face unlock): Any changes to biometric authentication settings will require authentication.
  • Accessing Password Manager: Passwords and passkeys saved in the Password Manager are locked from unauthorized access.
  • Performing a Factory Reset: Unauthorized users cannot reset the phone without the proper biometric authentication.
  • Disabling Theft Protection Features: Any anti-theft protections cannot be disabled without authentication.
  • Viewing or Changing Trusted Locations: Users cannot alter the list of trusted locations or disable the Identity Check feature.
  • Setting Up a New Device or Transferring Data: A new device setup or data transfer from a stolen or existing device will require biometric authentication.
  • Removing a Google Account: Unauthorized users cannot remove the Google account from the device.
  • Accessing Developer Options: Developer settings are locked from unauthorized access.

How Does It Work?

The Identity Check feature is activated whenever the phone’s geolocation changes and it moves outside of the trusted locations set by the user. For example, if the phone is stolen and moved to an unfamiliar location, the phone will prompt the user for biometric verification before allowing access to sensitive settings.

While this functionality isn’t entirely new (Android devices have always used location-based security features), the introduction of Identity Check focuses on making this kind of security feature more effective and reliable, especially in the case of theft.

Why It’s a Game Changer

In regions where smartphone thefts are on the rise, like London, this feature could be a major step forward in preventing unauthorized access to stolen devices. Mobile thefts have become an increasing problem, and this added layer of security could make it much harder for thieves to access or manipulate sensitive data on stolen phones.

By requiring biometric authentication when sensitive settings are accessed outside of trusted locations, Identity Check offers an additional layer of security that could potentially deter theft or reduce the likelihood of data breaches following a stolen device.

In short, Google’s new Identity Check feature is a proactive and effective solution to improve the security of Android devices, particularly when dealing with theft or unauthorized access.

The post Google launches new Identity Check feature for data security appeared first on Cybersecurity Insiders.


January 27, 2025 at 08:47PM