Everything posted by CSOonline
-
9 indispensable open-source security tools
These open-source tools address specific security problems with a minimal footprint.

Cybersecurity professionals rely on open-source solutions in many areas, not least because these are usually backed by a lively and helpful community, but also because there are now hundreds of high-quality open-source options for preventing breaches and data leaks at every layer of the enterprise stack.

If you are already reaching for the xz-utils backdoor as a counterargument: yes, further incidents of that kind may well occur in the future. It is doubtful, however, that a similar weakness in a proprietary stack would have been discovered as quickly. Open source is what allows independent security researchers to track down problems like this promptly in the first place. In short: the advantages of open-source tools outweigh the potential risks, in cybersecurity as elsewhere.

CSOs, CISOs and their teams should not do without the following open-source security tools, for example to identify vulnerabilities, analyze protocols, launch forensic investigations, and support threat intelligence and encryption.

1. ZAP for vulnerability scans

Zed Attack Proxy, ZAP for short, is a free open-source penetration-testing tool. The scanner is designed to find potential weaknesses and security holes in web applications, drawing on extensive community knowledge. ZAP sits between the browser and the web application under test and can modify any packet while it works through possible attack vectors. In essence, it is a proxy with extended capabilities for hunting vulnerabilities.

To that end, ZAP provides a collection of predefined attack methods. To test for specific risks, the tool can also be equipped with custom payloads and rules. ZAP is under active development and has an ambitious roadmap of upcoming features, including improved scripting and broader support for protocols such as gRPC. The tool is available for download as installers for all common operating systems.

2. Wireshark for packet analysis

Keeping an eye on the network's lines of communication is one of the most effective ways to spot data leaks. Wireshark is as proven as it is high-quality for this purpose: it analyzes the bits moving through wired or wireless networks and matches them against a rule set built on information from hundreds of different networking sources. If you are interested in a particular kind of traffic originating from a specific software package, you can define filters for it. This open-source tool, too, runs on most common operating systems, including all Unix variants. The Wireshark community has continued to grow in recent years and is particularly active in documentation and training materials, as a look at the official website shows.

3. BloodHound Community Edition for incident response

When a security breach occurs, security professionals use forensic tools to trace the attackers' paths. BloodHound Community Edition, the open-source version of the well-known enterprise tool (maintained by the same team), is one example. The open-source tool brings transparency to the web of relationships within Active Directory and Azure environments and can thus identify even highly complex "attack paths" and close the security gaps found along them. It is suited to red teams as well as blue teams.

4. Autopsy for digital forensics

Autopsy is an open-source digital forensics platform for examining hard drives and disk images in depth. The software can be extended with numerous modules to identify specific data types associated with particular kinds of compromise. The "Extension Mismatch Module", for example, examines the internal structure of files and compares it with their names. Discrepancies are a first indication that attackers are using the traffic to conceal something. Autopsy also offers add-on modules for training and support, among other things.

5. MISP for threat intelligence

Open-source tools and platforms shine when it comes to broad, collective efforts. The Malware Information Sharing Platform, MISP for short, is the best example. The platform comes into play when the data from forensic tools needs to be analyzed: it collects information about potential attack vectors in a comprehensive database and lets you correlate that information with your own data through a search engine. The solution supports a flexible, object-based data model that visualizes various indicators of compromise (IoCs) and provides both technical and non-technical details. An indexing algorithm with support for fuzzy matching automatically surfaces possible matches. MISP was designed specifically for security teams to collaborate via shared timelines and event graphs.

The open-source project is supported by the European Union and enjoys several large communities. MISP's web-based tools, written mostly in PHP, are also available for download in source form.

6. Let's Encrypt for encryption

Encryption algorithms form the basis for security, privacy and authentication and are available in a whole range of open-source libraries. Many open-source tools in turn build on these algorithms, for example the script collection Let's Encrypt. It is designed to make system administrators' lives easier by equipping web servers with encryption capabilities. Admins only need to answer a few questions; the corresponding certificates for users are generated automatically and ensure that all data transmitted in this context is protected.

7. GNU Privacy Guard for encryption

GNU Privacy Guard offers a complete implementation of the PGP standard for protecting communications. The aim is to enable end users to encrypt and sign their email messages. Both Secure Shell and S/MIME interactions are supported.

8. YARA for pattern matching

When malware samples need to be identified and classified, many malware specialists rely on the open-source project YARA. The tool can do more than that, however, and is also helpful in incident response and digital forensics: based on preconfigured and user-defined rules, it searches for identical patterns in files or running processes. Virus signature information from the open-source tool ClamAV and rule sets from the community-maintained YaraRules repository can also be incorporated.

It is important to be aware of the limits of signature-based detection here, and not to rely exclusively on this open-source tool. YARA can be run from the command line or integrated into scripts via a Python library.

9. osquery for endpoint queries

Searching for malicious processes, plugins or vulnerabilities on Windows, Mac and Linux endpoints with a simple SQL query: that is the idea behind osquery, an open-source tool developed by software engineers at Facebook. The software collects operating-system information such as running processes, loaded kernel modules, open network connections, browser plugins and file hashes in a relational database, which you can query with simple SQL queries, without complex Python code. osquery thus solves a significant problem in a straightforward and elegant way. The tool's components include the interactive osqueryi shell, which can be used with PowerShell, and the osqueryd daemon, which is used for low-level host monitoring and makes it possible to schedule database queries. (fm)
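As an added example that is not part of the CSO article, here is an osquery SQL query of the kind typed into osqueryi or scheduled by osqueryd. It joins osquery's standard processes, listening_ports and users tables to list network listeners whose executable has since been removed from disk, a common triage signal when a dropped binary is deleted after launch.

```sql
-- Added example (not from the CSO article): osquery exposes OS state as virtual
-- tables, so endpoint triage becomes a join. Here we correlate running processes
-- with the ports they listen on and the account they run as, keeping only those
-- whose binary no longer exists on disk.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  lp.address,
  lp.port,
  lp.protocol          -- IANA protocol number: 6 = TCP, 17 = UDP
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE p.on_disk = 0                               -- 1 = present, 0 = missing, -1 = unknown
  AND lp.port != 0                                -- skip sockets with no bound port
  AND lp.address NOT IN ('127.0.0.1', '::1')      -- skip loopback-only listeners
ORDER BY lp.port, p.pid;
```

The same statement can be added to the osqueryd schedule so that new matches are logged as differential results rather than inspected by hand.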
-
How to justify your security investments
In modern enterprise environments, investments in security technologies are no longer judged solely by their technical maturity. Funding increasingly depends on the extent to which they generate revenue, reduce risk and create value for shareholders. CISOs are expected to present their strategies not as technical upgrades but as enablers of revenue growth. The challenge lies not only in making the right investment decisions but also in justifying them at board level.

Start with the challenge

CISOs often find themselves on the defensive when they present solutions before the challenge has been defined. Such an approach creates distance rather than alignment. Boards want to understand what their organization can achieve with a new approach, which pitfalls are avoided and why cybersecurity investments cannot be postponed. When presenting a cybersecurity strategy such as zero trust, communication with the board should therefore focus on how the company's cyber-risk profile can be changed for the better.

Link technology to strategic priorities

To be credible in the boardroom, CISOs must define their planned spending in terms of the company's objectives. The board focuses on priorities such as entering new markets, improving margins, increasing resilience and ensuring compliance. A well-thought-out proposal ties directly into these concerns. If a security platform shortens incident response times, the result is operational stability and thus greater resilience. If it consolidates tools, it delivers cost efficiency. If it enables secure expansion into new regions, revenue growth follows. Such a chain of reasoning builds credibility and helps get investments approved.

A language for risk and return

Boards make decisions in terms of risk and return. This includes financial, operational and reputational risks for the company. Board members assess the probability, exposure and impact of incidents in each of these areas. Accordingly, the CISO's task is to make clear how a proposed investment reduces vulnerabilities, limits the impact of incidents or increases the resilience of the infrastructure. These conversations should present cost models, scenarios for possible security breaches, timelines for recovery after a cyberattack and the business benefit. The goal should be to avoid downtime while speaking the board's language without neglecting technical integrity.

Consider shareholder value

Boards' maturity and mindset regarding cybersecurity vary considerably. Some oversight bodies react only after a major cyber incident or a failed audit. Others are far more proactive and demand cybersecurity assessments as part of their market expansion or M&A activities. Still others include cybersecurity in simulations and ask forward-looking questions about resilience in the face of potential attack scenarios. Understanding this level of maturity helps tailor the communication strategy. A reactive board may need a clear explanation of the negative consequences. An informed board is more likely to expect quantifiable results and a roadmap. The best board discussions take place when the CISO adapts to the board's understanding of technology while gently broadening its perspective.

Position operational excellence as the outcome

One of the most effective arguments in board conversations about cybersecurity is operational excellence. Companies operating across regions and industries must work in an agile, secure and controlled way. An IT architecture should address global requirements while supporting employees who work from anywhere, integrating third parties, meeting a range of regulatory requirements and protecting intellectual property. Such an extensive set of requirements can quickly lead to a complex implementation and thus to inefficiencies. With a strong technology strategy, CISOs rely on a simplified infrastructure, enable secure global data flows and shorten time to market. This positioning lifts the discussion from system selection to a strategic level.

Focus on future risks

A board is expected to concentrate not only on current risks but also on future scenarios. These include the regulation of the ethical use of AI, understanding the consequences of data misuse and preparing for the impact of quantum computing. The board is held responsible, and even liable, for the secure and regulated handling of data. These are no longer abstract topics, and they should therefore already be on the CISO's agenda as upcoming technological challenges. The use of AI in companies has increased, and boards have to answer for how data is used. Quantum computing is still in its infancy, but the risk the future technology poses to today's encryption already makes it a necessary part of any long-term plan. Many CISOs are already seizing the opportunity to raise the topic with the board and explain which measures will be needed in the foreseeable future to protect data.

The power of numbers

The financial structure is just as important as the strategic approach. As more and more companies move from hardware-intensive architectures to cloud-native SaaS models, the economics of security change. Costs shift from capital expenditure to operating expenditure. While this may initially reduce EBITDA (earnings before interest, taxes, depreciation and amortization), it also eliminates hardware refresh cycles, improves forecasting accuracy and lowers long-term total cost of ownership. Per-user billing models for cloud services provide predictability and greater flexibility in responding to change. Further savings can be found in consolidating tools onto a few platform vendors. Process automation can additionally relieve the service desk and improve productivity. Ultimately, CISOs should show how potential investments in new technologies improve cash flow, protect margins and scale with the company's growth. CFOs and audit committees want to know how each proposal affects financial results. They also want to understand what can be capitalized, which offsetting effects to expect and how the investments will evolve with demand.

Conclusion

In the end, justifying security investments is not about persuasion but about influence. It is about aligning business priorities with secure, scalable and cost-effective solutions. CISOs must therefore present a strategy that reduces risk, improves agility and positions the company for long-term success. When IT leadership speaks the language of the value that solutions deliver, its proposals no longer sound like technical requirements but like business necessities. (jm)
-
Steaelite RAT combines data theft and ransomware management capability in one tool
It’s bad enough that threat actors are leveraging AI for their attacks, but now they can also access a new remote access trojan (RAT) that makes it easy to launch data theft and ransomware attacks on Windows computers from a single management pane.

The tool is called Steaelite, and according to researchers at BlackFog, it’s been advertised and available to customers on underground cybercrime sites since last November. In addition, there’s a promotional video on YouTube showing off its capabilities.

The tool could lower the barrier to the execution of sophisticated, end-to-end ransomware campaigns. But BlackFog CEO Darren Williams told CSO that this isn’t the most sophisticated RAT he’s seen. “The novel aspect here,” he said, “is the convergence. Steaelite bundles remote access, credential harvesting, data exfiltration, and ransomware (currently in development) in a single package.”

Traditionally, he explained, these capabilities have occupied different parts of the cybercrime toolchain, but Steaelite unifies the functions, giving operators persistent access, surveillance, and data theft from a single browser-based dashboard. And once the ransomware module has been completed, “operators will be able to exfiltrate data first and encrypt second, enabling double extortion without switching tools, which is quite rare.”

That’s enough power “to fully compromise a business,” he noted. “The damage scales with the victim’s access, so one infected employee with privileged credentials could hand over the keys to the entire environment.”

Just over a decade ago, a researcher counted more than 250 RATs, and threat actors continue to create new RATs to evade evolving defenses; today Malwarebytes lists the currently best known RATs as SubSeven, Back Orifice, ProRat, Turkojan and Poison-Ivy. And earlier this month, security researchers at Point Wild disclosed yet another Windows malware campaign that uses a multi-stage infection chain to establish persistent, memory-resident access on compromised systems and steal sensitive data.

RATs are spread in many ways, including by employees clicking on phishing lures and by threat actors tricking staff into installing what they’re told is necessary software. Because of that, security awareness training is a prime defense.

What Steaelite includes

The browser-based Steaelite toolkit includes modules for remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password recovery, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation. As well, an ‘advanced tools’ panel provides ransomware deployment, hidden RDP (remote desktop management) access, the ability to disable Windows Defender and exclusion management, and persistence installation.

Real-time screen streaming ability shows the victim’s desktop with a “LIVE STREAM” indicator. “Combined with webcam and microphone modules, this turns Steaelite into a persistent surveillance platform for as long as the victim remains connected,” says the report.

The ‘developer tools’ panel adds keylogging, client-to-victim chat, file searching, USB spreading, bot killing (for removing competing malware), message box delivery, wallpaper modification, UAC bypass, and a clipper that swaps cryptocurrency wallet addresses with an attacker-controlled address during copy-paste operations.

Perhaps most worrisome for CSOs and infosec leaders, the tool allows a single threat actor to browse the victim’s files, exfiltrate documents, harvest credentials, and deploy ransomware – in other words, to enable double extortion – from the same dashboard. Usually double extortion requires separate tools or steps, says BlackFog: malware for initial access and exfiltration, then a separate ransomware payload for encryption, often involving co-ordination between initial access brokers and ransomware affiliates. In fact, the report says, the automated credential harvesting means data theft begins before the criminal operator even interacts with the dashboard.

The Android ransomware module on the tool’s roadmap extends this further, says the report. “If the developer delivers [the ransomware module], a single Steaelite licence could cover both corporate Windows endpoints and the mobile devices employees use for authentication and messaging.”

Steaelite is malware-as-a-service. The seller quotes $200 per month for access, or $500 for three months, with buyers contacting the seller through Telegram to arrange payment and receive access.

Defenders should focus on data exfiltration prevention rather than just perimeter defense, said Williams. “Tools like Steaelite assume they will get past initial defenses and prioritize getting data out fast,” he said. “Stopping the exfiltration at the point it happens is more reliable than trying to prevent every possible initial infection vector.”
-
Five Eyes issue emergency directive on exploited Cisco SD-WAN zero-day
Cybersecurity agencies across the Five Eyes alliance have issued an emergency directive warning that a critical Cisco SD-WAN vulnerability is being actively exploited to gain unauthorized access to federal networks. Officials confirmed that threat actors are targeting core SD-WAN control systems — infrastructure that manages traffic across government and enterprise networks — and urged organizations to patch affected devices immediately.

Cisco’s Talos threat intelligence group disclosed that attackers have been exploiting a previously unknown vulnerability affecting Cisco Catalyst SD-WAN controllers, tracked as CVE-2026-20127. The flaw allows an unauthenticated attacker to bypass authentication controls and gain administrative-level access to vulnerable SD-WAN control plane components. Talos said the activity is associated with a threat cluster it tracks as UAT-8616, and that evidence suggests exploitation may have begun as early as 2023.

Successful exploitation would allow attackers to manipulate controller-to-device communications, alter network configurations, and potentially establish persistent access within enterprise environments.

Attackers are attempting active exploitation

Nick Andersen, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, said during a media briefing that threat actors are actively attempting to access and potentially compromise federal networks through exploitation of the flaw, but did not identify which agencies were affected. He also warned that the activity appears to be increasing.

“We continue to see the volumetric increase in both threat actor behavior and the extension of the attack surface that they’re targeting,” Andersen said, adding that CISA is in the early stages of remediating the vulnerability. “It’s a far-reaching activity that we’ve seen and the persistent commitment of the cyber threat actor to both take advantage of SD-WAN and other technologies sort of continues to evolve within the space.”

CISA is not currently attributing the activity to a specific threat actor, Andersen noted.

Software updates available

SD-WAN controllers play a central role in orchestrating traffic across distributed enterprise networks, including branch offices and cloud environments. Compromise at the controller level could provide attackers with broad visibility and control across large portions of an organization’s network infrastructure.

In a separate security advisory, Cisco confirmed the vulnerability and released software updates to address it. According to the company, the flaw stems from insufficient validation of authentication requests within the SD-WAN peering process. An attacker sending specially crafted traffic could gain unauthorized access to the system and interact with internal interfaces.

Cisco said there are no workarounds for the vulnerability and urged customers to apply available patches immediately. The company also recommended reviewing system logs, validating controller integrity, and implementing additional hardening measures where possible.

CISA and other Five Eyes agencies advise organizations operating Cisco SD-WAN systems to prioritize patch deployment and conduct thorough compromise assessments to determine whether exploitation has already occurred. CISA and the authoring organizations strongly urge network defenders to take the following steps immediately:

- Inventory all in-scope Cisco SD-WAN systems.
- Collect artifacts, including virtual snapshots and logs of SD-WAN systems.
- Patch Cisco SD-WAN systems, including for CVE-2026-20127 and CVE-2022-20775.
- Hunt for evidence of compromise.
- Implement the measures outlined in Cisco’s Catalyst SD-WAN Hardening Guide and review their blog.

Disclosure comes amid strain at CISA

The disclosure comes amid heightened scrutiny of network infrastructure security. It also comes at a time when CISA, facing staffing reductions and operating under constraints tied to the ongoing Department of Homeland Security shutdown, is managing limited resources during a period of elevated threat activity. CISA’s Andersen, however, said that despite the ongoing multi-week Department of Homeland Security shutdown, “CISA remains fully committed to protecting federal networks from a malicious separate threat.”

Emergency directives are binding on federal civilian agencies and are reserved for vulnerabilities that pose significant, immediate threats. Although the order applies specifically to government networks, CISA frequently encourages private-sector organizations to follow similar remediation timelines when critical vulnerabilities are being exploited in the wild.

Shift toward control plane targets

The coordinated disclosures from Talos, Cisco, and the government agencies highlight an ongoing shift in attacker priorities. Rather than targeting only endpoints or user-facing applications, sophisticated groups are increasingly pursuing control-plane technologies such as SD-WAN, firewalls, and identity systems that offer strategic network access.

Compromising SD-WAN infrastructure can yield high operational leverage. Because controllers manage routing, policy enforcement, and device authentication across distributed environments, an attacker with privileged access could disrupt traffic flows, redirect communications, or use the position to move laterally into cloud and on-premises assets.

The disclosures also reinforce long-standing concerns about the risk window between the discovery of a vulnerability and the deployment of patches. In this case, Talos indicated that exploitation activity may have preceded public disclosure by a significant period, suggesting that attackers were able to leverage the flaw before customers were aware of it.
-
Microsoft warns of job‑themed repo lures targeting developers with multi‑stage backdoors
Microsoft says it has uncovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessments. The campaign employs carefully crafted lures to blend into routine workflows, such as cloning repositories, opening projects, and running builds, thereby allowing the malicious code to execute undetected.

Telemetry collected during an incident investigation by Microsoft suggested the campaign’s alignment with a broader cluster of threats using job-themed tricks. “During initial incident analysis, Defender telemetry surfaced a limited set of malicious repositories directly involved in observed compromises,” the company wrote in a security blog post. “Further investigation uncovered additional related repositories that were not directly referenced in observed logs but exhibited the same execution mechanisms, loader logic, and staging infrastructure.”

The campaign exploits developers’ trust in shared code, gaining persistence within high-value developer systems that often contain source code, environment secrets, credentials, and access to build or cloud infrastructure.

Multiple triggers for remote control

Microsoft researchers found that the malicious repositories were engineered with redundancy, offering several execution paths that ultimately result in the same backdoor behavior. In some cases, simply opening the project in Visual Studio Code was enough. The attackers abused workspace automation by embedding tasks configured to run automatically when a folder is opened and trusted. This causes code execution without the developer running anything.

Other variants rely on build processes or server startup routines, ensuring that the malicious code runs when developers perform typical actions such as launching a development server. Regardless of the trigger, the repositories retrieve additional JavaScript from remote infrastructure and execute it in memory, reducing traces on disk.

The retrieved payload operates in stages. An initial registration component identifies the host and can deliver bootstrap instructions, after which a separate C2 controller provides persistence and enables follow-on actions such as payload delivery and data exfiltration.

Infection through a fake “coding test”

Microsoft said the investigation started with analyzing the suspicious outbound connections from Node.js processes communicating with attacker-controlled servers. Correlating network activity with process telemetry led analysts back to the original infection through recruiting exercises. One of the repositories was hosted on Bitbucket and presented as a technical assessment, along with a related repository using the Cryptan-Platform-MVP1 naming convention.

“Multiple repositories followed repeatable naming conventions and project ‘family’ patterns, enabling targeted searches for additional related repositories that were not directly referenced in observed telemetry but exhibited the same execution and staging behavior,” Microsoft wrote.

When an infection is suspected, Microsoft warns that affected organizations must immediately contain suspected endpoints, trace the initiating process tree, and hunt for repeated polling to suspicious infrastructure across the fleet. Because credential and session theft may follow, responders should evaluate identity risk, revoke sessions, and restrict high-risk SaaS actions to limit exposure during investigation.

Long-term mitigations include a focus on tightening developer trust boundaries and reducing execution risk, Microsoft added. Other recommendations include enforcing Visual Studio Code Workspace Trust defaults, applying attack surface reduction rules, enabling cloud-based reputation protections, and strengthening conditional access.
-
Ukrainian convicted for helping fake North Korean IT workers
A Ukrainian man has been sentenced to five years in prison after helping North Korean IT workers infiltrate American companies using stolen identities, reports BleepingComputer. The 39-year-old man from Kiev pleaded guilty in November 2025 to charges including aggravated identity theft and conspiracy to commit fraud. He has also agreed to surrender assets worth over $1.4 million, including cash and cryptocurrency.

According to US authorities, he stole identities from hundreds of people, including US citizens, and sold them to foreign IT workers who used them to obtain remote jobs at around 40 companies in the US. The 39-year-old is also said to have provided hundreds of so-called proxy identities and accounts on freelance platforms, as well as helping to run several laptop farms in different countries. The arrangement made it appear as if the computers and workers were located in the US, even though they were actually working from abroad.
-
Boards don’t need cyber metrics — they need risk signals
Security teams live in a world of numbers. Dashboards depict counts of blocked attacks, phishing clicks, vulnerabilities discovered, patches applied, alerts triaged, and incidents closed. Over the past decade, the cybersecurity industry has become adept at measuring activity with increasing precision. Experts say what remains far less consistent is whether those measurements help boards govern risk.

For directors and senior executives, the purpose of security metrics reporting is not to catalog effort. It is to understand exposure, trajectory, and consequence. Decision-makers want to know whether risk is increasing or decreasing, whether controls are effective, and whether the organization can limit damage when prevention fails. Metrics are therefore useful when they clarify those questions.

“Time is really the universal metric because everyone can understand time,” Richard Bejtlich, strategist and author in residence at Corelight, tells CSO. “How fast do we detect problems, and how fast do we contain them? Dwell time, containment time. That’s the whole game for me.”

Organizations cannot prevent every intrusion, Bejtlich argues, but they can measure how quickly they recognize and contain one. That measure translates across technical and nontechnical audiences because it speaks directly to impact. Detection and containment speed function as proxies for business loss avoided.

Financial exposure vs. operational clarity
Mike Hamilton, CTO of Pisces International, frames board-level security reporting strictly through a fiduciary lens. In his view, metrics matter only insofar as they map directly to financial consequence. “First of all, the board only cares about money,” Hamilton tells CSO. “They don’t care about scary Russian cyber buffer overflow stuff. They care about money.”

“While the CISO may be interested in metrics like mean time to detect, mean time to respond, things like that, boards are charged with protecting enterprise value. Detection speed, vulnerability management, and phishing resilience matter more to them because they limit financial loss, regulatory exposure, and operational disruption,” he says. “What they really want to know is how we are lowering the likelihood of those bad outcomes that affect the business.”

Bejtlich, on the other hand, argues that boards can engage with a wide range of operationally grounded, governance-relevant metrics, including the number of intrusions over a given period. Those figures become meaningful when paired with consequence. “Was it a breach, or was it simply unauthorized access with no consequence?” Bejtlich says. “I’ve just never had that experience where I felt like boards couldn’t handle anything that I was trying to describe to them,” he adds. “The problem becomes one of, if you’re speaking to them in technical terms for which they have no background, that’s not really going to help.”

The seduction of counting
Even when metrics are not too technical and align with business impact, another problem emerges: what gets counted can crowd out what matters. Wendy Nather, a longtime CISO who is now an advisor at EPSD, cautions against equating measurement with understanding. “When you are reporting to the board, there are some things you just cannot count that you have to report anyway,” she tells CSO. She points to incidents, near misses, and changes in assumptions as examples. “Anything that changes your assumptions about how you’re managing your security program, you should be bringing those to the board, even if you can’t count them,” Nather says.

Regular metrics can create a rhythm of predictability, and that predictability could lull board members into a false sense of security. “Metrics are very seductive,” she says. “They lead us toward things that can be counted, that happen on a regular basis.” The result may be a steady flow of data that obscures structural risk or emerging weaknesses, Nather warns.

Metrics also influence behavior across the organization. In phishing programs, Nather favors measures that reinforce reporting rather than punish error. “You want to incentivize the reporting, and you want to praise people for doing it,” Nather says, emphasizing that what boards choose to measure ultimately shapes how the organization behaves.

George Tsantes, partner at business advisory firm Newport, highlights the burden of proving a security program’s effectiveness. “I think it’s shocking when I talk to different boards or different companies and discover how much time they spend proving themselves instead of actually doing things,” he tells CSO. This dynamic is especially pronounced in regulated environments, where assurance work consumes resources that might otherwise be directed toward risk reduction. Regulatory scrutiny can also reorder priorities. “Regulators may focus on an item that was 20th on your list, but if they write you up, now it becomes No. 1,” Tsantes says. Boards, he argues, need visibility into those tradeoffs. A mature program reduces the proving burden wherever possible so that security effort is directed toward reducing risk rather than generating documentation.

How AI is stress testing board-level cyber metrics
Despite reshaping many aspects of cybersecurity operations, the rapid adoption of artificial intelligence has not yet produced a distinct set of board-level security metrics. Instead, AI is exposing long-standing weaknesses in how organizations translate security activity into risk signals directors can act on. Boards are not yet asking for AI-specific dashboards, experts say. What they are asking, often implicitly, is whether AI is increasing exposure, weakening controls, or altering the organization’s ability to limit damage when things go wrong.

“I don’t think we have any output-based metrics yet,” says Corelight’s Bejtlich. Before organizations can measure AI risk, he argues, they must first establish basic governance signals: where AI is in use, how widely it is deployed, and whether it is expanding the attack surface or reducing operational burden. That visibility gap is already a concern for many security leaders. “When I talk to CISOs, their biggest concern is that they can’t always see what AI is being used inside of their enterprise,” says EPSD’s Nather. Without that awareness, boards are left with activity metrics that obscure the more fundamental question of whether the organization understands the risks it has introduced.

For Bernard Brantley, CISO at Corelight, AI does not warrant a new measurement framework so much as stricter discipline around existing ones. “I don’t think that they should differ from your standard metrics,” he tells CSO. In practice, AI amplifies familiar security challenges — initial access, lateral movement, and data exfiltration — by increasing their scale and speed. That amplification changes what board-level metrics must signal. Expanded AI usage can increase coverage requirements, stretching teams and controls. At the same time, AI-driven automation can compress response timelines. “We were able to reduce MTTR [mean time to remediation] for this portion of our coverage by 60% because we threw an agent at it,” Brantley says. The governance signal for boards is not the presence of AI itself, but how it shifts risk concentration, response capacity, and resource tradeoffs.

For Newport’s Tsantes, AI oversight is a test of enforcement rather than measurement. “What the board needs to know is that there are good uses of AI and bad uses of AI,” he says. But visibility without consequence is not governance. “Even knowing where the AI agents might be within your assets is difficult,” Tsantes adds. “If you can’t fire somebody for using the wrong AI, then you really don’t have any teeth in that policy.”
-
How AI is changing your GRC strategy
As companies integrate cybersecurity into their GRC (governance, risk and compliance) processes, existing programs have to be revised. Only then can they ensure that the growing use and the risks of generative and agentic AI are taken into account, and that the company stays compliant.

The risks that come with AI are difficult to quantify. Current data does, however, offer some pointers. According to the “AI Security Report 2025” (registration required for download) from security vendor Check Point, one in every 80 requests sent from corporate devices to GenAI services carries a high risk of sensitive data loss. CISOs face the particular challenge of keeping pace with the business’s demand for innovation while securing the use of AI with its risks in mind.

AI meets GRC
Governance, risk and compliance is a concept developed in the early 2000s by the Open Compliance and Ethics Group (OCEG) to define a set of critical capabilities. Since then, GRC has evolved from compliance-focused rules and checklists into a broader approach to risk management. Data protection requirements, growing regulation, digital transformation efforts and attention at executive level have driven this shift. At the same time, cybersecurity has become a central enterprise risk. With AI spreading, this new risk category now also has to be integrated into GRC frameworks. Industry surveys suggest, however, that there is still a long way to go: according to Lenovo’s “CIO Playbook 2025” (registration required for download), only 24 percent of companies have so far introduced comprehensive policies for AI GRC, even though AI governance and compliance are a top priority among respondents.

To support risk-aware adoption of AI, Rich Marcus, CISO at AuditBoard, advises his peers to foster the broadest possible acceptance of risk management across the whole company: “To manage AI risk successfully, it is really important to adopt a cooperative attitude and to convey to employees that everyone has to pull in the same direction.” This approach, he says, can help create transparency about how and where AI is used in the company.

Jamie Norton, CISO of the Australian securities regulator ASIC, notes, however: “Every single product you deploy today contains some form of AI. And there is no governance forum that captures all the different forms.” Norton therefore recommends that CISOs develop strategic and tactical approaches to:
define the different types of AI tools,
capture their relative risks, and
weigh their potential benefits in terms of productivity and innovation.

To deal with smaller AI tools, Norton says tactical measures such as secure-by-design approaches, initiatives to detect shadow AI, or risk-based AI inventories and classifications are practical options. CISOs can then concentrate their resources on the risks with the greatest impact without creating cumbersome or impractical processes, Norton explains. “The idea is not to delay everything to the point where almost nothing gets done. It is more of a relatively lean process in which the risk considerations either lead to approval of the AI or to the opposite.” Ultimately, he says, it is the job of security leaders to view AI from a security perspective, using governance and risk as part of the broader GRC framework. “Today it is no longer about CISOs saying ‘yes’ or ‘no’. It is much more about making the risks of particular actions transparent and then leaving the decision about those risks to the business and executive management.”

Extending frameworks for AI
AI-related risks should be defined as their own category in the company’s risk portfolio and integrated into the GRC pillars, suggests Dan Karpati, VP of AI Technologies at Check Point. His concept has four such pillars:
Enterprise risk management defines the AI risk appetite and establishes an AI governance committee.
Model risk management monitors model drift, bias and adversarial testing.
Operational risk management covers contingency plans for AI failures and training for human overseers.
IT risk management covers regular audits, compliance checks for AI systems, governance frameworks and alignment with business objectives.

To map these risks, CISOs can, for example, draw on the NIST AI Risk Management Framework (or other frameworks such as COSO and COBIT) and apply their core principles to AI, for instance where probabilistic outputs, data dependency, opaque decision-making, autonomy and rapid evolution are concerned. The relatively new standard ISO/IEC 42001 also offers a structured framework for AI monitoring and control that is meant to anchor governance and risk practices across the entire AI lifecycle. Adapting these frameworks offers a way to improve the discussion about AI risk, to align AI risk appetite with the company’s overarching risk tolerance, and to anchor robust AI governance across all business units. “Instead of reinventing the wheel, security leaders can map AI risks to concrete business impacts this way,” says Karpati.

AI risks can also be mapped to other potential risks, for example the potential for:
financial losses through fraud or faulty decisions,
reputational damage through data protection violations,
biased outputs and the associated customer dissatisfaction,
operational disruption through poor integration with legacy systems, or
legal and regulatory penalties.

To assess the probability of an AI-related event, estimate the financial loss and derive risk metrics, CISOs can draw on frameworks such as FAIR. AuditBoard CISO Marcus also recommends that security leaders use industry networks and exchange views with peers at other companies: “It is helpful to know which risks are materializing in practice and what would have protected other companies. Only then can we jointly develop the important controls and procedures that make the industry as a whole more resilient.”

Developing new governance policies
CISOs must not only define risks and manage compliance, however, but also develop new governance policies, Marcus stresses: “Effective governance needs policies for the acceptable use of AI. One of the first outcomes of an assessment process should be to set rules of conduct for your company.” To classify AI tools for internal use, he proposes a traffic light system:
“green” tools are vetted and approved,
“yellow” tools require additional assessment, and
“red” tools lack the required safeguards and are therefore prohibited.

Marcus also recommends that CISOs and their teams set guiding principles in advance, educate the company about the important aspects, and support teams in self-monitoring by filtering out things that do not meet the standard.

ASIC CISO Norton warns that now that the shiny surface of AI is accessible to everyone, security teams must focus on what is going on beneath it. “As CISOs we don’t want to hold back innovation, but we need to set guardrails so that we don’t run into a void and lose our data,” he says. (fm)
-
Hacker cracks 600 firewalls in a month, with AI
Security researchers at Amazon Web Services (AWS) report that a Russian-speaking hacker managed to compromise more than 600 FortiGate firewalls between January 11 and February 18, 2026. According to the report, no FortiGate vulnerabilities were exploited. Instead, the attacker first went after firewalls with weak passwords and then, using an AI tool based on Google Gemini, gained access to further devices in the same network.

“After gaining VPN access to the victims’ networks, the threat actor deployed different versions of a custom reconnaissance tool written in Go and Python,” explains CJ Moses, CISO of Amazon Integrated Security. “Analysis of the source code showed clear signs that the tool had been developed with AI assistance,” Moses says: “Redundant comments that merely repeat function names, a simple architecture with a disproportionate focus on formatting rather than functionality, naive JSON handling via string matching instead of proper deserialization, and compatibility shims for language built-ins with empty documentation templates.”

The affected firewalls are located in more than 55 countries worldwide, including in Southeast Asia, Latin America, the Caribbean, West Africa and Northern Europe. According to the security experts, the best protection against attacks of this kind is to use strong passwords and enable multi-factor authentication (MFA). The report states that the attacker repeatedly failed when attempting to compromise patched or hardened systems. Rather than keep trying to gain access, he preferred to identify more easily attackable targets.
-
New Serv-U bugs extend SolarWinds’ run of high-severity disclosures
SolarWinds continues to be besieged by security issues, this time in its Serv-U managed file transfer server. The software company has released four patches for critical Serv-U remote code execution (RCE) vulnerabilities that could allow attackers to gain root (administrator) access to unpatched servers. These four common vulnerabilities and exposures (CVEs) are rated “critical,” the highest severity score. They should be treated as “high-urgency patch events,” said Ensar Seker, CISO at SOCRadar. “When you are talking about pre-authentication RCE with potential root-level access, you are effectively talking about full system compromise.”

Flaws let attackers execute arbitrary code
Serv-U is SolarWinds’ self-hosted file transfer tool for Windows and Linux. It has managed file transfer (MFT) and file transfer protocol (FTP) capabilities that allow enterprises to exchange files via FTPS, SFTP, and HTTP/S. The patched vulnerabilities are:
CVE-2025-40538: The most severe of the four, this broken access control vulnerability lets attackers create a system admin user and execute arbitrary code. They can gain root, domain, and group admin privileges.
CVE-2025-40539 and CVE-2025-40540: These “type confusion” vulnerabilities trick programs into performing unintended behaviors, allowing attackers to access a system and execute malicious code as root or as a privileged account.
CVE-2025-40541: Also a broken access control vulnerability, it lets threat actors execute native code as root or as a privileged account.

It is important to note that, to exploit any of these flaws, attackers would have to have already obtained admin or privileged access on targeted servers. However, if threat actors are able to exploit unpatched Serv-U instances, they can execute arbitrary commands, deploy malware, create new privileged accounts, disable security tooling, and pivot laterally into the broader environment, noted SOCRadar’s Seker.

Serv-U is particularly at risk because it is, by design, an externally facing file transfer solution. “Many organizations expose it to the internet for partners, vendors, and customers,” said Seker. That “dramatically increases” the attack surface. Attackers could potentially exfiltrate sensitive files, manipulate transferred data, implant backdoors, and use the server as a “staging point for ransomware.” The blast radius expands further in environments where Serv-U is integrated with Active Directory or internal storage systems, Seker pointed out. “At that point, it is no longer a file transfer issue,” he said. “It becomes a domain-wide incident response scenario.”

Not a ‘patch when convenient’ situation
Security leaders should respond with “urgency and discipline,” said Seker: immediately patch to the latest version, review whether Serv-U is internet-exposed, validate access controls, check logs for signs of exploitation, and rotate associated credentials. If they suspect exploitation, enterprises should “assume full compromise” of the host and perform a thorough forensic review. “This is not a ‘patch when convenient’ update, it is a ‘patch and verify’ situation,” said Seker.

Beyond patching, anyone using Serv-U must go back and check logs to see if they have already lost data, advised David Shipley of Beauceron Security. RCE is “super bad news” for these file transfer tools, he noted, pointing out that MOVEit was one of the largest data breaches in recent years. “Root access equals game over,” he said. “These kinds of tools are used to move highly sensitive personal identifiable information, financial information, medical information.”

SolarWinds a favored hacker target
SolarWinds continues to be a favorite target for attackers; in late January, the company patched six authentication bypass and RCE vulnerabilities in its Web Help Desk (WHD) IT software, four of which were rated critical. Previously, the company addressed a second patch bypass for a WHD RCE flaw flagged a year prior by the US Cybersecurity and Infrastructure Security Agency (CISA).

This recurrence of security issues is partly due to visibility, noted Seker. SolarWinds products are widely deployed across both enterprise and government environments, making them “high-value targets” for criminal and nation-state actors. “The more critical the software’s role in infrastructure, the more aggressively it will be researched and attacked,” he said. But these types of repeated critical flaws reinforce a broader lesson, he noted: vendors that operate in privileged network positions must maintain “extremely mature” secure development lifecycles and perform “aggressive” third-party security testing. “Trust in infrastructure software is earned continuously,” said Seker, “not once.”

The bigger takeaway, though, is that organizations cannot rely solely on vendor reputation. Every externally exposed service, especially one that handles authentication and file transfers, should be treated as potentially exploitable, Seker noted. This requires continuous external attack surface monitoring, virtual patching via a web application firewall (WAF) where applicable, strict network segmentation, and zero-trust access controls. “The question is not whether critical vulnerabilities will appear again — they will — but whether the organization can detect, patch, and contain them before adversaries do,” he said.
-
Fake Zoom meeting silently installs surveillance software, says Malwarebytes
The latest fake Zoom meeting scam silently pushes surveillance software onto the Windows computers of unwitting employees. That’s according to researchers at Malwarebytes, who warn that staff falling for the scam land in a convincing imitation of a Zoom video call. Moments later, an automatic “Update Available” countdown downloads a malicious installer, without asking permission.

The software installed is a covert build of Teramind, a commercial monitoring tool companies use to record what employees do on work computers. Many anti-malware solutions may not catch this because it would look like a legitimate application. But in the hands of a threat actor it’s gold: It logs keystrokes, takes screenshots at regular intervals, records which websites were visited and which applications were opened, captures clipboard contents and tracks email and file activity.

Zoom has long been a service that threat actors try to use to their advantage, because employees are used to getting invitations to join a meeting from colleagues, managers, and customers. Fake Zoom meeting scams usually start with phishing emails or text messages, so the first defense CSOs need to deploy is employee security awareness training. “Taking five seconds to confirm a meeting link really leads to zoom.us [instead of an impostor link] is a simple habit that can prevent a serious problem,” Malwarebytes advises. The fake website that victims are sent to in this campaign is uswebzoomus[.]com/zoom/

Roger Grimes, CISO advisor at awareness training provider KnowBe4, said he’s seen many malicious Zoom calls start with meeting invites in both Gmail and Microsoft Outlook. In fact, earlier this month he got one that was automatically added to his online calendar. Like most phishing lures, the calendar notice had a hard-to-miss subject line: “Final Notice: Payroll Acknowledgement Action Required: Meeting with …” One of the key indicators of a possible phishing lure is a subject line that demands fast action so, hopefully, the target doesn’t think before clicking. Another tip this was likely a fake: It arrived on a Sunday afternoon.

Employees must be educated to not trust unexpected calendar invites or Zoom meetings, especially when they include unknown names and email addresses, he said. “The way to avoid 99% of scams is to be super skeptical of any unexpected incoming message asking you to do something you’ve never done before (for example, install new software while attending a meeting),” he said. “If you get a message or an invitation including those two traits (they’re unexpected and asking you to do something you’ve never done before), research it using a trusted source outside the message before performing the requested actions.”

David Shipley, CEO of awareness training provider Beauceron Security, agreed employee training about fake Zoom invites is essential. “Our research has shown that the two top reasons people click on a phishing link are that it looked legitimate and they were expecting something similar,” he said. “Thanks to AI, phishes look better than ever and can be more precisely targeted.”

The key when teaching people isn’t just offering the traditional advice around checking the sender, subject line, or link, he added; 40% of people don’t even think before they click. “The key is teaching people to slow down with e-mail (or any communication tool the outside world can send messages to) and to always ask the following questions: ‘Do I know who is sending me this? Am I expecting it from this person? Does it feel off?’” The second teaching point, he said, is to remind staff to report if, after clicking on a Zoom email invite, it does something new, like installing software.

Warnings about fake Zoom invites are widespread, coming from many sources, from a security vendor to the Pennsylvania Association of Realtors. Last October the association warned that so-called potential buyers are targeting agents with listings on the Multiple Listing Service (MLS), Realtor.com, and Zillow, showing interest in a property. Before submitting an offer, the potential client insists on having a Zoom meeting to discuss the property with the agent. The scammer sends a Zoom link, but when an agent clicks on it, malware is installed on their computer or phone. Similarly, last summer the University at Buffalo warned students and staff that hackers were sending fake “Zoom invitation” links to UBmail accounts, with the goal of installing malware. And Zoom itself has blogged on how to avoid being stung by job offer scams.

Related content: 7 ways to make Zoom meetings safer

How it plays out

Malwarebytes didn’t explain how the specific campaign it reports on in the blog is initiated. But if a victim accepts a meeting invite and goes to the fake site, they arrive in what looks like a Zoom waiting room. At the same time, the site quietly sends a message to the attackers letting them know someone has entered. Three scripted fake participants—“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”—appear to join the call one by one, each announced by a genuine-sounding Zoom join chime. But their conversation audio loops on repeat in the background.

Nothing else happens unless the victim tries to interact. Then a permanent “Network Issue” warning is displayed over the main video tile, seemingly to explain the choppy audio and lagging video. When an “Update Available” prompt appears moments later, Malwarebytes says, it feels like a fix for the problem. At that point there is one chance to stop the attack: The victim has to click on the download for the installation to proceed.

Many employees would, for it feels like the natural thing to do, says Stefan Dasic, Malwarebytes manager of research and response. That’s why it’s important that employees be trained to never update Zoom from a link in a message. Updates should only come from the Zoom update within the application.

If the victim clicks on the download, a pop-up with no close button takes over, saying: “Update Available — A new version is available for download.” A spinner turns and a counter ticks from five to zero; when the counter hits zero, the browser is instructed to silently download a file. At the same moment, the page switches to what looks like the Microsoft Store, showing “Zoom Workplace” mid-installation, spinner and all. While the visitor watches what appears to be a legitimate install resolving the problem, the real installer with the spyware has already landed in their Downloads folder without asking for permission and is compromising their system. The installer contains code to prevent it from being analyzed by anti-malware solutions.

“The attackers did not write custom malware,” the blog points out. “They deployed a professionally developed commercial product that is designed to run reliably and persist through restarts. That makes it more durable than many traditional malware strains.”

This campaign does not rely on technical sophistication, the blog adds. “No new hacking technique was used. The attacker built a convincing fake Zoom page, set an automatic download to fire before any visitor has a reason to be suspicious, and used a fake Microsoft Store screen to explain it all away. From click to install takes less than thirty seconds. Someone who was expecting a Zoom invite and saw what looked like a Microsoft installation in progress could easily walk away believing nothing unusual had happened.”

Malwarebytes advises infosec leaders who learn that an employee visited the uswebzoomus site to treat their computer as compromised.
-
VMware fixes command injection flaw in Aria Operations
VMware has released patches for several high- and medium-risk vulnerabilities that impact its Aria Operations, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure products. The most serious of these flaws allows unauthenticated attackers to execute arbitrary commands on the underlying OS, while another gives authenticated users the ability to elevate to administrator privileges.

The issues — CVE-2026-22719, CVE-2026-22720, and CVE-2026-22721 — were privately reported to Broadcom and there is no evidence of in-the-wild exploitation so far. However, critical Aria Operations vulnerabilities have been exploited in the past and enterprise virtualization infrastructure has been targeted by state-sponsored threat actors.

Broadcom advises customers to upgrade to Aria Operations 8.18.6, as well as VMware Cloud Foundation (VCF) versions 5.2.3 or 9.0.2. VMware Telco Cloud Platform and Telco Cloud Infrastructure are also impacted because they include Aria Operations, the IT management component for private and multicloud environments.

Command injection and privilege escalation

Even though CVE-2026-22719 is an unauthenticated command injection flaw that can lead to remote code execution, the vulnerability is rated high rather than critical severity because it can only be exploited when support-assisted product migration is in progress, making widespread exploitation less likely. By comparison, in 2023, following the disclosure of a command injection flaw in Aria Operations for Networks, security companies detected almost 700,000 attack attempts.

The second vulnerability, CVE-2026-22720, is described as a stored cross-site scripting (XSS) issue that is also rated high severity, with a score of 8.0 on the CVSS scale. This flaw allows attackers with privileges to create custom benchmarks on a deployment to inject persistent scripting that would perform administrative actions.

The third flaw is a moderate severity issue with a rating of 6.2 that can be exploited if attackers obtain privileges in vCenter that allow them to access Aria Operations. vCenter is the management platform for vSphere virtual environments, and this vulnerability is considered a privilege escalation issue because it could lead to administrative privileges in Aria.
-
What does business email compromise look like?
Business email compromise (BEC) is the digital con dressed to impress. It’s clean, calculated, and ready to fool even the sharpest eyes. These scammers don’t tell on themselves with sloppy hacks. They whisper in familiar voices, posing as your CEO, HR, or a trusted vendor. And, unlike phishing, they’re a precision strike built on inside intel.

Just last year, BEC attacks racked up a staggering $2.7 billion in losses, a jump of 12.5% compared to 2021. That’s not petty cash, that’s financial carnage. And guess what? The scammers don’t need malware. All they need is your trust. Let’s break down 10 email compromise examples that’ll make you double-check every email in your inbox.

What’s business email compromise?

BEC is when cybercriminals pose as someone you trust—your boss, your lawyer, your vendor—to trick you into handing over money or sensitive info. They study your habits, mimic your contacts, and wait for the perfect moment to make their move. Want to see how these scams play out and how to stay ahead of them? Check out our full breakdown of business email compromise tactics and trends.

How’s BEC different from phishing?

Here’s a quick summary of how each attack strategy operates:

Phishing                | Business email compromise
Mass emails, same bait  | Precision attacks, sniper-style
No real intel           | Deep recon and impersonation
Fast and sloppy         | Slow, methodical, deliberate
Usually small-scale     | Multi-million-dollar frauds

Types of business email compromise (and their new tricks)

BEC is constantly evolving. Check out the latest business email compromise trends:

- AI-style cloning: They’re using AI to sound exactly like your boss.
- Fake invoice schemes: Forged invoices look like they’re from trusted vendors, but direct payments to a bogus account.
- QR code attacks: Embedded QR codes in emails to send victims to phishing sites or trigger malicious downloads.
- Conversation hacking: Attackers take over legitimate email threads to steal sensitive information or manipulate employees into taking certain actions.

This isn’t your grandma’s Nigerian prince scam. It’s Ocean’s Eleven but with Gmail. To give you a taste of how these high-stakes cons play out, here are 10 real-life business email compromise examples.

1. Toyota Supplier: $37 million BEC attack

In 2019, a Toyota supplier fell victim to a $37 million BEC attack. A third-party hacker, impersonating a business partner of one of Toyota’s subsidiaries, sent emails to finance and accounting teams requesting that funds be transferred to an account under their control. This type of attack is commonly referred to as a vendor email compromise (VEC).

2. Ubiquiti: $46.7m vendor fraud

Ubiquiti, a networking company, was hit in 2015 with a massive $46.7 million loss involving fake vendor impersonations. The attack impersonated emails and made fraudulent requests from an external source, tricking the finance department into approving transfers to overseas accounts controlled by third parties.

3. Facebook and Google: $121m BEC scam

Hard to believe, but tech giants like Facebook and Google were duped by a phishing attack that cost them over $121 million between 2013 and 2015. Evaldas Rimasauskas posed as an external vendor, sending emails with convincing invoices to company staffers requesting payment. Once the companies wired the money, he quickly moved the funds to various bank accounts around the world.

4. Fraudsters swipe $2.8 million from Grand Rapids Public Schools in Michigan

Grand Rapids Public Schools in Michigan lost $2.8 million. Scammers accessed the email of the district’s benefits coordinator, using it to intercept communications and redirect the district’s insurance payments into a different account.

5. CFO impersonator swindles Children’s Healthcare of Atlanta out of $3.6 million

In 2018, Children’s Healthcare of Atlanta was hit when a fraudster impersonated the CFO. The scammer tricked the hospital’s accounts payable department into updating the bank account details on file, resulting in a $3.6 million transfer to a fraudulent account.

6. Real estate developer scammed for €38 million

A real estate firm was swindled out of €38 million by an international group of fraudsters using social engineering tactics in 2021. The scammers impersonated lawyers, gaining the firm’s trust by pressing for a confidential and urgent wire transfer.

7. Building deception: $793,000 stolen from church’s construction fund

A scammer took advantage of a North Carolina church’s new construction project, stealing $793,000 in 2022. Posing as the contractor, the fraudster subtly altered one letter in the email address to redirect the funds into their own hands.

8. Cybercriminals steal $11.1 million from Medicare and Medicaid

In a targeted BEC attack, cybercriminals impersonated trusted figures to target the government healthcare programs Medicare and Medicaid. By spoofing emails, they successfully diverted $11.1 million into fraudulent bank accounts.

9. Save the Children: $1 million

Save the Children lost $1 million in 2017 when fraudsters got into an employee’s email account and impersonated a staff member. Using fake invoices and email requests, they convinced the charity to transfer the funds.

10. Guillermo Perez: $2.2 million

Between 2018 and 2019, Guillermo Perez orchestrated a BEC scam that defrauded several victims out of $2.2 million. He allegedly impersonated individuals and businesses in routine financial transactions, convincing victims to wire money into accounts he controlled alongside his accomplices.

How to fight back: A savvy defense strategy

Stopping BEC is about street smarts and systems. Here’s what you can do:

- Verify requests: Always call or use known contacts to double-check money moves.
- Two pairs of eyes: Set approval tiers for transfers, especially over a certain dollar amount.
- Train your people: Teach your team to smell a scam before it lands. The Huntress Managed Security Awareness Training can help with that.
- Invest in email security: Get tools that flag impersonations and fishy senders.

Don’t trust. Verify. Always. BEC scams knock, smile, and ask politely to rob you. These attacks work because they prey on trust, timing, and familiarity. Your best defense against them isn’t fear, but strategy. Create habits that slow things down, require verification, and eliminate easy targets. Because when a BEC hits, you lose trust, reputation, and time. And that’s a price no one wants to pay.

We understand what threats like credential theft and unauthorized access mean for your business, and we’re here to help. Huntress has you covered with managed identity threat detection and response (ITDR), protecting identities across your organization 24/7.
-
What are the types of ransomware attacks?
Ransomware isn’t an isolated, potential cyber threat—it’s like a living organism that can shapeshift with multiple strains, tactics, and targets. The cybercriminals behind ransomware attacks run these operations like a business and are motivated to keep up profits at any cost. Their tactics range from quickly locking down an entire network to slowly leaking sensitive data over time; different types of ransomware pose different threats in their own unique ways. In this guide, we’ll discuss some examples of ransomware, explain how they work, and outline how businesses can stay ahead of their malicious ways.

What are the main types of ransomware attacks?

Like a thief walking around a parking lot checking for a conveniently unlocked car, cybercriminals are always looking for vulnerabilities. Over the years, many different types of ransomware attacks have popped up, each with its own execution plan. Generally speaking, the most common types of ransomware include:

- Crypto ransomware: Infamous and devastating, this strain encrypts data and will only decrypt it if you pay the ransom. If you don’t pay, you lose your data forever.
- Double extortion ransomware: Particularly nasty cybercriminals will lock your data, steal it, and threaten to leak it if you don’t pay up.
- Encryptionless ransomware: Some ransomware actors have decided to go straight to stealing data and extorting victims to pay to avoid its release to the internet.
- Locker ransomware: This strain locks victims out of their systems, making them totally inaccessible until the ransom is paid, leaving you helpless.
- Scareware: Especially devious, fake software claiming to be your “knight in shining armor” against a phony virus pressures you to pay for a bogus “fix.”
- Ransomware-as-a-Service (RaaS): Like legitimate subscription models, cybercriminals rent ransomware tools from developers to help amateur hackers get their kicks.

What is the most common ransomware attack?

It is well known in the cybersecurity community that crypto ransomware is the most common type that cybercriminals use. Crypto ransomware is the perfect combination of powerlessness and pressure. Cybercriminals go in, use strong encryption (asserting power over the victim), and can put immense pressure on the victim until the ransom is paid. It’s simple and specifically targets valuable data, immediately impacting the business.

A variant strain of crypto ransomware is double extortion, which uses the same “hostage situation” of encrypting data. The main difference is that instead of deleting valuable data like crypto, hackers’ favorite scare tactic for getting people to pay the ransom is the threat of leaking sensitive data. The distinction between these types can sometimes blur, as many modern ransomware attacks use multiple tactics to pressure victims.

What are the different types of ransomware detection?

Detecting ransomware before it can take hold is crucial, and cybersecurity experts use several methods to stay a step ahead of threat actors. These are the ways you can detect ransomware:

- Behavior analysis: Behavioral detection looks at how files and applications behave, which can help expose suspicious activity. For example, take mass encryption—behavioral analysis spots this tactic before it spreads.
- Signature-based detection: One of the most traditional forms of identifying and fighting ransomware strains, signature-based detection looks for unique code signatures associated with common ransomware.
- Heuristic analysis: “The best defense is a good offense.” This proactive approach looks at file structures and code patterns to detect modified, new, or emerging ransomware strains.
- Deception technology: Using fake files and bait systems—i.e., “Honeypots”—turns potential threats on themselves by luring ransomware and triggering early alerts before actual data is compromised.

A layered approach that includes some or all of the above is the best way to defend against ransomware. This way, both known and unknown threats can be quickly caught and crushed.

Looking over past incident reports from January 2025 to May 2025, we’re able to paint a picture of the most common ransomware variants that we’ve seen across our customers. Out of the 606 reports that were actually ransomware-related, the most common variants were unknown ransomware variants, making up 58.4% of the number of reports issued this year.

What about malware?

You can’t talk about ransomware without talking about malware, as ransomware is just a glimpse of the larger malware picture. Malware attacks come in various forms, and ransomware is just one of the many threats businesses should be aware of.

- Trojan Horses are disguised as legitimate software. They trick users into installing them and then drop malicious payloads once active.
- Worms are self-replicating malware that can automatically spread across networks without users interacting with them.
- Spyware quietly collects sensitive data such as login credentials, credit card numbers, and browsing activity.
- Adware, though often less dangerous, bombards users with unwanted advertisements and can sometimes lead to further infections.
- Rootkits are deeply embedded bits of malware that give attackers complete control over compromised systems.

While each threat operates differently, they share a common goal: exploiting vulnerabilities to gain unauthorized access and inflict damage. Oftentimes, the data collected will be sold on the dark web by data brokers and can ultimately be leveraged by ransomware gangs to gain access to victims’ networks.

How does Huntress stop ransomware attacks from happening?

Huntress takes a proactive, human-led approach to stopping ransomware attacks before they can cause harm. With 24/7 threat monitoring, a dedicated team of cybersecurity experts continuously watches over your endpoints for any signs of suspicious activity. Through proactive threat hunting and advanced behavioral analysis, Huntress can spot ransomware tactics before they can be executed. If a ransomware strain is detected, automated containment isolates infected endpoints to prevent further spread. Additionally, the Huntress Security Operations Center (SOC) goes beyond merely flagging threats—it actively helps eliminate them and strengthens defenses to ensure the attack doesn’t happen again.

As ransomware attacks evolve daily, relying on outdated defenses just isn’t enough anymore. Huntress’ comprehensive, human-led strategy ensures that threats are halted before they escalate into a full-blown crisis. Reach out for a free demo to see for yourself how Huntress Managed EDR can help take ransomware off your list of worries.
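The behavior-analysis and heuristic entries in the detection list above describe spotting mass encryption by how a process writes files rather than by a known signature. The following is an added example of that idea, written for this page and not Huntress detection code: it scores each file write by Shannon entropy (ciphertext is near-random, documents are not) or by a ransom-style extension, and alerts when one process produces a burst of such writes. The thresholds, the extension list and every event, process name and path are constructed for illustration.

```python
"""Behavioral detection of mass file encryption from file-write telemetry.

Added example (not Huntress code). Thresholds, the suspect-extension list and all
events below are constructed for illustration.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

HIGH_ENTROPY = 7.0              # bits per byte; plaintext documents sit far lower
BURST_THRESHOLD = 5             # suspicious writes by one process ...
WINDOW = timedelta(seconds=30)  # ... inside this window trigger an alert
SUSPECT_EXTS = {".locked", ".enc", ".crypt"}  # constructed; real lists are per family


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path: str, data: bytes) -> bool:
    """A write looks like encryption output if its bytes are near-random or the
    file carries a known ransom extension."""
    ext = os.path.splitext(path)[1].lower()
    return ext in SUSPECT_EXTS or shannon_entropy(data) >= HIGH_ENTROPY


def detect_mass_encryption(events):
    """events: time-ordered (iso_timestamp, process, path, written_bytes) tuples.
    Returns one (process, count) alert per process, raised the first time it
    performs BURST_THRESHOLD suspicious writes within WINDOW."""
    recent = defaultdict(deque)   # process -> timestamps of recent suspicious writes
    alerted, alerts = set(), []
    for ts_iso, proc, path, data in events:
        ts = datetime.fromisoformat(ts_iso)
        q = recent[proc]
        while q and ts - q[0] > WINDOW:   # drop writes that fell out of the window
            q.popleft()
        if is_suspicious_write(path, data):
            q.append(ts)
        if len(q) >= BURST_THRESHOLD and proc not in alerted:
            alerted.add(proc)
            alerts.append((proc, len(q)))
    return alerts


# Constructed sample payloads: chained SHA-256 digests stand in for ciphertext,
# repeated prose stands in for an ordinary document.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PLAINTEXT = b"Quarterly report: revenue up 3 percent.\n" * 20

# Constructed events. "7z.exe" shows the classic false-positive source: compressed
# output is high-entropy too, but a single write never reaches the burst threshold.
SAMPLE_EVENTS = [
    ("2025-05-01T09:00:00", "winword.exe", r"C:\Users\a\Docs\q1.docx", PLAINTEXT),
    ("2025-05-01T09:00:02", "7z.exe", r"C:\Users\a\Docs\archive.zip", CIPHERTEXT),
    ("2025-05-01T09:00:05", "updater.exe", r"C:\Users\a\Docs\q1.docx.locked", CIPHERTEXT),
    ("2025-05-01T09:00:06", "updater.exe", r"C:\Users\a\Docs\q2.docx.locked", CIPHERTEXT),
    ("2025-05-01T09:00:06", "winword.exe", r"C:\Users\a\Docs\notes.txt", PLAINTEXT),
    ("2025-05-01T09:00:07", "updater.exe", r"C:\Users\a\Docs\budget.xlsx.locked", CIPHERTEXT),
    ("2025-05-01T09:00:08", "updater.exe", r"C:\Users\a\Pictures\img1.jpg.locked", CIPHERTEXT),
    ("2025-05-01T09:00:09", "updater.exe", r"C:\Users\a\Pictures\img3.jpg.locked", CIPHERTEXT),
    ("2025-05-01T09:00:10", "updater.exe", r"C:\Users\a\Pictures\img2.jpg.locked", CIPHERTEXT),
]

if __name__ == "__main__":
    for proc, count in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT mass encryption: {proc} ({count} suspicious writes in {WINDOW.seconds}s)")
```

The volume threshold is what keeps legitimate compression and encryption tools quiet; in production the same logic is normally paired with an allowlist of known archivers and backup agents and with the decoy files described under deception technology, which no legitimate process should ever touch.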
-
Take control: Locking down common endpoint vulnerabilities
Attackers are constantly on the prowl, scoping out vulnerabilities of network-connected devices in your systems. These devices—laptops, desktops, servers, IoT, and more—are like unlocked doors waiting for threat actors to stroll through. And here’s the kicker: many of these vulnerabilities are shockingly common and easily preventable. Let’s break down the weaknesses we most frequently track across three million endpoints (not a bad sample size!) and what you can do to patch those holes before a threat actor sneaks in and wreaks havoc.

Remote Desktop Protocol (RDP): The open back door

Remote Desktop Protocol is a prolific protocol used for remote connectivity, but it’s also one of the most common ways threat actors gain access to endpoint devices. In fact, up to 70% of organizations have RDP exposed to the public internet. Think of an exposed RDP connection as leaving a spare key under the doormat—while not quite in plain sight, it’s a pretty obvious place to look if you want to get inside.

Here’s an example of what happens: Attackers often use brute force attacks on RDP, cycling through password options until they unlock a login session. Once the initial intrusion is established, they usually don’t waste time dropping malware and trying to move laterally across your network.

Figure: An example of event logs showing a successful use of brute force.

What you can do:

- Don’t expose RDP to the public internet unless you really need to.
- Be a stickler with admin rights. Think about who actually needs access to do their job.
- Don’t rely on passwords—it’s old school (and way too risky). Enforce multi-factor authentication (MFA) for RDP sessions.
- Don’t slack on Windows security configurations. Defaults won’t cut it against attackers who want a piece of your network.
- Be vigilant for suspicious activity, like logins from unknown IP addresses.

Phishing attacks: Don’t take the bait

Email phishing is a classic cybercrime strategy, and some things just never go out of style. Every day, phishing emails land in inboxes and a staggering number of victims still fall for social engineering scams. This isn’t a new tactic by any stretch of the imagination, but threat actors continue to rely on it because it works—phishing accounts for 15% of all data breaches.

But what’s more alarming about phishing attacks these days is that they’re getting craftier, especially as threat actors turn to generative AI tools to fast-track their social engineering tactics. From expertly mimicked branding to fake invoices with urgent requests, hackers have leveled up their game to trick victims into clicking malicious links or giving up personal details to “customer service” over the phone. Phishing isn’t just email anymore—hackers will use any type of communication mechanism: email, text, phone calls, voicemail, QR codes, or any combination of these approaches.

Here’s an example of what happens: Let’s take a look at email phishing. When an employee clicks on a malicious link in a phishing email, they might unknowingly hand over sensitive credentials to an attacker or install malware on their system. Or, even worse, they may detonate a ransomware attack. Phishing often uses pressure tactics to prey on victims’ emotions to get a quick response. The attackers walk away with access to your network and sensitive info while leaving you with the mess. It could become an even bigger mess than you’ve bargained for if the attacker gains persistence to endpoints and you don’t immediately find the damage. Got an email asking for sensitive info? Don’t respond directly to the sender to avoid falling into the attacker’s trap.

Figure: An example of a malicious fake thread email phishing attempt.

What you can do:

- Get your organization smart on phishing tactics! Regularly scheduled security awareness training (SAT) can make users less likely to jump on sketchy requests. You want their “spidey senses” tingling when weird emails show up!
- Use MFA because it can reduce the damage if (when) credentials are compromised.

For more on how attackers use phishing to access your endpoints, check out Tradecraft Tuesday: “Phishing in the Fast Lane.”

Remote monitoring and management (RMM) tools: The double-edged sword

RMM tools are double-edged swords. On the one hand, they help IT admins, managed service providers (MSPs), and system admins monitor, manage, and troubleshoot fleets of computers with ease. On the other hand, when left unsecured (as they often are), RMM tools are an easy entry point for attackers to hit your endpoints hard. According to Huntress’ 2025 Cyber Threat Report, 17.3% of all remote access methods originated from RMM abuse. Threat actors like to blend in and hide in plain sight, and legitimate RMM tools are an easy way to do this.

Figure: Top abused remote access tools.

Here’s an example of what happens: Attackers abuse RMM software and tools to gain unauthorized remote access to compromise devices. Whether they use pre-existing RMMs or install their own, they can potentially control every connected device across your organization, lurking under the auspices of legitimate software. RMM attacks are dangerous because there’s always a risk that attackers will fly under the radar of your detection systems, moving laterally and gaining persistence without even dropping malware.

There are generally two ways attackers abuse RMMs. First, they can hijack or abuse existing software by exploiting outdated, unpatched, or misconfigured tools, or by stealing credentials to log in remotely to RMM tools. Second, they can deploy and install the attacker’s preferred RMM tool via social engineering or portable executables. Portable executables are notable for their ability to skirt around admin privileges and full software installation, giving attackers local user access. Even if a risk management control is supposed to block or audit the RMM software on the network, it doesn’t matter because portable executables don’t require admin privileges, giving the threat actor a free pass into your network. That’s the stuff of nightmares because threat actors drop into your environment undetected without using malware. Your RMM tools should make endpoints more secure, not less. Tighten up those settings and keep potential bad actors out.

Figure: Example of legitimate RMM tool compromise.

What you can do:

- Use role-based permissions. They are king. If you’re not on the guest list, you don’t get access to the RMM software party.
- Update and apply patches to RMM software to address vulnerabilities and bug fixes.
- Monitor activity logs for unusual activity. Unauthorized installs or funky logins should be a red flag.
- Know what types of RMM tools are supposed to be in your network. Audit, track, and monitor so that an unauthorized instance stands out.

For more on keeping RMM tools secure, check out:

- Think Your ScreenConnect Server Is Hacked? Here’s What To Look For.
- Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8
- Insights: RMM Tools

Unpatched software: An open door to your network

Unpatched software is the cybersecurity equivalent of leaving your front door open. Yes, the breeze might be nice, but you probably wouldn’t leave it wide open most of the time. It’s too risky. Your pets or kids can get loose, outdoor critters can make themselves at home (who wants raccoons in their kitchen?), and worse, thieves can just walk in. If you wouldn’t expose your physical environment to this type of risk, why would you allow it virtually?

Here’s what happens: Software vendors release patches for different reasons, but often to fix publicly known security vulnerabilities, usually referred to as CVEs. Attackers use this public information to target outdated software and systems. A single instance of an unpatched flaw is an opportunity for an attacker to drop ransomware or malware, or to pull off data breaches. When a new vulnerability drops, you’re up against the clock to get your systems patched before a threat actor takes advantage of you. If you’re not updating your software regularly, your endpoints are at unnecessary risk. The door is wide open for unwanted guests. It’s that simple.

Figure: Example of PowerShell script exploiting CVE-2023-27532 in outdated Veeam software.

Patch it up:

- Set up automatic updates wherever possible. No excuses.
- Keep a regular patch management schedule and stick to it.
- Have a battle plan for patching prioritization, since not all vulnerabilities are created equally.

Stay proactive, stay protected

Endpoint vulnerabilities don’t have to be your Achilles’ heel—they’re manageable with the right strategies and tools. Phishing training, endpoint detection and response (EDR) solutions, RMM audits, patch schedules, and strong authentication measures are just the start. It’s time to take action and secure your systems before attackers target them. Don’t leave it to chance. Examine your cybersecurity tools, train your team, and implement endpoint protection solutions that fit your setup. To learn more about staying protected with Huntress, visit here.
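The RDP section above describes the pattern a defender should be watching for: a run of failed logons from one source followed by a success, and the advice to watch for logins from unknown IP addresses. The following is an added example written for this page (not Huntress detection content) of how that pattern is pulled out of Windows Security events. The log lines are constructed in a simplified key=value form rather than real EVTX/XML; the event IDs and logon types are the standard Windows ones, and the threshold, window, IPs and account names are assumptions.

```python
"""Flag RDP password brute forcing in Windows Security log events.

Added example (not Huntress detection content). The log lines below are constructed
in a simplified "key=value" form; real events come from the Security log as EVTX/XML.
Event 4625 = failed logon, 4624 = successful logon. Logon type 10 = RemoteInteractive
(RDP); with Network Level Authentication, failed attempts are commonly recorded as
type 3 (Network), so both types are considered.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # 4625 events from one source IP ...
WINDOW = timedelta(minutes=2)    # ... within this window (both assumed values)
RDP_LOGON_TYPES = {3, 10}

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<lt>\d+)"
)


def parse_event(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
            "user": m["user"], "ip": m["ip"], "lt": int(m["lt"])}


def detect_rdp_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts as (source_ip, kind, detail) tuples.

    'brute-force-attempt' fires once when a source IP reaches `threshold` failed
    logons inside `window`; 'brute-force-success' fires when the same IP then logs
    on successfully, the pattern to treat as an intrusion rather than a lockout.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 4625 events
    users_tried = defaultdict(set)  # ip -> account names attempted
    warned, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["lt"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["eid"] == 4625:
            q.append(ts)
            users_tried[ip].add(ev["user"])
            if len(q) >= threshold and ip not in warned:
                warned.add(ip)
                alerts.append((ip, "brute-force-attempt",
                               f"{len(q)} failed logons within {window}"))
        elif ev["eid"] == 4624:
            if len(q) >= threshold:
                alerts.append((ip, "brute-force-success",
                               f"logon as {ev['user']} after {len(q)} failures; "
                               f"accounts tried: {sorted(users_tried[ip])}"))
            # a success ends the current burst for this source
            q.clear()
            users_tried[ip].clear()
            warned.discard(ip)
    return alerts


# Constructed sample: a guessing source (203.0.113.7) that eventually gets in, and a
# legitimate user who mistypes once (198.51.100.20).
SAMPLE_LOG = """\
2025-05-01T02:00:01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=3
2025-05-01T02:00:04 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=3
2025-05-01T02:00:05 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.20 LogonType=3
2025-05-01T02:00:07 EventID=4625 TargetUserName=backup IpAddress=203.0.113.7 LogonType=3
2025-05-01T02:00:09 EventID=4624 TargetUserName=jsmith IpAddress=198.51.100.20 LogonType=10
2025-05-01T02:00:10 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=3
2025-05-01T02:00:13 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=3
2025-05-01T02:00:16 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=3
2025-05-01T02:00:19 EventID=4624 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
""".splitlines()

if __name__ == "__main__":
    for ip, kind, detail in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{kind}: {ip} ({detail})")
```

The success-after-burst alert is the one that should page someone: a lone burst of 4625s is often just a lockout or a scanner, but a 4624 from the same source right after it means the spare key under the doormat has been found. Keying the state on source IP rather than on account is what makes low-and-slow spraying across many usernames visible in the same rule.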
-
How to prevent business email compromise
Business email compromise (BEC) is the cyber equivalent of an expertly forged handwritten note: no malware fireworks, no flashing warnings, just a convincing request that tricks someone into wiring money or handing over sensitive data. Knowing how to prevent BEC should sit at the top of every security to‑do list, because even one fraudulent email can siphon six or seven figures in minutes.

Why BEC attacks pack such a punch

Unlike spray‑and‑pray phishing that relies on infected attachments, BEC is pure social engineering. Attackers do their homework: scraping LinkedIn profiles, spoofing vendor domains, and studying your accounts payable workflow. Sometimes they’ll even compromise the email account of an upstream vendor you work with and use it to insert themselves into existing email conversations. To pull off the scam, attackers wait for the perfect moment and send a single, well‑crafted email: perhaps a fake invoice that appears to come from a trusted supplier, a sudden request from “the CEO” to change bank details, or an urgent payroll update landing in your finance team’s inbox just before payday. Since there’s no malicious link or attachment involved, many email scanners give the message a free pass, which is why email fraud prevention must lean on human intuition, identity controls, and layered monitoring.

Five preventive measures that actually work

1. Enforce MFA and harden email filters

Start with the basics. Multi‑factor authentication stops 99% of credential‑stuffing attempts. Pair it with advanced phishing and spoofing filters that check DMARC, DKIM, and SPF. If you truly want to secure your email, block look‑alike domains and flag messages whose Reply‑To address doesn’t match the From address.

2. Give employees the tools to spot the con

Security awareness isn’t an annual slideshow. It’s an ongoing habit. People are either your biggest risk or your strongest firewall.
Security awareness training can help staff recognize telltale BEC signals: poor grammar, odd timing, or unusual urgency. Simulated attacks reinforce those lessons so employees will instinctively report phishing scams before clicking or replying. Huntress Managed Security Awareness Training delivers short, punchy lessons and simulated BEC emails so your team learns by doing. Learn all about it here.

3. Dual‑key authorization for big money moves

Think of large wire transfers like opening a vault: one key isn’t enough. Require two approvers, ideally from separate departments, for payments over a preset threshold you determine. Even if one employee falls for the scam, the second authorizer is your fail‑safe to stop business email compromise in its tracks. And then you get to imagine your attacker slamming their clammy fists down on their laptop and swearing their head off.

4. Tighten help desk verification

BEC actors often call your support line pretending to be a traveling executive who, gosh, wouldn’t you know, “can’t access their email for some reason.” Stop them cold with verification the caller can’t fake over the phone: out‑of‑band callbacks to known numbers, employee badges, or secondary email confirmations. If they can’t prove they’re real, no password reset.

5. Treat every unexpected email as suspicious

In today’s threat environment, consider all unsolicited messages guilty until proven innocent. If you didn’t ask for it, and you weren’t expecting an attachment, handle it with extreme caution. This suspicious mindset helps prevent BEC attacks by forcing an extra verification step before money or data leaves the building, so you don’t find yourself caught in a trap.

Detecting trouble before it costs you

So, how do you detect a business email compromise?
Look for anomalies that stand out against normal patterns:

- Timing anomalies: requests outside business hours or right before holidays.
- Financial red flags: bank detail changes or urgent payment re‑routes (e.g., “Send payment in the next hour!”).
- Technical markers: forwarding rules added to an executive’s mailbox, impossible‑travel logins, or a sudden spike in failed MFA attempts.

BEC incident response

Even with strong defenses, attackers occasionally sneak one past the goalie. Here’s your rapid‑response sequence:

- Freeze the funds: if money got moved, call your bank’s fraud unit ASAP. Many transfers can be recalled if flagged within the first few hours.
- Lock the account: rotate passwords, force sign‑outs, and terminate any active sessions (refresh tokens included, since a password change alone does not end them) associated with the compromised identity.
- Mine the logs: preserve original headers, mailbox rules, and endpoint logs. They’ll tell you how far the attacker got and what else they touched.
- Run full forensics: use EDR to hunt for local script executions or credential‑harvesting malware, and isolate any infected devices if needed.
- Notify your stakeholders: transparency always beats secret chaos. Inform leadership, affected vendors, and, if personally identifiable information is involved, legal counsel for compliance reporting.

How Huntress locks down BEC

Thinking through how to prevent BEC attacks becomes simpler with Huntress:

- Huntress Managed ITDR watches identity signals 24/7, alerting on suspicious inbox rules, MFA changes, or unusual login geography.
- Huntress Managed Security Awareness Training keeps staff sharp, reducing click‑through rates and speeding incident reporting.
- Huntress Managed EDR provides endpoint insight, catching silent malware that installs after credential phishing.

Together, these layers give you continuous monitoring, immediate alerts, and human‑led analysis, turning BEC from an existential threat into just another ticket closed. Visit here to try Huntress for free. Get a free demo here.
View the full article
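Two of the "technical markers" the article lists, impossible-travel logins and forwarding rules added to a mailbox, can be checked directly against audit logs. The block below is an added example, not Huntress or CSOonline code: it pairs each user's consecutive sign-ins and flags any pair whose implied speed is not physically possible, and it reports inbox rules that forward mail to a domain outside the tenant. The flat event schema, the internal-domain list and the sample events are all constructed; map your own sign-in and mailbox-audit fields onto them.

```python
"""Run two of the identity signals listed above over an audit-log sample:
impossible-travel sign-ins and new inbox rules that forward mail outside the tenant.

Added example, not Huntress or CSOonline code. The flat event schema and the
sample events are constructed; map your own sign-in and mailbox-audit fields
onto it (for Microsoft 365 that means Entra ID sign-in logs plus the
New-InboxRule / Set-InboxRule operations in the unified audit log).
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0           # about airliner speed; faster than this is "impossible travel"
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

# Constructed events. "signin" carries the geo-IP resolution; "inbox_rule" carries the
# forwarding target.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T08:02:00+00:00", "user": "cfo@example.com", "type": "signin",
     "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01, "city": "New York"},
    {"ts": "2025-03-03T08:41:00+00:00", "user": "cfo@example.com", "type": "signin",
     "ip": "198.51.100.7", "lat": 6.45, "lon": 3.39, "city": "Lagos"},
    {"ts": "2025-03-03T08:43:00+00:00", "user": "cfo@example.com", "type": "inbox_rule",
     "rule": ".", "forward_to": "cfo.backup@mail-example.net"},
    {"ts": "2025-03-03T09:10:00+00:00", "user": "it@example.com", "type": "inbox_rule",
     "rule": "tickets", "forward_to": "helpdesk@example.com"},
    {"ts": "2025-03-03T12:00:00+00:00", "user": "sales@example.com", "type": "signin",
     "ip": "192.0.2.5", "lat": 51.51, "lon": -0.13, "city": "London"},
    {"ts": "2025-03-03T18:30:00+00:00", "user": "sales@example.com", "type": "signin",
     "ip": "192.0.2.9", "lat": 48.86, "lon": 2.35, "city": "Paris"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive sign-ins; flag pairs whose implied speed exceeds max_kmh."""
    last_by_user, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "signin":
            continue
        prev = last_by_user.get(ev["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(ev["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # two distant locations with identical timestamps count as infinitely fast
            speed = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "minutes": round(hours * 60), "km": round(km),
                               "speed_kmh": round(speed)})
        last_by_user[ev["user"]] = ev
    return alerts


def external_forwarding(events, internal_domains=INTERNAL_DOMAINS):
    """Flag inbox rules that forward to an address outside the tenant's own domains."""
    hits = []
    for ev in events:
        target = ev.get("forward_to") if ev["type"] == "inbox_rule" else None
        if target and target.rsplit("@", 1)[-1].lower() not in internal_domains:
            hits.append({"user": ev["user"], "rule": ev["rule"], "forward_to": target, "ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", a)
    for h in external_forwarding(SAMPLE_EVENTS):
        print("external forwarding rule:", h)
```

Expect noise from geo-IP: VPN egress points, mobile carriers and cloud proxies all produce "teleporting" users, so tune the speed threshold per population and correlate a travel hit with the other signals (a new rule created minutes later, as in the sample, is far stronger evidence than either event alone). Rules that delete mail or move it to a rarely viewed folder deserve the same treatment as forwarding rules.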
-
Know the red flags: Business email compromise signs to look out for
When it comes to cyber threats, business email compromise (BEC) is one of the sneakiest, most costly scams out there. These digital predators don’t rely on brute force; they are patient and tactical, and they exploit one weakness above all: human trust. If you’re in the cybersecurity game, spotting a BEC attack can mean the difference between an average Tuesday and a financial disaster. And if you’re wondering, “What are some identifiers of a BEC attack?” think less about firewalls and more about finesse. These scams sweet-talk their way in. BEC tactics are getting sharper every day, making detection feel like finding a needle in a haystack. But don’t sweat it: with the right moves, those red flags won’t stand a chance.

The anatomy of BEC: What to look out for

The FBI dropped a bombshell: BEC attacks cost companies over $43 billion globally between 2016 and 2022. Yeah, you read that right … billion. These aren’t just stats on a spreadsheet. They represent real businesses getting blindsided by a single email. Let’s talk about the telltale signs that could save you from becoming a victim.

Suspicious sender behavior

First rule of thumb: don’t trust just the name in the “From” field. BEC attackers are experts in domain spoofing, so they’ll make the email look like it’s from a legit source. Here’s what to look for:

- Domain tweaks: attackers might change a single character in a domain. Think “bank.com” versus “b8nk.com.”
- Display name tricks: you might see “CEO Janet Smith” pop up, but when you check the email address, it’s off by a mile.
- Reply-to changes: if you hit “reply” and the response goes to some strange email address, you might be walking into a trap.
- Fresh domains: if a domain was registered in the last 30 days, raise an eyebrow.

Timing and contextual red flags

Business email compromise detection isn’t a high-tech magic trick. These scammers don’t just wing it. They strike when you’re most vulnerable. That’s why timing and context matter big time.
Watch for these red flags:

- Urgent requests: “Act now! Wire transfer must be made immediately!” If an email is pushing you to do something in a hurry, slow down.
- CEO authority: if the email says “the CEO needs this right now” or “I’m unavailable by phone,” be suspicious. It’s a classic trick.
- Off-hours chaos: getting emails at 2 AM asking for large sums of money? That’s a red flag.
- Breaking standard procedures: if the process to approve payments or changes gets bypassed, don’t just approve. Double-check.

Linguistic and stylistic warning signs

If you want to detect BEC attacks, you’ve got to think like a con artist and read between the lines. These scams don’t always scream “fraud” at first glance. Sometimes the giveaway is buried in the tone, the grammar, or a weird word choice that just doesn’t sit right. Keep your eyes peeled for:

- Grammatical errors: your CEO wouldn’t send an email with typos, spelling errors, or weird phrasing.
- Tone shifts: if the way someone writes suddenly changes, that’s not normal.
- Overuse of authority: excessive language like “This is urgent!” or “Don’t tell anyone about this” is a hallmark of BEC attacks.
- Cultural misalignment: if the phrasing doesn’t match the sender’s typical style, it’s worth investigating.

One caveat: generative AI has made polished lures cheap, so clean grammar on its own is no reassurance.

Technical indicators: The hidden signs

If you’re diving deep into BEC detection, sometimes it’s the hidden metadata that will spill the beans.

- Email header inspection: look at the email’s behind-the-scenes info (headers). If something doesn’t add up, like a failed SPF or DKIM check, a weird server route, or a sending IP that doesn’t match where the message is supposed to come from, call BS.
- Account behavior: if someone suddenly logs in from a new country or tries to access their account in the middle of the night, that’s a problem. Likewise, any weird forwarding rules in an inbox could mean an attacker has hijacked the account.

Common BEC scenarios and how to spot them

BEC attacks come in all shapes and sizes.
But here are a few classic setups that’ll help you identify them faster.

CEO fraud

This is the granddaddy of BEC scams. The attacker impersonates the CEO or a high-ranking exec and pressures the target into making financial transactions. Red flags: requests to wire funds quickly, subtle email address changes, or “CEO unavailable by phone” messages.

Vendor fraud

Here, attackers spoof vendor emails to get you to pay them instead of your regular supplier. Red flags: sudden requests to change payment details, or new contacts claiming to represent a trusted vendor.

HR and employee targeting

BEC isn’t always about money. Sometimes attackers are after sensitive employee info. Red flags: requests for direct deposit changes or compensation info.

When people talk about spoofed emails, they’re usually talking about one of two things. Real spoofing is when the “From” address itself shows up as someone you know or trust, even though the message didn’t really come from them (this is very difficult to detect by eye, and it is exactly what SPF, DKIM, and DMARC exist to catch). On the other hand, if the attacker is only spoofing the display name (like just setting it to “[email protected]” or “Jane Smith”), it’s notably easier to spot. That’s often called display name spoofing.

Gearing up for the BEC battle

Okay, so how do you fight back? You need a defense plan that’s got the chops to deal with this stuff. Here’s how:

Tech armor

- DMARC, SPF, and DKIM: these email authentication protocols are the first line of defense. They tell you whether an email really came from the domain it claims to come from.
- AI-powered filters: use advanced email filters that analyze patterns and flag suspicious messages.
- Multi-factor authentication: ensure email accounts are protected with more than just a password.
- Endpoint protection: stop credential harvesting before it starts with Huntress managed detection, investigation, and response for your endpoints.

Human armor

- Phishing simulations: run mock BEC attacks to see how your employees react.
You can either run them on your own or have Huntress fully manage them for you.
- Security training: train everyone, but especially those in high-risk departments (finance, HR, IT), on spotting these attacks. Huntress Managed Security Awareness Training is loved by learners and hated by hackers.
- Verification culture: make it standard practice to verify any financial transaction or request through a secondary communication channel.

Process armor

- Verification for payments: always get secondary approval for big transfers.
- Escalation paths: have clear procedures for when things don’t add up.
- Regular security drills: test your defenses regularly and update your procedures as needed. Huntress Managed Security Awareness Training can help with that.

What’s next in BEC detection

BEC is evolving. Attackers are always finding new ways to trick you, but so are defenders. Keep an eye out for:

- AI writing analysis: detecting odd phrasing and anomalies using AI.
- Behavioral biometrics: recognizing how legit users interact with systems.
- Zero Trust security model: assuming every request is suspect, even if it looks like it’s coming from a trusted source.

We understand what threats like credential theft and unauthorized access mean for your business, and we’re here to help. Huntress has you covered with managed identity threat detection and response (ITDR), protecting identities across your organization 24/7. For more in-depth solutions on preventing BEC attacks, check out our Business Email Compromise resources. Watch the live hack of a Microsoft 365 environment here. View the full article
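The sender red flags in the two BEC articles above (a display name carrying a different address than the real sender, a Reply-To that redirects the conversation, a From domain one character or one homoglyph away from a trusted one, and failed SPF/DKIM/DMARC results) are all visible in message headers, so they can be checked mechanically before a human ever reads the body. The block below is an added example, not Huntress or CSOonline code. The message, the trusted-domain list and the gateway name in the Authentication-Results header are constructed; the header layout follows RFC 8601, but your mail gateway may phrase its results differently. The "registered in the last 30 days" check is deliberately absent because it needs a live RDAP/WHOIS lookup and cannot run offline.

```python
"""Header-level checks for the sender red flags above: a display name carrying a
different address than the real one, a Reply-To that redirects the conversation,
a From domain that is a typo or homoglyph away from a trusted one, and failed
SPF/DKIM/DMARC results.

Added example, not Huntress or CSOonline code. The message, the trusted-domain list
and the gateway name in Authentication-Results are constructed; the header layout
follows RFC 8601, but your mail gateway may phrase its results differently.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}  # assumption: your own domain plus known vendors

# Characters attackers swap for look-alikes; normalising both sides before comparing
# makes "b8nk" / "bank" or "rn" / "m" style substitutions visible.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "8": "b"})


def normalize(domain: str) -> str:
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain this one impersonates (within max_dist edits after
    homoglyph normalisation), or None if it is trusted itself or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best = None
    for t in trusted:
        dist = edit_distance(normalize(domain), normalize(t))
        if dist <= max_dist and (best is None or dist < best[1]):
            best = (t, dist)
    return best[0] if best else None


def analyze(raw: str):
    """Return (tag, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()

    if "@" in name and name.rsplit("@", 1)[-1].lower() != from_domain:   # "ceo@corp.com" <x@evil>
        findings.append(("DISPLAY_NAME_ADDRESS", f"display name {name!r} but real sender {addr}"))

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply}, not {from_domain}"))

    target = lookalike_of(from_domain)
    if target:
        findings.append(("LOOKALIKE_DOMAIN", f"{from_domain} resembles trusted {target}"))

    auth = msg.get("Authentication-Results")
    if auth is None:
        findings.append(("AUTH_MISSING", "no Authentication-Results header from the gateway"))
    else:
        bad = [f"{m}={r}" for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)
               if r.lower() != "pass"]
        if bad:
            findings.append(("AUTH_FAIL", ", ".join(bad)))
    return findings


# Constructed message: urgent bank-detail change from a typo-squatted vendor domain.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=acme-supp1ies.com; dkim=none; dmarc=fail header.from=acme-supp1ies.com
From: "Janet Smith (CEO)" <janet.smith@acme-supp1ies.com>
Reply-To: janet.smith.ceo@mail-relay.example
To: payables@example.com
Subject: URGENT: updated bank details for today's wire
Date: Mon, 3 Mar 2025 16:55:00 +0000

Please use the new account on the attached invoice before 5pm. I am in meetings and cannot take calls.
"""

if __name__ == "__main__":
    for tag, detail in analyze(SAMPLE_MESSAGE):
        print(f"{tag}: {detail}")
```

Two design notes. The look-alike test compares whole domains, so `acme-supplies.com.evil.example` would slip past it; reduce to the registrable domain with a public-suffix library before comparing. And only trust an Authentication-Results header that your own gateway stamped (RFC 8601 requires it to strip any pre-existing copies), otherwise the attacker can simply write `spf=pass` into the message themselves.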
-
Cyber defense: From reactive to proactive
When systems are attacked, we should respond. But how much better would it be if we could anticipate attacks before they strike and stop them with a proactive defense? Faced with today’s cybersecurity challenges, that is no simple task. “It’s a cat-and-mouse situation. AI is changing the speed and sophistication of attacks, and AI is making phishing and social engineering attacks, thanks to deep fakes, harder to detect,” said Kevin McCall, director, cybersecurity, risk, and regulatory at PwC US, speaking during a webcast titled, “From Risk to Resilience: Building a Smarter Cloud Security Strategy.” McCall also warns of a “supply chain” of cybercrime consisting of ransomware-as-a-service, as well as threats embedded in developers’ toolsets. “Once an attack has occurred, the average time to reduce exposure is 58 days,” noted fellow webinar panelist Nidhu Nalin, principal, cybersecurity, risk, and regulatory at PwC US. A lot of bad things can happen during the nearly two months when malware is on the loose and cyber thieves have access to corporate systems. That’s why being proactive — detecting and preventing threats, rather than reacting to them — is so important. “Being proactive requires efficient automation. It also requires an integrated platform providing a single pane-of-glass view of the environment, with well-designed, tested, and optimized mechanisms to respond and recover,” said Nalin. Automation is also important to help overcome the chronic cybersecurity talent gap. “As AI fuels faster and more sophisticated attacks, relying on staff alone can prolong the detection and prevention of threats,” said Nalin. Being proactive sounds great, but it doesn’t happen overnight. Multiple disciplines are required, and they should work together. 
Littus Dsouza, senior product manager at Microsoft, said cybersecurity leaders should focus on these priorities:

- Defense in depth with layered security controls
- Zero trust, leveraging access controls to never trust but always verify
- Multicloud infrastructure to reduce risk and provide redundancy
- Security by design that “shifts left” to start and stay secure
- Exposure management and attack-path mapping to reduce risk by understanding misconfigurations and vulnerabilities

What’s the answer? Microsoft Defender for Cloud is a suite of security products, integrated with other Microsoft products as well as third-party applications, that helps enterprises achieve these goals. Because it automates investigation and response, it helps organizations respond quickly while mitigating the need for a large, highly trained staff. Dsouza noted that Defender for Cloud draws on Microsoft Threat Intelligence, analyzing over 80 trillion signals daily, information that tells cybersecurity leaders what is coming. “Microsoft Defender for Cloud transforms security from reactive to proactive by helping organizations anticipate and prevent attacks with continuous monitoring and automated response,” said Dsouza. Defender for Cloud isn’t only for Azure: it can safeguard workloads across AWS, Google Cloud, and on-premises environments from a single dashboard. PwC works with Microsoft to help organizations implement Defender for Cloud. “PwC helps enterprises design and implement tailored security architectures, enhance multicloud posture, and align security with business goals,” said Dsouza. Those efforts paid off for one Fortune 500 company. PwC helped deploy Defender for Cloud across the organization during a data center migration. Integration with Microsoft 365 and Azure centralized endpoint policy configuration to confirm consistent security across the overall organization, said Nalin. With bad actors arming themselves with AI, Defender for Cloud and PwC aim to keep you a step ahead.
Said McCall, “If you’re not using automation, you’re falling behind.” View the full webcast. For a deeper dive into Microsoft Defender for Cloud, PwC services, and cybersecurity leading practices, visit: www.pwc.com/us/microsoftcyber View the full article
-
Shai-Hulud-style NPM worm hits CI pipelines and AI coding tools
A massive Shai-Hulud-style npm supply chain worm is hitting the software ecosystem, burrowing through developer machines, CI pipelines, and AI coding tools. Socket researchers uncovered the active attack campaign and called it SANDWORM_MODE, after the “SANDWORM_*” environment variable switches embedded in the malware’s runtime control logic. At least 19 typosquatted packages were published under multiple aliases, posing as popular developer utilities and AI-related tools. Once installed, the packages execute a multi-stage payload that harvests secrets from local environments and CI systems, then uses the stolen tokens to modify other repositories. The payload also implements a Shai-Hulud-style “dead switch”, off by default, that is meant to wipe the home directory if the malware is detected. Researchers called the campaign a “real and high-risk” threat, advising defenders to treat the packages as active compromise risks.

Typo to takeover

The campaign starts with typosquatting, where attackers publish packages with names nearly identical to legitimate ones, banking on a developer typo or an AI assistant hallucinating the wrong dependency name. “The typosquatting targets several high-traffic developer utilities in the Node.js ecosystem, crypto tooling, and, perhaps most notably, AI coding tools that are seeing rapid adoption: three packages impersonate Claude Code and one targets OpenClaw, the viral AI agent that recently passed 210k stars on GitHub,” the researchers wrote in a blog post. Once a malicious package is installed and executed, the malware hunts for sensitive credentials, including npm and GitHub tokens, environment secrets, and cloud keys. Those credentials are then used to push malicious changes into other repositories and inject new dependencies or workflows, expanding the infection chain.
Additionally, the campaign uses a weaponized GitHub Action that could amplify the attack inside CI pipelines, extracting secrets during builds and enabling further propagation, the researchers added.

Poisoning the AI developer interface

The campaign was specifically flagged for its direct targeting of AI coding assistants. The malware deploys a malicious Model Context Protocol (MCP) server and injects it into the configurations of popular AI tools, embedding itself as a trusted component in the assistant’s environment. Once this is achieved, prompt-injection techniques can trick the AI into retrieving sensitive local data, which can include SSH keys or cloud credentials, and passing it to the attacker without the user’s knowledge. The researchers also found a dormant polymorphic engine capable of rewriting the malware through code-level transformations such as variable renaming, control-flow rewriting, decoy code insertion, and string encoding, though no active mutation was observed during analysis. The engine is compatible with locally hosted models through Ollama, but presently only checks whether Ollama is running locally, they wrote. The disclosure noted that npm has already hardened the registry against Shai-Hulud-class worms, tightening controls around the credential abuse this campaign exploits. Short-lived, scoped tokens, mandatory two-factor authentication for publishing, and identity-bound “trusted publishing” from CI are designed to contain the blast radius from stolen secrets, though their effectiveness ultimately depends on the scale and speed of maintainer adoption. View the full article
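Two of the campaign's footholds described above, a typo-squatted package name in the dependency tree and an MCP server quietly added to an AI tool's configuration, are both things a defender can screen for before the payload ever runs. The block below is an added example, not Socket's scanner or code from the campaign: it walks an npm lockfile for installed packages whose names are close to, but not the same as, the packages the project intends to use (surfacing install scripts, since that is where a worm's payload executes), and it lists MCP servers in a tool config that nobody approved. The lockfile, the intended-package list, the MCP config and every package name in them are constructed for the demo (the campaign's real package names are not reproduced), and the "mcpServers" layout is an assumption about the config format of the AI tool you use.

```python
"""Screen an npm lockfile for dependencies that are a typo away from the packages a
project actually intends to use, and check an AI tool's MCP configuration for servers
nobody approved.

Added example, not Socket's scanner or code from the campaign described above. The
lockfile, the intended-package list, the MCP config and every package name in them
are constructed for the demo (the campaign's real package names are not reproduced);
the "mcpServers" layout is an assumption about the config file of the AI tool you use.
"""
import difflib
import json

INTENDED = {"lodash", "express", "axios", "chalk", "commander", "dotenv"}  # what package.json should pull in
APPROVED_MCP = {"filesystem", "github"}  # MCP server names your team signed off on


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys nest by path)."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock_text: str, intended=INTENDED, cutoff: float = 0.75):
    """Flag installed packages whose name is close to, but not equal to, an intended one.
    difflib's ratio is 2*matches/total_length, so a one-character slip in a short name
    still scores well above cutoff; install scripts are reported because that is where a
    worm's payload runs."""
    lock = json.loads(lock_text)
    findings = []
    for key, meta in lock.get("packages", {}).items():
        if key == "":
            continue  # the root project entry
        name = package_name(key)
        if name in intended:
            continue
        close = difflib.get_close_matches(name, intended, n=1, cutoff=cutoff)
        if close:
            findings.append({"name": name, "path": key, "resembles": close[0],
                             "version": meta.get("version"),
                             "install_script": bool(meta.get("hasInstallScript"))})
    return findings


def unapproved_mcp_servers(config_text: str, approved=APPROVED_MCP):
    """Return MCP server entries whose name is not on the approved list, with what they execute."""
    cfg = json.loads(config_text)
    return [{"name": n, "command": s.get("command"), "args": s.get("args", [])}
            for n, s in cfg.get("mcpServers", {}).items() if n not in approved]


# Constructed lockfile: "lodash" is genuine; "expres" and "ax1os" are invented
# near-misses of intended names, one of them with an install script.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"lodash": "^4.17.21", "expres": "^4.0.0", "ax1os": "^1.0.0"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/expres": {"version": "4.0.0", "hasInstallScript": True},
        "node_modules/ax1os": {"version": "1.0.0"},
        "node_modules/@types/node": {"version": "20.0.0"},
        "node_modules/expres/node_modules/debug": {"version": "4.3.4"},
    },
})

# Constructed MCP config: two approved servers plus one that was injected.
SAMPLE_MCP_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/src"]},
        "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
        "helper": {"command": "node", "args": ["/home/dev/.cache/helper/index.js"]},
    }
})

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print("possible typosquat:", f)
    for s in unapproved_mcp_servers(SAMPLE_MCP_CONFIG):
        print("unapproved MCP server:", s)
```

The lockfile walk assumes the v2/v3 `packages` map; a v1 lockfile keeps a nested `dependencies` tree and needs a recursive walk instead. Run the scan in CI against the committed lockfile with `npm ci --ignore-scripts` so a flagged package cannot execute before a human looks at it, and diff the MCP config of every developer machine against the approved list the same way you diff any other trusted configuration.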
-
Bitcoin billions from piracy portal in the sights of the judiciary
PXLR Studio – shutterstock.com

The trial over the illegal streaming service «movie2k.to» and a billion-euro profit in Bitcoin has begun in Leipzig. Before the Regional Court (Landgericht), the 42-year-old alleged head of the portal is charged with, among other things, commercial money laundering in 146 cases. Sitting beside him in the dock is a 39-year-old who must answer for money laundering in 46 cases and for tax evasion. The accusations of having unlawfully exploited copyrighted works in around 220,000 cases are now time-barred and are therefore no longer part of the proceedings.

A 350-page indictment

At the start of the trial, the main defendant’s defense objected to the reading of the indictment, arguing that it should have been presented in a modified version after the Regional Court had declined to admit some parts of it. The Dresden Public Prosecutor General’s Office (Generalstaatsanwaltschaft Dresden) stressed that the time-barred offenses were important for the money-laundering charge. The economic crimes chamber rejected the defense’s motion.

What happens to the profit of 2.64 billion euros?

The case is explosive because the economic crimes chamber will also decide who owns the roughly 2.64 billion euros realized from the main defendant’s Bitcoin holdings. In the event of a final conviction, a great deal of money could flow to the state treasury. According to the indictment, the duo, together with a man who has already been convicted with final effect, offered hundreds of thousands of pirated copies of films and series via the streaming portal «movie2k.to» for years. The operators earned millions from advertising contracts and used the proceeds to buy Bitcoin. The portal was shut down in 2013; the main defendant was not arrested until 2023, abroad. After his arrest in 2023 he handed almost 50,000 Bitcoin over to investigators. Following a veritable surge in the cryptocurrency’s price, the sale brought in about 2.64 billion euros. This money is currently held by the state judicial treasury (Landesjustizkasse). (dpa/ad) View the full article
-
It’s time to rethink CISO reporting lines
Despite inroads in the C-suite and rising prominence across the business at large, security leaders are still more likely to operate at a remove from the organization’s executive leadership when it comes to reporting structures. According to IANS Research and Artico Search’s 2026 State of the CISO Benchmark Report, 64% of CISOs still report into IT, typically the CIO or CTO. Just 11% report to the CEO, while others fall under the CFO (5%), chief risk officer (5%), legal counsel (5%), or other business roles (5%). Although the survey found that “reporting lines are slowly shifting, and dotted line responsibility is often just as or more important than direct line reporting,” traditional reporting lines still hold, raising the question: Does that reporting structure still make sense? The age-old problem with CISOs reporting into CIOs is that it could present, or at least appear to present, a conflict of interest. Cybersecurity consultant Brian Levine, a former federal prosecutor who serves as executive director of FormerGov, says that concern is even more warranted today. “It’s the legacy model: Treat security as a technical function instead of an enterprise‑wide risk discipline,” he says. “The problem is that when the CISO sits under the CIO, cost containment may outrank risk reduction.”

Conflicts of interest

Levine agrees that reporting to the CIO creates “an inherent conflict of interest.” “The CIO is rewarded for efficiency and savings and the CISO is responsible for identifying risks that often require new spending,” he explains. “It’s like asking the fire marshal to report to the person whose bonus depends on cutting the number of sprinklers.” Enterprise CISOs should be reporting a notch higher, Levine argues. “Ideally, the CISO would report to the CEO or the general counsel, high-level roles explicitly accountable for enterprise risk. Security is fundamentally a risk and governance function, not a cost‑center function,” Levine points out.
“When the CISO has independence and a direct line to the top, organizations make clearer decisions about risk, not just cheaper ones.” Zach Lewis, CISO at the University of Health Sciences and Pharmacy in St. Louis, agrees that a conflict of interest arises in reporting into IT. “The CIO is all about [system] availability whereas the CISO needs to bring systems down so that things can be patched, fixed,” Lewis says, offering that a hypothetical CIO might tell a CISO, “I don’t want you to do [a patch or a security upgrade] because it would impact my bonus.” Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, sees resources as another conflict of interest. “In many organizations, IT [executives] are heavily incentivized to deliver new capabilities, which could strain the resources available to the CISO when trying to ensure that security and privacy are baked into these projects,” Villanustre says. At the same time, having the CISO report into someone such as the general counsel or CFO “could negatively impact the alignment between CISO and IT, which is paramount to making the CISO job more effective,” Villanustre adds. “Forcing these types of moves could backfire.” With regulatory pressure mounting, especially in financial services, Villanustre believes CISO reporting structures will come under greater scrutiny. “It’s likely that there will be changes soon that can alter the current statistics [of reporting lines for CISOs] quite significantly,” he says.

What’s in a reporting line?

Aaron Painter, CEO of security vendor Nametag, contends that reporting structures often mean less than the respect the CISO is granted. Painter is “less dogmatic about where the CISO reports and more focused on whether they actually have a seat at the table,” he says. “Org charts matter far less than influence,” he adds.
“Whether the CISO reports to the CIO, the CEO, or someone else, the real question is this: Are they brought in early, listened to, and empowered to shape how the business operates? When that’s true, the structure works. When it’s not, no reporting line will save it.” Sanchit Vir Gogia, chief analyst at Greyhound Research, argues that the trend to have CISOs report to an IT executive “is one of the most structurally damaging legacy habits still entrenched in enterprise security governance.” “On paper, it may seem like a clean alignment,” he says. “In practice, it’s a governance anti-pattern that quietly erodes the CISO’s ability to surface truth, escalate risk, and hold the organization accountable. Keeping security under IT may seem convenient, but in today’s threat landscape, it is a structural vulnerability disguised as tradition.” Like others, Gogia’s argument falls back to the potential for conflicts of interest. “The CIO’s job is to enable business through technology. Innovation, delivery, velocity. The CISO’s job is to identify and mitigate risk, even when that slows things down,” Gogia says. “When the CISO reports to the CIO, risk can be filtered, prioritized out of sight, or reshaped to fit a delivery narrative. It’s not about bad actors. It’s about role tension. And when that tension exists within the same reporting line, risk loses.” Moreover, Gogia believes security reporting to IT “sends all the wrong cultural signals.” “Employees know where power sits. If the CISO is three levels below the CFO, nobody takes their escalation seriously. If the CISO needs to ask their boss’s permission to flag a critical control gap, that’s not empowerment; it’s containment. Over time, the organization learns to route security around the CISO, not through them,” he says. “What matters most is unfiltered visibility and the freedom to present uncomfortable truths without career penalty.” Gogia argues in favor of a better reporting structure for cybersecurity. 
“We’re seeing the emergence of the chief digital risk officer (CDRO) model, which reframes the role altogether. Rather than being a technologist reporting into infrastructure, the CDRO is a senior executive responsible for digital risk across cyber, data, AI, and third-party exposure,” Gogia says. “This role often sits beside the CRO and CFO, not below them. It reflects the reality that digital risk is not a subset of IT. It is a board-level category in its own right.” View the full article
-
The rise of the evasive adversary
Since the earliest days of the internet, there has never been a let-up in adversarial activity. According to CrowdStrike’s just-released 12th annual Global Threat Report, malicious activity in cyberspace continues to not only accelerate but also expand its scale and increasingly abuse the trust of targeted organizations. The good news is that, despite discussion of AI democratizing threat activity, the volume of adversaries that government and corporate entities are contending with didn’t grow at an accelerated rate in 2025, according to CrowdStrike’s findings. “We added 24 new adversaries over the course of the last year, which is equivalent to what we did the year before,” Adam Meyers, head of counter adversary operations at CrowdStrike, told reporters during a roundtable discussion about the report. “We track over 281 adversaries today and 150 activity clusters,” he said. The main message of CrowdStrike’s report is that threat actors have moved into evasion mode after previously expanding their toolkits. “The theme of the overall report is what we say is the evasive adversary. Last year, it was the enterprising adversary. They were starting to experiment with some of the techniques that we observed. And now their focus is on avoiding detection. So, we’re calling them the evasive adversary,” Meyers said.

Adversarial AI use amplifies known tactics

CrowdStrike’s report shows that attacks carried out by AI-enabled adversaries jumped 89% year over year, as threat actors used generative tools to refine phishing lures, generate malware scripts, troubleshoot exploits, and accelerate reconnaissance. The technology did not create entirely new tactics but made existing ones faster, cheaper, and more scalable. At the same time, AI-enabled intrusions became quieter, according to CrowdStrike.
Malware-free techniques accounted for 82% of detections in 2025, up from 51% in 2020, reflecting a decisive shift toward credential abuse and hands-on-keyboard activity that blends into legitimate user behavior. “In terms of AI as a weapon, you can use it for social engineering,” Meyers said. “We’ve seen groups like eCrime group Renaissance Spider modify their Click Fix lures and localize them to different languages using generative AI.”
CrowdStrike also witnessed AI being used for information operations, Meyers said. “One of the interesting cases that happened over the last couple of months” is a malicious MCP server named postmark-mcp, which impersonated a legitimate server maintained by email delivery service Postmark, he said. “And in this case, the MCP server, which bridges the Postmark API with the LLM, was maliciously created so that it would actually bcc an adversary on every email that was sent.”
Big game hunters tighten their grip
CrowdStrike’s research highlights how big game hunting (BGH) ransomware actors have remained the dominant force in the eCrime landscape. Punk Spider, a group responsible for developing and maintaining Russian-language Akira ransomware, and its associated Akira dedicated leak site, conducted 198 intrusions in 2025 — a 134% increase year over year. Victim-shaming operations expanded as well, with a 36.8% rise in organizations named on dedicated leak sites. But the story for BGH actors in 2025 was not just volume; it was also refinement. Rather than detonate ransomware on heavily monitored endpoints, BGH actors increasingly encrypt data remotely via Windows Server Message Block (SMB) shares, minimizing their footprint and avoiding the need to execute ransomware on managed hosts. Other big game hunters exploited unmanaged infrastructure.
In one incident, eCrime actor Scattered Spider dumped Active Directory credentials from an unmanaged virtual machine within three hours of initial access — interacting with only a single managed endpoint.
Supply chain attacks become a weapon of scale
One big driver of the evasive tactics used by threat actors in 2025 was supply chain attacks, according to CrowdStrike. The most dramatic example came in February, when North Korea’s state-sponsored threat actor Pressure Chollima, also known as Lazarus, orchestrated the largest cryptocurrency theft in history, stealing $1.46 billion by compromising SafeWallet, a digital asset management platform that supports cryptocurrency exchange Bybit. By injecting malicious code into a trusted frontend and restoring it immediately after execution, the group redirected funds during a legitimate transaction while avoiding detection. Open-source ecosystems proved equally vulnerable. A compromised npm package distributing self-propagating infostealer ShaiHulud malware was downloaded more than 2 million times before discovery. In another campaign, adversary-linked packages were downloaded over 8,000 times, often spreading through dependency chains that infected downstream users far beyond the original target.
Zero-day exploitation accelerates
During 2025, the race between disclosure and exploitation narrowed to days, sometimes hours, according to CrowdStrike. The researchers report that zero-day exploitation rose 42% year over year in 2025, as adversaries weaponized dozens of previously unknown vulnerabilities for initial access, remote code execution, and privilege escalation. More worrisome is that the average e-crime breakout time — the window between initial access and lateral movement — fell to just 29 minutes, a 65% increase in speed from 2024. In the most extreme case, attackers moved in 27 seconds. China-nexus actors, in particular, demonstrated rapid operationalization.
In multiple cases, exploitation began within two to six days of public disclosure. For defenders, that left little room to assess, prioritize, and patch before networks were probed or compromised. Zero-days became more than tactical advantages. They became strategic accelerants, enabling stealthy entry into edge devices, VPN appliances, mail servers, and enterprise software before defenses could adjust. And increasingly, those entry points led straight into the cloud.
Cloud becomes the new battleground
As enterprises deepen their reliance on SaaS and hybrid identity systems, adversaries continue to follow. CrowdStrike said that cloud-conscious intrusions rose 37% overall in 2025, while activity by state-nexus actors surged 266%. Valid account abuse accounted for 35% of cloud incidents, underscoring how attackers leveraged stolen credentials and session tokens rather than malware. “What’s really interesting is that 35% of the time, cloud intrusions are effectively using legitimate credentials,” Meyers said. “And we’ve noted that nation-state threat actors have had a 266% increase in cloud-related intrusion activity, which indicates nation-states now have recognized what e-crime actors have been noticing for a few years: The cloud is an ideal target.” Adversary-in-the-middle phishing kits became a preferred tool, allowing threat actors to intercept authentication flows and capture live session tokens for Microsoft 365 and Salesforce environments. Hybrid identity systems, which synchronize on-premises and cloud authentication, became particularly attractive targets, offering broad access once compromised. Rather than breaking in, attackers increasingly logged in. And nowhere was that strategy more systematic than in campaigns attributed to China-nexus actors.
China-nexus activity expands across regions and sectors
CrowdStrike’s analysis indicates that China-nexus adversaries increased overall targeted intrusion activity by 38% in 2025, maintaining a sustained global tempo. Logistics targeting rose 85%, telecommunications 30%, and financial services 20%, all sectors aligned with long-term intelligence and economic priorities. Driving much of the activity was “a massive uptick in zero-day vulnerabilities and exploits being leveraged by Chinese threat actors,” Meyers said. A consistent pattern emerged: perimeter compromise first. Sixty-seven percent of vulnerabilities exploited by China-nexus actors enabled immediate remote code execution, and 40% targeted edge devices such as VPNs, firewalls, and gateways, infrastructure that often lacks robust monitoring and timely patching. In some campaigns, adversaries operationalized exploits within two to three days of disclosure. “If you think about actors like Salt Typhoon, which we track as Operator Panda and Vanguard Panda, which is also known as Volt Typhoon, targeting network devices is important for China. They find lots of vulnerabilities there, and they’re able to stay under the radar on those devices because they’re not managed,” Meyers said.
China’s intrusions are never smash-and-grab operations. In multiple cases, actors maintained persistent access for months, sometimes years, prioritizing long-term intelligence collection over short-term disruption, CrowdStrike said. Taken together, the trends of 2025 tell a clear story. Adversaries are faster, quieter, and more willing to exploit the implicit trust embedded in modern infrastructure — from AI tools and SaaS platforms to open-source code and perimeter devices. View the full article
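The remote encryption over SMB shares noted in the big-game-hunting section above avoids running ransomware on managed hosts, but it still leaves a signal on the file server: one client rewriting many distinct files on a share within minutes. As an added example, not code from CrowdStrike or from the article, this Python sketch runs that check over constructed records modelled on the fields of Windows Security event 5145 (network share object access, logged when the "Audit Detailed File Share" subcategory is enabled); the threshold, window, IP addresses and file names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Access-mask bits as they appear in a real 5145 event (ReadData=0x1, WriteData=0x2).
READ_DATA = 0x1
WRITE_DATA = 0x2
BASE = datetime(2025, 6, 1, 3, 0, 0)  # constructed start time


def _event(seconds, ip, target, access):
    """Build one constructed record with the 5145 fields this check uses."""
    return {"time": BASE + timedelta(seconds=seconds), "ip": ip,
            "share": r"\\FS01\Finance", "target": target, "access": access}


# Constructed sample telemetry (not real data):
SAMPLE_EVENTS = (
    # one unmanaged client reads and rewrites every document in two minutes
    [_event(i * 2, "10.0.0.5", f"Q2\\report_{i}.xlsx", READ_DATA | WRITE_DATA)
     for i in range(60)]
    # an ordinary user editing a handful of files over an hour
    + [_event(i * 600, "10.0.0.9", f"Q2\\report_{i}.xlsx", READ_DATA | WRITE_DATA)
       for i in range(6)]
    # a backup job that only reads, widely
    + [_event(i * 300, "10.0.0.12", f"Q2\\report_{i}.xlsx", READ_DATA)
       for i in range(40)]
)


def remote_bulk_writers(events, threshold=50, window=timedelta(minutes=5)):
    """Return {client_ip: peak distinct files written inside any `window`}
    for clients whose peak reaches `threshold`. Reads are ignored so that
    backup and indexing jobs do not trip the check; a single client rewriting
    dozens of distinct files in minutes is the footprint of remote encryption."""
    per_client = defaultdict(list)
    for e in events:
        if e["access"] & WRITE_DATA:
            per_client[e["ip"]].append((e["time"], e["target"]))
    flagged = {}
    for ip, writes in per_client.items():
        writes.sort()
        seen = defaultdict(int)  # target -> occurrences inside the current window
        lo, best = 0, 0
        for t, target in writes:
            seen[target] += 1
            while writes[lo][0] < t - window:  # slide the window forward
                old = writes[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            best = max(best, len(seen))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in remote_bulk_writers(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} distinct files rewritten within 5 minutes")
```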
-
Anthropic’s Claude Code Security rollout is an industry wakeup call
When Anthropic launched a “limited research preview” of its Claude Code Security offering on Friday, Wall Street investors sent the stocks of the largest cybersecurity vendors plunging. But did the Anthropic rollout warrant such a reaction? After all, those companies, including CrowdStrike, Zscaler, Palo Alto Networks and Okta, are preparing their own agentic capabilities, and even if they weren’t, the code-checking capabilities promised by Anthropic are not initially a replacement for their functionality. “Code security is a vital piece of a cybersecurity program and overall tech stack, but far from the only one,” Justin Greis, CEO of consulting firm Acceligence, pointed out. “There’s no doubt that improving code security and enhancing the Secure Software Development Lifecycle (SDLC) and Product Development Lifecycle (PDLC) will strengthen an organization’s security posture, but it will not eliminate the need for tools and services like EDR/MDR, IAM, threat intel, and data protection.” He added, “However, this is a clear signal that the AI companies are going to continue to expand their use cases and analyze more and more data, code, and bring real insight and action to security organizations. The pace of their innovation is staggering and unprecedented.”
Keeps a human in the loop
However, Greis offered a warning to CISOs: “For those who blindly rely on any code scanning tool, AI or otherwise, to replace the fundamentals of good security practices and secure coding, this is your red blinking light to not outsource the very expertise that protects the value proposition of the product or service you’re developing. We must keep qualified humans in the loop and ensure we use AI as an accelerator, not a replacement for expertise,” he said.
Anthropic’s announcement stated, “Claude Code Security, a new capability built into Claude Code on the web” will “[scan] codebases for security vulnerabilities and suggest targeted software patches for human review, allowing teams to find and fix security issues that traditional methods often miss.” The rollout is limited, at least initially, Anthropic said. “We’re releasing it as a limited research preview to Enterprise and Team customers, with expedited access for maintainers of open-source repositories.” The company did not respond to a request for an interview.
Anticipating concerns that the code-checker will take over security functions rather than augment them, Anthropic stressed that it wants to keep humans in the loop. “Rather than scanning for known patterns, Claude Code Security reads and reasons about your code the way a human security researcher would: understanding how components interact, tracing how data moves through your application, and catching complex vulnerabilities that rule-based tools miss,” the announcement said. “Every finding goes through a multi-stage verification process before it reaches an analyst. Claude re-examines each result, attempting to prove or disprove its own findings and filter out false positives.” It noted that validated findings appear in the Claude Code Security dashboard, where teams can review them, inspect the suggested patches, and approve fixes. But, it said, “because these issues often involve nuances that are difficult to assess from source code alone, Claude also provides a confidence rating for each finding. Nothing is applied without human approval: Claude Code Security identifies problems and suggests solutions, but developers always make the call.”
Anchors security posture to the model
However, those assurances didn’t make all concerns evaporate.
“The moment those vibe coders plug a foundation model into their CI pipeline, their entire security posture is no longer anchored only to the company’s code,” I-Gentic AI CEO Zahra Timsah pointed out. “It is anchored to the current behavior of that model. Anthropic can update weights, adjust reasoning heuristics, refine safety layers, or change how semantic patterns are interpreted. None of that requires your approval. None of that triggers your internal change control. Your pipelines stay green. Your dashboards stay stable. But the engine defining what counts as a vulnerability has changed,” she said. “Anthropic is in full control. That means your secure codebase today could be evaluated under a different vulnerability boundary tomorrow without you touching a single line. This is outsourcing part of your security definition to an upstream probabilistic system you do not control.”
Outsourcing dependence is nothing new
But others have suggested that the security outsourcing has been gradually happening for years, starting with cloud operations and SaaS, then moving to cybersecurity firms that took increasing control of enterprise cyber operations, and finally to genAI and agentic vendors. Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, applauded the fact that Anthropic is at least giving lip service to humans overseeing the process, but, he noted, “this doesn’t mean that people will not cut corners in some cases and add yet another LLM with non-deterministic behavior to the existing problem of code generation by an LLM with non-deterministic behavior too.” An ever-present concern about both agentic and generative AI systems is their tendency to hallucinate, in addition to having other reliability challenges. But several cybersecurity specialists said that is nothing new, in that large security systems always have their fair share of false positives and false negatives.
Cybersecurity consultant Brian Levine, executive director of FormerGov, said the Wall Street reaction to Anthropic’s announcement could signal that investors “are recalibrating around the idea that AI‑native security might compress or even reorder parts of the stack. Whether that’s justified or just reflexive fear of disruption, it suggests that people now believe a foundation model could meaningfully compete with, or be more helpful than, traditional detection and analysis engines.”
A different category of analysis
If Anthropic can continue to deliver, it could mean an even more fundamental shift, he noted. “If a model can reason across sprawling codebases, correlate patterns that static tools miss, and do it continuously, that’s not incremental improvement, it may be a whole different category of analysis. It suggests a world where vulnerability discovery becomes less about signature libraries and more about adaptive interpretation,” Levine said. But he, like Timsah, is concerned about changes in the model impacting an organization’s security posture. “That’s the tradeoff,” he said. “Unprecedented analytical power paired with a new kind of dependency that security leaders will have to evaluate with clear heads.”
A single point of trust and a single point of failure
Joshua Woodruff, CEO of MassiveScale.AI, said he found the Anthropic move problematic, but not for what it might do to other security companies. He is mostly worried about the benefits to cyber attackers. “If Anthropic’s model found 500+ unknown high-severity vulns in open source projects, that means any attacker running a similar model can find those same vulns right now. Only no one’s reporting them. They’re exploiting them,” Woodruff said. “Vulnerability discovery just went asymmetric. Defenders get a tool that suggests patches for human review.
Attackers get a tool that finds zero-days at machine speed with no review step.” There’s another issue, he added: “If an AI agent finds the bug and suggests the fix, who’s checking the patch? You’re trusting the same model to be both auditor and repair crew. No security team would ever let the same person find the vulnerability and write the fix without some sort of independent review. But that’s exactly what happens if teams treat human review as a rubber stamp. The fix becomes the new attack surface.”
Ravid Circus, CPO at Seemplicity, agreed with Woodruff that the potential circular use of AI to both find the holes and fix them is a concern. “When the same AI writes the code, finds the vulnerabilities, and proposes the fix, you’ve created a single point of trust and a single point of failure. Compromise that and you don’t just introduce bugs, you potentially manufacture backdoors at scale,” Circus said. “I worry we’re about to see ‘We use Claude Security’ become the new checkbox, like SOC 2 badges or Zero Trust branding. The real question isn’t which AI you use. It’s whether your organization has the operational maturity to validate and govern what it tells you. ‘Claude said we’re secure’ cannot become a security posture.”
To be sure, Anthropic has had its own issues with cybersecurity recently, but few disagreed that what it has been delivering for code examination is impressive. The question is whether it will ultimately deliver better pricing, scalability, and reliability than existing partners, and how soon this could occur. In fact, another cyber executive, Gadi Evron, CEO of Knostic, argues that because the speed of innovation is moving far faster than most in the industry have ever seen, some organizations may not be re-evaluating AI offerings often enough. “It is moving so fast. People who tried [Anthropic’s offering] two months ago don’t understand how well it works now,” Evron said.
And, said Rock Lambros, director of AI security at Zenity, “as long as genAI remains non-deterministic, secure-at-generation will always have gaps and you’ll always need post-generation validation for something that can’t guarantee the same output twice. The real problem is that nobody is staffed, funded, or even scoped to govern the autonomous systems that are already deployed.” View the full article