Latest news with #Unit42


Axios
5 days ago
- Business
- Axios
Cybersecurity's dual AI reality: Hacks and defenses both turbocharged
Underestimate how quickly adversarial hackers are advancing in generative AI, and your company could be patient zero in an outbreak of AI-enabled cyberattacks. Overestimate that risk, and you could quickly blow millions of dollars only to realize you were preparing for the wrong thing. The big picture: That dichotomy has divided the cybersecurity industry into two competing narratives about how AI is transforming the threat landscape. One says defenders still have the upper hand. Cybercriminals lack the money and computing resources to build out AI-powered tools, and large language models (LLMs) have clear limitations in their ability to carry out offensive strikes. This leaves defenders with time to tap AI's potential for themselves. Then there's the darker view. Cybercriminals are already leaning on open-source LLMs to build tools that can scan internet-connected devices to see if they have vulnerabilities, discover zero-day bugs, and write malware. They're only going to get better, and quickly. Between the lines: While not everyone fits comfortably into one of those two camps, closed-door sessions at Black Hat and DEF CON last week made clear that the primary divide is over how much security execs or researchers expect generative AI tools to advance over the next year. Right now, models aren't the best at making human-like judgments, such as recognizing when legitimate tools are being abused for malicious purposes. And running a series of AI agents will require cybercriminals and nation-states to have enough resources to pay the cloud bills they rack up, Michael Sikorski, CTO of Palo Alto Networks' Unit 42 threat research team, told Axios. But LLMs are improving rapidly. Sikorski predicts that malicious hackers will use a victim organization's own AI agents to launch an attack after breaking into their infrastructure. The flip side: Executives told me the cybersecurity industry isn't as resilient to AI-driven workforce disruptions as they once believed. 
That means fewer humans and more AI playing defense against the expected wave of AI-powered attacks. During a presentation at DEF CON, a member of Anthropic's red team said its AI model, Claude, will "soon" be able to perform at the level of a senior security researcher. Driving the news: Several cybersecurity companies debuted advancements in AI agents at the Black Hat conference last week — signaling that cyber defenders could soon have the tools to catch up to adversarial hackers. Microsoft shared details about a prototype for a new agent that can automatically detect malware — although it's able to detect only 24% of malicious files as of now. Trend Micro released new AI-driven "digital twin" capabilities that let companies simulate real-world cyber threats in a safe environment walled off from their actual systems. Several companies and research teams also publicly released open-source tools that can automatically identify and patch vulnerabilities as part of the government-backed AI Cyber Challenge. Yes, but: Threat actors are now using those AI-enabled tools to speed up reconnaissance and dream up brand-new attack vectors for targeting each company, John Watters, CEO of iCounter and a former Mandiant executive, told Axios. That's different from the traditional methods, where hackers would exploit the same known vulnerability to target dozens of organizations. "The net effect is everybody becomes patient zero," Watters said. "The world's not prepared to deal with that." The intrigue: Open-source AI models have blown the door wide open for cybercriminals to build custom tools for vulnerability scanning and targeted reconnaissance. Many of these models have improved rapidly in the last year, and many attackers can now run these models solely on their own machines, without connecting to the internet, Shane Caldwell, principal research engineer at Dreadnode, which uses AI tools to test clients' systems, told Axios. 
The rise of reinforcement learning — a method where AI models learn and adapt through trial-and-error interactions with their environment — means attackers no longer need to rely on more resource-intensive, supervised training approaches to develop powerful tools. What's next: By next year, the threat landscape could be completely turned on its head, Watters warned.
Yahoo
5 days ago
- Business
- Yahoo
Financially motivated cluster a key player in ToolShell exploitation
This story was originally published on Cybersecurity Dive. A financially motivated threat actor has been involved in a cluster of activity linked to the ToolShell vulnerability in Microsoft SharePoint, researchers at Palo Alto Networks Unit 42 said Tuesday. The threat actor has developed a custom tool set that includes ransomware, deployment of a malicious backdoor called AK47C2, and loaders. Microsoft in July said the financially motivated actor was the third known entity involved in the exploitation of SharePoint. The threat activity targeting SharePoint was initially linked to China-backed nation-state actors Linen Typhoon and Violet Typhoon. However, Microsoft has also been tracking the financially motivated actor under the name Storm-2603. Unit 42 researchers say the financially motivated threat cluster, which it tracks as CL-CRI-1040, has a prior link to a LockBit 3.0 affiliate and has recently been operating a leak site called Warlock Client Leaked Data Show. The earliest version of the ransomware, known as AK47 or X2ANYLOCK, goes back to April. The ransomware is able to terminate several applications, encrypt specific files and drop ransom notes. Researchers admit, however, there could be some level of cooperation between the financially motivated threat activity and the nation-state hackers. The SharePoint exploitation has been among the most serious threat activity facing the United States in recent years. Several federal agencies in the U.S. were impacted by the hacking campaign, including the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services. Security researchers have confirmed at least 300 cases of compromise worldwide, though the vast majority of the targeted organizations have not disclosed any specific impacts.

Mid East Info
7 days ago
- Health
- Mid East Info
Platformization holds the key to shifting from treatment to prevention in healthcare
Signature Story: Healthcare industry Spokesperson: Tarek Abbas, Senior Director of Technical Solutions for EMEA South at Palo Alto Networks The cybersecurity risks in the healthcare sector are truly unique. While technology is critical to delivering improved patient care, healthcare organisations in the Middle East and around the world face a trivector of challenges; a vast attack surface, often out-of-date security software and the pressure of regulation. As a result, the stakes for security teams in the sector couldn't be higher. Looking from an attacker's perspective, the Unit 42 2025 Global Incident Response Report found that 70% of the incidents that Unit 42 responded to last year occurred on three or more attack surfaces. With many of these threats increasingly powered by AI, defending healthcare providers and systems requires a comprehensive, simplified and sophisticated security posture. But what measures can be taken to tackle these challenges? Platformization is the key to organisations being able to identify ways to consolidate, integrate and simplify security functions and vendors to reduce complexity and cost, while improving overall levels and outcomes of security. Alongside a focus on early detection and prevention, platformization provides healthcare institutions with the capabilities to effectively predict and defend against cyber threats. Investment is vital to counter these threats. The Gulf Cooperation Council (GCC) countries are making concerted efforts to boost their digital defences. By 2030, the cyber threat intelligence market in the Middle East is set to reach upwards of $31 billion, according to the World Economic Forum. The focus on cyber investment in recent years has been partially fuelled in response to attacks. Key sectors in the UAE faced an average of 50,000 cyberattacks daily in 2024, according to the country's cybersecurity authority. 
Focusing on an AI-powered approach to security and therefore freeing staff resources to solve strategic challenges is critical to tackling healthcare's most prevalent cybersecurity issues. Challenge #1: A vast attack surface From complex networks to unpatched devices – healthcare providers are often an open target – and if they're hit, they will be hit quickly. Unit 42 found that the speed of cyberattacks is increasing with attackers now exfiltrating data three times faster than in 2021. Specific to healthcare, a key issue is that while it used to just be the hospital itself that needed to be secure, with increased digitalisation and a move to the cloud, there is an increasing array of medical records, diagnostic results and Internet of Medical Things (IoMT) technology to consider too. Looking at devices in particular – from ultrasounds to wearables and implantable devices – it is said that by 2026, more than 70% of medical devices will be connected digitally, increasing the attack surface significantly. The result is that devices are getting connected faster than they can be properly protected, creating an epidemic of exposed devices carrying critical healthcare data. This is significant as Palo Alto Networks' 2024 report on 'The State of OT Security' revealed the estimated average cost of a single breach remediation for a connected asset (OT/Internet of Things (IoT)) is between US$10,000 and US$50,000. Phishing remains the #1 entry point across industries. With AI making phishing campaigns scalable and harder to detect and defend against, healthcare has to tackle this and the ever-expanding attack surface. Challenge #2: Out of date software Not only is the number of healthcare devices creating complexity, but the lack of up-to-date security software within healthcare devices is a particular problem. The lifecycle of devices is long and often the operating systems are not updated and security patches not applied. 
For example, there are still frequent instances of scanners and Magnetic Resonance Imaging (MRI) stations running on outdated software such as Windows 7 or Windows XP. The reality is that updating devices is complex, and too often dependent on the manufacturer of the device. For example, in a case where there were 100 imaging devices with a vulnerability, the manufacturers were required to connect to the device by using a fixed password, in order to do maintenance. However, with that fixed password publicly available in the device user guide, anyone within the hospital network could extract the files and access them. This is a common issue and it makes the devices very easy to exploit. From air filtration systems to the TVs in patient rooms, security policies are needed which can help to create a barrier against cyber attacks, before they even get in. Challenge #3: Regulation As in every industry today, those within healthcare have their eye on how incoming legislation may change compliance requirements. One area likely to receive increased regulatory attention is medical devices – a trend which will be especially pertinent for manufacturers. For example, the UAE introduced the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) in 2024. The legislation is designed to provide a comprehensive guide to healthcare entities and professionals for the regulation of the healthcare data in Abu Dhabi. The standard sets high levels of privacy and security of patients' data in line with international standards. In the context of regulation being developed globally, naturally, there are now dedicated companies that focus on digital public infrastructure (DPI), helping healthcare providers stay compliant with directives. But whilst these forms of specialised expertise are always important, the additional tools they require can add another layer of complexity to an organisation's overall security posture. 
Should the amount of security products in use become excessive, healthcare providers could not only encounter increased difficulties in guarding against cyber risks, but also managing compliance. Lastly, at an operational level, one of the fundamental issues regarding compliance for healthcare providers centres on cost. Whilst new regulations are imposed to protect organisations and their stakeholders, they also incur an added expense which can prove to be a massive headache for providers with restricted budgets. The solution: The healthcare industry is increasingly putting a focus on the prevention of disease as opposed to solely focusing on treatment, and security approaches should mirror this. It starts with an assessment. This could mean an organisation doing a tabletop exercise to gauge their response to a real-world cybersecurity incident. It could also involve creating a clear cartography of data and assets, making sure CISOs know how the organisation's devices are used, by who, how and why. But whilst these measures are beneficial for keeping up with adversaries, the priority for organisations should be geared towards staying one step ahead. This makes AI an essential component of cyber defense strategies, given its ability to proactively gather threat intelligence, detect incoming threats and most notably, guard against AI-based attacks – which have become increasingly prevalent in recent years. This also heightens the importance of recruiting personnel with the skillset to optimise and effectively manage the full benefits of AI-based defence systems. Equally, for organisations that have undertaken cyber risk assessments, what we often see come to light is a high number of security gaps from having too many disparate solutions. By focusing on identifying ways to consolidate, integrate and simplify security functions, organisations can improve overall levels of security without adding to the time needed to manage multiple providers. 
Considering the pressure on security teams today, a platformed approach will not only deliver a cutting-edge, state-of-the-art, AI-powered security posture, but will also leave organisations better able to allocate staff resources within security teams to strategic priorities for the business. Of course, budget is needed to do this, rather than the task continuing to be for security teams to do more with less. That said, through consolidation, every dollar spent will go that bit further.


Axios
22-07-2025
- Axios
Microsoft hack risk spreads as cybercriminals and nation-states pile in
A critical flaw in a major Microsoft document storage tool is hitting the organizations least able to defend themselves, security researchers and incident responders tell Axios. Why it matters: Schools, hospitals and government agencies are "sitting ducks" as they determine whether their servers have even been affected, one security executive said. Hackers are rushing into the breach, including groups linked to the Chinese government. Driving the news: Microsoft warned over the weekend of "active attacks" targeting a "zero-day" vulnerability in its on-premise SharePoint server. Today, the company said it has observed at least three China-based hacking groups, including two tied to the government, exploiting the vulnerability since as early as July 7. Charles Carmakal, CTO at Google's Mandiant, added that multiple threat groups are also now exploiting the bug. The Cybersecurity and Infrastructure Security Agency confirmed that attackers could exploit the bug to gain access to sensitive files or execute code remotely. At least one estimate puts the number of already compromised organizations near 100. The Washington Post reports that victims include state and federal agencies, universities, an energy company, and an Asian telecommunications firm. "It's not one specific group that is going to be doing the hacking of this anymore," Michael Sikorski, CTO at Palo Alto Networks' Unit 42 threat intelligence team, told Axios. "Everybody's getting on the train." The big picture: Security teams will likely spend weeks, even months, unpacking the full scope of the breach and what damage is still to come. Researchers say the hackers have been stealing machine keys from targeted entities, which will allow them to keep breaking into the organizations even after they patch the SharePoint issue. 
"Because the attack blends in with just normal, legitimate activity, it's quite hard to detect what's unusual and what's atypical," Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers, told Axios. Zoom in: Sikorski said Unit 42 is actively working with Microsoft to notify affected entities, but many victims likely still don't know they've been hit. "For those organizations that don't have a threat detection or red team capability built in, they are undoubtedly going to be at a longer time of risk for this because they just don't have the visibility," McGladrey said. Between the lines: The flaw mostly threatens legacy SharePoint systems still used by smaller public-sector entities and critical-infrastructure operators. Those organizations are unlikely to have the resources to quickly spin up their own investigations and response teams, Sikorski said. "That's the scary part," Sikorski said. "Not only are they sitting ducks, but they don't have the capability to deal with it." The intrigue: While Microsoft released a patch Monday to fix the issue in all affected versions of SharePoint, even patched systems may not be fully safe if attackers already gained entry, stole machine keys or installed new backdoors. What's next: Security experts say the SharePoint hacking activity will likely unfold in waves. Opportunistic hackers, such as cybercriminal gangs, will race to exploit exposed servers, aiming to steal login credentials, plant backdoors and deploy ransomware. Meanwhile, stealthier groups, including nation-state actors, will burrow into high-value organizations for the long haul, quietly stealing sensitive data and setting up persistent access that could go undetected for months.


Daily Mail
21-07-2025
- Daily Mail
Microsoft hack exposes US agencies and energy giants globally
Dozens of US government agencies and businesses are under attack following an unprecedented global hack on Microsoft servers. Authorities are investigating after tens of thousands of SharePoint servers were compromised in the last few days, The Washington Post reports. The platform is used to share and manage documents. They remain at risk as Microsoft is yet to fix the flaw, per the outlet. Users are being urged to take the servers offline or make changes to the SharePoint programs to protect themselves. 'Microsoft has provided security updates and encourages customers to install them,' a spokesman said. 'We've been coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response.' The cyber attack does not target cloud-based services, such as Microsoft 365, and only impacts those housed within an organization. At least two federal agencies have been breached, researchers told the Washington Post, although no further details were given. The breach is classed as a 'zero day' attack as it targets a previously unknown vulnerability. 'We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available,' Pete Renals, a senior manager with Palo Alto Networks' Unit 42, told the Washington Post. 'We have identified dozens of compromised organizations spanning both commercial and government sectors.' The hack is being investigated by the US government in partnership with officials in Australia and Canada. It is not yet clear who is responsible. The compromised servers frequently connect to vital services such as Outlook email and Teams, sparking fears sensitive data and passwords have been obtained. Microsoft said the hackers struck after it fixed a similar breach earlier this month by using a similar vulnerability.
'Microsoft is aware of active attacks targeting on-premises SharePoint Server customers exploiting a variant of CVE-2025-49706 which was addressed in July's Update Tuesday,' an alert to users on Saturday read. 'This vulnerability has been assigned CVE-2025-53770. This vulnerability applies to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted. A patch has been made available to mitigate CVE-2025-53770 in SharePoint Subscription Edition which customers should apply immediately.' Eye Security, a Netherlands-based company, told the Washington Post that the hackers may have gained access to keys which will allow them to hack again even after a fix, known as a patch, is issued. 'Pushing out a patch on Monday or Tuesday doesn't help anybody who's been compromised in the past 72 hours,' one researcher told the Washington Post. The Cybersecurity and Infrastructure Security Agency said it is working with Microsoft. 'CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,' acting executive assistant director for cybersecurity Chris Butera said. 'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.' The incident is the latest security breach for Microsoft, which was admonished for lapses in 2023 which allowed a Chinese hack of government emails, including those of former Commerce Secretary Gina Raimondo.