Security Boulevard

This is a news item roundup of privacy or privacy-related news items for 9 MAR 2025 - 15 MAR 2025. Information and summaries provided here are as-is for warranty purposes.

Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of user's devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.

TABLE OF CONTENTS

• Privacy Tip of the Week
• Surveillance Tech in the News
• Privacy Tools and Services
• • Privacy Services
• Vulnerabilities and Malware
• • Vulnerabilities
  • Malware
• Phishing and Scams
• • Phishing
  • Scams
• Service Providers' Privacy Practices
• Legislation/Regulations/Lawsuits
• • Lawsuits
  • Legislation and Regulation
• Data Breaches and Leaks
• • Data breaches

Privacy Tip of the Week

Clear your browser cookies regularly.

Surveillance Tech in the News

This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.

Data Broker Brags About Having Highly Detailed Personal Information on Nearly All Internet Users

Gizmodo

An owner of a data broker business brags and showcases his company's ability to deliver "personalized messaging at scale." Of course, personalized in this context means leveraging extensive amounts of data collected on people. The CEO claims that thanks to their "CoreAI" product/service/feature, they can leverage extreme personalized (and prediction) advertising for 91 percent of adults around the world.

The 200+ Sites an ICE Surveillance Contractor is Monitoring

404media

A contractor for ICE (and other US government agencies) has built a tool that facilitates pulling a target's publicly available data from various sources - which include social media networks, apps, and services. Most notably these include Bluesky, OnlyFans, Roblox, and various platforms owned/controlled by Meta (Instagram, Facebook). It can also reportedly pull data from sites geared towards specific demographics; for example, Black Planet, a social network for Black people.

More information on what sites this tool can pull from can be found on a Google Docs spreadsheet uploaded by 404media.

US lawmakers urge UK spy court to hold Apple ‘backdoor’ secret hearing in public

TechCrunch

This is yet another addition to the Apple vs secret order by the UK government saga. Various groups have called for Apple's official appeal to the UK order to be completed publicly, with US lawmakers now joining the chorus.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com

Privacy Services

Tuta Mail & Tuta Calendar Updates (+ What’s coming next)

Tuta

Tuta announces updates to Tuta Calendar; specifically, the introduction of advanced repeat rules and a three-day view. Tuta also shares planned updates "coming soon" to Tuta Mail.

Kagi Search introduces Privacy Pass authentication

AlternativeTo

Kagi officially rolls out Privacy Pass support for its Android app.

Telegram introduces Star Messages, cheaper user verification, Chromecast support, and more

AlternativeTo

Telegram introduces enhanced privacy controls for content creators and public figures. Telegram also implemented a detailed info page for users receiving a first-time message from outside their contacts list.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities

Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable

This week included Microsoft Patch Tuesday for March 2025. It included seven zero-day flaws, with six of them being exploited in the wild. Likely the most notable CVEs exploited in the wild for majority of users includes:

• CVE-2025-24985, a remote code execution vulnerability in the Windows Fast FAT File System Driver. Has been exploited in the wild; requires the attacker to trick the user into mounting a specially crafted virtual hard disk.
• CVE-2025-26633, a security feature bypass in Microsoft Management Console. Confirmed exploited in the wild as a zero-day; requires a user to open a malicious file.

Apple discloses zero-day vulnerability, releases emergency patches

Cyberscoop

CVE-2025-24201. On March Patch Tuesday, Apple released emergency updates addressing an out-of-bounds write zero-day in WebKit. Maliciously crafted web content may be able to exploit this vulnerability to escape the Web Content sandbox and potentially take unauthorized actions on the affected device.

Apple disclosed this vulnerability was exploited in attacks on "specific targeted individuals" and described it as "extremely sophisticated."

The ESP32 Bluetooth Backdoor That Wasn’t

HACKADAY

This post stems from Tarlogic's claim of finding a "backdoor" (which is strong language) in ESP32, a bluetooth chip used in approximately 1 billion (and more) devices. The reality is, the original findings found undocumented commands - that were likely manufacturer debugging tools - shipped in the final, consumer-facing products. In theory, these could be abused for malicious actions.

Tarlogic received backlash for the panic induced from using "backdoor" in their findings and has since modified their reporting.

Research on iOS apps shows widespread exposure of secrets

MalwareBytes

Out of 156,000 examined iOS apps, more than 815,000 secrets were hard-coded into. These sensitive secrets included keys to cloud storage, APIs, and keys to payment processors. According to the researchers, "the average app's code exposed 5.1 and 71% of apps leak at least one secret."

While easy to file away as the app publisher's problem, hard-coded secrets to APIs and cloud storage could result in data breaches, which naturally have a direct effect on user privacy.

Malware

North Korean government hackers snuck spyware on Android app store

TechCrunch

APT threat actors associated with the North Korean government uploaded spyware "KoSpy" to Google Play. According to Lookout, these nation-state threat actors also tricked some users into downloading KoSpy in likely targeted attacks.

KoSpy collects sensitive information including (but not necessarily limited to) text messages, call logs, device location data, files/folders on device, keystrokes, Wi-Fi network details, and installed apps. It can...

The post Privacy Roundup: Week 11 of Year 2025 appeared first on Security Boulevard.

 

“Never underestimate the simplicity of the attackers, nor the gullibility of the victims.”

Cyberattacks don’t always rely on sophisticated exploits or advanced malware. In reality, many of the most successful breaches stem from simple tactics like phishing emails, social engineering, and exploiting basic security misconfigurations. Complexity isn’t a prerequisite for effectiveness — attackers often favor the path of least resistance.

Victims can be easily deceived or manipulated. People frequently fall for scams, phishing, and other attacks due to a lack of awareness, trust in seemingly legitimate sources, or simple human error. Even experienced individuals can be tricked when caught off guard.

This Immutable Cybersecurity Law is a reminder that cyber threats often succeed not because of advanced technology but because of human vulnerabilities — both in how attacks are executed and how victims respond. While advanced security measures are necessary, organizations and individuals should not overlook basic security practices or underestimate the effectiveness of simple attack methods. It also highlights the importance of user education and awareness in preventing successful attacks, as even the most sophisticated security systems can be compromised by human error or gullibility.

Attackers benefit when victims are overly trusting, untrained, or distracted — thereby susceptible to simple manipulations that appear obviously suspicious in hindsight. Human error and susceptibility to social engineering tactics continue to be significant vulnerabilities in cybersecurity, accounting for a majority of compromises.

Criminals, like everyone else, seek the easiest means to success. The rudimentary act of asking for login credentials or to install unfamiliar software sometimes works with very little deception effort. Despite the growing sophistication of cyber-attacks, simple and seemingly outdated methods can still be highly effective. Brute force attacks, with a list of commonly used passwords remains popular among cybercriminals, even though there have been widespread campaigns teaching users to not rely on such predictable secrets.

Cybersecurity must address low-tech attack methods and human vulnerabilities which remain significant threats in the digital landscape. Behavioral and cognitive exploitation is fast, easy, and delivers results across a wide range of targets, including everyday users, employees, consumers, and executives. Even technical personnel are not immune. A recent scam targeted GitHib users, with a verification request to prove the user was not a robot — by having them press keyboard combinations which opened a PowerShell window, paste malicious code uploaded to the clipboard, and run the commands — leading to the users credentials harvested by malware. This successful attack targeted code developers — once again proving that technical savvy is not an immunity.

Cybersecurity must protect against the full range of attacks, from the complex to the absurdly simple, and not expect users will, without guidance and motivation, act in a defensive way.

The post Immutable Cybersecurity Law #12 appeared first on Security Boulevard.

Which One Do You Need for Your Software Dev Initiative? When businesses set out to build a software solution, one of the most common sources...Read More

The post Software Developer vs. Software Engineer appeared first on ISHIR | Software Development India.

The post Software Developer vs. Software Engineer appeared first on Security Boulevard.

A software programmer developed a way to use brute force to break the encryption of the notorious Akira ransomware using GPU compute power and enabling some victims of the Linux-focused variant of the malware to regain their encrypted data without having to pay a ransom.

The post New Akira Ransomware Decryptor Leans on Nvidia GPU Power appeared first on Security Boulevard.

Bedrock Security today revealed it has added generative artificial intelligence (GenAI) capabilities along with a metadata repository based on graph technologies to its data security platform.

The post Bedrock Security Embraces Generative AI and Graph Technologies to Improve Data Security appeared first on Security Boulevard.

Each Monday, the Tenable Exposure Management Academy will provide the practical, real-world guidance you need to shift from vulnerability management to exposure management. In our first blog in this new series, we get you started with an overview of the differences between the two and explore how cyber exposure management can benefit your organization. 

Traditional vulnerability management has always been about identifying and fixing vulnerabilities — hopefully as quickly as they arise. In practice, even with reasonable service level agreements (SLAs), IT usually has to mitigate those risks. But they’re not always placed at the top of the IT priority list, leaving open a window that attackers can use to gain a foothold. The growth in CVEs (in 2021, there were 20,161 new CVEs; by 2024, that figure had almost doubled to 40,077) has resulted in teams being overwhelmed chasing down vulnerabilities. But CVEs are only part of the picture. 

A report from the U.S. Cybersecurity and Infrastructure Security Agency reveals that 90% of initial access to critical infrastructure comes via identity compromise — like phishing, compromised passwords, identity systems and misconfigurations. Just as alarming, the Tenable Cloud Risk Report 2024 shows that 74% of organizations have publicly exposed storage assets, including those containing sensitive data. That same research found that 84% of organizations possess unused or longstanding access keys with critical or high severity excessive permissions, which creates a significant security gap.

Faced with these challenges, most security leaders lack a cohesive, enterprise-wide understanding of risk. As new technologies are regularly adopted, they come accompanied by new threats. In response, most security teams simply add a new siloed security tool and team to defend that new attack surface. As a result, security has become disjointed. And, although vulnerability management is a critical ingredient in cybersecurity, it only looks at a portion of preventable risk. The end result is fragmented visibility with gaps that leave organizations vulnerable. 

This is where exposure management comes in. It gives security leaders the processes and technologies they need to continuously assess the accessibility, exploitability and criticality of digital assets across all systems, applications, devices, resources and identities. As a result, security leaders can proactively answer questions about their organization’s exposure risk. 

What is exposure management in cybersecurity?

If you explore risk-based exposure management vs. vulnerability management, you'll see an evolution that provides a more holistic, programmatic approach to cost-effective decision making. It breaks down silos and factors in findings such as the likelihood of attack, identity permissions, attack path viability and business criticality. This enables security teams to prioritize true exposure and mobilize responses to the most impactful risks first. And it means you can more readily handle those questions from the board. 

Exploring the security continuum

To understand where the importance of continuous exposure management fits in the context of your overall cybersecurity program, let’s explore the security continuum. 

Source: Tenable, March 2025

The breach line sits at the center. Everything to the right is the world of reactive security. In this case, attacks or breaches are already underway. To the left of the breach line is the world of proactive security. 

Reactive security is all about managing active threats and incidents. The goal is to minimize potential material impact. For this reason, the greater share of investment has gone into reactive security in recent years. 

But with more governing bodies now requiring disclosure of breaches, such as the U.S. Securities and Exchange Commission (SEC), the burden is changing. 

In addition to regulatory pressures, breaches are often accompanied by revenue impact, and incalculable damage to brand, customer loyalty and investor interest. All of this underscores the need for a more effective approach to proactive security, such as exposure management. 

As a result, exposure management is being embraced by a variety of organizations — from multinational telecommunications companies to public sector agencies — because it fights three core challenges that every organization faces:

• Siloed visibility of the attack surface: The attack surface has evolved, with vendors creating myriad tools that focus on specific technology domains, such as IT, cloud, identity, OT/IoT and apps. Each of these tools often handles a subset of potential risk — across vulnerabilities, misconfigurations or privileges. This siloed approach to attack surface management leaves visibility gaps that attackers can exploit. 
• Little context: Fragmented data also makes it impossible to understand the attacker’s perspective — the asset, identity and risk relationships that form viable attack pathways leading to crown jewel assets. The collection of tools also does little to help security leaders understand the potential material impact of exposures on revenue, business processes and mission-critical data.
• Inability to mobilize resources: Individual security tools provide a fragmented patchwork of remediation guidance and workflows, and limited ways to measure and communicate progress. As a result, it’s a significant challenge for security teams to figure out the best remediations as well as how and where to mobilize resources and track remediation status.

How exposure management helps

Exposure management helps by providing complete visibility into the attack surface and the critical context teams need to prioritize true business exposure. That means security teams are unburdened and can be more efficient while being less reactive. Let’s dig a bit deeper and explore how, in five steps, exposure management helps improve your security posture. 

Step 1: Know your attack surface

Exposure management platforms discover and aggregate asset data across the entire external and internal attack surface, including cloud, IT, OT, IoT, identities and applications, providing a holistic view of the attack surface.

Step 2: Identify all preventable risk

Exposure management detects the three preventable forms of exposure attackers use to gain initial access and move laterally: vulnerabilities, misconfigurations and excessive privileges. Security teams can quickly identify the assets that pose the greatest potential risk to the organization. 

Step 3: Align with business context

Asset tagging enables security staff to logically group assets across technology domains and align them with an important business function, service or process. Cyber exposure scores provide quick business-aligned views of exposure and show changes in exposure over time.

Step 4: Remediate true exposure

Detailed mapping of asset, identity and risk relationships reveal attack paths which lead to an organization’s crown jewels. This gives the security staff the attacker’s perspective, which is critical to separate noisy findings from true exposures that can have a material impact on the organization.

Step 5: Continuously optimize investments

The ability to quantify your overall cyber exposure score and compare it with the benchmark score of peers in your industry streamlines budget justification, while helping security leaders answer the critical question: “Are we secure?”

We explore each of these steps in more detail in the white paper “Attackers Don't Honor Silos: Five Steps to Prioritize True Business Exposure.”

By bridging and integrating people, process and technology across traditional silos, exposure management enhances collaboration and efficiency , and it frees security leaders and IT teams to focus on strategic initiatives rather than the latest crisis. 

Who can benefit from exposure management?

The benefits of exposure management can be transformative. Whether you’re a practitioner who’s stretched thin, a manager who struggles with understanding risk, or a C-level executive who worries about it all, exposure management can help.

• Security practitioners: The backbone of any security organization, practitioners do the heavy lifting. They’re notoriously self-sufficient, but they do need a couple of things: visibility into the attack surface and a unified view of all assets. This is what an exposure management platform brings to the table — making it simpler to prioritize remediating software vulnerabilities, misconfigurations and improperly assigned credential entitlements. 
• Security managers: Just a bit further up the chain, security managers need insight and context about threat exposures, assets and privileges to marshal resources across teams and handle their most pressing security needs. An exposure management platform provides the shared visibility and insights needed to drive better collaboration across teams and better utilize limited resources they have to remediate and respond.
• Security executives: CISOs, business information security officers (BISOs) and other security executives require accurate risk posture assessment to improve investment decisions, make decisions about insurability, meet regulatory and compliance requirements and drive organizational improvement. An exposure management platform provides actionable metrics to help security leaders measure, compare and communicate exposures and cyber risk reduction, not only to operations teams within IT and security, but also up and out to non-technical executives and operating teams throughout the enterprise. 

Takeaways

With so much noise in security, what you don’t do is as important (or even more important) as what you actually do.

Exposure management is an evolutionary approach and it’s being embraced across industries and geographies as a way to remove complexity, focus teams and understand the entire attack surface. It boils down to the unification of visibility, insight and action. 

Exposure management does require a shift in mindset — recognizing that not everything is critical and not all risks are created equal. This can be a challenge at first. But think about it: The everything-is-critical approach leads to burnout, inefficiency and more exposures. Exposure management lets you prioritize the things that matter most: the exposures that can have an actual impact on crown jewels and the organization.

When you embark on the exposure management journey, you’ll be part of an expanding community of security professionals who are blazing a new trail. Join them.

Watch: What is exposure management?

The post What Is Exposure Management and Why Does It Matter? appeared first on Security Boulevard.

I've chosen six new JDK 24 features that are particularly relevant and interesting for developers and those deploying Java.

The post Six JDK 24 Features You Should Know About appeared first on Azul | Better Java Performance, Superior Java Support.

The post Six JDK 24 Features You Should Know About appeared first on Security Boulevard.

How Cloud Monitor and Content Filter Provide Visibility, Safety, and Peace of Mind at an Independent School Windsor Schools, a specialized K-12 learning program in New Jersey, is dedicated to providing a safe and supportive learning environment for its students.  Soon after he started his role as IT Manager—and Windsor Schools’ sole technology staff member—Kyle ...

The post Windsor Schools’ Proactive Approach to Cybersecurity and Student Safety appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Windsor Schools’ Proactive Approach to Cybersecurity and Student Safety appeared first on Security Boulevard.

Frankfurt am Main, Germany, 17th March 2025, CyberNewsWire

The post European Cyber Report 2025: 137% more DDoS attacks than last year – what companies need to know appeared first on Security Boulevard.

In part one of our three part series with PlexTrac, we address the challenges of data overload in vulnerability remediation. Tom hosts Dahvid Schloss, co-founder and course creator at Emulated Criminals, and Dan DeCloss, CTO and founder of PlexTrac. They share their expertise on the key data and workflow hurdles that security teams face today. […]

The post Tackling Data Overload: Strategies for Effective Vulnerability Remediation appeared first on Shared Security Podcast.

The post Tackling Data Overload: Strategies for Effective Vulnerability Remediation appeared first on Security Boulevard.

In the world of cybersecurity awareness, phishing simulations have long been touted as the frontline defense against cyber threats. However, while they are instrumental, relying solely on these simulations can leave significant gaps in an organization’s security training program. At CybeReady, we understand that comprehensive preparedness requires a more holistic approach. The Limitations of Phishing […]

The post Why Only Phishing Simulations Are Not Enough appeared first on CybeReady.

The post Why Only Phishing Simulations Are Not Enough appeared first on Security Boulevard.

Authors/Presenters: Will Thomas & Morgan Brazier

Our thanks to Bsides Exeter, and the Presenters/Authors for publishing their timely Bsides Exeter Conference content. All brought to you via the organizations YouTube channel.

Permalink

The post BSides Exeter 2024 – Blue Track – Lessons From The ISOON Leaks appeared first on Security Boulevard.

Why Is Management of NHIs Integral for Dynamic Cloud Resources? How often have we heard about data leaks and security breaches? The frequency of such incidents highlights the pressing need for robust security measures. One such measure that often goes overlooked is the management of Non-Human Identities (NHIs), a critical component of cloud security. New […]

The post What are the best practices for managing NHIs with dynamic cloud resources? appeared first on Entro.

The post What are the best practices for managing NHIs with dynamic cloud resources? appeared first on Security Boulevard.

Are Your Cloud Security Architectures Adequate for NHI Protection? The spotlight is often on human identity protection. But have you ever considered the protection of Non-Human Identities (NHIs)? This is quickly becoming a critical point of discussion. But what exactly are NHIs, and why do they matter? NHIs are machine identities used in cybersecurity, created […]

The post How can cloud security architectures incorporate NHI protection? appeared first on Entro.

The post How can cloud security architectures incorporate NHI protection? appeared first on Security Boulevard.

How Crucial is Cloud Non-Human Identities Monitoring? Ever wondered how crucial it is to effectively monitor Non-Human Identities (NHIs) in the cloud? The need for high-grade cybersecurity measures has never been more apparent with the increasing reliance on cloud-based services across various industries. A pivotal aspect of these measures involves the management and careful oversight […]

The post Which tools are available for cloud-based NHI monitoring? appeared first on Entro.

The post Which tools are available for cloud-based NHI monitoring? appeared first on Security Boulevard.

Authors/Presenters: Sophia McCall

Our thanks to Bsides Exeter, and the Presenters/Authors for publishing their timely Bsides Exeter Conference content. All brought to you via the organizations YouTube channel.

Permalink

The post BSides Exeter 2024 – Blue Track – DFIR – Ctrl+Alt+Defeat: Using Threat Intelligence To Navigate The Cyber Battlefield appeared first on Security Boulevard.

(Re-posted from 47 Watch). The State Department, under the stewardship of Secretary Marco Rubio, has just dropped a bombshell determination that’s about as subtle as a foghorn in a library. You can/should review the Federal Register notice before continuing. There is a markdown formatted version of this on the 47 Watch knot. In a nutshell, […]

The post Call To Action: State Department Power Grab appeared first on rud.is.

The post Call To Action: State Department Power Grab appeared first on Security Boulevard.

Major breaches don’t start with hackers—they start with overlooked security gaps. Learn how to find and fix SaaS blind spots before they become attacks.

The post Breaches Often Start Where You Least Expect | Grip Security appeared first on Security Boulevard.

Invisible C2 — thanks to AI-powered techniques

Just about every cyberattack needs a Command and Control (C2) channel — a way for attackers to send instructions to compromised systems and receive stolen data. This gives us all a chance to see attacks that are putting us at risk.

LLMs can help attackers avoid signature based detection

Traditionally, C2 traffic might be disguised as normal web traffic, DNS queries, or go through known platforms like Slack or Telegram. Now, LLMs are helping attackers to even better hide C2 communications in plain sight and even to automate the decision-making on the attacker’s behalf, reducing or eliminating the need for C2. In this post, I explore how AI models can be used to obfuscate C2, making detection extremely challenging. Building off the last post about polymorphic attacks, I look at real examples, why updated approaches escape the detection of network security, and conclude by briefly examining how adaptive models might help.

Once again, this is not intended to be a DeepTempo pitch. Rather, I am examining advanced and emerging attack patterns in some depth. It is only by understanding today’s rapidly innovating adversaries that we can effectively respond.

The Emergence of AI-Covert Channels

Using well-known legitimate services for C2 is not new — “domain fronting” and “living off the land” have been around for a while. What LLMs add is flexibility and improved believability:

• Using AI APIs as C2: As detailed in my last blog, some malware authors have realized they can piggyback on AI APIs, including OpenAI to fetch instructions or code. To a defender, traffic to api.openai.com doesn’t raise an eyebrow, whereas traffic to an unknown IP would. The malware can ask the AI for instructions in natural language, effectively turning the AI into an unwitting proxy for the attacker.
• Natural Language Steganography: LLMs can generate human-like text that includes hidden instructions. For example, an attacker could prompt an LLM to produce an innocuous-looking email or document containing encoded commands, such as the first letter of each sentence or another pattern that the malware knows to parse. To a human or a standard scanner, the text looks legitimate (even meaningful). Only the malware knows that, say, “The weather is lovely today in Paris. News reports show markets are up.” actually encodes a command like “DOWNLOAD UPDATES”. This is textual steganography with the help of AI fluency.
• LLM-driven Autonomy: In an even more advanced twist, threat actors are experimenting with malware that delegates decision-making to an LLM. Instead of a human operator manually typing commands, the malware can consult an AI model for what to do next. A fascinating Proof-of-Concept by researchers at Deep Instinct showed an LLM acting as the brains of the operation — the malware would send the LLM a description of the situation, and the LLM would respond with an action to execute, effectively becoming an AI controller. This not only obfuscates C2, since the “controller” is an AI chat interface, but also speeds up attacks since there is no need to wait for human input.

These approaches result in C2 communications that are highly atypical for traditional detection: they might look like benign chatbot conversations or random text data, with no fixed signatures.

A useful pattern: BlackMamba’s ChatGPT C2

We introduced BlackMamba earlier as polymorphic malware; it’s also a poster child for AI-obfuscated C2. Here are a few ways that BlackMamba’s command and control works — and we are seeing similar approaches in the wild:

• Dynamic Payload Delivery: When BlackMamba wants to log keystrokes, it doesn’t carry a keylogger binary. Instead, it sends a query to ChatGPT’s API asking for a snippet of code to capture keystrokes (the exact query was likely crafted by the malware author). ChatGPT responds with a fresh code snippet, likely in Python or PowerShell, to perform keylogging.. BlackMamba then executes that snippet. The next time, for data exfiltration, it might ask ChatGPT for code to send data over HTTP. Each of these interactions is a command exchange, but it appears as normal Q&A with an AI.
• The hardest C2 to identify is no C2: in this case, there is no attacker IP or server domain to trace. The attacker interacts with ChatGPT or a jail broken equivalent initially, for instance, by setting up the prompt engineering such that the malware’s queries trigger certain responses. Essentially, the AI service acts as a broker between the attacker and malware.
• Relay servers: The idea of using a legitimate API such as ChatGPT could be applied, of course, to the use of relay servers. We’ve seen that technique in the wild recently. A hacker could broaden their attacks to develop a series of relay servers that are legitimate home servers or IoT controllers and then use those. This also eludes rules and behavioral-based indicators.

Another conceptual example: what if an attacker uses something like Twitter in combination with ChatGPT for C2? For instance, malware posts from your environment a tweet that looks like a random quote; at the same time, you have an LLM monitoring a Twitter feed and whenever it sees those patterns, it responds with a direct message containing commands encoded in a story. This is the sort of creativity unlocked by mixing AI with existing platforms. Similar approaches have already been undertaken with the use of stenography to hide messages and patterns in attacks.

Why LLM enabled C2 Confounds Traditional Defenses

Obfuscated C2 via LLMs creates a perfect storm for traditional network and host-based defenses:

• Encryption and Trusted Domains: Most AI API traffic is HTTPS, so security tools don’t see the payload. Instead, many tools rely on domain reputation and they see OpenAI or Azure or a similar public service as benign.
• Lack of Signatures: No fixed indicator like “the malware connects to 192.168.1.100 on port 4444.” The AI domain could be one of many. The content is dynamic natural language or code and lacks repetitive byte patterns. Network anomaly detection might pick up a machine suddenly talking to an API it never did before — but in an age where many apps call out to cloud APIs, this typically wouldn’t raise immediate flags, unless that network anomaly detection was able to look far enough back in time to see additional odd behaviors by that entity or by some class of entities. As machine learning systems today rarely look back beyond a handful of events, they are very unlikely to trigger such an alert.
• IDS/IPS Evasion: Traditional intrusion detection signatures might look for known C2 protocols such as specific HTTP patterns or plaintext keywords in traffic. Today’s AI-adapted C2 does not match these patterns. For example, an IDS may have a rule “alert on powershell keyword over HTTP”; however, this powershell keyword might appear only inside an encrypted AI response. Also — perhaps even simpler — the commands could be phrased differently each time, thus throwing off the pattern-matching system.
• Traffic Volume: While traditional rules and pattern matching ML often look for unexpected increases in traffic, more intelligent AI-enabled C2 can have lower traffic. Since more intelligent malware only calls the AI when it needs something, it might be sporadic and low-bandwidth. This “low and slow” approach is hard to differentiate from normal user behavior.
• Endpoint Blind Spots: It feels like some threat hunters prefer to start at the network and work out to the end point and some move in the opposite direction. So, what could an EDR see? A process, such as a script or an Office macro, makes outbound HTTPS calls to an allowed service and then spawns some system commands. Some EDRs might flag the system commands as suspicious, for example, flagging on “why is Word spawning cmd.exe?”. But if the malware injects into another process or uses a common process for execution, such as running commands through a trusted service binary, it gets harder to discern. Without understanding the longer context that an AI is instructing these actions, the EDR might just see a series of legitimate operations.
• No Operator Signatures: In many intrusions, human C2 has timing patterns or mistakes such as commands typed with certain typos, or working hours driving patterns. AI-driven C2 might be more consistent and continuous or unpredictable in timing. This removes some indicators that threat hunters look for, such as clusters of activity that suggest a human operator in a certain timezone.

Another angle: If an organization tries to block misuse of AI services, they face a dilemma. Blocking them outright might not be feasible if users rely on them for work. And how do you differentiate malicious vs legitimate usage? It gets very tricky unless you have content inspection or advanced AI to analyze the conversations. And to analyze the conversations you have to have the ability to see that conversation, over time, and potentially across contexts.

Defensive Outlook: Fighting AI with AI (again)

Countering AI-obfuscated C2 likely requires behavioral and AI-assisted detection — and more specifically deep learning:

• Network Anomaly Detection: tools could baseline what kind of external services each host typically talks to. If a desktop that never used AI APIs starts doing so, that’s worth an investigation, especially if combined with other context. Obviously existing anomaly detection systems have a reputation for enormous false positive rates.
• Endpoint Analysis of AI API Usage: On endpoints, enterprises might instrument or alert on specific library calls — for example, if a process loads an OpenAI SDK or if a PowerShell script starts doing web requests to known AI hostnames. These could be high-fidelity signals of something unusual since few business apps would dynamically query an AI from a macro or script. That said, each permutation will require another signature-based response.
• AI-enabled SOC — a little over hyped? A Security Operations Center could deploy its own LLMs and AI SOC tools to assist analysts. An analyst might ask an AI assistant: “I see process Y making this series of web requests and then executing commands, does this pattern match any known AI-based attack?” The AI might correlate it with known cases like BlackMamba or others from threat reports, accelerating threat hunting. That said, the innocuous phrase “does this pattern match” is a little trickier to make real than it appears. Will your LLM seek to match on IPs? How exactly will this matching occur? At DeepTempo, we do exactly this sort of matching, however to do so we first embed the logs in a “hyperspace” and compare across 768 dimensions and over 3k events. Users can then simply ask — give me the top 50 sequences like this sequence and the system will look for those sequences that look most similar. There is no querying involved — and crafting such a query in a traditional SIEM would be nearly impossible in any case.

The broader defensive strategy will likely involve adaptive policy. If AI-based C2 becomes rampant, organizations might restrict servers from accessing external AI services or require the use of internal approved AI with logging. Zero-trust principles should also be applied: just because a call is to OpenAI doesn’t mean it’s safe — we can enforce that only certain apps/users can make such calls.

And if we get as creative in imagining defenses to these sorts of imaginative attacks as the attackers are — then what about a deep learning solution that learns from all of the behaviors across all of the environments? I am reminded by Bentham’s theory of the panopticon. We are far from that utopia / dystopia. Today defenders attempt to share our understanding of what to look out for via rules and human-engineered ML systems. What if we also added a layer of deep learning that learned from all of us what is legitimate and hence could quickly discern what is problematic?

What to do now?

To counter obfuscated AI C2, security teams should update their threat models.

Maybe more importantly, you need to start a process now to wean yourself from a sole reliance on rules-based indicators. Experts from Darpa and others have been warning that using human written rules leaves us vulnerable to more advanced attacks.

And now surveys indicate that security professionals are increasingly concerned about AI-enabled attacks — for example, one study indicates that 74% believe they are already under attack, and a similar percentage admit they are likely unprepared.

https://gca.isa.org/blog/most-cybersecurity-teams-are-unprepared-for-ai-cyberattacks

As one of our larger users put it, we need to counter AI with deep learning and collective defense. And of course we agree!

In the next blog I plan to dive further into the ways AI is being used to obscure attacks and evade legacy approaches. Your feedback and suggestions are deeply appreciated. Thank you for reading.

Invisible C2 — thanks to AI-powered techniques was originally published in DeepTempo on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Invisible C2 — thanks to AI-powered techniques appeared first on Security Boulevard.

Do NHIs and Secret Management Play a Vital Role in Cloud Security? If you’ve found yourself grappling with this question, you’re not alone. Machine identities, known as Non-Human Identities (NHIs), are swiftly gaining traction in the world of cybersecurity. If managed effectively, they can play a critical role in enhancing cloud security and control. To […]

The post How do I troubleshoot common issues with NHI automation? appeared first on Entro.

The post How do I troubleshoot common issues with NHI automation? appeared first on Security Boulevard.