A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.
An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system of SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.
SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17, but has since removed that detail from the blog post.
“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.
The convoluted phrasing reignited criticism from threat researchers who have been tracking developments since SonicWall first reported the attack.
Attackers accessed a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.
“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs,” he added.
SonicWall customers have confronted a barrage of actively exploited vulnerabilities in SonicWall devices for years.
Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.
While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.
The company said it has notified all impacted customers, released tools to assist with threat detection and remediation and encouraged all customers to log in to the MySonicWall.com platform to check for potential exposure.
“Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure,” Dewhurst said.
“If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already,” he added. “If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”
SonicWall said it has implemented additional security hardening measures and is working with Mandiant to improve the security of its cloud infrastructure and monitoring systems.
The post SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal appeared first on CyberScoop.
A long-running theme in the use of adversarial AI since the advent of large language models has been the automation and enhancement of well-established hacking methods, rather than the creation of new ones.
That remains the case for much of OpenAI’s October threat report, which highlights how government agencies and the cybercriminal underground are opting to leverage AI to improve the efficiency or scale of their hacking tools and campaigns instead of reinventing the wheel.
“Repeatedly, and across different types of operations, the threat actors we banned were building AI into their existing workflows, rather than building new workflows around AI,” the report noted.
The majority of this activity still centers on familiar tasks like developing malware, command-and-control infrastructure, crafting more convincing spearphishing emails, and conducting reconnaissance on targeted people, organizations and technologies.
Still, the latest research from OpenAI’s threat intelligence team does reveal some intriguing data points on how different governments and scammers around the world are attempting to leverage LLM technology in their operations.
One cluster of accounts seemed to focus specifically on several niche subjects known to be particular areas of interest for Chinese intelligence agencies.
“The threat actors operating these accounts displayed hallmarks consistent with cyber operations conducted to service PRC intelligence requirements: Chinese language use and targeting of Taiwan’s semiconductor sector, U.S. academia and think tanks, and organizations associated with ethnic and political groups critical of the” Chinese government,” wrote authors Ben Nimmo, Kimo Bumanglag, Michael Flossman, Nathaniel Hartley, Lotus Ruan, Jack Stubbs and Albert Zhang.
According to OpenAI, the accounts also share technical overlaps with a publicly known Chinese cyber espionage group.
Perhaps unsatisfied with the American-made product, the accounts also seemed interested in querying ChatGPT with questions about how the same workflows could be established through DeepSeek — an alternative, open-weight Chinese model that may itself have been trained on a version of ChatGPT.
Another cluster of accounts likely tied to North Korea appeared to have taken a modular, factory-like approach to mining ChatGPT for offensive security insight. Each individual account was almost exclusively dedicated to exploring specific use cases, like building Chrome extensions to Safari for Apple App Store publication, configuring Windows Server VPNs, or developing macOS Finder extensions “rather than each account spanning multiple technical areas.”
OpenAI does not make any formal attribution to the North Korean government but notes that its services are blocked in the country and that the behavior of these accounts were “consistent” with the security community’s understanding of North Korean threat actors.
The company also identified other clusters tied to China that heavily used its platform to generate content for social media influence operations pushing pro-China sentiments to countries across the world. Some of the accounts have been loosely associated with a similar Chinese campaign called Spamouflage, though the OpenAI researchers did not make a formal connection.
The activity “shared behavioral traits similar to other China-origin covert influence operations, such as posting hashtags, images or videos disseminated by past operations and used stock images as profile photos or default social media handles, which made them easy to identify,” the researchers noted.
Another trait the campaign shares with Spamouflage is its seeming ineffectiveness.
“Most of the posts and social media accounts received minimal or no engagements. Often the only replies to or reposts of a post generated by this network on X and Instagram were by other social media accounts controlled by the operators of this network,” they added.
OpenAI’s report does not cover Sora 2, its AI video creation tool. The tool’s deepfaking and disinformation capabilities have been the subject of longstanding concern since last year when it was announced, and in the week since its release the invite-only app has already shown a frightening potential for distorting reality.
OpenAI also battles challenges from scammers who seek to use its products to automate or enhance online fraud schemes, ranging from lone actors refining their own personal scams to “scaled and persistent operators likely linked to organized crime groups.”
Most usage is unsurprising: basic research, translating phishing emails, and crafting content for influence campaigns.Yet, OpenAI’s research reveals that both state and non-state actors use AI as a development sandbox for malicious cyber activities and as an administrative tool to streamline their work.
One scam center likely located in Myanmar used ChatGPT “both to generate content for its fraudulent schemes and to conduct day-to-day business tasks,” like organizing schedules, writing internal announcements, assigning desks and living arrangements to workers and managing finances.
Others leveraged the tool in increasingly elaborate ways, like a Cambodian scam center that used it to generate “detailed” biographies for fake companies, executives and employees, then used the model to generate customized social media messages in those characters’ voices to make the scam appear more legitimate. In some cases, the same accounts returned to query ChatGPT on responses they received from target victims, indicating the scheme was somewhat successful.
Researchers also found an interesting dual-use dynamic: in addition to being used by scammers, many users look to ChatGPT for insight about potential scams they have encountered.
“We have seen evidence of people using ChatGPT to help them identify and avoid online scams millions of times a month; in every scam operation in this report, we have seen the model help people correctly identify the scam and advise them on appropriate safety measures,” the OpenAI researchers claimed, while estimating that the tool is “being used to identify scams up to three times more often than it is being used for scams.”
Because OpenAI claims its model rejected nearly all “outright malicious requests,” in many cases threat intelligence professionals are sifting through clusters and accounts that operate in the “gray zone,” pushing the model to fulfill requests that are dual use in nature and not strictly illegal or against terms of service. For example, a process for improving a tool debugging, cryptography, or browser development can “take on a different significance when repurposed by a threat actor.”
“The activity we observed generally involved making otherwise innocuous requests … and likely utilizing them outside of our platform for malicious purposes,” the authors note.
One example: a group of Russian-speaking cybercriminals attempted to use ChatGPT to develop and refine malware, but when those initial requests were rejected, they pivoted to “eliciting building-block code … which the threat actor then likely assembled into malicious workflows.”
The same actors also prompted the model for obfuscation code, crypter patterns and exfiltration tools that could just as easily be used by cybersecurity defenders, but in this case the threat actors actually posted about their activity on a Russian cybercriminal Telegram.
“These outputs are not inherently malicious, unless used in such a way by a threat actor outside of our platform,” the authors claimed.
The post OpenAI: Threat actors use us to be efficient, not make new tools appeared first on CyberScoop.
Three House Democrats questioned the Department of Homeland Security on Monday over a reported Immigration and Customs Enforcement contract with a spyware provider that they warn potentially “threatens Americans’ freedom of movement and freedom of speech.”
Their letter follows publication of a notice that ICE had lifted a stop-work order on a $2 million deal with Israeli spyware company Paragon Solutions, a contract that the Biden administration had frozen one year ago pending a review of its compliance with a spyware executive order.
Paragon is the maker of Graphite, and advertises it as having more safeguards than competitors that have received more public and legal scrutiny, such as NSO Group’s Pegasus, a claim researchers have challenged. A report earlier this year found suspected deployments of Graphite in countries across the globe, with targets including journalists and activists. WhatsApp also notified users this year about a Paragon-linked campaign targeting them. The tool can infect phones without its target having to click on any malicious lure, then mine data from them.
“Given the Trump Administration’s disregard for constitutional rights and civil liberties in pursuit of rapid mass deportation, we are seriously concerned that ICE will abuse Graphite software to target immigrants, people of color, and individuals who express opposition to ICE’s repeated attacks on the rule of law,” the three congressional Democrats, two of whom serve as ranking members of House Oversight and Government Reform subcommittees, wrote Monday.
The trio behind the letter are Reps. Summer Lee of Pennsylvania, top Democrat on the Subcommittee on Federal Law Enforcement; Ohio Rep. Shontel Brown, ranking member of the Subcommittee on Cybersecurity, Information Technology and Government Innovation; and Rep. Yassamin Ansari of Arizona.
Their letter pointed to two Supreme Court rulings — Riley v. California from 2014 and Carpenter v. United States from 2018 — that addressed warrantless surveillance of cellular data. “Allowing ICE to utilize spyware raises serious questions about whether ICE will respect Fourth Amendment protections against warrantless search and seizure for people residing in the U.S.,” the lawmakers wrote.
The trio also asked for communications and documents about ICE’s use of spyware, as well as legal discussions about ICE using spyware and its compliance with the 2023 Biden executive order. They also sought a list of data surveillance targets.
ICE’s surveillance tactics have long drawn attention, but they’ve gained more attention in the Trump administration, which has sought to vastly expand the agency. ICE has conducted raids that have often swept in U.S. citizens. Other federal contracting records have pointed to ICE’s intentions to develop a 24/7 social media surveillance regime.
DHS and ICE did not immediately answer requests for comment about the Democrats’ letter. ICE has not provided answers about the contract in other media inquiries.
404 Media is suing for information about the ICE contract.
The post House Dems seek info about ICE spyware contract, wary of potential abuses appeared first on CyberScoop.
Tech experts and companies offering encrypted messaging services are warning that pending European regulation, which would grant governments broad authority to scan messages and content on personal devices for criminal activity, could spell “the end” of privacy in Europe.
The European Union will vote Oct. 14 on a legislative proposal from the Danish Presidency known as Chat Control — a law that would require mass scanning of user devices, for abusive or illegal material. Over the weekend, Signal warned that Germany — a longtime opponent and bulwark against the proposal — may now move to vote in favor, giving the measure the support needed to pass into law.
On Monday, Signal CEO Meredith Whittaker warned that her company, which provides end-to-end encrypted communications services, could exit the European market entirely if the proposal is adopted.
“This could end private comms-[and] Signal-in the EU,” Whittaker wrote on BlueSky. “Time’s short and they’re counting on obscurity: please let German politicians know how horrifying their reversal would be.”
According to data privacy experts, Chat Control would require access to the contents of apps like Signal, Telegram, WhatsApp, Threema and others before messages are encrypted. While ostensibly aimed at criminal activity, experts say such features would also undermine and jeopardize the integrity of all other users’ encrypted communications, including journalists, human rights activists, political dissidents, domestic abuse survivors and other victims who rely on the technology for legitimate means.
The pending EU vote is the latest chapter in a decades-long battle between governments and digital privacy proponents about whether, and how, law enforcement should be granted access to encrypted communications in criminal or national security cases.
Supporters point to increasing use of encrypted communications by criminal organizations, child traffickers, and terrorist organizations, arguing that unrestricted encryption impedes law enforcement investigations, and that some means of “lawful access” to that information is technically feasible without imperiling privacy writ-large.
Privacy experts have long argued that there are no technically feasible ways to provide such services without creating a backdoor that could be abused by other bad actors, including foreign governments.
Whittaker reportedly told the German Press Agency that “given a choice between building a surveillance machine into Signal or leaving the market, we would leave the market,” while calling repeated claims from governments that such features could be implemented without weakening encryption “magical thinking that assumes you can create a backdoor that only the good guys can access.”
The Chaos Computer Club, an association of more than 7,000 European hackers, has also opposed the measure, saying its efforts to reach out to Germany’s Home Office, Justice Department and Digital Minister Karsten Wildberger for clarity on the country’s position ahead of the Chat Control vote have been met with “silence” and “stonewalling.”
The association and U.S.-based privacy groups like the Electronic Frontier Foundation have argued that the client-side scanning technology that the EU would implement is error-prone and “invasive.”
“If the government has access to one of the ‘ends’ of an end-to-end encrypted communication, that communication is no longer safe and secure,” wrote EFF’s Thorin Klowsowski.
Beyond the damage Chat Control could cause to privacy, the Chaos Computer Club worried that its adoption by the EU might embolden other countries to pursue similar rules, threatening encryption worldwide.
“If such a law on chat control is introduced, we will not only pay with the loss of our privacy,” Elina Eickstädt, spokesperson for the Chaos Computer Club, said in a statement. “We will also open the floodgates to attacks on secure communications infrastructure.”
The Danish proposal leaves open the potential to use AI technologies to scan user content, calling for such technologies “to be vetted with regard to their effectiveness, their impact on fundamental rights and risks to cybersecurity.”
Because Chat Control is publicly focused on curtailing child sexual abuse material (CSAM), the intital scanning will target both known and newly identified CSAM, focusing on images and internet links. For now, text and audio content, as well as scanning for evidence of grooming — a more difficult crime to define — are excluded.
Still, the Danish proposal specifies that scanning for grooming is “subject to … possible inclusion in the future through a review clause,” which would likely require even more intrusive monitoring of text, audio and video conversations.
It also calls for “specific safeguards applying to technologies for detection in services using end-to-end encryption” but does not specify what those safeguards would be or how they would surmount the technical challenges laid out by digital privacy experts.
The post Potential EU law sparks global concerns over end-to-end encryption for messaging apps appeared first on CyberScoop.
When security researchers issued warnings about the Salesloft Drift issues last month, two prominent cybersecurity companies found themselves facing the same threat — but their stories ended up unfolding in different ways.
Okta and Zscaler, among the larger players in the identity management space, were among the more than 700 Drift customers targeted in what has become one of the most significant supply chain attacks of the year. Within a week of Google security researchers’ warning about the incident, which targeted the widespread theft of Salesforce customer data, both companies went to work in figuring out how bad the damage would be.
The companies had very different experiences. While Okta’s security measures thwarted any lasting damage, Zscaler wasn’t as lucky, having to deal with unauthorized access of both customer and internal company data. Same threat actor. Same timeline. Opposite outcomes.
The divergence in incidents and responses offers a rare opportunity to understand how a cybersecurity strategy works in action. CyberScoop spoke with the security leaders of both companies to learn about how the attack went down from those directly in its crosshairs, and lessons learned that could bolster defenses of their companies and others going forward.
Salesloft hasn’t publicly released a comprehensive root-cause analysis into the attack, but initial results of its investigation revealed a threat group gained access to its GitHub account as far back as March. The group, which Google tracks as UNC6395, achieved lateral movement and set up workflows in the Salesloft application environment before it accessed Drift’s Amazon Web Services environment and obtained OAuth tokens used by Drift customers.
Those tokens allowed the threat group to access and steal data from separate platforms integrated with Drift, an AI chat agent primarily used by sales teams. Google said the “widespread data theft campaign” occurred during a 10-day period in mid-August. Nearly 40 companies, including more than 20 cybersecurity vendors, have publicly disclosed they were caught up in the attack spree.
Zscaler received its first security alert from Salesforce a week after the data theft concluded, warning the security vendor that unauthorized IP addresses were using the application programming interface (API) for its Drift OAuth token. Zscaler immediately revoked the token, “even though it didn’t really matter by that point,” said Sam Curry, the company’s chief information security officer.
The damage was already done. Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases.
Since Okta uses Drift, it proactively hunted for signs of compromise when threat intel experts started warning about an issue with the service. The company found a “short burst of attempts” to use Drift tokens from locations outside of the manually configured IP range it set up for security purposes, David Bradbury, Okta’s chief security officer, told CyberScoop.
That control blocked the attack and kept Okta’s Drift integrations secure. Yet, many companies don’t take that approach because setting IP restrictions for API calls is a manual and often laborious process requiring input and support from every vendor in the supply chain.
“If we can put our minds to these problems, we can come up with solutions so that you can implement IP restrictions in a matter of clicks, rather than in a matter of days and weeks of continuous testing, and investigation and discovery,” Bradbury said.
Okta’s investigation revealed a seemingly automated threat campaign. “They were not persistent,” Bradbury said. “The hypothesis that we have at the moment is that there was a single significant script that was engineered that hit all of these all at once and pulled down all of this information in a series of events.”
Zscaler’s compromise was particularly frustrating given the timing: the company had already stopped using Drift in July, a decision completely unrelated to security — and made before any indicators of the attack campaign came to light.
“That OAuth token that was being used with [Drift] was still active,” Curry said. “It was due to be retired by the end of August,” he added, describing that decision as a deliberate delay to make sure the token was fully disconnected and no longer in use.
Salesloft hasn’t explained how the threat group accessed its GitHub account, nor how it accessed Drift’s AWS environment and ultimately obtained customers’ OAuth tokens.
“I don’t actually know how they got the tokens out. I just know they did,” Curry said. “As for how they store it, I don’t know internally, except that they passed our security questionnaire and probably hundreds, if not thousands of others” for third-party risk management, he added.
Okta also doesn’t know how the threat group accessed its Salesloft Drift OAuth token. That information would have to come from Salesloft, Bradbury said.
“The internet is connected by some very brittle, small pieces of information — these tokens that we constantly talk about, these combinations of letters and numbers in files that ultimately provide access to all of the applications that we use,” he said.
“Those tokens need to be stored somewhere, and sadly there are mechanisms in place right now which doesn’t necessitate actually tying these tokens directly to something — to prevent their reuse,” Bradbury added.
Most SaaS applications implement tokens and authentication in rather rudimentary means. “They’re doing what’s easy and what works, and what works is once you’ve granted access you’re actually storing these tokens somewhere,” he said.
While their experiences in the wake of the Salesloft Drift attacks were quite different, Bradbury and Curry shared similar reflections and took many like-minded lessons from the third-party compromise that impacted hundreds of companies.
“APIs are becoming a new highway of access that we need more control over, and we need better control of collectively,” Curry said. “APIs get wider in terms of what you can do with them, and you need the ability to monitor them and to put preventative controls on them to look for behavioral changes.”
Zscaler learned another lesson the hard way — the importance of limiting IP address ranges for API queries, and rotating tokens more frequently.
“For me, this wake-up call is saying API is a new attack-and-control plane that’s far more exposed than most people realize from just a simple risk exercise,” Curry said.
“There are no small vendors in an API-connected world. It’s just like — if you think about border security — there’s no small and insignificant ports of entry,” he added. “They all use the same highway systems.”
Bradbury, who is expectedly pleased Okta wasn’t impacted by this malicious campaign, can’t help but feel frustrated because he believes there are better, more secure methods to protect unauthorized token use. The central issue in this supply-chain attack could have been avoided with Demonstrating Proof of Possession (DPoP), a mechanism that can constrain token use to a specific client and prevent the use of stolen tokens, he said.
Once attackers steal tokens that can be reused without restriction, disastrous consequences await all, Bradbury added.
“We need to see more SaaS vendors actually prioritizing security features on their roadmap, not just the features that will result in customer growth and revenue,” he said.
Security leaders have an important role to play in demanding these changes from their vendors. “It’s about time that we started to use our collective ambitions to raise the bar for security to actually hold our vendors accountable,” Bradbury said.
Curry is taking a similar forward-looking approach. “Let’s learn from one another, instead of bayoneting the wounded,” he said.
“After the fact, in the cold light of day, we’ll all look at what happened,” Curry added. “I’m not interested in blame at this point. I’m interested in better security.”
The post Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks appeared first on CyberScoop.
Federal courts are upgrading their cybersecurity on a number of fronts, but multifactor authentication for the system that gives the public access to court data poses “unique challenges,” the Administrative Office of the United States Courts told Sen. Ron Wyden in a letter this week.
Wyden, D-Ore., wrote a scathing August letter to the Supreme Court in response to the latest major breach of the federal judiciary’s electronic case filing system. The director of the Administrative Office of the United States Courts responded on behalf of the Supreme Court.
It is “simply not the case” that the courts have, in the words of Wyden, “ignored” advice from experts on securing the Case Management/Electronic Case Files (CM/ECF) system, wrote Robert Conrad Jr., director of the office.
“Substantial planning for the modernization effort began in 2022, and we are now approaching the development and implementation phase of the project,” he wrote in the Sept. 30 letter. “We expect implementation will begin in the next two years in a modular and iterative manner.”
In recent years, the office has been testing technical components on its modernization effort, and is centralizing the operation of data standards to enable security, Conrad said.
Wyden took the office to task for not enabling phishing-resistant multifactor authentication (MFA). Conrad wrote that the office was in the process of rolling out MFA to the 5 million users of PACER, the public case data system.
“The Judiciary has unique challenges in implementing MFA due to the significant diversity of users,” he responded. “PACER users range from sophisticated, high-volume data aggregators and well-resourced law firms to journalists and ordinary citizens, to indigent litigants. All PACER users need access to court records, but some do not have traditional forms of MFA they can use. The design and implementation of our MFA implementation requires consideration of these unique needs.”
Wyden also took issue with the lack of public explanations about the series of court breaches. Conrad wrote that the breaches are “sensitive from both a law enforcement and national security perspective,” and need to be kept confidential, but noted that the courts have briefed congressional Judiciary, Appropriations and Intelligence committees on a classified basis.
“Even after back-to-back catastrophic hacks of the federal court system, Chief Justice [John Roberts] continues to stonewall Congress and cover up the judiciary’s gross negligence that has enabled these hacks,” Wyden said in response to the Conrad letter. “It is long past time for the courts to follow the same minimum cybersecurity standards as the executive branch, but since Chief Justice Roberts and the Judicial Conference refuse to set such requirements, Congress must step in and legislate.”
Court Watch was the first to report on the contents of the letter.
The post Federal judiciary touts cybersecurity work in wake of latest major breach appeared first on CyberScoop.
Login