Even after a fix was issued, lingering prompt injection risks in GitLab’s AI assistant might allow attackers to indirectly deliver developers malware, dirty links, and more.
from darkreading https://ift.tt/DcaNBTw
via IFTTT
News Feed
Centralize visibility of Kubernetes clusters across AWS Regions and accounts with EKS Dashboard
Today, we are announcing EKS Dashboard, a centralized display that enables cloud architects and cluster administrators to maintain organization-wide visibility across their Kubernetes clusters. With EKS Dashboard, customers can now monitor clusters deployed across different AWS Regions and accounts through a unified view, making it easier to track cluster inventory, assess compliance, and plan operational activities like version upgrades.
As organizations scale their Kubernetes deployments, they often run multiple clusters across different environments to enhance availability, ensure business continuity, or maintain data sovereignty. However, this distributed approach can make it challenging to maintain visibility and control, especially in decentralized setups spanning multiple Regions and accounts. Today, many customers resort to third-party tools for centralized cluster visibility, which adds complexity through identity and access setup, licensing costs, and maintenance overhead.
EKS Dashboard simplifies this experience by providing native dashboard capabilities within the AWS Console. The Dashboard provides insights into 3 different resources including clusters, managed node groups, and EKS add-ons, offering aggregated insights into cluster distribution by Region, account, version, support status, forecasted extended support EKS control plane costs, and cluster health metrics. Customers can drill down into specific data points with automatic filtering, enabling them to quickly identify and focus on clusters requiring attention.
Setting up EKS Dashboard
Customers can access the Dashboard in EKS console through AWS Organizations’ management and delegated administrator accounts. The setup process is straightforward and includes simply enabling trusted access as a one-time setup in the Amazon EKS console’s organizations settings page. Trusted access is available from the Dashboard settings page. Enabling trusted access will allow the management account to view the Dashboard. For more information on setup and configuration, see the official AWS Documentation.
A quick tour of EKS Dashboard
The dashboard provides both graphical, tabular, and map views of your Kubernetes clusters, with advanced filtering, and search capabilities. You can also export data for further analysis or custom reporting.
EKS Dashboard overview with key info about your clusters.
There is a wide variety of available widgets to help visualize your clusters.
You can visualize your managed node groups by instance type distribution, launch templates, AMI versions, and more
There is even a map view where you can see all of your clusters across the globe.
Beyond EKS clusters
EKS Dashboard isn’t limited to just Amazon EKS clusters; it can also provide visibility into connected Kubernetes clusters running on-premises or on other cloud providers. While connected clusters may have limited data fidelity compared to native Amazon EKS clusters, this capability enables truly unified visibility for organizations running hybrid or multi-cloud environments.
Available now
EKS Dashboard is available today in the US East (N. Virginia) Region and is able to aggregate data from all commercial AWS Regions. There is no additional charge for using the EKS Dashboard. To learn more, visit the Amazon EKS documentation.
This new capability demonstrates our continued commitment to simplifying Kubernetes operations for our customers, enabling them to focus on building and scaling their applications rather than managing infrastructure. We’re excited to see how customers use EKS Dashboard to enhance their Kubernetes operations.
from AWS News Blog https://ift.tt/KYkm3q9
via IFTTT
Configure System Integrity Protection (SIP) on Amazon EC2 Mac instances
I’m pleased to announce developers can now programmatically disable Apple System Integrity Protection (SIP) on their Amazon EC2 Mac instances. System Integrity Protection (SIP), also known as rootless, is a security feature introduced by Apple in OS X El Capitan (2015, version 10.11). It’s designed to protect the system from potentially harmful software by restricting the power of the root user account. SIP is enabled by default on macOS.
SIP safeguards the system by preventing modification of protected files and folders, restricting access to system-owned files and directories, and blocking unauthorized software from selecting a startup disk. The primary goal of SIP is to address the security risk linked to unrestricted root access, which could potentially allow malware to gain full control of a device with just one password or vulnerability. By implementing this protection, Apple aims to ensure a higher level of security for macOS users, especially considering that many users operate on administrative accounts with weak or no passwords.
While SIP provides excellent protection against malware for everyday use, developers might occasionally need to temporarily disable it for development and testing purposes. For instance, when creating a new device driver or system extension, disabling SIP is necessary to install and test the code. Additionally, SIP might block access to certain system settings required for your software to function properly. Temporarily disabling SIP grants you the necessary permissions to fine-tune programs for macOS. However, it’s crucial to remember that this is akin to briefly disabling the vault door for authorized maintenance, not leaving it permanently open.
Disabling SIP on a Mac requires physical access to the machine. You have to restart the machine in recovery mode, then disable SIP with the csrtutil command line tool, then restart the machine again.
Until today, you had to operate with the standard SIP settings on EC2 Mac instances. The physical access requirement and the need to boot in recovery mode made integrating SIP with the Amazon EC2 control plane and EC2 API challenging. But that’s no longer the case! You can now disable and re-enable SIP at will on your Amazon EC2 Mac instances. Let me show you how.
Let’s see how it works
Imagine I have an Amazon EC2 Mac instance started. It’s a mac2-m2.metal instance, running on an Apple silicon M2 processor. Disabling or enabling SIP is as straightforward as calling a new EC2 API: CreateMacSystemIntegrityProtectionModificationTask. This API is asynchronous; it starts the process of changing the SIP status on your instance. You can monitor progress using another new EC2 API: DescribeMacModificationTasks. All I need to know is the instance ID of the machine I want to work with.
Prerequisites
On Apple silicon based EC2 Mac instances and more recent type of machines, before calling the new EC2 API, I must set the ec2-user user password and enable secure token for that user on macOS. This requires connecting to the machine and typing two commands in the terminal.
# on the target EC2 Mac instance
# Set a password for the ec2-user user
~ % sudo /usr/bin/dscl . -passwd /Users/ec2-user
New Password: (MyNewPassw0rd)
# Enable secure token, with the same password, for the ec2-user
# old password is the one you just set with dscl
~ % sysadminctl -newPassword MyNewPassw0rd -oldPassword MyNewPassw0rd
2025-03-05 13:16:57.261 sysadminctl[3993:3033024] Attempting to change password for ec2-user…
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] SecKeychainCopyLogin returned -25294
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] Failed to update keychain password (-25294)
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] - Done
# The error about the KeyChain is expected. I never connected with the GUI on this machine, so the Login keychain does not exist
# you can ignore this error. The command below shows the list of keychains active in this session
~ % security list
"/Library/Keychains/System.keychain"
# Verify that the secure token is ENABLED
~ % sysadminctl -secureTokenStatus ec2-user
2025-03-05 13:18:12.456 sysadminctl[4017:3033614] Secure token is ENABLED for user ec2-user
Change the SIP status
I don’t need to connect to the machine to toggle the SIP status. I only need to know its instance ID. I open a terminal on my laptop and use the AWS Command Line Interface (AWS CLI) to retrieve the Amazon EC2 Mac instance ID.
aws ec2 describe-instances \
--query "Reservations[].Instances[?InstanceType == 'mac2-m2.metal' ].InstanceId" \
--output text
i-012a5de8da47bdff7Now, still from the terminal on my laptop, I disable SIP with the create-mac-system-integrity-protection-modification-task command:
echo '{"rootVolumeUsername":"ec2-user","rootVolumePassword":"MyNewPassw0rd"}' > tmpCredentials
aws ec2 create-mac-system-integrity-protection-modification-task \
--instance-id "i-012a5de8da47bdff7" \
--mac-credentials fileb://./tmpCredentials \
--mac-system-integrity-protection-status "disabled" && rm tmpCredentials
{
"macModificationTask": {
"instanceId": "i-012a5de8da47bdff7",
"macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
"macSystemIntegrityProtectionConfig": {},
"startTime": "2025-03-14T14:15:06Z",
"taskState": "pending",
"taskType": "sip-modification"
}
}After the task is started, I can check its status with the aws ec2 describe-mac-modification-tasks command.
{
"macModificationTasks": [
{
"instanceId": "i-012a5de8da47bdff7",
"macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
"macSystemIntegrityProtectionConfig": {
"debuggingRestrictions": "",
"dTraceRestrictions": "",
"filesystemProtections": "",
"kextSigning": "",
"nvramProtections": "",
"status": "disabled"
},
"startTime": "2025-03-14T14:15:06Z",
"tags": [],
"taskState": "in-progress",
"taskType": "sip-modification"
},
...The instance initiates the process and a series of reboots, during which it becomes unreachable. This process can take 60–90 minutes to complete. After that, when I see the status in the console becoming available again, I connect to the machine through SSH or EC2 Instance Connect, as usual.
➜ ~ ssh ec2-user@54.99.9.99
Warning: Permanently added '54.99.9.99' (ED25519) to the list of known hosts.
Last login: Mon Feb 26 08:52:42 2024 from 1.1.1.1
┌───┬──┐ __| __|_ )
│ ╷╭╯╷ │ _| ( /
│ └╮ │ ___|\___|___|
│ ╰─┼╯ │ Amazon EC2
└───┴──┘ macOS Sonoma 14.3.1
➜ ~ uname -a
Darwin Mac-mini.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:27 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T8103 arm64
➜ ~ csrutil --status
System Integrity Protection status: disabled.
When to disable SIP
Disabling SIP should be approached with caution because it opens up the system to potential security risks. However, as I mentioned in the introduction of this post, you might need to disable SIP when developing device drivers or kernel extensions for macOS. Some older applications might also not function correctly when SIP is enabled.
Disabling SIP is also required to turn off Spotlight indexing. Spotlight can help you quickly find apps, documents, emails and other items on your Mac. It’s very convenient on desktop machines, but not so much on a server. When there is no need to index your documents as they change, turning off Spotlight will release some CPU cycles and disk I/O.
Things to know
There are a couple of additional things to know about disabling SIP on Amazon EC2 Mac:
- Disabling SIP is available through the API and AWS SDKs, the AWS CLI, and the AWS Management Console.
- On Apple silicon, the setting is volume based. So if you replace the root volume, you need to disable SIP again. On Intel, the setting is Mac host based, so if you replace the root volume, SIP will still be disabled.
- After disabling SIP, it will be enabled again if you stop and start the instance. Rebooting an instance doesn’t change its SIP status.
- SIP status isn’t transferable between EBS volumes. This means SIP will be disabled again after you restore an instance from an EBS snapshot or if you create an AMI from an instance where SIP is enabled.
These new APIs are available in all Regions where Amazon EC2 Mac is available, at no additional cost. Try them today.
How is the News Blog doing? Take this 1 minute survey!
(This survey is hosted by an external company. AWS handles your information as described in the AWS Privacy Notice. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.)
from AWS News Blog https://ift.tt/UQr3GNL
via IFTTT
It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity
Database expert Dominik Tomicevic highlights the limitations of traditional cybersecurity defense methods and why knowledge graphs could be a better avenue for the CISO to pursue
Data shows that the global cost of cybercrime will soar by four trillion dollars over the next four years, rising from $9.2 trillion in 2024 to an estimated $13.9 trillion by 2028. Does this mean organizations must simply accept cyberattacks, malware, phishing, and other threats as endemic and ever-growing challenges?
Not necessarily. Greater vigilance and innovation in cybersecurity strategies can change the trajectory. While embracing digital technologies and the cloud has undeniably boosted convenience and productivity, it has also introduced significant vulnerabilities. Increasing reliance on open-source libraries to speed development—rather than building all code in-house—has, in turn, exposed organizations to new and serious risks.
Traditional cyber methods don’t work anymore
But the benefits are simply too great to ignore. The drive toward digital, online, and cloud-based operations is unstoppable, as is the growing reliance on externally sourced or AI-generated code. The problem is that most current cybersecurity methods fall short because they rely on models that are too rigid—both in how they represent the world and how they adapt to change. This is where developers we work with have identified a better way to help curb these dangers, at least to some extent.
The reason current systems of record for cyber vulnerabilities often falter is that they are built on the relational data model, which functions much like a “phonebook.” A phonebook offers a static, alphabetical list of individuals—but real life is far more complex, shaped by friendships, families, workgroups, rivalries, and constantly evolving relationships. Static models simply can’t capture the dynamic nature of modern digital environments.
Attackers understand this. They don’t exploit static lists—they target the living, breathing web of human connections. In other words, they aren’t studying organizational charts or formal hierarchies; they focus on the real-world links between people, creeping through systems to exploit user permissions not in isolation, but as gateways into broader networks.
This is why social engineering is so effective. If one person is compromised, who else might be vulnerable? What systems do they access? Who do they interact with daily? Attackers are disturbingly good at tracing these pathways—and exploiting them to devastating effect.
There’s another key limitation with the phonebook model—or more technically, with traditional relational approaches to cybersecurity: speed. Moving fast is essential, but modeling real-world complexity with relational databases requires many JOIN operations, which quickly become computationally expensive. In a multi-step attack, it might take 10 to 20 JOINs just to assemble a clear picture, and by then, the process could either time out or consume so many resources that it becomes impractical.
Trying to defend against adversaries who map and exploit dynamic relationship networks is incredibly challenging. A bad actor can quietly slip in a change request to open port 40 in a cloud security configuration, and in a highly connected system, that single move could silently unlock 1,000 other doors—with no clear way of knowing where they are.
The key element in the security war is relationships
That’s not just a vulnerability. That’s a nightmare. What’s becoming clear is this: a better way to understand the complex relationships and interdependencies within cyberspace could not only strengthen defensive postures, but also enable faster, more decisive action.
In response, more and more organizations—whether protecting their own systems or building cybersecurity solutions—are turning to graph-based approaches to model relationships and information. After all, every employee’s access to business services and systems creates a connection—a relationship—between individuals and the resources they use.
Player No 2 has entered the game
Which is why graph technology matters: it models systems clearly and powerfully by representing users, systems, and data as nodes, and the permissions and connections between them as edges. This “graph thinking” isn’t new—it’s exactly how attackers view your environment during penetration testing. They don’t see a flat network; they see a connected web of relationships and look for paths they can exploit to move laterally.
Graph technology allows defenders to adopt the same perspective before threats emerge. At its core, graph technology is about relationships—and whether it’s employees and devices, users and applications, or systems and services, a graph database can accurately capture the complex way your organization truly operates.
Crucially, graph technology doesn’t just deliver better visibility—it also dramatically improves speed of response. Because graphs eliminate the need for complex queries and costly JOIN operations, problems can be solved on a linear, not logarithmic, timescale. Connections can be mapped in seconds, not hours, giving security teams the clarity and agility they need to stay ahead of threats.
So where does AI fit into this picture? The next natural evolution is leveraging machine learning, AI, and advanced data techniques. A graph-based approach not only strengthens cybersecurity today, it also lays a powerful foundation for future AI initiatives, enabling faster, smarter, and more adaptive defenses.
The potential of a graph-based approach to navigating the intricate network of relationships that underpin cybersecurity challenges is immense. However, without adopting smarter, more adaptive cybersecurity strategies, both businesses and society will continue to fall behind in the relentless battle against cyber threats—threats that often understand our systems and vulnerabilities better than we do ourselves.
The author is the CEO of knowledge graph leader Memgraph
The post It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity first appeared on Cybersecurity Insiders.
The post It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity appeared first on Cybersecurity Insiders.
from Cybersecurity Insiders https://ift.tt/kDhscjp
via IFTTT
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.
For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers.
Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google subsidiary Jigsaw provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated and wrote about in April.
After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bear the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at a rate of approximately 585 million data packets per second.
“It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”
A graph depicting the 6.5 Tbps attack mitigated by Cloudflare in April 2025. Image: Cloudflare.
The Aisuru botnet comprises a globally-dispersed collection of hacked IoT devices, including routers, digital video recorders and other systems that are commandeered via default passwords or software vulnerabilities. As documented by researchers at QiAnXin XLab, the botnet was first identified in an August 2024 attack on a large gaming platform.
Aisuru reportedly went quiet after that exposure, only to reappear in November with even more firepower and software exploits. In a January 2025 report, XLab found the new and improved Aisuru (a.k.a. “Airashi“) had incorporated a previously unknown zero-day vulnerability in Cambium Networks cnPilot routers.
NOT FORKING AROUND
The people behind the Aisuru botnet have been peddling access to their DDoS machine in public Telegram chat channels that are closely monitored by multiple security firms. In August 2024, the botnet was rented out in subscription tiers ranging from $150 per day to $600 per week, offering attacks of up to two terabits per second.
“You may not attack any measurement walls, healthcare facilities, schools or government sites,” read a notice posted on Telegram by the Aisuru botnet owners in August 2024.
Interested parties were told to contact the Telegram handle “@yfork” to purchase a subscription. The account @yfork previously used the nickname “Forky,” an identity that has been posting to public DDoS-focused Telegram channels since 2021.
According to the FBI, Forky’s DDoS-for-hire domains have been seized in multiple law enforcement operations over the years. Last year, Forky said on Telegram he was selling the domain stresser[.]best, which saw its servers seized by the FBI in 2022 as part of an ongoing international law enforcement effort aimed at diminishing the supply of and demand for DDoS-for-hire services.
“The operator of this service, who calls himself ‘Forky,’ operates a Telegram channel to advertise features and communicate with current and prospective DDoS customers,” reads an FBI seizure warrant (PDF) issued for stresser[.]best. The FBI warrant stated that on the same day the seizures were announced, Forky posted a link to a story on this blog that detailed the domain seizure operation, adding the comment, “We are buying our new domains right now.”
A screenshot from the FBI’s seizure warrant for Forky’s DDoS-for-hire domains shows Forky announcing the resurrection of their service at new domains.
Approximately ten hours later, Forky posted again, including a screenshot of the stresser[.]best user dashboard, instructing customers to use their saved passwords for the old website on the new one.
A review of Forky’s posts to public Telegram channels — as indexed by the cyber intelligence firms Unit 221B and Flashpoint — reveals a 21-year-old individual who claims to reside in Brazil [full disclosure: Flashpoint is currently an advertiser on this blog].
Since late 2022, Forky’s posts have frequently promoted a DDoS mitigation company and ISP that he operates called botshield[.]io. The Botshield website is connected to a business entity registered in the United Kingdom called Botshield LTD, which lists a 21-year-old woman from Sao Paulo, Brazil as the director. Internet routing records indicate Botshield (AS213613) currently controls several hundred Internet addresses that were allocated to the company earlier this year.
Domaintools.com reports that botshield[.]io was registered in July 2022 to a Kaike Southier Leite in Sao Paulo. A LinkedIn profile by the same name says this individual is a network specialist from Brazil who works in “the planning and implementation of robust network infrastructures, with a focus on security, DDoS mitigation, colocation and cloud server services.”
MEET FORKY
Image: Jaclyn Vernace / Shutterstock.com.
In his posts to public Telegram chat channels, Forky has hardly attempted to conceal his whereabouts or identity. In countless chat conversations indexed by Unit 221B, Forky could be seen talking about everyday life in Brazil, often remarking on the extremely low or high prices in Brazil for a range of goods, from computer and networking gear to narcotics and food.
Reached via Telegram, Forky claimed he was “not involved in this type of illegal actions for years now,” and that the project had been taken over by other unspecified developers. Forky initially told KrebsOnSecurity he had been out of the botnet scene for years, only to concede this wasn’t true when presented with public posts on Telegram from late last year that clearly showed otherwise.
Forky denied being involved in the attack on KrebsOnSecurity, but acknowledged that he helped to develop and market the Aisuru botnet. Forky claims he is now merely a staff member for the Aisuru botnet team, and that he stopped running the botnet roughly two months ago after starting a family. Forky also said the woman named as director of Botshield is related to him.
Forky offered equivocal, evasive responses to a number of questions about the Aisuru botnet and his business endeavors. But on one point he was crystal clear:
“I have zero fear about you, the FBI, or Interpol,” Forky said, asserting that he is now almost entirely focused on their hosting business — Botshield.
Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.
DomainTools finds the same Sao Paulo street address in the registration records for botshield[.]io was used to register several other domains, including cant-mitigate[.]us. The email address in the WHOIS records for that domain is forkcontato@gmail.com, which DomainTools says was used to register the domain for the now-defunct DDoS-for-hire service stresser[.]us, one of the domains seized in the FBI’s 2023 crackdown.
On May 8, 2023, the U.S. Department of Justice announced the seizure of stresser[.]us, along with a dozen other domains offering DDoS services. The DOJ said ten of the 13 domains were reincarnations of services that were seized during a prior sweep in December, which targeted 48 top stresser services (also known as “booters”).
Forky claimed he could find out who attacked my site with Aisuru. But when pressed a day later on the question, Forky said he’d come up empty-handed.
“I tried to ask around, all the big guys are not retarded enough to attack you,” Forky explained in an interview on Telegram. “I didn’t have anything to do with it. But you are welcome to write the story and try to put the blame on me.”
THE GHOST OF MIRAI
The 6.3 Tbps attack last week caused no visible disruption to this site, in part because it was so brief — lasting approximately 45 seconds. DDoS attacks of such magnitude and brevity typically are produced when botnet operators wish to test or demonstrate their firepower for the benefit of potential buyers. Indeed, Google’s Menscher said it is likely that both the May 12 attack and the slightly larger 6.5 Tbps attack against Cloudflare last month were simply tests of the same botnet’s capabilities.
In many ways, the threat posed by the Aisuru/Airashi botnet is reminiscent of Mirai, an innovative IoT malware strain that emerged in the summer of 2016 and successfully out-competed virtually all other IoT malware strains in existence at the time.
As first revealed by KrebsOnSecurity in January 2017, the Mirai authors were two U.S. men who co-ran a DDoS mitigation service — even as they were selling far more lucrative DDoS-for-hire services using the most powerful botnet on the planet.
Less than a week after the Mirai botnet was used in a days-long DDoS against KrebsOnSecurity, the Mirai authors published the source code to their botnet so that they would not be the only ones in possession of it in the event of their arrest by federal investigators.
Ironically, the leaking of the Mirai source is precisely what led to the eventual unmasking and arrest of the Mirai authors, who went on to serve probation sentences that required them to consult with FBI investigators on DDoS investigations. But that leak also rapidly led to the creation of dozens of Mirai botnet clones, many of which were harnessed to fuel their own powerful DDoS-for-hire services.
Menscher told KrebsOnSecurity that as counterintuitive as it may sound, the Internet as a whole would probably be better off if the source code for Aisuru became public knowledge. After all, he said, the people behind Aisuru are in constant competition with other IoT botnet operators who are all striving to commandeer a finite number of vulnerable IoT devices globally.
Such a development would almost certainly cause a proliferation of Aisuru botnet clones, he said, but at least then the overall firepower from each individual botnet would be greatly diminished — or at least within range of the mitigation capabilities of most DDoS protection providers.
Barring a source code leak, Menscher said, it would be nice if someone published the full list of software exploits being used by the Aisuru operators to grow their botnet so quickly.
“Part of the reason Mirai was so dangerous was that it effectively took out competing botnets,” he said. “This attack somehow managed to compromise all these boxes that nobody else knows about. Ideally, we’d want to see that fragmented out, so that no [individual botnet operator] controls too much.”
from Krebs on Security https://ift.tt/SyKOPbW
via IFTTT
Fake Kling AI Malvertisements Lure Victims With False Promises
Researchers noted that they found several similar websites, two of which are still operating and require the same kind of behavior on behalf of the victim.
from darkreading https://ift.tt/ZkYq8VD
via IFTTT
Introducing the AWS Product Lifecycle page and AWS service availability updates
Today, we’re introducing the AWS Product Lifecycle page, a centralized resource that provides comprehensive information about service availability changes across AWS.
The new AWS Product Lifecycle page consolidates all service availability information in one convenient location. This dedicated resource offers detailed visibility into three key categories of changes: 1) services closing access to new customers, 2) services that have announced end of support, and 3) services that have reached their end of support date. For each service listed, you can access specific end-of-support dates, recommended migration paths, and links to relevant documentation, enabling more efficient planning for service transitions.
The AWS Product Lifecycle page helps you stay informed about changes that may affect your workloads and enables more efficient planning for service transitions. The centralized nature of this resource reduces the time and effort needed to track service lifecycle information, allowing you to focus more on your core business objectives and less on administrative overhead.
Today, you will find information on the new Product Lifecycle page about the services and capabilities availability updates summarized in the following paragraphs.
AWS service availability updates in 2025
After careful consideration, we’re announcing availability changes for a select group of AWS services and features. We understand that the decision to end support for a service or feature significantly impacts your operations. We approach such decisions only after thorough evaluation, and when end of support is necessary, we provide detailed guidance on available alternatives and comprehensive support for migration.
Services closing access to new customers
We’re closing access to new customers after June 20, 2025, for the following services or capabilities listed. Existing customers will be able to continue to use the service.
Services that have announced end of support
The following services will no longer be supported. To find out more about service specific end-of-support dates, as well as detailed migration information, please visit individual service documentation pages.
- Amazon Pinpoint
- AWS DMS Fleet Advisor
- AWS IQ
- AWS IoT Analytics
- AWS IoT Events
- AWS SimSpace Weaver
- AWS Panorama
- Amazon Inspector Classic
- Amazon Connect Voice ID
Services that have reached their end of support
The following services have reached their end of support date and can no longer be accessed:
- AWS Private 5G
- AWS DataSync Discovery
The AWS Product Lifecycle page is available and all the changes described in this post are listed on the new page now. We recommend that you bookmark this page and check out What’s New with AWS? for upcoming AWS service availability updates. For more information about using this new resource, contact us or your usual AWS Support contacts for specific guidance on transitioning affected workloads.
from AWS News Blog https://ift.tt/bsaEw2S
via IFTTT
Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery
A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in the Domain Name System (DNS) records.
The hijacked domains are then used to host URLs that direct users to scams and malware via traffic distribution systems (TDSes), according to
from The Hacker News https://ift.tt/9fSEl6v
via IFTTT
The End of VPNs — Part 2: Beyond the Buzz of Zero Trust
[Part 2 of 2 – Based on an interview with Zscaler CSO Deepen Desai]
By Holger Schulze, Cybersecurity Insiders
“Zero Trust isn’t a feature,” Deepen Desai told me during our RSA Conference interview. “It’s an architectural decision to stop trusting the network. You’re either enforcing that by design—or you’re pretending.”
In Part 1 of this series, we explored the failure of VPNs—how attackers exploit them, how they collapse under patching pressure, and how they expand risk instead of containing it. But our conversation in San Francisco didn’t stop at diagnosis. It turned toward what comes next.
The answer is Zero Trust. But not the watered-down, checkbox version.
“If your users connect and get placed on the network—even in the cloud—you’re not doing Zero Trust,” Desai said. “You’ve just moved your VPN to a new address.”
This isn’t about branding. It’s about architecture. And at Zscaler, that architecture is built on one foundational idea: attack surface reduction in the first place.
The Invisible Attack Surface
If the core flaw of VPNs is that they make applications reachable, then Zero Trust flips that completely. Desai described it as eliminating network presence altogether.
With Zscaler Private Access (ZPA), users never access the network. There is no IP assignment. No shared subnet. No inbound access to anything.
Instead, both users and applications establish outbound-only connections to the Zscaler Zero Trust Exchange. If identity, policy, and posture align, Zscaler stitches the user and app connections together.
“If you can scan the network, you’re on the network,” Desai said. “And if you’re on the network, the attacker can be too.”
This approach removes the need for VPN concentrators, inbound firewall rules, or exposed IPs. Applications go dark. And attackers can’t target what they can’t see.
The Philosophy That Replaces the Perimeter
At its core, Zero Trust is a framework built on three non-negotiable principles, defined by NIST and echoed in Zscaler’s architecture:
- Never trust, always verify
Every user, device, and workload must be authenticated and validated continuously—not just at login. Trust is not a location or a certificate. It’s earned, and it expires. - Enforce least-privilege access
Users don’t need broad network access—they need specific access to specific applications, at specific times. Permissions should be as narrow as possible, always. - Assume breach
Compromise is inevitable. The architecture must contain and isolate it. Lateral movement should not just be blocked—it should be impossible by design.
“Every one of those ideas breaks the legacy model,” Desai told me. “That’s why you can’t just rebrand your VPN and call it Zero Trust. It either enforces these tenets—or it doesn’t.”
At Zscaler, these principles are enforced not by firewalls, not by segmentation rules, but by the architecture itself. With ZPA, applications aren’t directly reachable, users aren’t on the network, and policies are enforced every time a connection is made.
From this foundation, the rollout begins.
The Four-Stage Shift to Zero Trust
Zscaler doesn’t advocate a forklift replacement of legacy systems. Instead, Desai laid out a four-stage adoption path—one that starts where the risk is highest and compounds benefit over time.
- Secure Internet Egress with ZIA
Before private apps, start with outbound traffic. Zscaler Internet Access (ZIA) enforces consistent policy and TLS inspection across all users—without backhauling traffic to a central datacenter.
This removes the need for on-prem proxies and applies protection close to the user. It’s the foundation that makes the rest of Zero Trust scalable.
- Replace Inbound VPN with ZPA
The next move is to eliminate VPN tunnels altogether. ZPA makes private applications invisible to the internet—no public IPs, no exposed services, no inbound firewall rules.
“It’s not just blocking access,” Desai said. “It’s removing the ability to even knock on the door.”
Access is determined by who the user is, what device they’re using, and what policy allows. Not where they’re connecting from or what network they’re on.
- Segment User to Application Access
This is where most organizations truly begin to understand the power of Zero Trust.
Instead of segmenting by subnet, VLAN, or NAC, Zscaler segments by user-to-app relationships. Policies are built around identity, not infrastructure. And Zscaler’s machine learning engine can detect real access patterns to suggest adaptive policies over time.
Desai shared one example where a customer believed they had 300 internal applications. Zscaler discovered over 10,000.
“You can’t segment what you don’t know exists,” he said. “But you also don’t have to do it all at once. Start with your crown jewels. Then isolate your riskiest users.”
That might include employees who routinely fail phishing simulations, users on unmanaged devices, or accounts showing anomalous behavior.
- Trap the Attacker Before the Damage Spreads
Even with segmentation in place, breaches happen. But Zero Trust doesn’t stop at prevention—it extends into containment.
Zscaler integrates deception directly into the access layer: decoy applications, seeded with breadcrumbs, are presented to users just like real apps. If touched, access to the real environment is immediately revoked—and the attacker is isolated.
“They don’t even know they’ve been shut out,” Desai said. “But they’ve already lost.”
This eliminates the lateral movement that VPNs so often enable—and turns the attacker’s playbook against them.
This is what makes Zero Trust more than prevention. It’s containment by design.
What Doesn’t Work: NAC and Cloud VPNs
Desai was unequivocal about what Zero Trust is not.
“Putting a VPN in the cloud doesn’t change what it does,” he told me. “If users still get placed on the network, you’ve changed the address, not the architecture.”
Network Access Control (NAC) solutions are equally limited. They may inspect device posture at the edge, but they can’t prevent what happens inside a session—especially if the attacker has valid credentials. They can’t block data exfiltration from within an approved connection. And they certainly can’t make applications invisible.
The Real Benefit: Simplicity That Scales
While the security benefits are clear, Desai pointed out that Zero Trust is also an operations win—especially for organizations struggling with VPN overhead.
According to the VPN Risk Report:
- 54% of security teams say VPNs cause recurring incidents
- 41% say they drain resources from higher-value projects
- ManpowerGroup cut 97% of remote access support tickets after moving to ZPA
“It’s not just your security team that benefits,” Desai said. “It’s your IT team. It’s your users. It’s your CFO who doesn’t want to keep buying concentrators or renewing patching contracts.”
When infrastructure goes away, complexity and resulting cost follows it out the door.
Making the Case to the Board
Desai wrapped our conversation with advice for CISOs working to bring Zero Trust to the boardroom. His recommendation: don’t talk about controls. Talk about containment.
“The question isn’t whether you’ll be breached,” he said. “It’s what happens next. VPNs let that breach spread. Zero Trust stops it where it starts.”
With VPNs, the breach spreads. With Zero Trust, the breach is contained—access is limited by default, and even successful compromise can’t move laterally.
Desai advises CISOs to lead with these three points:
- Zero Trust shrinks breach impact
- It scales with distributed users and cloud adoption
- It replaces assumptions with proof—every time a connection is made
In a security climate where prevention is imperfect, containment is king.
A Shift That’s Already Happening
According to the 2025 VPN Risk Report, the transition is already happening. 65% of organizations are moving away from VPNs. 81% are investing in Zero Trust architecture.
This isn’t about buzzwords. It’s about control.
“VPNs make you reachable,” Desai said as we stood to leave. “Zero Trust makes your network and applications invisible to attackers. That’s the future.”
The post The End of VPNs — Part 2: Beyond the Buzz of Zero Trust first appeared on Cybersecurity Insiders.
The post The End of VPNs — Part 2: Beyond the Buzz of Zero Trust appeared first on Cybersecurity Insiders.
from Cybersecurity Insiders https://ift.tt/pDOtJMx
via IFTTT
Engineering Calm in Crisis: Lessons from the Frontlines of Security
High-pressure incidents can be defining moments for organizations, demanding immediate, coordinated, and often high-stakes responses. In the realm of cybersecurity, where threats evolve rapidly and stakes include sensitive data, reputational damage, and financial loss, the pressure to act quickly is intense. While technical tools and expertise often take center stage in incident response, an equally critical and sometimes underestimated component is effective communication. As leadership expert Simon Sinek famously said, “Leadership is not about being in charge. It is about taking care of those in your charge.” In the heat of a cyber crisis, that care manifests through structured, empathetic, and timely communication that aligns teams, reduces confusion, and drives action.
This article explores practical communication strategies drawn from real-world incident response experiences to help security teams navigate the complexities of an active cyber crisis with clarity, calm, and confidence.
The Role of Communication in Cybersecurity Incidents
In cybersecurity, high-pressure incidents frequently involve fast-moving and complex threats such as ransomware outbreaks, data breaches, supply chain compromises, or insider threats. Each minute during an incident counts, delays in containment can amplify damage exponentially. The ability to communicate clearly both within technical teams and with non-technical stakeholders is crucial to mitigating impact and accelerating recovery.
Consider the handling of the 2020 SolarWinds supply chain compromise, often cited as a textbook example of effective crisis communication in cybersecurity. The victim organization faced a highly sophisticated attack that silently compromised thousands of customers. Rather than resorting to silence or obfuscation, the company published transparent, technically detailed blog posts outlining what was known about the attack, how it was being investigated, and practical mitigations customers could apply. Alongside public communications, internal teams maintained continuous updates and alignment across engineering, security, and leadership functions. This dual internal-external communication approach helped build customer trust and enabled rapid adoption of defensive measures, containing the damage faster than might otherwise have been possible.
Done right, communication transforms incident response from a frantic scramble into a coordinated, focused effort where everyone understands their role, priorities, and next steps. It establishes a rhythm and clarity that reduces panic, eliminates duplicative work, and enable swift decision-making.
Key Elements of Effective Communication During an Incident
Effective communication can make or break an organization’s response to a cybersecurity incident. The following core practices have proven vital in maintaining clarity, control, and confidence during high-pressure moments:
a. Structured Communication Cadence
One of the first lessons is to establish a predictable rhythm for communications. When uncertainty and chaos abound, a set cadence of updates brings much-needed stability. For example, during a ransomware outbreak at a global manufacturing company, the response team instituted two-hourly technical syncs where engineers shared progress on containment and forensics. Meanwhile, a separate briefing for executives occurred every four hours, providing strategic context and business impact summaries. This predictable cadence ensured tactical teams and decision-makers were aligned, and no critical information fell through the cracks.
Choosing appropriate communication channels and intervals is essential. For example, chat platforms work well for rapid-fire technical updates, while email or video calls suit broader leadership briefings. The key is consistency; team members should know when and where to expect updates.
b. Audience-Centric Messaging
Another fundamental principle is tailoring communication to the audience’s needs. Not all stakeholders require or want the same level of technical detail. For instance, during a cloud misconfiguration incident that exposed customer data, the security engineers needed detailed packet captures and logs to identify root causes and patch vulnerabilities. Meanwhile, the executive board required a concise summary outlining the incident’s impact, legal obligations, and remediation timelines.
In a real-world scenario, a financial services company experienced a similar breach where technical teams worked around the clock analyzing system logs and firewall rules. Simultaneously, the C-suite received simplified updates focusing on risk exposure, regulatory reporting deadlines, and customer notification plans. This bifurcated communication approach prevented information overload for executives and ensured engineers had the detailed data they needed to act decisively.
Crafting messages with clarity and purpose for each audience helps avoid confusion, reduces unnecessary alarm, and builds trust. Technical teams value accuracy and completeness, while leadership prioritizes business risk and next steps. Separating these messages and customizing tone and depth helps keep everyone informed and aligned without overwhelming anyone.
c. Cross-Functional Coordination
Cyber incidents ripple beyond the technical realm. They affect legal compliance, public relations, human resources, and customer experience teams. In a recent phishing attack targeting a multinational’s workforce, the incident response team ensured early involvement of HR to notify affected employees and assist with password resets. Legal counsel was looped in promptly to assess breach notification requirements under GDPR. Meanwhile, communications teams prepared customer-facing statements to manage external reputation.
Such cross-functional integration avoids conflicting messages, ensures regulatory compliance, and fosters a unified organizational response. Predefined roles and communication pathways, documented well before incidents occur, enable this coordination to happen smoothly under pressure.
d. Clear Escalation Paths
Time is the most precious resource during a cyber crisis, and ambiguity about decision-making authority can cost valuable minutes or hours. In one incident involving suspected data exfiltration, lack of a clear escalation matrix caused a six-hour delay before containment approvals were obtained. This delay extended the exposure window and increased damage.
Following that event, the company implemented a role-based decision tree that clearly defines who can authorize containment actions, legal escalations, or public disclosures at each incident severity level. This clarity reduced response latency in subsequent drills and real incidents alike, emphasizing the importance of predefined escalation paths in the communication plan.
e. Calm, Concise Communication Style
How information is communicated during a crisis influences team morale and effectiveness as much as what is communicated. During a distributed denial-of-service (DDoS) attack on a major retail platform, the incident commander kept all updates short, factual, and evenly toned, avoiding panic-inducing language. This steady tone helped the engineering teams remain focused on mitigation efforts without distraction, while leadership maintained a clear understanding of progress.
Training teams to communicate calmly and assertively rather than reactively or emotionally can significantly improve performance under pressure. Consistent messaging with a measured tone reduces misunderstandings and builds confidence in the response process.
Recap Putting Communication into Practice
To illustrate these principles, consider a mid-sized financial services company responding to a ransomware infection:
Structured Cadence: The incident manager set up hourly updates via group chat for technical responders, while business leaders received consolidated briefings every four hours via video conference.
Audience-Centric Messaging: Technical teams received detailed logs and mitigation steps, while executives got high-level summaries focusing on customer impact and regulatory notifications.
Cross-Functional Coordination: Legal and compliance teams joined briefings to advise on breach reporting timelines; customer support prepared scripts for incoming inquiries; HR alerted and supported affected employees.
Clear Escalation Paths: Predefined roles ensured that authorization for network isolation and public communications moved quickly from technical leads to CISO and then CEO without delay.
Calm, Concise Style: Incident communications remained steady and factual, avoiding speculation or alarmist language, which helped maintain team focus and stakeholder confidence.
This integrated communication approach allowed the company to contain the attack within 24 hours, minimize business disruption, and meet all regulatory obligations on time.
Conclusion
Senior engineering leaders must recognize that communication is as vital as the technical response during incidents. Clear, timely, and targeted communication helps contain threats, reduces confusion, and enhances decision-making. Structured updates, predefined escalation paths, and cross-functional alignment transform chaos into coordinated action. The tone and clarity set by leaders directly influence team performance under pressure. Communication is infrastructure, not just support, and must be woven into incident response plans to safeguard systems and maintain organizational trust.
The post Engineering Calm in Crisis: Lessons from the Frontlines of Security first appeared on Cybersecurity Insiders.
The post Engineering Calm in Crisis: Lessons from the Frontlines of Security appeared first on Cybersecurity Insiders.
from Cybersecurity Insiders https://ift.tt/SeHnrcN
via IFTTT