SAN FRANCISCO — Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable.

Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic.

“Over the next five to 10 years you’re going to see a Cambrian explosion of different cryptographic systems,” said Wesley Evans, a product manager for Cloudflare’s research team, referring to an evolutionary period with a rapid diversification of animal life that occurred roughly 540 million years ago. 

“Whether it’s nationalized cryptography out of South Korea [or] new standards from [the National Institute of Standards and Technology], this is a time to think about not just, ‘how am I doing my post-quantum migration?’ but ‘how am I doing my whole crypto-agility platform?’ and ‘how am I thinking through my audits and inventory?’” he said. 

“Harvest-now, decrypt-later” attacks already target data that must remain secret for decades, panelists said. Adversaries are stealing data like encrypted medical records or defense contracts and storing it on cheap cloud servers in hopes of unlocking them once quantum code-breaking matures.

Cloudflare, which routes roughly 20% of global web traffic, said it has spent eight years weaving post-quantum algorithms into its backbone. The company now secures more than 40% of its daily HTTPS requests with so-called hybrid handshakes that combine traditional RSA keys and newer lattice-based methods.

Executives described the rollout as intentionally low-profile. “Trillions of requests per day are already running across Cloudflare’s network in a post-quantum secure manner,” Evans said. “We did it without users noticing a speed decrease, performance impact or incurring any additional cost.”

IBM researchers, who develop quantum hardware as well as defensive tools, cautioned that this change could possibly take a decade before it’s the norm. 

“Moving to a new generation of cryptography, quantum-safe or otherwise, will take us roughly seven to 10 years, maybe longer,” said John Buselli, a business development executive and offering manager for IBM Quantum Safe, additionally pointing out that relics of older code, such as SHA-1, linger long after formal retirement.

NIST is finalizing a first batch of post-quantum algorithms, including the key-encapsulation mechanism known as ML-KEM. Cloudflare and browser makers have already adopted preliminary versions while awaiting NIST’s final parameters. Developers also wrap new keys inside legacy RSA exchanges to guard against unforeseen side-channel flaws.

Beyond mathematics, panelists emphasized logistics. Enterprises must inventory where encryption lives, from custom apps to vendor appliances, then gauge how quickly each layer can swap libraries. Much of that code is “black box,” owned by suppliers that set their own schedules.

“The rate of change is going to be determined by the least agile piece of infrastructure you have,” Buselli said, likening the process to mapping out all the connections in an infrastructure upgrade instead of addressing just a single security issue.

The panel also urged companies to fold cryptography into broader modernization budgets. Boards may balk at paying solely for an invisible security upgrade, they said, but will authorize spending tied to performance gains such as those seen with the newest TLS 1.3 protocol.

No panelist offered a firm deadline for full retirement of RSA and elliptic-curve keys. Instead they described “a long journey” marked by quiet iterations and cooperative testing across browsers, servers and chipmakers.

“Cryptography is a multi-party game,” Evans said. “You’ve got to work with everybody to make sure it’s secure for everyone.”

The post Quantum computer threat spurring quiet overhaul of internet security appeared first on CyberScoop.

from CyberScoop https://ift.tt/VdihU2J
via IFTTT

SAN FRANCISCO — North Korean nationals have infiltrated the employee ranks at top global companies more so than previously thought, maintaining a pervasive and potentially widening threat against IT infrastructure and sensitive data.

“There are hundreds of Fortune 500 organizations that have hired these North Korean IT workers,” Mandiant Consulting CTO Charles Carmakal said Tuesday during a media briefing at the RSAC 2025 Conference. 

“Literally every Fortune 500 company has at least dozens, if not hundreds, of applications for North Korean IT workers,” Carmakal said. “Nearly every CISO that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen.”

Google, which ranks eighth on the annual list of the top global companies by revenue, is caught up in this widespread threat, too. 

North Korean technical workers have been detected in Google’s talent pipeline as job candidates and applicants, but none have been hired by the company to date, said Iain Mulholland, senior director of security engineering at Google Cloud.

Threat hunters, insider risk management firms and security analysts continue to raise the alarm about North Korean nationals gaining employment at major corporations, highlighting the expansive ecosystem of tools, infrastructure and specialized talent North Korea’s regime has established for this effort.

The latest warnings and intel from Mandiant and Google constitute an escalation of this threat. Insider risk management firm DTEX recently told CyberScoop that 7% of its customer base, representing a fair cross-section of the Fortune 2000, have been infiltrated by North Korean operatives working as full-time employees with privileged access. 

The risk of North Korean nationals working for any large organization has moved from being a possibility to an outright assumption. “If you’re not seeing this, it’s because you’re not detecting it, not because it’s not happening to you,” Mulholland said.

“The way that we’ve watched them put IT workers in Fortune 500 companies has been astounding,” said Sandra Joyce, VP of Google Threat Intelligence. 

For now, this group of specialized North Koreans mostly earn money for the jobs they do and send their salaries back to Pyongyang. 

Carmakal said he was baffled by this scheme a few years ago, because it appeared to be a relatively small amount of money in play. But the money earned by North Korea’s regime has accumulated over time and now has the potential to generate substantial revenue.

A thousand IT workers earning six-figure salaries that are funneled back to the North Korean government works out to $100 million a year, and many of these operatives are working multiple jobs at different organizations concurrently, Carmakal said. 

“Most of this activity is generally a fundraising activity,” said John Hultquist, chief analyst at Google Threat Intelligence Group.

Yet, as more North Korean operatives gain employment for technical roles, the potential threat their access to critical systems presents has grown in kind.

“When they start getting rooted out, it can sort of break bad on you and then start breaking things,” Hultquist said. “We’ve already seen evidence of them doing that, especially when their jobs are essentially threatened.”

Pressure is coming in the form of lost wages. Many enterprises are now aware of the threat posed by North Korean IT workers, and companies are detecting and removing them from systems more quickly.

Mandiant observed a change in activity about six months ago, as North Korea shifted tactics and started extorting companies to supplement the wages it lost from outed employees. 

These extortion scenarios, which represent “a very small percentage of cases,” took on a few forms, Carmakal said. Former employees have followed up with their supervisors, threatening to leak data they had access to during their time of employment if the company didn’t pay their signing bonus or the last month of their salary.

In other cases, new personas sent emails to victim organizations claiming to be a threat actor that had broken into their network and stolen data. 

“As we looked at that sample of data that they took, we were able to tie that back to an investigation that we ran six months prior, and learned that that was the exact data that a suspected North Korean IT worker had taken from the company as part of their employment,” Carmakal said. 

“The concern that we have is that there’s always the potential that at some point in time, these actors that have taken data as part of their employment may publish it on the internet,” Carmakal said. “We haven’t seen it happen yet, but that’s the fear that most of these organizations have today.”

Damage could potentially come in even more destabilizing forms, including outright disruption of critical services or infrastructure. 

Mandiant has seen North Korea’s Reconnaissance General Bureau, which has been linked to previous destructive and disruptive attacks, using the same IP addresses as North Korean IT workers, Hultquist said. 

“There’s various technical connections there, and so I think it’s a very real threat,” he said. “Any place they get, they’re essentially in-house. So they can easily hand it over to the intelligence services, if they’re not literally monitoring everything they did, which I think is very, very possible as well.”

The post North Korean operatives have infiltrated hundreds of Fortune 500 companies appeared first on CyberScoop.

from CyberScoop https://ift.tt/eXDNciJ
via IFTTT

Attackers are having a field day with software defects in security devices, according to a new report released Wednesday by Mandiant 

Exploits were the most common initial infection vector, representing 1 of every 3 attacks in 2024, and the four most frequently exploited vulnerabilities were all contained in edge devices, such as VPNs, firewalls and routers, Mandiant said in its M-Trends report released Wednesday.

“Exploitation of these vulnerabilities represented slightly less than half of all observed vulnerability exploitation,” said Kirstie Failey, principal threat analyst at Google Threat Intelligence Group, under which the Mandiant brand operates.

Threat researchers and federal cyber authorities have been sounding the alarm about attacks targeting network edge devices for more than a year. Since 2024, security device exploits have resulted in attacks on government agencies and some of the most valuable publicly-traded companies in the world.

These lightweight devices and services are designed to improve defenses and prevent intrusions. Yet, because they don’t typically support third-party software, including endpoint detection and response capabilities, organizations are often caught off-guard when attackers gain access to their networks through a highly-privileged system.

“Three of the four vulnerabilities were first exploited as zero-days,” Mandiant said in the report. “While a broad selection of threat actors have recently targeted edge devices, Mandiant also specifically noted an increase in targeting from Russian and Chinese cyber espionage actors.”

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS, CVE-2024-3400, was the most frequently exploited defect across all of Mandiant’s incident response engagements last year. Mandiant said it observed one threat group exploit it as a zero-day, but malicious activities quickly escalated soon after.

Mandiant observed over a dozen threat groups exploiting the vulnerability within two weeks after Palo Alto Networks disclosed the CVE and published a proof-of-concept exploit code in April 2024. Among these was a Ransomhub affiliate, which used the vulnerability — rated a 10 on the CVSS scale — to gain initial access to organizations’ systems and launch a multifaceted extortion campaign.

The next most frequently exploited vulnerabilities in 2024 belong to a pair of defects — CVE-2023-46805 and CVE-2024-21887 — affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances, according to Mandiant. Ivanti disclosed the vulnerabilities in January a month after UNC5221, a suspected China state-sponsored espionage group, exploited the vulnerabilities in the wild as zero-days.

Attackers achieved unauthenticated arbitrary command execution on systems by chaining the vulnerabilities together, Mandiant said in the report.

By mid-January 2024, Mandiant observed UNC5135, a group with suspected links to Volt Typhoon, scanning Ivanti Connect Secure appliances but did not observe successful exploitation. Eight distinct clusters, including five suspected Chinese espionage groups, exploited one or more of the Ivanti vulnerabilities, including a third defect tracked as CVE-2024-21893 by April 2024.

An SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server, CVE-2023-48788, was the fourth-most frequently exploited vulnerability across all of Mandiant’s incident response engagements last year. 

A financially-motivated threat group exploited the vulnerability within two weeks of Fortinet’s disclosure in March 2024. At the back end of the year, in October and November, another financially motivated threat group tracked as FIN8 exploited the vulnerability to deploy ransomware and steal data.

“Mandiant observed dozens of organizations impacted by exploitation of these vulnerabilities, and our observations are almost certainly only a small fraction of the total number of organizations affected by this activity,” said Kelli Vanderlee, senior manager at Google Threat Intelligence Group. “These campaigns affected organizations across at least 13 industries, located in four different continents.”

Ransomware accounted for 21% of all Mandiant incident response activities last year. These ransomware-related attacks affected organizations in healthcare, local government, energy, technology, education and finance across the Americas, Europe, the Middle East, Asia Pacific and Japan, researchers said in the report.

Brute-force attacks, including password spraying, VPN compromise via default credentials and high-volume remote desktop protocol login attempts, were the most common initial access vector for ransomware attacks last year. Mandiant linked 26% of ransomware attacks to brute-force methods, 21% to stolen credentials, another 21% to exploits, 15% to prior compromise and 10% to third-party compromise.

Mandiant noted that potential deficiencies in enterprise logging and detection capabilities likely contributed to a considerable blind spot with respect to initial access vectors. The incident response firm was unable to determine an initial access vector for 34% of all intrusions.

Mandiant said its annual M-Trends report is based on 450,000 hours of incident response engagements throughout 2024.

The post Attackers hit security device defects hard in 2024 appeared first on CyberScoop.

from CyberScoop https://ift.tt/vuFf3TQ
via IFTTT

Last year, the escalating concerns about Chinese threat actors breaching U.S. organizations reached a crescendo as federal authorities issued increasingly urgent advisories about China’s “Typhoon” groups infiltrating U.S. networks, pressing organizations to take immediate action.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that these groups were engaged in a host of massive intrusions, ranging from infiltrating telecommunications networks and sensitive law enforcement communication platforms in order to preposition themselves on critical infrastructure networks to destroy or disrupt services.

Since late January, however, the U.S. government has issued few alerts about Chinese or other nation-state advanced persistent threat actors (APTs), including Russia, North Korea, and Iran. Experts say that despite the lack of warnings, it is more important than ever to stay alert against these groups, particularly given that rapidly developing artificial intelligence (AI) technologies have enabled defenders to spot these threat actors at machine speed and stop them in their tracks.

“Your ability to respond quickly is really important,” Alex Stamos, CISO at SentinelOne, told CyberScoop. “You can’t spend fifteen, twenty minutes for your security operations center analyst to go to the bathroom and then come back and look at an alert and to make a decision because the threat actors are already ten steps ahead of you.”

“Chinese threat actors are going for very large-scale operations,” Alon Schindel, VP of AI and threat research at Wiz, told CyberScoop. “AI can empower cybersecurity teams to walk faster and reduce the number of issues. You can reduce the remediation time. That’s the thing.”

AI brings it all together

Experts emphasize that AI’s real value in identifying and halting sophisticated threat actors lies in its capacity to process vast amounts of information across an organization’s tech surface. It can then correlate that data to identify and potentially thwart suspicious behavior swiftly. 

“AI is there to augment your efforts by tying in a lot of the disparate context or the context that’s lacking between different siloed systems,” Cristian Rodriguez, Americas Field CTO at CrowdStrike, told CyberScoop. “We are firm believers that AI helps bridge that gap across disparate data sources so that contextually there’s a better understanding of the steps that an adversary needs to take to be successful in their tradecraft.”

“To help and try to understand whether it is a real attack or whether it is just some other activity, whether it’s a false positive alert by a security product, you can use the context that you have from your actual production environment, from your code, and the threat detection products,” Schindel said. “You can feed an LLM with all this information, and within a few seconds, you can get a conclusion with a high level of confidence, whether it is a real attack or whether it is just a false positive or maybe some ordinary activity in your environment.”

Before AI, defenders had massive amounts of information compiled in different locations with little ability to tie events together occurring in different log sources across the tech stack. The logs did not traditionally go into a repository “that allows for hyper scaling and hyper analysis of what those data points mean when they’re put together,” Stamos said.

The cloud nexus is critical

Most experts agree that the increasing adoption of  cloud-based technologies is central to the problem of disparate data sources. As information moves between  cloud and on-premises systems,  it creates more avenues for threat actors to move around laterally within an organization.

“Very few companies have visibility across their cloud infrastructure and their on-premise tech in a way where they see all of it at the same time and detect and track a threat actor in real time across all of those different environments,” Stamos said. “And very few companies can respond fast enough.”

According to Stamos, this lack of visibility specifically benefits Chinese threat actors, notably in the Microsoft-based systems that dominate the enterprise sector’s cloud, security, and operating systems. “What [Chinese threat actors] have gotten very good at is chaining vulnerabilities across those three areas,” he said. “For example, you can have a cloud entry point where they can brute force a username and password.”

“That’s something that’s not getting logged, not getting alerted on,” Stamos said. “And so, they can just brute force for days until they find a user password pair that works for them and then use that against the VPN tied to Microsoft Active Directory, and then get onto the domain controller. Now, they can do a traditional domain controller attack. That’s not something you can do in the cloud; that’s only local.”

The combination of cloud-based technologies and stolen identities is at the crux of where AI can start shedding light on intrusions in a way that genuinely helps defenders. “AI can start to bring context around what are outliers within things like login attempts,” CrowdStrike’s Rodriguez said. 

“Using legitimate credentials to get into your environment in lieu of having to use malware, for example, which is very noisy,” is how most unauthorized intrusions occur, Rodriguez added. “AI can act as that opportunity for analysts to scale themselves across these large data sets to contextually understand outliers for login attempts and outliers for authorization across applications. Think of identity, think of what’s happening on your endpoints, and what happens in your cloud workloads. Those are all major data sources a defender must use when responding or analyzing an attack.”

Warning: AI systems themselves need protection

As beneficial as AI technologies might be in identifying and thwarting threat actors, experts warn that new LLM models and other AI technologies that defenders use to protect assets are themselves prized targets of threat actors. Even worse, these AI technologies can leak organizational secrets.

Chinese threat actors are “targeting these AI companies directly for their intellectual property, whether it’s ChatGPT, Gemini, all these new models,” Wiz’s Schindel said. “They are trying to steal information and then build their own versions that are based on what they stole as part of their threat operations.”

For some of these threat actors, “especially coming out of China and even North Korea, not only are they looking for or using identities, but they’re also looking for these custom large language models or any type of generative AI that you may be hosting within your own cloud services,” CrowdStrike’s Rodriguez said.

“The adversary is looking for misconfigured large language models and any type of other genAI that you may be hosting in your cloud because that can also act as an exfiltration point if they were to access those systems,” he added. “And you’ve inadvertently put sensitive information or IP into those systems. They can ultimately use some prompt engineering or even access to misconfigurations within those models to exfiltrate sensitive data.”

What can defenders do?

According to Stamos, very few organizations are currently using AI in a way that prepares them to tackle threats from sophisticated adversaries to provide real-time intervention. “Out of the Fortune 500, there are maybe 150 to 200 companies playing at that level,” he said.

Stamos said organizations “need to gather as much security telemetry as possible and have it in one data lake that can be queried quickly in real time. You’ve got to do that plumbing, and that’s hard.”

Rodriguez advises organizations to “secure your identities. That is number one. Ensure that you understand the identities that you have for these services, have things like multifactor authentication, and [see to it] that the privileges for these identities are regularly assessed to ensure that you’re not overextending access to any single or handful of identities within environments that are sitting in the cloud, for example.”

Even though using AI to battle Chinese and other threat actors is a complex and high-level task that might need experienced AI engineers to implement, Schindel says that most organizations can easily start the process without this kind of scarce talent. “The only thing you need is someone enthusiastic about AI on your team,” he said. “They don’t necessarily have any significant background with AI, just someone who can use it. These models are easy to use.”

The post AI can help defenders stop nation-state threat actors at machine speed appeared first on CyberScoop.

from CyberScoop https://ift.tt/VhbPvJC
via IFTTT

A Chinese state-sponsored hacking group has been observed using recently released open-source offensive security tools and other tactics in an effort to blend in with more common cybercriminal activity.

The group, UNC5174, is an espionage-minded hacking group that is believed to have ties to the Chinese government and targets Western governments, technology companies, research institutions and think tanks.

In a new campaign observed by researchers at Sysdig, the group was seen using VShell — an open-source Remote Access Trojan made by a Chinese developer and popular among Chinese cybercriminals — to carry out post-exploitation activity.

They were also spotted using WebSockets — a set of open-source communication protocols — to communicate with command-and-control infrastructure, masking much of its malicious traffic through encrypted transmissions.

This was apparently effective, as Sysdig threat research engineer Alessandra Rizzo noted that “our runtime capture confirms that, except for a few random words, we found nothing of note in the network traffic once the connection was upgraded to a WebSocket.”

The observed behavior aligns with a broader trend researchers are seeing, with more advanced and state-sponsored threat actors foregoing bespoke tooling in favor of open source or cheaper tools used by “script kiddies,” or lower technical cybercriminals.  

This approach “seems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government,” Rizzo wrote. It’s also notable because “nearly all” of UNC5174’s tooling observed until the past year had been custom-built and “not easily-copied.”

UNC5174 was seen using both Vshell and WebSockets as recently as January, even as the group continued to rely on custom malware for post-exploitation while targeting Linux-based systems.

Indeed, one of the calling cards of UNC5174 is the use of SNOWLIGHT, a malware family first identified by researchers at Mandiant that acts in tandem with VShell to deploy fileless malware on victim systems.

In this latest campaign, the actors use a payload called “dnsloger” that is part of the SNOWLIGHT family. They took actions that reflected in-depth knowledge of Linux-based operating systems, including methods for maintaining persistence, defensive evasion, and injection techniques.

It’s not clear how UNC5174 is obtaining initial access to victim systems, but included among the artifacts discovered by Sysdig researchers are a number of command-and-control domains that suggest that typosquatted website domains and phishing tactics were used.

The findings align with other recently reported activity around UNC5174.

In 2024, the French Cybersecurity Agency ANSSI observed an attacker using the same tactics, techniques and procedures as UNC5174’s exploitation of vulnerabilities in Ivanti’s Cloud Service Appliance product, giving them remote code execution privileges on infected machines. That attack included the use of a zero-day flaw (CVE2024-8190) days before Ivanti published a security advisory.

But further investigation of infected victims by the agency found that the group had used “common intrusion set” to gain initial access, and suggested that UNC5174 may have been selling its access to the highest bidder.

“Moderately sophisticated and discreet, this intrusion set is characterised by the use of intrusion tools largely available as open source and by the — already publicly reported — use of a rootkit10 code,” the agency wrote. “Post-exploitation activities do nevertheless differ from one incident to the next, which supports the hypothesis of an intrusion set being used as a means to secure initial access points, to then be sold off or entrusted to other operators.”

Rizzo wrote that UNC5174’s use of open-source tools like VShell and WebSockets has likely helped the group mask its presence in other, yet-to-be discovered campaigns.

“The lack of public documentation on VShell being employed by this threat actor is telling, as the evidence we have gathered shows that this campaign has been active since at least November 2024,” Rizzo noted.

The post Chinese espionage group leans on open-source tools to mask intrusions appeared first on CyberScoop.

from CyberScoop https://ift.tt/9zQhnUL
via IFTTT

Technology experts pressed Congress to maintain export controls on semiconductor chips and other technologies, telling lawmakers Tuesday that the restrictions are among the most effective strategies to slow China and other rival countries in the AI race, thereby helping U.S. companies hold a competitive edge.

Placing export controls on these technologies is not new: both the Trump and Biden administrations have placed restrictions on Chinese companies’ ability to buy newer, more powerful computer chips that are powering the global AI industry.

However, this year’s emergence of multiple high-performance generative AI reasoning models from Chinese companies DeepSeek, Alibaba, Tencent and others has caused some to question whether those efforts were in vain. Experts who once thought the restrictions would ensure American AI dominance are now revisiting their views as China appears to have caught up to the U.S.

But during a House Science, Space and Technology Committee hearing, multiple technology experts advised the U.S. government to continue to impose new restrictions.

“I think an important question here is where might [China’s industry] be if U.S. policy had been different?” said Gregory Allen, director of the Wadhwani Center for AI and Advanced Technologies at the Center for Strategic and International Studies.

Allen argued that previous export restrictions have and will continue to blunt China’s progress in developing more advanced AI models, particularly in the near- and intermediate-term as the Chinese government looks to stand up its own manufacturing capacity.

Previous export restrictions, he said, likely prevented these Chinese companies from making even further progress and potentially surpassing their competitors in the United States.

DeepSeek, he pointed out, was spun out of a Chinese high-frequency finance trading firm, an industry that is “obsessed with their computing infrastructure” because they’re “chasing nanosecond advantages in beating the market.” That pre-existing infrastructure and technical talent enabled firms like DeepSeek to operate without more advanced chips and larger computing capabilities. However,  they will likely need access to those technologies to make the next leap in development.

Indeed, DeepSeek executives themselves have flagged a lack of computing power as one of their biggest challenges going forward. Last year, CEO Liang Wenfeng said in an interview that even top Chinese AI trainers need about twice the computing power compared to their Western counterparts to achieve the same performance.

Wenfeng also lamented the lack of a Chinese parallel to massive chip companies like NVIDIA, which he attributed to a collective effort by Western governments to support such industries.

“They saw the trend of the next generation of technology and had a roadmap in place. For China’s AI development, we also need such an ecosystem,” Wenfeng said, according to an English-translated version of his interview. “Many domestic chip projects can’t get off the ground because there’s no supporting technology community — only second-hand information. Someone in China has to stand on the frontier of innovation.”

While the release of DeepSeek has been compared to “Sputnik,” the Russian rocket that signaled the Soviet Union’s lead in the space race, one major difference is that DeepSeek was built with largely American-made technology.

“This gives us leverage in the form of export controls, and indeed DeepSeek’s founder said it best: the only thing holding them back is access to American chips,” said Tim Fist, director of emerging technology policy at the Institute for Progress.

Fist said the federal government needs a team of technical experts who can work with industry and the intelligence community to proactively study Chinese models and chips and facilitate quicker and more decisive actions around export controls.

Like others, Allen urged lawmakers to push for tighter controls in the future, and not to assume that the latest leap by Chinese AI firms represents a larger failure of previous controls.

In fact, he criticized the Biden administration for not being aggressive enough and for telegraphing specific controls ahead of time in a way that allowed Chinese firms to stockpile parts and components before the rules took effect.

“It’s not fun to have an aggressive export control policy,” Allen said, “but we are incurring all of the costs of a maximalist, aggressive export control policy and we are only incurring a fraction of the strategic potential benefits, because of the way that we are going about executing it.”

The post Tech experts recommend full steam ahead on US export controls for AI appeared first on CyberScoop.

from CyberScoop https://ift.tt/q0jai9D
via IFTTT

Ivanti customers are confronting another string of attacks linked to an actively exploited vulnerability in the company’s VPN products. Mandiant said a nation-state backed espionage group linked to China has been exploiting the critical vulnerability, CVE-2025-22457, since mid-March.

The threat group, which Google Threat Intelligence Group tracks as UNC5221, has a knack for exploiting Ivanti products and has successfully — and repeatedly — attacked the vendor’s customers since 2023. UNC5221 previously exploited a trio of zero-day vulnerabilities, including CVE-2025-0282, CVE-2023-46805 and CVE-2024-21887. 

Actively exploited software defects in Ivanti products are a consistent and recurring problem for the vendor’s customers, which have been subject to multiple attack sprees from various threat groups. Ivanti has made 15 appearances in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since early 2024, not including CVE-2025-22457. 

“This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Mandiant Consulting CTO Charles Carmakal said in a statement. “The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever.”

The latest attacks involve a vulnerability in Ivanti Connect Secure that the vendor released a patch for Feb. 11, but the company didn’t disclose the vulnerability until Thursday.

The software defect was considered low risk at the time, but UNC5221 studied the patch and found a way to exploit CVE-2025-22457 in earlier versions of the product, Mandiant said in a blog post Thursday.

“Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild,” Ivanti said in a security advisory. “We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”

A “limited number of customers” using Ivanti Connect Secure 22.7R2.5 or earlier versions and Pulse Connect Secure 9.1x appliances, which are no longer supported or receiving code changes, have been exploited, Ivanti said. The stack-based overflow vulnerability allows attackers to achieve remote code execution.

The vulnerability also affects Ivanti Policy Secure and Ivanti ZTA Gateways, though the vendor said it’s not aware of any exploitation in those products. Ivanti said patches for those products are in development and expected to be released later this month.

“Network security devices and edge devices are a focus of sophisticated and highly persistent threat actors,” an Ivanti spokesperson said in an email. 

“We seek to go above and beyond in providing detailed information to defenders to ensure they can take every possible step to secure their environments,” the spokesperson added. “We have continued to meaningfully expand and enhance the Ivanti Security team with highly skilled security specialists to meet the evolving needs of this landscape.”

During its investigation of post-exploitation activity, Mandiant observed UNC5221 deploying two newly identified malware families: the Trailblaze in-memory only dropper and the Brushfire passive backdoor. Researchers also observed various Spawn malware and UNC5221’s use of a modified version of Ivanti’s Integrity Checker Tool, which allowed the group to evade detection.

“China-nexus espionage actors regularly surge their exploitation activity once they are discovered and publicly outed,” Carmakal said in a LinkedIn post. “We expect they will likely try to compromise more victims in the coming days before organizations have the opportunity to patch.”

The post China-backed espionage group hits Ivanti customers again appeared first on CyberScoop.

from CyberScoop https://ift.tt/Y3ULqMV
via IFTTT

International intelligence and cybersecurity agencies jointly issued a warning Thursday about “fast flux,” an advanced technique used by cybercriminals and state-sponsored actors to evade detection and maintain resilient command and control infrastructure.

Fast flux involves rapidly changing or swapping out IP addresses linked to a particular domain. These quick changes render malicious activity nearly invisible to defensive measures. When fast flux is used, the domain names associated with these ever-changing IP addresses act as proxies, facilitating a wide array of cybercriminal activities. 

The advisory was issued by the NSA along with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ).

“Fast flux is an ongoing, serious threat to national security, and this guidance shares important insight we’ve gathered about the threat,” said NSA Cybersecurity Director Dave Luber.

The sheer number of IP addresses used in fast flux operations makes it a formidable challenge for cybersecurity professionals. Often reaching into the hundreds of thousands, these IP addresses are connected to a DNS record for minutes before being swapped out for another. This rapid turnover creates a scenario akin to searching for needles in a constantly shifting haystack, where both human observers and automated systems struggle to keep up with the changes.

Furthermore, malicious actors make it harder to detect by using legitimate cloud service providers as a front to their operations. By blending malicious traffic with legitimate-looking data, these actors make it exceedingly tough for defenders to distinguish between harmful and benign activities.

While the speed and sophistication of fast flux tactics make real-time interception nearly impossible, certain behavioral indicators can serve as warnings of malicious intent. These include the bulk procurement of domain names, the use of fake registration details for nameservers, and the rapid alteration of IP addresses associated with these domains. 

Intelligence agencies have observed fast flux being used across multiple threat vectors. Bulletproof hosting services, which disregard law enforcement requests and abuse notices, often offer fast flux as a service differentiator to help clients evade blocking.

The technique has been documented in ransomware attacks, including those by Hive and Nefilim. Nation-state actors such as Gamaredon have employed fast flux to limit the effectiveness of IP blocking during their operations.

The advisory advocates for the implementation of a multi-layered detection and mitigation approach among protective DNS (PDNS) providers to close network defense gaps.

“Service providers, especially Protective DNS providers, should track, share information about, and block fast flux as part of their provided cybersecurity services,” an advisory from CISA reads. “Government and critical infrastructure organizations should close this ongoing gap in network defenses by using cybersecurity and PDNS services that block malicious fast flux activity.”

You can read the full advisory here. 

The post International intelligence agencies raise the alarm on fast flux appeared first on CyberScoop.

from CyberScoop https://ift.tt/3HARNpo
via IFTTT

Businesses don’t always get what they pay for in cybersecurity. Some of the most expensive cloud network firewall vendors are among the worst performers against exploits and evasions, according to the most comprehensive, independent testing CyberRatings.org has conducted to date.

Cisco, by far the most expensive cloud network firewall offering across the top 10 vendors on price per megabits per second, ranked seventh with an overall security effectiveness score of 53.5%, according to CyberRatings.org research released Wednesday. 

The trio of big cloud providers — Amazon Web Services, Microsoft Azure and Google Cloud Platform — fared even worse, each landing at the bottom of the pack with a 0% security effectiveness score. 

“We’ve been told to use cloud-native technologies, that they’re better suited than using bolt-ons. Well, that’s clearly not the case here,” CyberRatings.org CEO Vikram Phatak told CyberScoop.

“Any of the third-party firewalls you pick are going to be better at protecting you than what you have today with the AWS firewall, but also frankly Azure and GCP today as well,” he said.

Fortinet and Check Point earned the highest rating of 100%, followed by Versa Networks, Palo Alto Networks and Juniper Networks — each landing in the upper end of the 99th percentile, according to CyberRatings.org’s tests. Forcepoint’s security effectiveness score was 96.6%.

CyberRatings.org tested cloud network firewalls against more than 2,000 widely exploited vulnerabilities. The nonprofit, which paid for the tests and research in Q1 2025 without any vendor involvement, then applied 2,500 attacks spanning 27 evasion techniques across multiple network layers to bypass firewall defenses.

“This is what I consider to be the equivalent of an open-book test. It’s not super hard stuff,” Phatak said. 

“We want to know what a buyer, purchaser of the technology can count on in an adversarial situation where things are not always going their way,” he said. “This is not a Category 5 hurricane, and it’s also not a sunny day on the beach.”

CyberRatings.org’s tests showed wide disparities in cloud network firewalls’ ability to defend against publicly available exploits. Protecting organizations against exploits is the first line of defense, a core selling point and purpose of firewalls. 

AWS performed the worst on this front, blocking only 0.59% of exploits. The big problem for AWS is that its signature set for exploits is mismatched, Phatak said.

“If you put all your eggs in the AWS basket, you’re going to end up regretting it from a cybersecurity perspective at least,” Phatak said. 

Rounding out the bottom of the field, Microsoft Azure blocked 55.28%, Cisco blocked 90.68%, GCP blocked 96.6% and Forecepoint blocked 97.63% of exploits. Fortinet and Check Point blocked all of the exploits CyberRatings.org threw at their cloud network firewalls. Versa Networks, Juniper Networks and Palo Alto Networks each scored in the high 99th percentile on exploit prevention.

The overall results and rankings diverged further when CyberRatings.org measured cloud network firewalls’ performance against evasions.

Cisco, AWS, GCP and Microsoft Azure each failed to defend against evasion tactics between layer 3 and layer 7, network traffic originating from IP addresses and the content of application data.

Ultimately, the 0% security effectiveness score applied to AWS and GCP was due to the ease with which CyberRatings.org bypassed their firewalls with evasions. Both vendors earned a 0% score in preventing evasions.

Microsoft performed better than its cloud counterparts on evasions, scoring 78%. Yet, Microsoft’s “big issue is that if anything comes across encrypted with HTTPS, they’re blind. [It’s] the only firewall that doesn’t have HTTPS decryption built in,” Phatak said.

Microsoft’s lack of transport layer security (TLS) and secure sockets layer (SSL) support resulted in its overall 0% security effectiveness score, according to CyberRatings.org’s benchmarks. Cisco prevented 59% of CyberRatings.org’s evasion tests.

Forcepoint blocked 99% of evasions while Palo Alto Networks, Check Point, Juniper Networks and Versa Networks all blocked 100%, according to CyberRatings.org’s tests.

CyberRatings.org explained its testing framework, including why and the extent to which it deducted points from firewall vendors’ score across all categories tested. In many cases, it was the combination of exploit and evasion prevention tests, and other factors unique to specific factors that resulted in low security effectiveness scores.

In the case of AWS, its firewall didn’t block any live attacks, so CyberRatings.org couldn’t test it against evasions. With Microsoft’s firewall, CyberRatings.org evaded defenses by encrypting traffic or targeting a web server that’s encrypted.

Phatak directed his harshest criticism at AWS, which has consistently performed poorly in CyberRatings.org exploit prevention tests since 2014. “Amazon’s lack of improvement was shocking to us,” he said. “It just says that it’s not taking this seriously.”

The post Independent tests show why orgs should use third-party cloud security services appeared first on CyberScoop.

from CyberScoop https://ift.tt/v3tXHLj
via IFTTT

The Commerce Department plans to finalize economic sanctions this week on nearly 20 Chinese and Taiwanese organizations, citing the need to limit their access to U.S. cloud, artificial intelligence and quantum computing technologies.

The sanctions, which will be detailed and published Friday in the Federal Register , would place additional license requirements on, and limit the availability of, license exceptions for exports, re-exports, and transfers of certain technologies to those entities.

Among the Trump administration’s stated goals for the sanctions are restricting the Chinese government from acquiring high-performance and exascale computing capabilities to build AI systems and quantum computers for military use.

“We will not allow adversaries to exploit American technology to bolster their own militaries and threaten American lives,” Commerce Secretary Howard Lutnick said in a statement. “We are committed to using every tool at the Department’s disposal to ensure our most advanced technologies stay out of the hands of those who seek to harm Americans.”

The newly added Chinese entities include the Beijing Academy of Artificial Intelligence and Beijing Innovation Wisdom Technology, for acquiring or attempting to acquire U.S. products for AI models, as well as advanced computing chips. Those efforts, the Commerce Department claims, are in support of the Chinese government’s larger military modernization goals.

Six Chinese and Taiwanese subsidiaries of Inspur Group, one of China’s largest cloud computing firms, were also placed on the sanctions list, citing their use of U.S. parts and components in the development of supercomputers for the Chinese military.

Four other Chinese firms — Henan Dingxin Information Industry, Nettrix Information Industry, Suma Technology and Suma-USI Electronics — were sanctioned for their alleged development of Chinese exascale supercomputers and providing manufacturing support for Sugan, a previously sanctioned Chinese entity.

The firms were all placed on the Bureau of Industry and Security’s export sanctions list for organizations engaged in “activities contrary to the national security or foreign policy interests” of the United States. The designation limits the ability of these companies to gain licenses to buy, import or otherwise legally acquire technologies from U.S. firms that may be used to power Beijing’s cloud, AI and quantum computing ambitions.

For certain entities, such as the Beijing Academy of Artificial Intelligence and Beijing Innovation Wisdom Technology, those license reviews will happen with a “policy of a presumption of denial.” For others, such as the firms working on exascale supercomputing, the reviews will be done under a “policy of denial.”

A separate Commerce action set to be finalized Friday places similar sanctions on an additional seven Chinese companies for their work developing quantum computing technologies. Those companies include Scikro (Hong Kong) Instruments, Scikro (Shanghai) Instrument, Anhui Kehua Sci-Tech Trading, Associated Optoelectronics, Chongqing Southwest Integrated Circuit Design, ORICAS Import and Export Corporation, and Physike Technology.

The sanctions are the latest example of bipartisan U.S. efforts to restrict or stop the flow of U.S. technologies and equipment — such as high-performance computing chips — that are foundational to a number of emerging technologies like AI and quantum computing. The Biden administration spent much of its last two years in office attempting to restrict the flow of semiconductors to China.

Previous attempts to restrict the supply of similar technologies to China have had mixed results. While conventional wisdom over the past year held that China was behind the U.S. in the global AI race, 2025 has seen multiple Chinese companies release large language models that are capable of performing as well as many of the top American-made models, in some cases with far more efficient computing and (allegedly) at a significantly cheaper cost.

China has also been steadily working to build up its own domestic industry for semiconductors and other key technologies, with the goal of weaning itself off dependence from U.S. firms.

“This is shocking to me, because I thought that the restrictions we placed on chips would keep them back,” former Google CEO Eric Schmidt said last November when discussing Chinese AI advancements over the past year and a half.

The post Commerce limits 19 Chinese, Taiwanese companies from buying U.S. tech appeared first on CyberScoop.

from CyberScoop https://ift.tt/YbehWAR
via IFTTT