Recently added artificial intelligence capabilities on the Chinese-language Darcula phishing-as-a-service platform make phishing attacks easy for even the least technical hackers.
from darkreading https://ift.tt/NrgJmS5
via IFTTT
The US East (Northern Virginia) Region was the first Region launched by Amazon Web Services (AWS), and it has seen tremendous growth and customer adoption over the past several years. Now hosting active customers ranging from startups to large enterprises, AWS has steadily expanded the US East (Northern Virginia) Region infrastructure and capacity. The US East (Northern Virginia) Region consists of six Availability Zones, providing customers with enhanced redundancy and the ability to architect highly available applications.
Today, we’re announcing that a new Availability Zone located in Maryland will be added to the US East (Northern Virginia) Region, which is expected to open in 2026. This new Availability Zone will be connected to other Availability Zones by high-bandwidth, low-latency network connections over dedicated, fully redundant fiber. The upcoming Availability Zone in Maryland will also be instrumental in supporting the rapid growth of generative AI and advanced computing workloads in the US East (Northern Virginia) Region.
All Availability Zones are physically separated in a Region by a meaningful distance, many kilometers (km) from any other Availability Zone, although all are within 100 km (60 miles) of each other. The network performance is sufficient to accomplish synchronous replication between Availability Zones in Maryland and Virginia within the US East (Northern Virginia) Region. If your application is partitioned across multiple Availability Zones, your workloads are better isolated and protected from issues such as power outages, lightning strikes, tornadoes, earthquakes, and more.
With this announcement, AWS now has four new Regions in the works—New Zealand, Kingdom of Saudi Arabia, Taiwan, and the AWS European Sovereign Cloud—and 13 upcoming new Availability Zones.
Geographic information for the new Availability Zone
In March, we provided more granular visibility into the geographic location information of all AWS Regions and Availability Zones. We have updated the AWS Regions and Availability Zones page to reflect the new geographic information for this upcoming Availability Zone in Maryland. As shown in the following screenshot, the infrastructure for the upcoming Availability Zone will be located in Maryland, United States of America, for the US East (Northern Virginia) us-east-1 Region.

You can continue to use this geographic information to choose Availability Zones that align with your regulatory, compliance, and operational requirements.
After the new Availability Zone is launched, it will be available along with other Availability Zones in the US East (Northern Virginia) Region through the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs.
Stay tuned
We plan to make this new Availability Zone in the US East (Northern Virginia) Region generally available in 2026. As usual, check out the Regional news of the AWS News Blog so that you’ll be among the first to know when the new Availability Zone is open!
To learn more, visit the AWS Global Infrastructure Regions and Availability Zones page or AWS Regions and Availability Zones in the AWS documentation and send feedback to AWS re:Post or through your usual AWS Support contacts.
— Channy
from AWS News Blog https://ift.tt/vPRCq07
via IFTTT
Today, we are announcing that AWS AppSync Events now supports data source integrations for channel namespaces, enabling developers to create more sophisticated real-time applications. With this new capability you can associate AWS Lambda functions, Amazon DynamoDB tables, Amazon Aurora databases, and other data sources with channel namespace handlers. With AWS AppSync Events, you can build rich, real-time applications with features like data validation, event transformation, and persistent storage of events.
With these new capabilities, developers can create sophisticated event processing workflows by transforming and filtering events using Lambda functions or save batches of events to DynamoDB using the new AppSync_JS batch utilities. The integration enables complex interactive flows while reducing development time and operational overhead. For example, you can now automatically persist events to a database without writing complex integration code.
First look at data source integrations
Let’s walk through how to set up data source integrations using the AWS Management Console. First, I’ll navigate to AWS AppSync in the console and select my Event API (or create a new one).

Persisting event data directly to DynamoDB
There are multiple kinds of data source integrations to choose from. For this first example, I’ll create a DynamoDB table as a data source. I’m going to need a DynamoDB table first, so I head over to DynamoDB in the console and create a new table called event-messages. For this example, all I need to do is create the table with a Partition Key called id. From here, I can click Create table and accept the default table configuration before I head back to AppSync in the console.

Back in the AppSync console, I return to the Event API I set up previously, select Data Sources from the tabbed navigation panel and click the Create data source button.

After giving my Data Source a name, I select Amazon DynamoDB from the Data source drop down menu. This will reveal configuration options for DynamoDB.

Once my data source is configured, I can implement the handler logic. Here’s an example of a Publish handler that persists events to DynamoDB:
import * as ddb from '@aws-appsync/utils/dynamodb'
import { util } from '@aws-appsync/utils'

// Must match the name of the DynamoDB table created above
const TABLE = 'event-messages'

export const onPublish = {
  // Build one batch write from all events in the publish request
  request(ctx) {
    const channel = ctx.info.channel.path
    const timestamp = util.time.nowISO8601()
    return ddb.batchPut({
      tables: {
        [TABLE]: ctx.events.map(({id, payload}) => ({
          channel, id, timestamp, ...payload,
        })),
      },
    })
  },
  // Map the stored items back to the { id, payload } shape of the events
  response(ctx) {
    return ctx.result.data[TABLE].map(({ id, ...payload }) => ({ id, payload }))
  },
}
To add the handler code, I go to the tabbed navigation for Namespaces where I find a new default namespace already created for me. If I click to open the default namespace, I find the button that allows me to add an Event handler just below the configuration details.

Clicking on Create event handlers brings me to a new dialog where I choose Code with data source as my configuration, and then select the DynamoDB data source as my publish configuration.

After saving the handler, I can test the integration using the built-in testing tools in the console. The default values here should work, and as you can see below, I’ve successfully written two events to my DynamoDB table.

Here are all my messages captured in DynamoDB!

Error handling and security
The new data source integrations include comprehensive error handling capabilities. For synchronous operations, you can return specific error messages that will be logged to Amazon CloudWatch, while maintaining security by not exposing sensitive backend information to clients. For authorization scenarios, you can implement custom validation logic using Lambda functions to control access to specific channels or message types.
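The validation and error-handling split described above, as an added example that is not part of the original post or AWS's own code: it screens a publish batch before storage, keeps the detailed rejection reason for the operator log and gives the client only a generic message. It also writes the server-set fields after the payload, because the publish handler shown earlier spreads the payload after channel, id and timestamp, so a payload carrying those keys would replace them. It is plain JavaScript that runs without the AppSync runtime; the { id, payload } event shape and ctx.info.channel.path follow the handler above, and every other name, limit and sample value is an assumption.

```javascript
// Added example. Assumes events of the form { id, payload } and the channel
// path in ctx.info.channel.path, as in the publish handler shown earlier.
// RESERVED, ALLOWED_TYPES, MAX_TEXT and screenPublish are hypothetical names.

const RESERVED = new Set(['id', 'channel', 'timestamp']) // attributes only the server may set
const ALLOWED_TYPES = new Set(['chat', 'presence'])      // hypothetical message types
const MAX_TEXT = 280                                      // hypothetical length limit

// Returns null when the payload is acceptable, otherwise an internal reason.
function rejectReason(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return 'payload is not an object'
  }
  const clash = Object.keys(payload).filter((k) => RESERVED.has(k))
  if (clash.length > 0) {
    return `payload sets reserved attribute(s): ${clash.join(',')}`
  }
  if (!ALLOWED_TYPES.has(payload.type)) {
    return 'unknown message type'
  }
  if (typeof payload.text !== 'string' || payload.text.length > MAX_TEXT) {
    return 'text missing or too long'
  }
  return null
}

// Splits a publish batch into:
//   items   - records that are safe to store
//   results - one entry per event, in order, for the publishing client
//   logs    - detailed lines for the operator log only
function screenPublish(ctx, now = new Date().toISOString()) {
  const channel = ctx.info.channel.path
  const items = []
  const results = []
  const logs = []
  for (const { id, payload } of ctx.events) {
    const reason = rejectReason(payload)
    if (reason !== null) {
      logs.push(`rejected event ${id} on ${channel}: ${reason}`)
      // The client learns that the event failed, not why.
      results.push({ id, error: 'event rejected' })
      continue
    }
    // Payload first, server-set fields last, so the payload cannot replace them.
    items.push({ ...payload, channel, id, timestamp: now })
    results.push({ id, payload })
  }
  return { items, results, logs }
}

// Constructed sample batch: one valid event, one that tries to set reserved
// attributes, one with a message type that is not on the allow list.
const SAMPLE_CTX = {
  info: { channel: { path: '/default/room1' } },
  events: [
    { id: 'e1', payload: { type: 'chat', text: 'hello' } },
    { id: 'e2', payload: { type: 'chat', text: 'hi', id: 'spoofed', timestamp: '1970' } },
    { id: 'e3', payload: { type: 'admin', text: 'x' } },
  ],
}

const screened = screenPublish(SAMPLE_CTX)
console.log(screened.results)
console.log(screened.logs)
```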
Available now
AWS AppSync Events data source integrations are available today in all AWS Regions where AWS AppSync is available. You can start using these new features through the AWS AppSync console, AWS command line interface (CLI), or AWS SDKs. There is no additional cost for using data source integrations – you pay only for the underlying resources you use (such as Lambda invocations or DynamoDB operations) and your existing AppSync Events usage.
To learn more about AWS AppSync Events and data source integrations, visit the AWS AppSync Events documentation and get started building more powerful real-time applications today.
from AWS News Blog https://ift.tt/UuhHxTO
via IFTTT
By proactively embracing emerging trends around encryption, AI security, and platform consolidation, organizations can turn compliance burdens into competitive advantage.
from darkreading https://ift.tt/ry1RT0N
via IFTTT
Attackers are having a field day with software defects in security devices, according to a new report released Wednesday by Mandiant.
Exploits were the most common initial infection vector, representing 1 of every 3 attacks in 2024, and the four most frequently exploited vulnerabilities were all contained in edge devices, such as VPNs, firewalls and routers, Mandiant said in its M-Trends report released Wednesday.
“Exploitation of these vulnerabilities represented slightly less than half of all observed vulnerability exploitation,” said Kirstie Failey, principal threat analyst at Google Threat Intelligence Group, under which the Mandiant brand operates.
Threat researchers and federal cyber authorities have been sounding the alarm about attacks targeting network edge devices for more than a year. Since 2024, security device exploits have resulted in attacks on government agencies and some of the most valuable publicly-traded companies in the world.
These lightweight devices and services are designed to improve defenses and prevent intrusions. Yet, because they don’t typically support third-party software, including endpoint detection and response capabilities, organizations are often caught off-guard when attackers gain access to their networks through a highly-privileged system.
“Three of the four vulnerabilities were first exploited as zero-days,” Mandiant said in the report. “While a broad selection of threat actors have recently targeted edge devices, Mandiant also specifically noted an increase in targeting from Russian and Chinese cyber espionage actors.”
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS, CVE-2024-3400, was the most frequently exploited defect across all of Mandiant’s incident response engagements last year. Mandiant said it observed one threat group exploit it as a zero-day, but malicious activities quickly escalated soon after.
Mandiant observed over a dozen threat groups exploiting the vulnerability within two weeks after Palo Alto Networks disclosed the CVE and published a proof-of-concept exploit code in April 2024. Among these was a Ransomhub affiliate, which used the vulnerability — rated a 10 on the CVSS scale — to gain initial access to organizations’ systems and launch a multifaceted extortion campaign.
The next most frequently exploited vulnerabilities in 2024 belong to a pair of defects — CVE-2023-46805 and CVE-2024-21887 — affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances, according to Mandiant. Ivanti disclosed the vulnerabilities in January a month after UNC5221, a suspected China state-sponsored espionage group, exploited the vulnerabilities in the wild as zero-days.
Attackers achieved unauthenticated arbitrary command execution on systems by chaining the vulnerabilities together, Mandiant said in the report.
By mid-January 2024, Mandiant observed UNC5135, a group with suspected links to Volt Typhoon, scanning Ivanti Connect Secure appliances but did not observe successful exploitation. Eight distinct clusters, including five suspected Chinese espionage groups, exploited one or more of the Ivanti vulnerabilities, including a third defect tracked as CVE-2024-21893 by April 2024.
An SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server, CVE-2023-48788, was the fourth-most frequently exploited vulnerability across all of Mandiant’s incident response engagements last year.
A financially-motivated threat group exploited the vulnerability within two weeks of Fortinet’s disclosure in March 2024. At the back end of the year, in October and November, another financially motivated threat group tracked as FIN8 exploited the vulnerability to deploy ransomware and steal data.
“Mandiant observed dozens of organizations impacted by exploitation of these vulnerabilities, and our observations are almost certainly only a small fraction of the total number of organizations affected by this activity,” said Kelli Vanderlee, senior manager at Google Threat Intelligence Group. “These campaigns affected organizations across at least 13 industries, located in four different continents.”
Ransomware accounted for 21% of all Mandiant incident response activities last year. These ransomware-related attacks affected organizations in healthcare, local government, energy, technology, education and finance across the Americas, Europe, the Middle East, Asia Pacific and Japan, researchers said in the report.
Brute-force attacks, including password spraying, VPN compromise via default credentials and high-volume remote desktop protocol login attempts, were the most common initial access vector for ransomware attacks last year. Mandiant linked 26% of ransomware attacks to brute-force methods, 21% to stolen credentials, another 21% to exploits, 15% to prior compromise and 10% to third-party compromise.
Mandiant noted that potential deficiencies in enterprise logging and detection capabilities likely contributed to a considerable blind spot with respect to initial access vectors. The incident response firm was unable to determine an initial access vector for 34% of all intrusions.
Mandiant said its annual M-Trends report is based on 450,000 hours of incident response engagements throughout 2024.
The post Attackers hit security device defects hard in 2024 appeared first on CyberScoop.
from CyberScoop https://ift.tt/vuFf3TQ
via IFTTT
A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk’s Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency’s sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub. Further investigation into one of those code bundles shows it is remarkably similar to a program published in January 2025 by Marko Elez, a 25-year-old DOGE employee who has worked at a number of Musk’s companies.
According to a whistleblower complaint filed last week by Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several all-powerful “tenant admin” accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.
Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever used. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.
A search on that description in Google brings up a code repository at GitHub for a user with the account name “Ge0rg3” who published a program roughly four years ago called “requests-ip-rotator,” described as a library that will allow the user “to bypass IP-based rate-limits for sites and services.”
The README file from the GitHub user Ge0rg3’s page for requests-ip-rotator includes the exact wording of a program the whistleblower said was downloaded by one of the DOGE users. Marko Elez created an offshoot of this program in January 2025.
“A Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing,” the description reads.
Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or “forked” from Ge0rg3’s code — called “async-ip-rotator” — and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.
The whistleblower stated that one of the GitHub files downloaded by the DOGE employees who transferred sensitive files from an NLRB case database was an archive whose README file read: “Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Elez’s code pictured here was forked in January 2025 from a code library that shares the same description.
A key DOGE staff member who gained access to the Treasury Department’s central payments system, Elez has worked for a number of Musk companies, including X, SpaceX, and xAI. Elez was among the first DOGE employees to face public scrutiny, after The Wall Street Journal linked him to social media posts that advocated racism and eugenics.
Elez resigned after that brief scandal, but was rehired after President Donald Trump and Vice President JD Vance expressed support for him. Politico reports Elez is now a Labor Department aide detailed to multiple agencies, including the Department of Health and Human Services.
“During Elez’s initial stint at Treasury, he violated the agency’s information security policies by sending a spreadsheet containing names and payments information to officials at the General Services Administration,” Politico wrote, citing court filings.
KrebsOnSecurity sought comment from both the NLRB and DOGE, and will update this story if either responds.
The NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function. Both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.
Berulis’s complaint alleges the DOGE accounts at NLRB downloaded more than 10 gigabytes of data from the agency’s case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents. Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as they’d previously agreed.
Berulis told KrebsOnSecurity he worried the unauthorized data transfer by DOGE could unfairly advantage defendants in a number of ongoing labor disputes before the agency.
“If any company got the case data that would be an unfair advantage,” Berulis said. “They could identify and fire employees and union organizers without saying why.”
Marko Elez, in a photo from a social media profile.
Berulis said the other two GitHub archives that DOGE employees downloaded to NLRB systems included Integuru, a software framework designed to reverse engineer application programming interfaces (APIs) that websites use to fetch data; and a “headless” browser called Browserless, which is made for automating web-based tasks that require a pool of browsers, such as web scraping and automated testing.
On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
“If this were a side project, it would just be bad code,” the reviewer wrote. “But if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.”
Further reading: Berulis’s complaint (PDF).
from Krebs on Security https://ift.tt/3f2WP9U
via IFTTT
Understanding how multiple AI models speak to each other and deciding which framework to use requires careful evaluation of both the business benefits of advanced AI orchestration and the cybersecurity implications of connecting automated services.
from darkreading https://ift.tt/VGDYhjr
via IFTTT
Agentic AI’s appeal is growing as organizations seek more autonomous and hands-off approaches to their security protocols as risks increase and threats become more sophisticated.
from darkreading https://ift.tt/mcGPTfM
via IFTTT
Last year, the escalating concerns about Chinese threat actors breaching U.S. organizations reached a crescendo as federal authorities issued increasingly urgent advisories about China’s “Typhoon” groups infiltrating U.S. networks, pressing organizations to take immediate action.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that these groups were engaged in a host of massive intrusions, ranging from infiltrating telecommunications networks and sensitive law enforcement communication platforms to prepositioning themselves on critical infrastructure networks to destroy or disrupt services.
Since late January, however, the U.S. government has issued few alerts about Chinese or other nation-state advanced persistent threat actors (APTs), including Russia, North Korea, and Iran. Experts say that despite the lack of warnings, it is more important than ever to stay alert against these groups, particularly given that rapidly developing artificial intelligence (AI) technologies have enabled defenders to spot these threat actors at machine speed and stop them in their tracks.
“Your ability to respond quickly is really important,” Alex Stamos, CISO at SentinelOne, told CyberScoop. “You can’t spend fifteen, twenty minutes for your security operations center analyst to go to the bathroom and then come back and look at an alert and to make a decision because the threat actors are already ten steps ahead of you.”
“Chinese threat actors are going for very large-scale operations,” Alon Schindel, VP of AI and threat research at Wiz, told CyberScoop. “AI can empower cybersecurity teams to walk faster and reduce the number of issues. You can reduce the remediation time. That’s the thing.”
Experts emphasize that AI’s real value in identifying and halting sophisticated threat actors lies in its capacity to process vast amounts of information across an organization’s tech surface. It can then correlate that data to identify and potentially thwart suspicious behavior swiftly.
“AI is there to augment your efforts by tying in a lot of the disparate context or the context that’s lacking between different siloed systems,” Cristian Rodriguez, Americas Field CTO at CrowdStrike, told CyberScoop. “We are firm believers that AI helps bridge that gap across disparate data sources so that contextually there’s a better understanding of the steps that an adversary needs to take to be successful in their tradecraft.”
“To help and try to understand whether it is a real attack or whether it is just some other activity, whether it’s a false positive alert by a security product, you can use the context that you have from your actual production environment, from your code, and the threat detection products,” Schindel said. “You can feed an LLM with all this information, and within a few seconds, you can get a conclusion with a high level of confidence, whether it is a real attack or whether it is just a false positive or maybe some ordinary activity in your environment.”
Before AI, defenders had massive amounts of information compiled in different locations with little ability to tie events together occurring in different log sources across the tech stack. The logs did not traditionally go into a repository “that allows for hyper scaling and hyper analysis of what those data points mean when they’re put together,” Stamos said.
Most experts agree that the increasing adoption of cloud-based technologies is central to the problem of disparate data sources. As information moves between cloud and on-premises systems, it creates more avenues for threat actors to move around laterally within an organization.
“Very few companies have visibility across their cloud infrastructure and their on-premise tech in a way where they see all of it at the same time and detect and track a threat actor in real time across all of those different environments,” Stamos said. “And very few companies can respond fast enough.”
According to Stamos, this lack of visibility specifically benefits Chinese threat actors, notably in the Microsoft-based systems that dominate the enterprise sector’s cloud, security, and operating systems. “What [Chinese threat actors] have gotten very good at is chaining vulnerabilities across those three areas,” he said. “For example, you can have a cloud entry point where they can brute force a username and password.”
“That’s something that’s not getting logged, not getting alerted on,” Stamos said. “And so, they can just brute force for days until they find a user password pair that works for them and then use that against the VPN tied to Microsoft Active Directory, and then get onto the domain controller. Now, they can do a traditional domain controller attack. That’s not something you can do in the cloud; that’s only local.”
The combination of cloud-based technologies and stolen identities is at the crux of where AI can start shedding light on intrusions in a way that genuinely helps defenders. “AI can start to bring context around what are outliers within things like login attempts,” CrowdStrike’s Rodriguez said.
“Using legitimate credentials to get into your environment in lieu of having to use malware, for example, which is very noisy,” is how most unauthorized intrusions occur, Rodriguez added. “AI can act as that opportunity for analysts to scale themselves across these large data sets to contextually understand outliers for login attempts and outliers for authorization across applications. Think of identity, think of what’s happening on your endpoints, and what happens in your cloud workloads. Those are all major data sources a defender must use when responding or analyzing an attack.”
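The cross-source correlation described above, as an added example that is not from the article or from any vendor quoted in it: it joins cloud sign-in failures and VPN logins by account and flags a first VPN login from a new address that follows a run of cloud failures. Counting per account rather than per source address keeps the signal when each attempt comes from a different IP. The event fields, thresholds and sample events are constructed for illustration.

```javascript
// Added example. Event shape (an assumption, normalised from two log sources):
//   { ts: ISO-8601 string, source: 'cloud' | 'vpn', user, ip, outcome: 'fail' | 'success' }

// Flags VPN logins that (a) come from an address with no earlier successful
// VPN login for that user and (b) follow at least minFailures cloud sign-in
// failures for the same user inside the look-back window.
function findSprayThenVpn(events, { windowMs = 72 * 3600 * 1000, minFailures = 5 } = {}) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts))
  const cloudFailures = new Map() // user -> [{ t, ip }]
  const vpnBaseline = new Map()   // user -> Set of IPs with earlier VPN successes
  const alerts = []

  for (const e of sorted) {
    const t = Date.parse(e.ts)

    if (e.source === 'cloud' && e.outcome === 'fail') {
      const list = cloudFailures.get(e.user) || []
      list.push({ t, ip: e.ip })
      cloudFailures.set(e.user, list)
      continue
    }

    if (e.source === 'vpn' && e.outcome === 'success') {
      const seen = vpnBaseline.get(e.user) || new Set()
      if (!seen.has(e.ip)) {
        const recent = (cloudFailures.get(e.user) || []).filter((f) => t - f.t <= windowMs)
        if (recent.length >= minFailures) {
          alerts.push({
            user: e.user,
            vpnIp: e.ip,
            vpnTime: e.ts,
            cloudFailures: recent.length,
            failureIps: new Set(recent.map((f) => f.ip)).size,
          })
        }
      }
      seen.add(e.ip)
      vpnBaseline.set(e.user, seen)
    }
  }
  return alerts
}

// Constructed sample events; the addresses are from the documentation ranges.
const SAMPLE_EVENTS = [
  // bob: one mistyped password, VPN always from the same address
  { ts: '2024-03-01T08:00:00Z', source: 'vpn', user: 'bob', ip: '198.51.100.10', outcome: 'success' },
  { ts: '2024-03-02T08:00:00Z', source: 'cloud', user: 'bob', ip: '198.51.100.10', outcome: 'fail' },
  { ts: '2024-03-03T08:00:00Z', source: 'vpn', user: 'bob', ip: '198.51.100.10', outcome: 'success' },
  // alice: normal VPN baseline, then six cloud failures from six addresses
  // over two days, a cloud success, and a VPN login from a new address
  { ts: '2024-03-01T09:00:00Z', source: 'vpn', user: 'alice', ip: '198.51.100.20', outcome: 'success' },
  ...[1, 2, 3, 4, 5, 6].map((n) => ({
    ts: `2024-03-0${n > 3 ? 4 : 3}T0${n}:00:00Z`,
    source: 'cloud',
    user: 'alice',
    ip: `203.0.113.${n}`,
    outcome: 'fail',
  })),
  { ts: '2024-03-04T06:30:00Z', source: 'cloud', user: 'alice', ip: '203.0.113.77', outcome: 'success' },
  { ts: '2024-03-04T07:00:00Z', source: 'vpn', user: 'alice', ip: '203.0.113.99', outcome: 'success' },
]

console.log(findSprayThenVpn(SAMPLE_EVENTS))
```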
As beneficial as AI technologies might be in identifying and thwarting threat actors, experts warn that new LLM models and other AI technologies that defenders use to protect assets are themselves prized targets of threat actors. Even worse, these AI technologies can leak organizational secrets.
Chinese threat actors are “targeting these AI companies directly for their intellectual property, whether it’s ChatGPT, Gemini, all these new models,” Wiz’s Schindel said. “They are trying to steal information and then build their own versions that are based on what they stole as part of their threat operations.”
For some of these threat actors, “especially coming out of China and even North Korea, not only are they looking for or using identities, but they’re also looking for these custom large language models or any type of generative AI that you may be hosting within your own cloud services,” CrowdStrike’s Rodriguez said.
“The adversary is looking for misconfigured large language models and any type of other genAI that you may be hosting in your cloud because that can also act as an exfiltration point if they were to access those systems,” he added. “And you’ve inadvertently put sensitive information or IP into those systems. They can ultimately use some prompt engineering or even access to misconfigurations within those models to exfiltrate sensitive data.”
According to Stamos, very few organizations are currently using AI in a way that prepares them to tackle threats from sophisticated adversaries to provide real-time intervention. “Out of the Fortune 500, there are maybe 150 to 200 companies playing at that level,” he said.
Stamos said organizations “need to gather as much security telemetry as possible and have it in one data lake that can be queried quickly in real time. You’ve got to do that plumbing, and that’s hard.”
Rodriguez advises organizations to “secure your identities. That is number one. Ensure that you understand the identities that you have for these services, have things like multifactor authentication, and [see to it] that the privileges for these identities are regularly assessed to ensure that you’re not overextending access to any single or handful of identities within environments that are sitting in the cloud, for example.”
Even though using AI to battle Chinese and other threat actors is a complex and high-level task that might need experienced AI engineers to implement, Schindel says that most organizations can easily start the process without this kind of scarce talent. “The only thing you need is someone enthusiastic about AI on your team,” he said. “They don’t necessarily have any significant background with AI, just someone who can use it. These models are easy to use.”
The post AI can help defenders stop nation-state threat actors at machine speed appeared first on CyberScoop.
from CyberScoop https://ift.tt/VhbPvJC
via IFTTT
Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that’s based on Apache Airflow.
“This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which
from The Hacker News https://ift.tt/6gvJXde
via IFTTT