Category: Cybersecurity

Oct 22, 2025Ravie LakshmananCyber Espionage / Vulnerability

Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025.

Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country.

According to Broadcom’s Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution.

CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups, including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the latter of which is linked to the deployment of Warlock, LockBit, and Babuk ransomware families in recent months.

However, the latest findings from Symantec indicate that a much wider range of Chinese threat actors have abused the vulnerability. This includes the Salt Typhoon (aka Glowworm) hacking group, which is said to have leveraged the ToolShell flaw to deploy tools like Zingdoor, ShadowPad, and KrustyLoader against the telecom entity and the two government bodies in Africa.

KrustyLoader, first detailed by Synacktiv in January 2024, is a Rust-based loader previously put to use by a China-nexus espionage group dubbed UNC5221 in attacks exploiting flaws in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver.

The attacks aimed at government agencies in South America and a university in the U.S., on the other hand, involved the use of unspecified vulnerabilities to obtain initial access, followed by the exploitation of SQL servers and Apache HTTP servers running the Adobe ColdFusion software to deliver the malicious payloads using DLL side-loading techniques.

In some of the incidents, the attackers have been observed executing an exploit for CVE-2021-36942 (aka PetitPotam) for privilege escalation and domain compromise, along with a number of readily available and living-off-the-land (LotL) tools to facilitate scanning, file download, and credential theft on the infected systems.

“There is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm,” Symantec said. “However, we do not have sufficient evidence to conclusively attribute this activity to one specific group, though we can say that all evidence points to those behind it being China-based threat actors.”

“The activity carried out on targeted networks indicates that the attackers were interested in stealing credentials and in establishing persistent and stealthy access to victim networks, likely for the purpose of espionage.”

From Detection to Resolution: Why the Gap Persists

A critical vulnerability is identified in an exposed cloud asset. Within hours, five different tools alert you about it: your vulnerability scanner, XDR, CSPM, SIEM, and CMDB each surface the issue in their own way, with different severity levels, metadata, and context.

What’s missing is a system of action. How do you transition from the detection and identification of a security issue to remediation and resolution?

The Continuous Threat Exposure Management (CTEM) framework was introduced to help organizations address this challenge, calling for a repeatable approach to scoping, discovery, validation, and ultimately, the mobilization of remediation efforts. The goal is not just to identify risk, but to act on it, continuously and at scale.

In most environments, that mobilization happens, but it relies on manual processes. Findings remain fragmented across tools, each with its own format, language, and logic. The responsibility to consolidate, correlate, prioritize, and assign remediation tasks often falls to already stretched security operations teams. And when fixes are eventually applied, there is often no mechanism in place to validate that your actions were effective.

What we’ve seen across more than 1,200 customers is that existing processes are not built to scale across the thousands of alerts enterprise security teams contend with on a weekly basis. Security and operations teams are not set up for success here.

This disconnect between identifying risk and resolving it efficiently and reliably is the remediation gap. It is not a visibility problem. It is an operational one.

Pentera Resolve: Operationalizing Validated Risk

As the leader in Security Validation, Pentera has always focused on helping organizations understand which vulnerabilities truly matter. By safely emulating real-world attacks, we don’t simply identify what is potentially exposed, but rather how those exposures can be exploited within the context of your environment.

Now we are extending that leadership by bridging security validation with automated remediation operations, closing the gap between insight and action. Alerts alone do not reduce risk. Their value depends entirely on the organization’s ability to act on them. Ten overlapping reports sitting unread on a dashboard do not make you safer. Action does.

Introducing Pentera Resolve. Our new product marks a shift in what organizations should expect from a Security Validation platform, integrating remediation workflows natively into the validation lifecycle.

Pentera Resolve automates the remediation workflow by turning validated findings into structured tasks and routing them directly to the teams responsible for fixing them. Security teams no longer need to comb through multiple reports, chase down asset owners, or track remediation progress across disconnected dashboards. Pentera Resolve removes that friction with a streamlined process embedded in the systems organizations already use.

Powered by AI, it automates triage, prioritization, and ownership assignment. Each validated issue is enriched with business and asset context, delivered into platforms like ServiceNow, Jira, and Slack. Each ticket is tracked and cataloged, ensuring audit-ready proof-of-fix. This creates a system of record for remediation, providing security, IT, and compliance teams a shared and verifiable view of progress, all within the tools they already use. As the platform evolves, Pentera Resolve will support triggering re-tests to determine whether the original validated risk has been fully addressed.

The result is faster, simpler, and more accountable remediation. Every issue is tied to real exploitability, verified after resolution, and fully measurable from start to finish.

This level of operational integration supports something broader. It is not just about fixing what has been found. It is about enabling security programs to run remediation as a continuous, coordinated part of enterprise risk management.

From Assessment to Resolution: A Unified Platform

Security teams no longer spend time translating findings into tickets. IT and DevOps teams no longer need to guess which exposures to prioritize. Everyone works from the same source of validated truth, inside the systems they already use.

This is not just about tooling. It is about changing how work gets done, with fewer gaps, clearer ownership, and full accountability from start to finish.

Exposure without action is just noise. Pentera Resolve brings remediation into focus. It is measurable, repeatable, and fully integrated into how teams already operate.

Validate. Remediate. Repeat.

That is the loop. And now, it runs without gaps.

Note: This article was authored by Dr. Arik Liberzon, Founder and Chief Technology Officer of Pentera.

Oct 22, 2025The Hacker NewsData Breach / Enterprise Security

The advice didn’t change for decades: use complex passwords with uppercase, lowercase, numbers, and symbols. The idea is to make passwords harder for hackers to crack via brute force methods. But more recent guidance shows our focus should be on password length, rather than complexity. Length is the more important security factor, and passphrases are the simplest way to get your users to create (and remember!) longer passwords.

The math that matters

When attackers steal password hashes from a breach, they brute-force by hashing millions of guesses per second until something matches. The time this takes depends on one thing: how many possible combinations exist.

A traditional 8-character “complex” password (P@ssw0rd!) offers roughly 218 trillion combinations. Sounds impressive until you realize modern GPU setups can test those combinations in months, not years. Increase that to 16 characters using only lowercase letters, and you’re looking at 26^16 combinations, billions of times harder to crack.

This is effective entropy: the actual randomness an attacker must work through. Three or four random common words strung together (“carpet-static-pretzel-invoke”) deliver far more entropy than cramming symbols into short strings. And users can actually remember them.

Why passphrases win on every front

The case for passphrases isn’t theoretical, it’s operational:

Fewer resets. When passwords are memorable, users stop writing them on Post-it notes or recycling similar variations across accounts. Your helpdesk tickets drop, which alone should justify the change.

Better attack resistance. Attackers optimize for patterns. They test dictionary words with common substitutions (@ for a, 0 for o) because that’s what people do. A four-word passphrase sidesteps these patterns entirely – but only when the words are truly random and unrelated.

Aligned with current guidance. NIST has been clear: prioritize length over forced complexity. The traditional 8-character minimum should really be a thing of the past.

One rule worth following

Stop managing 47 password requirements. Give users one clear instruction:

Choose 3-4 unrelated common words + a separator. Avoid song lyrics, proper names, or famous phrases. Never reuse across accounts.

Examples: mango-glacier-laptop-furnace or cricket.highway.mustard.piano

That’s it. No mandatory capitals, no required symbols, no complexity theater. Just length and randomness.

Self-service password reset (SSPR) can help during the transition. Users can securely update credentials on their own time, and your helpdesk shouldn’t be the bottleneck.

Password auditing gives you visibility into adoption rates. You can identify accounts still using short passwords or common patterns, then target those users with additional guidance.

Tools like Specops Password Policy handle all three functions: extending policy minimums, blocking over 4 billion compromised passwords, and integrating with SSPR workflows. The policy updates sync to Active Directory and Azure AD without additional infrastructure, and the blocklist updates daily as new breaches emerge.

What this looks like in practice

Imagine your policy requires 15 characters but drops all complexity rules. A user creates umbrella-coaster-fountain-sketch during their next password change. A tool like Specops Password Policy checks it against the compromised password database – it’s clean. The user remembers it without a password manager because it’s four concrete images linked together. They don’t reuse it because they know it’s specific to this account.

Six months later, no reset request. No Post-it note and no call to the helpdesk because they fat-fingered a symbol. Nothing revolutionary – just simple and effective.

The security you actually need

Passphrases aren’t a silver bullet. MFA still matters. Compromised credential monitoring still matters. But if you’re spending resources on password policy changes, this is where to spend it: longer minimums, simpler rules, and real protection against breached credentials.

Attackers still steal hashes and brute-force them offline. What’s changed is our understanding of what actually slows them down, so your next password policy should reflect that. Interested in giving it a try? Book a live demo of Specops Password Policy.

Oct 22, 2025Ravie LakshmananCyber Espionage / Network Security

Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky.

The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using never-before-seen malware families tracked as Neursite and NeuralExecutor.

It also described the operation as exhibiting a high level of sophistication, with the threat actors leveraging already compromised internal servers as an intermediate command-and-control (C2) infrastructure to fly under the radar.

“The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet,” Kaspersky noted at the time. “A plugin-based approach provides dynamic adaptation to the attacker’s needs.”

Since then, the company said it has observed a fresh wave of infections related to PassiveNeuron since December 2024 and continuing all the way through August 2025. The campaign remains unattributed at this stage, although some signs point to it being the work of Chinese-speaking threat actors.

In at least one incident, the adversary is said to have gained initial remote command execution capabilities on a compromised machine running Windows Server through Microsoft SQL. While the exact method by which this is achieved is not known, it’s possible that the attackers are either brute-forcing the administration account password, or leveraging an SQL injection flaw in an application running on the server, or an as-yet-undetermined vulnerability in the server software itself.

Regardless of the method used, the attackers attempted to deploy an ASPX web shell to gain basic command execution capabilities. Failing in these efforts, the intrusion witnessed the delivery of advanced implants via a series of DLL loaders placed in the System32 directory. These include –

• Neursite, a bespoke C++ modular backdoor
• NeuralExecutor, a bespoke .NET implant used for download additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets and execute them
• Cobalt Strike, a legitimate adversary simulation tool

Neursite utilizes an embedded configuration to connect to the C2 server and uses TCP, SSL, HTTP and HTTPS protocols for communications. By default, it supports the ability to gather system information, manage running processes, and proxy traffic through other machines infected with the backdoor to enable lateral movement.

The malware also comes fitted with a component to fetch auxiliary plugins to achieve shell command execution, file system management, and TCP socket operations.

Kaspersky also noted that NeuralExecutor variants spotted in 2024 were designed to retrieve the C2 server addresses straight from the configuration, whereas artifacts found this year reach out to a GitHub repository to obtain the C2 server address — a technique referred to as the dead drop resolver technique.

“The PassiveNeuron campaign has been distinctive in the way that it primarily targets server machines,” researchers Georgy Kucherin and Saurabh Sharma said. “These servers, especially the ones exposed to the internet, are usually lucrative targets for [advanced persistent threats], as they can serve as entry points into target organizations.”

Oct 22, 2025Ravie LakshmananVulnerability / Data Protection

Cybersecurity researchers have disclosed details of a high-severity flaw impacting the popular async-tar Rust library and its forks, including tokio-tar, that could result in remote code execution under certain conditions.

The vulnerability, tracked as CVE-2025-62518 (CVSS score: 8.1), has been codenamed TARmageddon by Edera, which discovered the issue in late August 2025. It impacts several widely-used projects, such as testcontainers and wasmCloud.

“In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends,” the Seattle-based security company said.

The problem is compounded by the fact that tokio-tar is essentially abandonware despite attracting thousands of downloads via crates.io. Tokio-tar is a Rust library for asynchronously reading and writing TAR archives built atop the Tokio runtime for the programming language. The Rust crate was last updated on July 15, 2023.

In the absence of a patch for tokio-tar, users relying on the library are advised to migrate to astral-tokio-tar, which has released version 0.5.6 to remediate the flaw.

“Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling,” Astral developer William Woodruff said in an alert.

“When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate TAR headers.”

The issue, in a nutshell, is the result of inconsistent handling when handling PAX extended headers and ustar headers when determining file data boundaries. PAX, short for portable archive interchange, is an extended version of the USTAR format used to store properties of member files in a TAR archive.

The mismatch between a PAX extended headers and ustar headers – where the PAX header correctly specifies the file size, whereas the ustar header incorrectly specifies the file size as zero (instead of the PAX size) – leads to a parsing inconsistency, causing the library to interpret the inner content as additional outer archive entries.

“By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive,” Edera explained. “It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive.”

As a result, an attacker could exploit this behavior to “smuggle” extra archives when the library is processing nested TAR files, thereby making it possible to overwrite files within extraction directories, ultimately paving the way for arbitrary code execution.

In a hypothetical attack scenario, an attacker could upload a specially-crafted package to PyPI such that the outer TAR contains a legitimate pyproject.toml, whereas the hidden inner TAR contains a malicious one that hijacks the build backend and overwrites the actual file during installation.

“While Rust’s guarantees make it significantly harder to introduce memory safety bugs (like buffer overflows or use-after-free), it does not eliminate logic bugs – and this parsing inconsistency is fundamentally a logic flaw,” Edera said. “Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used.”

Oct 22, 2025Ravie LakshmananVulnerability / Network Security

TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution.

The vulnerabilities in question are listed below –

• CVE-2025-6541 (CVSS score: 8.6) – An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands
• CVE-2025-6542 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands
• CVE-2025-7850 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands
• CVE-2025-7851 (CVSS score: 8.7) – An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions

“Attackers may execute arbitrary commands on the device’s underlying operating system,” TP-Link said in an advisory released Tuesday.

The issues impact the following product models and versions –

• ER8411 < 1.3.3 Build 20251013 Rel.44647
• ER7412-M2 < 1.1.0 Build 20251015 Rel.63594
• ER707-M2 < 1.3.1 Build 20251009 Rel.67687
• ER7206 < 2.2.2 Build 20250724 Rel.11109
• ER605 < 2.3.1 Build 20251015 Rel.78291
• ER706W < 1.2.1 Build 20250821 Rel.80909
• ER706W-4G < 1.2.1 Build 20250821 Rel.82492
• ER7212PC < 2.1.3 Build 20251016 Rel.82571
• G36 < 1.1.4 Build 20251015 Rel.84206
• G611 < 1.2.2 Build 20251017 Rel.45512
• FR365 < 1.1.10 Build 20250626 Rel.81746
• FR205 < 1.0.3 Build 20251016 Rel.61376
• FR307-M2 < 1.2.5 Build 20251015 Rel.76743

While TP-Link makes no mention of the flaws being exploited in the wild, it’s advised that users move quickly to download and update to the latest firmware to fix the vulnerabilities.

“Check the configurations of the device after the firmware upgrade to ensure that all settings remain accurate, secure, and aligned with their intended preferences,” it added.

It also noted in a disclaimer that it cannot bear any responsibility for any consequences that may arise if the aforementioned recommended actions are not adhered to.

Oct 21, 2025Ravie LakshmananMalware / Vulnerability

Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge.

PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose.

The TLS-based ELF implant, at its core, is designed to monitor incoming client connections and execute commands within them.

Then, in August 2025, attack surface management platform Censys detailed the infrastructural backbone powering the botnet, with the company noting that PolarEdge exhibits characteristics that are consistent with an Operational Relay Box (ORB) network. There is evidence to suggest that the activity involving the malware may have started as far back as June 2023.

In the attack chains observed in February 2025, the threat actors have been observed exploiting a known security flaw impacting Cisco routers (CVE-2023-20118) to download a shell script named “q” over FTP, which is then responsible for retrieving and executing the PolarEdge backdoor on the compromised system.

“The backdoor’s primary function is to send a host fingerprint to its command-and-control server and then listen for commands over a built-in TLS server implemented with mbedTLS,” the French cybersecurity company said in a technical breakdown of the malware.

PolarEdge is designed to support two modes of operation: a connect-back mode, where the backdoor acts as a TLS client to download a file from a remote server, and debug mode, where the backdoor enters into an interactive mode to modify its configuration (i.e., server information) on-the-fly.

The configuration is embedded in the final 512 bytes of the ELF image, obfuscated by a one-byte XOR that can be decrypted with single-byte key 0x11.

However, its default mode is to function as a TLS server in order to send a host fingerprint to the command-and-control (C2) server and wait for commands to be sent. The TLS server is implemented with mbedTLS v2.8.0 and relies on a custom binary protocol for parsing incoming requests matching specific criteria, including a parameter named “HasCommand.”

If the “HasCommand” parameter equals the ASCII character 1, the backdoor proceeds to extract and run the command specified in the “Command” field and transmits back the raw output of the executed command.

Once launched, PolarEdge also moves (e.g., /usr/bin/wget, /sbin/curl) and deletes certain files (“/share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak”) on the infected device, although the exact purpose behind this step is unclear.

Furthermore, the backdoor incorporates a wide range of anti-analysis techniques to obfuscate information related to the TLS server setup and fingerprinting logic. To evade detection, it employs process masquerading during its initialization phase by choosing from a predefined list a name at random. Some of the names included are: igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp.

“Although the backdoor does not ensure persistence across reboots, it calls fork to spawn a child process that, every 30 seconds, checks whether /proc/<parent-pid> still exists,” Sekoia researchers explained. “If the directory has disappeared, the child executes a shell command to relaunch the backdoor.”

The disclosure comes as Synthient highlighted GhostSocks’ ability to convert compromised devices into SOCKS5 residential proxies. GhostSocks is said to have been first advertised under the malware-as-a-service (MaaS) model on the XSS forum in October 2023.

It’s worth noting that the offering has been integrated into Lumma Stealer as of early 2024, allowing customers of the stealer malware to monetize the compromised devices post-infection.

“GhostSocks provides clients with the ability to build a 32-bit DLL or executable,” Synthient said in a recent analysis. “GhostSocks will attempt to locate a configuration file in %TEMP%. In the scenario that the configuration file cannot be found, it will fall back to a hard-coded config.”

The configuration contains details of the C2 server to which a connection is established for provisioning the SOCKS5 proxy and ultimately spawning a connection using the open-source go-socks5 and yamux libraries.

Oct 21, 2025Ravie LakshmananCryptocurrency / Encryption

Meta on Tuesday said it’s launching new tools to protect Messenger and WhatsApp users from potential scams.

To that end, the company said it’s introducing new warnings on WhatsApp when users attempt to share their screen with an unknown contact during a video call so as to prevent them from giving away sensitive information like bank details or verification codes.

On Messenger, users can opt to enable a setting called “Scam detection” by navigating to Privacy & safety settings. Once it’s turned on, users are alerted when they receive a potentially suspicious message from an unknown connection that may contain signs of a scam.

“Because detection happens on your device, chats with end-to-end encryption stay secure,” Meta said in a support document. “If you’re notified that a chat may contain signs of a scam, we’ll ask if you’d like to send recent messages you received to AI review. Messages that are shared with AI are no longer end-to-end encrypted.”

If the review finds that it’s indeed a possible scam, users are given more information about common scams, such as job offers in exchange for money, opportunities promising fast cash, and work-from-home offers for jobs that can’t possibly be done remotely. Users are also provided options to block or report the account in question.

As part of its ongoing efforts to combat scams, the social media giant said it took action on over 21,000 Facebook Pages and accounts masquerading as customer support in an attempt to trick people into sharing their personal information.

In addition, Meta said it detected and disrupted close to 8 million accounts on Facebook and Instagram since the start of the year that are associated with criminal scam centers targeting people, including the elderly, across the world through messaging, dating apps, social media, crypto, and other apps. The scam compounds operated out of Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines.

These schemes, often called romance baiting (aka pig butchering), are run by cybercrime syndicates based out of Southeast Asia and refer to a type of investment fraud where criminals entice victims into depositing ever-larger sums into bogus platforms with promises of bigger returns.

In many of the cases, the scammers – who are themselves trafficked into the region with lures of high-paying jobs and held against their will – initiate contact with victims through dating apps, social media platforms, or private messaging services like WhatsApp.

Once they establish rapport, the operation moves to the next phase, with the threat actors steering victims toward supposed investment opportunities, often tied to cryptocurrencies, and deceiving them into depositing their funds and ultimately disappearing without a trace.

“Central to the scam is psychological manipulation: perpetrators cultivate emotional bonds, instill confidence, and in some cases even simulate romantic relationships,” Infoblox noted in an analysis published earlier this month. “This drawn-out grooming process lowers victims’ defenses and primes them to believe in promises of extraordinary returns, leading to devastating financial losses.”

Artificial intelligence (AI) holds tremendous promise for improving cyber defense and making the lives of security practitioners easier. It can help teams cut through alert fatigue, spot patterns faster, and bring a level of scale that human analysts alone can’t match. But realizing that potential depends on securing the systems that make it possible.

Every organization experimenting with AI in security operations is, knowingly or not, expanding its attack surface. Without clear governance, strong identity controls, and visibility into how AI makes its decisions, even well-intentioned deployments can create risk faster than they reduce it. To truly benefit from AI, defenders need to approach securing it with the same rigor they apply to any other critical system. That means establishing trust in the data it learns from, accountability for the actions it takes, and oversight for the outcomes it produces. When secured correctly, AI can amplify human capability instead of replacing it to help practitioners work smarter, respond faster, and defend more effectively.

Establishing Trust for Agentic AI Systems

As organizations begin to integrate AI into defensive workflows, identity security becomes the foundation for trust. Every model, script, or autonomous agent operating in a production environment now represents a new identity — one capable of accessing data, issuing commands, and influencing defensive outcomes. If those identities aren’t properly governed, the tools meant to strengthen security can quietly become sources of risk.

The emergence of Agentic AI systems make this especially important. These systems don’t just analyze; they may act without human intervention. They triage alerts, enrich context, or trigger response playbooks under delegated authority from human operators. Each action is, in effect, a transaction of trust. That trust must be bound to identity, authenticated through policy, and auditable end to end.

The same principles that secure people and services must now apply to AI agents:

• Scoped credentials and least privilege to ensure every model or agent can access only the data and functions required for its task.
• Strong authentication and key rotation to prevent impersonation or credential leakage.
• Activity provenance and audit logging so every AI-initiated action can be traced, validated, and reversed if necessary.
• Segmentation and isolation to prevent cross-agent access, ensuring that one compromised process cannot influence others.

In practice, this means treating every agentic AI system as a first-class identity within your IAM framework. Each should have a defined owner, lifecycle policy, and monitoring scope just like any user or service account. Defensive teams should continuously verify what those agents can do, not just what they were intended to do, because capability often drifts faster than design. With identity established as the foundation, defenders can then turn their attention to securing the broader system.

Securing AI: Best Practices for Success

Securing AI begins with protecting the systems that make it possible — the models, data pipelines, and integrations now woven into everyday security operations. Just as

The SANS Secure AI Blueprint outlines a Protect AI track that provides a clear starting point. Built on the SANS Critical AI Security Guidelines, the blueprint defines six control domains that translate directly into practice:

• Access Controls: Apply least privilege and strong authentication to every model, dataset, and API. Log and review access continuously to prevent unauthorized use.
• Data Controls: Validate, sanitize, and classify all data used for training, augmentation, or inference. Secure storage and lineage tracking reduce the risk of model poisoning or data leakage.
• Deployment Strategies: Harden AI pipelines and environments with sandboxing, CI/CD gating, and red-teaming before release. Treat deployment as a controlled, auditable event, not an experiment.
• Inference Security: Protect models from prompt injection and misuse by enforcing input/output validation, guardrails, and escalation paths for high-impact actions.
• Monitoring: Continuously observe model behavior and output for drift, anomalies, and signs of compromise. Effective telemetry allows defenders to detect manipulation before it spreads.
• Model Security: Version, sign, and integrity-check models throughout their lifecycle to ensure authenticity and prevent unauthorized swaps or retraining.

These controls align directly NIST’s AI Risk Management Framework and the OWASP Top 10 for LLMs, which highlights the most common and consequential vulnerabilities in AI systems — from prompt injection and insecure plugin integrations to model poisoning and data exposure. Applying mitigations from those frameworks inside these six domains helps translate guidance into operational defense. Once these foundations are in place, teams can focus on using AI responsibly by knowing when to trust automation and when to keep humans in the loop.

Balancing Augmentation and Automation

AI systems are capable of assisting human practitioners like an intern that never sleeps. However, it is critical for security teams to differentiate what to automate from what to augment. Some tasks benefit from full automation, especially those that are repeatable, measurable, and low-risk if an error occurs. However, others demand direct human oversight because context, intuition, or ethics matter more than speed.

Threat enrichment, log parsing, and alert deduplication are prime candidates for automation. These are data-heavy, pattern-driven processes where consistency outperforms creativity. By contrast, incident scoping, attribution, and response decisions rely on context that AI cannot fully grasp. Here, AI should assist by surfacing indicators, suggesting next steps, or summarizing findings while practitioners retain decision authority.

Finding that balance requires maturity in process design. Security teams should categorize workflows by their tolerance for error and the cost of automation failure. Wherever the risk of false positives or missed nuance is high, keep humans in the loop. Wherever precision can be objectively measured, let AI accelerate the work.

Join us at SANS Surge 2026!

I’ll dive deeper into this topic during my keynote at SANS Surge 2026 (Feb. 23-28, 2026), where we’ll explore how security teams can ensure AI systems are safe to depend on. If your organization is moving fast on AI adoption, this event will help you move more securely. Join us to connect with peers, learn from experts, and see what secure AI in practice really looks like.

Register for SANS Surge 2026 here.

Note: This article was contributed by Frank Kim, SANS Institute Fellow.

Oct 21, 2025Ravie LakshmananCyber Espionage / Network Security

A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon.

The organization, per Darktrace, was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access.

Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. Known to be active since 2019, the group gained prominence last year following its attacks on telecommunications services providers, energy networks, and government systems in the U.S.

The adversary has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across North America, Europe, the Middle East, and Africa.

In the incident observed against the European telecommunications entity, the attackers are said to have leveraged the foothold to pivot to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet, while also using SoftEther VPN to obscure their true origins.

One of the malware families delivered as part of the attack is Snappybee (aka Deed RAT), a suspected successor to the ShadowPad (aka PoisonPlug) malware that has been deployed in prior Salt Typhoon attacks. The malware is launched by means of a technique called DLL side-loading, which has been adopted by a number of Chinese hacking groups over the years.

“The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace said. “This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads.”

The malware is designed to contact an external server (“aar.gandhibludtric[.]com”) over HTTP and an unidentified TCP-based protocol. Darktrace said the intrusion activity was identified and remediated before it could escalate further.

“Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools,” the company added. “The evolving nature of Salt Typhoon’s tradecraft, and its ability to repurpose trusted software and infrastructure, ensures it will remain difficult to detect using conventional methods alone.”