More than 1 Billion AI Agents Spawn a Vast New Cyber Attack Surface: SandboxAQ Launches new platform to address the threat

Posted in Commentary with tags on April 22, 2025 by itnerd

SandboxAQ today announced the general availability of AQtive Guard, a groundbreaking platform designed to manage and secure Non-Human Identities (NHIs) and other cryptographic assets used by AI agents – both friendly and malevolent – that are surging across enterprise environments.

As billions of AI agents flood enterprise ecosystems, organizations are facing an unprecedented surge of intelligent, adaptive cyber threats capable of continuously probing networks, evading detection, and rapidly exploiting vulnerabilities. This escalating threat demands proactive, AI-driven cryptographic defenses to counteract attacks that evolve faster than traditional security measures can respond.

AQtive Guard’s Discover module enables organizations to maintain an accurate inventory and control over both NHIs and cryptographic assets such as keys, certificates, algorithms, and libraries, and is crucial for compliance and meeting regulatory mandates. AQtive Guard’s Protect orchestrates automated remediation workflows and enforces protection policies such as credential rotation or certificate renewal.

Leveraging its industry-leading Large Quantitative Models (LQMs), AQtive Guard’s Discover and Protect modules provide organizations with unprecedented visibility, control and remediation, addressing the escalating challenges of machine-to-machine communication security, compliance pressures, and the transition to the new NIST security standards.

As part of the launch, SandboxAQ also announced two key capabilities:

  • Robust integration with the CrowdStrike Falcon® cybersecurity platform, representing SandboxAQ’s deepest technical integration to date. AQtive Guard empowers joint customers with full visibility into their non-human identity and cryptographic inventories and vulnerabilities by pulling data directly from CrowdStrike endpoints. One-click ingestion translates to value from the first hour of use. AQtive Guard can then remediate the vulnerabilities as they are identified.
  • Interoperability with Palo Alto Networks, a trusted name in enterprise security solutions. SandboxAQ is ingesting Palo Alto Networks’ firewall logs directly into AQtive Guard, resulting in key visibility improvements for network security posture, vulnerability detection, and security compliance.

AQtive Guard addresses these challenges by providing a unified, AI-driven solution for modern NHI and cryptography management. The platform offers:

  • Vulnerability Detection and Inventory: Builds a complete and continuously updated inventory by integrating data from multiple sources, including existing data and meta-information captured from existing cybersecurity platforms and configuration management database tools. AQtive Guard works across the leading cloud providers including Amazon Web Services (AWS) and Google Cloud (GCP). This unified global inventory forms the crucial foundation for LQM analysis.
  • AI-powered Insights, Prioritization and Risk Analysis: Applies SandboxAQ’s industry-leading Cyber LQM to the unified inventory. By leveraging meta-data for advanced filtering and clustering, the platform enables efficient, noiseless exploration and accurate root-cause analysis, and delivers prioritized, actionable insights with contextual guidance for remediation and risk reduction, effectively reducing false positives. An integrated GenAI assistant further supports teams in understanding how to navigate relevant standards and regulatory frameworks.
  • Automated Remediation and Lifecycle Management: Streamlines and automates the entire lifecycle of identities and cryptographic keys – including issuance, rotation, and revocation – reducing manual overhead and minimizing the risk associated with stale or compromised secrets.
  • Compliance and NIST Standards: Provides targeted remediation recommendations, a powerful query engine with pre-built rulesets for major compliance standards (and custom query capabilities), and robust reporting to demonstrate compliance and significantly accelerate migration to new NIST standards.

Priority Access Starts Today: AQtive Guard launches today as a fully managed, cloud-delivered platform built for rapid deployment and immediate impact in securing cryptographic assets and nonhuman identities. Organizations can secure priority access today for early deployment and risk assessments. Take control at aqtiveguard.com or contact sales@sandboxaq.com.

Email Remains Primary Gateway for Disinformation and Cyberattacks in 2025 According to New Report from Valimail

Posted in Commentary with tags on April 22, 2025 by itnerd

Valimail today released its “2025 Disinformation and Malicious Email Report,” revealing that email continues to be the most exploited attack vector for cybercriminals and disinformation campaigns, with artificial intelligence dramatically increasing the sophistication of these threats.

In an era marked by widespread disinformation, trust in digital communications is eroding. Malicious actors are increasingly exploiting email to impersonate brands, launch phishing campaigns, and spread false information—often using sophisticated methods made simpler by emerging technologies. This environment calls for a layered approach to email protection.

Email authentication is the foundational, cost-effective defense that can significantly curb many of these malicious attempts at their source, providing future-proof protection that can scale. Additionally, DMARC uniquely protects outbound email to partners and clients thereby offering brand and compliance protection.

The report reveals considerable variation in email authentication implementations across industries:

  • Online Retail leads with 94% of surveyed domains having implemented basic email authentication measures
  • Financial Services shows strong adoption (80%) but one-third of domains lack enforcement policies that actually prevent spoofing
  • Higher Education faces significant challenges with nearly two-thirds of domains unable to prevent impersonation attacks
  • Healthcare lags behind with just over one-third having implemented only the bare-minimum, non-protective DMARC policy of p=none
  • Information Technology shows concerning gaps with nearly a third of surveyed domains lacking the ability to prevent the use of their domain name in spoofed email messages
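The tiers in the list above (no DMARC record, a monitor-only p=none record, and a policy that actually stops spoofing) are exactly what a domain inventory has to tell apart. The Python below is an added example, not Valimail's checker or any code from the report: it parses DMARC TXT records into their tags and classifies each domain, and it goes one step beyond the list by also flagging partially enforced records (pct below 100, or sp=none leaving subdomains open). The domain names and records are constructed samples; a real inventory would obtain each record with a DNS TXT lookup of `_dmarc.<domain>`.

```python
from typing import Dict, Optional

# Constructed sample records for hypothetical domains (not real DNS data),
# keyed by domain. None stands for "no _dmarc TXT record published at all".
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "retail.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retail.example",
    "bank.example": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "clinic.example": "v=DMARC1; p=none; rua=mailto:reports@clinic.example",
    "university.example": None,
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "subdomains.example": "v=DMARC1; p=reject; sp=none",
    "broken.example": "v=spf1 include:_spf.broken.example -all",
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into its tag=value pairs.

    Returns None when the record is absent, has a malformed tag, or is not a
    DMARC record (RFC 7489 requires it to begin with v=DMARC1).
    """
    if record is None:
        return None
    if not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: Optional[str]) -> str:
    """Map a record to an enforcement tier.

    missing      - no record at all
    invalid      - unparsable, not DMARC, or no p= tag
    monitor-only - p=none: reports arrive, but spoofed mail is still delivered
    partial      - enforcing policy weakened by pct<100 or sp=none
    enforced     - quarantine/reject applied to all mail, subdomains included
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if pct < 100 or subdomain_policy == "none":
        return "partial"
    return "enforced"


def prevents_spoofing(record: Optional[str]) -> bool:
    """True only when unaligned mail is quarantined or rejected everywhere."""
    return classify(record) == "enforced"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per tier, the shape of the per-industry figures above."""
    counts: Dict[str, int] = {}
    for rec in records.values():
        tier = classify(rec)
        counts[tier] = counts.get(tier, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

The split into "partial" matters in practice: a record with p=reject looks enforced at a glance, yet pct=10 leaves ninety percent of spoofed mail untouched and sp=none leaves every subdomain unprotected, so a posture report that only reads the p= tag overstates coverage.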

Several alarming trends are highlighted within the report, including:

  • Rising threat sophistication: AI-generated emails more than ever now convincingly mimic legitimate communications, dramatically increasing the success rate of phishing and spoofing attacks.
  • Cross-industry vulnerability: Every sector from financial services to healthcare, government, and education faces significant email-based threats, with varying levels of preparedness.
  • Protection gap: While more than 7.2 million domains have implemented some form of email authentication, approximately half remain insufficiently protected against domain spoofing.

Despite these growing threats, the report shows that Domain-based Message Authentication, Reporting, and Conformance (DMARC) continues to be a highly effective approach that can authoritatively prevent the most pernicious spoofing attacks when properly implemented.

Industry, government, and regulatory bodies worldwide are increasingly mandating DMARC compliance for industries handling sensitive data, such as finance and healthcare. Major email providers like Google, Yahoo and Microsoft require email senders to implement DMARC, improving deliverability and reputation for compliant organizations. Failing to comply with DMARC mandates can result in penalties, reduced deliverability, and reputational damage.

Valimail offers free resources for organizations to check their email security status through the Valimail DMARC Checker and provides DMARC reporting visibility through its Monitor solution.

The full “2025 Disinformation and Malicious Email Report” can be accessed here.

Microsoft Entra Account Lockouts Caused by User Token Logging Mistake

Posted in Commentary with tags on April 22, 2025 by itnerd

From the “Oops” department comes this story. Microsoft has reported that the Entra account lockouts over the weekend were caused by the invalidation of user refresh tokens that had mistakenly been logged into internal systems.

More details here: https://www.reddit.com/r/sysadmin/comments/1k2pmkz/comment/mo33q3f/

On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens. The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers. As part of the invalidation process, we inadvertently generated alerts in Entra ID Protection indicating the user’s credentials may have been compromised. These alerts were sent between 4/20/25 4AM UTC and 4/20/25 9AM UTC. We have no indication of unauthorized access to these tokens – and if we determine there was any unauthorized access, we will invoke our standard security incident response and communication processes.

Jim Routh, Chief Trust Officer at Saviynt, commented:

“It is not often that the identification of security vulnerabilities within a commonly used platform, which caused business disruption for some Microsoft enterprise customers, has some positive attributes for enterprises. The positive news is that the disruption occurred over the weekend, and today (Monday), customers have the facts along with the fix (corrective actions) necessary for recovery. The vulnerability and the action taken (token invalidation) were ultimately shared by Microsoft in an advisory relatively quickly. This is a sign of health or resilience despite the inconvenience to some enterprise customers over the weekend.”

I’ll give Microsoft credit for discovering this, fixing this, and admitting to it quickly. Hopefully something like this never happens again as this had the possibility of not ending well on multiple fronts.

New Research from Cloud Security Alliance Highlights Critical Need for a More Unified, Purpose-built Approach to SaaS Security

Posted in Commentary with tags on April 22, 2025 by itnerd

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the State of SaaS Security Report: Trends and Insights for 2025-2026, which examines the current state of SaaS security to uncover key challenges and explore how organizations are securing and managing their SaaS environments. The findings underscore the urgency for organizations to shift their SaaS security to a more unified, purpose-built approach. Current approaches to SaaS security are not enough.

Commissioned by Valence Security, the leader in SaaS security, the survey set out to determine the current state of SaaS security, uncover key challenges, and explore how organizations are securing and managing their SaaS environments.

SaaS security strategies cannot keep pace with the growing complexity of the SaaS landscape, remaining fragmented, reactive, and incomplete. Despite heightened awareness of the critical need for strong SaaS security, organizations must move beyond ad hoc, app-by-app controls to close the gap between rising investments and actual capabilities—adopting a more unified approach that addresses core challenges like discovery, posture management, threat detection, and risk remediation.

The report’s key findings include:

  • SaaS security is a top priority for 86% of organizations, with 76% of respondents saying they are increasing their budgets this year.
  • Despite organizations committing more resources to SaaS security, data oversharing (63%) and poor access control (56%) continue to expose them to risk, suggesting that many are still unable to establish the fundamental protections needed to secure sensitive data across their environments.
  • 79% of organizations expressed confidence in their programs. This high confidence level may be masking critical capability gaps with 55% of respondents sharing that employees are adopting SaaS tools without security’s involvement and 57% reporting they are grappling with fragmented SaaS security administration.
  • IAM remains a challenge. 58% of respondents said enforcing proper privilege levels was difficult, and 54% lacked automation for lifecycle management—gaps which directly contribute to breaches, complicate incident response, and leave organizations exposed.
  • SaaS-to-SaaS integrations and GenAI tools are expanding the attack surface, leaving nearly half of organizations (46%) struggling to monitor non-human identities (NHIs) and 56% concerned with over-privileged API access.
  • Too many organizations are relying on fragmented strategies, such as vendor-native tools (69%), general-purpose solutions like Cloud Access Security Brokers (CASBs) (43%), and manual audits (46%), resulting in critical gaps across the SaaS environment that will only widen as these systems become more complex.

The survey was conducted online by CSA in January 2025 and received 420 responses from IT and security professionals representing large organizations in various industries and locations. CSA’s research analysts performed the data analysis and interpretation for this report. Sponsors are CSA Corporate Members who support the research project’s findings but have no added influence on the content development or editing rights of CSA research.

Review the full State of SaaS Security Report: Trends and Insights for 2025-2026.

Abstract Security Launches ASTRO (Abstract Security Threat Research Organization) Pioneering the Next Frontier in Cyber Defense

Posted in Commentary with tags on April 22, 2025 by itnerd

Abstract Security today announced the launch of ASTRO (Abstract Security Threat Research Organization), aimed at redefining how companies detect, understand, and counter the most sophisticated cyber threats of the 21st century. ASTRO was formed by a coalition of cyber defenders, threat hunters and incident responders that have spent decades responding to real world incidents.

ASTRO provides high-powered capabilities to customers across the Abstract Platform by:

  • Delivering Filtering, Aggregation, Transformation and Enrichment actions (FATE), to surface the signals that matter most, empowering analysts, defenders, and cyber operations teams to move faster and smarter.
  • Embedding Abstract Security Engineer (ASE), the company’s advanced intelligence engine, with the team’s expertise to empower security analysts. Abstract utilizes the latest advancements of GenAI, machine learning, expert systems and automation for this critical capability.
  • Detecting the latest risks and threats with Abstract’s Streaming Threat Detection Engine with criteria covering the entire attack surface of Cloud, SaaS, Network and Endpoint.
  • Integrating data sources and destinations with Abstract Security’s Platform, to collect the most relevant events, context and data to provide the most complete situational awareness.

Abstract’s ASTRO team has played pivotal roles in the evolution of threat intelligence and response — from early careers at organizations such as CERT.org and NCFTA to leading positions at Equifax, Blackberry, Palo Alto Networks Unit 42, the Secureworks Counter Threat Unit, Sumo Logic, and Anomali. This collective experience fuels ASTRO’s mission “to protect the future by pioneering all-source data, threat, detection, and response analytics across today’s most critical environments.”

Abstract’s ASTRO team provides customers with insight into the thousands of IoT/smart devices that connect to the network, plus the full set of SaaS applications in use, so that everything happening in the environment is detected and bad actors and nefarious activity can be located. ASTRO embeds the Abstract Security Engineer (ASE) technology, which uses GenAI and machine learning together with expert systems and automation, and trains ASE with the team’s extensive experience across cybersecurity.

For additional insight, please see ASTRO’s latest blog: The Invisible Enemy: Unmasking Microsoft 365’s Logging Blind Spots.

Darktrace uncovers new malware campaign targeting Docker environments

Posted in Commentary with tags on April 22, 2025 by itnerd

Darktrace researchers have uncovered a new sophisticated malware campaign targeting Docker environments. The new malware variant connects out to a legitimate crypto website which allows users to join a decentralized network and run a social media scraping node in exchange for private crypto tokens. The malware simply connects out to the crypto site and sends signals between the systems to gain more and more crypto tokens.

In this campaign, threat actors were also observed using unique obfuscation techniques, hiding this malicious code under 63 layers to evade detection.

You can find out more here: http://www.darktrace.com/blog/obfuscation-overdrive-next-gen-cryptojacking-with-layers

Google OAuth Abused by Phishers to Spoof Google in DKIM Replay Attack

Posted in Commentary with tags on April 21, 2025 by itnerd

In a novel attack, hackers are sending fake emails that appear to come from Google’s systems – no-reply@google.com – bypassing all verifications and the DomainKeys Identified Mail (DKIM) authentication method and pointing to a fraudulent page that collects logins.

You can get more details about this here: https://threadreaderapp.com/thread/1912439023982834120.html

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“DMARC, DKIM, and SPF all focus on the DNS domain involved. The “email address” portion can change and the DMARC, DKIM, and SPF check will be just fine. So, if I can get an email sent from a common, global domain like google.com or hotmail.com, I can get nearly any email address name I like (e.g., the realbillgates@gmail.com) and it’s going to pass the checks.

DMARC, DKIM, and SPF should be understood this way: I claim to be from this and this domain (e.g., google.com) and if I pass the checks, I really am from that claimed domain. The user still has to look at the entire email address (friendly name and domain name) and figure out if it is or isn’t legitimate for the domain being claimed. On top of that, malicious scammers deploy DMARC, DKIM, and SPF at higher rates than non-scammers. Scammers early on decided that they needed all the domains they used to have DMARC, DKIM, and SPF enabled so their scammy email didn’t end up in the Junk Mail, Spam folder, or be rejected and never make it to the end-user. To that end, DMARC, DKIM, and SPF have been a total success. And at the same time it is a victim of its own success, with scammers using it even more than legitimate senders.”

I have certainly seen this with this attack that makes refund scam emails look like they are coming from Microsoft. Thus I am not shocked that this is happening on the Google side of the fence. And I fully expect to see more of this sort of thing going forward.
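Grimes’ point above is that SPF, DKIM and DMARC vouch for the domain in the From address and nothing else: the local part and the “friendly name” are outside their scope. The Python below is an added illustration, not code from KnowBe4 or from the thread linked above. It applies the DMARC pass rule (an authenticated DKIM d= or SPF domain that aligns with the From domain, in relaxed or strict mode) to a message header, then runs the separate display-name check a mail filter or a user has to do by hand. The headers and authentication results are constructed samples, and the organizational-domain helper is a two-label shortcut standing in for the Public Suffix List that a real implementation would use.

```python
import re
from email.utils import parseaddr


def org_domain(domain: str, depth: int = 2) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption: production code consults the Public Suffix List as RFC 7489
    describes; this shortcut is wrong for registries such as co.uk.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-depth:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact domain match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_header, dkim=None, spf=None, adkim="r", aspf="r"):
    """Apply the DMARC pass rule to one message.

    dkim and spf are (domain, passed) tuples: the DKIM d= tag and the SPF
    MAIL FROM domain with their verification outcome. Only the domain of the
    RFC5322.From address takes part; the local part and display name never do.
    """
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    dkim_ok = bool(dkim) and dkim[1] and aligned(from_domain, dkim[0], adkim)
    spf_ok = bool(spf) and spf[1] and aligned(from_domain, spf[0], aspf)
    return {"from_domain": from_domain, "dmarc_pass": bool(dkim_ok or spf_ok)}


def display_name_warnings(from_header, watched_domains=("google.com", "microsoft.com")):
    """The check DMARC does not do: does the friendly name claim a different
    sender than the real From domain? watched_domains is a constructed list of
    brands worth protecting; a deployment would use its own."""
    name, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    warnings = []
    # An address hidden inside the display name whose domain is not the sender's.
    for embedded in re.findall(r"[\w.+-]+@([\w.-]+)", name):
        if org_domain(embedded) != org_domain(from_domain):
            warnings.append(f"display name embeds an address at {embedded}, "
                            f"but the sender domain is {from_domain}")
    # A watched brand named in the display name while the mail comes from elsewhere.
    for brand in watched_domains:
        if brand in name.lower() and org_domain(brand) != org_domain(from_domain):
            warnings.append(f"display name mentions {brand}, "
                            f"but the sender domain is {from_domain}")
    return warnings


if __name__ == "__main__":
    # Constructed samples: a genuine google.com sender, a free-mail address with a
    # chosen local part, a third-party sender whose display name carries a brand.
    print(evaluate("Google <no-reply@google.com>", dkim=("google.com", True)))
    print(evaluate('"Bill Gates" <therealbillgates@gmail.com>', dkim=("gmail.com", True)))
    print(evaluate("Google Security <alerts@google.com>", dkim=("mailer.example", True)))
    print(display_name_warnings('"support@microsoft.com" <refund-desk@mailer.example>'))
```

Running it shows the two halves of the quote: the gmail.com message passes DMARC no matter what its local part says, because the domain really did send it, while the mailer.example message passes DMARC too and is only caught by the display-name check.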

Introducing Rogers Xfinity Multiview: Watch multiple 2025 Stanley Cup Playoff games all on one screen

Posted in Commentary with tags on April 21, 2025 by itnerd

As the first round of the 2025 Stanley Cup Playoffs heats up, Rogers announced today a preview of Rogers Xfinity Multiview, a new service that gives Canadian hockey fans the chance to watch two games at once – all on the same screen.

Rogers Xfinity Multiview will launch on select nights throughout the first round of the 2025 Stanley Cup Playoffs starting Monday, April 21 at 9:30 p.m. ET. Customers just need to say “Multiview” into their award-winning voice remote to enjoy side-by-side coverage, with the ability to switch audio and add captions.

These exclusive events are a free preview of the new Rogers Xfinity Multiview experience, starting with this year’s 2025 Stanley Cup Playoffs. Rogers plans to continue building on its Rogers Xfinity Multiview experience, including the ability to watch up to four live events at the same time, increasing the number of sports, and the ability for customers to build their own Multiview experience.

Starting tonight, customers can experience these matchups using Rogers Xfinity Multiview:

  • April 21: Colorado at Dallas (9:30 p.m. ET) and Edmonton at Los Angeles (10 p.m. ET)
  • April 22: New Jersey at Carolina (6 p.m. ET) and Ottawa at Toronto (7:30 p.m. ET), Florida at Tampa Bay (8:30 p.m. ET) and Minnesota at Vegas (11 p.m. ET)
  • April 23: Dallas at Colorado (9:30 p.m. ET) and Edmonton at Los Angeles (10 p.m. ET)
  • April 24: Florida at Tampa Bay (6:30 p.m. ET) and Toronto at Ottawa (7 p.m. ET), Vegas at Minnesota (9 p.m. ET) and Winnipeg at St. Louis (9:30 p.m. ET)
  • April 25: Washington at Montreal (7 p.m. ET) and Carolina at New Jersey (8 p.m. ET)

Sportsnet is the place to catch all the 2025 Stanley Cup playoff action and Rogers Xfinity gives Canadians the best seat in the house. To learn more about Rogers Xfinity visit rogers.com/xfinity.

Is There An Issue With Apple TV+ Where User Accounts Are Being Locked Right After Purchasing?

Posted in Commentary with tags on April 21, 2025 by itnerd

I am asking this question because a reader of this blog pinged me via email on Sunday asking this question and directing me towards this Reddit thread which has a few people who have lodged complaints about their Apple TV+ accounts being locked hours or days after signing up for the service. I have to admit that I have not heard of this issue, but a quick search found this thread on Apple’s own support forums. Not to mention this and this on Reddit. All of which have similar enough experiences to get my attention.

Now Apple does have this support document that offers some advice in terms of dealing with this issue. But given that these Reddit and Apple Support Forum posts exist, I wonder how effective this document is. Thus I am asking for your help on this. Have you had this issue? If so, how did you fix it? Or have you not fixed it? I’d love to figure out how widespread this problem is. Leave your feedback in the comments and let’s get a discussion going.

Tom Whaley Joins Hammerspace as Head of Americas Sales

Posted in Commentary with tags on April 21, 2025 by itnerd

Hammerspace today announced the appointment of Tom Whaley as its Vice President of Americas Sales. He joins the company from WEKA with an extensive sales leadership history focusing on revenue delivery at organizations including VAST Data, mParticle and NetApp.

With over 20 years of experience focusing on Fortune 500 customers, Whaley excels in guiding sales strategy and execution centered around customers’ changing business and technical needs, with a track record of delivering consistent year-over-year revenue growth.

Whaley’s appointment comes at a time of unprecedented growth at Hammerspace. Recently, the company announced several of its strategic venture investors who invested $100 million in new growth capital in Hammerspace. The company has also rapidly bolstered its global sales team with top performers as demand surges for its Data Platform as the future of AI and hybrid cloud storage.

Today’s enterprises are challenged by the need to optimize high-performance data access for AI workloads, scale their infrastructure efficiently, and manage complex, distributed data environments. Hammerspace’s award-winning Data Platform delivers a competitive edge across every dimension of unstructured data: storage, access, movement and deployment. Whether training thousands of GPUs on-premises or in the cloud, deploying large-scale inference or maximizing NVMe performance in local GPU servers, Hammerspace is purpose-built to unleash data performance at scale.

Whaley stated that Hammerspace’s technology and culture were what drew him to the company.

Current open positions at Hammerspace are available on its Careers page.