Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

AI-assisted phishing attacks pose a significant and increasing threat to organizations, according to Matt Weidman, partner and vice president of Commercial Property & Casualty at USIA. In an article for CBIA, Weidman explains that attackers can use AI tools to craft targeted, convincing phishing messages that are almost indistinguishable from the real thing.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! Plaintext? Really?

The APT group known as Librarian Ghouls has managed to infiltrate the networks of technical universities and industrial companies in Russia, Belarus, and Kazakhstan without arousing suspicion. How did the gang get inside? By using legitimate logins and moving laterally through internal networks, relying on legitimate access credentials without generating alerts.

As AI transforms software development, AppSec teams face new complexities. For instance, the lack of visibility into where AI is being used and the reality that AI-generated code is often highly vulnerable make it nearly impossible to prioritize remediation and effectively scale security programs. To succeed, AppSec teams have to evolve from task managers to strategic governance enforcers.

Company overview: Labelbox is the leading data factory for delivering high-quality, frontier data to top AI labs and enterprise AI teams.

In cybersecurity, several related but divergent meanings have been ascribed to the phrase “red flags.” The phrase has roots in fraud and insurance, popularized by the FTC as part of the 2003 Red Flags Rule under the Fair and Accurate Credit Transactions Act requiring credit issuers to build programs that detect identity theft via warning signs of fraud.

Delivering safe and reliable power around the clock is a huge challenge. A task made even more difficult by the sharp rise in cyberattacks on the energy and utilities sector. Recent research from Trustwave SpiderLabs found that cyber threats against the sector have surged by 80% year-over-year, costing organizations nearly half a million dollars more per breach than the cross-industry average of $4.8 million.

Across financial services operations, machine identities play critical roles, but in many organizations, these cryptographic keys, API tokens, certificates, and service accounts remain chronically under-governed. What’s more, machine identities outnumber human identities by staggering margins, creating a massive, often unseen, unsecured attack surface—one that’s only further compounded by the rise of artificial intelligence (AI).

What if we told you that our newly released API Scanner has 922 quintillion payloads for a single type of vulnerability test? A quintillion is a billion billion – an immense number that highlights the limitations of traditional API security testing. Old methods like relying on signatures, vulnerability-specific payloads, or a fixed set of fuzzing inputs just aren’t enough anymore, especially when dealing with custom-built software and unique API endpoints.

Think of how painful it would be to spend a few weeks creating a mobile app to watch users abandon it because of a faulty update or chronic feature rollout. Your coders are fed up. Your QA team is flooded. And with every release, it is a tightrope walk with the blindfold on. That is the sad state of mobile app development without CI/CD. But here is what you can imagine: whenever your team pushes code, a test, a build, and a deploy happen automatically. No eleventh-hour rush. No delays.