The mantra, “be our guest,” indeed makes visitors feel welcome, but the hacking group dubbed Nullbulge reportedly got a little too comfortable inside Disney’s network and accessed, “spreadsheets outlining aspects of the company's financials, Disney Cruise employees' passport numbers, and login credentials to cloud software.”
A massive cyberattack on a global brand elicits much fear and curiosity, so it’s no surprise that many industry leaders have been sharing their perspectives as the story unfolds. One post penned by Dr. Erdal Ozkaya points out that the likely root cause of the issue was a targeted phishing campaign that allowed malicious actors to exploit vulnerabilities in endpoint systems and exfiltrate sensitive data.
Ozkaya’s post reminded me of two things: First, during the RSAC 365 Virtual Seminar on the Intersection of AI & Security, phishing stood out as one way that adversaries are using AI to advance their goals. As these technologies allow malicious actors to craft more sophisticated messages, the content is becoming more polished and more difficult for victims to detect. As a result, we are seeing more scams but also more efforts to protect against weaponized AI.
That’s where my second thought comes in. I watched a short snippet of Robert Lee, CEO & Founder of Dragos who joined S4xEvents to explain that “defense is doable.” It’s a perspective that I love and quite frankly one that has been echoed in almost every conversation I’ve had with Robert Lee and his colleague, Lesley Carhart (both of whom have had RSAC Top Rated Sessions). Lee referenced a mid-sized company that was targeted by a well-known threat actor who did not gain access to the company’s networks because they had prioritized basic cybersecurity protocols.
And that got me thinking: there must be others out there who have these success stories! You have cybersecurity knowledge to share. RSA Conference has the platform to share it. By sharing our ideas, we strengthen the community. Put your expertise into a speaking proposal for RSA Conference 2025. Answer the Call for Submissions by September 27!
Now let’s take a look at what else made industry headlines this week.
Sept. 6: Transport for London has cut some live data feeds to some travel apps amid a cyberattack.
Sept. 5: A North Carolina man allegedly swindled $10 million in song royalties by streaming AI-generated songs billions of times on multiple music streaming apps.
Sept. 5: A 19-year-old resident of Milton Keynes, England, recently pleaded guilty to operating an online service that helped criminals access people's bank accounts.
Sept. 4: The US FBI warned individuals of the ongoing and aggressive attacks designed to steal cryptocurrency.
Sept. 4: “The FBI seized 32 web domains used by the Doppelganger Russian-linked influence operation network in a disinformation campaign targeting the American public,” Bleeping Computer reported.
Sept. 3: This week, the White House Officer of the National Cyber Director released a roadmap to improve internet security by addressing Border Gateway Protocol vulnerabilities.
Sept. 3: Columbus, Ohio, recently sued a researcher who disclosed the extent of a ransomware attack that the city had suffered.
Sept. 2: Fota Wildlife Park in Ireland warned customers to cancel their credit cards following a data breach.
Sept. 2: The RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims.