Malicious ML Models on Hugging Face Leverage Broken Pickle Format to Evade Detection - Related to kills:, ransomware, detection, format, models

How AI-driven SOC co-pilots will change security center operations

Have you ever wished you had an assistant at your security operations centers (SOCs) — especially one who never calls in sick. Has a bad day or takes a long lunch? Your wish may come true soon. Not surprisingly, AI-driven SOC “co-pilots” are topping the lists for cybersecurity predictions in 2025, which often describe these tools as game-changers.

“AI-driven SOC co-pilots will make a significant impact in 2025, helping security teams prioritize threats and. Turn overwhelming amounts of data into actionable intelligence,” says Brian Linder, Cybersecurity Evangelist at Check Point. “It’s a game-changer for SOC efficiency.”.

AI-driven SOC co-pilots are generative AI tools that use machine learning to help security analysts run and. Manage the SOC. Common co-pilot tasks include detecting threats, managing incidents, triaging alerts, predicting new trends and patterns for attacks and breaches and automating responses to threats. Co-pilots may be proprietary tools built by the enterprise for their specific needs or commercially available cybersecurity co-pilots such as Microsoft Copilot.

For example, a co-pilot can review alerts and. Use AI to predict which are most likely to be a high priority. This reduces a common issue in SOCs: false positives. The analysts can then focus on the alerts that are most likely to be a real threat. Because they are not chasing down noncritical alerts, analysts have more time to spend on actual threats and. Are more likely to be successful in containing the threat.

Co-pilots can take many different forms in a SOC. Analysts can use the co-pilot similarly to how many people use ChatGPT, assigning it a specific task such as incident response. The analyst enters information about a specific incident, and the co-pilot analyzes data to suggest possible causes as well as how the organizations should respond to the incident. However, you can also use co-pilots to automate parts of the workflow without human intervention, such as monitoring current firewalls and. Detecting vulnerabilities.

Benefits of using AI-driven SOC co-pilots.

Businesses that turn to AI-driven co-pilots to help manage their SOC see a wide range of benefits. Common benefits include:

Improved productivity: Because it can process a much higher volume of data than even the most efficient cybersecurity analyst. A co-pilot gets significantly more work done in less time. With humans and machines working together, co-pilots are able to more effectively monitor the SOC with fewer human resources.

Because it can process a much higher volume of data than even the most efficient cybersecurity analyst. A co-pilot gets significantly more work done in less time. With humans and machines working together, co-pilots are able to more effectively monitor the SOC with fewer human resources. Additional time for cybersecurity professionals to complete high-level tasks: When co-pilots handle manual and repetitive tasks. Analysts have more time for higher-level tasks such as strategy and analytics. Analysts are more likely to be fully engaged when their day is filled with more interesting work, which reduces burnout.

When co-pilots handle manual and repetitive tasks. Analysts have more time for higher-level tasks such as strategy and analytics. Analysts are more likely to be fully engaged when their day is filled with more interesting work, which reduces burnout. Fewer errors: Humans make mistakes, especially with manual tasks such as reviewing logs. While AI tools are only as “smart” as the algorithm and the training data used for the algorithm. They are often able to spot patterns that may be undetectable to humans. This reduces errors and prevents issues that can lead to a breach or attack.

Humans make mistakes, especially with manual tasks such as reviewing logs. While AI tools are only as “smart” as the algorithm and the training data used for the algorithm. They are often able to spot patterns that may be undetectable to humans. This reduces errors and prevents issues that can lead to a breach or attack. Quicker response to threats: Whereas humans may not recognize an area of vulnerability or may be slower to respond, a co-pilot uses automation to respond and. Send a notification immediately. Co-pilots also don’t take bathroom or lunch breaks; they are always “at their desk,” leading to faster response times.

Whereas humans may not recognize an area of vulnerability or may be slower to respond, a co-pilot uses automation to respond and. Send a notification immediately. Co-pilots also don’t take bathroom or lunch breaks; they are always “at their desk,” leading to faster response times. Reduced impact of worker shortage and skills gaps: When cybersecurity positions are not filled or the analyst does not have the right skills for the job. The organization’s risk increases. AI-driven co-pilots can help reduce open positions by taking on various manual tasks, which means greater coverage by the SOC.

Will AI-driven SOC co-pilots replace humans?

Like many AI tools, co-pilots can take over many manual and. Repetitive tasks currently done by humans. However, the fear of AI replacing the need for humans in the SOC is not likely to become reality. Setting up co-pilots to operate without human oversight or intervention would likely be a mistake. But businesses that have analysts and co-pilots work together can see a reduction in risk, advanced responses and higher employee satisfaction.

While co-pilots can be the first line of defense in the SOC. Companies should set up gen AI tools so that humans remain the ultimate decision-makers. For example, an analyst may set up an automation with an AI-driven co-pilot to monitor and prioritize alerts based on set criteria. Yet, as threat actors begin using new tactics, the analyst may need to change the criteria to catch the latest threats. Once the co-pilot identifies a high-priority alert, the human can ask the tool to analyze the situation and provide recommended next steps. The analyst then uses human judgment to make the best decisions in the situation and instructs the tool to take the next action, such as shutting down systems or taking the network temporarily offline.

Putting AI-driven co-pilots into action in the SOC.

When it comes to putting co-pilots in action. Consider starting on a small scale with a limited use case. Many organizations use a commercial product to start, leaving open the option to create a proprietary tool in the future. Creating a list of time-consuming tasks in the SOC, especially those that are error-prone or frustrating for analysts. Will help you determine which use case to start with. After launching the tool, a single analyst can gather feedback and make changes.

Upon seeing success, your team can begin expanding the use of co-pilots to additional analysts and. Use cases. By taking a measured approach to using co-pilots and continuously soliciting feedback from the analysts, businesses can create a partnership between analysts and co-pilots that improves human job satisfaction while also keeping the organization more secure.

The rising influence of artificial intelligence (AI) has many organizations scrambling to address the new cybersecurity and data privacy concerns crea...

Cisco hat acht Sicherheitsmitteilungen veröffentlicht. In denen das Unternehmen Sicherheitslücken in mehreren Produkten behandelt. Mindestens eine Sch...

Microsoft has shared a workaround for customers affected by a known issue that blocks Windows security updates from deploying on some Windows 11 24H2 syst...

When ransomware kills: Attacks on healthcare facilities

As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.

Since 2015. There has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during the COVID-19 pandemic to avoid attacking healthcare providers has been abandoned. It’s clear that hospitals are now fair game.

Ransomware attacks on the healthcare sector cause real harm to patients, impacting survival rates and. Threatening other critical services. And ransomware targeting other critical infrastructure carries serious implications for public health and safety.

Hospitals depend heavily on digital systems for managing patient care. When a ransomware attack strikes, these systems go offline, with often tragic results. Research highlights the risks: There’s been a 300% increase in ransomware attacks on healthcare since 2015. This led to a spike in emergency cases, including strokes and cardiac arrests, at hospitals overwhelmed by patients diverted from facilities hit by cyberattacks.

A study by the University of California San Diego showed that ransomware attacks on hospitals cause a spillover effect. This means neighboring hospitals see a surge in patients, leading to cardiac arrest cases jumping 81%. Survival rates also dropped for those cardiac arrest cases.

One recent example is the ransomware attack on Synnovis. A pathology services provider to the NHS in London. The attack caused problems with blood tests and transfusions, delaying crucial cancer treatments and elective procedures across several hospitals. This disruption illustrates a common trend in healthcare-related ransomware incidents: Delayed testing and procedures can become life-threatening as time-sensitive treatments are postponed or missed altogether.

In another study of two urban emergency departments adjacent to a healthcare organization under attack, researchers noted significant increases in patient volume. Longer waiting times and increases in patient “left without being seen” rates. These delays, , underscore the need for a disaster response approach for such incidents.

In some cases. The tragic consequences of ransomware in healthcare have been documented in legal proceedings. In 2020, a woman sued an Alabama hospital, claiming that a ransomware attack had contributed to the death of her newborn daughter. The hospital’s computer systems were offline during delivery, preventing access to critical monitoring tools and allegedly leading to severe birth complications. While the case has been settled, it raises the question of whether similar events may have occurred without public awareness.

While the healthcare sector’s vulnerability to ransomware is uniquely tragic. Critical infrastructure sectors are also facing increased risks. When Colonial Pipeline, a major fuel distributor, was hit by ransomware in 2021, it led to fuel shortages across the Eastern Though no direct fatalities were reported, the panic that ensued may have resulted in at least one fatal car accident as people rushed to stockpile fuel.

In critical infrastructure sectors. The potential for loss of life or injury is significant. Attacks on power grids, water supplies and transportation systems could have severe consequences. Researchers warn that a ransomware attack on an energy grid, for example, could disrupt power to hospitals. Emergency services and vulnerable populations, putting lives at risk. If the healthcare industry can serve as a lesson, the fallout from critical infrastructure attacks is not a hypothetical but. A looming possibility.

How ransomware threats exploit vulnerabilities in healthcare.

Healthcare facilities are attractive targets for ransomware for several reasons. First, they hold a wealth of sensitive patient data, including medical histories, personal information and financial details. The cost of downtime in healthcare is especially high. When health centers are crippled by ransomware, people’s lives are at stake, making hospitals more likely to pay a ransom quickly. Healthcare ransomware incidents result in an average payment of $ million, .

Additionally, healthcare facilities often use complex and outdated infrastructure. Relying on an assortment of vendors and legacy systems that can be difficult to secure. A lack of centralized cybersecurity across networks further increases vulnerabilities, allowing ransomware groups to infiltrate systems and cause cascading disruptions.

Evidence of ransomware’s lethal potential.

Although establishing a direct causal link between ransomware attacks and. Fatalities can be complicated, recent data provides compelling insights. One analysis estimates that from 2016 to 2021, between 42 and 67 Medicare patients died as a result of ransomware attacks. And this doesn’t include private insurer data. Research also highlights the broader health impacts, including reduced care quality and delayed treatments. During cyber incidents, hospitals often resort to manual processes that lack the safety checks and efficiency of electronic health records. Increasing the risk of error and missed diagnoses.

The problem isn’t limited to fatalities. Ransomware-induced delays can exacerbate health issues, resulting in long-term complications and higher healthcare costs. A delayed diagnosis can mean the difference between life and death for conditions like heart disease, stroke and sepsis. Ransomware attacks may, therefore, lead to excess deaths, even if the connection is indirect.

The need for resilience against ransomware attacks.

To mitigate the impact of ransomware on patient care, some hospitals have begun implementing ransomware response protocols. Such as Children’s National Hospital’s “Code Dark” procedures. These response protocols are designed to maintain continuity of care when systems are down, including clear instructions for manual record-keeping, communication protocols and patient triage. Yet, these steps can only go so far. True resilience requires proactive measures like employee training, layered security controls and frequent system backups to minimize disruption.

As ransomware attacks grow more sophisticated. Many in the cybersecurity industry argue for policy changes to address the threat. One critical need is advanced data sharing among healthcare facilities, cybersecurity experts and government agencies to track trends and respond quickly. Governments also need to classify healthcare cybersecurity as a matter of national security, allocating resources and support to help facilities improve resilience against ransomware and. Other cyber threats.

Addressing the growing ransomware threat.

The threats to the healthcare sector provide a stark reminder of the broader risks ransomware poses to society. While healthcare providers are uniquely vulnerable, other critical infrastructure sectors are increasingly at risk. As demonstrated by the Colonial Pipeline incident, the ripple effects of ransomware can be felt across entire regions, affecting services as fundamental as fuel, water and. Transportation.

For cybersecurity professionals, the rise in ransomware attacks on critical services calls for a proactive approach to defense. This includes advocating for stronger industry standards, encouraging the use of robust cybersecurity tools and supporting cross-sector collaboration to prepare for and respond to attacks. The goal is clear: To minimize the risk that ransomware indicates lives, either directly or through delayed access to essential services.

Jonathan Reed Freelance Technology Writer.

Der Passwort-Manager Bitwarden soll besser geschützte Zugänge erhalten. Nutzerinnen und Nutzer, die bislang keine Zwei-Faktor-Authentifizierung aktivi...

A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues. The foremost being that it sends sensitive ...

Im vergangenen Jahr sind die Lösegeldzahlungen nach Angriffen mit Ransomware wieder deutlich zurückgegangen. Das hat Chainalysis ermittelt und sieht M...

Malicious ML Models on Hugging Face Leverage Broken Pickle Format to Evade Detection

Cybersecurity researchers have uncovered two malicious machine learning (ML) models on Hugging Face that leveraged an unusual technique of "broken" pickle files to evade detection.

"The pickle files extracted from the mentioned PyTorch archives revealed the malicious Python content at the beginning of the file," ReversingLabs researcher Karlo Zanki presented in a research shared with The Hacker News. "In both cases, the malicious payload was a typical platform-aware reverse shell that connects to a hard-coded IP address."

The approach has been dubbed nullifAI. As it involves clearcut attempts to sidestep existing safeguards put in place to identify malicious models. The Hugging Face repositories have been listed below -.

who-r-u0000/0000000000000000000000000000000000000.

It's believed that the models are more of a proof-of-concept (PoC) than an active supply chain attack scenario.

The pickle serialization format, used common for distributing ML models, has been repeatedly found to be a security risk, as it offers ways to execute arbitrary code as soon as they are loaded and. Deserialized.

The two models detected by the cybersecurity enterprise are stored in the PyTorch format, which is nothing but a compressed pickle file. While PyTorch uses the ZIP format for compression by default, the identified models have been found to be compressed using the 7z format.

Consequently, this behavior made it possible for the models to fly under the radar and avoid getting flagged as malicious by Picklescan, a tool used by Hugging Face to detect suspicious Pickle files.

"An interesting thing about this Pickle file is that the object serialization — the purpose of the Pickle file — breaks shortly after the malicious payload is executed, resulting in the failure of the object's decompilation," Zanki expressed.

Further analysis has revealed that such broken pickle files can still be partially deserialized owing to the discrepancy between Picklescan and. How deserialization works, causing the malicious code to be executed despite the tool throwing an error message. The open-source utility has since been updated to rectify this bug.

"The explanation for this behavior is that the object deserialization is performed on Pickle files sequentially," Zanki noted.

"Pickle opcodes are executed as they are encountered, and. Until all opcodes are executed or a broken instruction is encountered. In the case of the discovered model, since the malicious payload is inserted at the beginning of the Pickle stream, execution of the model wouldn't be detected as unsafe by Hugging Face's existing security scanning tools."

With cloud infrastructure and, more in recent times, artificial intelligence (AI) systems becoming prime targets for attackers. Security leaders are laser-fo...

Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was...

Europol hat Finanzinstitute und politische Entscheidungsträger weltweit aufgefordert, dem Übergang zur quantensicheren Verschlüsselung Priorität einzu...