The big cyber story this month is the unveiling of Claude Mythos Preview by Anthropic. The new AI model is apparently powerful enough to detect thousands of security flaws (some decades old) in virtually every operating system and web browser without any human involvement. Anthropic attempted (unsuccessfully: see below) to limit access to the model to a handful of large banks and tech companies, so they could test their systems’ defences internally.
We’ll have to wait and see if it was all just clever marketing or a genuine reason to worry about cyber defences. What is has done is highlight the importance of keeping legacy technology patched and secured. This month, we have tips for doing just that.
We also look at why the government wants every British individual and business to stop using passwords and embrace the more secure passkey. There’s also advice on how organisations can stay protected from Chinese state espionage.
Mythos is an epic AI cyber security risk, say experts
The rise of malicious AI and its potential to undermine cyber security has been a major cause for concern since the launch of ChatGPT in 2022.
We’ve already seen how advanced AI phishing scams have made it easy for non-technical cyber criminals to send out tailored, plausible phishing emails with very little human guidance.
But this month, the fear factor was dialled up to eleven when the biggest names in banking, tech and cyber security raised an alarm over the latest AI on the block – Claude Mythos Preview.
Mythos is the new AI model released by Claude-makers Anthropic. It can detect previously unknown vulnerabilities without any human intervention. According to a statement from Anthropic earlier this month, it “...has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser”. Some of these flaws are believed to be decades old and have gone undetected by humans and automated security tests. Now Mythos is believed to have found highly sophisticated ways to exploit these vulnerabilities.
Anthropic said it was worried enough about the capabilities of its latest creation to limit its access to a handful of banks and financial institutions. In a preview called Project Glasswing, about 40 different companies, including the likes of Apple, JPMorganChase and Microsoft, have all been granted access to Mythos. The companies plan to test the model for themselves to see how their cyber defences fare against it.
However, soon after the Project Glasswing announcement came the news that a small group of unauthorised users had gained access to the model via a supply chain breach. Anthropic is currently investigating the incident.
The Canadian finance minister, the head of the Bank of England and the UK’s AI Minister have all expressed concern about Mythos’ potential for misuse.
Jake Ives, our Head of Security, says now is the right time for organisations to revisit their security posture.
“If Claude Mythos does live up to the hype, it could lower the barrier for less skilled hackers to go after organisations. My top tips right now are:
- Protect the intellectual property of your code just as you would all your external systems. If proprietary code ends up somewhere public, it becomes easier for an AI model to pick it apart and potentially surface flaws and equip threat actors with what they need to successfully attack an organisation.
- Stay on top of your patching routine if you’re using open-source software in your business. While popular open-source projects are already heavily scrutinised by researchers, AI can speed up how quickly known vulnerabilities are exploited, and how easily infrequently reviewed code (like obscure plugins) can be analysed. For example, those running WordPress should consider enabling automatic updates for core files, plugins and themes to keep on top of fixes as they’re released.
- Don’t assume that because you’re a smaller outfit you won’t be a target. Dealing with big companies alone is enough to make you look interesting to a threat actor, especially if they can exploit your public-facing systems with minimal effort rather than spending weeks of their time on a harder target.”
The dangers of legacy technology: cyber risks, insurance invalidation and compliance failures
The emergence of Mythos AI and its ability to spot and exploit decades-old security flaws in systems has reignited the debate about the dangers of legacy technology.
Old, unpatched systems and end-of-life products are active targets for hackers. But how many businesses know about these vulnerabilities and are doing anything about them?
A quick look at UK businesses’ reliance on outdated technology paints a sobering picture. Over 90% of financial services firms rely on legacy technology in some form to deliver their services, according to research by the Financial Conduct Authority. 74% of manufacturing and engineering firms still depend on old systems or spreadsheets for day-to-day work. In the public sector, 28% of central government IT systems are now classified as legacy technology – up from 26% in 2023.
Relying on outdated technology for core business functions can expose organisations to a variety of cyber threats, primarily because of a lack of security updates, vendor support and bug fixes. A case in point: four recent Microsoft vulnerabilities believed to have been exploited in the wild are several years old and relate to older versions of Microsoft Office (some dating back to the early 2000s), Windows Server and Windows 10, to name a few.
Apart from obvious cyber risks, these unsupported software programs can also breach regulatory standards and compliance requirements (particularly in highly regulated industries) and even invalidate cyber insurance policies.
The Cyber Resilience Centre for the East has the following advice for organisations that still rely on old systems and technology:
- Monitor all legacy technology for active exploitation.
- Audit details of software versions and ensure regular patching of flaws.
- Map all outdated tech on risk registers for clear visibility.
‘Goodbye passwords, hello passkeys’ says UK government
The durability of the humble password has been a matter of debate for years.
Recent hacker strategies such as adversary-in-the-middle and MFA fatigue have shown how even strong passwords are not invulnerable. Now the UK’s technical authority, the NCSC, has officially endorsed a newer form of identity verification – passkeys. According to the latest advice, the NCSC wants us to start using passkeys across all our digital services, because they are more secure and user-friendly.
Passkeys are an alternative way of logging into online accounts. They require the use of biometrics or PINs to approve the login request on your device. They use a security method called public key cryptography, where a private key is securely stored on your device and a public key on a server. Data that’s encrypted this way is more protected because it requires unlocking with both a public key as well as the corresponding private key found only on your device.
Passkeys are considered to be phishing-resistant because they are generated for specific websites or apps and therefore can’t be accidentally used on a fake site. They are also a lot harder to crack as they contain long, unique cryptographic strings rather than memorable characters. It’s also eight times faster to login with a passkey than typing a password and waiting for a 2FA code.
For the layperson, the best thing about passkeys will surely be that you no longer need to remember a password!
Major online service providers Google, eBay and Microsoft support the use of passkeys. It appears that UK consumers are already ahead of the curve, with data from Google showing over 50% of the service provider’s users having a registered passkey.
While we welcome the move towards more secure identity authentication, we anticipate there will be a transition period where users rely on both methods.
Says Jake,
“When it comes to passkeys, execution really matters. The last thing you want is users saving passkeys into password managers that are protected with a weak password or not properly secured.
I’m a massive advocate for FIDO2 hardware like YubiKeys. I have several and they’re brilliant. The only catch is that if you lose one, you’re stuck, so you’ll probably want two or three and to keep them secured across multiple safe locations.
We’re preparing our customers for passkeys by rolling out enterprise password managers first. Implementing a good, secure password manager is a great place to start, alongside educating users on why protecting their accounts matters so much.”
Chinese state hackers target western home office routers and smart devices
Western businesses have been warned of the rising threat of Chinese hacks and cyber espionage using compromised large-scale infrastructure networks. These hacked networks are largely believed to be made up of Small Office Home Office (SOHO) routers and smart devices.
The UK government along with western allies has issued a joint warning about how the Chinese state is moving away from targeting individual infrastructure to using externally provisioned, large networks of hacked devices. In the past, Chinese-state sponsored attackers Volt Typhoon have used this method to target critical national infrastructure. A further hacker group Flax Typhoon used another covert network for cyber espionage.
The NCSC has advised all organisations to take the following steps to protect against this new tactic.
- Audit all your network edge devices such as routers, switches, firewalls and IoT machines to understand key assets and what they are connected to.
- Review existing connections, especially to VPNs, and investigate connections from consumer broadband networks.
- Ensure your threat feeds include covert network infrastructure.
- Mandate MFA for remote connections.
Look at the full guidance for more specific information for organisations of different sizes.
Other vulnerabilities and updates
Windows Defender “RedSun” Zero-Day Vulnerability