Intercast December 2025 – Shadow AI

Welcome to the December 2024 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to get you up to speed.

In This Issue:

  • Client Insight: Shadow AI
  • Windows 10 Update Fee A Dream For Malware Creators?
  • Password Rules Change: Length Over Complexity
  • Bill Gates On Digital Public Infrastructure
  • SVG An Increasingly Common Phishing Tool
  • Ransomware Attackers Exploit Cloud Technology
  • Best of the Rest

Client Insight

Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month we’ve been talking a lot about “Shadow AI” – a problem many companies have experienced, even if they don’t recognize the term.

Shadow AI refers to staff using AI tools and applications without the explicit knowledge of the IT staff. It’s a natural enough pattern with staff thinking the tools will help them do their job better, either to be more productive for the sake of it, or to meet targets and compete with colleagues.

The problem is that many of these tools, often cloud-based, present security risks. They might leak information in themselves, or conflict with the software and configuration that IT departments have carefully sourced and set up. This could lead to actual data breaches or simply compromise compliance with data protection regulations. It also brings non-security risks such as degraded performance and wasted resources.

The simple answer is for IT staff to issue clear guidance about the use of AI tools, and for senior management to support this guidance.


Windows 10 Update Fee A Dream For Malware Creators?

Microsoft has confirmed it will offer paid security updates to home users of Windows 10 after the system’s “end of life” next year. It’s the first time non-enterprise users have had such an option. For now it’s billed as a one-year-only offer for $30, roughly half the price of the enterprise updates.

It very much has the feel of a compromise measure designed to avoid the same vicious circle that struck Vista. Microsoft is likely wary about pulling the plug completely while the system still has a large user base, but users don’t feel the need to upgrade while their old system is still secure. Of course, it’s not helped by the upgrade being difficult or impossible for many users thanks to some seemingly arbitrary hardware requirements.

The big risk is that we get the worst of both worlds where Microsoft thinks it’s done enough by offering the paid support, leaving potentially tens of millions of computers unprotected. That’s got the makings of a seriously attractive target for malware creators.


Password Rules Change: Length Over Complexity

The official US government advice for passwords has changed: longer passwords are in and mandatory monthly resets are out. The advice comes from the National Institute of Standards & Technology, which advises government agencies and businesses.

Previously NIST recommended a mixture of upper and lower case letters, numbers and special characters. It also suggested employers force users to change passwords regularly. It now says both suggestions backfired: people either chose weaker passwords to make them easier to remember, or wrote them down for convenience.

The new advice is to only insist on a password change after a known compromise, with mandatory changes no more frequent than once a year. The agency also suggests a minimum length of 15 characters and, where possible, a maximum as high as 64 characters.
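An added example (not from the newsletter or from NIST) of what the change looks like in an account-provisioning check: the legacy composition rule beside a length-based rule using the 15/64 figures quoted above, plus the rotation policy. The breach list is a constructed stand-in for a real compromised-password feed.

```python
import re
import unicodedata
from typing import Tuple

# Constructed sample of a compromised-password blocklist (lower-cased entries).
BREACHED = {"password123!", "correct horse battery staple", "winter2024!"}

def legacy_ok(pw: str) -> bool:
    """The old composition rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def check_password(pw: str, min_len: int = 15, max_len: int = 64) -> Tuple[bool, str]:
    """Length-based rule: count characters (not bytes), allow any printable
    character including spaces, impose no composition rule, and reject
    anything on the breach list. Returns (accepted, reason)."""
    pw = unicodedata.normalize("NFKC", pw)   # stable length for non-ASCII input
    n = len(pw)                               # code points, not UTF-8 bytes
    if n < min_len:
        return False, f"too short ({n} < {min_len})"
    if n > max_len:
        return False, f"too long ({n} > {max_len})"
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    if pw.lower() in BREACHED:
        return False, "found in compromised-password list"
    return True, "ok"

def reset_required(days_since_change: int, compromised: bool) -> bool:
    """Rotation policy from the article: change after a known compromise,
    otherwise no forced reset more often than once a year."""
    return compromised or days_since_change >= 365
```

Note that the passphrase passes the new check while failing the old one, and the short symbol-laden password does the reverse.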


Bill Gates On Digital Public Infrastructure

While we all get caught up in the minutiae of day-to-day developments, it’s easy to lose sight of the big picture. Bill Gates, who can certainly afford to take the long view, wrote a compelling post on the reality of digital public infrastructure: using technology for the way people, businesses and governments exchange ideas and money.

He gives real-world examples of how it’s done well and where it’s not up to scratch. He notes the effects on society, culture and economies can be just as important as successes and failures with physical infrastructure.

The post has some great insights into how such systems can actually boost personal privacy rather than aid state surveillance, and it’s an excellent reminder of the role our industry plays in protecting such an important part of people’s lives.


SVG An Increasingly Common Phishing Tool

Researchers at Malware Hunter Team have spotted an increase in attackers using SVG files in phishing emails. The scammers have taken a legitimately useful format and adapted its characteristics to their own nefarious needs.

At the simplest level, SVG’s combination of image display, HTML and JavaScript makes it an ideal way to create images that redirect users to a phishing site. However, the scammers have also taken advantage by creating and displaying bogus forms in the email itself, making it much easier to capture data.

The researchers note the other big benefit for the scammers is that too many security tools can’t yet spot anything amiss with an SVG file, so for now it may be down to recipients to exercise caution (and businesses to educate staff about the risks).
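An added example (not from the newsletter or the researchers) of the kind of check a mail gateway can run on an SVG attachment: it flags the active-content features the article describes (script, event handlers, embedded HTML forms, links that leave the image). Both sample files are constructed for this illustration; the hostname is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed samples: a plain icon and one carrying the features described above.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SUSPECT_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://login.example.invalid/"><rect width="100" height="30"/></a>
  <foreignObject width="300" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml"><input type="password"/></form>
  </foreignObject>
  <script>/* constructed sample */</script>
</svg>'''

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> List[str]:
    """Return the reasons an SVG should be quarantined (empty list = nothing found)."""
    findings = []
    try:
        root = ET.fromstring(data)  # for untrusted mail, defusedxml is the safer parser
    except ET.ParseError as e:
        return [f"unparseable SVG: {e}"]
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue
        name = _local(el.tag)
        if name == "script":
            findings.append("<script> element")
        elif name == "foreignobject":
            findings.append("<foreignObject> (embedded HTML)")
        elif name in ("form", "input", "iframe", "embed", "object"):
            findings.append(f"HTML <{name}> element")
        for attr, value in el.attrib.items():
            a, v = _local(attr), value.strip().lower()
            if a.startswith("on"):
                findings.append(f"event handler {a}= on <{name}>")
            elif a == "href" and name in ("a", "image", "use") and v.startswith(("http", "//")):
                findings.append(f"external reference {value}")
            elif v.startswith(("javascript:", "data:text/html")):
                findings.append(f"{a}= with {v.split(':', 1)[0]}: URL on <{name}>")
    return findings
```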


Ransomware Attackers Exploit Cloud Technology

Ransomware distributors are finding cloud services just as useful as everyone else, according to Sentinel Labs. It says attackers are not only targeting data stored in the cloud, but are even using cloud-based tools to extract data.

The attackers are developing specific techniques that take advantage of particular services. One involves AWS, which has a mandatory seven-day delay between a user requesting that their encryption key be deleted and the deletion taking effect. That’s an ideal setup for attackers who breach an account, issue the request, then turn the seven-day delay into a pressurized deadline for victims to pay up or permanently lose access to their data.
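An added example (not from the newsletter or Sentinel Labs) of how a defender turns the seven-day window into a detection rather than a deadline: it scans CloudTrail records for ScheduleKeyDeletion calls, reports how much of the grace period remains, and names the cancelling call a responder would run. The records are constructed; key ids and the account number are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed CloudTrail-style records, trimmed to the fields used here.
RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-11-20T03:14:09Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": {"keyId": "KEY-ID-PLACEHOLDER-1", "pendingWindowInDays": 7}},
    {"eventTime": "2024-11-20T03:15:41Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DescribeKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": {"keyId": "KEY-ID-PLACEHOLDER-1"}},
    {"eventTime": "2024-11-20T09:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": {"keyId": "KEY-ID-PLACEHOLDER-2", "pendingWindowInDays": 7}},
]})

def pending_deletions(trail_json: str, now: datetime) -> List[dict]:
    """One alert per ScheduleKeyDeletion event, with the time left before
    the key is gone for good and the call that reverses the request."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "ScheduleKeyDeletion":
            continue
        t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        params = rec["requestParameters"]
        # AWS allows 7 to 30 days; 7 (the article's figure) is the minimum, 30 the default.
        window = int(params.get("pendingWindowInDays", 30))
        hours_left = (t + timedelta(days=window) - now).total_seconds() / 3600
        alerts.append({
            "key": params["keyId"],
            "by": rec["userIdentity"].get("userName", rec["userIdentity"]["type"]),
            "from_ip": rec.get("sourceIPAddress"),
            "window_days": window,
            "hours_left": round(hours_left, 1),
            "remediation": "aws kms cancel-key-deletion --key-id " + params["keyId"],
        })
    return alerts

def burst(alerts: List[dict], min_keys: int = 2) -> bool:
    """True when one principal schedules several keys for deletion: a bulk
    pattern that looks more like extortion than housekeeping."""
    counts = {}
    for a in alerts:
        counts[a["by"]] = counts.get(a["by"], 0) + 1
    return any(n >= min_keys for n in counts.values())
```

Because the request is still reversible for the whole window, an alert within minutes of the first event leaves days, not hours, to cancel it.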

Attackers are also using services such as Azure Storage Explorer to extract data from compromised storage, finding it more efficient than dedicated offline tools. That enables “double-dipping” ransomware attacks that not only hold the data hostage but threaten to expose sensitive material.


Best of the Rest

Here’s our round up of what else you need to know: