ESKA Security

Cybersecurity Services for SMB to Enterprise Level Companies

06/04/2026

Meta recently introduced an AI-powered support assistant designed to help users recover accounts, update contact information, and resolve common Instagram and Facebook support issues.

Researchers discovered that attackers could manipulate the AI assistant into making account changes without properly verifying the identity of the legitimate account owner.

In simple terms, the bot could be tricked into replacing the victim's recovery email with an attacker-controlled address, allowing the attacker to reset the password and take over the account.

The key point is that hackers did not compromise Instagram's infrastructure or exploit a traditional software vulnerability. Instead, they persuaded the AI agent to perform the actions for them.

This incident may become one of the first high-profile examples of what security professionals call an Agentic AI Security Failure.

The issue was not the AI model itself. The problem was that the AI agent was granted authority to perform high-risk operations, including:

• Changing account contact details
• Recovering user accounts
• Resetting passwords

In practice, the AI was given Tier 1/Tier 2 support privileges without sufficient security controls and verification mechanisms.

As organizations increasingly deploy AI agents within Service Desk, Help Desk, and Identity & Access Management (IAM) processes, this case serves as an important reminder: AI agents must be treated as privileged users and governed accordingly.

The lesson for cybersecurity is clear: the risk is no longer limited to vulnerabilities in code. It also extends to the business processes and permissions we delegate to autonomous AI systems.
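The control that was missing in the incident above is an authorization gate that sits between the assistant and the actions it can take. The following added example (written for this page; it is not Meta's code and not ESKA Security's) shows such a gate in Python: every tool call the agent proposes is classified by risk tier, high-risk actions execute only when the session carries an identity proof established outside the model, and each decision is audited. The tool names, the tiers, and the sample session are assumptions.

```python
"""Policy gate between an AI support assistant and account-management tools.
Added example, not the code of any platform mentioned on this page; tool
catalogue, tiers and sample session are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Tier(Enum):
    LOW = "low"    # informational, no state change
    HIGH = "high"  # changes recovery/identity state: the Tier 1/Tier 2 support powers


# Assumed tool catalogue exposed to the agent
TOOL_TIERS = {
    "get_account_status": Tier.LOW,
    "send_help_article": Tier.LOW,
    "update_recovery_email": Tier.HIGH,
    "reset_password": Tier.HIGH,
    "recover_account": Tier.HIGH,
}


@dataclass
class Session:
    account_id: str                    # account the support chat is bound to
    verified_identity: bool = False    # set only by the verification service, never by the model
    verified_for: Optional[str] = None  # which account the proof covers


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def authorize(session: Session, tool: str, args: dict, log: AuditLog) -> Decision:
    """Decide whether the agent's proposed tool call may execute, and record the decision."""
    tier = TOOL_TIERS.get(tool)
    if tier is None:
        decision = Decision(False, "unknown tool: default deny")
    elif tier is Tier.LOW:
        decision = Decision(True, "low-risk tool")
    else:
        target = args.get("account_id")
        # Anything the model asserts about verification (e.g. args["user_verified"])
        # is untrusted model output and is deliberately ignored here.
        if target != session.account_id:
            decision = Decision(False, "high-risk tool targets another account")
        elif not (session.verified_identity and session.verified_for == target):
            decision = Decision(False, "high-risk tool needs out-of-band identity proof")
        else:
            decision = Decision(True, "high-risk tool, identity verified")
    log.entries.append({"tool": tool, "target": args.get("account_id"),
                        "allowed": decision.allowed, "reason": decision.reason})
    return decision


def simulate() -> dict:
    """Replay the failure mode described in the post against the gate (constructed scenario)."""
    log = AuditLog()
    chat = Session(account_id="victim-123")
    # 1. The model, talked into it, proposes replacing the recovery email and
    #    even claims in its own arguments that the user is verified.
    hijack = authorize(chat, "update_recovery_email",
                       {"account_id": "victim-123", "email": "attacker@example.net",
                        "user_verified": True}, log)
    # 2. Low-risk help still works without any verification.
    help_ok = authorize(chat, "send_help_article", {"topic": "login"}, log)
    # 3. Once the verification service confirms the owner out-of-band, the change is allowed.
    chat.verified_identity, chat.verified_for = True, "victim-123"
    legit = authorize(chat, "update_recovery_email",
                      {"account_id": "victim-123", "email": "owner-new@example.com"}, log)
    return {"hijack_allowed": hijack.allowed, "help_allowed": help_ok.allowed,
            "legit_allowed": legit.allowed, "audit_entries": len(log.entries)}


if __name__ == "__main__":
    print(simulate())
```

The design point is that the verification flag lives in the session object owned by the platform, not in the model's arguments, so no amount of persuasion in the chat can flip it; the agent keeps its low-risk helpfulness while the high-risk Tier 1/Tier 2 powers stay behind the same proof a human agent would require.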

06/02/2026

A recent Booking security incident serves as another reminder that even the world's largest platforms can become part of a cyberattack chain.

Booking recently confirmed an incident involving unauthorized access to booking-related data. Following the incident, researchers reported numerous cases of so-called "reservation hijacking" attacks.

Here's how the scheme worked:
1. A customer makes a legitimate hotel reservation through Booking.
2. Attackers gain access to booking information or compromise hotel accounts.
3. The guest then receives a message that appears completely legitimate: "To confirm your reservation, please update your payment details." or "Your booking requires payment verification."

The message contains real information:
• Guest name
• Hotel name
• Check-in dates
• Reservation details

From the customer's perspective, everything looks authentic.
And that's exactly why these attacks are so effective.

The problem is that attackers are using legitimate data to build trust.

This incident highlights an important trend in modern cybercrime:
Attackers are no longer relying solely on mass phishing campaigns. Instead, they leverage data breaches, compromised partners, and supply-chain weaknesses to make their attacks highly convincing.

For businesses, the lesson is clear:
Your cybersecurity posture depends not only on your own infrastructure but also on the security of your vendors, partners, and SaaS providers.

Ask yourself:
🔸 Do you assess third-party security risks?
🔸 Do you evaluate vendors before integrating their services?
🔸 Are employees trained to recognize highly targeted social engineering attacks?
🔸 Do you have a response plan if a critical supplier is compromised?

05/29/2026

Before attacking a company, threat actors conduct research and gather information from open sources.

A few Google searches are often enough to find:
• exposed services and admin panels
• old or forgotten subdomains
• leaked credentials
• the company’s technology stack
• employee email addresses
• information about internal infrastructure

Shodan helps attackers identify publicly exposed servers, VPNs, RDP services, open ports, and internet-facing systems the company may have forgotten about.

LinkedIn reveals team structure, employee roles, technologies in use, and people with privileged access, making it a valuable source for targeted phishing attacks.

GitHub repositories sometimes expose API keys, internal configurations, secrets, or code that helps attackers understand the architecture and identify potential entry points.

This is why external pentesting should always start with open-source reconnaissance, because real attackers almost always start there too.

More details in the article 👇
https://www.eskasecurity.com/post/what-attackers-see-when-they-google-your-company

05/28/2026

A “Clean Vulnerability Scan Report” does not mean your company is secure.
A vulnerability scanner is designed to identify known vulnerabilities, misconfigurations, exposed services, and unpatched software based on a database of known signatures. It is useful for continuous monitoring, patch management, and identifying common weaknesses across infrastructure.

But scanners cannot detect:
🔸 business logic flaws
🔸 complex multi-step attack paths
🔸 authentication and session weaknesses
🔸 password reuse across systems
🔸 human factors and social engineering risks

They only find what they have been taught to recognize.

That is why a clean scan report is not proof of security. It only confirms that, at the time of the scan, the tool did not find matches against known vulnerability signatures.

To understand whether an environment can actually be compromised, organizations still need penetration testing, where a human tester thinks like an attacker, chains weaknesses together, and identifies risks that automated tools cannot see.

Vulnerability scanning and penetration testing are complementary, not interchangeable. And that is exactly why regular pentests still matter, even when the scan report looks “clean.”

Read more in our Blog https://www.eskasecurity.com/post/a-clean-vulnerability-scan-report-does-not-mean-you-are-secure

05/14/2026

Phishing is often seen as the main entry point for cyberattacks. In reality, it is only one part of a much broader threat landscape. A growing number of real incidents start somewhere else entirely: through unpatched vulnerabilities or overtrusted third party access.

What this means in practice:
🔸 Old vulnerabilities remain one of the most reliable ways to gain initial access when they are not patched in time
🔸 Attackers often rely on known technical weaknesses rather than social engineering as the first step
🔸 Third party access is frequently less controlled than internal systems, which creates blind spots
🔸 Compromise of a supplier or partner can directly impact multiple organizations in the same chain
🔸 The most effective attacks often combine multiple vectors, such as vulnerability exploitation and stolen credentials, followed by lateral movement inside the environment

The key takeaway is simple. Modern attacks are rarely based on a single method. They exploit whatever is least controlled, especially technical debt and external trust relationships.

This is why security focus is shifting from defending only against phishing to continuous risk management, including patch management, access control, and third party risk oversight.

In the article we explore:
• how outdated vulnerabilities become real entry points
• why third party access is often underestimated
• how these two factors are combined in real attack scenarios

Read more: https://www.eskasecurity.com/post/why-old-vulnerabilities-and-third-party-access-are-as-dangerous-as-phishing

05/13/2026

Getting ISO 27001 certified is a major milestone and a demanding one. It requires significant effort from the team and a mature approach to information security management.

But the work doesn’t end there.

After certification comes a new phase - maintaining and evolving the Information Security Management System (ISMS) in a real operational environment. The first 12 months are especially important: this is the period when the system either becomes embedded in everyday business processes or gradually turns into a “set of documents for audit purposes.”

What typically changes during this phase?

🔸 Security policies stop reflecting real operational processes
🔸 Risk registers are not updated for months
🔸 Evidence of control execution is collected only “before the audit”
🔸 Access reviews, vendor reviews, and internal checks become formalities
🔸 ISMS ownership becomes unclear across teams
🔸 Management reviews exist only as a checkbox exercise

At this stage, companies often struggle with surveillance audits or receive significant nonconformities.

In the article, we explore:
• what happens to ISMS after certification
• why most challenges appear within the first year
• which processes tend to degrade after the audit
• how to prepare for surveillance audits without last-minute evidence gathering

Read more: https://www.eskasecurity.com/post/iso-27001-passed-now-what-the-12-months-after-certification-that-most-companies-get-wrong

05/08/2026

A penetration test alone doesn’t make a company more secure.
The real value starts after the test — when findings turn into actions, priorities, and measurable security improvements.

Many organizations receive a 100-page pentest report and… archive it. But the real issue is not the number of vulnerabilities. It’s whether the business understands:
🔸 which risks are truly critical;
🔸 how real attack paths could be exploited;
🔸 what needs to be fixed first;
🔸 and whether remediation actually improved security.

A good penetration test is not just a list of CVEs — it’s a roadmap for reducing risk.
And a good pentest report is one that both security teams and management can understand and act on.

In our latest article, we explain:
— what should happen after a pentest;
— why many reports fail to deliver real value;
— how to turn testing results into actual security improvements.

Read more: https://www.eskasecurity.com/post/what-happens-after-a-penetration-test-from-report-to-real-security

05/01/2026

Most companies assume their SaaS apps are secure by default.
They’re not.

The infrastructure may be protected, but everything else is on you:
who has access, what permissions they hold, what apps are connected, and how your data is shared.

That’s exactly where attackers look.
Here’s what we see most often in SaaS environments:

🔸 Overprivileged accounts that were never reviewed
🔸 Inactive users with active access
🔸 Dozens of unused OAuth integrations with persistent permissions
🔸 MFA disabled “temporarily” — and never turned back on
🔸 Files shared externally with no expiration or control

The risk isn’t theoretical.
A single compromised Microsoft 365 or Google Workspace account can expose:
emails, documents, internal chats, integrations, essentially your entire business context.

And attackers don’t need sophisticated exploits.
They use:
🔸 misconfigurations
🔸 weak access controls
🔸 normal platform features that look like legitimate activity

That’s why SaaS breaches are so hard to detect and often go unnoticed for weeks.

If you want a quick reality check, start here:
🔸 Review all connected OAuth apps - remove inactive ones
🔸 Audit external file sharing (especially “anyone with the link”)
🔸 Check which accounts don’t have MFA enforced

To understand your actual exposure, you need a structured SaaS security review covering access, permissions, integrations, and configuration, not just infrastructure.

We broke this down in detail in the article https://www.eskasecurity.com/post/why-hackers-love-your-saas-apps-the-security-blind-spots-most-companies-miss
(what attackers actually do, where the biggest blind spots are, and how to fix them)
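The three-point reality check above can be run as a repeatable review rather than a one-off manual look. The following added example (written for this page, not ESKA Security's tooling and not tied to any specific SaaS platform's API) applies the review logic to a constructed tenant export in Python: accounts without MFA, inactive users who still hold access, stale OAuth grants that keep write permissions, and external "anyone with the link" shares are turned into prioritized findings. The export format, the 90-day staleness threshold, the reference date and all records are assumptions.

```python
"""SaaS access review over a constructed tenant export.
Added example; the export layout and every record below are made up for
illustration, and the thresholds are assumptions a reviewer would tune."""
from datetime import date

TODAY = date(2026, 5, 1)  # constructed reference date for the review

# Constructed inventory, shaped like a simplified directory/app/sharing export
USERS = [
    {"email": "alice@example.com", "mfa": True,  "last_login": "2026-04-28", "active": True, "roles": ["user"]},
    {"email": "bob@example.com",   "mfa": False, "last_login": "2026-04-30", "active": True, "roles": ["admin"]},
    {"email": "carol@example.com", "mfa": True,  "last_login": "2025-11-02", "active": True, "roles": ["user"]},
]
OAUTH_APPS = [
    {"name": "calendar-sync",      "scopes": ["calendar.read"],                      "last_used": "2026-04-29"},
    {"name": "old-crm-connector",  "scopes": ["mail.readwrite", "files.readwrite"],  "last_used": "2025-09-15"},
]
SHARES = [
    {"file": "Q1-board-deck.pptx", "link": "anyone", "expires": None},
    {"file": "onboarding.pdf",     "link": "org",    "expires": None},
    {"file": "contract.docx",      "link": "anyone", "expires": "2026-05-10"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def days_since(iso_date: str, today: date) -> int:
    return (today - date.fromisoformat(iso_date)).days


def review(users, apps, shares, today=TODAY, stale_days=90):
    """Return findings sorted by severity; each carries the concrete remediation."""
    findings = []
    for u in users:
        if not u["active"]:
            continue
        if not u["mfa"]:
            # An admin without MFA is the single most valuable target in the tenant
            sev = "critical" if "admin" in u["roles"] else "high"
            findings.append({"kind": "mfa_not_enforced", "subject": u["email"], "severity": sev,
                             "action": "enforce MFA before the next sign-in"})
        if days_since(u["last_login"], today) > stale_days:
            findings.append({"kind": "inactive_user_with_access", "subject": u["email"],
                             "severity": "medium", "action": "disable or remove the account"})
    for a in apps:
        if days_since(a["last_used"], today) > stale_days:
            # Unused grants that can still write mail or files are persistent footholds
            has_write = any(s.endswith("write") for s in a["scopes"])
            findings.append({"kind": "stale_oauth_grant", "subject": a["name"],
                             "severity": "high" if has_write else "medium",
                             "action": "revoke the grant; re-consent only if still needed"})
    for s in shares:
        if s["link"] == "anyone":
            findings.append({"kind": "external_anyone_link", "subject": s["file"],
                             "severity": "high" if s["expires"] is None else "medium",
                             "action": "restrict to named people or set an expiry"})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in review(USERS, OAUTH_APPS, SHARES):
        print(f"[{f['severity']:8}] {f['kind']:28} {f['subject']:22} -> {f['action']}")
```

Feeding the real exports from a Microsoft 365 or Google Workspace tenant into the same function is the structured review the post describes: the value is not the filters themselves but running them on a schedule so that a "temporary" MFA exception or a forgotten integration surfaces within days rather than weeks.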

04/06/2026

ISO/IEC 42001 is the international standard for an Artificial Intelligence Management System (AIMS). It helps organizations build a structured approach to AI governance by defining rules, roles, controls, risk assessment, transparency, accountability, and continual improvement.

Why does ISO/IEC 42001 matter?
Certification helps companies that develop, implement, or use AI systems demonstrate to clients, partners, and auditors that their AI is managed within a clear and controlled framework, not in an ad hoc way.

The standard focuses on key areas such as governance and accountability, transparency, data protection, bias and fairness, security vulnerabilities, system monitoring, and continual improvement.

This is especially important for organizations working with sensitive data, automated decision-making, or preparing to meet customer and regulatory requirements.

How to prepare for ISO/IEC 42001 certification?
From a practical perspective, preparation usually starts with four steps:

🔸 Identify where AI exists in your organization
Understand which systems, models, services, or internal processes actually use AI.

🔸 Assess risks and impacts
Evaluate not only business risks, but also the impact on customers, users, data, security, fairness, and compliance.

🔸 Build an AI governance system
Establish policies, roles and responsibilities, change control procedures, monitoring, documentation, internal reviews, and corrective actions.

🔸 Conduct a gap assessment before the audit
Identify what is missing against the standard’s requirements and close those gaps before the certification audit.

Read more in our new article https://www.eskasecurity.com/post/iso-iec-42001-explained-why-it-matters-for-responsible-ai-governance

At ESKA Security, our GRC team has the practical experience and relevant certifications needed to help organizations prepare for an ISO/IEC 42001 compliance audit with confidence.

03/30/2026

Startups and SMBs still see Governance, Risk, and Compliance (GRC) as a regulatory checkbox - something required, but not valuable. In reality, a well-structured GRC program delivers measurable business ROI.

🔸 Incident prevention
Regular risk assessments and properly implemented controls reduce the likelihood of cyber incidents and data breaches that can cost millions in downtime, recovery, and reputational damage.

🔸 Regulatory readiness
Automated compliance workflows and structured control evidence significantly reduce preparation time for SOC 2, ISO 27001, and NIS2 audits, while helping avoid penalties and last-minute stress before audits.

🔸 Business trust and faster deals
Strong governance and compliance maturity increase confidence among customers, investors and partners, often accelerating procurement and partnership decisions.

A business-aligned GRC framework helps startups and SMBs reduce risk exposure, demonstrate maturity to partners, and prepare for enterprise-level requirements.
When structured properly, compliance strengthens positioning instead of slowing growth.

Need help choosing the right approach for your company?
The ESKA Security team is ready to support you at every stage.


Address

2900 Highway 7, Concord, Ontario
Vaughan, ON
L4K0G3