It's an especially brazen form of malvertising, researchers say, striking at the heart of Google's business; the tech giant says it's aware of the issue and is working quickly to address the problem.

Source: Primakov via Shutterstock

In an especially brazen tactic, multiple threat actors are impersonating Google Ads login pages to trick advertisers into handing over their account credentials.

The attackers — from regions as geographically dispersed as South America, Asia, and Eastern Europe — are then using the hijacked accounts in real-time to buy and distribute malicious advertisements and malware via Google Ads.

**'Most Egregious' Malvertising Campaign Ever**

The scammers appear to be succeeding in many cases because their ads are allowed to show an ads.google.com URL. This makes them virtually indistinguishable from legitimate Google ads, according to researchers at Malwarebytes, who spotted the malicious activity recently.

"This is the most egregious malvertising operation we have ever tracked, getting to the core of Google's business and likely affecting thousands of their customers worldwide," Malwarebytes researcher Jerome Segura wrote in a blog post this week. "We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication."

Google Ads is an advertising platform that enables businesses and individuals to display targeted ads across Google's search results, websites, mobile apps, and other online properties, based on user search behavior and interests. Often, the top search results are sponsored, meaning someone paid for that high visibility. For context, Google Search generated some $175 billion in ad revenue in 2023.

Related:CISA: Second BeyondTrust Vulnerability Added to KEV Catalog

According to Segura, there has been a recent flood of fake sponsored ads for Google Ads directed at businesses and individuals looking to advertise on Google Search or wanting to sign in to their Google Ads accounts. The ads appear to be from Google and purport to either help people sign up for a Google Ads account or to sign in to an existing account. Users clicking on these ads are directed to a fake Google Ads home page from which they are directed to external sites designed specifically to steal usernames and passwords to the advertiser's Google accounts.

The attackers are using Google's free website creation platform, Google Sites, to host the lure pages. It is a tactic that Segura says allows them to trivially bypass a Google policy that allows advertisers to include a URL in their ads only if the URL matches the domain name of the advertiser. "Looking back at the ad and the Google Sites page, we see that \[the\] malicious \[ads do\] not strictly violate the rule since sites.google.com uses the same root domains as ads.google.com," Segura said. "In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC."

Related:OWASP's New LLM Top 10 Shows Emerging AI Threats

**Google Is Actively Investigating Cyberattacks**

In an emailed comment, a Google spokesman said the company is currently "actively investigating" the issue and working on a quick fix for the problem. "We expressly prohibit ads that aim to deceive people in order to steal their information or scam them," the spokesperson said.

As context, the spokesperson pointed to the growing sophistication and scale of malvertising campaigns and noted instances where threat actors have created thousands of malicious accounts simultaneously to distribute malicious ads on Google properties. Often these actors are using techniques such as text manipulation to get around automation detection mechanisms. In other instances, they use cloaking tactics to show Google reviewers and systems different ads from the ones that users end up seeing. "To provide a sense of the scale of our enforcement efforts in 2023, we removed over 3.4 billion ads, restricted over 5.7 billion ads, and suspended over 5.6 million advertiser accounts," the spokesman said.

**Impersonating Google Ads: Simple & Effective Social Engineering**

Related:Apple Bug Allows Root Protections Bypass Without Physical Access

In comments to Dark Reading, Segura says the most notable part of the new malicious activity is the impersonation of the Google Ads brand by combining Google Sites URLs with the ads. "It's a simple and yet effective trick that makes those ads incredibly hard to differentiate from the real ones," Segura says. Complicating matters is the fact that bad actors are often using compromised Google Ads accounts to place even more fake ads in Google Search, making the activity challenging to stop.

Google should be making it harder for bad actors to pull off such impersonation schemes, he says. "The 'how' is more complicated, as it involves reviewing business practices and … existing security policies."

Segura says Malwarebytes is tracking and reporting each malvertising incident it comes across via a live tracker that the Google Ads team can access. "This has been a helpful tool for us, not only to make the reporting process easier but also to keep a historical record," he notes. Google's response has consisted of taking action on ads that Malwarebytes report. "\[But\] the threat actors are able to get right back as if the campaign never stopped. We are talking about dozens of accounts that get burned but yet there are enough to keep this going indefinitely."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Hijack Google Advertiser Accounts to Spread Malware

BeyondTrust has patched all cloud instances of the vulnerability and has released patches for self-hosted versions.

Source: ktdesign via Adobe Stock

NEWS BRIEF

The Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog.

The medium-severity security bug was found as a part of BeyondTrust's Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. Silk Typhoon, a Chinese hacking group, was reportedly responsible for the December 2024 cyberattack, in which threat actors were able to gain credentials to Treasury workstations through the third-party vendor and then steal data. On Dec. 18, BeyondTrust reported identifying BT24-11 within its self-hosted and cloud Remote Support and Privileged Remote Access products, after reporting BT24-10 just two days prior.

On Jan. 6, in its latest update, BeyondTrust reported that its forensic investigation is nearly complete and that all software-as-a-service instances of BeyondTrust Remote Support have been fully patched with no new identified victims.

"All cloud instances have been patched for this vulnerability," BeyondTrust stated in the update. "We have also released a patch for self-hosted versions."

CISA stated that the vulnerability "can be exploited by an attacker with existing administrative privileges to inject commands and run as a site user." That would allow a remote attacker to execute underlying operating system commands.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA: Second BeyondTrust Vulnerability Added to KEV Catalog

Evidence suggests that some of the payloads and extensions may date as far back as April 2023.

Source: VS148 via Shutterstock

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns to target multiple extension developers to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023.

"Currently we know about two different campaigns that have been targeting different objectives," says Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider. Extension Total researchers have uncovered several malicious extensions over the past several weeks and have been looking at how they relate to each other.

**A Tale of Two Campaigns**

One campaign created extensions that steal cookies, session tokens, and possibly passwords, and targeted Facebook and OpenAI accounts, Assaraf says. The campaign relied on phishing to target extension developers and a malicious OAUTH application to take over Google Chrome Web Store accounts. Cyberhaven was one of the victims of this campaign.

There is some disagreement among experts over when the first malicious extension associated with this campaign appeared. Assaraf points to the Chrome extension "GPT 4 Summary with OpenAI," which was added to the Google Chrome Web Store in August. John Tuckner, founder of browser-extension management service Secure Annex, believes the "AI Assistant – ChatGPT and Gemini for Chrome" extension, which was uploaded to the Chrome Web Store in May, was the first extension used by this campaign.

"As far as I can tell, that is the first example of this type of code being used, but some of the related domain registrations go back to around Sept. 25, 2023, so this could have been planned for a while," Tuckner says.

Both extensions are no longer on the Chrome Web Store.

Regardless of when this campaign began, the impact has been widespread. Researchers have found 22 extensions related to it so far, affecting 1.46 million users, Assaraf says. Some of these have been removed completely from the Chrome Web Store, and others have been updated to a "safe" version.

The second campaign is aimed at tracking user activity, telemetry, and sites visited, "probably with intention to sell this data," Assaraf says. Its earliest appearance was in April 2023, and researchers have identified 15 extensions thus far as belonging to this campaign.

A Google spokesperson says the company has shut down malicious Chrome Web Store accounts identified as part of this investigation and continues to investigate reports from Extension Total regarding extensions still available in the store.

It's unclear at this time whether one attacker is behind both campaigns, though there is evidence — shared JavaScript payloads injected into unauthorized updates between August 2024 and December 2024 — suggesting "a synchronized campaign," says Bugcrowd founder Casey John Ellis.

"This also suggests centralized control over the hijacked developer accounts and a common threat actor," he says.

At this point, both campaigns appear to be contained; no additional extensions have been discovered, according to Assaraf.

**Extensions as Low-Hanging Fruit for Attackers**

Cyberhaven's internal security team was able to respond to the breach quickly, which helped expose the breadth of the extension poisoning. Many of the affected extensions are hobbyist projects, which means they likely do not have the tools or security support to be regularly monitoring for malware.

Therein lies the dilemma for detecting malicious Chrome extensions in the wild, experts say. It also explains why ensuring that extensions used within a corporate browser are safe is such a tricky scenario for organizations to navigate. While some are managed by companies with dedicated teams to ensure the extensions remain clean, many are maintained by private individuals and, thus, don't have this kind of oversight.

That complicates security within a corporate environment because browsers, like Chrome, grant extensions broad permissions, including access to sensitive user data, cookies, and even the ability to capture credentials and sessions, according to Matt Johansen, security researcher at Vulnerable U.

"Extensions still operate with a significant degree of trust, and once compromised, they can access everything a user can," Johansen says. "They also have less scrutiny to install than traditional desktop software, even in enterprises."

Because of their ability to compromise so many users and have access to so much information by poisoning a browser extension, it's a no-brainer for attackers.

"Controlling an extension gives an adversary a powerful vantage point for all browser activities," concurs Lionel Litty, chief security architect at Menlo Security.

Indeed, poisoning a Chrome extension is "actually a very convenient way for attackers to spread malicious code," Assaraf adds. "You only need to fool one person, one developer, and you get access to hundreds of thousands of machines," he says.

People often forget they've installed browser extensions, yet they continue to run in the background and update automatically, giving attackers wide access to sensitive data, he adds.

**Closing the Browser Security Gap**

Given their reach, why, then, are browsers and their extensions given such little thought when it comes to an organization's security posture? It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries — though that could now change, notes Secure Annex's Tuckner.

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that "drive core business value" and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.

"Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with," he says. "Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Extension Poisoning Campaign Highlights Gaps in Browser Security

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Lazarus APT Evolves Developer-Recruitment Attacks

Ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

Matias Madou, Co-Founder & CTO, Secure Code Warrior

January 15, 2025

5 Min Read

Source: Nils Ackermann via Alamy Stock Vector

COMMENTARY

The advent of artificial intelligence (AI) coding tools undoubtedly signifies a new chapter in modern software development. With 63% of organizations currently piloting or deploying AI coding assistants into their development workflows, the genie is well and truly out of the bottle, and the industry must now make careful moves to integrate it as safely and efficiently as possible.

The OWASP Foundation has long been a champion of secure coding best practices, providing extensive coverage on how developers can best defend their codebases from exploitable vulnerabilities. Its recent update to the OWASP Top 10 for Large Language Model (LLM) Applications reveals the emerging and most potent threats perpetuated by AI-generated code and generative AI (GenAI) applications, and this is an essential starting point for understanding and mitigating the threats likely to rear their ugly heads. 

We must focus on integrating solid, foundational controls around developer risk management if we want to see more secure, higher quality software in the future, not to mention make a dent in the flurry of global guidelines that demand applications are released that are secure by design.

**The Perilous Crossover Between AI-Generated Code and Software Supply Chain Security**

Prompt Injection's ranking as the No. 1 entry on the latest OWASP Top 10 was unsurprising, given its function as a direct natural language command telling the software what to do (for better or worse). However, Supply Chain Vulnerabilities, which have a much more significant impact at the enterprise level, came in at No. 3. 

OWASP's advice mentions several attack vectors comprising this category of vulnerability, elements such as implementing pretrained models that are also precompromised with backdoors, malware and poisoned data, or vulnerable LoRA adapters that, ironically, are used to increase efficiency, but can, in turn, compromise the base LLM. These present potentially grave, widespread exploitable issues that can permeate the whole supply chain in which they are used.

Sadly, many developers are not skill- and process-enabled enough to navigate these problems safely, and this is even more apparent when assessing AI-generated code for business logic flaws. While not specifically listed as a category, as is apparent in OWASP’s Top 10 Web Application Security Risks, this is partly covered in No. 6, Excessive Agency. Often, a developer will vastly overprivilege the LLM for it to operate more seamlessly, especially in testing environments, or misinterpret how real users will interact with the software, leaving it vulnerable to exploitable logic bugs. These, too, affect supply chain applications and, overall, require a developer to apply critical thinking and threat modeling principles to overcome them. Unchecked AI tool use, or adding AI-powered layers to existing codebases, adds to the overall complexity and is a significant area of developer-driven risk.

**Data Exposure Is a Serious Concern Requiring Serious Awareness**

Sensitive Information Disclosure is second on the new list, but it should be a chief concern for enterprise security leaders and development managers. As OWASP points out, this vector can affect both the LLM itself and its application context, leading to personally identifiable information (PII) exposure, and disclosure of proprietary algorithms and business data.

The nature of how the technology operates can mean that exposing this data is as simple as using cunning prompts rather than actively "hacking" a code-level vulnerability, and "the grandma exploit" is a prime example of sensitive data being exposed due to lax security controls over executable prompts. Here, ChatGPT was duped into revealing the recipe for napalm when prompted to assume the role of a grandmother reading a bedtime story. A similar technique was also used to extract Windows 11 keys. 

Part of the reason this is made possible is through poorly configured model outputs that can expose proprietary training data, which can then be leveraged in inversion attacks to eventually circumvent the security controls. This is a high-risk area for those who are feeding training data into their own LLMs, and the use of the technology requires companywide, role-based security awareness upskilling. The developers building the platform must be well-versed in input validation and data sanitization (as in, these skills are verified and assessed before they can commit code), and every end user must be trained to avoid feeding sensitive data that can be spat out at a later date.

While this may seem trivial on a small scale, at the government or enterprise level, with the potential for tens of thousands of employees to inadvertently participate in exposing sensitive data, it's a significant expansion of an already unwieldy attack surface that must be addressed.

**Are You Paying Attention to Retrieval-Augmented Generation (RAG)?**

Perhaps the most notable new entry in the 2025 list is featured at No. 8, Vector and Embedding Weaknesses. With enterprise LLM applications often utilizing RAG technology as part of the software architecture, this is a vulnerability category to which the industry must pay close attention.

RAG is essential for model performance enhancement, often acting as the "glue" that provides contextual cues between pre-trained models and external knowledge sources. This is made possible by implementing vectors and embeddings, but if they are not implemented securely they can lead to disastrous data exposure, or pave the way for serious data poisoning and embedding inversion attacks. 

A comprehensive understanding of both core business logic and least-privilege access control should be considered a security skills baseline for developers working on internal models. However, realistically, the best-case scenario would involve utilizing the highest-performing, security-skilled developers and their AppSec counterparts to perform comprehensive threat modeling and ensure sufficient logging and monitoring.

As with all LLM technology, while this is a fascinating emerging space, it should be crafted and used with a high level of security knowledge and care. This list is a powerful, up-to-date foundation for the current threat landscape, but the environment will inevitably grow and change quickly. The way in which developers create applications is sure to be augmented in the next few years, but ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

**About the Author**

Co-Founder & CTO, Secure Code Warrior

Matias Madou is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company, Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences, including RSA Conference, Black Hat, DEF CON, BSIMM, OWASP AppSec, and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

OWASP's New LLM Top 10 Shows Emerging AI Threats

In 2024, the Taiwanese government saw the daily average of attempted attacks by China double to 2.4 million, with a focus on government targets and telecommunications firms.

Source: Andy.LIU via Shutterstock

Using phishing emails and zero-day exploits, China's cyber-operations groups targeted Taiwanese organizations — including government agencies, telecommunications firms, and transportation — with significantly higher volumes of attacks in 2024.

On average, Taiwan saw more than 2.4 million attack attempts per day, double the 1.2 million average daily attacks in 2023, with the vast majority of activity targeting the Taiwanese government, according to an annual analysis published by Taiwan's National Security Bureau (NSB). Like many other countries, Taiwan has also detected a surge in attacks targeting its telecommunications sector, with the number of security events rising by more than sixfold, the analysis stated.

"China has continued to intensify its cyberattacks against Taiwan," the NSB stated in the report. "By applying diverse hacking techniques, China has conducted reconnaissance, set cyber ambushes, and stolen data through hacking operations targeting Taiwan’s government, CI \[critical infrastructure\] and key private enterprises."

China has become increasingly aggressive in its cyber operations. Government-backed groups in the country have compromised telecommunications networks in the US, stolen information from Southeast Asia and Africa, and targeted individuals in India with SMS phishing attacks. China-based groups, specifically, have branched out into a variety of different areas, going beyond cyber espionage.

To date, very few countermeasures have been effective at restraining China in cyberspace, says Jon Clay, vice president of threat intelligence at cybersecurity firm Trend Micro.

"Until nation-states take action against China's aggressiveness, I don't think you're going to see a diminishing of the pace in attacks," he says, adding the companies should expect to get targeted by nation-states in general and China specifically. "It's a wakeup call that they have to start thinking about how do I defend myself against these nation states attacks better in 2025 than I've done in the past."

**Successful Attacks Rise**

Overall, Taiwanese government and private-sector organizations suffered at least 906 successful attacks in 2024, an increase of 20% compared to 2023, with government systems the target of more than 80% of attacks, followed by attacks against telecommunications firms, according to the NSB report.

In 2024, Taiwan saw twice as many attacks from China as the previous year, with a surge during the summer. Source: Taiwan NSB

The focus on the telecommunications industry is not surprising, says Michael Freeman, head of threat intelligence at Armis, a cyber exposure management firm. A variety of countries' telecommunications providers — including at least nine firms in the US — have been targeted by Chinese groups.

"The telecom industry is being hit by China in most regions right now, because if you can control the flow of information, you control a lot of factors," he says. "They could use that information to spy on politicians and find out something that could be used for blackmail purposes — it's a gift that keeps on giving in many different ways."

In the US, there are signs that China gained some level of access to the federal wiretapping system, which could have given the Chinese government information on people suspected of espionage, Freeman says. Taiwan prosecuted 64 individuals for espionage in 2024, up from 48 in 2023, according to a second report from the NSB.

Overall, threat activity has increased in the Asia-Pacific region with cybercriminals and espionage groups of all types targeting companies and national governments in the region. Chinese cybercriminal syndicates have become a problem for neighboring countries, whose citizens have been imprisoned and made to conduct "pig butchering" scams online.

**Business (and Politics) as Usual**

With the incoming Trump administration pledging to put significant tariffs on goods from China, the level of geopolitical stress in the Asia-Pacific will likely rise and cyberattacks typically increase during periods of diplomatic tensions. In addition, China's policy requiring that researchers disclose information on significant vulnerabilities to the Chinese government has likely created a stockpile of issues that can be used by state-sponsored hacking groups, says Trend Micro's Clay.

"It's all really all about acquiring sensitive information for political advantage, military advantage, and economic advantage," he says.

Companies doing business in the region should take steps to improve the cybersecurity, detect sophisticated attacks, and find ways to slow attackers, says Armis' Freeman. He points to deceptive techniques that seed a network with faux assets that act as detectors of malicious activity, as useful defenses. Not only can deceptive technology detect likely attacks, but even when the attackers figure out it's there, it can slow them down.

"Once an adversary knows that you're using some form of deception, they're much more cautious in the way they proceed in your environment," he says. "They don't know the scale of it. They don't know what types of technology you are using. It's putting them at a greater disadvantage."

With the frequency of cyberattacks like to continue rising in the Asia-Pacific region, raising attackers' costs and slowing them down should be considered a win, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

As Tensions Mount With China, Taiwan Sees Surge in Cyberattacks

Company has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting.

Source: Elena11 via Shutterstock

Microsoft's January update contains patches for a record 159 vulnerabilities, including eight zero-day bugs, three of which attackers are already actively exploiting.

The update is Microsoft's largest ever and is notable also for including three bugs that the company said were discovered by an artificial intelligence (AI) platform.  

Microsoft assessed 10 of the vulnerabilities disclosed this week as being of critical severity and the remaining ones as important bugs to fix. As always, the patches address vulnerabilities in a wide range of Microsoft technologies, including Windows OS, Microsoft Office, .NET, Azure, Kerberos, and Windows Hyper-V. They include more than 20 remote code execution (RCE) vulnerabilities, nearly the same number of elevation-of-privilege bugs, and an assortment of other denial-of-service flaws, security bypass issues, and spoofing and information disclosure vulnerabilities.

**Three Vulnerabilities to Patch Immediately**

Multiple security researchers pointed to the three actively exploited bugs in this month's update as the vulnerabilities that need immediate attention. The vulnerabilities, identified as CVE-2025-21335, CVE-2025-21333, and CVE-2025-21334, are all privilege escalation issues in a component of the Windows Hyper-V's NT Kernel. Attackers can exploit the bug relatively easily and with minimal permissions to gain system-level privileges on affected systems.

Microsoft itself has assigned each of the three bugs a relatively moderate severity score of 7.8 out of 10 on the CVSS scale. But the fact that attackers are exploiting the bug already means organizations cannot afford to delay patching it. "Don't be fooled by their relatively low CVSS scores of 7.8," said Kev Breen, senior director threat research, Immersive Labs, in emailed comments. "Hyper-V is heavily embedded in modern Windows 11 operating systems and used for a range of security tasks."

Microsoft has not released any details on how attackers are exploiting the vulnerabilities. But it is likely that threat actors are using it to escalate privileges after they have gained initial access to a target environment, according to researchers. "Without proper safeguards, such vulnerabilities escalate to full guest-to-host takeovers, posing significant security risks across your virtual environment," researchers at Automox wrote in a blog post this week.

**Five Publicly Disclosed but Not Yet Exploited Zero-Days**

The remaining five zero-days that Microsoft patched in its January update are all bugs that have been previously disclosed but which attackers have not exploited yet. Three of the bugs enable remote code execution and affect Microsoft Access: CVE-2025-21186 (CVSS:7.8/10), CVE-2025-21366 (CVSS: 7.8/10), and CVE-2025-21395. Microsoft credited AI-based vulnerability hunting platform Unpatched.ai for finding the bugs. "Automated vulnerability detection using AI has garnered a lot of attention recently, so it's noteworthy to see this service being credited with finding bugs in Microsoft products," Satnam Narang, senior staff research engineer for Tenable, wrote in emailed comments. "It may be the first of many in 2025."

The other two publicly disclosed but as yet unexploited zero-days in Microsoft's January security update are CVE-2025-21275 (CVSS: 7.8/10) in Windows App Package Installer and CVE-2025-21308 in Windows Themes. Both enable privilege escalation to SYSTEM and therefore are high-priority bugs for fixing as well.

**Other Critical Vulns**

In addition to the zero-days there are several other vulnerabilities in the latest batch that also merit high-priority attention. Near the top of the list are three CVEs to which Microsoft has assigned near maximum CVSS scores of 9.8 out of 10: CVE-2025-21311 in Windows NTLMv1 on multiple Windows versions; CVE-2025-21307, an unauthenticated RCE flaw in Windows Reliable Multicast Transport Driver; and CVE-2025-21298, an arbitrary code execution vulnerability in Windows OLE.

According to Ben Hopkins, cybersecurity engineer at Immersive Labs, Microsoft likely rated CVE-2025-21311 as critical because of the potentially severe risk it presents. "What makes this vulnerability so impactful is the fact that it is remotely exploitable, so attackers can reach the compromised machine(s) over the Internet," he wrote in emailed comments. "The attacker does not need significant knowledge or skills to achieve repeatable success with the same payload across any vulnerable component."

CVE-2025-21307, meanwhile, is a use-after-free memory corruption bug that affects organizations using the Pragmatic General Multicast (PGM) multicast transport protocol. In such an environment, an unauthenticated attacker only needs to send a malicious packet to the server to trigger the vulnerability, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, wrote in emailed comments. Attackers who successfully attack the vulnerability can gain kernel-level access to affected systems, meaning organizations using the protocol need to apply Microsoft's patch for the flaw immediately, McCarthy added.

Tyler Reguly, associated director of security R&D at Fortra, described CVE-2025-21298 — the third 9.8 severity bug — as an RCE flaw that an attacker would likely exploit via email rather than over the network. "The Microsoft Outlook preview pane is a valid attack vector, which lends itself to calling this a remote attack. Consider reading all emails in plaintext to avoid vulnerabilities like this one," he noted in emailed comments.

Microsoft's January 2025 update is in stark contrast to January 2024's update when the company disclosed just 49 CVEs. According to data from Automox, the company issued patches for 150 CVEs in April 2024, and for 142 in July.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Rings in 2025 With Record Security Update

The acquisition accelerates 1Password's ongoing efforts to expand the role of the password manager with secure SaaS management.

1Password's acquisition of software-as-a-service (SaaS) access management provider Trelica is the latest move in a race to broaden the scope and functionality of password managers beyond securely storing user credentials.

1Password and its competitors, including Bitwarden, Dashlane, and LastPass, have been piling on features in recent months, such as extended autofill capabilities; support for digital attachments, such as birth certificates; and the ability to use the System of Cross-domain Identity Management (SCIM) standard to automatically provision users and groups from a source directory.

The 1Password-Trelica deal announced last week fits with 1Password's plans to help enterprises manage SaaS and shadow IT in their environment. Addressing these two enterprise challenges is a natural progression of what 1Password has already been providing with credential management, says 1Password co-CEO David Faugno.

**Next Step for Password Management**

1Password has been steadily augmenting its password manager software with capabilities such as Secrets Automation and the Events API. The company launched 1Password Extended Access Automation (XAM) last year, which allows secure access to enterprise resources from employee-owned and unmanaged devices that are not set up with the organization's single sign-on tools.

Prior to launching XAM, 1Password acquired Kolide, which developed a tool that provides contextual access management by detecting the health and posture of devices before granting access to applications.

"Our vision for Extended Access Management, and the way we're building to it, includes the application side of the story, which is how you identify and discover applications in the shadow IT realm," Faugno says.

Faugno says SaaS authentication and management were both already on the product road map, but the company had not decided whether to build or buy the capabilities.

"When we found Trelica, it was very, very well aligned with how we saw the world and how we thought about what that element was going to be in our XAM platform," Faugno says. "The Trelica team was very philosophically aligned with the way they built the product, culturally, and was a really good fit, so the build-versus-buy decision became pretty clear for us."

Trelica, founded in 2018 by Iain McGhee, Richard Kirby, and Robert Stiff, integrates directly with 300 SaaS providers. The software's primary functions include shadow IT discovery, spend optimization, contract renewals, and access management workflows for automating onboarding, offboarding, provisioning, and privilege escalation tasks.

**Growing Enterprise Implementation**

Password managers have historically been designed to assist consumers in keeping track of usernames and passwords for all of their online accounts. In recent years, password managers integrated with single sign-on platforms from Microsoft, Okta, Ping Identity, and others to make it possible for employees to sign on to workforce systems.

"Most enterprises are using some form of password manager for dealing with SaaS and even on-premises applications," says IDC research vice president Jay Bretzmann.  

While demand is strong for 1Password and its leading competitors, they need to continue adding capabilities that meet enterprise needs to their core products if they are to grow.

"Odds are some of these vendors will be acquired or simply not keep up with investment \[in GenAI\] over the next three years," Bretzmann says. "Most of the leaders are focusing on the sprawl problem they currently solve for enterprise environments with too many point solutions. Password managers will still be relevant in the midmarket where identity problems are less complex."

According to a recent Bloomberg report, 1Password has been interviewing banks for a potential IPO. While Faugno was in New York at the Nasdaq exchange to announce the Telica acquisition, he dismisses that as a sign of immediate plans to go public.

"You know how these public exchanges woo you years before to get closer to the company," he says. "We're in no rush. We have a profile that is appealing to public market investors, but we're also very fortunate to have been a very profitable business for two decades, so we have no unnatural pressures to become public. When the timing is right, we'll do it."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

1Password's Trelica Buy Part of Broader Shadow IT Play

Emergent macOS vulnerability lets adversaries circumvent Apple's System Integrity Protection (SIP) by loading third-party kernels.

Source: Andrey Kryuchkov via Alamy Stock Photo

Cyber defenders are encouraged to ensure systems have been updated with the latest macOS patch, which includes a fix for a vulnerability that exposed the entire operating system to further compromise.

The bug, tracked under CVE-2024-44243, was patched in the Dec. 11 Apple security update, according to analysis from Microsoft Threat Intelligence that was released this week. The vulnerability could allow adversaries to bypass the macOS System Integrity Protection (SIP) restrictions, which limit operations that are detrimental to a device's security. Without SIP controls in place, a threat actor could install rootkits, drop persistent malware, and more, according to the Microsoft report. More disturbing, threat actors don't need physical access to pull off the cyberattack.

"This exposes the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls," said Jason Soroko, senior fellow at Sectigo, in a statement.

**Detecting Other Apple Bug Exploits**

In addition to updating vulnerable macOS systems, experts suggest cyber defenders be on the lookout for suspicious behavior.

"Teams should proactively monitor processes with special entitlements, as these can be exploited to bypass SIP," said Mayuresh Dani, manager, security research, at Qualys, in a statement provided in reaction to the flaw. "The behavior of these processes in the environments should also be maintained."

Soroko also advised teams to monitor for unusual disk management activity, in addition to anomalous privileged user behavior, and to implement endpoint detection tools and controls for unsigned kernel extensions. Dani agreed that third-party kernel extensions should be managed with care to prevent these sorts of attacks.

Third-party kernel extensions "should be enabled only when absolutely necessary and with strict monitoring guidelines," Dani added.

This is just one of the recent cyberattacks that has found its way around Apple's defenses.

The macOS infostealer malware "Banshee" was recently observed skirting Apple's antivirus protections, courtesy of a string encryption algorithm stolen from Apple. It's up to cyber teams to have adequate protections in place to lock down their own environments.

"Regular integrity checks, principle-of-least-privilege policies, and strict compliance with Apple's security guidelines further reduce exposure to this critical threat," Soroko added.

This and other similar flaws are a demonstration of a lack of security between root users and the operating system, Lionel Litty, chief security architect at Menlo Security, explained in a statement. It's also an example of the limitations of endpoint-based solutions, he added.

"While endpoint-based security solutions are attractive from a cost and usability perspective compared to off-device solutions such as \[virtual desktop infrastructure\], the constant stream of OS vulnerabilities that allow a local attacker to bypass OS integrity protection mechanisms shows that this is a risky gamble," Litty said. "If your security controls involve installing an application on an unmanaged device and relying on this application protecting itself, you need to closely monitor this type of issue."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Apple Bug Allows Root Protections Bypass Without Physical Access

Two hacker groups were paid to develop malware targeting victims in the US, Europe, and Asia, as well as various Chinese dissident groups.

Source: Herr Loeffler via Shutterstock

NEWS BRIEF

The US Justice Department and the FBI said on Jan. 14 that they were able to delete "PlugX" malware from thousands of devices globally as part of a cooperative effort.

The operation spanned a series of months, targeting the work of a group of China-sponsored hackers known as "Mustang Panda" and "Twill Typhoon." The group used PlugX malware to infect victims' computers and steal their information.

According to court documents, the Chinese government paid the hacking group to develop their strain of PlugX.

Since 2014, the group has targeted thousands of victims across the US, Europe, and Asia, as well as Chinese dissident groups. Many victims are still unaware their devices remain infected with the malware.

"This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of \[People's Republic of China\] state-sponsored hackers," said US Attorney Jacqueline Romero.

French law enforcement led the international operation, and a French cybersecurity company, Sekoia.io, was able to identify and report on the capability to send commands to delete the PlugX version from infected devices.

The tactic was tested and deemed viable by the FBI, leading the organization to obtain nine warrants to begin deleting PlugX from US-based computers.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Source

DARKReading