An ongoing campaign targeting FortiGate devices with management interfaces exposed on the public Internet is leading to unauthorized administrative logins and configuration changes, creating new accounts, and performing SSL VPN authentication.

Source: Lutsenko Oleksandr via Shutterstock

A zero-day flaw is likely to blame for a series of recent attacks on Fortinet FortiGate firewall devices that have management interfaces exposed on the public Internet. Attackers are targeting the devices to make unauthorized administrative logins and other configuration changes, create new accounts, and perform SSL VPN authentication, researchers have found.

Researchers at Arctic Wolf have been tracking the campaign since they first noticed suspicious activity on FortiGate devices in early December, they revealed in a recent blog post. They observed threat actors gaining access to management interfaces on affected firewalls — the firmware versions of which ranged between 7.0.14 and 7.0.16 —  and altering their configurations. Moreover, in compromised environments, attackers also were using DCSync to extract credentials.

Artic Wolf released a security bulletin in December upon discovery of the campaign, while the recent blog post revealed more in-depth details, including the attackers likely exploiting a zero-day flaw. However, they have not "definitively confirmed" this initial access vector, though the compressed timeline across affected organizations as well as firmware versions affected by the campaign suggest that attackers are exploiting an as-yet-undisclosed vulnerability, according to the Arctic Wolf researchers.

Victims of the campaign did not represent a specific sector or organization size, suggesting "that the targeting was opportunistic in nature rather than being deliberately and methodically targeted," they added.

The researchers didn't provide details on the scope or volume of the campaign.

**Cyber Abuse of the Fortinet Administrator Console**

What alerted the researchers to the malicious activity "in contrast with legitimate firewall activities, is the fact that \[attackers\] made extensive use of the jsconsole interface from a handful of unusual IP addresses," according to the post.  FortiGate next-generation firewall products have a standard and "convenient" feature that allow administrators to access the command-line interface through the Web-based management interface, the researchers explained.

"According to the FortiGate Knowledge Base, when changes are made via the Web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whomever made the changes," they wrote. "In contrast, changes made via ssh would be listed as ssh for the user interface instead."

The researchers do not have direct confirmation that such commands are used in the present campaign; however, the observed activities follow a similar pattern in the way they invoke jsconsole, they added.

"Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board," the researchers wrote.

**A Four-Phase Cyberattack, Still Ongoing**

The researchers broke the campaign down into four phases that started in mid-November: It started with a vulnerability scanning phase, followed by a reconnaissance phase at the end of November, an SSL VPN configuration phase in the beginning of December, and then wrapping up with lateral movement from mid- to late December. However, they noted that the campaign is ongoing and they may uncover further activity in the future.

"These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access," the researchers explained.

Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning the four phases of the campaign.

"Most of these sessions were short-lived, with corresponding logout events within a second or less," the researchers wrote. "In some instances, multiple login or logout events occurred within the same second, with up to four events occurring per second."

**Don't Expose Management Interfaces to Public Internet**

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products widely exploited to breach networks. To protect against attack, organizations should never expose Fortinet device management interfaces on the public Internet, regardless of the product specifics, according to the researchers. Instead, access to these interfaces should be limited to trusted internal users.

"When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators," they wrote in the post.

Administrators also should follow the common best practice of regularly updating firmware on the devices to patch any flaws or other security issues. Further, the researchers added, organizations also should ensure that syslog monitoring is configured for all of an organization’s firewall devices to increase the likelihood of catching malicious activity early.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

In times of unprecedented change, innovative mindsets and attentiveness of startup culture make for a community everyone can leverage to understand the world and guard against its dangers.

Source: Vladimir Badaev via Alamy Stock Photo

COMMENTARY

In 2024, early growth startups found capital hard to come by, yet venture capitalists couldn't help but invest in emerging data and AI security. Solutions tackling data-in-motion and application data flows were a heavy focus. And there was a mad scramble to solve deepfakes and disinformation.

It was the year of deepfake awareness. Global governments were on high alert during election time, and even Wiz was touched by a failed deepfake attack. Yet the most disturbing news involved a conference call of synthetic co-workers, including a deepfake chief financial officer (CFO) who tricked a Hong Kong financial analyst into wiring $25 million. 

Imperceptible impersonation attacks are not difficult to generate these days. Real-time face swapping tools have proliferated on GitHub, such as Deep-Live-Cam and DeepFaceLive. Synthetic voice tools, like Descript and ElevenLabs, are also readily available.

In years past, monitoring human audio and video has fallen under the purview of insider threat and physical security. Now SecOps will deploy tech to monitor conference calls using startups like Validia and RealityDefender. These identity assurance solutions put participants through models looking for indicators of liveness, and provide confidence scores.

Governmental threat intelligence spans state-sponsored disinformation and narrative attacks as part of their broader information warfare operations. In the corporate space, monitoring brand reputation and disinformation traditionally has fallen under the legal and PR comms departments. Yet in 2024 there were signs of a shift.

New disinformation and narrative attacks not only destroy brands but have attempted to frame executives for Securities and Exchange Commission (SEC) violations, as well as incite violence after the recent United Healthcare assassination. Ignoring them could mean executive jail time or worse.

There's a belief in the startup community that boards of directors will want a single unified view of these threats. Threat intelligence that spans cybersecurity exfil, insider threats, impersonation, and broader information warfare. In the future, the chief information security officer’s (CISO’s) threat intel teams may find  their scope expanded with startups like Blackbird.AI, Alethea, or Logically.

Data security was another notable focus within the early growth startup world in 2024.

**Model Data Leakage Is the Problem of the Decade**

Models can be thought of as databases that are conversationally queried in English, and that store what was learned from Internet-sized chunks of unstructured text, audio, and video. Their neural network format doesn't get enough credit for density, storing immense data, and intelligence in models that may even fit on devices. 

The impending rollout of agentic AI, which produces agents that click UIs and operate tools, will only expand on-device model deployment. Agentic AI may even deploy adaptive models that learn device data. 

It sounds too insecure to adopt. Yet how many organizations will pass up AI's productivity gains?

To add to the complexity, the AI arms race produces groundbreaking foundational models every week. This encourages designing AI native apps that lean toward flexible code architectures — architectures that allow app vendors to swap out models under an organization's nose.

How will companies protect data as it collapses into these knowledge-dense neural nets? It's a data leakage nightmare.

**Time to Tackle Data in Motion**

A 2024 trend was the startup world's belief that it's time to rebuild cybersecurity for data in motion. Data flows are tackled on two fronts. First, reinventing traditional user and device controls, and second, providing app security under the chief technology officer (CTO). 

Data loss prevention (DLP) has been a must-buy category for compliance purposes. It places controls on the egress channels of users and devices, as well as between data and installed applications, including AI apps. In 2024, investors see DLP as a big opportunity to reinvent. 

At RSA and BlackHat's 2024 startup competitions, DLP startups Harmonic and LeakSignal were named finalists. MIND also received an $11 million seed investment last year.

DLP has traditionally focused on users, devices, and their surrounding network traffic, though one startup is eyeing the non-human identities that today outnumber humans, and are often microservices or apps deployed within Kubernetes. The leaking of secrets by these entities in logfiles has become a growing concern, and LeakSignal is employing cyber mesh concepts to control this data loss channel.

This leads to the CISOs' second data battleground, a data security approach that could govern code and AI development under CTOs. 

**Data Security Intersects Application Security**

Every company is developing software, and many leverage private data to train proprietary models. In this application world, CISOs need a control plane.

Antimatter and Knostic both appeared as finalists in 2024 RSA and BlackHat startup competitions. They offer privacy vault APIs that, when fully adopted by an organization, enable cybersecurity teams to govern the data that engineers expose to models. 

Startups working on fully homomorphic encryption (FHE) appear in competitions annually, touting this Holy Grail of AI privacy. It's a tech that produces an intermediate but still AI-usable encryption state. FHE's ciphertext remains usable because it maintains entity relationships, and models can use it during both training and inference time to deliver insights without seeing secrets.

Unfortunately, FHE is too computationally expensive and bloated for broad usage. The lack of partial word searching is another notable limitation. That's why we're seeing a privacy trend that delivers FHE as only one approach within a wider blend of encryption and token replacement. 

Startup Skyflow deploys polymorphic technology using FHE when it makes sense, along with lighter forms of encryption and tokenization. This enables handling partial searches, examining the last four digits of IDs, and being performative on devices. It's a blended approach similar to Apple's end-to-end encryption across devices and the cloud.

It's not hyperbole to say these are times of unprecedented change. Here one should note the innovative mindset and attentiveness of startup culture. It makes for a community that all can leverage to understand the world and guard against its dangers.

**About the Author**

Cybersecurity Analyst

Paul Shomo is an experienced analyst focusing on emerging cybersecurity and early-growth startups. A prescient forecaster, Paul is featured in Dark Reading, CSO Online, eWeek, and the Genealogy of Cybersecurity podcast. A patent holder and engineering leader behind EnCase, Paul was a founding pioneer of DFIR and enterprise forensics from 2006 to 2015. Paul was also a former kernel developer for Wind River Systems.

New Startups Focus on Deepfakes, Data-in-Motion &amp; Model Security

PRESS RELEASE

Today, CISA released the Cybersecurity Performance Goals Adoption Report to highlight how adoption of Cybersecurity Performance Goals (CPGs) benefits our nation’s critical infrastructure sectors. Originally released in October 2022, CISA’s CPGs are voluntary practices that critical infrastructure owners can take to protect themselves against cyber threats. 

This report is based on analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024. Data reveals that four critical infrastructure sectors are most impacted by CPG adoption: Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities. These four sectors have strong partnerships with CISA.

As CISA strengthens partnerships across all 16 critical infrastructure sectors, the agency hopes that CPG adoption will continue to expand. CISA urges critical infrastructure to learn more by visiting Cross-Sector Cybersecurity Performance Goals. 

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases the Cybersecurity Performance Goals Adoption Report

PRESS RELEASE

HONOLULU, Jan. 08, 2025 (GLOBE NEWSWIRE) -- Krilla Kaleiwahea LLC (K2), a Native Hawaiian Organization leader in defense, technology, resilience, and workforce development for the U.S. federal government, is proud to announce its selection as a prime contractor on the prestigious Navy SeaPort contract. This achievement underscores K2’s commitment to delivering innovative solutions and unparalleled support to the U.S. Navy and its mission-critical operations.

SeaPort NxG, the Navy’s electronic procurement platform, facilitates efficient and streamlined acquisition of professional support services in various functional areas, including engineering, financial management, and program management. As a trusted partner, K2 is now positioned to provide exceptional services across these domains, ensuring the Navy meets its strategic objectives with cutting-edge capabilities.

Driving Innovation and Excellence

“Being awarded the SeaPort contracting vehicle is a testament to K2’s dedication to excellence and our proven track record of supporting the Department of Defense with world-class talent,” said Peter Krilla, Co-Founder of K2. “We are honored to serve the Navy and contribute to its mission by delivering forward-thinking solutions and unmatched expertise.”

With this award, K2 will leverage its deep industry knowledge, advanced technologies, and talented team to address the complex challenges faced by the Navy and its partners. This contract allows K2 to expand its footprint and continue its tradition of excellence in supporting national security initiatives.

About K2

K2 is an 8(a) Native Hawaiian Organization and a leading provider of advanced solutions for the U.S. federal government's defense, technology, resilience, and workforce development sectors. Backed by decades of senior leadership experience in government, military, and corporate, we bring forward-thinking strategies that empower our clients to achieve operational success in the most demanding environments. As a Native Hawaiian Organization, we dedicate a portion of our profits to supporting the Native Hawaiian community. For more information about K2 and its services, visit www.k2-nho.com/

You May Also Like

K2 Secures Navy SeaPort Next Generation Contract

PRESS RELEASE

New York City, January 13, 2025 — Grupo Bimbo Ventures, the venture capital arm of Grupo Bimbo, the world's leading baking company and a significant player in the snack industry, is pleased to announce a strategic investment in NanoLock Security, a global leader in OT cybersecurity and management solutions for industrial manufacturing and critical infrastructure. This investment underscores Grupo Bimbo's commitment to embrace innovation that can benefit global markets and needs.

The food industry plays a critical role in national resilience. However, it has increasingly become a target for cyber threat actors. Food manufacturers manage complex and diverse industrial systems across multiple sites, creating vulnerabilities that threat actors can exploit. The use of third-party contractors for system maintenance and updates further heightens risks if not properly monitored.

NanoLock Security's solutions are designed to protect industrial systems, ensuring the integrity and security of critical operations. Their zero-trust approach provides centralized, global enforcement of security policies across diverse industrial environments. This flexibility is crucial for maintaining the security and operational integrity of manufacturing facilities worldwide.

As a global leader in the baking industry, Grupo Bimbo understands the importance of ensuring uninterrupted production and uphold the highest standards of quality and safety. NanoLock's proven expertise and successful deployments with leading manufacturers in APAC, US, Israel & EU align perfectly with Grupo Bimbo's vision for a secure and resilient future in the food sector.

"We are excited to partner with NanoLock Security and leverage their advanced solutions to enhance food operations worldwide," said Constantino Matouk Iriondo, VP Global Bimbo Ventures. "This investment reflects our dedication to ensuring a safer world, and we are impressed with how NanoLock’s customers, from different sectors, are benefiting from their unique technology and capabilities."

Grupo Bimbo Ventures is a minority shareholder of NanoLock Security, having invested alongside Awz Ventures. Awz Ventures has a proven track record of pioneering multi-use, innovative deep-tech investments. It has led NanoLock’s investment from inception in 2018 through subsequent rounds.

About Grupo Bimbo Ventures

Grupo Bimbo Ventures is the venture capital arm of Grupo Bimbo, the world's leader and largest baking company and a significant player in the snack industry.

About NanoLock Security

NanoLock Security is a global leader in OT cybersecurity and management solutions for industrial manufacturing and critical infrastructure. NanoLock provides comprehensive protection of operational technology environments, ensuring the integrity, resilience and security of critical systems and infrastructure.

You May Also Like

Grupo Bimbo Ventures Announces Investment in NanoLock Security

According to the tech giant, it has observed a threat group seeking out vulnerable customer accounts using generative AI, then creating tools to abuse these services.

Source: MAXSHOT.PL via Shutterstock

NEWS BRIEF

Microsoft's Digital Crimes Unit is pursuing legal action to disrupt cybercriminals who create malicious tools that evade the security guardrails and guidelines of generative AI (GenAI) services to create harmful content.

According to an unsealed complaint in the Eastern District of Virginia, though the company goes to great lengths to create and enhance secure AI products and services, cybercriminals continue to innovate their tactics and bypass security measures.

"With this action, we are sending a clear message: the weaponization of our AI technology by online actors will not be tolerated," said Microsoft in a blog post about the lawsuit.

In the court filings that were unsealed on Jan. 13, Microsoft noted that it had "observed a foreign-based threat-actor group develop sophisticated software that exploited exposed customer credentials scraped from public websites."

The group tried to access accounts with generative AI services in order to alter the capabilities of those services, then resold this unlawful access to other malicious actors, providing instructions on how to use the tools to create harmful content.

Since discovering the group's actions, Microsoft has revoked access and enhanced safeguards to mitigate this kind of activity in the future.

As the company continues to seek out proactive measures it can take alongside legal action, it highlights a report, "Protecting the Public From Abusive AI-Generated Content," that provides recommendations for organizations and governments to protect the public from AI-created threats.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Microsoft Cracks Down on Malicious Copilot AI Use

The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw

Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Source: Bits and Splits via Shutterstock

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, on which threat actors are posing as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, where they then include links to fake software downloads that lead to malware, they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors "often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult," Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

**Evasive & Anti-Detection Built Into the Campaign**

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and advanced evasion tactics, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating "the serious risks of exposing your personal information by unknowingly downloading fraudulent software," the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.

Related:Russia Carves Out Commercial Surveillance Success Globally

**Shades of a GitHub Campaign**

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free "Adobe Lightroom Crack" and includes a comment with a link to the software downloader.

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer, which leads to a download of the malicious file that includes infostealing malware from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

"The entry contains a shortened link that redirects to the actual link," the researchers wrote. "One assumption is that they use shortened links to prevent scraping sites from accessing the download link."

The link prompts the user for the actual download link and the zip file's password, presumably because "password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary," they noted.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

**Protect Your Organization From Malware**

As shown by the threat activity, attackers continue to use social engineering tactics to target victims and apply a variety of methods to avoid security defenses, including: using large installer files, password-protected zip files, connections to legitimate websites, and creating copies of files and renaming them to appear benign, the researchers noted.

To defend against these attacks, organizations should "stay updated on current threats and to remain vigilant regarding detection and alert systems," the researchers wrote. "Visibility is important because solely relying on detection can result in many malicious activities going unnoticed."

Employee training, as security experts often note, also goes a long way in ensuring employees don't fall for socially engineered attacks or try to download pirated software.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

The Hellcat ransomware group has stolen roughly 5,000 documents, potentially containing confidential information, from the telecom giant's internal database.

Source: Photo Art Lucas via Alamy Stock Photo

NEWS BRIEF

Telefonica, the multinational telecommunications company headquartered in Madrid, has confirmed that its internal systems were breached by hackers, leading to the theft of more than 236,000 lines of customer data and close to a half-million Jira tickets.

"We have become aware of unauthorized access to an internal ticketing system," Telefonica said in an emailed statement to media. "We are currently investigating the extent of the incident and have taken the necessary steps to block any unauthorized access."

Four threat actors posted an exfiltrated Jira database on the BreachForums Dark Web hacking community last week, claiming that it contains nearly 470,000 lines of internal ticketing data and more than 5,000 PDFs, Word documents, PowerPoints, and other documents.

Three of the four threat actors in question are believed to be a part of the Hellcat ransomware group.

Hudson Rock, a cybersecurity vendor that claims to have spoken with the threat actors, reported that the perpetrators used infostealer malware to compromise roughly 15 Telefonica employees and gain access to the system via their credentials. 

The vendor says that the breach has exposed 24,000 Telefonica employee emails and names as well as the Jira issues. The stolen documents also likely contain other confidential information.

"The data includes summaries of internal Jira issues, which can reveal sensitive operational details, project plans and vulnerabilities within Telefonica's infrastructure," Hudson Rock warned. "This poses a significant risk as it could be used to map out internal workflows and exploit weaknesses."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Telefonica Breach Exposes Jira Tickets, Customer Data

By focusing on vigilant security practices, responsible AI deployment, and alignment with global regulatory standards, the OSS community can make 2025 a transformative year for security.

Source: Wavebreakmedia Ltd FUS1407 via Alamy Stock Photo

COMMENTARY

As we move into 2025, open source software (OSS) remains central to digital innovation across industries. However, its widespread adoption brings heightened security challenges and evolving regulatory demands. In the coming year, we expect a rise in targeted OSS supply chain attacks, a greater reliance on AI in cybersecurity — with both positive and negative implications — and a stronger push for global regulatory standards promoting responsible OSS practices.

**Growing Threats in the Open Source Supply Chain**

Following incidents like the XZ Utils backdoor, OSS supply chain attacks are expected to increase in frequency and sophistication. These attacks will likely prompt a heightened sense of urgency within organizations as they realize that a single security scan is insufficient. Moving forward, implementing proactive, continuous monitoring and adopting advanced tools will be essential to identifying threats before they can cause damage.

Understanding the growing importance of OSS security, the Open Source Security Foundation (OpenSSF) has taken steps to address these security challenges. As threats evolve, organizations will increasingly rely on resources like OpenSSF's SIREN mailing list, which notifies the OSS community about emerging threats, and the Open Source Vulnerabilities project, which helps identify malicious packages and other vulnerabilities. Tools such as Scorecard and GUAC provide visibility into project dependencies, helping developers assess risk within their OSS components. As the supply chain threat landscape intensifies, adopting these tools as standard practice will be important for any organization that relies on OSS.

**AI as a Double-Edged Sword in Cybersecurity**

AI will continue transforming cybersecurity in 2025, acting as a powerful ally for defenders and a dangerous weapon for attackers. On the one hand, AI integrated into automated tools and continuous integration and continuous delivery(CI/CD) pipelines will help organizations identify coding flaws and vulnerabilities more efficiently. Security teams will also increasingly rely on AI to analyze vast data volumes and detect unusual patterns in real time.

However, attackers will use AI to enhance their tactics, such as refining social engineering techniques or automating the search for vulnerabilities within codebases. Additionally, they will exploit flaws in AI-generated code for malicious purposes. This double-edged sword with AI highlights the urgent need for robust safeguards and security-focused innovation to harness AI's benefits while mitigating its risks.

**A Global Regulatory Push for Open Source Compliance**

The regulatory landscape surrounding OSS security will shift in 2025 as the European Union's Cyber Resilience Act (CRA) takes effect. By requiring software bills of materials (SBOM) and setting compliance standards, the CRA is expected to establish a global precedent, influencing nations like Japan, India, and the US to adopt similar legislation.

This regulatory shift will likely push more organizations to reassess their OSS practices, prioritizing transparency and accountability. As compliance pressures mount, companies will increasingly contribute to the open source projects they depend on, recognizing that supporting the OSS community bolsters the security and resilience of their digital ecosystems. This collaboration will enhance security and foster sustainable growth in the OSS landscape.

**Opportunities and Strategies for Open Source Security**

While these trends present clear challenges, companies can proactively strengthen OSS security. Businesses need to understand their dependencies and implement proactive measures to secure OSS components. Simple measures — such as supporting the developers behind critical open source projects and investing in secure infrastructure — can make a significant impact.

Most OSS developers are highly skilled but may lack specialized training in cybersecurity practices. OpenSSF aims to bridge this gap by offering tools and training that help embed security into the development process. Companies that adopt OSS due diligence, such as reviewing a project's security practices before integrating it, are better positioned to avoid vulnerabilities and maintain a secure infrastructure.

**Looking Ahead: A Collaborative Approach to Open Source Security**

OSS has grown beyond a convenient tool for developers — it is now a critical component of the global economy, valued in the trillions of dollars. While it will remain a driving force for technological progress, security must be a priority. Companies, governments, and the OSS community must work together to ensure a sustainable, secure, open source ecosystem.

Focusing on vigilant security practices, responsible AI deployment, and alignment with global regulatory standards, the OSS community can make 2025 a transformative year for security. By prioritizing collaboration and investment in security initiatives, we can build a resilient open source future in which OSS continues to power innovation safely and sustainably.

**About the Author**

Chief Security Architect, Open Source Security Foundation

Christopher Robinson (aka CRob) is the chief security architect for the Open Source Software Foundation (OpenSSF). With more than 25 years of experience in engineering and leadership, he has worked with Fortune 500 companies in industries like finance, healthcare, and manufacturing, and spent six years as program architect for Red Hat’s product security team.

Source

DARKReading