The malware, operated by China-backed cyberattackers, has been significantly fortified with new evasive and post-infection capabilities.

Source: Antony Cooper via Alamy Stock Photo

An unknown attacker is wielding an updated version of a backdoor malware that was previously deployed against high-profile Southeast Asian organizations in targeted attacks, this time against ISPs and governmental entities in the Middle East.

Researchers at Kaspersky have detected a new variant of the EagerBee backdoor outfitted with various new components in attacks that demonstrate a significant evolution of the malware framework, they revealed in a blog post published today.

EagerBee is primarily designed to operate in memory to enhance its stealth capabilities and help it evade detection by traditional endpoint security solutions, according to Kaspersky. It's also unique in that it obscures its command shell activities by injecting malicious code into legitimate processes that are executed within the context of explorer.exe or the targeted user's session.

"These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze," Kaspersky senior security researcher Saurabh Sharma wrote in the post.

A previous variant of the malware was seen in attacks by a a trio of Chinese state-aligned threat clusters, which previously collaborated in Operation Crimson Palace to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.

Related:Deepfakes, Quantum Attacks Loom Over APAC in 2025

The latest version of EagerBee that was used in the Middle East attacks features several new advanced features, including a novel service injector designed to inject the backdoor into a running service, and a slew of previously undocumented plug-ins that can be deployed after the backdoor's installation.

"These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells, and more," Sharma wrote.

**Who Are the Cyberattackers Behind EagerBee?**

Previous researchers had attributed EagerBee to Chinese threat group Iron Tiger (aka Emissary Panda or APT27), one of numerous groups that often collaborate with other China-backed state-sponsored actors; that tends to make specific attribution of both attacks and malware murky.

Case in point: Kaspersky's latest analysis of the backdoor deployed in the Middle East attributes EagerBee to a different Chinese actor, CoughingDown. That's because there was a creation of services on the same day via the same Web shell to execute EagerBee and the CoughingDown Core Module in one of the attacks researchers analyzed, according to Sharma. Moreover, the researchers observed overlap in the command-and-control (C2) domain used both by EagerBee and the CoughingDown Core Module in the attack.

Related:Middle East Cyberwar Rages On, With No End in Sight

Further evidence discovered in the Middle East attacks linking EagerBee to CoughingDown includes code overlap in a malicious DLL file used in the attack with a multiplug-in malware developed by CoughingDown in late September 2020, according to Sharma. "We assess with medium confidence that the EagerBee backdoor is related to the CoughingDown threat group," he wrote.

**EagerBee Backdoor Malware's Advanced Features**

The Kaspersky team identified key new plug-in features of EagerBee that are all run by a plug-in orchestrator module to execute commands that perform various malicious activities.

The orchestrator exports a single method responsible for injecting the module into memory and subsequently calling its entry point. In addition to victim-specific data collected by the malware, this plug-in gathers and reports various other information — such as current usage of physical and virtual memory, system locale and time-zone settings, and Windows character encoding — about the infected system to the C2 server.

After transmitting this information, the plug-in orchestrator also reports whether the current process has elevated privileges and then collects details about all running processes on the system. Once the information is sent, the plug-in orchestrator waits for commands to execute, which are carried out by the various backdoor plug-ins.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

These include a file manager plug-in that is responsible for, among other things, renaming, moving, copying, and deleting files; reading and writing files to and from the system; and injecting additional payloads into memory. Another process manager plug-in lists running processes in the system; launches new modules and executes command lines; and terminates existing processes.

Two other plug-ins found in the novel variant include a remote access manager that facilitates and maintains remote connections while also providing command shell access, and a service manager that manages system services, including installing, starting, stopping, deleting, and listing them.

**Malware Sophistication Demands Cyber Defender Vigilance**

Despite links to CoughingDown, Kaspersky researchers could not determine the initial infection vector for the deployment of EagerBee.

In the previous attacks using the backdoor in Asia, attackers leveraged the now infamous Exchange ProxyLogon flaw as the initial entry point; however, there is no evidence of this in the attacks here, according to Kaspersky. However, the researchers still recommend that defenders promptly patch ProxyLogon to secure their network perimeter, as it "remains a popular exploit method among attackers to gain unauthorized access to Exchange servers," Sharma noted.

Overall, the emergence of a fortified variant of EagerBee in attacks in the Middle East demonstrates how attackers continue to advance malware frameworks in terms of both ability to evade detection and the sheer breadth of malicious functionality they can achieve, demanding that organizations also up their security game, he said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

New security regulations are more than compliance hurdles — they're opportunities to build better products, restore trust, and lead the next chapter of innovation.

Source: Panom Bounak via Alamy Stock Photo

COMMENTARY

The regulatory clock is ticking on the Internet of Things (IoT). In October, European lawmakers officially adopted the Cyber Resilience Act, ushering in much-needed security thresholds for connected devices across the region. Meanwhile, United Kingdom makers are already navigating world-first device security and privacy rules, and the United States is preparing to launch its Cyber Trust Mark.

It's about time. For too long, default passwords and weak authentication practices were accepted as the status quo in connected devices, wreaking post-pandemic botnet and hacker havoc. But now, amid the rapid rise of endpoints powering the smart home and office, governments are finally taking a stand and setting standards.

For manufacturers, this regulatory reckoning is unavoidable across the world's most lucrative markets, forcing them to get up to code or fall behind. What's clear is the sooner companies evolve, the better the outcome for troubleshooting, performance, and users. Let's explore the urgency and opportunity for connected device creators heading into 2025.

**Profits Over Protection**

Device makers haven't done themselves any favors over the past few years. Many are cutting corners and abandoning cybersecurity cornerstones in a race to the lowest price. Default passwords, non-existent software updates, and zero vulnerability testing are creating bigger attack vectors ripe for exploitation. Botnets, for example, are booming, with botnet-driven distributed denial-of-service (DDoS) devices increasing by five times in the past year. Even more concerning? Device numbers will double over the next 10 years, to more than 40 billion worldwide, quadrupling the pre-pandemic figure. Something's got to give, and governments know it.

Europe, in the footsteps of the General Data Protection Regulation (GDPR), is again leading the tech regulation charge. The Cyber Resilience Act is the most comprehensive suite of coming changes, with an obligation for manufacturers to protect their Internet-connected products from unauthorized access throughout their life cycle. This demands products without known exploitable vulnerabilities — a tall order requiring design, development, and production that ensures an appropriate security level at all times.

Meanwhile, the UK's Product Security and Telecommunications Infrastructure Act tackles many of the same themes but with a lower bar to clear. Passed in April, the act requires minimum security update periods (rather than lifetime) and mandatory security issue reporting back to consumers. The best part of this act is the ruling on passwords — devices must either have a randomized password or generate a unique one during initialization. This is a great step that goes a long way to stopping hackers from accessing smart devices, infecting local networks, and creating botnets.

Finally, the US is betting on market forces. The Cyber Trust Mark, similar to Energy Star, offers voluntary certification for products meeting "robust" security standards. The hope? Consumer choice will drive industry change. One thing is evident across markets: Governments are taking this threat seriously and acting accordingly. It's now up to makers to meet the moment and move in kind.

**Move Now or Move Aside**

My advice to connected device makers? Prepare now. If you want access to the world's largest markets (and I suspect you do), there's only a short window to get up to code. Sure, Europe's act is now in a three-year transition before taking full effect, but getting this right demands investment, time, and troubleshooting. These are big hurdles, and 2027 isn't far away.

This is something we learned from the GDPR. The new rules didn't just require writing a report — they demanded system adjustments and subsequent costs. On average, firms spent more than €1 million ($1.06 million) on readiness initiatives, but justified the investment by retaining access to the bloc and avoiding business-threatening fines (not to mention better protecting consumer data).

So, what does this say to device makers? Simple — start getting up to standard now with best practice authentication, encryption, and communication. Make sure security updates are part of your product planning, reconsider your approach to passwords, and implement consistent testing, patching, and reporting. Yes, this takes valuable resources, but the payoff is clear — better products, stronger security, and lasting consumer trust.

**This Is Beyond Compliance**

I'm relieved to see these regulations come into force. Device makers have lacked respect for their creations, consumers, and — frankly — themselves for several years. The rise of cheap and lazy products isn't an accurate reflection of IoT ingenuity. Sincerely, I hope these regulations weed out the bad apples, set an acceptable bar of baseline requirements, and give confidence back to consumers and enterprises.

Device makers, it's now up to you. Don't just treat these new regulations as mere compliance hurdles, but seize them as opportunities to build better products, restore trust, and lead the next chapter of our sector's innovation.

**About the Author**

CEO & Founder, Nabto

Carsten Rhod Gregersen is an IoT expert with more than two decades in software and innovation. Carsten is the founder of Nabto, the platform providing peer-to-peer communications for connected devices. His areas of expertise span critical domains including cybersecurity, technology regulation, and the impact of IoT.

IoT's Regulatory Reckoning Is Overdue

In just two years, LLMs have become standard for developers — and non-developers — to generate code, but companies still need to improve security processes to reduce software vulnerabilities.

Source: TippaPatt via Shutterstock

The use of large language models (LLMs) for code generation surged in 2024, with a vast majority of developers using OpenAI's ChatGPT, GitHub Copilot, Google Gemini, or JetBrains AI Assistant to help them code.

However, the security of the generated code — and developers' trust in that code — continues to lag. In September, a group of academic researchers found more than 5% of the code generated by commercial models and nearly 22% of the code generated by open source models contained package names that do not exist. And in November, a study of the code generated by five different popular artificial intelligence (AI) models found that at least 48% of the generated code snippets contained vulnerabilities.

While code-generating AI tools are accelerating development, companies need to adapt secure coding practices to keep up, says Ryan Salva, senior director of product and lead for developer tools and productivity at Google.

"I am deeply convinced that, as we adopt these tools, we can't just keep doing things the exact same way, and we certainly can't trust that the models will always give us the right answer," he says. "It absolutely has to be paired with good, critical human judgment every step of the way."

One significant risk is hallucinations by code-generating AI systems, which — if accepted by the software developer — result in vulnerabilities and defects, with 60% of IT leaders describing the impact of AI-coding errors as very or extremely significant, according to the "State of Enterprise Open-Source AI" report published by developer-tools maker Anaconda.

Companies need to make sure that AI is augmenting developers' efforts, not supplanting them, says Peter Wang, chief AI and innovation officer and co-founder at Anaconda.

"Users of these code-generation AI tools have to be really careful in vetting code before implementation," he says. "Using these tools is one way malicious code can slip in, and the stakes are incredibly high."

**Developers Pursue Efficiency Gains**

Nearly three-quarters of developers (73%) working on open source projects use AI tools for coding and documentation, according to GitHub's 2024 Open Source Survey, while a second GitHub survey of 2,000 developers in the US, Brazil, Germany, and India found that 97% had used AI coding tools to some degree.

The result is a significant increase in code volume. About a quarter of code produced within Google is generated by AI systems, according to Google's Salva. Developers who use GitHub regularly and GitHub Copilot are more active as well, producing 12% to 15% more code, according the company's Octoverse 2024 report.

Overall, developers like the increased efficiency, with about half of developers (49%) finding that they save at least two hours a week due to their use of AI tools, according to the annual "State of Developer Ecosystem Report" published by software tools maker JetBrains.

In the push to get developer tools into the market, AI firms chose versatility over precision, but those will evolve over the coming year, says Vladislav Tankov, director of AI at JetBrains.

"Before the rise of LLMs, fine-tuned and specialized models dominated the market," he says. "LLMs introduced versatility, making anything you want just one prompt away, but often at the expense of precision. We foresee a new generation of specialized models that combine versatility with accuracy."

In October, JetBrains launched Mellum, an LLM specialized in code-generation tasks. The company trained the model in several phases, Tankov says, starting with a "general understanding and progressing to increasingly specialized coding tasks. This way, it retains a general understanding of the broader context, while excelling in its key function."

As part of its efforts, JetBrains has feedback mechanisms to reduce the likelihood of vulnerable code suggestions and extra filtering and analysis steps for AI-generated code, he says.

**Security Remains a Concern**

Overall, developers appear to increasingly trust the code generated by popular LLMs. While the majority of developers (59%) have security concerns with using AI-generated code, according to the JetBrains report, more than three-quarters (76%) believe that AI-powered coding tools produce more secure code than humans.

The AI tools can help accelerate development of secure code, as long as developers know how to use the tools safely, Anaconda's Wang says. He estimates that AI tools can as much as double developer productivity, while producing errors 10% to 30% of the time.

Senior developers should use code-generating AI tools as "a very talented intern, knocking out a lot of the rote grunt work before passing it on for refinement and confirmation," he says. "For junior developers, it can reduce the time required to research and learn from various tutorials. Where junior developers need to be careful is with using code-generation AI to pull from sources or draft code they don't understand."

Yet AI is also helping to fix the problem as well.

GitHub's Wales points to tools like the service's Copilot Autofix as a way that AI can augment the creation of secure code. Developers using Autofix tend to fix vulnerabilities in their code more than three times faster than those who do so manually, according to GitHub.

"We've seen improvements in remediation rates since making the tool available to open source developers for free, from nearly 50% to nearly 100% using Copilot Autofix," Wales says.

And the tools are getting better. For the past few years, AI providers have seen code-suggestion acceptance rates increase by about 5% per year, but they have largely plateaued at an unimpressive 35%, says Google's Salva.

"The reason for that is that these tools have largely been grounded in the context that's surrounding the cursor, and that's in the \[integrated development environment (IDE)\] alone, and so they basically just take context from a little bit before and a little bit after the cursor," he says. "By expanding the context beyond the IDE, that's what tends to get us the next significant step in improving the quality of the response."

**Discrete AIs for Developers' Pipelines**

AI assistants are already specializing, targeting different aspects of the development pipeline. While developers continue to use AI tools integrated into their development environments and standalone tools, such as ChatGPT and Google's Gemini, development teams will likely need specialists to effectively produce secure code.

"The good news is that the advent of AI is already reshaping how we think about and approach cybersecurity," says GitHub's Wales. "2025 will be the era of the AI engineer, and we'll see the composition of security teams start to alter."

As attackers become more familiar with code-generation tools, attacks that attempt to leverage the tools may become more prevalent as well, says JetBrains' Tankov.

"Security will become even more pressing as agents generate larger volumes of code, some potentially bypassing thorough human review," he says. "These agents will also require execution environments where they make decisions, introducing new attack vectors — targeting the coding agents themselves rather than developers."

As AI code-generation becomes the de facto standard in 2025, developers will need to be more cognizant of how they can check for vulnerable code and ensure their AI tools are prioritizing security.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Will AI Code Generators Overcome Their Insecurities This Year?

Weeks after the critical vulnerability was reported and a hacking of the Treasury Department, nearly 9,000 BeyondTrust instances remain wide open to the Internet, researchers say.

Source: artpartner-images.com via Alamy Stock Photo

A remarkable number of BeyondTrust instances remain connected to the Internet, despite dire warnings Chinese state-sponsored threat actors are actively exploiting a critical vulnerability in unpatched systems.

The BeyondTrust bug, tracked under CVE-2024-12356, has an assigned CVSS score of 9.8 and affects Privileged Remote Access (PRA) and Remote Support (RS). It was first reported by BeyondTrust on Dec. 16, 2024. Three days later, the vulnerability was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities list. By the end of the month, a Chinese state-sponsored hacker group had used the flaw to break into the US Department of the Treasury and steal data.

New analysis from Censys has found that despite highly publicized evidence of a widespread advanced persistent threat (APT) campaign against unpatched systems, there are 8,602 instances of BeyondTrust PRA and RS still connected to the Internet, 72% of which are in the US. But Censys added a big caveat to the research — there is no way for them to know whether the exposed instances have been patched or not.

It is unknown what portion of these open instances remain unpatched. BeyondTrust says all self-hosted instances have been force updated, however the company did not confirm when asked if that meant these open instances were indeed patched. A sizable portion, if not all, of these systems are self-hosted BeyondTrust deployments that have been left open to the Internet, and also potentially vulnerable, experts say.

Censys has not responded to a request for clarification.

**Self-Hosted BeyondTrust Deployments Likely Behind the Lag**

"If this data is correct, it reflects the age-old tradeoff in software service operating philosophies and licensing models," Bugcrowd CISO Trey Ford says. "Hosted services will have scale economies supporting both detection/response efforts, as well as centralized patching and hardening."

Ford adds organizations can see a cost savings on licensing with self-hosted software-as-a-service (SaaS) models, but what they miss out on in turn is critical threat intelligence and remediation help.

"Customers own patching, hardening, and building monitoring capabilities — you're effectively operating on an island by yourself," Ford explains. "Service providers charge a slight premium to provide the patching, hardening, and monitoring — at scale — where the rising tide of operational efficiency protects all customers."

BeyondTrust cloud customers were automatically patched Dec. 16, 2024, as soon as the vulnerability was reported.

"Customers using centralized services will see prioritized, and nearly immediate, patch deployment during incident response cycles," Ford says. "The systems observed online by the Censys report with lagging patch deployment is the delay in patch discovery, testing, and patch deployment."

Self-hosted deployments that can't be patched, for whatever reason, can still protect vulnerable BeyondTrust remote tools, according to John Bambenek, cybersecurity expert and president, Bambenek Consulting.

"In situations like this, even if patching cannot be done, organizations can still limit inbound connectivity to these systems to trusted IP addresses only," he says. "Organizations know who is remotely supporting them, \[so\] they can easily lock down those IP addresses."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Thousands of Buggy BeyondTrust Systems Remain Exposed

Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.

Source: MedStockPhotos via Alamy Stock Photo

An unmitigated revamp of healthcare cybersecurity is coming in 2025, and experts warn that the compliance burden for organizations will be steep.

Since 2005, healthcare organizations have been subject to Security Standards for the Protection of Electronic Protected Health Information ("Security Rule") under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a set of national standards designed to protect electronic protected health information (ePHI). But while threats to ePHI have risen year after year, the Security Rule has remained staid, last updated in January 2013.

Last week, the US Department of Health and Human Services (HHS), via its Office for Civil Rights (OCR), proposed a long-awaited update to the Security Rule. The 400-page working draft is as serious as its length would suggest, with extensive new requirements for providers, plans, clearinghouses, and their business associates. And while the requirements are all standard best practices, experts point out that this new update is more significant and less flexible than any previous version of HIPAA has been.

**Multifactor Authentication, Encryption & Risk**

Since the beginning, HIPAA has always been the best, yet insufficient, regulation dictating cybersecurity for the healthcare industry.

"\[There's\] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s," says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). "At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records."

HIPAA's focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. "It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we've seen what happens in an environment that's not properly secured, not properly tied down, not properly backed up, when they're hit by ransomware," Weiss says.

HHS highlighted this same point in a statement released alongside the draft Security Rule. From 2018 to 2023, it reported, large-scale healthcare breaches rose 102%, and the individuals affected rose 1,002%, primarily thanks to ransomware. 2023 set a new record, with more than 167 million individuals affected.

The newly proposed Security Rule aims to fix things up, with a laundry list of new requirements that touch on patch management, access controls, multifactor authentication (MFA), encryption, backup and recovery, incident reporting, risk assessments, compliance audits, and more.

As Lawrence Pingree, vice president at Dispersive, acknowledges, "People have a love-hate relationship with regulations. But there's a lot of good that comes from HIPAA becoming a lot more prescriptive. Whenever you are more specific about the security controls that they must apply, the better off you are."

**HIPAA Grows Teeth**

Pingree recalls how "HIPAA, for a long time, had a kind of wide-angle lens. 'Thou shalt protect your data.' And, frankly, those nebulous rules mean that you get lots of different, varying interpretations."

Historically, in fact, this has been HIPAA's great downfall.

It's just about impossible to impose universally effective cybersecurity rules on an entire industry. Smaller and larger organizations have different needs and different capabilities — and budgets. The threat landscape is constantly changing, so rules designed today may prove obsolete tomorrow. To account for this inevitability, the original HIPAA Security Rule included its provision 164.306, which drew a distinction between "addressable" and "required" rules. For addressable rules, organizations could "assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information," according to HIPAA. An organization might decide that a rule was not appropriate or reasonable in its case due to the specifics of its infrastructure, its size or capabilities, the costs of implementing any given security measure, etc.

Joseph J. Lazzarotti, principal at Jackson Lewis P.C., says provision 164.306 allowed for the kind of flexibility businesses always ask for: "That we're not expecting the same thing from every solo practitioner on Main Street in the Midwest versus the large hospital on the East Coast. There are obviously going to be different expectations for compliance."

But some healthcare organizations exploited this legal flexibility to avoid having to invest in more security defenses. "We are concerned that some regulated entities proceed as if compliance with an addressable implementation specification is optional," HHS wrote in its latest proposal. "That interpretation is incorrect and weakens the cybersecurity posture of regulated entities."

The new Security Rule would eliminate the required-addressable distinction, forcing all regulated organizations to comply with the same rules, regardless of circumstance.

**New Costs for Data Health With HIPAA**

This newer, stricter Security Rule would force major hospitals on the East Coast and solo practitioners in the Midwest alike to implement a lot of new cybersecurity measures, and it won't be cheap. According to a Dec. 27 press briefing from Anne Neuberger, deputy national security adviser for cyber and emerging technology, the White House estimates that implementation costs will run around $9 billion in the first year following the rule change, then another $6 billion in years two through five.

The Health-ISAC's Weiss worries that isn't realistic for many healthcare organizations. "When you look at these organizations, many are, at best, operating on thin profit margins as it is," he says. "Many of them are in the red, and can't afford stuff like this."

"Even if they're already following all the NIST controls," Dispersive's Pingree estimates, implementing the new HIPAA security rules "could cost as low as $100,000 for a small doctor's office, or it could be many millions if you're a big medical group."

One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because "it's not just about buying the technology. It's also about recruiting and retaining the cybersecurity expertise that you need to run," he says.

"These organizations don't know where to start," he continues. "The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

New HIPAA Cybersecurity Rules Pull No Punches

Integrity Technology Group was found complicit with Flax Typhoon as part of a broader Chinese strategy to infiltrate the IT systems of US critical infrastructure.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

The US Department of Treasury has sanctioned China-based cybersecurity company Integrity Technology Group Inc. for its role in computer-intrusion incidents against US victims attributed to Chinese state-sponsored Flax Typhoon. The malicious actor has been active since at least 2021 and has targeted organizations in US critical infrastructure sectors.

In tandem, the Treasury Department earlier this week alerted lawmakers of a breach in its own systems through third-party cybersecurity vendor BeyondTrust, allowing Chinese state-backed threat actors to steal data from workstations.

And previously, Salt Typhoon, another Chinese APT, targeted T-Mobile USA in its widescale cyber-espionage operation, aiming to steal sensitive information from a variety of telecommunications companies.

"The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions," Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith, said in a statement. "The United States will use all available tools to disrupt these threats as we continue working collaboratively to harden public and private sector cyber defenses."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Treasury Dept. Sanctions Chinese Tech Vendor for Complicity

The proposed settlement would amount to roughly $20 per Apple product that has Siri enabled, for each plaintiff.

Source: Bjanka Kadic via Alamy Stock Photo

NEWS BRIEF

Apple has agreed to pay a $95 million cash settlement to wrap up a proposed class action lawsuit, Lopez v. Apple, Inc., involving mobile device owners reporting that the tech company has routinely recorded conversations after unintentionally activating Siri.

The class action lawsuit period spans from Sept. 17, 2014, to Dec. 31 of last year, the time period Apple was implementing the "Hey, Siri" feature, which the plaintiffs allege made unauthorized recordings.

Two of the plaintiffs note of their personal issues with the feature, stating that by mentioning things such as Air Jordan sneakers and Olive Garden restaurants, ads were then triggered for these products. Another plaintiff began receiving ads for a surgical procedure they had only privately discussed with their health provider.

The plaintiffs may seek up to $28.5 million in fees as well as $1.1 million for expenses in this case. The members of the suit, estimated to be in the tens of millions, would likely receive up to $20 per Siri-enabled Apple device, should the settlement be agreed upon.

In agreeing to settle, however, Apple has denied any wrongdoing on its part.

This preliminary settlement was filed just this Tuesday and will require approval from US District Judge Jeffrey White before any steps forward can be taken.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Offers $95M to Settle Siri Privacy Lawsuit

The growing complexity of cyber threats, paired with limited resources, makes it essential for companies to adopt a more comprehensive approach that combines human vigilance with AI's capabilities.

COMMENTARY

As cybersecurity threats continue to surge, it has become crucial for small businesses to adopt proactive strategies to ensure they are protected. While artificial intelligence (AI) is starting to provide value to security organizations, it also has enabled more sophisticated attacks, leaving too much room for hackers to slip through.

The very nature of our workplaces is intensifying the cybersecurity challenges small businesses face, with remote and hybrid work models still popular, despite the push for a return to office. This massive increase in remote work has created a broader attack surface that's difficult to manage for businesses when they are already lacking time and resources. Accenture's Cybercrime Study revealed that nearly 43% of cyberattacks are on small businesses, and 95% of them can be attributed to human error. These businesses agree, as 60% of small-business owners said in the US Chamber of Commerce's Q1 2024 Small Business Index that they are concerned about cybersecurity threats.

Employees now operate in a space where their activities are less regulated, making cybersecurity vigilance more crucial than ever. Companies must not only implement robust security measures but also empower their teams to recognize potential threats. One significant risk comes from the allure of public Wi-Fi networks — incredibly convenient but fraught with danger, especially as "work from home" can also be "work from anywhere." These networks can easily be mimicked by malicious actors eager to intercept sensitive data.

As workers navigate this new environment, a blend of proactive security measures and individual awareness becomes essential for safeguarding both personal and organizational information.

Here are two of the most common cybersecurity myths or misconceptions business owners will encounter, and how they can avoid falling into these traps:

*   Myth No. 1: Antivirus software is enough. Many small businesses are relying on antivirus software alone to protect against cyber threats. This is not an effective long-term solution. Modern security threats, especially social engineering attacks, demand more robust defenses, such as multifactor authentication (MFA) and ongoing employee education to withstand these threats.
    

*   Myth No. 2: Your business is immune to threats because of size or location. Small businesses should never assume they are immune due to their size or location. Fostering a culture of cybersecurity awareness among employees is vital, despite the size or capacity of your small business. When individual employees are armed with the right knowledge and they recognize that cybersecurity is a collective responsibility, simple actions like reporting suspicious activities and ensuring devices are securely managed can significantly mitigate the risk of breaches.
    

**Strategies for Small Businesses**

AI needs to be used as a supplement, not a replacement for human analysis and decision-making. Small businesses should identify and prioritize their most critical functions and software. AI can process vast amounts of data and improve efficiency, but it still requires human oversight. Small businesses, which often lack dedicated information security teams, need to adopt proactive strategies to protect themselves.

While small businesses may lack the resources needed for complex simulations, they can use checklists and resources provided by local or federal cybersecurity agencies to evaluate their preparedness and make sure they are covering all of their bases. Leveraging resources that are readily available can give small businesses the additional support they need in a time where threats have become unmanageable.

**Maintaining Customer Trust**

Small businesses often depend on third-party providers for critical services like payment processing, payroll, customer support, and more. Again, because their resources are limited, it's vital for them to verify that the providers they choose uphold stringent security standards, such as PCI certification, to protect both their operations and their customers. In that same vein, these businesses need to communicate clearly with customers about how their data is being protected by these third-party platforms. As much as people don't want to hear it, reading and understanding terms of service and data privacy policies is essential and will show customers your commitment to securing their data.

The workplace will continue to see growing use of AI, and small businesses that adopt these solutions need to ensure customer data is protected. According to Pipedrive's 2024 "State of AI in Business Report," knowledge and trust are the main blockers in AI adoption, with 48% citing a lack of knowledge as the main blocker to adoption, followed by lack of trust (40%). When there is already a lack of trust in AI solutions, it makes it even more important that small businesses prioritize gaining the trust of their customers when using AI to enhance their offerings.

AI offers valuable tools to enhance cybersecurity, but small businesses cannot afford to rely on it as a standalone solution. The growing complexity of cyber threats, paired with limited resources, makes it essential for companies to adopt a more comprehensive approach that combines human vigilance with AI's capabilities. Building a culture of cybersecurity awareness among employees, ensuring the use of advanced security measures like multifactor authentication, and fostering transparent communication with customers about data protection are all critical steps. As businesses navigate an increasingly digital landscape, their long-term success will depend on how well they can balance technological solutions with human insight and proactive planning.

**About the Author**

CISO, Pipedrive

John Mutuski is chief information security officer (CISO) at Pipedrive, the easy and effective sales CRM for small businesses. Mutuski is responsible for developing and leading the information security program, managing technology risk, driving cybersecurity operations, and implementing and managing the cyber governance, risk, and compliance (GRC) process.

With over 20 years of experience spanning both agile startups and large global enterprises, he has consistently demonstrated a unique blend of strategic leadership and technical expertise. His career is marked by a deep commitment to continuous learning, always embracing the unfamiliar and turning challenges into opportunities for growth. His passion for building diverse, cross-functional teams has allowed him to foster innovation and resilience in the face of rapidly evolving security threats. As a collaborative leader, he actively seeks out new experiences and relationships, enabling him to stay at the forefront of cybersecurity trends and deliver impactful, long-term solutions.

Why Small Businesses Can't Rely Solely on AI to Combat Threats

The Christmas Eve compromise of data-security firm Cyberhaven's Chrome extension spotlights the challenges in shoring up third-party software supply chains.

Source: Tada Images via Shutterstock

On Christmas Eve, developers at data detection and response firm Cyberhaven received a troubling email that seemed to come from Google, threatening to remove access to the company's Chrome extension for violation of excessive metadata.

One employee clicked on the "Go To Policy" link, they were taken to Google's authorization application for adding privileges to a third-party application — in this case, a seemingly innocuous application named "Privacy Policy Extension" — and granted the software rights to see, edit, update, and publish to the Chrome Web Store. Once granted access, however, the attacker quickly uploaded a new Chrome extension modifying Cyberhaven's browser add-on to exfiltrate Facebook access tokens saved in the browser and install a mouse-click listener to possibly bypass captchas, according to a preliminary analysis of the breach by the firm's engineering team.

The malicious Chrome extension was only active for about a day before discovery, Howard Ting, CEO of Cyberhaven said in a statement.

"For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites," he said. "While the investigation is ongoing, our initial findings show the attacker was targeting logins to specific social media advertising and AI platforms."

Cyberhaven is not alone, but rather appears to be one of the first victims to detect the attack. So far, 36 different extensions — used by as many as 2.6 million people — appear to be linked in some way to the attack, the techniques, or to the infrastructure used by the attackers, according to an analysis by John Tuckner, founder of Secure Annex, a browser-extension management service. Until Cyberhaven detected the attack on its Chrome extensions, developers at other companies and independent programmers largely failed to detect similar compromises using the supply-chain attack.

**Attackers Focus on Supply Chain**

The attacks underscore the problems that companies have in securing their software supply chains. Most companies do not have visibility into much of the software — and cloud services replacing some software — that their employees are using on a daily basis, says Jaime Blasco, chief technology officer and cofounder at Nudge Security, a cloud application security service provider.

"Modern shadow IT is not just software," he says. "Every SaaS application that your employees are using, they grant access to tons of resources that no one knows about — that includes Chrome extensions and extensions in your IDEs. There's a lot of new attack surface that people are not paying attention to in the SaaS ecosystem."

Many companies do not pay attention to the potential for compromise through plug-ins that extend software applications, such as the Chrome browser and its extensions.

Yet, despite Google's updated security and privacy standards for Google Chrome extensions, attackers and researchers continue to find ways to inject malicious code into victims' browsers through the extension ecosystem. In 2021, for example, Google removed a Chrome extension that helped users shut down old tabs and their processes, after a cybercriminal group bought the extension from the original developer and used it to install malicious code on the systems of its approximately 2 million users. University researchers have also found ways to circumvent Google's security process to publish malicious Chrome extensions to the Chrome Web Store.

Overall, hundreds of millions of Chrome users have security-noteworthy extensions (SNEs) — those that contain malware, a vulnerability, or violate Google's policies — installed in their browsers, according to one study published Stanford University researchers.

**Gaining Access Rights Through Social Engineering**

In the case of the developer phishing campaigns, attackers are collecting developer email addresses from the information published on the Chrome Web Store, sending phishing attacks aimed at those developers, and then compromising the code of any developers who fall prey to the attacks.

The attack does not need to steal a developer's credentials, but just convince the developer to grant the necessary permissions, says Secure Annex's Tuckner.

"The OAuth phishing attack used \[by the attacker\] is very scary and even worked around Cyberhaven's implementation of Advanced Protection, one of the most sophisticated authentication systems," he says. "I think developers need to be aware that an email address will be tied to the Chrome web store publicly and will be used as a primary method of contact, increasing its exposure."

Because attackers can layer a number of privileges into a single OAuth permissions request, quite a few suspicious behaviors can be stacked on top of each other in a single extension, he says.

"There are a handful of extensions that are quite susceptible to compromise, monetization, ownership transfers, and lack of hygiene, which I believe some threat actors have identified," he says. "For many I talk to, managing browser extensions can be a lower priority item in their security program. Folks know they can present a threat, but nothing has ever happened to make them a priority."

**Time to Shore Up Extensions**

In the coming year, Tuckner hopes that will change.

"I hope that the Chrome web store can become more transparent in how it operates before something worse happens," he says, adding: "The suspicious extension reporting process, while likely overwhelmed, is often met with silence, inaction, and no documentation trail."

Any developer with major browser extensions should not rely on the specific store provider to detect the attack, but regularly monitor their software deployments, he recommends. Because compromising an extension requires a new version of the code to be released, a peer-review and approval process for software releases can catch unusual deployments. In addition, developers should have an email security service that detects phishing attacks, separate their general-use emails from their development accounts, and require administrator approval of new access attempts.

For its part, Cyberhaven released a collection of scripts designed to help investigate the extent to which their own machines were impacted by the attack.

"As Cyberhaven assisted our customers in responding to the attack, it became apparent that limited tooling was available to quickly and accurately evaluate the spread of the impact," the company said in a December 31 blog post on the release of the tools, adding that "\[t\]hese scripts search for entries indicating that a malicious extension has exfiltrated data."

Companies should expect attacks using extensions of all sorts — for browsers, for integrated development environments (IDEs), and other extensible software platforms — to increase in the future, says Nudge Security's Blasco.

"Attackers know that companies have spent enough dollars to protect their endpoints," he says. "But, in other places — like SaaS applications and Chrome, for instance — you don't have enough visibility, and there is not enough security controls in place. So this \[Chrome security issue\] is just an evolution of what we are going to see happening more often."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Chrome Extension Compromises Highlight Software Supply Challenges

The changes to the healthcare privacy regulation with technical controls such as network segmentation, multi-factor authentication, and encryption. The changes would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities.

Source: Zoonar GmbH via Alamy Stock Photo

The U.S. Department of Health and Human Services is planning a massive overhaul of the Health Insurance Portability and Accountability Act security rule to strengthen baseline cybersecurity requirements for protecting electronic protected health information (PHI). The proposed amendments, which will be published in the Federal Register on Jan. 6, would require healthcare organizations and other covered entities to implement security controls such as multi-factor authentication and enhanced encryption requirements.

The proposal describes the most substantive changes to HIPAA to date. The security rule was last revised in 2013. The threat landscape is different now than it was over a decade ago, and breaches against healthcare organizations have increased by 102% between 2018 and 2023, the HHS Office  for Civil Rights said in a statement. In 2023, over 167 million people had their health information compromised, a 1,002% increase from 2018.

**Proposed Changes to HIPAA**

The amendments will apply to health plans, healthcare clearinghouses, health providers, healthcare facilities, insurance companies, and business associates.

Everything in Writing: All policies, procedures, plans, and analyses will need to be in writing. This also applies to developing stronger incident response procedures, such as having written incident response plans and testing plans, as well as written procedures to be able to restore information systems and data within 72 hours.

Asset Inventory: Healthcare organizations will need to develop and regular maintain an up-to-date technology asset inventory and network map to track the movement of protected health information (PHI) through the various systems.

Risk Analysis: Healthcare organizations are not all that good at security risk analysis. The proposed changes include more specifics on how to conduct security risk analysis, such as written assessments that include a review of the technology asset inventory and network map, identify all potential threats to PHI, and assess the risk level for each threat and vulnerability.

Implement Security Controls: Healthcare organizations will be required to employ multifactor authentication and network segmentation to make it harder for healthcare systems to be compromised or data breaches. All PHI will need to be encrypted both during rest and in transit, reflecting the consensus that encryption is no longer optional. For systems that process PHI, security teams will need to scan for vulnerabilities every six months, run penetration tests at least once a year, deploy antimalware defenses, and remove extraneous software from systems. These requirements show how these are moving from recommended activities to minimum security baseline every entity must meet.

Organizations will need to conduct a compliance audit at least once every 12 months to ensure these technical controls are in place, and prove the safeguards have been implemented at least once every 12 months via a written certification.

**Next Steps After Comments**

Anne Neuberger, deputy national security adviser for cyber and emerging technology, said during a Dec. 27 press briefing that the changes to the security rule will cost approximately $9 billion in the first year, and $6 billion for years two to five. “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.

Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments (early March 2025). HHS will issue the final version of the rule afterwards, although a specific date has not yet been set followed by a compliance date of 180 days. It is also not clear if the work on the changes to the security rule will continue under the new presidential administration. Even so, healthcare organizations should review proposed requirements and evaluate their existing security programs to prepare for potential changes.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Source

DARKReading