A Chinese threat actor infiltrated several IT and security companies in a bring-your-own VS code, with an eye to carrying out a supply-chain-based espionage attack.

Source: Araki Illustrations via Alamy Stock Photo

Chinese hackers almost breached critical European supply chain companies by disguising their malicious activities behind native Microsoft technologies.

It happened during a three-week period, from late June to July, according to researchers from SentinelLabs. A threat actor tied to China's diverse and thriving cyberattack scene targeted large business-to-business (B2B) IT service providers throughout southern Europe, such as cybersecurity vendors and data and infrastructure solutions providers, with the presumed goal of downstream supply chain espionage.

To penetrate these IT vendors — and, presumably, the many clients across the continent to which they enjoy privileged access — the attackers masked their malicious activity behind everyday business tools like Visual Studio Code and Microsoft Azure. And to confuse attribution, they used the same tactics, techniques, procedures (TTPs), and tooling observed across a number of other known Chinese threat actors.

**Malware via Microsoft**

Infections in the campaign, which researchers dubbed "Operation Digital Eye," began with SQL injections against vulnerable, Internet-facing Web and database servers. Then the attackers dropped PHP Web shells, using filenames specially tailored to the target's environment in order to avoid raising any suspicion. Reconnaissance, lateral movement, and credentials theft followed.

The highlight of the attacks, though, came innocuously packaged as "code.exe." Digitally signed by Microsoft and run as a service using the Windows Service Wrapper, the attackers brought to each of their victims their own portable copy of the Visual Studio Code (VS Code). VS Code is a free, open source editor developed by Microsoft, by far the most popular integrated development environment (IDE) among both new and seasoned developers.

VS Code has also become a proven weapon of Chinese threat actors as of late, thanks to its Remote Tunnels feature. Remote Tunnels is designed to allow developers to access and work on code on remote machines. In a different light, though, it's a perfect malicious payload, enabling command execution and file editing on remote systems in the context of a seemingly innocuous Microsoft program. The attackers behind Operation Digital Eye intended to use VS Code to maintain persistent backdoor access to victims, using innocuous file and service names and storing it in the Temp folder to further blend in with victims' normal business operations.

Tunneling with VS Code isn't quite as simple as loading malware onto a victim's machine, though — it requires a GitHub account and connection with an Azure server. Researchers aren't sure whether the attackers used stolen GitHub and Azure credentials, or registered their own accounts.

What is clear is that they turned this potential roadblock into an advantage, leveraging public cloud infrastructure in Western Europe to make their otherwise suspicious traffic look more legitimate, and more likely to evade notice by security tools. VS Code and Azure network traffic tends to avoid close scrutiny, the researchers noted, and are commonly allowed by application controls and firewall rules. "Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit," they wrote.

**The Trouble in Attributing Chinese Attackers**

The actual malware used in Operation Digital Eye did less to clarify than to confuse who, exactly, was behind the attacks.

The most notable tool in the mix, "bK2o.exe," is a modified version of the open source credential stealing tool Mimikatz, designed for pass-the-hash attacks. Its aim is to snag a New Technology LAN Manager (NTLM) hash, in lieu of the targeted user's actual password, to enable the further execution of processes within the user's security context.

BK2o.exe is just one among many Mimikatz variants deployed by several Chinese advanced persistent threats (APTs). Related variants have been observed in Operations Soft Cell and Tainted Love, associated with groups like APT41 and APT10. Researchers from SentinelLabs concluded that there is likely a shared vendor supplying many groups at once, as evidenced by the recent case of iSoon.

Also common to these many groups, besides their malware, is the intent behind their cyberespionage. In the case of Digital Eye, "Southern Europe's role as a Mediterranean hub intersects with China's Belt and Road Initiative, particularly in infrastructure investments like Greece's Port of Piraeus," notes SentinelLabs principal threat researcher Tom Hegel. "Cyber operations in this area likely support China's efforts to safeguard these investments, gain leverage in energy transit routes, and monitor naval activities critical to global trade and security. Economically, Southern Europe offers access to critical industries such as energy, shipping, aerospace, and agriculture, as well as opportunities for scientific and technological espionage, particularly in aerospace and renewable energy. Politically, the region's challenges provide opportunities for influence, allowing China to exploit economic dependencies, shape public sentiment, and potentially weaken EU and NATO unity."

He concludes that "In targeting Southern Europe, China seeks not only to secure competitive advantages but also to deepen its influence in a region vital to global trade, energy flows, and Western alliances."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Sprawling 'Operation Digital Eye' Attack Targets European IT Orgs

The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.

Source: QINQIE99 via Shutterstock

Microsoft has released fresh guidance to organizations on how to mitigate NTLM relay attacks by default, days after researchers reported finding a NTLM hash disclosure zero-day in all versions of Windows Workstation and Server, from Windows 7 to current Windows 11 versions.

However, it was not immediately clear if the two developments are related or purely coincidental in terms of timing. In any event, the bug, which doesn't yet have a CVE or CVSS score, is not expected to be patched for months.

**Windows NTLM Zero-Day Allows Credential Theft**

Researchers from ACROS Security reported finding a zero-day bug in all supported Windows versions. The bug allows an attacker to grab a user's NTLM credentials simply by getting the user to view a malicious file via the Windows Explorer file management utility.

"Opening a shared folder or USB disk with such file or viewing the Downloads folder where such file was previously automatically downloaded from attacker's Web page" is all it takes for credential compromise, Mitja Kolsek, CEO of ACROS Security wrote in a blog post.

ACROS said it would not release any further information on the bug until Microsoft has a fix for it. But Kolsek tells Dark Reading that an attacker's ability to exploit the bug depends on various factors.

"It's not easy to find where the issue is exploitable without actually trying to exploit it," he explains. Microsoft has assessed the vulnerability as being of moderate or "Important" severity, a designation that is one notch lower than "Critical" severity bugs. The company plans to issue a fix for it in April, Kolsek says.

In an emailed comment, a Microsoft spokesman said the company is "aware of the report and will take action as needed to help keep customers protected."

The bug is the second NTLM credential leak zero-day that ACROS has reported to Microsoft since October. The previous one involved a Windows Themes spoofing issue and allowed attackers a way to coerce victim devices into sending NTLM authentication hashes to attacker-controlled devices. Microsoft has not yet issued a patch for that bug either.

The bugs are among several NTLM-related issues that have surfaced in recent years including PetitPotam, DFSCoerce, PrinterBug/SpoolSample, and, recently, one affecting the open source policy enforcement engine.

**Legacy Protocol Dangers**

Windows NTLM (NT LAN Manager) is a legacy authentication protocol that Microsoft includes in modern Windows for backward compatibility purposes. Attackers have frequently targeted weaknesses in the protocol to intercept authentication requests and forward or "relay" them to access other servers or services to which the original users have access.

In its advisory this week, Microsoft described NTLM-relaying as a "popular attack method used by threat actors that allows for identity compromise." The attacks involve coercing a victim to authenticate to an attacker-controlled endpoint and relaying the authentication against a vulnerable target server or service. The advisory pointed to vulnerabilities that attackers have used previously, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, to exploit service that lack protections against NTLM-relaying attacks.

In response to such attacks, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server, the company said. The latest Windows Server 2025 ships with EPA enabled by default for both AD CS and LDAP.

The advisory highlighted the need for organizations to enable EPA specially for Exchange Server, given the "unique role that Exchange Server plays in the NTLM threat landscape." The company pointed to CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 as examples of recent vulnerabilities that attackers have exploited for NTLM coercion purposes. "Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them," the company says.

Kolsek says it's unclear if Microsoft's advice for protecting against NTLM attacks has anything to do with his recent bug disclosure. "\[But\] if possible, follow Microsoft's recommendations on mitigating NTLM-related vulnerabilities," he says. "If not, consider 0patch," he adds, referring to the free micropatches that his company provides for vulnerabilities, especially in older and no longer supported software products.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft NTLM Zero-Day to Remain Unpatched Until April

Scammers set up call centers in luxury rentals to run bank help-desk fraud, as well as large-scale phishing campaigns, across at least 10 European countries, according to law enforcement.

Source: Hajrudin Hodzic via Alamy Stock Photo

NEWS BRIEF

Five suspects have been arrested in Belgium, accused of taking part in a sprawling phishing operation that committed cybercrimes on an industrial scale across Europe.

The group operated by setting up call centers in luxury Airbnbs and apartment rentals to contact victims and lure them into handing over banking information, which was then abused to steal millions. The cybercriminals used the ill-gotten gains to buy fancy watches, clothes, and nights at posh nightclubs, according to an announcement of the arrests by Dutch law enforcement.

Belgian police first discovered evidence of the cyber-fraud ring and traced its leadership back to Rotterdam. In coordination, law enforcement of both countries arrested three men and one woman, a 66-year-old who was released, but remains a suspect. A magistrate ruled the three men will remain in custody. A fifth suspect was arrested in Belgium at the request of Dutch authorities and will be extradited to the Netherlands to face charges.

**Cybercriminals Can Expect "VIP Treatment," Police Warn**

"Many victims in at least ten European countries were called by a so-called bank employee or an employee of a so-called anti-fraud team with the message that fraud had been committed with their bank account and that the \[bank\] employee could help them," Jacqueline Bonnes, public prosecutor of the Rotterdam Public Prosecution Service, said in a statement about the arrests. "Bank accounts were mercilessly plundered and in this way they managed to steal an estimated millions of euros."

The stolen money funded a high-end lifestyle for members of the cybercrime ring, who had very expensive tastes.

"While the victims were left in misery, they spent all the victims' money during parties in expensive clubs, dressed in designer clothes and expensive watches," Jan van der Linden, team leader of the Cybercrime Team Rotterdam, added in the statement about the arrests. "Or they rented cars and booked luxury holidays in Spain."

Van der Linden pointed out the accused criminals also liked to flex their extravagant lifestyle on social media.

"And then preferably with a photo that also included a celebrity from, for example, the music or football world, which increased their status," he added.

Another member of Dutch cybercrime law enforcement, Ruben van Well, said he would continue to hunt down these types of brazen criminals who take to social media to glorify their crimes, with plans for his own "VIP" treatment — "very important police treatment."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Millionaire Airbnb Phishing Ring Busted Up by Police

Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.

Source: Sasin Paraska via Shutterstock

Security researchers have found a way to bypass three types of browser isolation, which would allow a cyberattacker to send malicious data to a remote device by using QR codes.

Researchers from Mandiant demonstrated a proof-of-concept (PoC) that gets around remote, on-premises, and local browser isolation by overriding HTTP request-based communication with machine-readable QR codes. In this way, the technique allows attackers to send commands from a command-and-control (C2) server to a victim's device.

Browser isolation is often used by organizations to fight phishing threats, protect a device from browser-delivered attacks, and deter typical C2 tactics used by attackers. The technique runs a browser in a secure environment — such as a cloud server or virtual machine — and then streams the visual content to the user's device.

When browser isolation is being used, the remote browser handles everything from page rendering to executing JavaScript, with only the visual appearance of the webpage sent back to the user's local browser.

As attackers generally send commands to and from a victim's device through HTTP requests, browser isolation makes it challenging for attackers to remotely control a device in the typical way. That's because the HTTP response returned to the local browser contains only the streaming engine to render the remote browser's visual page contents, "and only a stream of pixels is sent to the local browser to visually render the webpage," Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in the post. "This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response."

Related:Cybercrime Gangs Abscond With Thousands of AWS Credentials

**Bypassing Browser Isolation With QR Codes**

Mandiant researchers developed a PoC that demonstrates how to get around browser isolation using the Puppeteer JavaScript library and the Google Chrome browser in headless mode. However, any modern browser can be used to achieve the PoC, Van Geluwe de Berlaere noted.

Instead of returning the C2 data in the HTTP request headers or body, as a typical attacker-controlled attempt to send commands to a device might, the C2 server returns a valid webpage that visually shows a QR code. "The implant then uses a local headless browser … to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data," Van Geluwe de Berlaere wrote.

"By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser."

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

In the attack sequence, the malicious implant visually renders the webpage from the browser isolation's pixel streaming engine and decodes the command from the QR code displayed on the page. It then retrieves a valid HTML webpage from the C2 server with the command data encoded in a QR code visually shown on the page.

The remote browser then returns the pixel-streaming engine back to the local browser, starting a visual stream that shows the rendered page obtained from the C2 server. The implant waits for the page to fully render, then grabs a screenshot of the local browser that contains the QR code, which the malicious implant reads to execute the C2 command on the compromised device.

The implant then goes through the local browser again to navigate to a new URL that includes the command output encoded in a URL parameter. This parameter is passed through to the remote browser and ultimately to the C2 server, which decodes the command output as in traditional HTTP-based C2.

**Challenges to Implementing the Bypass**

Though the PoC demonstrates how attackers can get around browser isolation, there are some limitations and challenges to consider when using it, the researchers noted.

One is that it's not feasible to use the PoC with QR codes that have the maximum data size — i.e., 2,953 bytes, 177x177 grid, Error Correction Level "L" — as "the visual stream of the webpage rendered in the local browser was of insufficient quality to reliably read the QR code contents," Van Geluwe de Berlaere explained. Instead, the researchers used QR codes containing a maximum of 2,189 bytes of content.

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

Moreover, the requests take at least five seconds to reliably show and scan the QR code due to the processing involved when using Chrome in headless mode, as well as the time it takes for the remote browser to start up, page-rendering requirements, and the stream of visual content from the remote browser back to the local browser. "This introduces significant latency in the C2 channel," he wrote.

Finally, the PoC does not consider other security features of browser isolation, such as domain reputation, URL scanning, data-loss prevention, and request heuristics, which may need to be overcome if they are present in the browser-isolation environment on which it is being used.

Despite the success of the bypass, Mandiant still recommends browser isolation as a strong protection measure against client-side browser exploitation and phishing attacks. However, Van Geluwe de Berlaere wrote, it should be used as one part of "a well-rounded cyber defense posture" that also includes monitoring for anomalous network traffic and browser in automation mode to defend against Web-based attacks.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Can Use QR Codes to Bypass Browser Isolation

More than 4% of US attempted e-commerce transactions between Thanksgiving and Cyber Monday suspected to be fraudulent.

PRESS RELEASE

MONTRÉAL, December 4, 2024 — Genetec Inc. (“Genetec”), the global leader in enterprise physical security software, today shared the results of its "2025 State of the Physical Security Report." Based on insights from over 5,600 physical security leaders worldwide (including end users, channel partners, systems integrators, and consultants), the report offers a comprehensive analysis of evolving trends in physical security operations.

**Hybrid cloud adoption grows as organizations seek flexibility and control**

As organizations evaluate cloud solutions for physical security, most are prioritizing a hybrid strategy that aligns with operational needs, budget constraints, and storage requirements. This pragmatic and flexible deployment approach allows critical data and applications to be managed both on-premises and in the cloud.

According to the report, 43% of end users envision hybrid deployments as their preferred approach within the next five years, compared to just 18% favoring fully cloud-based implementations and 17% planning to remain fully on-premises. This preference for hybrid-cloud is echoed by consultants and channel partners, with 66% of consultants planning to recommend hybrid deployments in the next five years.

This data not only reflects the rising demand for adaptable deployment models but also highlights a measured approach to cloud adoption as the industry matures.

By focusing on operational realities, varying costs of the cloud, and evolving seditecurity requirements, organizations will be better positioned to successfully adopt the cloud at a pace and cost that reflects their needs.

“There’s no all-or-nothing with a hybrid-cloud approach. Businesses remain in total control of how they deploy their systems across various locations. With an open ecosystem, they can implement the best technology—whether on-premises or in the cloud— that meets their business needs and avoid unnecessary compromise without ever being locked into proprietary solutions. This allows them to deploy, scale, and upgrade systems faster, streamline processes, and strengthen their security posture in the most efficient and effective ways,” said Christian Morin, Vice President Product Engineering, Genetec Inc.

**IT departments become central to decisions**

A decade ago, physical security systems in large organizations were typically managed by personnel in specialized security departments. However, the increasing adoption of cloud and hybrid-cloud solutions, the rise in cybersecurity threats, and the need to align physical and digital security have led IT teams to take an increasingly prominent role in influencing the acquisition and deployment of physical security systems.

According to the report, 77% of end users say physical security and information technology (IT) departments now work collaboratively. Additionally, IT departments are taking on an increasing role in the buying process, with over 50% of end users, systems integrators, and consultants reporting that IT teams are now actively involved in physical security purchasing decisions.

“The evolving role of physical security is reshaping how organizations secure both their people and digital networks. With IT at the forefront of implementing cloud and hybrid solutions, physical security operations are becoming more resilient, data-driven, and adaptable to evolving threats," Morin added.

**AI adoption grows as industry prioritizes practical applications**

The report reveals a significant rise in the interest toward AI adoption in physical security, with 37% of end users planning to implement AI-powered features in 2025, up from just 10% in 2024. This heightened interest aligns with a strategic, purpose-driven approach. With 42% of end users seeing AI as a tool to streamline security operations, organizations are focusing on practical applications, such as refining threat detection and automating routine processes, with intelligent automation as the ultimate goal.

Survey methodology

Genetec Inc. surveyed physical security professionals from August 12th to September 15th, 2024. Following a review of submissions and data cleansing, 5,696 respondents (including end users, channel partners, and consultants) were included in the sample for analysis. Survey samples were run across all regions including North America, Central America, the Caribbean, South America, Europe, the Middle East, Africa, East Asia, Southern Asia, South-Eastern Asia, Central Asia, Western Asia, and Australia-New Zealand.

Genetec Physical Security Report Shows Accelerating Hybrid Cloud Adoption

Using different parts of our brains gives us different perspectives on the world around us and new approaches to the problems we face in security.

Source: Dennis Hallinan via Alamy Stock Photo

COMMENTARY

I recently delivered one of the keynotes at the Fall Summit 2024 for Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium that works to build cybersecurity and resilience in the global financial system. My talk began with a lyrical analysis of the Joni Mitchell song "Both Sides Now" and continued into how we can take lessons from the song and apply them to our security programs.

To be clear, this was a risk. An audience of security professionals and security executives in the banking, financial services, and insurance (BFSI) vertical looking for information about technical innovation and new research may not respond positively to a talk that centers on a lyrical analysis of a song written in the 1960s.

If you aren't familiar with the lyrics, I highly encourage a listen — it's a great song.

What I learned is that people like it when we draw inspiration from sources outside of cybersecurity. After all, we are a relatively new field, and other professions have likely figured out a few things that we're still trying to work out. Security professionals can — and should — learn from other fields and apply those lessons to our work.

**1\. Pay Attention**

The analog world has many lessons to teach us. Inspiration, ideas, and solutions are all around us. We simply need to open our eyes to what surrounds us. It is not easy to take in everything when we are focused on our jobs and everyday life, but it is still worth taking a step back now and again to take in the wider world and the lessons it can teach us. Many of them are applicable to the security challenges we face.

**2\. Open a Book**

It may seem old-fashioned, but books are still one of the most amazing sources of knowledge and inspiration. Whether classic or modern, some of the top authors have grappled with, processed, thought through, and written about some of the most difficult and challenging issues. It would be silly to cast all that aside and think that there isn't anything in there we can learn from as a security community. So while William Shakespeare, Charles Dickens, Mark Twain, Leo Tolstoy, Jane Austen, the Bronte sisters, and others may not immediately bring security to mind, we are almost certain to find important lessons in their works.

**3\. Read Poetry**

One of the things that amazes me most is how poets can take the same words that most of us use day to day and form them into the most beautiful works of art. Aside from the powerful messages that poems can convey, there is a unique angle to problem-solving that poets take in order to be able to transform language as they do. As security professionals, we can learn a lot from both the messages that poets convey and the manner in which they do so. We as security professionals can certainly learn to convey more valuable messages to our stakeholders, as well as how to convey those messages more clearly.

**4\. Listen to Lyrics**

Although I only recently gave my first talk based on lyrical analysis, I have been listening to and analyzing lyrics for quite some time. Like authors and poets, good lyricists are also quite talented at getting powerful messages into relatively few words. In the security field, we can learn a lot from this. First off, understanding that our management, executives, and other stakeholders want fewer but more powerful words from us is an important lesson. So is being able to deliver that message in a catchy, fun, or impactful manner, as is the case with music. While it may be tempting to fill reports and presentations with an overdose of data, successful lyricists would advise us otherwise.

**5\. Appreciate Art**

If you've ever seen an original work of art (in a museum, for example), you know that it can sometimes take you aback in a way that seeing it online or seeing a replica cannot. While I am not a visual person, I can appreciate that some people are. As security professionals, we can take a lesson from this. Some people need to see data come alive visually in order to internalize it. We can take inspiration and learn from other fields that have worked out how to present data visually.

**6\. Study Creativity**

Creativity comes in many forms. Whether someone is an author, a poet, a lyricist, an artist, or any other creative type, they all have one thing in common: They take inspiration from the world around them and synthesize something new. As security professionals, we can learn from this. There is no shortage of the same old conventional wisdom floating around our industry. Much of that conventional wisdom has led to less-than-ideal outcomes. Creative thinking, fresh ideas, and new approaches could potentially do wonders for our field if we allow them to.

**Coda**

Literature, poetry, music, and art may not be sources you think of when looking for fresh thinking around security problems. They probably should be, though. Other fields that have been around considerably longer than the security field are likely good sources of inspiration for creative approaches to solving security issues. It seems about time we consider that when looking to advance the state of our field.

**About the Author**

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

How Art Appreciation Supplements Cybersecurity Skills

Vanir automates the process of scanning source code to identify missing security patches.

Source: Art of Food via Alamy Stock Photo

NEWS BRIEF

Security updates in the Android ecosystem is a complex, multistage affair, with each downstream manufacturer responsible for incorporating security fixes and deploying them to individual user devices. Manufacturers have diverse device portfolios with different models running different versions of the Android operating system and related software, which means they are responsible for multiple update versions. As it currently stands, updating Android devices is both time-consuming and labor-intensive.

Vanir, Google's latest open source security patch validation tool, speeds up the process of figuring out which security patches are missing from the platform by scanning custom platform code using static code analysis. By automating this process, OEMs can identify missing security updates much faster than current methods, according to an announcement on the Google Security Blog.

Vanir, which has a 97% accuracy rate, covers 95% of all Android, Wear, and Pixel vulnerabilities that already have public fixes, the company said. Inside Google, Vanir is part of the build system and tests against over 1,300 vulnerabilities, saving internal teams "over 500 hours to date in patch fix time," according to Google.

The tool does not rely on metadata, such as version numbers, repository history, or build configurations, to identify which updates are missing. Instead, Vanir uses automatic signature refinement techniques and multiple pattern analysis algorithms. Google said these algorithms have low false-alarm rates, noting that in two years of testing Vanir, only 2.72% of signatures triggered false alarms.

"This allows Vanir to efficiently find missing patches, even with code changes, while minimizing unnecessary alerts and manual review efforts," the company said.

A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across downstream branches in just five days, Google noted.

While Vanir was originally introduced at Android Bootcamp back in April and is designed for Android, the tool can be adapted to other ecosystems and platforms with small modifications. Vanir can be used as a standalone application as well as a Python library. Users can integrate Vanir with their continuous builds or test chains by wiring the tool with Vanir scanner libraries.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Launches Open Source Patch Validation Tool

We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.

Audra Streetman, Senior Threat Intelligence Analyst, Splunk

December 9, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The work of cybersecurity defenders continues to evolve. The sheer amount of software and applications within an organization's IT environment has increased the attack surface and, consequently, the number of vulnerabilities. According to the Verizon "2024 Data Breach Investigations Report," "14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year's report."

With vulnerability exploitation increasing, prioritization can be difficult and time-consuming if you don't have a clear plan. The consequences of large-scale incidents, such as Log4j and the MOVEit breach, have had lasting impacts on the cybersecurity world. However, cybersecurity defenders can learn from these experiences.

**Key Considerations for Vulnerability Evaluation**

The first step in vulnerability evaluation mirrors the basics of reading comprehension: understanding the who, what, when, where, and why:

Who: Who is discussing vulnerabilities? Pay attention to peers, industry experts, and government advisories. Know that vulnerability discourse on social media and online forums may include fear-mongering and hyperbole. 

What: After identifying a vulnerability, analyze its exploitability. Determine if it is exploitable over a network or requires local access, or if exploit code is public. 

When: Timing is crucial. Know when the vulnerability was disclosed and if it has been exploited in the wild.

Where: Know where the vulnerability exists in your environment, which can influence the impact of exploitation. Check if it appears in a software bill of materials (SBOM) or a vendor advisory, as this can direct your remediation efforts.

If a patch is available, determine if it will cause downtime and if you are bound by a service-level agreement. If you opt to not patch, or if a patch is not available, research mitigation guidance to minimize risk.

Why: Understand how the vulnerability aligns with recent trends in adversary behavior. Also, Common Vulnerability scores and Exploit Prediction scores can inform prioritization, but should not be relied upon as the only factor when evaluating vulnerabilities.

**Learning From Large-Scale Incidents****MOVEit **

A great way to combat vulnerabilities is to learn from the past. For example, when the MOVEit Transfer vulnerability emerged in 2023, there were early signs pointing to the potential for mass exploitation. The cybercriminal group behind the breach was known to target vulnerabilities in file transfer software for spray-and-pray attacks that relied on data exfiltration without encryption to reach more victims. Ultimately, more than 2,700 organizations and 95.8 million people were impacted by the breach, according to cybersecurity firm Emsisoft, teaching the cybersecurity world three things:

1.  Adversary behavior can influence the likelihood of exploitation. A critical vulnerability in a file transfer appliance carried additional urgency in 2023 because of the strategies employed by cybercriminals. 
    
2.  Zero-day vulnerabilities with low attack complexity are a higher priority. Attacks began days before the MOVEit vulnerability was publicly disclosed and one attack vector allowed data exfiltration directly from the MOVEit application. One caveat here is that not all zero-day vulnerabilities are a high priority; there are other factors to consider, such as attack complexity. 
    
3.  Vulnerabilities with cascading effects on the supply chain are critical priorities. Some organizations were impacted by the breach because their vendor's contractor's subcontractor used MOVEit Transfer.
    

**Log4j**

The 2021 Log4j incident highlights the challenges with identifying vulnerable software components in your environment. This vulnerability was a high priority for several reasons:

1.  It was remotely exploitable.
    
2.  It was publicly disclosed before a fix was available.
    
3.  Exploit code circulated online.
    
4.  Because the Log4j library was popular among Java developers, it was embedded into thousands of software packages and integrated into millions of systems worldwide. 
    

Many organizations struggled to identify where Log4j was present in their environment, as these open source components aren't always readily listed. Accurate asset inventories and widespread SBOM adoption — which is essentially an ingredients list of software components — can go a long way in improving how organizations identify and respond to future vulnerabilities. 

**Knowing the Score With Vulnerabilities**

Cybersecurity defenders have at their disposal a number of vulnerability databases and scoring frameworks, such as the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As organizations mature and refine their vulnerability management program, they can begin to implement additional steps, such as continuous monitoring, automation, and the integration of vulnerability management tools with configuration management databases (CMDBs) to improve detection and remediation.

In the future, we may see software suppliers adopt a secure-by-design philosophy that takes greater ownership of customer security outcomes. This could be influenced by future regulations, heightened liability for security executives, and the loss of customer trust. We may also see new use cases for emerging technologies, like machine learning and artificial intelligence, to help speed up and guide the vulnerability prioritization process, while maintaining a human-in-the-loop approach. In the meantime, we can anticipate a growing number of emerging vulnerabilities, emphasizing the need for an effective prioritization strategy.

**About the Author**

Senior Threat Intelligence Analyst, Splunk

Audra Streetman is an active member of Splunk's global security team and previously contributed to Splunk's SURGe research team. Before arriving at Splunk, Audra worked as a reporter, producer, and news anchor at local TV stations in Indiana, California, Kentucky, and Colorado. Audra produced and co-hosted a podcast called The Security Detail, which examined the cyber threat landscape in different industries. Audra is a member of the GIAC Advisory Board and has several certifications, including GDAT, GCTI, Security+, Linux+, Network+, AWS Cloud Practitioner, and Splunk Enterprise Certified Admin.

Large-Scale Incidents &amp; the Art of Vulnerability Prioritization

An FBI operation nabbed a member of the infamous cybercrime group, who is spilling the tea on 'key Scattered Spider members' and their tactics.

Source: Steven Frame via Alamy Stock Photo

Chasing down members of Scattered Spider, the cybercrime group known for their social engineering takedowns of massive organizations, has been a top law enforcement priority over the past several months. Now, the Federal Bureau of Investigation has made a new arrest in the case, a 19-year-old hacker living in Fort Worth, Texas — and he's talking.

Remington Goy Ogletree is accused of a phishing operation that ran from October 2023 to last May, when, according to the complaint, he was able to gain credentials and unauthorized access to two telecommunications companies and one US-based national bank. He then stole data, including API keys and cryptocurrency, and sold off access to other threat actors on the Dark Web, according to the indictment.

He is also accused of hijacking one of the telecommunications platforms to send about 8.5 million phishing texts in an attempt to steal cryptocurrency. Ogletree likewise allegedly used a hacked telecom network to send phishing messages to employees of an unidentified financial institution with the intent to steal their credentials. The FBI complaint added that Ogletree hacked into a second telecommunications organization to send an additional 140,000 fraudulent phishing text messages.

**Suspect Spills Details on Scattered Spider Cybercrime Ring**

Once he was arrested in February, Ogletree admitted to being a part of the Scattered Spider threat group.

"I know key Scattered Spider members," Ogletree told the cops. "Any company getting ransom\[ed\] ... that's not crypto-related, it's gonna be them."

He went on to tell the FBI that Scattered Spider prefers to target business process outsourcing (BPO) organizations, "because outsourcing companies, they have less security." He also told law enforcement that Scattered Spider has already compromised five of the top BPO companies, the complaint explained.

Scattered Spider threat group is well known for recruiting young, native English speakers into its fold to help pull off brazen social engineering schemes to steal employee login credentials. Some of the group's most infamous breaches include last year's casino ransomware attacks on Caesars and MGM Resorts.

**FBI Keeps Nabbing Scattered Spider Members**

The arrest is the latest in a string of Scattered Spider stings. Just a few weeks ago, another group of Scattered Spider members was arrested and charged with various cybercrimes; four of them are American. Last June, a 22-year-old British man was arrested by Spanish police for his connection to Scattered Spider and was found with control of more than $27 million in Bitcoin. And in July, a 17-year-old was arrested in the UK for his role in the Scattered Spider operation.

The arrests are welcome news. Last year, law enforcement received criticism for not doing more to stop Scattered Spider and keep them from committing additional cybercrimes.

The FBI was able to nab Ogletree by posing as a cryptocurrency laundering operation called "Cash Service." When he engaged with the front operation to convert stolen crypto to cash, they were able to track him down and make the arrest, according to the complaint.

**About the Author**

Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Texas Teen Arrested for Scattered Spider Telecom Hacks

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Source

DARKReading