PRESS RELEASE

BOSTON, Feb. 13, 2025 (GLOBE NEWSWIRE) -- Thrive, a global technology outsourcing provider for cybersecurity, Cloud, and IT managed services, today announced the acquisition of Secured Network Services (SNS), a leading New Hampshire-based IT provider for organizations across industries, including healthcare, non-profit, and municipal government. The acquisition will enable Thrive to enter the New Hampshire market to deepen its presence in New England, bringing its industry-leading global Security Operation Center (SOC) & Hybrid Cloud solutions to SNS’ customers.

Cyber regulations are continuing to get more complex across industries – for example, the Health Insurance Portability and Accountability Act (HIPAA) is facing several proposed changes to its Privacy and Security rules in 2025. With the acquisition of SNS, Thrive will deepen its vertical industry knowledge, ensuring healthcare, non-profit, and government customers are backed with the latest industry insights to navigate these challenging landscapes. Together, Thrive and SNS will enable customers in New Hampshire and beyond to have access to industry-leading resources and Thrive’s global high-touch 24x7x365 service mandate.

“SNS’ similar philosophy of providing the highest caliber of technical expertise and unwavering dedication to customers greatly resonated with us,” said Bill McLaughlin, CEO of Thrive. “Coupled with their deep vertical knowledge, SNS will ensure we continue delivering the best technology solutions to businesses across industries.”

This acquisition builds upon Thrive’s tremendous growth, having completed eleven previous acquisitions over the past two years, most recently acquiring Michigan-based Safety Net and North Carolina-based The Longleaf Network. Along with geographic expansion, Thrive also received a strategic investment from Berkshire Partners and Court Square Capital Partners to continue scaling the capabilities of the company.

“Our team is excited to accelerate our growth and enable our customers to have access to Thrive’s NextGen solutions,” Kevin M. Low, Founder & CEO at SNS. “Our mission of helping businesses get the most from their technology aligns seamlessly with Thrive’s dedication to delivering outsized ROI and the best technology outcomes for each customer. We look forward to advancing our capabilities to better help our customers navigate the complex IT landscape with Thrive’s partnership.”

To learn more about Thrive and its offerings, visit the website.  

About Thrive    
Thrive delivers global technology outsourcing for cybersecurity, Cloud, networking, and other complex IT requirements. Thrive’s NextGen platform enables customers to increase business efficiencies through standardization, scalability, and automation, delivering oversized technology returns on investment (ROI). They accomplish this with advisory services, vCISO, vCIO, consulting, project implementation, solution architects, and a best-in-class subscription-based technology platform. Thrive delivers exceptional high-touch service through its POD approach of subject matter experts and global 24x7x365 SOC, NOC, and centralized services teams. Learn more at www.thrivenextgen.com or follow us on LinkedIn.

Thrive Acquires Secured Network Services

PRESS RELEASE

As AI adoption accelerates, organizations lack the tools to secure these rapidly evolving technologies. While AI's potential in cybersecurity is vast, there is currently a significant gap between innovation and implementation. Many existing security solutions are either proprietary, insufficient, or simply inaccessible. 

SANS Institute, the global leader in cybersecurity training and research, is launching the AI Cybersecurity Hackathon, a month-long event designed to address the urgent need for the development of these tools. The hackathon aims to inspire participants to develop expertise in AI security, identify and support cybersecurity talent, and drive progress in AI security research through open-source contributions. Running from February 15 to March 15, 2025, this hackathon provides an opportunity for cybersecurity professionals, ethical hackers, developers, and students to cultivate the critical skills and develop the open-source tools needed to address emerging AI security challenges.

"AI is transforming cybersecurity at an unprecedented rate, but organizations are struggling to find professionals with the right expertise to secure these evolving technologies," emphasized Rob Lee, Chief of Research at SANS Institute. "Through this hackathon, SANS hopes to not only contribute vital open-source tools but also encourage individuals to pursue and refine the AI security skills the industry desperately needs." 

SANS has a long history of empowering the cybersecurity community, not just through training but by developing and distributing open-source security tools. From Rob Lee's SIFT Workstation, to Ed Skoudis' Holiday Hack Challenge, to Johannes Ullrich's Internet Storm Center (ISC), SANS has repeatedly delivered solutions that security professionals can use immediately.

The AI Cybersecurity Hackathon continues this tradition, offering participants a chance to build and contribute critical tools that will shape the future of AI security. Participants will have the opportunity to develop AI-driven security solutions that address emerging threats, enhance system security, and improve data protection. The hackathon welcomes both experienced professionals and newcomers who want to explore the intersection of AI and cybersecurity.

Kate Marshall, Director of Summits at SANS Institute, underscored the hackathon's significance. "We don't just want to talk about AI security, we want to build the tools that solve these challenges. Even if this event results in just one essential tool, that's a win for the entire cybersecurity community. We hope this inspires long-term innovation and a new generation of AI security experts."

**How to Participate **

2.  Collaborate or Go Solo: Participants can join teams or work independently. 
    
3.  Develop & Submit: Build an AI-powered security solution and submit it by March 15, 2025. 
    

SANS will select high-quality submissions that can be further highlighted, promoted, and published as open-source tools for future security initiatives. 

To learn more and sign up, visit SANS AI Cybersecurity Hackathon. Don't miss this opportunity to develop valuable AI security skills, contribute to cutting-edge cybersecurity solutions, and connect with a global community of innovators.

SANS Institute Launches AI Cybersecurity Hackathon

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

PRESS RELEASE

AUSTIN, Texas, Feb. 13, 2025 /PRNewswire/ -- enQase, a groundbreaking quantum-safe security solution, launches today to safeguard the most sensitive information against the threat of quantum attacks. This innovative solution addresses the urgent calls from leading business technology analyst, cybersecurity experts, and governments worldwide who are stressing the importance to fortify digital defenses against quantum computing threats.

The urgency to act is because the stakes are high, as malicious hackers who acquire highly sensitive encrypted data today could decrypt soon with quantum computers – thus the term "harvest now, decrypt later".

Why enQase exists 

In August 2024, the National Institute of Standards and Technology (NIST) released its recommendations for PQC urging all sectors to urgently begin transitioning to higher levels of cryptographic protection.

Experts, including the World Economic Forum, recommend combining PQC with Quantum Random Number Generation (QRNG) to provide organizations with the strongest protection against future quantum computing threats. While PQC is anticipated to offer good data security, the integration of both technologies is considered the most comprehensive approach to safeguarding sensitive information in the post-quantum era.

Certain limitations that have prompted organizations and sectors to explore more comprehensive security solutions for their most highly sensitive information include:

*   Theoretical foundations: PQC standards are grounded on theoretical analyses and projections of quantum computer capabilities. The security of these algorithms relies on mathematical assumptions that may be challenged as quantum technology advances.
    
*   Deterministic Algorithms: PQC utilizes deterministic algorithms, which could potentially be vulnerable to unforeseen weaknesses or breakthroughs in quantum computing.
    
*   Reliance on PRNGs: PQC implementations often depend on Pseudo-Random Number Generators (PRNGs) for key generation and other random values. The security of these systems could be compromised if the PRNGs are found to be predictable or vulnerable to quantum attacks.
    

In comparison, enQase takes quantum-safe security beyond conventional standards by harnessing the power of quantum mechanics to fortify and 'enQase' NIST's PQC standards. This innovative approach provides organizations with unparalleled assurance that their information will remain secure today, against "Harvest now, Decrypt later" attacks, and well into the future.

How enQase ensures future-proof security

In an era where traditional encryption methods are increasingly vulnerable, enQase stands as a beacon of innovation. Our quantum-enhanced security platform doesn't just meet today's standards—it defines tomorrow's.

The comprehensive platform leverages PQC, Quantum Random Number Generator (QRNG), digital Quantum Key Distribution (dQKD), and Quantum Key Distribution (QKD). At the forefront of innovation, enQase offers an industry-first hybrid key distribution system that uniquely combines both QKD and dQKD technologies.

enQase offers unparalleled deployment flexibility, with options ranging from Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), perpetual licensing and on-premises hardware solutions. The platform seamlessly integrates with existing infrastructure while ensuring full-stack interoperability and scalability to meet evolving security needs.

"enQase counters this threat with a robust data security solution that leverages quantum mechanics to enhance NIST Post-Quantum Cryptography (PQC) protection. The platform offers unique deployment flexibility and scalability demanded by Global 500 companies and government organizations to protect their entire information lifecycle."  
     -Mike Kramer, co-founder and CEO of enQase.

enQase solutions are fully compliant with NIST and ETSI guidelines, positioning clients at the forefront of secure networks. enQase simplifies quantum security management through an intuitive central console, reducing the need for specialized expertise while delivering practical, business-centric solutions.

As global quantum security pioneers with 15 patents, enQase continuously innovates and develops next-generation solutions, including advanced QKD implementations for terrestrial and space-based networks.

About enQase

enQase offers security beyond PQC; the only comprehensive, flexible, scalable solution that utilizes enhanced quantum technologies to protect data against current and future quantum threats without compromising operational performance.

The company's technology addresses critical shortcomings in existing cybersecurity measures, particularly in the face of emerging quantum computing threats. By offering a truly future-proof solution, enQase enables businesses to stay ahead of sophisticated quantum and AI-driven hacking attempts.

enQase offers versatile solutions spanning various deployment options, including SaaS, Cloud, PaaS, on-premises, and hardware-based implementations. Recognizing that every organization safeguards sensitive data —and for certain industries the stakes are far higher— enQase ensures that critical sectors such as finance, healthcare, government, critical infrastructure, and defense, are equipped to shield their most sensitive information with unwavering vigilance.

For more information about how enQase can secure an organization's future, visit www.enqase.com.

Introducing enQase for Quantum-Safe Security

Credible Security's founders bring their varied experiences to help growing companies turn trust into a strategic advantage.

Source: Ronstik via Alamy Stock Photo

Teaching students or learning the classics may not be the typical career path for cybersecurity professionals, but the founders of independent security consultancy Credible Security believe a diversity of backgrounds can be a superpower.

"Working together has taught us that the thing that makes the difference between an acceptable and a great approach to security within any organization is not technical knowledge or skill sets or backgrounds," says co-founder Josh Yavor. Qualifications are a given, but more importantly, a security team needs leadership "empowered in the right ways with empathy and effective communication and a bias toward building relationships that are based on trust."

Yavor, along with Kim Burton and Jessica Walters, launched Credible Security at the start of 2025. The company works with business-to-business companies that offer cloud services and software-as-a-service, with a specific focus on underserved teams within organizations. That includes go-to-market teams that have public-facing functions and early-stage companies that are finding their security footing while still forming a growth strategy.

**Diversity Leads to Stronger Security Mindset**

The founding partners — "We haven't really fought over those titles yet," Yavor jokes — had worked together before at Tessian, Cisco, and Duo Security. When Proofpoint acquired Tessian in 2023, Yavor was CISO, Burton was head of trust and compliance, and Waters was senior security manager. They each had extensive security experience but had taken different paths to get there.

Prior to holding security leadership roles at Cisco Secure, Duo Security, and Facebook, Yavor was a school teacher and owned an IT consulting business. Burton studied literature and classical languages in graduate school. Walters was chief of staff of Cisco's Security Business Group team. All three say their experiences at Duo Security demonstrated the value of bringing together practitioners from different backgrounds. They stayed at Duo through its Cisco acquisition in 2018 and landed in the same team at Cisco. When Yavor joined Tessian in 2021, Burton and Walters "came over to continue the journey."

The team members' varied backgrounds "make it so that when you encounter something that you haven't seen before, everyone is able to actually relate to something that they have, in fact, experienced," Burton says. "When you have a team of people who've come from the same programs, the same location, the same ideas all the time, you actually end up with groupthink. We do not have that problem."

**Developing Strategy With a Trusted Partner**

Having different perspectives is particularly important when helping customers develop and execute their cloud strategies, according to the trio. Cloud services touch every aspect of people's lives, so B2B enterprises need to prioritize building trust with end users as part of their strategy. In the past 10 to 15 years, enterprises have made strides in thinking about risk and how to manage it, but they haven't mastered the strategy in all areas, Yavor says.

The missing part that Credible Security targets "is having consistent strategy and outcomes in evaluating and delivering trust on both sides of the equation \[end users and service providers\]," Yavor says. Trust is critical at every juncture of that pipeline; with some proactive security thinking and investment, businesses can boost results.

"We are helping our clients simplify their strategies and align them to their actual business objectives so that they have a much easier and more efficient approach to developing not just minimum viable security for whatever their product is, but actually using it as a competitive advantage as they try to earn their customers' trust and then maintain it through a long-term relationship," Yavor says.

When managing risk, many companies still conflate trust with compliance, "where you're doing checkbox exercises because you have to show up to an auditor and tell them about it. But that's a backward way of thinking about it," Burton says. Compliance is only a way to verify trustworthiness, and trust develops as consultants show that they are working with the same values and goals in mind.

"It's saying: 'Hey, how can you actually design your product and your process so that the customers that you are finding actually understand this deep-felt sense that they know you will do the best by them?'"

**'Layered Experiences'**

Another advantage Credible Security offers is the ability to tap the team's experience as both buyers of security products and on the developer side of the process.

"All three of us have these layered experiences of both things we've done or built, but then also seeing teams and brands that really showed up in a way that we would want family members to experience," Walters says. The variety of positions they have held — CISO, head of compliance, chief of staff — also give them internal perspective, Yavor adds.

"That's actually one of the most exciting differentiators about our company, that all three of us, we haven't just been in the industry, we have been in the roles that we are seeking to help," he says. "We've actually done the work."

**About the Author**

Contributing Writer, Dark Reading

Mercedes Cardona is a New York-based business journalist. She is the former editor of The Economist Group’s “Marketing Unbound” blog and WP Engine’s “Velocitize.” She also has served as the Assistant Business Editor for features at the Associated Press and Financial Editor at Advertising Age. She has contributed to books including The Advertising Age Encyclopedia of Advertising and Single Women and Money.

This Security Firm's 'Bias' Is Also Its Superpower

Companies pursing internal AI development using models from Hugging Face and other open source repositories need to focus on supply chain security and checking for vulnerabilities.

Source: Zoonar GmbH via Alamy Stock Photo

Attackers are finding more and more ways to post malicious projects to Hugging Face and other repositories for open source artificial intelligence (AI) models, while dodging the sites' security checks. The escalating problem underscores the need for companies pursuing internal AI projects to have robust mechanisms to detect security flaws and malicious code within their supply chains.

Hugging Face's automated checks, for example, recently failed to detect malicious code in two AI models hosted on the repository, according to a Feb. 3 analysis published by software supply chain security firm ReversingLabs. The threat actor used a common vector — data files using the Pickle format — with a new technique, dubbed "NullifAI," to evade detection.

While the attacks appeared to be proofs-of-concept, their success in being hosted with a "No issue" tag shows that companies should not rely on Hugging Face's and other repositories' safety checks for their own security, says Tomislav Pericin, chief software architect at ReversingLabs.

"You have this public repository where any developer or machine learning expert can host their own stuff, and obviously malicious actors abuse that," he says. "Depending on the ecosystem, the vector is going to be slightly different, but the idea is the same: Someone's going to host a malicious version of a thing and hope for you to inadvertently install it."

Related:This Security Firm's 'Bias' Is Also Its Superpower

Companies are quickly adopting AI, and the majority are also establishing internal projects using open source AI models from repositories — such as Hugging Face, TensorFlow Hub, and PyTorch Hub. Overall, 61% of companies are using models from the open source ecosystem to create their own AI tools, according to a Morning Consult survey of 2,400 IT decision-makers sponsored by IBM.

Yet many of the components can contain executable code, leading to a variety of security risks, such as code execution, backdoors, prompt injections, and alignment issues — the latter being how well an AI model matches the intent of the developers and users.

**In an Insecure Pickle**

One significant issue is that a commonly used data format, known as a Pickle file, is not secure and can be used to execute arbitrary code. Despite vocal warnings from security researchers, the Pickle format continues to be used by many data scientists, says Tom Bonner, vice president of research at HiddenLayer, an AI-focused detection and response firm.

"I really hoped that we'd make enough noise about it that Pickle would've gone by now, but it's not," he says. "I've seen organizations compromised through machine learning models — multiple \[organizations\] at this point. So yeah, whilst it's not an everyday occurrence such as ransomware or phishing campaigns, it does happen."

Related:How Banks Can Adapt to the Rising Threat of Financial Crime

While Hugging Face has explicit checks for Pickle files, the malicious code discovered by ReversingLabs sidestepped those checks by using a different file compression for the data. Other research by application security firm Checkmarx found multiple ways to bypass the scanners, such as PickleScan used by Hugging Face, to detect dangerous Pickle files.

Despite having malicious features, this model passes security checks on Hugging Face. Source: ReversingLabs

"PickleScan uses a blocklist which was successfully bypassed using both built-in Python dependencies," Dor Tumarkin, director of application security research at Checkmarx, stated in the analysis. "It is plainly vulnerable, but by using third-party dependencies such as Pandas to bypass it, even if it were to consider all cases baked into Python, it would still be vulnerable with very popular imports in its scope."

Rather than Pickle files, data science and AI teams should move to Safetensors — a library for a new data format managed by Hugging Face, EleutherAI, and Stability AI — which has been audited for security. The Safetensors format is considered much safer than the Pickle format.

Related:Warning: Tunnel of Love Leads to Scams

**Deep-Seated AI Vulnerabilities**

Executable data files are not the only threats, however. Licensing is another issue: While pretrained AI models are frequently called "open source AI," they generally do not provide all the information needed to reproduce the AI model, such as code and training data. Instead, they provide the weights generated by the training and are covered by licenses that are not always open source compatible.

Creating commercial products or services from such models can potentially result in violating the licenses, says Andrew Stiefel, a senior product manager at Endor Labs.

"There's a lot of complexity in the licenses for models," he says. "You have the actual model binary itself, the weights, the training data, all of those could have different licenses, and you need to understand what that means for your business."

Model alignment — how well its output aligns with the developers' and users' values — is the final wildcard. DeepSeek, for example, allows users to create malware and viruses, researchers found. Other models — such as OpenAI's o3-mini model, which boasts more stringent alignment — has already been jail broken by researchers.

These problems are unique to AI systems and the boundaries of how to test for such weaknesses remains a fertile field for researchers, says ReversingLabs' Pericin.

"There is already research about what kind of prompts would trigger the model to behave in an unpredictable way, divulge confidential information, or teach things that could be harmful," he says. "That's a whole other discipline of machine learning model safety that people are, in all honesty, mostly worried about today."

Companies should make sure to understand any licenses covering the AI models they are using. In addition, they should pay attention to common signals of software safety, including the source of the model, development activity around the model, its popularity, and the operational and security risks, Endor's Stiefel says.

"You kind of need to manage AI models like you would any other open source dependencies," Stiefel says. "They're built by people outside of your organization and you're bringing them in, and so that means you need to take that same holistic approach to looking at risks."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source AI Models: Perfect Storm for Malicious Code, Vulnerabilities

Banking fraud and financial crimes are growing more sophisticated every day. By understanding the threats and building strong collaborations, banks can protect themselves and their clients.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

Banking executives have a lot to consider when it comes to financial crime. With new technologies at their disposal, fraudsters are becoming more sophisticated, underscoring the importance of staying vigilant in protecting against these emerging threats. In the near future, synthetic identity fraud and account takeovers will increasingly be leveraged to maximize gains, and AI and machine learning will rapidly adapt to a bank's detection methods. While most banks recognize the importance of fraud prevention, having a clear strategy and best practices is essential to mitigate the rising risks posed by these evolving technologies.

**Risk of Fraud and Financial Crimes Grows**

Last year, US fraud losses totaled a staggering $12.3 billion, and the emergence of new technologies will amplify financial crimes further. Research from Deloitte expects US fraud losses to grow to $40 billion by 2027, representing a compound annual growth rate (CAGR) of 32%. Generative AI is one reason why bank fraud is growing. At Grasshopper, we've seen fraudsters try to use generative AI (GenAI) to create fake business profiles and descriptions when applying for small business loans. To combat this, banks need to implement advanced AI-driven fraud monitoring and detection tools, enhance identity verification processes, and stay vigilant with continuous monitoring and staff training to recognize anomalies.

The rise of banking-as-a-service (BaaS) and embedded banking has also created more opportunities for bad actors to try to exploit gaps in fraud prevention. In this model, banks lose the direct connection with the end user, adding complexity to fraud prevention efforts. BaaS and embedded finance solutions offer significant advantages for modern banking, but they also present new challenges in fraud prevention. PYMNTS.com reports that bad actors are targeting application programming interfaces (APIs) — serving as the bridge between banks and their BaaS partners — are being viewed by bad actors as entry points. Earlier this year, attacks on APIs were up 20% year over year. Although the benefits of BaaS far outweigh the risks, fraud activity continues to accelerate. To stay protected, banks and their BaaS partners need a systemic approach to manage risk tolerance across the platform and protect themselves and their clients. 

**Implementing Best Practices for a Strong BaaS Partnership **

Banks and BaaS partners who collaborate closely to continuously improve their risk programs can navigate the evolving risks and rewards of AI. The most successful way to be effective and successful in preventing fraud is to have a shared understanding of the risk appetite and compliance program. Sometimes, this will mean the bank has to say no to a potential BaaS partnership, if the partner doesn't align with the bank's risk culture. This can be as simple as one partner shifting focus to a specific industry that the other is not as committed to serving. If one partner is choosing to pivot in a specific direction and the other is not, the partnership is no longer aligned. A shared understanding should be established at the onset of the relationship, but partners should also routinely check in to ensure they remain aligned, as risk appetite is always evolving alongside growth.

The partnership should also clearly identify roles and responsibilities to create clarity and transparency in the fraud prevention strategy. The professionals engaged in the relationship should know how responsibilities are allocated to create a solid foundation of the risk framework. From there, teams should share resources through joint training programs and guides for new regulation or threat activity. Ultimately, a robust program doesn't just identify gaps — it actively closes them. Through regular audits and swift, actionable responses, it ensures vulnerabilities are eliminated, keeping fraud prevention strong and resilient. By embracing these strategies, banks can confidently drive the innovation economy forward, unlocking the full potential of BaaS partnerships while safeguarding against financial crime.

**The Human Response Is Essential**

Technology is a critical component of a successful fraud prevention program, but it can't stand alone. The fact is, humans have an innate ability to detect when something doesn't feel right — robotic behavior, no matter how sophisticated, still raises red flags for human analysts. Outliers that slip past automated systems are often identified by skilled anti-fraud professionals who can spot the subtle signs that machines miss. 

Banking fraud and financial crimes are growing more sophisticated every day, and the banking industry continues to evolve by forging relationships with new partners. While these partnerships can introduce new fraud risks, banks don't have to be vulnerable. By understanding the threats, building strong collaborations, and investing in advanced detection tools, banks can stay one step ahead and protect themselves and their clients. 

**About the Author**

BSA Manager, Grasshopper Bank

Alena Robertson is a seasoned financial crime governance leader with more than a decade of experience in BSA/AML compliance and fraud prevention within financial institutions. As BSA manager at Grasshopper Bank, she spearheads the development and implementation of BSA procedures, ensuring regulatory compliance while mitigating financial crime risks. Alena has a strong track record of building high-performing teams, driving cross-functional collaboration, and forecasting emerging threats to enhance institutional resilience. Before joining Grasshopper, she held key compliance roles at Barclays, Station Casinos, MidFirst Bank, and Nevada State Bank, where she specialized in AML investigations, sanctions monitoring, and regulatory reporting. Recognized for her strategic approach to risk management, Alena continues to lead initiatives that strengthen governance frameworks and align compliance strategies with organizational objectives.

How Banks Can Adapt to the Rising Threat of Financial Crime

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

Romance-baiting losses were up 40% last year, as more and more pig-butchering efforts crop up in the wild.

Source: dpa picture alliance via Alamy Stock Photo

NEWS BRIEF

In what appears to be the more sinister side of romance, the amount of money individuals lost in 2024 to love-baiting scams, known to some as pig butchering, increased 40%.

That's according to ChainAnalysis, which said the scams, in which fraudsters approach their victims on dating apps or sites, groom them, and convince them to give them money or invest in a supposed "business venture," are growing in number, too. The number of people losing money this way increased by 210% year-over-year in 2024, probably because more scams are circulating. The operations are increasingly run out of compounds in Southeast Asia with staffers who are being held against their will.

One piece of good news though: The average loss per person declined 55% year-over-year.

"The combination of lower payment amounts and increased deposits could indicate a change in strategy for pig-butchering scams," said the researchers. "Scammers could be spending less time priming targets, and therefore, receiving smaller payments in exchange for targeting more victims."

Overall, with romance baiting comprising a third of total crypto fraud revenue in 2024, signs — or cupid arrows — point to romance scams becoming even bigger this coming year. Users of dating apps should be wary of connections made online, and should avoid sending money, cryptocurrency, wire transfers, or prepaid gift cards to anyone they don't know personally.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Warning: Tunnel of Love Leads to Scams

CyberArk announces the Zilla deal on the same day leading identity service provider SailPoint returns to the public markets.

Source: Artemis Diana via Alamy Stock Photo

CyberArk has acquired Boston-based startup Zilla as part of its plans to add identity governance and administration (IGA) capabilities to its privilege access management (PAM) platform. The $165 million deal announced Thursday has already closed.

Zella is a small IAG provider that was led by Aveksa founder and CEO Deepak Taneja. CyberArk said it had $5 million in annual recurring revenue last year, 40 employees, and 125 customers. During CyberArk's earnings call with investors, CEO Matt Cohen touted Zilla's "modern" IGA platform.

"In stark contrast to legacy IGA systems, Zilla's modern IGA SaaS \[software-as-a-service\] platform was built from scratch to address today's digital environments characterized by an explosion of staff applications, decentralized management, and identity-based security threats," Cohen said. "Leveraging AI-driven role management, Zilla automates the processes of identity, compliance, and provisioning, making governance easy, intuitive, and all-inclusive for the modern enterprise."

Cohen noted that customers can deploy Zilla five times faster than traditional IGA offerings, resulting in 60% fewer service tickets.

"Legacy IGA are often slow to deploy, difficult to integrate, have limited integration with modern systems, and are reliant on manual processes," Cohen said.

Because CyberArk is integrating Zilla into its platform, Cohen said that in addition to managing entitlements, provisioning, and compliance, the same tool will grant access and provide controls.

"That integrated nature then creates a much more secure footprint across these modern environments," he said.

CyberArk, whose annual revenues topped $1 billion for the first time last year, has aggressively expanded its PAM and identity and access management (IAM) portfolio. Last year, CyberArk acquired nonhuman identity provider Venafi for $1.6 billion.

**Identity and Access Governance Is Vital**

CyberArk's announcement came on the same day that SailPoint returned to the public markets, two years after Thoma Bravo purchased it for $6.9 billion and took it private. Thoma Bravo spun out 60 million shares (roughly 12% of the company, to raise an estimated $1.38 billion in the first major tech IPO of 2025. SailPoint, the largest IGA provider, estimated in its prospectus recurring revenues of $875 million in the fiscal year that ended Jan. 31, a 41% increase over the prior year. Although the company hasn't been profitable, SailPoint reported net loss improved to $235.7 million in the first nine months of 2024, a 23.5% improvement over the previous year.

Just as CyberArk is expanding its IGA offerings, SailPoint has been moving into CyberArk's space with its 2023 acquisition of PAM provider Osirium. In December, SailPoint acquired Imprivata's IGA unit for $10.7 million, plus up to $7.4 million in earnouts.

Alex Bovee, CEO of ConductorOne, another IGA startup that offers an SaaS-based offering to compete with SailPoint and Zilla, says IGA has become an increasingly vital component of cybersecurity posture.

"I think the bull view on this is that every single security company is recognizing that identity and identity governance are critical parts of the stack, and that's why CyberArk made this investment," Bovee said. "CyberArk is traditionally a privileged access management solution, but the future is these converged identity platforms."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Source

DARKReading