With a lack of cybersecurity awareness training resources for all employees, organizations are more susceptible to being breached or falling short when it comes to preventing threats.

New studies show that cybersecurity executives often fail to prioritize software security training for the entirety of a company, instead only deeming it necessary for a select few — and not always for the right reasons.

Nearly half of cybersecurity leaders who provide these kind of training tools don't consider awareness efforts to be essential within their organizations, according to a study conducted by CMD+CTRL Security and Wakefield Research. In addition to this, half of the leaders who do provide security training do so to build a "security culture," but only 41% say they provide training because of the increased risk from third parties and supply chains.

In "Enhancing Cybersecurity: The Critical Role of Software Training," the research data showed that executives who implement these kinds of trainings are highly motivated by factors such as customer satisfaction, time to market, and financial costs when implementing training resources.

Further, cyber leaders who recognize the need for this kind of software security training don't tend to prioritize customized training solutions, either because they don't consider it important or because they don't have the resources to provide it. Ultimately, this leads to a focus on developer-only training, or broad-based training programs that aren't effective, according to the findings.

With the risks that come with inadequate training, however, it's essential that company executives implement effective resources for all employees, tailored to their roles in an organization, the research concluded: "Employees gain the knowledge and skills necessary to identify vulnerabilities and adhere to best practices, learning about the latest threats and how to mitigate against them. This ultimately leads to fewer cyber breaches and a better resilience in an organization's supply chain."

**About the Author**

Cybersecurity Training Resources Often Limited to Developers

A new variant of the sophisticated attacker tool gives cybercriminals even more control over victim devices to conduct various malicious activities, including fraud and cyber espionage.

Source: Brian Jackson via Alamy Stock Photo

A new variant of a sophisticated malware that helps attackers carry out advanced voice and mobile phishing (aka vishing and mishing) attacks against Android users has evolved with new capabilities that extend their control over compromised devices to commit further malicious activities.

FakeCall, a malware that's been tracked by various research groups since at least 2022, conducts the attacks by tricking victims into calling fraudulent phone numbers controlled by the attacker, and then impersonating a typical conversation with bank employees or other entities aimed at defrauding the user in some way.

FakeCall's capability historically lies inherently in its design for communicating with an attacker-controlled command-and-control (C2) server, enabling it to execute a range of actions aimed at deceiving the end user. In addition to allowing attackers to control a person's phone calls, it also allows them to gain access to various permissions to Android devices for other malicious activity.  

Researchers at Zimperium zLabs now have discovered a new variant of FakeCall that adds novel capabilities — some of which appear to be under development — that give attackers even more capabilities to monitor people's device activity and control the device with even more precision, they revealed in a blog post published today.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

The variant demonstrates attackers coming up with new and strategic ways to create a more seamless integration with Android devices, which can help the malware avoid detection and remain active on a user's device without them knowing, the researchers found.

**FakeCall's Extension of Malicious Capabilities**

Specifically, one of the features allows for the malware to integrate with Android's Accessibility Service to give attackers "significant control over the user interface and the ability to capture information displayed on the screen," according to the post.

The feature demonstrates how attackers can evolve past simple device permissions to abuse an even more complex attack vector, "granting attackers near-total control to intercept calls, access sensitive data, and manipulate the user interface," notes Jason Soroko, senior fellow at Sectigo, a provider of certificate life-cycle management (CLM).

By seamlessly mimicking legitimate interfaces, attackers also are making detection by users "nearly impossible," he says, highlighting a critical need for advanced security solutions capable of detecting this threat.

Other new features extend FakeCall's persistent spyware capabilities, which have existed since it was first discovered and set it apart from other vishing and mishing attacks, which tend to be a one-time engagement. One of these is a Bluetooth receiver that acts as a listener to monitor Bluetooth status and changes, while the other is similar, but it acts as a screen receiver to monitor the state of the device's screen.

Related:French ISP Confirms Cyberattack, Data Breach Affecting 19M

**How a FakeCall Attack Works**

FakeCall was first detailed by researchers at Kaspersky in April 2022 as a banking Trojan with extended capability to intercept calls that users make with their banks, to create a fake customer-service experience for malicious purposes.

The malware also had some spyware capabilities, including a feature to turn on a device's microphone and send recordings from it to an attacker's C2 server; the ability to secretly broadcast audio and video from the phone in real time; and the option to pinpoint device location.

A typical FakeCall attack begins when victims download a malicious APK file (masquerading as a legitimate app) onto an Android mobile device through a phishing attack, which acts as a dropper for FakeCall. When launched, the app prompts the user to set it as the default call handler and, once designated, attackers can manage all incoming and outgoing calls. The malware then displays a custom interface mimicking the native Android dialer, seamlessly integrating its malicious functionality.

Related:Delta Launches $500M Lawsuit Against CrowdStrike

While the primary function of FakeCall is to monitor outgoing calls and transmit info to attackers via a C2 server, cyberattackers also can commit other malicious activities using the malware. These include identity fraud, which can be done by exploiting FakeCall's position as the default call handler. The malware can modify the dialed number, replacing it with a malicious one and thus deceiving users into making fraudulent calls.

Attackers also can use FakeCall's adversary-in-the-middle (AitM) approach to hijack incoming and outgoing calls, to make unauthorized connections with other mobile device users. "In this case, users may be unaware until they remove the app or restart their device," according to the post.

**Defending Against FakeCall Attacks**

As vishing and mishing attacks have become a worldwide epidemic that defrauds users of millions of dollars annually — including even the most tech-savvy individuals — it's imperative that people learn to defend themselves from sophisticated versions of these attacks, experts say.

One way to do this is to scrutinize carefully any Android apps being downloaded or used on devices, and to only acquire apps from trusted app stores, Soroko says.

FakeCall is especially dangerous to enterprises given that mobile these days is a primary tool for doing business. This makes compromise of that device potentially "catastrophic," notes Mika Aalto, co-founder and CEO at Hoxhunt, a human risk management platform.

To avoid this scenario, the most important thing that companies can do, Aalto says, is to "equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing attack."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Vishing, Mishing Go Next-Level With FakeCall Android Malware

Outages are inevitable. Our focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is about keeping bad actors out while maintaining stability and reliability.

Source: Igor Goncharenko via Alamy Stock Photo

COMMENTARY

In an era where digital security is paramount, organizations invest heavily in cybersecurity tools to defend against cyberattacks. However, these same tools — designed to protect — can sometimes be the cause of major disruptions. From botched updates to unforeseen errors in protective software, the very systems meant to safeguard us can lead to widespread outages, with the recent cases of CrowdStrike and Verizon standing out as prime examples. 

**The Fine Line Between Protection and Disruption**

Cybersecurity solutions are essential in our interconnected world, helping businesses and governments protect sensitive data, infrastructure, and user privacy. However, when improperly handled, even the best tools can turn from protectors into sources of failure. 

Known for its strong cybersecurity offerings, CrowdStrike rolled out a threat intelligence update to its Falcon platform in July that inadvertently caused a major global outage, affecting airlines, banks, and hospitals. This incident, which resulted from a software glitch during the delivery of its "Rapid Response Content" threat signatures, left critical services temporarily offline, reminding us that even the most advanced security systems aren't infallible. 

Similarly, in September, Verizon experienced a massive network outage that left millions of customers without mobile service across the US. Although the exact cause of the outage is still under investigation, fears of a cyberattack have been discussed. However, early signs suggest that it could have stemmed from a technical issue or mismanagement during a network upgrade — further highlighting how small oversights in maintaining or updating network infrastructure can have outsized consequences. 

**The Domino Effect: More Than Just an Inconvenience**

When cybersecurity or networking systems fail, the impact often ripples far beyond the initial disruption. Take Verizon's outage as an example: Businesses dependent on the network lost critical communication channels, customer service teams were unable to assist clients, and productivity ground to a halt for countless users. These events illustrate the profound dependency modern society has on digital infrastructure, and when that infrastructure falters, so do economies, health services, and day-to-day life. 

But outages like these also create windows of opportunity for cybercriminals. When networks are down or overwhelmed, attackers may exploit system vulnerabilities or use the chaos as cover for more nefarious activities, such as distributed-denial-of-service (DDoS) attacks, ransomware deployments, or supply chain compromises. Therefore, resilience and proper update protocols are just as important as the defensive capabilities of any cybersecurity tool. 

**Lessons for the Industry**

These high-profile outages, including Verizon's and CrowdStrike's, serve as reminders that robust cybersecurity involves more than just tools — it requires continuous testing, resilience planning, and careful management of system updates. 

Key takeaways for businesses include: 

*   Test updates thoroughly: Even the best security patches can introduce new risks if not properly vetted. 
    

*   Invest in incident response: Prepare for outages or failures by developing comprehensive response plans that prioritize minimizing downtime and ensuring customer communication. 
    

*   Stay vigilant: Disruptions provide opportunities for attackers. Ensure that security monitoring continues even during outages. 
    

**Looking Forward**

As technology evolves, so must our approach to cybersecurity. While outages are inevitable, the focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is not just about keeping bad actors out — it's also about maintaining stability and reliability within the infrastructure itself. 

Cybersecurity tools must balance protection with resilience, ensuring that the systems designed to defend us don't inadvertently cause more harm. 

**About the Author**

Director of Security, Owlet Baby Care

Yvonne Dickinson is currently the Director of Security for a global and publicly traded company. Her depth of expertise resides within application and cloud security, although she is a generalist across the other security domains. Yvonne is extremely passionate about advocating for women in STEM fields and strives to make an impact where she can. Although her official title is Security Director, that job is secondary to her primary role as CMO — Chief Mom Officer — to her family. As a technical leader, she strives to find balance in her work and her home so she can succeed at both her jobs, and she empowers her team to do the same.

When Cybersecurity Tools Backfire

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Source: Tierfotoagentur via Alamy Stock Photo

Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.

Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.

Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.

These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, allowing cyberattackers an array of powers imaginable from a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**CrossBarking Opera Browser Attack**

The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.

Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.

That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.

So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and covered its maliciousness enough to get approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.

Related:When Cybersecurity Tools Backfire

To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.

"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — \[we didn't\] have enough time to check all of the possibilities."

**Security vs. Functionality in Browser APIs**

In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.

Related:Recurring Windows Flaw Could Expose User Credentials

To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.

"The infrastructure of Chromium is \[such that\] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.

He adds: "In this case, again, it wasn't even in their \[app store\]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. \[They have to see\] the entire ecosystem, not only this vulnerability, to keep up with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

Source: tdhster via Shutterstock

All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.

Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

**Variant of Two Previous Vulnerabilities**

The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.

Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I originally found two key,value pairs that could accept file paths," he says.

The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This \[meant\] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).

**Microsoft Will Act 'As Needed'**

What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft \[on\] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."

A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company does not appear to have issued a CVE, or vulnerability identifier, for the new issue yet.

Like the two previous Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting \[an\] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."

Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "\[An\] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, it's more likely than an attacker would try to exploit the flaw in a targeted campaign more so than in a mass exploit.

Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Recurring Windows Flaw Could Expose User Credentials

A professional-grade tool set, appropriately dubbed "CloudScout," is infiltrating cloud apps like Microsoft Outlook and Google Drive, targeting sensitive info for exfiltration.

Source: Design Pics Inc. via Alamy Stock Photo

The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a sleek, professional post-compromise toolset that retrieves data from various cloud services by leveraging stolen Web session cookies.

That's according to researchers at ESET, who uncovered CloudScout while investigating a pair of past breaches in Taiwan (targeting a religious institution and a government entity).

CloudScout is written in .NET, and it's designed to work seamlessly with MgBot, Evasive Panda’s proprietary malware framework. Via a plug-in architecture, MgBot feeds CloudScout previously stolen cookies, which it then uses to access and infiltrate data from the cloud, using the pass-the-cookie technique to hijack authenticated sessions from Web browsers.

ESET researchers observed individual CloudScout modules targeting Google Drive, Gmail, and Outlook, but in all, they believe Evasive Panda has developed modules for attacks on least 10 different cloud apps.  

"These modules are designed to access public cloud services … by hijacking authenticated Web sessions," according to ESET's analysis, released on Oct. 28. "This technique relies on stealing cookies from a Web browser database, then using them in a specific set of Web requests to gain access to cloud services," thus avoiding authentication checks like two-factor authentication (2FA) and IP tracking.

Related:Mobile Apps With Millions of Downloads Expose Cloud Credentials

After authentication, the CloudScout modules use a set of hardcoded Web requests, as well as complex HTML parsers to identify and extract any data of interest from Web responses, such as email folder listings and email messages. Once the data is collected, it's compressed into a .zip archive that can then be exfiltrated by either MgBot or another proprietary backdoor called Nightdoor.

**Chinese APT Hones Cyberespionage Arsenal**

Evasive Panda (aka Bronze Highland, Daggerfly, or StormBamboo) is an advanced persistent threat (APT) that's been operating since at least 2012, focused mainly on cyber espionage against civil society targets.

These include "independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China," ESET researchers noted. "At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea." It has also been seen targeting a handful of victims in Nigeria.

The Chinese APT is known for consistently evolving its cyberattack techniques, but the latest iteration is notable in its sophistication, the researchers wrote.

Related:SoftwareOne Launches Cloud Competency Centre in Malaysia

According to ESET, "The professional design behind the CloudScout framework … demonstrates Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

In the latest attack against ISPs, second-largest French provider Free fell victim to unknown cyberattackers who attempted to sell the compromised data it stole from the company on an underground cybercrime forum.

Source: Timon Schneider via Alamy Stock Photo

Free, a French telecommunications company and the second largest Internet service provider (ISP) in the country, has disclosed a cyberattack it fell a victim to over the weekend. It's the latest in a line of attacks against ISPs and telcos of late.

A threat actor stole information from the company's internal management tool, gathering data on the company's subscribers, and attempted to sell the data on the Dark Web in a cybercrime forum, the ISP confirmed to Agence France-Presse (AFP) on Oct. 26.

The hacker, known as "drussellx," posted a message on the forum, putting two databases stolen from the ISP company up for auction. The databases reportedly contained information on more than 19 million customer accounts, and more than 5 million international bank account details.

The bad actors gained "unauthorized access to some of the personal data associated with the accounts of certain subscribers," according to Free, which has more than 22 million mobile and fixed subscribers. However, it stressed that no passwords, bank-card information, emails, SMSs, or voicemails were compromised, and that its services were not been impacted.

Internet service provider networks are increasingly being targeted by bad actors in attacks to steal data and set up base for new tactics and techniques. Take advanced persistent threat (APT) Salt Typhoon, for example, which has been targeting these networks in the US, likely due to the information they can garner, such as home addresses, billing information, SMSs, and more.

Another APT group, known as Evasive Panda (aka StormBambaoo and DaggerFly), also targets ISPs, using them as a launchpad to exploit software vendor update mechanisms by using DNS poisoning.

Now, in the wake of its own ISP attack, Free reports that it soon will be informing impacted customers via email regarding the breach. It has also filed a criminal complaint and informed France's National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI).

French ISP Confirms Cyberattack, Data Breach Affecting 19M

A collaboration with the FBI and law-enforcement agencies in Europe, the UK, and Australia, Operation Magnus has seized servers and source code related to the two malware families, which have stolen data from millions of victims worldwide.

Source: JVPhoto via Alamy Stock Photo

The FBI in collaboration with various international law-enforcement agencies has seized the servers and source code for the RedLine and Meta stealers as part of Operation Magnus, and US authorities have charged one of RedLine's developers with various crimes. The stealers are responsible for the theft of millions of unique credentials from international victims, authorities said.

The intelligence bureau and the US Department of Justice (DoJ) are among several international agencies — including Dutch National Police, Belgian Federal Police, Belgian Federal Prosecutor’s Office, UK National Crime Agency, Australian Federal Police, Portuguese Federal Police, and Eurojust — that on Oct. 28 disrupted the operation of the cybercriminal group behind the stealers, which authorities claim are "pretty much the same" malware in a video posted on the operation's website.

Investigations into RedLine and Meta started after authorities learned about the potential of servers in the Netherlands being linked to the malware, according to a press statement by the European Union Agency for Criminal Justice Cooperation. Investigators went on to discover that more than 1,200 servers in dozens of countries were running the stealers.

Authorities eventually collected victim log data stolen from computers infected with RedLine and Meta, identifying millions of unique usernames and passwords, as well as email addresses, bank accounts, cryptocurrency addresses, and credit card numbers that have been stolen by various malware operators. Moreover, the DoJ believes that there is still more stolen data to be recovered, it said in a press statement on Operation Magnus.

Law enforcement also seized source code for RedLine and Meta as well as REST-API servers, panels, stealers, and Telegram bots that were being used to distribute the stealers to cybercriminals. Both malwares are typically are sold via cybercrime forums and through Telegram channels that offer customer support and software updates.

**RedLine Developer Charged by the DoJ**

As part of the US operation, the DoJ has charged Maxim Rudometov, one of the developers and administrators of RedLine, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer intrusion, and 20 years in prison for money laundering.

The DoJ also unsealed a warrant issued in the Western District of Texas that authorized law enforcement to seize two domains used by RedLine and Meta for command and control (C2). Dutch police also took down three servers associated with the stealers in the Netherlands, and two more people associated with the criminal activity were taken into custody in Belgium.

Assistant US Attorney G. Karthik Srinivasan is prosecuting the case in the US, while the investigation in Texas is being conducted by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division, among other agencies.

**Widespread Stealer Distribution**

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via Telegram and online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment card details. It can also take a system inventory to assess the attack surface for further attacks. 

To that end, RedLine also can perform other malicious functions, such as uploading and downloading files, and executing commands. Meta meanwhile is basically a clone of RedLine that performs similar functions and also operates through an MaaS model.

Because of their widespread availability, both stealers have been used by threat actors with various levels of sophistication. Advanced actors have distributed the stealers as an initial vector upon which to perform further nefarious activity, such as delivering ransomware, while unsophisticated actors have used one or the other of the stealers to get into the cybercriminal game to steal credentials. Those credentials are often sold to other cybercriminals on the Dark Web to continue the cycle of cybercrime.

One popular way cybercriminals have distributed the stealers is to hide them behind Facebook ads, including ones promoting AI chatbots like ChatGPT and Google Bard. Other attack vectors have used phishing to embed the stealers in malicious files or links attached to emails.

International authorities plan to continue their investigations into the criminals using data stolen by the infostealers. For people concerned they may have been criminalized by RedLine and/or Meta, ESET is offering an online tool to allow people to check to see if their data was stolen and what steps they should take if it has.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI, Partners Disrupt RedLine, Meta Stealer Operations

Great CISOs are in short supply, so choose wisely. Here are five ways to make sure you've made the right pick.

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

The artificial intelligence (AI) investment cycle we are currently in will drive new levels of cybersecurity risk in pretty much every organization, making the cybersecurity chief a CEO's most important current hire. Great chief information security officers (CISOs) — who blend technical, strategic, board-level communication, and leadership skills — are in high demand and short supply, and with technology constantly changing, the cybersecurity skill set is changing, too.  

**Attracting the Best**

How do CEOs, their executive teams, and their HR partners attract the best of the market? Here are a few ways.  

1\. Level and structure the role appropriately: If security — of enterprise data, customer information, or data right in the product itself — is so critical to your organization that one mishap can have a major impact on your revenues, then give the role some teeth. Don't bury it under IT operations, where you will attract a technologist, not a leader. Either have the CISO report to the chief information officer (who, in turn, should be reporting to the CEO given the critically of technology to your business) or make the CISO a CIO peer. If your security risk is less life threatening, and your CIO has depth in security, you can consider moving them down a layer. Is the CISO responsible for enterprise security or product security or both? Will the CISO have a small matrixed organization or a larger dedicated team?  While the right CISO will help you answer some of the questions, the more thoughtful you’ve been about these questions ahead of time, the better.  

2\. Educate your board: Public company boards do not yet fully understand their role in cyber governance. They often equate security to technology and tools rather than emphasizing the human behavior side of cyber incidents. While the board does not need to know the latest tools, they should understand what truly lies behind cyber incidents and how they should govern. By showing that you've primed the pump, and your CIO has been bringing the board up to speed on the risks and return of digital technologies, you are demonstrating a tech-savvy board. The market’s best CISO will see a savvy board as a requirement.  

3\. Think about both defensive and offensive tactics: The best CISOs will balance the defensive and offensive postures of information security. They will see the cyber role as both facilitating the growth of the business and securing it from cyber-risk. Show these rare birds that your board, executive committee, and CIO understand that technology must be a strategic advantage, not an unfortunate cost. Do your discussions about IT focus on expense only, or are your IT investments clearly aligned to your business value streams? Does your CEO talk in company meetings about how important technology is to the growth of the company? The quality of the CISO you can attract depends on our view of the impact of technology on your business.  

4\. Build and demonstrate a change management capability: People resist change, particularly if they do not perceive value in the change. Getting a large organization to follow security protocols takes a tremendous amount of adoption effort and change management. The better your organization is at driving the right behaviors in your employee base, the stronger your security program. During your candidate interviews, extoll the virtues of your change management team and your executive committee's understanding that good security is about culture, behaviors, education, and change. In fact, "change management" is quickly becoming the most important skill set of any technology leader, CISOs included.  

5\. Involve the board in the interview process: Actions speak louder than words, and a few board interviews will demonstrate to your CISO finalist that you and the board take cybersecurity seriously. It will also allow the CISO to assess his or her dynamic with the board. The board-CISO relationship is only going to be become more important, so getting an early read on that relationship will help ensure that it will work.   

With every dime we spend on AI, we produce risk. With every new Internet of Things (IoT) product we sell, we open a cybersecurity door. With every day that passes, our cyber foes are getting smarter. CEOs and their teams have a powerful weapon to fight these forces: the ability to attract the right CISO. While most companies have a head of security, these professionals are not all created equal. Some are "tool jockeys" who love technology but not people; then there are the CISOs with great regulatory knowledge but lacking great influencing skills. When you identify the right blend of technical, communication, and leadership skills, by showing your candidates know that you are serious about cybersecurity, you can make the right hire.  

**About the Author**

CEO, Heller Search

Martha Heller is a widely followed thought leader on technology leadership talent, and CEO of Heller Search, a premier technology executive search firm. Over the course of her career, Martha has become an authoritative voice on technology leadership and executive search. She has recruited hundreds of chief information officers (CIOs), chief technology officers (CTOs), architects, and other senior technology positions, and become a trusted adviser to executives around the country.

How to Find the Right CISO

Sophos CEO Joe Levy says the $859 million deal to acquire SecureWorks from majority owner Dell Technologies will put the Taegis platform — with network detection and response, vulnerability detection and response, and identity threat detection and response capabilities — at the core.

Source: DigitalStorm via iStock Photo

Sophos is doubling down on managed detection and response (MDR) services. Last week's agreement to acquire SecureWorks in an $859 million all-cash deal is set to close in early 2025 pending customary approvals, accelerating Sophos' push into MDR and extended detection and response (XDR) with SecureWorks' popular Taegis platform at the core, the company said.

SecureWorks has only 4,000 customers to Sophos' 600,000, but the company offers advanced XDR capabilities built on a cloud-native data lake architecture to larger enterprises and delivered by service providers. Building on its managed XDR capabilities, SecureWorks this year added network detection and response (NDR), vulnerability detection and response (VDR), and, most recently, identity threat detection and response (ITDR) to the Taegis platform.

Dell Technologies, which owns nearly 80% of SecureWorks' publicly traded shares, has been exploring ways over the years to divest its control of the security provider. Dell joins the small club of large companies that have quit the operations business this year: IBM abruptly announced the sale of its QRadar SaaS portfolio to Palo Alto Networks, and AT&T spun out its managed security business, now known as LevelBlue.

Meanwhile, Sophos was looking to add an advanced XDR and MDR platform that it could integrate with its own Sophos Central security operations center. The central management tool provides endpoint, server and email protection, and access to other security services, including firewall, cloud, and encryption, among other point offerings.

Sophos, which also added its vendor-agnostic MDR service to its portfolio in late 2022, quickly saw demand for it from its customers, says Enterprise Strategy Group principal analyst Dave Gruber.

"Scaling operations to serve an audience of this size is challenging, making this acquisition a smart move for Sophos, as SecureWorks has many of the best and brightest security professionals in the industry," Gruber says.  

**Building an XDR Platform on Taegis**

Sophos CEO Joe Levy says he can't reveal specific integration plans while the deal, set to close in the first quarter of 2025, undergoes regulatory clearance processes. But he doesn't dispute that bringing Taegis and Sophos Central together is what is driving this deal, which would mark the largest since the company was founded in 1985.  

"We're aiming toward this world where we bring together the best hits of the two operations," Levy tells Dark Reading. "We will figure out that combination of the technology stack — Taegis inside Sophos Central and the security operations center itself."

That will include delivering the MDR business and the VDR, managed risk, and ITDR, he adds.

"\[It's\] the service component that customers are relying on to help to keep them secure," Levy says.

Besides determining a unified approach to provisioning services from SecureWorks and Sophos offerings, a key challenge will be enabling collaboration among the security operation teams within its MDR business, customers, and partners — notably MSPs and MSSPs that deliver the two companies' respective offerings, Levy explains.

"We want to produce the best possible workflows while demonstrating empathy and understanding of what the security operators are doing every single day," he says. "These are the driving principles that are going to be guiding the way that we undertake this."

**SecureWorks Shift to XDR Platform**

SecureWorks began developing Taegis in 2017 and launched it in early 2021. Taegis is built with a data lake architecture designed to ingest and normalize data and an analytics engine built to identify, prioritize, and block threats.

SecureWorks CEO Wendy Thomas told investors during the company's Q2 2025 quarterly earnings call in September that she sees continued growth potential for Taegis.

"We've increasingly seen customers more than ready to move away from noisy, hard, and expensive-to-maintain SIEMs \[security information and event management\] to an XDR approach to detection and response," she said. "That trend is only accelerating."

Analysts and customers have given Taegis high marks.

"The Taegis platform from SecureWorks has great detection and response capabilities," says IDC analyst Craig Robinson.

While SecureWorks' and Sophos' respective MDR services offer many similar features, Robinson notes that Sophos' offering has a more vendor-independent model than Taegis.

"While there's overlap, Sophos has more individual products while Taegis is a platform," he says.

Independent consultant William Klusovsky says he believes that adding SecureWorks is poised to deepen Sophos' reach into larger enterprises and offer richer services to small and midsize organizations. But he warns that Sophos could "fumble" that potential if it doesn't adequately invest in the integration of the products.

"If they are too short-sighted and focus only on financials and returns, they could end up with two businesses that don't work together and lose the talent they need to create the right business," Klusovsky says. "They need to have a vision, stick to it, and believe in it."

**Transition to Managed Security Services**

Sophos is owned by private equity firm Thoma Bravo, whose portfolio is mostly product companies, while both SecureWorks and Sophos have been shifting to services, Klusovsky notes.

"The services industry is very different," he says. "The good news is the product road maps and integrations should be something they can create efficiency with and drive in a positive direction. The unknown is going to be in managing service delivery, sales, the channel, and go-to-market as these motions are very different for a managed services provider than a product company."

Levy says he first started driving the shift from a product-only cybersecurity business to a hybrid product and services business in 2018, before Sophos agreed to be acquired by Thoma Bravo.

"We now think of it more in terms of life cycles of engagement with our customers, rather than just selling them a product or selling them a service," Levy says. "We're working in collaboration with this ecosystem of cybersecurity players to maintain life cycle engagements with customers, so just pray that the next point solution they buy is actually going to provide better security."

Similarly, SecureWorks has undergone several significant changes, having shifted from operating as a managed security services provider to a platform supplier. Instead, SecureWorks tapped its ecosystem of channel partners to offer the Taegis platform with their own managed security services.

IDC forecasts that demand for managed security services will grow to $44 billion in 2024, up from $39.5 billion in 2023. Demand is estimated to grow to $49.2 billion next year, IDC's Robinson says. Driving the growth are shrinking budgets and a dearth of skilled security operations talent.

"Everyone's looking at and making sure that for every dollar spent, it's being spent in the right way," he says. "And managed security services is not only a better way, but it's also, more often, a better outcome."

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Source

DARKReading