### Impact
Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website.

### Patches
The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The [docker images](https://hub.docker.com/r/wgportal/wg-portal) for the tag 'latest' built from the master branch also include the fix.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-2r2v-9pf8-6342

**WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover**

High severity GitHub Reviewed Published Jan 7, 2025 in h44z/wg-portal • Updated Jan 7, 2025

**Package**

gomod github.com/h44z/wg-portal (Go)

**Affected versions**

\>= 2.0.0-alpha.1, < 2.0.0-alpha.3

**Patched versions**

2.0.0-alpha.3

**Impact**

Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website.

**Patches**

The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The docker images for the tag 'latest' built from the master branch also include the fix.

**References**

*   GHSA-2r2v-9pf8-6342
*   h44z/wg-portal@62dbdfe

Published to the GitHub Advisory Database

Jan 7, 2025

GHSA-2r2v-9pf8-6342: WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover

### Impact

Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes.

### Patches

matrix-sdk-crypto 0.8.0 adds a new `VerificationLevel::VerificationViolation` enum variant which indicates that a previously verified identity has been changed.

### Workarounds

N/A

### References

- Patch: https://github.com/matrix-org/matrix-rust-sdk/pull/3795


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-52813

**matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity**

Moderate severity GitHub Reviewed Published Jan 7, 2025 in matrix-org/matrix-rust-sdk • Updated Jan 7, 2025

**Package**

cargo matrix-sdk-crypto (Rust)

**Affected versions**

< 0.8.0

**Impact**

Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes.

**Patches**

matrix-sdk-crypto 0.8.0 adds a new VerificationLevel::VerificationViolation enum variant which indicates that a previously verified identity has been changed.

**Workarounds**

N/A

**References**

*   Patch: matrix-org/matrix-rust-sdk#3795

**References**

*   GHSA-r5vf-wf4h-82gg
*   matrix-org/matrix-rust-sdk#3795

Published to the GitHub Advisory Database

Jan 7, 2025

GHSA-r5vf-wf4h-82gg: matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity

We can't put defense on hold until Inauguration Day.

Christy Wyatt, President & Chief Executive Officer, Absolute Security

January 7, 2025

3 Min Read

Source: Albert Knapp via Alamy Stock Photo

COMMENTARY

In 1998, President Bill Clinton published the first White House national cyber policy. Since then, cyberattacks have evolved alongside the explosive growth of the digital world, as have laws, policies, and regulations. Although there's been continuous federal activity around cyber since the early days of the Internet, the level of seriousness and attitudes toward how much control government should exercise over technology and cybersecurity fluctuates, with debates continuing to rage over how free or controlled the tech markets should be.

With the upcoming changing of the guard in the US, those of us in the domestic cybersecurity and technology industries are all wondering where we will land. Will the Cybersecurity and Infrastructure Security Agency (CISA) be eliminated? Will we see a raft of new security, privacy, and compliance laws? Will current cybersecurity regulations be deprioritized? Will rapid deregulation undo much of what we've already adjusted to? No one really knows.

Despite the uncertainty, one thing cybersecurity and risk professionals all know is that cybercriminals aren't putting their plans on hold until after Inauguration Day. If anything, threat actors will ramp up activities to take advantage of this current period of post-election uncertainty. Those of us responsible for protecting the public and private sectors know that now isn't a time to debate which side has the better security plan. It's time to come together in our efforts to create a more resilient and secure nation. Of course, this is easier said than done. Every time we adopt a standard or best practice, some enterprising cybercriminal develops a new way to counter it. However, there are some basic and fundamental steps any organization that wants to thrive in the years to come should take.

**Defense Steps We Can Take Now**

*   Prioritize security: While policies may change, the fundamentals of keeping your organization secure and resilient do not. Your organization's ability to do business depends on proactive preparation. Don't wait for the next set of rules to be handed down from Washington — prepare now. 
    
*   Focus on recovery: Attacks and disruptions are inevitable; business continuity is essential. Evaluate and refine your remediation plans continually to ensure they address potential disasters. It's cliché to state that "failure to plan is planning to fail," but it's also true. Being prepared will reduce the time it takes you to recover from an incident.
    
*   Adopt common standards and language: Standards create a shared language for finding risks, and using existing frameworks will drive faster and more cohesive responses. Let's all get on the same page in terms of how we share information about challenges we face and which standards and frameworks map back to specific risks. This is an industry discussion and does not require any agency to facilitate this type of a forum. 
    
*   Own your cyber accountability: Governments, vendors, and enterprises all share responsibility for mitigating risks and ensuring continuity through adversity. You need to be ready to ride to your own defense — there is no calvary behind a digital hill ready to ride to your rescue.
    

Over the next 12 to 18 months, we can expect to see rapid and unpredictable changes. New challenges and risks will arise out of trade disputes, domestic policies, geopolitical events, and the growth of AI. The security problems we face today require a unified and focused approach. Changing administrations — anywhere in the world — should not distract us from the critical task at hand. Let's collectively commit to ensuring security and resilience for all organizations, whether they be part of the critical national infrastructure (CNI), an essential supply chain, or a favorite consumer brand. Remember, cybercriminals don't care about national cyber policy or politics. We can't put defense on hold until Inauguration Day.

**About the Author**

President & Chief Executive Officer, Absolute Security

Christy Wyatt is president and chief executive officer of Absolute Security, a leader in enterprise resilience, and the only endpoint and secure access provider embedded in more than 600 million endpoint devices globally.

Cybercriminals Don't Care About National Cyber Policy

Ramat Gan, Israel, 7th January 2025, CyberNewsWire

**Ramat Gan, Israel, January 7th, 2025, CyberNewsWire**

CyTwist, a leader in advanced next-generation threat detection solutions, has launched its patented detection engine to combat the insidious rise of AI-generated malware.

The cybersecurity landscape is evolving as attackers harness the power of artificial intelligence (AI) to develop advanced and evasive threats. The rise of AI-generated malware and AI-enhanced cyberattacks has escalated the threat landscape, leaving traditional defenses struggling to keep up. Businesses now face the critical challenge of adapting to this new era of cyber warfare, characterized by speed, sophistication, and adaptability.

**The Threat of AI-Driven Cyberattacks**

AI has altered the dynamics of cyber conflict, enabling attackers to execute sophisticated operations previously associated with state-sponsored entities. AI-generated phishing emails, adaptive botnets, and automated reconnaissance tools are now common components of cybercriminal tactics. These technologies bypass signature-based defenses and mimic legitimate behavior, making detection more challenging.

For example, in a recent attack on French corporates and government agencies, an AI-engineered malware exploited advanced techniques like COM hijacking and encrypted payloads, enabling attackers to remain undetected for extended periods, exfiltrate sensitive data, and establish long-term persistence within the network. This incident highlights three key risks of AI-driven attacks:

·      Sophistication: AI allows attacks to evolve in real-time, rendering static defenses obsolete.

·      Speed: Automated reconnaissance and attack execution drastically reduce the time needed to breach networks and execute the attack.

·      Evasion: AI-generated threats mimic human behavior, complicating detection for security teams.

In response to this growing challenge, CyTwist has developed a patented detection engine that identifies stealthy, AI-driven attack campaigns and malware that bypass traditional security tools, including leading EDR and XDR solutions. By leveraging advanced behavioral analysis, CyTwist Profiler identifies new and emerging threats in real time, stopping attackers before they can cause harm.

**CyTwist: Advanced Defense Against AI-Generated Threats**

CyTwist recently demonstrated its advanced detection capabilities during a red team simulation with a major telecommunications provider. The exercise mirrored the sophisticated techniques observed in the recent attack on French organizations and government agencies, employing AI-generated malware with encryption and evasion tactics. While the existing security tools failed to detect the attack, CyTwist’s solution identified malicious activity within minutes.

The head of incident response at the telecom operator highlighted the tool’s value, stating “We were impressed by CyTwist’s capability of detecting sophisticated, AI-generated malware that our EDR had failed to pick up. CyTwist provided the critical insights we needed to detect the attack in time, adding a valuable security layer against AI-generated threats.”

This simulation underscored the importance of adopting advanced technologies to address modern cyber challenges.

> “The use of AI in cyberattacks is reshaping the threat landscape, enabling attackers to operate elusively and at speed, capable of gliding past traditional security solutions. Our patented detection engine is specifically engineered to address these challenges.” Said Eran Orzel, CEO of CyTwist.

**Strategies for Mitigating AI-Generated Threats**

As organizations face increasing threats from AI-driven attacks, proactive strategies are essential. Key recommendations include:

**1\. Adopting Advanced Detection Technologies:** Traditional detection tools are not always sufficient defense against the dynamic nature of modern cyber threats. Modern detection tools that leverage AI, machine learning, behavioral analytics, and anomaly detection are needed to uncover threats missed by traditional approaches.

**2\. Prioritized Rapid Detection and Response:** Speed is critical when responding to AI-driven threats. Continuous monitoring and automated response systems enable swift containment of threats and real-time triage tools help security teams focus on critical alerts and ignore the noise.

**3\. Enhanced Resilience Through Security Frameworks:** Building adaptive security frameworks that integrate advanced detection tools will enable a response to emerging threats in real time. Regular training for security teams is needed to build the skills to counter the latest AI-driven attack methods.

CyTwist’s patented detection engine represents a significant advancement in addressing AI-enhanced cyber threats, providing organizations with the tools needed to navigate this increasingly complex landscape.

To learn more about CyTwist’s cutting-edge solutions, users can visit cytwist.com or reach out via \[email protected\].

**About CyTwist**

CyTwist is an advanced cybersecurity solution, specializing in next-generation threat detection and response. Its patented detection engine enables organizations to stay ahead of evolving threats, providing unmatched protection against stealthy, AI-generated attacks and novel malware. CyTwist was founded by a team of experienced cybersecurity professionals and former intelligence officers who bring extensive expertise in counterintelligence and cybersecurity.

In an era where attackers leverage AI to outpace traditional defenses, CyTwist Profiler provides a critical layer of security, enabling organizations to detect, investigate, and neutralize threats before they cause harm.

**Contact**

**CEO**  
**Eran Orzel**  
**CyTwist**  
**\[email protected\]**

CyTwist Launches Advanced Security Solution to identify AI-Driven Cyber Threats in minutes

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of…

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of US telecom companies breached by Chinese state-sponsored hackers in the Salt Typhoon campaign.

The list of telecommunications companies compromised in the **Salt Typhoon cyberattack** continues to grow, with recent reports naming Charter Communications, Consolidated Communications, and Windstream as the latest victims of Chinese government espionage. 

This follows previous confirmations from **AT&T, Verizon, T-Mobile**, and Lumen Technologies, as earlier reported by Hackread.com, that their networks had been breached. According to Anne Neuberger, White House deputy national security adviser for cyber and emerging technologies, Chinese hackers have targeted nine US telecoms, with the latest three remaining unclear.

The Wall Street Journal **reported** that Chinese spies exploited vulnerabilities in network devices from Fortinet and Cisco to gain unauthorized access to these telecom networks. In some cases, attackers gained control of high-level network management accounts lacking multi-factor authentication, granting them access to several routers. This access allowed them to potentially monitor network traffic and cover their tracks.

This incident has prompted several government-level security developments. The US Department of Treasury **recently sanctioned** a Chinese cybersecurity company for its role in another cyberattack, and the US government is taking steps to strengthen the security of American telecom infrastructure.

These measures include increased scrutiny by the FCC, legislative efforts to enhance security, and recommendations for individuals and organizations to improve their cybersecurity practices.

Moreover, given the ongoing wave of Salt Typhoon’s breaches, the US Cybersecurity and Infrastructure Security Agency (CISA) is advising government officials to switch to end-to-end encrypted messaging apps like Signal. 

The latest revelation highlights the growing threat of Chinese cyberattacks on US infrastructure, with the Salt Typhoon campaign indicating a shift from traditional espionage to more disruptive activities. Experts urge organizations in international business or critical infrastructure to enhance their cybersecurity defences.

**Chris Hauk**, Consumer Privacy Champion at Pixel Privacy commented on the latest development stating, _“_Possible targets of these Chinese attackers need to immediately follow the steps outlined by the FBI and NSA to help harden their systems against attack. Actually, any organization would be advised to follow the steps._“_

_“_Patching and upgrading apps and devices, limiting the types of connections and privileged accounts, and only using strong encryption, are just some of the steps organizations can take to harden their systems against attack_,”_ Chris added.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **CISA – FBI: Chinese Hackers Compromised US Telecom Networks**
3.  **US Charges 5 Suspected MGM Hackers from Scattered Spider Gang**
4.  **Microsoft: Chinese Flax Typhoon uses legit tools for cyber espionage**
5.  **Chinese Hackers Breach US Firm, Maintain Network Access for Months**

US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers

Cybersecurity industry visionary and renowned executive Amit Yoran has passed away after an almost one-year battle with cancer.

Amit Yoran, Source: Tenable

The cybersecurity industry reacted with shock at the loss of Amit Yoran, the renowned cybersecurity executive who helmed several of the biggest cybersecurity companies, including Tenable, RSA Security, and NetWitness. Yoran was also the founding director of the US Department of Homeland Security's US Computer Emergency Readiness Team (US-CERT) program.

Yoran, 54, died on Jan. 3. He had been in treatment for cancer since March 2024 and took a medical leave of absence on Dec. 5 to pursue additional treatment.

Yoran became the chairman and CEO of Tenable Holdings in 2016 following the retirement of co-founder Ron Gula; he also became the company's president in 2018. Yoran led the company's growth and successful $250 million Nasdaq initial public offering (IPO) in 2018. The exposure management company was valued at $2.1 billion at IPO; it is now worth $4.69 billion. In 2022, Tenable launched Tenable One, which combined vulnerability management, external attack surface management, identity management, and cloud security.

"Amit leaves behind an incredible legacy as a visionary, leader, colleague, mentor, brother, father, and friend. He touched the lives of so many within and beyond our company and he will be missed," Tenable said in a statement. "We understand that this news may come as a shock, and we encourage you to take the time to process this difficult loss." 

Prior to Tenable, Yoran served as president of RSA Security from 2014 to 2016. He founded threat detection and response platform NetWitness in 2006 and led the company until 2011, when it was acquired by RSA Security. In 1998, Yoran co-founded RIPtech, a managed security services provider that used sensor networks to protect government and corporate computers. RIPtech was acquired by Symantec for $145 million in 2002. Yoran, who graduated from the United States Military Academy at West Point in 1993, served in Homeland Security's National Cyber Security Division from 2003 to 2004 where he focused on critical infrastructure security and preparedness.

**True Leader in Cybersecurity**

Yoran helped shape the cybersecurity industry with his expertise, empathy, and leadership. His goal was to make the digital world safer for everyone, and toward that end, he acted as a mentor to many, shared his expertise with industry peers, and sat on a number of boards, including BlackLine and the Center for Internet Security. In a memo to employees, Tenable chief people and culture officer Bidgett Paradise called Yoran "a visionary leader and a guiding force who profoundly impacted our industry, company, culture, and community." Former colleagues and peers filled social media with acknowledgements of Yoran's contributions to the cybersecurity field and their personal stories of how Yoran had guided them.

"Amit was one of the true OGs in cybersecurity, and we grew up together in this space," George Kurtz, founder and CEO of competitor CrowdStrike, wrote on LinkedIn. "He was a brilliant leader who understood the mission of protecting organizations and people at a fundamental level. Beyond his work in the private sector, Amit's public service with the federal government underscored his dedication to securing the nation at large."

Yoran's "open letter to Okta" after the company disclosed a third-party breach had compromised customers in 2022 is a good example of how he called out the industry for its mistakes in a thoughtful and constructive way, while advocating for best practices in a straightforward manner. He wrote a similar note in 2023 after multiple reports of vulnerabilities in Microsoft Azure.

Yoran's two brothers, Dov and Elad, are both in cybersecurity. "Late last night, we lost a brother, a father, a son, a husband, a veteran, an industry titan and a drinking buddy," Dov Yoran, former Cisco executive now leading cyber investigation startup Command Zero, wrote on LinkedIn. "Amit Yoran was a force of nature. He was a true hero in how he touched and helped so many people in so many unthinkable ways."

Editor's Note: Amit was a leader in the industry who generously shared his time, expertise, and insight with Dark Reading over the years. He was a friend to many of us here at Dark Reading — we will miss his big heart and smile.

In Appreciation: Amit Yoran, Tenable CEO, Passes Away

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

****SUMMARY****

*   **Sophisticated Phishing Tool**: Russian cybercriminals created a WordPress plugin, PhishWP, to mimic legitimate payment pages and steal sensitive data like credit card details, CVVs, and 3DS OTPs.

*   **Real-Time Data Exploitation**: PhishWP transmits stolen information directly to attackers via Telegram, enabling immediate unauthorized use or sale on the dark web.

*   **Advanced Features**: The plugin offers customizable fake checkout pages, browser profiling, 3DS code pop-ups, and auto-response emails to deceive users and bypass security measures.

*   **Global Impact**: Multi-language support and obfuscation features allow attackers to launch targeted phishing campaigns worldwide, leading to financial losses and data breaches.

*   **Mitigation Strategies**: Users are urged to implement phishing protection tools, maintain vigilance, and adopt proactive cybersecurity measures to combat these threats effectively.

Online transactions have become an integral part of our lives in the digital age. We rely on the Internet for everything from shopping and banking to social interactions. However, this convenience comes at a price as cybercriminals exploit users’ trust to obtain sensitive data.

The cybersecurity firm SlashNext has discovered one such threat. According to their research, which was shared with Hackread.com ahead of its publication on Monday, Russian cybercriminals have created a new WordPress plugin, PhishWP, to create fake payment pages. Instead of processing payments, they steal credit card numbers, expiration dates, CVVs, and billing addresses.

PhishWP creates deceptively realistic online payment pages that mimic legitimate services like Stripe. These fake pages lure unsuspecting users into entering their credit card details, expiration dates, CVV codes, and even the crucial one-time passwords (OTPs) used for 3D Secure authentication. 

In its blog post, SlashNext outlined an attack scenario where an attacker creates a fake e-commerce website using PhishWP and replicates Stripe payment pages. Users are directed to a fake checkout page, where a 3DS code pop-up requests an OTP, which users unknowingly provide. The plugin transmits collected information to the attacker’s Telegram account, allowing them to exploit data for unauthorized purchases or sell it on dark web marketplaces.

This means that the sophisticated plugin goes beyond simply collecting data; it integrates with platforms like Telegram, enabling real-time transmission of stolen information directly to the attackers, maximizing the potential for immediate exploitation.

Furthermore, the plugin leverages advanced techniques like 3DS code harvesting, where it tricks victims into entering OTPs via pop-ups, effectively bypassing security measures designed to verify cardholder identity. 

To enhance its effectiveness, PhishWP offers several key features, including customizable checkout pages that closely resemble legitimate payment interfaces, browser profiling capabilities to create attacks as per the specific user environments, and auto-response emails that create a false sense of security in victims. By combining these features with multi-language support and obfuscation options, attackers can launch highly targeted and evasive phishing campaigns on a global scale.

Screenshot from the Russian hacker forum (Via SlashNext)

Researchers note that PhishWP is a powerful tool that allows cybercriminals to conduct phishing attacks with utmost sophistication, causing significant financial losses and personal data breaches.

To mitigate these risks, it is essential to use reliable security measures, such as browser-based phishing protection tools, which provide real-time defence against malicious URLs and prevent users from visiting compromised websites. Vigilance and proactive security measures can reduce your vulnerability to these sophisticated attacks to a great extent.

Mr. Mayuresh Dani, Manager, Security Research at Qualys Threat Research Unit, commented on the latest development stating _“_WordPress plugins like PhishWP pose significant risks by mimicking payment interfaces to steal user information, including credit card details and 3DS codes. Data is sent to attackers via Telegram, making PhishWP a highly effective information stealer when victims input valid details._“_

1.  **US Marshals Service Data Sold on Russian Hacker Forum**
2.  **New Rockstar 2FA Phishing Kit Targets Microsoft 365 Accounts**
3.  **Military Satellite Access Sold on Russian Hacker Forum for $15K**
4.  **Android Botnet Nexus Being Rented Out on Russian Hacker Forum**
5.  **Network access to Pakistan’s top fed agency sold on Russian forum**

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

A fake Telegram Premium app delivers information-stealing malware, in a prime example of the rising threat of adversaries leveraging everyday applications, researchers say.

Source: Boris Kozlov via Alamy Stock Photo

A new advanced Android spyware threat called "FireScam" is using a fake Telegram Premium application to drop an infostealer on victims' phones that is able to track, monitor, and collect sensitive data on its victims.

Researchers at Cyfirma behind a new FireScam analysis said the campaign is part of a wider trend of threat actors finding success disguising malware as legitimate applications and services. In this case, they are abusing Firebase, a legitimate cloud platform widely used by developers of Google mobile and Web applications.

"By capitalizing on the widespread usage of popular apps and legitimate services like Firebase, FireScam exemplifies the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices," the report explained. "By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide."

The infection routine starts with a phishing site hosted on the GitHbub\[dot\]io domain, dressed up to look like the RuStore app store, the report said. The site delivers a malicious version of Telegram Premium, which then steals data from the targeted Android device, including notifications, messages, and more, and sends it to a Firebase Realtime Database endpoint.

Related:China's Salt Typhoon Adds Charter, Windstream to Telecom Victim List

Once installed, FireScam uses regular checks and analysis, command-and-control communications (C2), and data storage to maintain persistence and deliver additional malware, as needed, the report added.

"The FireScam malware campaign reveals a worrying development in the mobile threat landscape: malware targeting Android devices is becoming increasingly sophisticated," Eric Schwake, director of cybersecurity strategy at Salt Security, said in a statement. "Although using phishing websites for malware distribution is not a new tactic, FireScam's specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers' evolving techniques to mislead and compromise unsuspecting users."

**Solutions for Stopping Spyware Like FireScam**

With these threats becoming increasingly sophisticated, it's important for cyber defenders to focus on anomalous app activity, according to a statement from Stephen Kowski, field CTO at SlashNext Email Security+.

"Real-time mobile app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels," Kowski wrote. "The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised."

Related:EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

Schwake added that protecting application programming interfaces (APIs) can also help protect users from increasingly convincing phishing lures.

"Real-time mobile-app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels," Kowski wrote. "The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

FireScam Android Spyware Campaign Poses 'Significant Threat Worldwide'

The malware, operated by China-backed cyberattackers, has been significantly fortified with new evasive and post-infection capabilities.

Source: Antony Cooper via Alamy Stock Photo

An unknown attacker is wielding an updated version of a backdoor malware that was previously deployed against high-profile Southeast Asian organizations in targeted attacks, this time against ISPs and governmental entities in the Middle East.

Researchers at Kaspersky have detected a new variant of the EagerBee backdoor outfitted with various new components in attacks that demonstrate a significant evolution of the malware framework, they revealed in a blog post published today.

EagerBee is primarily designed to operate in memory to enhance its stealth capabilities and help it evade detection by traditional endpoint security solutions, according to Kaspersky. It's also unique in that it obscures its command shell activities by injecting malicious code into legitimate processes that are executed within the context of explorer.exe or the targeted user's session.

"These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze," Kaspersky senior security researcher Saurabh Sharma wrote in the post.

A previous variant of the malware was seen in attacks by a a trio of Chinese state-aligned threat clusters, which previously collaborated in Operation Crimson Palace to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.

Related:Deepfakes, Quantum Attacks Loom Over APAC in 2025

The latest version of EagerBee that was used in the Middle East attacks features several new advanced features, including a novel service injector designed to inject the backdoor into a running service, and a slew of previously undocumented plug-ins that can be deployed after the backdoor's installation.

"These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells, and more," Sharma wrote.

**Who Are the Cyberattackers Behind EagerBee?**

Previous researchers had attributed EagerBee to Chinese threat group Iron Tiger (aka Emissary Panda or APT27), one of numerous groups that often collaborate with other China-backed state-sponsored actors; that tends to make specific attribution of both attacks and malware murky.

Case in point: Kaspersky's latest analysis of the backdoor deployed in the Middle East attributes EagerBee to a different Chinese actor, CoughingDown. That's because there was a creation of services on the same day via the same Web shell to execute EagerBee and the CoughingDown Core Module in one of the attacks researchers analyzed, according to Sharma. Moreover, the researchers observed overlap in the command-and-control (C2) domain used both by EagerBee and the CoughingDown Core Module in the attack.

Related:Middle East Cyberwar Rages On, With No End in Sight

Further evidence discovered in the Middle East attacks linking EagerBee to CoughingDown includes code overlap in a malicious DLL file used in the attack with a multiplug-in malware developed by CoughingDown in late September 2020, according to Sharma. "We assess with medium confidence that the EagerBee backdoor is related to the CoughingDown threat group," he wrote.

**EagerBee Backdoor Malware's Advanced Features**

The Kaspersky team identified key new plug-in features of EagerBee that are all run by a plug-in orchestrator module to execute commands that perform various malicious activities.

The orchestrator exports a single method responsible for injecting the module into memory and subsequently calling its entry point. In addition to victim-specific data collected by the malware, this plug-in gathers and reports various other information — such as current usage of physical and virtual memory, system locale and time-zone settings, and Windows character encoding — about the infected system to the C2 server.

After transmitting this information, the plug-in orchestrator also reports whether the current process has elevated privileges and then collects details about all running processes on the system. Once the information is sent, the plug-in orchestrator waits for commands to execute, which are carried out by the various backdoor plug-ins.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

These include a file manager plug-in that is responsible for, among other things, renaming, moving, copying, and deleting files; reading and writing files to and from the system; and injecting additional payloads into memory. Another process manager plug-in lists running processes in the system; launches new modules and executes command lines; and terminates existing processes.

Two other plug-ins found in the novel variant include a remote access manager that facilitates and maintains remote connections while also providing command shell access, and a service manager that manages system services, including installing, starting, stopping, deleting, and listing them.

**Malware Sophistication Demands Cyber Defender Vigilance**

Despite links to CoughingDown, Kaspersky researchers could not determine the initial infection vector for the deployment of EagerBee.

In the previous attacks using the backdoor in Asia, attackers leveraged the now infamous Exchange ProxyLogon flaw as the initial entry point; however, there is no evidence of this in the attacks here, according to Kaspersky. However, the researchers still recommend that defenders promptly patch ProxyLogon to secure their network perimeter, as it "remains a popular exploit method among attackers to gain unauthorized access to Exchange servers," Sharma noted.

Overall, the emergence of a fortified variant of EagerBee in attacks in the Middle East demonstrates how attackers continue to advance malware frameworks in terms of both ability to evade detection and the sheer breadth of malicious functionality they can achieve, demanding that organizations also up their security game, he said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

### Impact

Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used.

### Patches

Upgrade to version 0.8.1 or higher.

### Workarounds

No.

### References

Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.


**Guzzle OAuth Subscriber has insufficient nonce entropy**

Low severity GitHub Reviewed Published Jan 6, 2025 in guzzle/oauth-subscriber • Updated Jan 6, 2025

Tag

#git