Part predictive analysis, part intuition, risk and reputation services are imperfect instruments at best — and better than nothing for most organizations and insurers.

Source: MMD Creative via Shutterstock

As companies seek to improve their cybersecurity postures, they are increasingly using a variety of metrics, scoring systems, and reputational rankings to measure their efforts. But in many cases, businesses are asking too much of the various systems that attempt to measure security.

The old saw says that you need to measure something to manage it, but many systems that have flourished — from the Common Vulnerability Scoring System (CVSS) to organizational security posture scoring and ratings for software development projects — are sometimes only successful at expressing measurable risk. Yet corporate boards are turning some security measurements into key performance indicators (KPIs), and some industries — such as insurance firms — are using them to determine risk. Their conclusion: Scoring risk and reputation tools are imperfect but better than nothing.

Part of the reason is that companies look to manage risk, not just improve security, says Bruce Schneier, chief technology officer of Inrupt, a user-focused data management provider, and an adjunct lecturer at the Harvard Kennedy School. Schneier is critical of many attempts to measure security.

"Whenever I've had a company that could do it, I've always tried to build comparative metrics — how am I doing compared to everybody else that does this?" he says. "That does help. People do want to know how they compare to their peers, and that's also good lawsuit protection." They may say, "Yes, this is a problem, but look, everybody else is doing the same thing."

From software and vulnerabilities to corporate security and human risk, efforts to assign scores and reputations to various components of the information technology ecosystem are growing. This week, detection and response platform Sweet Security inked a deal to use the early-stage startup Illustria to offer a package reputation service to detect risky changes to open source software packages. Providers of security posture ratings — such as Bitsight, SecurityScorecard, and UpGuard — have gained a following among cyber insurers, while human-risk management firms, such as Living Security and Mimecast, are increasingly assigning scores to users' cybersecurity awareness.

**Common Vexations of Scoring Security**

CVSS — the standard way to grade potential criticality of software flaws — highlights many of the issues that continue to dog rating and reputation systems. CVSS allows security researchers and software companies to assess the basic severity of vulnerabilities using a 10-point scoring system, but organizations need to evaluate the vulnerabilities' impacts in their own environments. This step that is often overlooked and gives critics significant fodder to attack the approach.

As a result, CVSS garners some praise but also a great deal of criticism. The scoring system is more like grading a high dive rather than tallying a baseball game, wrote Richard Brooks, co-founder and lead software engineer at consulting firm Business Cyber Guardian, in tepid defense of the system that often veered into criticism.

"It's highly subjective and each party needs to decide for themselves if there is risk from a vulnerability, based on their own circumstances and the information known about the vulnerability and its exploitation methods," he stated.

A major problem for any scoring systems is that security is often subjective and frequently amounts to proving a negative — a difficult application of metrics and scoring, says Inrupt's Schneier.

Using scores to fuel checklists can help, he says. Checklists are used in environments where reliability is critical, such as airplanes, hospitals, and spacecraft. To some degree the software security community has pursued this approach, creating lists of vulnerabilities — such as the OWASP Top 10 and the CWE Top 25 lists — that are intended to focus remediation efforts.

"Checklists are a way to turn the unprovable negative into a demonstrable positive," Schneier says. Yet we still have trouble creating metrics for security because "security is fundamentally not about capabilities. It's not about functionality. It's about denying functionality."

**Adoption by the Kings of Metrics (Insurers)**

One group that's hungry for scores and metrics is the insurance industry. Insurers aim to boil down events into data, and security events and cyberattacks are no different. Cyber insurers are increasingly collecting their own data to infer which products have good security and determine what to charge potential policyholders based on their use of those products.

Models that assign companies scores based on their observable cybersecurity posture, for example, can save insurance firms significant money by identifying the worst performers. Using information from Bitsight and internal data, for example, reinsurance firm Gallagher Re identified the bottom 20% of companies, which had a 3.17 times greater likelihood of suffering a loss — an approach that could reduce insurance firm losses by about 16%, the reinsurer stated in a 2024 study. A second study by professional services firm Marsh McLennan and Bitsight found that the lowest-scoring tier of companies were nearly five times more likely to have a cybersecurity incident than the highest-scoring tier.

A scoring system works only if companies are using it to reach their end goals (more security) rather than trying to just increase their scores (compliance), says Stephen Boyer, co-founder and chief technology officer at Bitsight.

"I do think that as long as it's communicating something that drives an action that ends up being risk-reducing, that's good," he says. "If it's a regulatory focus and \[the company\] is doing that to optimize the score and is not actually reducing risk, then it is a wasted effort for everybody."

Unsurprisingly, more regulated industries tend to score higher on organizational ratings. Financial firms, utilities, energy, and healthcare all average a score of 720 or higher, while communications services average a score of a 630 and industrials a score of 690, according to a report on cybersecurity oversight of corporate boards.

**Software Ratings Gain Traction**

As software supply chain worries mount, companies and the open source community are aiming to rate the reputation and development processes of open source projects and assign scores to the components they produce. The OpenSSF Scorecard, for example, conducts a number of automated checks and ranks a project by a numerical score for each area, including whether the project has binary artifacts, whether the branch protection is on, the cadence of commits, and whether the project shows signs of using automated tools and fuzzers. The popular machine-learning library TensorFlow, for example, currently has an overall score of 8.2, with low scores for its Code Review practices and the failure to pin dependencies.

In some ways, we have too much data, and often it's not the right data, says Dylan Thomas, senior director of product and engineering at IT conglomerate OpenText.

"Because there's so much more data, the biggest challenge is understanding that we're using it in an effective way and that we're using the right data to draw the right conclusions, \[so we don't\] misrepresent a particular data point or metric or scoring system," he says. "It's one of the reasons that LLM-based machine-learning algorithms really can provide a lot of value to augment security decision-making \[and\] can synthesize the vast amounts of data into potential patterns that we can actually make sense of."

The Open Source Select service offered by software supply chain security firm Debricked, part of OpenText, uses ratings for the contributors, the popularity, and the security of open source components to summarize their practices using a scale of 1 to 100, assigning a traffic-light color to each component. TensorFlow, for example, received green ratings for its contributors (score: 73) and popularity (score: 84) but only a yellow rating (score: 42) for security.

The ratings are not necessarily a way to detect whether a software component is dangerous but a way to automate the approval and intake process for the proposed use of open source components, speeding up decision-making, Thomas says.

"The benefit is, as a developer, I'm not waiting weeks to work through an open source intake process," he says. "I can quickly get a decision in a subset — and, hopefully, a meaningful subset — of use cases. Either quickly not waste my time going through a long process for a particular component or get green-lit very quickly."

The question that companies should ask when they use metrics is whether those metrics are speeding up decision-making processes, and if not, why not.

"Part of what we need to do is make sure that we are not just measuring for the sake of measuring, but that we're also taking time to measure the measuring stick," Thomas says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Risk, Reputational Scores Enjoy Mixed Success as Security Tools

Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?

European governments wonder if Trump will continue US support of Ukraine and NATO in a conflict with Russia that has partly played out in cyberspace. Fick’s team was instrumental in establishing a process for rapidly delivering cyber-defense aid to Ukraine’s battered government.

“I was in Ukraine right before Christmas, I was in Poland, I was in Estonia, kind of up and down NATO's eastern flank,” he says, adding that he sensed “both a deep desire for the United States to stay engaged and a recognition that European partners are going to need to do their share—which they, by the way, increasingly are doing.”

More broadly, Fick has heard “a strong desire among many allies and partners” for the US to continue going toe to toe with China and Russia in tech and cyber discussions in international bodies like the UN and the Group of 20.

“Without the United States deeply involved, you're going to see the Chinese more deeply involved, you're going to see the Russians more deeply involved,” Fick says. “There's a pretty broad view \[globally\] that the US needs to, for its own interests and for the interests of our allies and partners, stay engaged in multilateral organizations.”

Fick sympathizes with Republicans who consider these multilateral organizations too slow and timid, but he wants Trump’s team to “recognize that the alternative is not diminished influence of these organizations; the alternative is simply that they become playgrounds for our competitors and our adversaries.”

**Celebrating “a Sea Change”**

Looking back on his time as America’s cyber ambassador—which saw him spend a total of more than 200 days traveling the world on nearly 80 trips to visit key US allies and partners—Fick is proud of how his team launched an entirely new bureau inside the State Department, grew it to around 130 employees, and delivered results that he says are transforming digital diplomacy.

One of his biggest accomplishments was the launch of a foreign cyber aid fund that will support programs to deploy security assistance to hack-stricken allies, subsidize new undersea cables, and train foreign diplomats on cyber issues.

The security-assistance project saw an early test in November when Costa Rica faced another major ransomware attack. “We had people on a plane the next morning, Thanksgiving morning, with hands on keyboards alongside Costa Rican partners that night,” Fick says. “That’s amazing. That is a sea change in how we do this, and it’s going to strengthen our hand in providing support to these middle-ground states.”

Fick has also focused on preparing the Foreign Service for the modern world, meeting his goal of training at least one tech-savvy diplomat for every foreign embassy (around 237 total) and successfully lobbying to add digital fluency to the State Department’s criteria for career ambassador positions. He has also helped State counterbalance the Pentagon in White House discussions about foreign tech issues—putting “American diplomacy literally back at the table in the Situation Room on technology topics.”

And then there’s his team’s support for US cyber aid to Ukraine, from security software to satellite communications to cloud migration for vital government data—work that he says offers a template for future public-private foreign-aid partnerships.

**One Final Warning**

Fick has shared his thoughts about China, 5G, AI, deterrence, and other cyber issues with Trump’s transition team, and he says there’s still more to do to keep cyber diplomacy “front and center” at State. But as he prepares to leave government, he has one major piece of advice for the incoming administration.

“It is essential to have a bias for action,” he says. “We end up admiring a problem for too long rather than taking a decisive step to address it … That decisive step may be imperfect, but indecision is a decision, and the world moves on without you.”

Put another way: In an era of rapidly evolving technologies and intensifying geopolitical competition, massive bureaucracies like the State Department sometimes need to be jolted into action.

“The job of the leaders in these big organizations,” Fick says, “is to move the org to change a little bit faster than it would on its own.”

Biden's Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep…

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep up, businesses need to understand that while complex regulations may sound difficult to deal with; cybersecurity threats are the real danger to their credibility and success. Here are six strategies that showcase how the change in financial technology impacts expansion and security.

**1\. **Using Data Analytics for Smarter Security and Personalization****

Fintech companies have access to a treasure trove of user data, making data analytics a key to both innovation and security. Predictive analytics can detect fraud in real time by spotting unusual transaction patterns, while personalization algorithms offer customized financial solutions to users.

Take PayPal, for instance, which uses machine learning to track fraud attempts while ensuring seamless user experiences. By investing in platforms like Tableau or Splunk, companies can not only improve data-driven decisions but also strengthen their cybersecurity protection.

**2\. **Optimizing Customer Journeys Through AI and Automation****

Customer retention in fintech depends on efficient, user-friendly platforms. AI-driven Client Lifecycle Management (CLM) tools not only enhance customer experience but also fortify compliance with data protection laws like GDPR.

For example, automated KYC (Know Your Customer) processes can validate user identities within minutes, reducing conflict while maintaining security. Companies that leverage AI to simplify operations position themselves as leaders in convenience and trust, two critical factors in the digital financial world.

**3\. **Expanding Beyond Payments: Diversification in Fintech Offerings****

Successful fintech companies are moving beyond basic services like payments and lending to offer a wider range of products. Digital wallets, cryptocurrency trading, BNPL (Buy Now, Pay Later) options, and even ESG (Environmental, Social, and Governance)-focused investment tools are becoming standard offerings.

For instance, Square (now Block) transitioned from payment processing to include cash apps, crypto wallets, and merchant solutions. This diversification not only strengthens market positioning but also hedges against disruptions in individual sectors.

**4\. **Automating Security Protocols to Counter Cyber Threats****

While cybersecurity threats grow more sophisticated, automation in fintech security has become a necessity. Tools like automated anomaly detection, real-time threat intelligence, and AI-driven incident response systems ensure swift responses to breaches.

Take Stripe, which integrates advanced monitoring tools to detect and neutralize suspicious activity before it escalates. Automation in security protocols not only protects sensitive financial data but also boosts consumer confidence in the platform.

**5\. **Sustainability in Fintech: Balancing Growth with Responsibility****

The fintech sector is embracing sustainability through green technologies and ethical financial practices. Blockchain-based carbon credit platforms, eco-friendly payment cards, and renewable energy-backed investments are paving the way for a greener future.

Consider Mastercard’s sustainable card program, which uses biodegradable materials and supports reforestation initiatives. By integrating eco-conscious elements, fintech companies are appealing to the growing demographic of socially responsible consumers and investors.

**6\. **Risk Management with Predictive Technologies****

Managing risk (risk management) is critical in fintech, where markets and regulations can change overnight. Predictive technologies like machine learning are revolutionizing risk management by identifying vulnerabilities before they become liabilities.

For example, Robinhood employs real-time analytics to manage liquidity risks and safeguard user assets during volatile market conditions. This approach not only ensures operational stability but also reinforces trust in the brand.

The worlds of technology and finance are changing like never before, with advancements in AI, blockchain, and sustainable solutions building the future of fintech. By using data-driven security, improving operations through automation, and focusing on sustainable practices, companies can remain competitive. For fintech firms, the message is clear: innovate, adapt, and protect your operations, or risk falling behind.

1.  **Cybersecurity, Big Data and Automation Tools**
2.  **Top 9 Compliance Automation Software in 2024**
3.  **Fortifying FinTech: Building Resilient APIs for Security**
4.  **Digital Transformation in Financial Industry: The Role of Fintech**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/Featured Image via Marvin Meyer/Unsplash

6 Strategic Innovations Transforming the Fintech Industry

Seven system recovery programs contained what amounted to a backdoor for injecting any untrusted file into the system startup process.

Source: Ognyan Yosifov via Alamy Stock Photo

A vulnerability in trusted system recovery programs could allow privileged attackers to inject malware directly into the system startup process in Unified Extensible Firmware Interface (UEFI) devices.

Seven real-time recovery products — Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King — all make use of "reloader.efi," the Microsoft-signed Extensible Firmware Interface (EFI) file at issue.

The problem, ESET explains in a new report, is that reloader.efi uses a custom loader that enables the application to load even unsigned binaries during the boot process. In essence, it's a backdoor for sneaking any kind of file into a system's startup, past UEFI Secure Boot. The issue has been assigned CVE-2024-7344, and earned a "medium" 6.5 Common Vulnerability Scoring System (CVSS) rating, as it requires administrator privileges to exploit.

**Backdoor to the UEFI Boot Process**

The standard way to load, prepare, and execute UEFI images in system memory is with the autological LoadImage and StartImage functions. The Microsoft-approved "reloader" application goes its own way, using a custom mechanism that allows it to load any binary, trusted or otherwise, at startup.

"Maybe it's a lack of secure coding awareness," Martin Smolár, malware researcher at ESET, guesses of the developers' motives in implementing the custom loader. "Or maybe it's because they found it convenient to create such a functionality. Because when a developer makes a change \[to a signed program\] they need to send it to Microsoft to get it re-signed. This means that they don't need to every time they create a new update or something like that."

Reloader.efi loads arbitrary binaries from a specific, encrypted file, "cloak.dat." When ESET decrypted cloak.dat, it found that it contained an unsigned executable primarily designed for classroom environments. "Its core function is to provide real-time system recovery, ensuring that students from different classes can work in a teacher-predefined computer environment within shared computer labs," Smolár says, though he adds that the same component might be used in other settings, like public Internet cafes. The larger point is that the unsigned executable is run during the startup process, completely bypassing UEFI Secure Boot checks.

This odd classroom recovery software is perfectly honest, but an attacker could easily swap it out for something worse. If they could just get a hold of administrator privileges on a targeted machine, an attacker could access the EFI system partition (ESP) and substitute their own malicious file in place of cloak.dat. Then all they'd need is a quick system reboot to drop any malicious file they wished into the startup process.

**Why UEFI Bugs Are So Bad**

UEFI is a kind of sacred space — a bridge between firmware and operating system, allowing a machine to boot up in the first place.

Any malware that invades this space will earn a dogged persistence through reboots, by reserving its own spot in the startup process. Security programs have a harder time detecting malware at such a low level of the system. Even more importantly, by loading first, UEFI malware will simply have a head start over those security checks that it aims to avoid. Malware authors take advantage of this order of operations by designing UEFI bootkits that can hook into security protocols, and undermine critical security mechanisms like UEFI Secure Boot or HVCI (Hypervisor-Protected Code Integrity), Windows' technology for blocking unsigned code in the kernel.

To ensure that none of this can happen, the UEFI Boot Manager verifies every boot application binary against two lists: "db," which includes all signed and trusted programs, and "dbx," including all forbidden programs. But when a vulnerable binary is signed by Microsoft, the matter is moot.

Microsoft maintains a list of requirements for signing UEFI binaries, but the process is a bit obscure, Smolár says. "I don't know if it involves only running through this list of requirements, or if there are some other activities involved, like manual binary reviews where they look for not necessarily malicious, but insecure behavior," he says.

Microsoft has previously alluded to UEFI binaries being "approved through manual review." In response to an inquiry from Dark Reading, a Microsoft spokesperson provided the following clarification:

"Our process is designed to meet the evolving standard for analysis of third-party binary code, while ensuring effective scalability across our vast ecosystem. It begins with vetting and analysis with the partner, understanding the components they are requesting to be signed, and aspects of the design and functionality that may require additional security measures. Submissions are run through automated security analysis and are manually reviewed through a rigorous process. As a result, we may require additional security reviews, investigations with the submitting partner, or other mitigations. We remain committed to evolving our vetting process to better the security of our ecosystem as we operate within this ever-changing threat landscape."

ESET first discovered CVE-2024-7344 in July 2024. Since then, all vulnerable applications have been fixed, and Microsoft revoked the old, vulnerable binaries in its Jan. 14, 2025, Patch Tuesday update.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Trusted Apps Sneak a Bug Into the UEFI Boot Process

The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

The FBI says it has removed PlugX malware from thousands of infected computers worldwide.

The move came after suspicion that cybercriminals groups under control of the People’s Republic of China (PRC) used a version of PlugX malware to control, and steal information from victims’ computers.

PlugX has been around since at least 2008 but is under constant development. With the remote access it provides criminals, it is often used to spy on users and plant additional malware on interesting systems.

Among others, the PlugX Remote Access Trojan (RAT) was used in a lasting campaign uncovered last year in which a Chinese group known as “Velvet Ant” used compromised F5 BIG-IP appliances to gain access to networks, managing to stay hidden for years.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented:

> “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.”

After researchers found out that thousands of infected machines reported to one specific IP address, they managed to seize control over the IP address that served as a Command & Control (C2) server.

In close cooperation with the French authorities, the FBI and Justice Department used this IP address to “sinkhole” the botnet. Sinkholing in this context means that the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole.

With control of the sinkhole, a specially configured DNS server can simply route the requests of the bots to a fake C2 server. This provides the controller of the sinkhole with valuable information about the affected systems and an opportunity to send commands to delete the PlugX version from the connecting devices.

FBI special agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office said:

> “The FBI worked to identify thousands of infected US computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”

The FBI says it is notifying those who had the malware deleted from their computers via their internet service providers (ISPs).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 PlugX malware deleted from thousands of systems by FBI 

Evidence suggests that some of the payloads and extensions may date as far back as April 2023.

Source: VS148 via Shutterstock

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns to target multiple extension developers to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023.

"Currently we know about two different campaigns that have been targeting different objectives," says Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider. Extension Total researchers have uncovered several malicious extensions over the past several weeks and have been looking at how they relate to each other.

**A Tale of Two Campaigns**

One campaign created extensions that steal cookies, session tokens, and possibly passwords, and targeted Facebook and OpenAI accounts, Assaraf says. The campaign relied on phishing to target extension developers and a malicious OAUTH application to take over Google Chrome Web Store accounts. Cyberhaven was one of the victims of this campaign.

There is some disagreement among experts over when the first malicious extension associated with this campaign appeared. Assaraf points to the Chrome extension "GPT 4 Summary with OpenAI," which was added to the Google Chrome Web Store in August. John Tuckner, founder of browser-extension management service Secure Annex, believes the "AI Assistant – ChatGPT and Gemini for Chrome" extension, which was uploaded to the Chrome Web Store in May, was the first extension used by this campaign.

"As far as I can tell, that is the first example of this type of code being used, but some of the related domain registrations go back to around Sept. 25, 2023, so this could have been planned for a while," Tuckner says.

Both extensions are no longer on the Chrome Web Store.

Regardless of when this campaign began, the impact has been widespread. Researchers have found 22 extensions related to it so far, affecting 1.46 million users, Assaraf says. Some of these have been removed completely from the Chrome Web Store, and others have been updated to a "safe" version.

The second campaign is aimed at tracking user activity, telemetry, and sites visited, "probably with intention to sell this data," Assaraf says. Its earliest appearance was in April 2023, and researchers have identified 15 extensions thus far as belonging to this campaign.

A Google spokesperson says the company has shut down malicious Chrome Web Store accounts identified as part of this investigation and continues to investigate reports from Extension Total regarding extensions still available in the store.

It's unclear at this time whether one attacker is behind both campaigns, though there is evidence — shared JavaScript payloads injected into unauthorized updates between August 2024 and December 2024 — suggesting "a synchronized campaign," says Bugcrowd founder Casey John Ellis.

"This also suggests centralized control over the hijacked developer accounts and a common threat actor," he says.

At this point, both campaigns appear to be contained; no additional extensions have been discovered, according to Assaraf.

**Extensions as Low-Hanging Fruit for Attackers**

Cyberhaven's internal security team was able to respond to the breach quickly, which helped expose the breadth of the extension poisoning. Many of the affected extensions are hobbyist projects, which means they likely do not have the tools or security support to be regularly monitoring for malware.

Therein lies the dilemma for detecting malicious Chrome extensions in the wild, experts say. It also explains why ensuring that extensions used within a corporate browser are safe is such a tricky scenario for organizations to navigate. While some are managed by companies with dedicated teams to ensure the extensions remain clean, many are maintained by private individuals and, thus, don't have this kind of oversight.

That complicates security within a corporate environment because browsers, like Chrome, grant extensions broad permissions, including access to sensitive user data, cookies, and even the ability to capture credentials and sessions, according to Matt Johansen, security researcher at Vulnerable U.

"Extensions still operate with a significant degree of trust, and once compromised, they can access everything a user can," Johansen says. "They also have less scrutiny to install than traditional desktop software, even in enterprises."

Because of their ability to compromise so many users and have access to so much information by poisoning a browser extension, it's a no-brainer for attackers.

"Controlling an extension gives an adversary a powerful vantage point for all browser activities," concurs Lionel Litty, chief security architect at Menlo Security.

Indeed, poisoning a Chrome extension is "actually a very convenient way for attackers to spread malicious code," Assaraf adds. "You only need to fool one person, one developer, and you get access to hundreds of thousands of machines," he says.

People often forget they've installed browser extensions, yet they continue to run in the background and update automatically, giving attackers wide access to sensitive data, he adds.

**Closing the Browser Security Gap**

Given their reach, why, then, are browsers and their extensions given such little thought when it comes to an organization's security posture? It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries — though that could now change, notes Secure Annex's Tuckner.

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that "drive core business value" and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.

"Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with," he says. "Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Extension Poisoning Campaign Highlights Gaps in Browser Security

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Lazarus APT Evolves Developer-Recruitment Attacks

Silver Spring, United States / Maryland, 15th January 2025, CyberNewsWire

**Silver Spring, United States / Maryland, January 15th, 2025, CyberNewsWire**

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for NHIcon 2025, a virtual event dedicated to advancing non-human identity security, streaming live on Jan. 28 and headlined by industry luminary Kevin Mandia.

NHIcon 2025 is co-presented by Aembit and Veza, alongside industry partners Identity Defined Security Alliance and Cloud Security Alliance. 

Bringing together diverse viewpoints from the cybersecurity and DevSecOps communities, NHIcon 2025 will provide technical insights and practical guidance to address the challenges of securing non-human identities, such as service accounts, AI agents, and other software workloads.

The widespread adoption of cloud technologies, the growth of APIs and microservices, and the increasing scale of machine-to-machine communications have made securing non-human identities more challenging. Traditional identity management practices and tools often fail to provide adequate visibility and control, leaving critical security gaps that elevate breach risk.

As non-human identities become central to modern infrastructure, securing them has become a top priority for enterprises worldwide, with Gartner® naming machine identity management a top security trend for 2025.

> “My vision for NHIcon is that it gives organizations the opportunity to rethink – or even begin to explore for the first time – their approach to non-human identity security,” said David Goldschlag, CEO and co-founder of Aembit. “This unique event is designed to provide clear, actionable takeaways, a deeper understanding of how to secure the identities that power enterprise innovation, and the justification for prioritizing it.”

NHIcon 2025 will provide an experiential platform for interactive learning and meaningful collaboration. Attendees can openly engage with speakers, connect with a global community of identity security professionals, and uncover cutting-edge strategies for securing non-human identities in today’s fast-evolving environments.

Mandiant Founder Mandia, co-founder of Ballistic Ventures and one of the world’s most recognizable security voices, will share his perspective on the year ahead, focusing on identity security and the growing role of AI in threat landscapes.

The agenda also includes:

*   A keynote from Talha Tariq, chief security officer at HashiCorp, on zero-trust principles for non-human identities.
*   Heather Flanagan, executive director of IDPro, discusses modernizing identity standards.
*   Software Architect Victor Ronin leading a technical session titled From Hardcoded to Hardened: The 7 Stages of Non-Human Identity Maturity.
*   Ed Amoroso, CEO of TAG Cyber, shares experience in securing non-human identities in complex environments.
*   A panel featuring security leaders from Twilio, Grafana Labs, and SoFi addressing business and compliance risks tied to non-human identities.

Registration for NHIcon 2025 is free and open at NHIcon.com.

**About Aembit**

Aembit is the leading provider of workload identity and access management solutions, designed to secure non-human identities like applications, AI agents, and service accounts across on-premises, SaaS, cloud, and partner environments. Aembit’s no-code platform enables organizations to enforce access policies in real time, ensuring the security and integrity of critical infrastructure. Users can visit aembit.io and follow us on LinkedIn.

**Contact**

**Chief Marketing Officer**  
**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Aembit Announces Speaker Lineup for the Inaugural NHIcon

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection…

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection (SIP). Learn how this vulnerability can be exploited and how to protect your devices from this threat.

A recently discovered macOS vulnerability tracked as CVE-2024-44243, has raised alarms for jeopardizing the security of Apple devices. This vulnerability, uncovered by Microsoft Threat Intelligence, allows attackers to circumvent Apple’s robust System Integrity Protection (SIP) mechanism.

****How Does It Work?****

The flaw is found in the Storage Kit daemon, allowing local attackers with root privileges to exploit low-complexity attacks. According to Microsoft’s technical blog, shared with Hackread.com, CVE-2024-44243 exploits a weakness in the macOS storage management system. By leveraging the “storagekitd” daemon, attackers can potentially load third-party kernel extensions, bypassing the strict controls imposed by SIP.  

****What are the Implications?****

System Integrity Protection (SIP) is a crucial cybersecurity measure for macOS systems, protecting against malware and attackers. Bypassing it can significantly compromise the system’s security, Microsoft noted. Such as, attackers can install malicious software at the kernel level, and gain deep access to the system and data.

Moreover, malicious software can establish a persistent presence on the system, making it difficult to remove and potentially enabling future attacks. Also, attackers could bypass TCC (Transparency, Consent, and Control), Apple’s privacy framework, allowing unauthorized access to user data and sensitive information.  The vulnerability creates a wider attack surface, enabling attackers to exploit other vulnerabilities and escalate their privileges.

****Mitigating the Threat****

Apple has released security updates to address CVE-2024-44243. All macOS users must update their systems to the latest version to patch this vulnerability.

Microsoft’s responsible disclosure to Apple and their joint efforts to address this threat highlights the importance of shared knowledge and coordinated action in safeguarding user security. 

While we focus on patching vulnerabilities to protect ourselves from cyberattacks, it is important to remember that social engineering scams remain a prevalent threat. 

A recent campaign discovered by Group-IB targeted Apple iOS and Android users with fake trading apps. These apps were designed to steal from unsuspecting cryptocurrency investors. Therefore, staying informed about the latest threats, practicing safe online habits, and keeping software updated, are essential to minimize cybersecurity risks.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) commented on this stating, _“_This exposes the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls._“_ 

“Security teams should ensure macOS systems are patched with the latest updates, closely monitor for unusual disk management or privileged process behaviour, and implement endpoint detection tools that watch for unsigned kernel extensions,“ Jason explained. _“_Regular integrity checks, principle-of-least-privilege policies, and strict compliance with Apple’s security guidelines further reduce exposure to this critical threat._“_

Microsoft Discovers macOS Flaw CVE-2024-44243, Bypassing SIP

Company has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting.

Source: Elena11 via Shutterstock

Microsoft's January update contains patches for a record 159 vulnerabilities, including eight zero-day bugs, three of which attackers are already actively exploiting.

The update is Microsoft's largest ever and is notable also for including three bugs that the company said were discovered by an artificial intelligence (AI) platform.  

Microsoft assessed 10 of the vulnerabilities disclosed this week as being of critical severity and the remaining ones as important bugs to fix. As always, the patches address vulnerabilities in a wide range of Microsoft technologies, including Windows OS, Microsoft Office, .NET, Azure, Kerberos, and Windows Hyper-V. They include more than 20 remote code execution (RCE) vulnerabilities, nearly the same number of elevation-of-privilege bugs, and an assortment of other denial-of-service flaws, security bypass issues, and spoofing and information disclosure vulnerabilities.

**Three Vulnerabilities to Patch Immediately**

Multiple security researchers pointed to the three actively exploited bugs in this month's update as the vulnerabilities that need immediate attention. The vulnerabilities, identified as CVE-2025-21335, CVE-2025-21333, and CVE-2025-21334, are all privilege escalation issues in a component of the Windows Hyper-V's NT Kernel. Attackers can exploit the bug relatively easily and with minimal permissions to gain system-level privileges on affected systems.

Microsoft itself has assigned each of the three bugs a relatively moderate severity score of 7.8 out of 10 on the CVSS scale. But the fact that attackers are exploiting the bug already means organizations cannot afford to delay patching it. "Don't be fooled by their relatively low CVSS scores of 7.8," said Kev Breen, senior director threat research, Immersive Labs, in emailed comments. "Hyper-V is heavily embedded in modern Windows 11 operating systems and used for a range of security tasks."

Microsoft has not released any details on how attackers are exploiting the vulnerabilities. But it is likely that threat actors are using it to escalate privileges after they have gained initial access to a target environment, according to researchers. "Without proper safeguards, such vulnerabilities escalate to full guest-to-host takeovers, posing significant security risks across your virtual environment," researchers at Automox wrote in a blog post this week.

**Five Publicly Disclosed but Not Yet Exploited Zero-Days**

The remaining five zero-days that Microsoft patched in its January update are all bugs that have been previously disclosed but which attackers have not exploited yet. Three of the bugs enable remote code execution and affect Microsoft Access: CVE-2025-21186 (CVSS:7.8/10), CVE-2025-21366 (CVSS: 7.8/10), and CVE-2025-21395. Microsoft credited AI-based vulnerability hunting platform Unpatched.ai for finding the bugs. "Automated vulnerability detection using AI has garnered a lot of attention recently, so it's noteworthy to see this service being credited with finding bugs in Microsoft products," Satnam Narang, senior staff research engineer for Tenable, wrote in emailed comments. "It may be the first of many in 2025."

The other two publicly disclosed but as yet unexploited zero-days in Microsoft's January security update are CVE-2025-21275 (CVSS: 7.8/10) in Windows App Package Installer and CVE-2025-21308 in Windows Themes. Both enable privilege escalation to SYSTEM and therefore are high-priority bugs for fixing as well.

**Other Critical Vulns**

In addition to the zero-days there are several other vulnerabilities in the latest batch that also merit high-priority attention. Near the top of the list are three CVEs to which Microsoft has assigned near maximum CVSS scores of 9.8 out of 10: CVE-2025-21311 in Windows NTLMv1 on multiple Windows versions; CVE-2025-21307, an unauthenticated RCE flaw in Windows Reliable Multicast Transport Driver; and CVE-2025-21298, an arbitrary code execution vulnerability in Windows OLE.

According to Ben Hopkins, cybersecurity engineer at Immersive Labs, Microsoft likely rated CVE-2025-21311 as critical because of the potentially severe risk it presents. "What makes this vulnerability so impactful is the fact that it is remotely exploitable, so attackers can reach the compromised machine(s) over the Internet," he wrote in emailed comments. "The attacker does not need significant knowledge or skills to achieve repeatable success with the same payload across any vulnerable component."

CVE-2025-21307, meanwhile, is a use-after-free memory corruption bug that affects organizations using the Pragmatic General Multicast (PGM) multicast transport protocol. In such an environment, an unauthenticated attacker only needs to send a malicious packet to the server to trigger the vulnerability, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, wrote in emailed comments. Attackers who successfully attack the vulnerability can gain kernel-level access to affected systems, meaning organizations using the protocol need to apply Microsoft's patch for the flaw immediately, McCarthy added.

Tyler Reguly, associated director of security R&D at Fortra, described CVE-2025-21298 — the third 9.8 severity bug — as an RCE flaw that an attacker would likely exploit via email rather than over the network. "The Microsoft Outlook preview pane is a valid attack vector, which lends itself to calling this a remote attack. Consider reading all emails in plaintext to avoid vulnerabilities like this one," he noted in emailed comments.

Microsoft's January 2025 update is in stark contrast to January 2024's update when the company disclosed just 49 CVEs. According to data from Automox, the company issued patches for 150 CVEs in April 2024, and for 142 in July.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#mac