The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.

Source: Collection Chrisophel via Alamy Stock Photo

For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone in the world using Firefox or Tor.

On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.

Luckily, both issues were remediated quickly. "The attackers only had a really small window to try to compromise computers," explains Romain Dumont, malware researcher with ESET. "Yes, there was a zero-day vulnerability. But, still, it was patched really fast."

Dark Reading has reached out to Mozilla for comment on this story.

**A Zero-Day in Firefox & Tor**

The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free opportunity in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary command execution earned it a "critical" 9.8 rating from the Common Vulnerability Scoring System (CVSS). 

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla's open source email client "Thunderbird" is also impacted, as is the ultrasecretive Tor browser, which is built from a modified version of Firefox's Extended Support Release (ESR) browser.

In October, RomCom deployed specially crafted websites that would instantly trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.

These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.

Related:News Desk 2024: Can GenAI Write Secure Code?

It's unclear by what means of social engineering RomCom might have spread these malicious sites.

**What We Know of RomCom's Campaign**

Not content with only running code in a victim's browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure calls (RPC) endpoint unintentionally accessible to low level users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim's machine at large.

The damage that might've been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What's clear at this point is that the overwhelming majority of targets were located in North America and Europe — particularly the Czech Republic, France, Germany, Poland, Spain, Italy, and the US — plus scattered victims in New Zealand and French Guiana.

Also, notably, none of the victims tracked by ESET were compromised via Tor. "Tor has some predefined settings that differ from Firefox, so maybe it would not have worked," Damien Schaeffer, senior malware researcher at ESET speculates. He notes, too, that RomCom's primary targets appeared to be corporations, which rarely use Tor.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Both CVE-2024-9680 and CVE-2024-49039 have since been patched — the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.

"By now, I hope, the problem is more or less done," Schaeffer says. Still, for any given organization, "It'll depend on their policies. If you have good patch management, this would have been fixed in one day or so. But it's up to people to fix their stuff."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems.
"In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user

RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012…

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012 & CVE-2024-9474, enabling admin bypass and root access. Top targets: US & India.

Cybersecurity researchers at Shadowserver have revealed that approximately 2,000 **Palo Alto Networks** firewalls have been compromised. The breaches leverage two recently identified zero-day vulnerabilities in the company’s PAN-OS software. These vulnerabilities have been labeled as CVE-2024-0012 and CVE-2024-9474.

****The Vulnerabilities****

**CVE-2024-0012**: This vulnerability is an authentication bypass in the PAN-OS management web interface. It allows remote attackers to gain administrator privileges without authentication. This means attackers can tamper with firewall settings, making them more susceptible to further exploitation.

**CVE-2024-9474**: This flaw is a privilege escalation issue. Once exploited, it lets attackers execute commands with root privileges, giving them full control over the compromised firewall.

> Heads-up! Thanks to collaboration with the Saudi NCA we are now scanning & reporting Palo Alto Networks devices COMPROMISED as a result of a CVE-2024-0012/CVE-2024-9474 campaign. Found ~2000 instances compromised on 2024-11-20: dashboard.shadowserver.org/statistics/c… Top affected: US & India
> 
> — The Shadowserver Foundation (@shadowserver.bsky.social) November 21, 2024 at 9:45 AM

****Operation Lunar Peek – Ongoing Threat Activity****

Palo Alto Networks has **named** the initial exploitation of these vulnerabilities “Operation Lunar Peek.” Palo Alto Networks initially warned customers on November 8 about restricting access to their next-generation firewalls due to an unspecified remote code execution flaw.

Since then, the company has observed a notable increase in threat activity following the public release of technical insights by third-party researchers on November 19, 2024.

Unit 42, Palo Alto Networks threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could lead to broader threat activity.

The company is currently investigating the ongoing attacks, which involve chaining these two vulnerabilities to target a limited number of device management web interfaces. The company has observed threat actors dropping malware and executing commands on compromised firewalls, indicating that a chain exploit is likely already in use.

****Recommendations for Users****

Palo Alto Networks has provided several recommendations to mitigate the risk:

*   **Monitor and Review:** Users should monitor for any suspicious or abnormal activity on devices with a management web interface exposed to the internet. After applying the patch, it is crucial to review firewall configurations and audit logs for any signs of unauthorized administrator activity.
*   **Patch Immediately:** Customers are advised to update their systems to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Detailed information about affected products and versions can be found in the Palo Alto Networks Security Advisories.
*   **Restrict Access:** To reduce the risk, Palo Alto Networks recommends restricting access to the management web interface to only trusted internal IP addresses. This is in line with their recommended best practice deployment guidelines.

****Expert Insights****

**Elad Luz**, Head of Research at Oasis Security, emphasizes the importance of immediate action even before patching. He advises affected customers to restrict access to the web management interface, preferably allowing only internal IPs. Luz also stresses the need to ensure that devices are free from any potential malware or malicious configurations after patching.

1.  Palo Alto Patches 0-Day Exploited by Python Backdoor
2.  Authentication bypass Flaw found in NATO approved firewall
3.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
4.  CISA Urges Patching of Palo Alto Networks’ Expedition Tool Flaw
5.  Backdoor account found in 100K+ Zyxel Firewalls, VPN Gateways

Operation Lunar Peek: More Than 2,000 Palo Alto Network Firewalls Hacked

Malware bypasses Microsoft Defender and 2FA, stealing $24K in cryptocurrency via a fake NFT game app. Learn how…

Malware bypasses Microsoft Defender and 2FA, stealing $24K in cryptocurrency via a fake NFT game app. Learn how it compromised devices and evaded security.

Cybersecurity researchers at SafetyDetectives revealed that Microsoft Defender, the default Windows antivirus, was deceived by malware, enabling the theft of cryptocurrency from an unsuspecting user. The issue was uncovered during the analysis of a seemingly harmless NFT game app, which was actually designed to steal cryptocurrency.

The application also compromised the device by bypassing **Google’s two-factor authentication** and stole over $24,000 in cryptocurrency. According to researchers, the malware, once installed, quietly operates in the background, gathering sensitive information and may even hijack the user’s Google account, which is protected by two-factor authentication (2FA). It achieves this by installing a malicious Chrome extension disguised as Google Keep, bypassing the 2FA security measures.

During the investigation, SafetyDetectives’ team tested Microsoft Defender against the malware-laced app, using Wireshark to monitor network traffic and detect the malware’s location.

Surprisingly, Microsoft Defender failed to stop the virus during its installation and execution, allowing the malware to gain access to system operations, download suspicious files, collect sensitive information, and even determine the user’s location.

The malware was programmed to shut down if the user was in Russia, Ukraine, or Belarus, likely due to its origin. The **fake Chrome extension** enabled the malware to access every website visited, steal login data, and monitor anything copied from the browser. The virus collected everything necessary to remotely control the system, and Microsoft Defender didn’t send an alert.

****Bitdefender and Malwarebytes to the Rescue****

To assess the effectiveness of other antivirus solutions, the team also tested Malwarebytes and Bitdefender. While neither antivirus was able to prevent the initial installation, they did intervene at later stages of the attack. Bitdefender blocked the malware’s attempt to access critical information, while Malwarebytes prevented the installation altogether. 

“While Malwarebytes stopped the breach faster than Bitdefender, neither is inherently better in dealing with this specific malware, as both were able to prevent critical compromise. Bitdefender may even have the benefit of having fewer false positives,” they explained in the **blog post**.

It could be that in recent years, Microsoft Exchange Server has been targeted by a **series** of zero-day vulnerabilities, some of which could have impacted Microsoft Defender’s ability to protect systems. Or supply chain attacks, like the **SolarWinds hack**, can compromise software updates and tools, potentially affecting the integrity of security solutions like Microsoft Defender.

Nevertheless, the investigation emphasizes the importance of investing in stronger antivirus software and exercising caution when downloading and installing applications, especially from unverified sources. Staying informed about cyber threats and taking proactive measures can significantly reduce the risk of malicious attacks.

1.  Microsoft Defender Flags Tor Browser as Malware
2.  Fake ChatGPT Extension Hijacks Facebook Accounts
3.  Malicious Extensions Bypass Google’s MV3 Restrictions
4.  Fake Sites Spread Malware as Malwarebytes, Bitdefender
5.  Phemedrone Exploits Windows Defender SmartScreen Flaw

Malware Bypasses Microsoft Defender and 2FA to Steal $24K in Crypto

Though the information regarding the exploits is limited, the company did report that Intel-based Mac systems have been targeted by cybercriminals looking to exploit CVE-2024-44308 and CVE-2024-44309.

Source: Shahid Jamil via Alamy Stock Photo

Apple has released security updates to address two zero-day vulnerabilities that are under active exploitation in the wild.

The bugs, tracked as CVE-2024-44308 (CVSS 6.8) and CVE-2024-44309 (CVSS 4.3), are, respectively, a vulnerability in JavaScriptCore that could lead to arbitrary code execution; and a cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack while processing malicious Web content.

The bugs affect Apple's iOS, iPadOS, macOS, visionOS, and the Safari Web browser; the company reports that it has addressed them with better checks and improved state management.

Clément Lecigne and Benoît Sevens at Google's Threat Analysis Group (TAG) first discovered and reported the vulnerabilities and, as is customary for the company, Apple did not provide any additional details of reported attacks nor did it offer indicators of compromise (IoCs).

"Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems," Apple stated its advisory for both zero-days, the lone piece of information regarding in-the-wild exploitation attempts.

Those using affected Apple ecosystem products should update to iOS 18.1.1, macOS Sequoia 15.1.1, and  iOS 17.7.2 as soon as possible to avoid compromise.

**About the Author**

Apple Urgently Patches Actively Exploited Zero-Days

An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.
The flaws are listed below -

CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content
CVE-2024-44309 - A cookie management vulnerability in

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted.

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted. Unique perspectives from the brightest security minds add another layer to our overall strategy to protect our ecosystem. By incentivizing high-impact research, we raise the security bar for everyone.  

Today, we are building on that history of partnership and expanding our bug bounty programs with the Zero Day Quest. This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI. Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers – bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe.  

The quest begins today with a research challenge, where vulnerability submissions within targeted scenarios during the event are eligible for multiplied bounty awards. Submissions can also qualify researchers for a spot in the onsite hacking event in Redmond, WA, in 2025.  

To advance AI security, starting today we will offer double AI bounty awards. We will also offer researchers direct access to the Microsoft AI engineers focused on developing secure AI solutions, and our AI Red Team. This unique opportunity will allow participants to enhance their skills with cutting-edge tools and techniques and work with Microsoft to raise the bar for AI security across the ecosystem – making everyone safer. Register for a training session with the Microsoft AI Red Team today.  

In alignment with our Coordinated Vulnerability Disclosure (CVD) approach, researchers will be encouraged to publicly discuss their findings once mitigated, with support from Microsoft through blogs, podcasts, and videos to ensure we can all learn and build on this work. As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if they require no customer action. Learnings from the Zero Day Quest will be shared across Microsoft to help improve cloud and AI security - by default, by design, and in operations.  

This event is not just about finding vulnerabilities; it’s about fostering new and deepening existing partnerships between the Microsoft Security Response Center (MSRC), product teams, and external researchers – raising the security bar for all. Join us in this exciting journey as we push the boundaries of cybersecurity and work together to create a safer digital world.

_Tom Gallagher_  
_VP of Engineering, Microsoft Security Response Center (MSRC)_

Securing AI and Cloud with the Zero Day Quest

Freshly released court documents reveal new details on controversial Israeli spyware firm's operations.

Source: Shubham singh 007 via Shutterstock

Israel's NSO Group may know a lot more about how customers use its Pegasus commercial spyware product than the company has let on, newly released court documents connected to a legal dispute with Meta's WhatsApp suggest.

In fact, NSO Group installed and operated the spyware on behalf of its customers, making the company directly liable for the spyware's use, WhatsApp lawyers said in one court filing, released Nov. 14 in the US District Court for the Northern District of California.

The court documents are part of a lawsuit that WhatsApp filed against NSO Group in October 2019 after discovering the Israeli firm had used WhatsApp servers to distribute Pegasus to some 1,400 mobile phones, including those belonging to journalists and rights activists.

The lawyers also claimed that NSO Group repeatedly developed and used exploits for abusing WhatsApp's servers to install Pegasus on target devices, including at least once after WhatsApp had sued the company over the issue.

**NSO 'Solely Responsible'**

"NSO is solely responsible for Pegasus’s unauthorized access to WhatsApp's servers," the social media giant noted in one briefing. "Despite what NSO has claimed, its customers had a minimal role in how the spyware tool operated or collected information. All that NSO Group customers typically had to do was enter their target's phone number, press install and wait for the malware to install on the target device without any further interaction," they noted.

Related:Trustwave-Cybereason Merger Boosts MDR Portfolio

"In other words, the customer simply places an order for a target device's data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus," WhatsApp's lawyers said. The company, in fact, was so aware of how customers were using its malware that it actually disconnected service to 10 customers for excessive abuse, the lawyers claimed.

**Controversial Surveillance Software**

Pegasus is a controversial mobile spyware designed to secretly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detection by antivirus software. NSO Group claims to sell the technology solely to authorized government agencies for legitimate law enforcement, crime-fighting, and anti-terror purposes. But critics argue that the tool has been misused, particularly in authoritarian regimes, to target journalists, human rights activists, political dissidents, and others critical of the government.  

Related:Xiphera & Crypto Quantique Announce Partnership

A 2021 database leak revealed that NSO Group customers had, at the time, targeted more than 50,000 phone numbers for surveillance in countries like Mexico, Hungary, and India. The US government formally blacklisted the company in 2021, meaning its ability to operate in the US or do business with US entities abroad is severely restricted.

The NSO Group has tried to get US courts to dismiss WhatsApp's lawsuit against the company, citing, among other things, a lack of jurisdiction and the fact that its clients are mostly governments and therefore are not doing anything illegal. WhatsApp lawyers have sought to portray NSO Group as indeed being liable for Pegasus by attempting to tie the vendor more directly to customer use of the spyware tool.

In the newly released court documents, WhatsApp has alleged that NSO Group repeatedly and deliberated worked around the mechanisms the company put in place to prevent misuse of the secure messaging platform. One of them was a modified WhatsApp client app called the WhatsApp Installation Server (WIS) that could access WhatsApp's back-end servers in ways its own client software could not. NSO Group then developed tools named Heaven and Eden to interact with WIS in such a way as to trigger Pegasus downloads on target phones via WhatsApp. The company developed Eden after WhatsApp discovered Heaven and put up blocks against it. When WhatsApp engineers discovered Eden, NSO developed and used yet another tool, called Erised, through 2020, or after WhatsApp had filed its lawsuit.

Related:North Korea's Andariel Pivots to 'Play' Ransomware Games

The WhatsApp lawsuit is one of several that NSO Group is currently battling in courts worldwide from organizations and individuals impacted by the malware. In September, Apple sought voluntary dismissal of a 2021 lawsuit it had filed against NSO Group, citing concerns over the company having to share information with the court that other spyware makers could abuse going forward.

Back when the lawsuit was filed, the NSO Group was among a handful of known purveyors of such mobile spyware software. Since then, there has been a sharp increase in the number of commercial spyware vendors, driven largely by demand from government agencies. A Google report earlier this year identified spyware vendors like NSO Group as being responsible for nearly half of all zero-day exploits it counted between mid-2014 and December 2023.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WhatsApp: NSO Group Operates Pegasus Spyware for Customers

PRESS RELEASE

SAN FRANCISCO, Nov. 4, 2024 /PRNewswire/ -- Bugcrowd, the leader in crowdsourced security, today announced the addition of Trey Ford as Chief Information Security Officer for the Americas, to the leadership team.

Trey is a seasoned strategic advisor and security thought leader with over 25 years of experience in offensive and defensive security disciplines. Trey has held key leadership roles at Deepwatch, Vista Equity Partners, Salesforce, Black Hat, and more. He has also been a valued member of Bugcrowd's advisory board for over a decade.

Trey is passionate about working with enterprise leaders, corporate directors, and investors to help teams strengthen their technology and execution strategy.

"I'm really looking forward to joining this amazing Bugcrowd team and this fast-growing, dynamic organization that continues to execute on its compelling vision for the future of cybersecurity, based on the ingenuity of the crowd," Ford said. "I've always believed in taking a hands-on approach to building, breaking, and deconstructing security problems to first principles -- I intend to continue applying that same mindset here at Bugcrowd."

"Trey's addition to our team marks a pivotal moment for enhancing our operational capabilities in the Americas region," said Nick McKenzie, Chief Information and Security Officer of Bugcrowd. "His leadership and offensive security expertise, coupled with his ability to help us connect with and support customers, will elevate the team's capabilities to new heights—a timely appointment with our current business momentum."

Bugcrowd also announced the availability of Bugcrowd Continuous Attack Surface Pentesting as a Service Subscription, a new way to consume pen testing. By using this subscription model, customers can enjoy the flexibility and predictability of pre-paid capacity on the Bugcrowd Platform to be drawn-down on demand.

In addition, Bugcrowd announced an additional growth capital facility of $50 million from Silicon Valley Bank in October. The new financing will further scale Bugcrowd's AI-powered platform globally, fund continued innovation into the Bugcrowd Platform, and leverage opportunities for strategic M&A, providing added value to clients, partners, and the hacker community.

"We are extremely excited by the rapid growth and market momentum that Bugcrowd has achieved so far this year," said Dave Gerry, Chief Executive Officer of Bugcrowd. "We believe we are putting together the world's strongest combination of people and technologies to deliver on the powerful insights provided by elite hackers operating on our global Platform."

The Bugcrowd Platform connects organizations with trusted security researchers and hackers to help proactively defend themselves against sophisticated threats. For over a decade, Bugcrowd's unique "skills-as-a-service" approach has uncovered more high-impact vulnerabilities than traditional methods, along with clearer ROI, for more than 1,200 customers – including OpenAI, Google, T-Mobile, Carvana, the US Department of Defense's Chief Digital and Artificial Intelligence Office (CDAO), ExpressVPN, Rapyd, New Relic, and OpenSea. With unmatched flexibility and access to a decade of vulnerability intelligence, the Bugcrowd Platform has evolved to address a changing attack surface influenced by adoption of mobile infrastructure, hybrid work, APIs, crypto, cloud workloads, and AI. Bugcrowd's crowdsourced solutions include penetration-testing-as-a-service, managed bug bounties, vulnerability disclosure programs (VDPs), and AI Safety and Security products.

To learn more about how the Bugcrowd platform can help your organization fight against today's evolving cyberattacks, visit here.

To download a copy of the Inside the Mind of a Hacker 2024 report, click here.

About Bugcrowd

We are Bugcrowd. Since 2012, we've been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of our customers and trusted alliance of elite hackers, with our patented data and AI-powered Security Knowledge Platform™. Our network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, our data and AI-driven CrowdMatch™ technology in our platform finds the perfect talent for your unique fight. We are creating a new era of modern crowdsourced security that outpaces threat actors.

Unleash the ingenuity of the hacker community with Bugcrowd, visit www.bugcrowd.com. Read our blog.

Tag

#zero_day