You can tell the story of the current state of stolen credential-based attacks in three numbers:

Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks. (Source: Verizon).
Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester). 
Stolen credentials on criminal forums cost as

The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems.
The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new

New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep…

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep up, businesses need to understand that while complex regulations may sound difficult to deal with; cybersecurity threats are the real danger to their credibility and success. Here are six strategies that showcase how the change in financial technology impacts expansion and security.

**1\. **Using Data Analytics for Smarter Security and Personalization****

Fintech companies have access to a treasure trove of user data, making data analytics a key to both innovation and security. Predictive analytics can detect fraud in real time by spotting unusual transaction patterns, while personalization algorithms offer customized financial solutions to users.

Take PayPal, for instance, which uses machine learning to track fraud attempts while ensuring seamless user experiences. By investing in platforms like Tableau or Splunk, companies can not only improve data-driven decisions but also strengthen their cybersecurity protection.

**2\. **Optimizing Customer Journeys Through AI and Automation****

Customer retention in fintech depends on efficient, user-friendly platforms. AI-driven Client Lifecycle Management (CLM) tools not only enhance customer experience but also fortify compliance with data protection laws like GDPR.

For example, automated KYC (Know Your Customer) processes can validate user identities within minutes, reducing conflict while maintaining security. Companies that leverage AI to simplify operations position themselves as leaders in convenience and trust, two critical factors in the digital financial world.

**3\. **Expanding Beyond Payments: Diversification in Fintech Offerings****

Successful fintech companies are moving beyond basic services like payments and lending to offer a wider range of products. Digital wallets, cryptocurrency trading, BNPL (Buy Now, Pay Later) options, and even ESG (Environmental, Social, and Governance)-focused investment tools are becoming standard offerings.

For instance, Square (now Block) transitioned from payment processing to include cash apps, crypto wallets, and merchant solutions. This diversification not only strengthens market positioning but also hedges against disruptions in individual sectors.

**4\. **Automating Security Protocols to Counter Cyber Threats****

While cybersecurity threats grow more sophisticated, automation in fintech security has become a necessity. Tools like automated anomaly detection, real-time threat intelligence, and AI-driven incident response systems ensure swift responses to breaches.

Take Stripe, which integrates advanced monitoring tools to detect and neutralize suspicious activity before it escalates. Automation in security protocols not only protects sensitive financial data but also boosts consumer confidence in the platform.

**5\. **Sustainability in Fintech: Balancing Growth with Responsibility****

The fintech sector is embracing sustainability through green technologies and ethical financial practices. Blockchain-based carbon credit platforms, eco-friendly payment cards, and renewable energy-backed investments are paving the way for a greener future.

Consider Mastercard’s sustainable card program, which uses biodegradable materials and supports reforestation initiatives. By integrating eco-conscious elements, fintech companies are appealing to the growing demographic of socially responsible consumers and investors.

**6\. **Risk Management with Predictive Technologies****

Managing risk (risk management) is critical in fintech, where markets and regulations can change overnight. Predictive technologies like machine learning are revolutionizing risk management by identifying vulnerabilities before they become liabilities.

For example, Robinhood employs real-time analytics to manage liquidity risks and safeguard user assets during volatile market conditions. This approach not only ensures operational stability but also reinforces trust in the brand.

The worlds of technology and finance are changing like never before, with advancements in AI, blockchain, and sustainable solutions building the future of fintech. By using data-driven security, improving operations through automation, and focusing on sustainable practices, companies can remain competitive. For fintech firms, the message is clear: innovate, adapt, and protect your operations, or risk falling behind.

1.  **Cybersecurity, Big Data and Automation Tools**
2.  **Top 9 Compliance Automation Software in 2024**
3.  **Fortifying FinTech: Building Resilient APIs for Security**
4.  **Digital Transformation in Financial Industry: The Role of Fintech**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/Featured Image via Marvin Meyer/Unsplash

6 Strategic Innovations Transforming the Fintech Industry

Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that's designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration.
"A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications," Silverfort researcher Dor Segal said in a

Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions

Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns.
"In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report

Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer

Over a dozen programs used by creators of nonconsensual explicit images have evaded detection on the developer platform, WIRED has found.

“When we look at intimate image abuse, the vast majority of tools and weaponized use have come from the open source space,” says Ajder. But they often start with well-meaning developers, he says. “Someone creates something they think is interesting or cool and someone with bad intentions recognizes its malicious potential and weaponizes it.”

Some, like the repository disabled in August, have purpose-built communities around them for explicit uses. The model positioned itself as a tool for deepfake porn, claims Ajder, becoming a “funnel” for abuse, which predominantly targets women.

Other videos uploaded to the porn-streaming site by an account crediting AI models downloaded from GitHub featured the faces of popular deepfake targets, celebrities Emma Watson, Taylor Swift, and Anya Taylor-Joy, as well as other less famous but very much real women, superimposed into sexual situations.

The creators freely described the tools they used, including two scrubbed by GitHub but whose code survives in other existing repositories.

Perpetrators on the prowl for deepfakes congregate in many places online, including in covert community forums on Discord and in plain sight on Reddit, compounding deepfake prevention attempts. One Redditor offered their services using the archived repository’s software on September 29. “Could someone do my cousin,” another asked.

Torrents of the main repository banned by GitHub in August are also available in other corners of the web, showing how difficult it is to police open-source deepfake software across the board. Other deepfake porn tools, such as the app DeepNude, have been similarly taken down before new versions popped up.

“There’s so many models, so many different forks in the models, so many different versions, it can be difficult to track down all of them,” says Elizabeth Seger, director of digital policy at cross-party UK think tank Demos. “Once a model is made open source publicly available for download, there’s no way to do a public rollback of that,” she adds.

One deepfake porn creator with 13 manipulated explicit videos of female celebrities credited one prominent GitHub repository marketed as a “NSFW” version of another project encouraging responsible use and explicitly asking users not to use it for nudity. “Learning all available Face Swap AI from GitHUB, not using online services,” their profile on the tube site says, brazenly.

GitHub had already disabled this NSFW version when WIRED identified the deepfake videos. But other repositories branded as “unlocked” versions of the model were available on the platform on January 10, including one with 2,500 “stars.”

“It is technically true that once \[a model is\] out there it can’t be reversed. But we can still make it harder for people to access,” says Seger.

If left unchecked, she adds, the potential for harm of deepfake “porn” is not just psychological. Its knock-on effects include intimidation and manipulation of women, minorities, and politicians, as has been seen with political deepfakes affecting female politicians globally.

But it’s not too late to get the problem under control, and platforms like GitHub have options, says Seger, including intervening at the point of upload. “If you put a model on GitHub and GitHub said no, and all hosting platforms said no, for a normal person it becomes harder to get that model.”

Reining in deepfake porn made with open source models also relies on policymakers, tech companies, developers and, of course, creators of abusive content themselves.

At least 30 US states also have some legislation addressing deepfake porn, including bans, according to nonprofit Public Citizen’s legislation tracker, though definitions and policies are disparate, and some laws cover only minors. Deepfake creators in the UK will also soon feel the force of the law after the government announced criminalizing the creation of sexually explicit deepfakes, as well as the sharing of them, on January 7.

GitHub’s Deepfake Porn Crackdown Still Isn’t Working

Seven system recovery programs contained what amounted to a backdoor for injecting any untrusted file into the system startup process.

Source: Ognyan Yosifov via Alamy Stock Photo

A vulnerability in trusted system recovery programs could allow privileged attackers to inject malware directly into the system startup process in Unified Extensible Firmware Interface (UEFI) devices.

Seven real-time recovery products — Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King — all make use of "reloader.efi," the Microsoft-signed Extensible Firmware Interface (EFI) file at issue.

The problem, ESET explains in a new report, is that reloader.efi uses a custom loader that enables the application to load even unsigned binaries during the boot process. In essence, it's a backdoor for sneaking any kind of file into a system's startup, past UEFI Secure Boot. The issue has been assigned CVE-2024-7344, and earned a "medium" 6.5 Common Vulnerability Scoring System (CVSS) rating, as it requires administrator privileges to exploit.

**Backdoor to the UEFI Boot Process**

The standard way to load, prepare, and execute UEFI images in system memory is with the autological LoadImage and StartImage functions. The Microsoft-approved "reloader" application goes its own way, using a custom mechanism that allows it to load any binary, trusted or otherwise, at startup.

"Maybe it's a lack of secure coding awareness," Martin Smolár, malware researcher at ESET, guesses of the developers' motives in implementing the custom loader. "Or maybe it's because they found it convenient to create such a functionality. Because when a developer makes a change \[to a signed program\] they need to send it to Microsoft to get it re-signed. This means that they don't need to every time they create a new update or something like that."

Reloader.efi loads arbitrary binaries from a specific, encrypted file, "cloak.dat." When ESET decrypted cloak.dat, it found that it contained an unsigned executable primarily designed for classroom environments. "Its core function is to provide real-time system recovery, ensuring that students from different classes can work in a teacher-predefined computer environment within shared computer labs," Smolár says, though he adds that the same component might be used in other settings, like public Internet cafes. The larger point is that the unsigned executable is run during the startup process, completely bypassing UEFI Secure Boot checks.

This odd classroom recovery software is perfectly honest, but an attacker could easily swap it out for something worse. If they could just get a hold of administrator privileges on a targeted machine, an attacker could access the EFI system partition (ESP) and substitute their own malicious file in place of cloak.dat. Then all they'd need is a quick system reboot to drop any malicious file they wished into the startup process.

**Why UEFI Bugs Are So Bad**

UEFI is a kind of sacred space — a bridge between firmware and operating system, allowing a machine to boot up in the first place.

Any malware that invades this space will earn a dogged persistence through reboots, by reserving its own spot in the startup process. Security programs have a harder time detecting malware at such a low level of the system. Even more importantly, by loading first, UEFI malware will simply have a head start over those security checks that it aims to avoid. Malware authors take advantage of this order of operations by designing UEFI bootkits that can hook into security protocols, and undermine critical security mechanisms like UEFI Secure Boot or HVCI (Hypervisor-Protected Code Integrity), Windows' technology for blocking unsigned code in the kernel.

To ensure that none of this can happen, the UEFI Boot Manager verifies every boot application binary against two lists: "db," which includes all signed and trusted programs, and "dbx," including all forbidden programs. But when a vulnerable binary is signed by Microsoft, the matter is moot.

Microsoft maintains a list of requirements for signing UEFI binaries, but the process is a bit obscure, Smolár says. "I don't know if it involves only running through this list of requirements, or if there are some other activities involved, like manual binary reviews where they look for not necessarily malicious, but insecure behavior," he says.

Microsoft has previously alluded to UEFI binaries being "approved through manual review." In response to an inquiry from Dark Reading, a Microsoft spokesperson provided the following clarification:

"Our process is designed to meet the evolving standard for analysis of third-party binary code, while ensuring effective scalability across our vast ecosystem. It begins with vetting and analysis with the partner, understanding the components they are requesting to be signed, and aspects of the design and functionality that may require additional security measures. Submissions are run through automated security analysis and are manually reviewed through a rigorous process. As a result, we may require additional security reviews, investigations with the submitting partner, or other mitigations. We remain committed to evolving our vetting process to better the security of our ecosystem as we operate within this ever-changing threat landscape."

ESET first discovered CVE-2024-7344 in July 2024. Since then, all vulnerable applications have been fixed, and Microsoft revoked the old, vulnerable binaries in its Jan. 14, 2025, Patch Tuesday update.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Trusted Apps Sneak a Bug Into the UEFI Boot Process

US president Joe Biden just issued a 40-page executive order that aims to bolster federal cybersecurity protections, directs government use of AI—and takes a swipe at Microsoft’s dominance.

Four days before he leaves office, US president Joe Biden has issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers.

The 40-page executive order unveiled on Thursday is the Biden White House’s final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems.

The order “is designed to strengthen America’s digital foundations and also put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters on Wednesday.

Looming over Biden’s directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems that the order identifies.

Trump hasn’t named any of his top cyber officials, and Neuberger said the White House didn’t discuss the order with his transition staff, “but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period.”

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

Another part of the directive focuses on the protection of cloud platforms’ authentication keys, the compromise of which opened the door for China’s theft of government emails from Microsoft’s servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days.

To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

Another part of the order boosts CISA’s ability to watch for cyberattacks across the government by tapping into the security software that other agencies operate. It’s an attempt to reduce visibility gaps that adversaries have successfully exploited in many intrusions, especially the 2020 SolarWinds hack. The order requires agencies to give CISA direct access to their security platforms and to allow CISA to conduct unannounced threat-hunting activities on their networks.

“If we find one particular technique that a foreign government is using to hack one particular federal agency,” Neuberger said, “this now … gives CISA centralized visibility to hunt across all agency systems to ensure we're defending against this attack broadly.”

The security risks and opportunities of AI play a major role in the executive order. The document directs the departments of Energy and Homeland Security to launch a pilot program to use AI to help protect energy infrastructure, with the goal of automating things like vulnerability detection and patching. The Defense Department would have to launch a program to use “advanced AI models” for cyber defense.

Biden also wants DHS, Commerce, and the National Science Foundation to prioritize research on topics like how humans and AI tools can coordinate to analyze cyber threat data, how to ensure the security of AI-generated code, how to design secure AI models, and how to prevent and recover from cyber incidents involving AI systems.

Biden’s order attempts to expedite agencies’ use of digital identity documents to streamline citizen services and reduce waste and fraud. The directive asks agencies to “consider accepting digital identity documents” as proof of eligibility for public benefits. Commerce would have 270 days to issue guidance to help agencies do so.

Other provisions in the executive order require government recommendations for securing open-source software; updates to cyber requirements in contracts for space systems; contracting changes to ensure that new technology supports post-quantum cryptography; and the use of encryption in DNS technologies, email systems, and voice and video conferencing platforms. There is also a provision requiring OMB to help agencies reduce risks associated with concentration in the IT market—a not-so-veiled shot at Microsoft.

The order also lowers the bar for the government to be able to sanction people who launch cyberattacks on US critical infrastructure, potentially easing barriers to deploying one of Washington’s favorite responses to major hacks.

A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More

The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

The FBI says it has removed PlugX malware from thousands of infected computers worldwide.

The move came after suspicion that cybercriminals groups under control of the People’s Republic of China (PRC) used a version of PlugX malware to control, and steal information from victims’ computers.

PlugX has been around since at least 2008 but is under constant development. With the remote access it provides criminals, it is often used to spy on users and plant additional malware on interesting systems.

Among others, the PlugX Remote Access Trojan (RAT) was used in a lasting campaign uncovered last year in which a Chinese group known as “Velvet Ant” used compromised F5 BIG-IP appliances to gain access to networks, managing to stay hidden for years.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented:

> “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.”

After researchers found out that thousands of infected machines reported to one specific IP address, they managed to seize control over the IP address that served as a Command & Control (C2) server.

In close cooperation with the French authorities, the FBI and Justice Department used this IP address to “sinkhole” the botnet. Sinkholing in this context means that the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole.

With control of the sinkhole, a specially configured DNS server can simply route the requests of the bots to a fake C2 server. This provides the controller of the sinkhole with valuable information about the affected systems and an opportunity to send commands to delete the PlugX version from the connecting devices.

FBI special agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office said:

> “The FBI worked to identify thousands of infected US computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”

The FBI says it is notifying those who had the malware deleted from their computers via their internet service providers (ISPs).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 PlugX malware deleted from thousands of systems by FBI 

Cybercriminals are exploiting the California wildfires by launching phishing scams. Learn how hackers are targeting victims with fake domains and deceptive tactics, and how to protect yourself from these cyber threats.

****SUMMARY****

*   **Cybercriminals are exploiting the California wildfires to launch phishing campaigns.**

*   **Veriti Research found fake domains like “malibu-firecom” designed to mimic legitimate services.**

*   **These domains aim to steal personal information or install malware under the guise of fire-related assistance.**
*   **Scammers are using fear and urgency to deceive victims into clicking fraudulent links.**

*   **Veriti urges heightened vigilance, though no active email campaigns have been detected yet.**

The recent California wildfires have not only devastated communities but have also become a lucrative event for cybercriminals. Exploiting the chaos and uncertainty surrounding the disaster, these malicious actors are employing sophisticated phishing tactics to take advantage of the situation.

Cybersecurity researchers at Veriti have identified numerous newly registered domains closely linked to the fires. These domains, such as “malibu-firecom” and “fire-reliefcom,” mimic legitimate services, luring unsuspecting victims with promises of fire evacuation assistance, recovery permits, and even fire coverage.

Screenshot of the homepage of one of the fake sites (Via Veriti Research)

“These domains exhibit patterns typical of phishing campaigns. Some aim to mimic official services like fire evacuation assistance, while others target specific localities, such as Malibu and Pacific Palisades. Early indications suggest these sites are being prepared to host fraudulent activities, including phishing attacks, fake donation requests, and malicious downloads,” the Veriti Research team noted in the blog post.

As per their research, these domains are likely being used to host phishing emails and websites designed to steal personal information, such as login credentials and financial details. Hackers leverage social engineering techniques, creating a sense of urgency and fear to manipulate victims into clicking on fraudulent links or downloading malicious software.

For example, a subdomain might offer “fire-related assistance” while secretly attempting to install malware on the victim’s device. This exploitation of disaster-related fears highlights the vulnerability of individuals and organizations during these critical times.

While no email campaigns utilizing these phishing domains have been identified yet, Veriti Research is actively monitoring them for any malicious activity.

The team stresses the need for people to stay alert and informed about these threats. Understanding how cybercriminals operate can help individuals and organizations protect themselves and reduce the chances of becoming victims. Here is the full list of domains Veriti Research identified within 72 hours:

fire-reliefcom

malibu-firecom

boca-on-firecom

palisades-firecom

Calfirerestorationstore

palisadesfirecoveragecom

fire-evacuation-servicecom

Pacificpalisadesrecoverycom

Lacountyfirerebuildpermitscom

1.  **Zika Virus Exploited by Scammers to Spread Malware**
2.  **#JeSuisCharlie Being Used by Hackers To Spread Malware**
3.  **Viral Facebook Links on Missing Malaysia Jet Are Malicious**
4.  **Hackers Sending Fake Ebola Virus reports in emails with Malware**
5.  **Online Scam Alert Associated with the Nepal Earthquake Disaster**
6.  **Florida Hurricane Victims Hit with Fake FEMA Claims, Malware Files**
7.  **Photos of Drowned Syrian Boy Exploited by Spammers on Facebook**
8.  **Russian Hackers hacked MH17 Crash investigators in phishing attack**

Latest News