The breach was carried out by exploiting CVE-2024-12356 in BeyondTrust cybersecurity company, just last week.

Source: trekandshoot via Alamy Stock Photo

NEWS BRIEF

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the third-party breach that affected the US Treasury Department at the hands of Chinese threat actors was limited to just that agency.

"CISA is working closely with the Treasury Department and BeyondTrust to understand and mitigate the impacts of the recent cybersecurity incident," the CISA stated in a brief bulletin. "At this time, there is no indication that any other federal agencies have been impacted by this incident."

The department alerted lawmakers on Dec. 30 to the intrusion, noting that cyber threat actors were able to compromise systems and steal data from workstations.

The adversaries broke into the Treasury Department by exploiting a bug in BeyondTrust, a vendor that offers software-as-a-service (SaaS)-based cybersecurity, and gained access to a remote key that secured a cloud-based service providing technical support to Treasury Department Offices' (DO) end users. From there, they were able to override security and remotely access Treasury DO workstations.

As CISA continues to monitor the situation, it reports that it is "working aggressively to safeguard against any further impacts and will provide updates, as appropriate."

BeyondTrust meanwhile updated its statement on the incident yesterday, stating that its forensic investigation is nearly complete, all SaaS instances of BeyondTrust Remote Support have been fully patched, and no new victims have been identified other than those previously communicated.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA: Third-Party Data Breach Limited to Treasury Dept.

The malware, found on a Russian cybercriminal site, impersonates e-commerce payment-processing services such as Stripe to steal user payment data from legitimate websites.

Source: Primakov via Shutterstock

A malicious plug-in found on a Russian cybercrime forum turns WordPress sites into phishing pages by creating fake online payment processes that convincingly impersonate trusted checkout services. Masquerading as legitimate e-commerce apps such as Stripe, the malware proceeds to steal customer payment data.

Called PhishWP, the WordPress plug-in was designed by Russian cybercriminals to be particularly deceptive, researchers from SlashNext revealed in findings published this week. In addition to mimicking the legitimate payment process that people would be familiar with to complete online transactions, it also has a key feature that make payment processes on transactions appear secure by allowing users to create one-time passwords (OTPs) during the process, they said.

Instead of processing payments, however, the payment gateway steals credit card numbers, expiration dates, CVVs, billing addresses, and more when people enter their personal data, thinking they are using a legitimate payment gateway. As soon as victims of the plug-in press "enter," the data is sent to a Telegram account controlled by the cybercriminals. Threat actors can use the plug-in like any WordPress plug-in, by either installing it on a legitimate but compromised WordPress site or creating a fraudulent site and using it there.

Related:Thousands of BeyondTrust Systems Remain Exposed

"PhishWP’s features make fake checkout pages look real, steal security codes, send your details to attackers right away, and trick you into thinking everything went fine," SlashNext security researcher Daniel Kelley wrote in the post.

This immediate turnaround of data "equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data — sometimes within minutes of capturing it," notes Jason Soroko, senior fellow at Sectigo, a certificate life-cycle management (CLM) firm, making it a fast return on their investment to use the plug-in for nefarious purposes.

**Other Key PhishWP Malware Features**

OTP hijacking is one of the plug-in's key features, which when combined provide attackers with a turnkey solution for hijacking payment pages. Included in these are the aforementioned customizable checkout pages that simulate common payment processes through "highly convincing" fake interfaces, Kelley wrote.

Another feature of PhishWP, browser profiling, captures data beyond payment info for the replication of user environments for use in potential future fraud. This includes IP addresses, screen resolutions, and user agents.

The plug-in also gives the hijacked checkout process added legitimacy by using auto-response emails to send fake order confirmations to victims, which delays suspicion and thus detection of the attack. And as mentioned before, PhishWP also integrates with Telegram to instantly transmit stolen data to attackers for potential exploitation in real time.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

The plug-in also comes in an obfuscated version for stealth purposes, or users can use its source code for advanced attacker customizations. Finally, PhishWP also offers multilanguage support so attackers can target victims globally.

**Browser-Based Protection From E-Commerce Phishing**

Creating malicious plug-ins for WordPress sites has become a cottage industry for cyberattackers, giving them a broad attack surface due to the popularity of the platform, which as of today is the basis for some 472 million websites, according to Colorlib, which provides WordPress themes.

One of the reasons that PhishWP — or any malicious WordPress plug-in — is so dangerous is that the malicious process is built directly into the browser, which makes it difficult to detect when it appears as a legitimate part of online engagement.

To defend against such threats, SlashNext recommends using phishing protection that also works from directly inside the browser to spot phishing sites before they reach the end user. These solutions, which are available within various browsers, work within browser memory to block malicious URLs before users engage with them. The company said this provides real-time threat detection and blocking capabilities that traditional security measures might miss.

Related:Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

Who are you? Who is the person behind the machine? Security involves asking people who they are all the time. Send us a cybersecurity-related caption to describe the above scene. Our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Jan. 28, 2025 deadline:

*   Via social media: X, Facebook, and LinkedIn. (New! Bluesky, too!) (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Marcello Delcaro, winner of the July contest "Cyber Cloudburst," for sending us the winning caption for December's "Shackled!" cartoon. Some noteworthy contenders included "Corporate says we're free to innovate — just not free to leave," "Now I know why they are called control systems," and "Phase 3 of the Cyber Kill Chain-Exploitation." A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Greetings and Salutations

We can't put defense on hold until Inauguration Day.

Christy Wyatt, President & Chief Executive Officer, Absolute Security

January 7, 2025

3 Min Read

Source: Albert Knapp via Alamy Stock Photo

COMMENTARY

In 1998, President Bill Clinton published the first White House national cyber policy. Since then, cyberattacks have evolved alongside the explosive growth of the digital world, as have laws, policies, and regulations. Although there's been continuous federal activity around cyber since the early days of the Internet, the level of seriousness and attitudes toward how much control government should exercise over technology and cybersecurity fluctuates, with debates continuing to rage over how free or controlled the tech markets should be.

With the upcoming changing of the guard in the US, those of us in the domestic cybersecurity and technology industries are all wondering where we will land. Will the Cybersecurity and Infrastructure Security Agency (CISA) be eliminated? Will we see a raft of new security, privacy, and compliance laws? Will current cybersecurity regulations be deprioritized? Will rapid deregulation undo much of what we've already adjusted to? No one really knows.

Despite the uncertainty, one thing cybersecurity and risk professionals all know is that cybercriminals aren't putting their plans on hold until after Inauguration Day. If anything, threat actors will ramp up activities to take advantage of this current period of post-election uncertainty. Those of us responsible for protecting the public and private sectors know that now isn't a time to debate which side has the better security plan. It's time to come together in our efforts to create a more resilient and secure nation. Of course, this is easier said than done. Every time we adopt a standard or best practice, some enterprising cybercriminal develops a new way to counter it. However, there are some basic and fundamental steps any organization that wants to thrive in the years to come should take.

**Defense Steps We Can Take Now**

*   Prioritize security: While policies may change, the fundamentals of keeping your organization secure and resilient do not. Your organization's ability to do business depends on proactive preparation. Don't wait for the next set of rules to be handed down from Washington — prepare now. 
    
*   Focus on recovery: Attacks and disruptions are inevitable; business continuity is essential. Evaluate and refine your remediation plans continually to ensure they address potential disasters. It's cliché to state that "failure to plan is planning to fail," but it's also true. Being prepared will reduce the time it takes you to recover from an incident.
    
*   Adopt common standards and language: Standards create a shared language for finding risks, and using existing frameworks will drive faster and more cohesive responses. Let's all get on the same page in terms of how we share information about challenges we face and which standards and frameworks map back to specific risks. This is an industry discussion and does not require any agency to facilitate this type of a forum. 
    
*   Own your cyber accountability: Governments, vendors, and enterprises all share responsibility for mitigating risks and ensuring continuity through adversity. You need to be ready to ride to your own defense — there is no calvary behind a digital hill ready to ride to your rescue.
    

Over the next 12 to 18 months, we can expect to see rapid and unpredictable changes. New challenges and risks will arise out of trade disputes, domestic policies, geopolitical events, and the growth of AI. The security problems we face today require a unified and focused approach. Changing administrations — anywhere in the world — should not distract us from the critical task at hand. Let's collectively commit to ensuring security and resilience for all organizations, whether they be part of the critical national infrastructure (CNI), an essential supply chain, or a favorite consumer brand. Remember, cybercriminals don't care about national cyber policy or politics. We can't put defense on hold until Inauguration Day.

**About the Author**

President & Chief Executive Officer, Absolute Security

Christy Wyatt is president and chief executive officer of Absolute Security, a leader in enterprise resilience, and the only endpoint and secure access provider embedded in more than 600 million endpoint devices globally.

Cybercriminals Don't Care About National Cyber Policy

The deal adds Phylum's technology for malicious package analysis, detection, and mitigation to Veracode's software composition analysis portfolio.

Source: Yury Zap via Alamy Stock Photo

NEWS BRIEF

Application security company Veracode has acquired malicious package analysis, detection, and mitigation technology from software supply chain security startup Phylum, along with some staff who worked on package analysis.

The technology will enhance Veracode's capabilities to identify and block malicious code in open source libraries, giving customers a more comprehensive view of the risks associated with using open source code, the company said. The new staff will join Veracode's security research team.

The deal comes at a time when organizations are increasingly concerned about the risks of vulnerabilities in open source code.

Founded in 2020, Phylum specializes in technologies for analyzing, detecting, and mitigating malicious software packages. The tools provide instant analysis of newly published packages, helping organizations identify and blocks in real time. Back in 2022, when Phylum won Black Hat's first Innovation Spotlight competition, co-founder Peter Morgan described package analysis as looking at risk indicators to create a "credit score for packages."

Phylum’s recent research identified nearly half a million malicious packages, including campaigns targeting finance and cryptocurrency companies.

Veracode's platform is used by organizations to scan code to understand exploitable risks, identify and remediate vulnerabilities, and reduce security debt. With Phylum's technology, Veracode can significantly reduce the attack window by helping customers identify the existence of malicious packages in their applications much faster, the company said.

The malicious package database and package management firewall will be integrated into Veracode's Software Composition Analysis product, with general availability expected early this year, Veracode said.

"With Phylum's unmatched database and cutting-edge research—proven to detect 60 percent more malicious packages than any other vendor—our customers will gain the confidence to innovate faster, knowing their software is protected against evolving threats," said Ravi Iyer, Veracode's chief product officer, in a statement.

Veracode did not disclose the financial terms of the transaction.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Veracode Buys Package Analysis Technology From Phylum

Cybersecurity industry visionary and renowned executive Amit Yoran has passed away after an almost one-year battle with cancer.

Amit Yoran, Source: Tenable

The cybersecurity industry reacted with shock at the loss of Amit Yoran, the renowned cybersecurity executive who helmed several of the biggest cybersecurity companies, including Tenable, RSA Security, and NetWitness. Yoran was also the founding director of the US Department of Homeland Security's US Computer Emergency Readiness Team (US-CERT) program.

Yoran, 54, died on Jan. 3. He had been in treatment for cancer since March 2024 and took a medical leave of absence on Dec. 5 to pursue additional treatment.

Yoran became the chairman and CEO of Tenable Holdings in 2016 following the retirement of co-founder Ron Gula; he also became the company's president in 2018. Yoran led the company's growth and successful $250 million Nasdaq initial public offering (IPO) in 2018. The exposure management company was valued at $2.1 billion at IPO; it is now worth $4.69 billion. In 2022, Tenable launched Tenable One, which combined vulnerability management, external attack surface management, identity management, and cloud security.

"Amit leaves behind an incredible legacy as a visionary, leader, colleague, mentor, brother, father, and friend. He touched the lives of so many within and beyond our company and he will be missed," Tenable said in a statement. "We understand that this news may come as a shock, and we encourage you to take the time to process this difficult loss." 

Prior to Tenable, Yoran served as president of RSA Security from 2014 to 2016. He founded threat detection and response platform NetWitness in 2006 and led the company until 2011, when it was acquired by RSA Security. In 1998, Yoran co-founded RIPtech, a managed security services provider that used sensor networks to protect government and corporate computers. RIPtech was acquired by Symantec for $145 million in 2002. Yoran, who graduated from the United States Military Academy at West Point in 1993, served in Homeland Security's National Cyber Security Division from 2003 to 2004 where he focused on critical infrastructure security and preparedness.

**True Leader in Cybersecurity**

Yoran helped shape the cybersecurity industry with his expertise, empathy, and leadership. His goal was to make the digital world safer for everyone, and toward that end, he acted as a mentor to many, shared his expertise with industry peers, and sat on a number of boards, including BlackLine and the Center for Internet Security. In a memo to employees, Tenable chief people and culture officer Bidgett Paradise called Yoran "a visionary leader and a guiding force who profoundly impacted our industry, company, culture, and community." Former colleagues and peers filled social media with acknowledgements of Yoran's contributions to the cybersecurity field and their personal stories of how Yoran had guided them.

"Amit was one of the true OGs in cybersecurity, and we grew up together in this space," George Kurtz, founder and CEO of competitor CrowdStrike, wrote on LinkedIn. "He was a brilliant leader who understood the mission of protecting organizations and people at a fundamental level. Beyond his work in the private sector, Amit's public service with the federal government underscored his dedication to securing the nation at large."

Yoran's "open letter to Okta" after the company disclosed a third-party breach had compromised customers in 2022 is a good example of how he called out the industry for its mistakes in a thoughtful and constructive way, while advocating for best practices in a straightforward manner. He wrote a similar note in 2023 after multiple reports of vulnerabilities in Microsoft Azure.

Yoran's two brothers, Dov and Elad, are both in cybersecurity. "Late last night, we lost a brother, a father, a son, a husband, a veteran, an industry titan and a drinking buddy," Dov Yoran, former Cisco executive now leading cyber investigation startup Command Zero, wrote on LinkedIn. "Amit Yoran was a force of nature. He was a true hero in how he touched and helped so many people in so many unthinkable ways."

Editor's Note: Amit was a leader in the industry who generously shared his time, expertise, and insight with Dark Reading over the years. He was a friend to many of us here at Dark Reading — we will miss his big heart and smile.

In Appreciation: Amit Yoran, Tenable CEO, Passes Away

These latest attacks follow a long string of cyberattacks and breaches targeting US and global telecom and ISP companies.

Source: Science Photo Library via Alamy Stock Photo

NEWS BRIEF

This past weekend, the Chinese state-backed hackers known as Salt Typhoon allegedly targeted their latest victims: Charter Communications, Consolidated Communications, and Windstream.

This comes after the group targeted a variety of other communications companies and ISPs, including AT&T, Verizon, and Lumen, accessing text messages, voicemails, and phone calls.

According to Anne Neuberger, White House deputy national security adviser for cyber and emerging technologies, nine US telecoms have been targeted and breached by Chinese hackers so far. Whether or not these latest three are included as a part of that list remains unclear.

Because of this tidal wave of Salt Typhoon telco breaches occurring in the US and around the world, the Cybersecurity and Infrastructure Security Agency (CISA) is advising senior government officials to switch to end-to-end encrypted messaging apps, such as Signal, in order to prevent the risk of interception.

"Possible targets of these Chinese attackers need to immediately follow the steps outlined by the FBI and NSA to help harden their systems against attack," said Chris Hauk, consumer privacy champion at Pixel Privacy, in an emailed statement to Dark Reading. "Patching and upgrading apps and devices, limiting the types of connections and privileged accounts, and only using strong encryption, are just some of the steps organizations can take to harden their systems against attack."

The US Department of Treasury has also made moves to mitigate risk from other Chinese threat groups, by sanctioning Integrity Technology Group, a Chinese cybersecurity company, for its role in Flax Typhoon-led incidents against US victims. That action comes after the Treasury Department was targeted by another Chinese state-backed threat actor.

Other major government developments include US Senator Ron Wyden (D-Ore.) announcing a bill aimed at securing American telecom infrastructure, and Federal Communications Commission (FCC) chair Jessica Rosenworcel stating that the agency will act with swiftness to ensure the cybersecurity of US carriers.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

China's Salt Typhoon Adds Charter, Windstream to Telecom Victim List

A fake Telegram Premium app delivers information-stealing malware, in a prime example of the rising threat of adversaries leveraging everyday applications, researchers say.

Source: Boris Kozlov via Alamy Stock Photo

A new advanced Android spyware threat called "FireScam" is using a fake Telegram Premium application to drop an infostealer on victims' phones that is able to track, monitor, and collect sensitive data on its victims.

Researchers at Cyfirma behind a new FireScam analysis said the campaign is part of a wider trend of threat actors finding success disguising malware as legitimate applications and services. In this case, they are abusing Firebase, a legitimate cloud platform widely used by developers of Google mobile and Web applications.

"By capitalizing on the widespread usage of popular apps and legitimate services like Firebase, FireScam exemplifies the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices," the report explained. "By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide."

The infection routine starts with a phishing site hosted on the GitHbub\[dot\]io domain, dressed up to look like the RuStore app store, the report said. The site delivers a malicious version of Telegram Premium, which then steals data from the targeted Android device, including notifications, messages, and more, and sends it to a Firebase Realtime Database endpoint.

Related:China's Salt Typhoon Adds Charter, Windstream to Telecom Victim List

Once installed, FireScam uses regular checks and analysis, command-and-control communications (C2), and data storage to maintain persistence and deliver additional malware, as needed, the report added.

"The FireScam malware campaign reveals a worrying development in the mobile threat landscape: malware targeting Android devices is becoming increasingly sophisticated," Eric Schwake, director of cybersecurity strategy at Salt Security, said in a statement. "Although using phishing websites for malware distribution is not a new tactic, FireScam's specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers' evolving techniques to mislead and compromise unsuspecting users."

**Solutions for Stopping Spyware Like FireScam**

With these threats becoming increasingly sophisticated, it's important for cyber defenders to focus on anomalous app activity, according to a statement from Stephen Kowski, field CTO at SlashNext Email Security+.

"Real-time mobile app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels," Kowski wrote. "The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised."

Related:EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

Schwake added that protecting application programming interfaces (APIs) can also help protect users from increasingly convincing phishing lures.

"Real-time mobile-app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels," Kowski wrote. "The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

FireScam Android Spyware Campaign Poses 'Significant Threat Worldwide'

The malware, operated by China-backed cyberattackers, has been significantly fortified with new evasive and post-infection capabilities.

Source: Antony Cooper via Alamy Stock Photo

An unknown attacker is wielding an updated version of a backdoor malware that was previously deployed against high-profile Southeast Asian organizations in targeted attacks, this time against ISPs and governmental entities in the Middle East.

Researchers at Kaspersky have detected a new variant of the EagerBee backdoor outfitted with various new components in attacks that demonstrate a significant evolution of the malware framework, they revealed in a blog post published today.

EagerBee is primarily designed to operate in memory to enhance its stealth capabilities and help it evade detection by traditional endpoint security solutions, according to Kaspersky. It's also unique in that it obscures its command shell activities by injecting malicious code into legitimate processes that are executed within the context of explorer.exe or the targeted user's session.

"These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze," Kaspersky senior security researcher Saurabh Sharma wrote in the post.

A previous variant of the malware was seen in attacks by a a trio of Chinese state-aligned threat clusters, which previously collaborated in Operation Crimson Palace to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.

Related:Deepfakes, Quantum Attacks Loom Over APAC in 2025

The latest version of EagerBee that was used in the Middle East attacks features several new advanced features, including a novel service injector designed to inject the backdoor into a running service, and a slew of previously undocumented plug-ins that can be deployed after the backdoor's installation.

"These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells, and more," Sharma wrote.

**Who Are the Cyberattackers Behind EagerBee?**

Previous researchers had attributed EagerBee to Chinese threat group Iron Tiger (aka Emissary Panda or APT27), one of numerous groups that often collaborate with other China-backed state-sponsored actors; that tends to make specific attribution of both attacks and malware murky.

Case in point: Kaspersky's latest analysis of the backdoor deployed in the Middle East attributes EagerBee to a different Chinese actor, CoughingDown. That's because there was a creation of services on the same day via the same Web shell to execute EagerBee and the CoughingDown Core Module in one of the attacks researchers analyzed, according to Sharma. Moreover, the researchers observed overlap in the command-and-control (C2) domain used both by EagerBee and the CoughingDown Core Module in the attack.

Related:Middle East Cyberwar Rages On, With No End in Sight

Further evidence discovered in the Middle East attacks linking EagerBee to CoughingDown includes code overlap in a malicious DLL file used in the attack with a multiplug-in malware developed by CoughingDown in late September 2020, according to Sharma. "We assess with medium confidence that the EagerBee backdoor is related to the CoughingDown threat group," he wrote.

**EagerBee Backdoor Malware's Advanced Features**

The Kaspersky team identified key new plug-in features of EagerBee that are all run by a plug-in orchestrator module to execute commands that perform various malicious activities.

The orchestrator exports a single method responsible for injecting the module into memory and subsequently calling its entry point. In addition to victim-specific data collected by the malware, this plug-in gathers and reports various other information — such as current usage of physical and virtual memory, system locale and time-zone settings, and Windows character encoding — about the infected system to the C2 server.

After transmitting this information, the plug-in orchestrator also reports whether the current process has elevated privileges and then collects details about all running processes on the system. Once the information is sent, the plug-in orchestrator waits for commands to execute, which are carried out by the various backdoor plug-ins.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

These include a file manager plug-in that is responsible for, among other things, renaming, moving, copying, and deleting files; reading and writing files to and from the system; and injecting additional payloads into memory. Another process manager plug-in lists running processes in the system; launches new modules and executes command lines; and terminates existing processes.

Two other plug-ins found in the novel variant include a remote access manager that facilitates and maintains remote connections while also providing command shell access, and a service manager that manages system services, including installing, starting, stopping, deleting, and listing them.

**Malware Sophistication Demands Cyber Defender Vigilance**

Despite links to CoughingDown, Kaspersky researchers could not determine the initial infection vector for the deployment of EagerBee.

In the previous attacks using the backdoor in Asia, attackers leveraged the now infamous Exchange ProxyLogon flaw as the initial entry point; however, there is no evidence of this in the attacks here, according to Kaspersky. However, the researchers still recommend that defenders promptly patch ProxyLogon to secure their network perimeter, as it "remains a popular exploit method among attackers to gain unauthorized access to Exchange servers," Sharma noted.

Overall, the emergence of a fortified variant of EagerBee in attacks in the Middle East demonstrates how attackers continue to advance malware frameworks in terms of both ability to evade detection and the sheer breadth of malicious functionality they can achieve, demanding that organizations also up their security game, he said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

New security regulations are more than compliance hurdles — they're opportunities to build better products, restore trust, and lead the next chapter of innovation.

Source: Panom Bounak via Alamy Stock Photo

COMMENTARY

The regulatory clock is ticking on the Internet of Things (IoT). In October, European lawmakers officially adopted the Cyber Resilience Act, ushering in much-needed security thresholds for connected devices across the region. Meanwhile, United Kingdom makers are already navigating world-first device security and privacy rules, and the United States is preparing to launch its Cyber Trust Mark.

It's about time. For too long, default passwords and weak authentication practices were accepted as the status quo in connected devices, wreaking post-pandemic botnet and hacker havoc. But now, amid the rapid rise of endpoints powering the smart home and office, governments are finally taking a stand and setting standards.

For manufacturers, this regulatory reckoning is unavoidable across the world's most lucrative markets, forcing them to get up to code or fall behind. What's clear is the sooner companies evolve, the better the outcome for troubleshooting, performance, and users. Let's explore the urgency and opportunity for connected device creators heading into 2025.

**Profits Over Protection**

Device makers haven't done themselves any favors over the past few years. Many are cutting corners and abandoning cybersecurity cornerstones in a race to the lowest price. Default passwords, non-existent software updates, and zero vulnerability testing are creating bigger attack vectors ripe for exploitation. Botnets, for example, are booming, with botnet-driven distributed denial-of-service (DDoS) devices increasing by five times in the past year. Even more concerning? Device numbers will double over the next 10 years, to more than 40 billion worldwide, quadrupling the pre-pandemic figure. Something's got to give, and governments know it.

Europe, in the footsteps of the General Data Protection Regulation (GDPR), is again leading the tech regulation charge. The Cyber Resilience Act is the most comprehensive suite of coming changes, with an obligation for manufacturers to protect their Internet-connected products from unauthorized access throughout their life cycle. This demands products without known exploitable vulnerabilities — a tall order requiring design, development, and production that ensures an appropriate security level at all times.

Meanwhile, the UK's Product Security and Telecommunications Infrastructure Act tackles many of the same themes but with a lower bar to clear. Passed in April, the act requires minimum security update periods (rather than lifetime) and mandatory security issue reporting back to consumers. The best part of this act is the ruling on passwords — devices must either have a randomized password or generate a unique one during initialization. This is a great step that goes a long way to stopping hackers from accessing smart devices, infecting local networks, and creating botnets.

Finally, the US is betting on market forces. The Cyber Trust Mark, similar to Energy Star, offers voluntary certification for products meeting "robust" security standards. The hope? Consumer choice will drive industry change. One thing is evident across markets: Governments are taking this threat seriously and acting accordingly. It's now up to makers to meet the moment and move in kind.

**Move Now or Move Aside**

My advice to connected device makers? Prepare now. If you want access to the world's largest markets (and I suspect you do), there's only a short window to get up to code. Sure, Europe's act is now in a three-year transition before taking full effect, but getting this right demands investment, time, and troubleshooting. These are big hurdles, and 2027 isn't far away.

This is something we learned from the GDPR. The new rules didn't just require writing a report — they demanded system adjustments and subsequent costs. On average, firms spent more than €1 million ($1.06 million) on readiness initiatives, but justified the investment by retaining access to the bloc and avoiding business-threatening fines (not to mention better protecting consumer data).

So, what does this say to device makers? Simple — start getting up to standard now with best practice authentication, encryption, and communication. Make sure security updates are part of your product planning, reconsider your approach to passwords, and implement consistent testing, patching, and reporting. Yes, this takes valuable resources, but the payoff is clear — better products, stronger security, and lasting consumer trust.

**This Is Beyond Compliance**

I'm relieved to see these regulations come into force. Device makers have lacked respect for their creations, consumers, and — frankly — themselves for several years. The rise of cheap and lazy products isn't an accurate reflection of IoT ingenuity. Sincerely, I hope these regulations weed out the bad apples, set an acceptable bar of baseline requirements, and give confidence back to consumers and enterprises.

Device makers, it's now up to you. Don't just treat these new regulations as mere compliance hurdles, but seize them as opportunities to build better products, restore trust, and lead the next chapter of our sector's innovation.

**About the Author**

CEO & Founder, Nabto

Carsten Rhod Gregersen is an IoT expert with more than two decades in software and innovation. Carsten is the founder of Nabto, the platform providing peer-to-peer communications for connected devices. His areas of expertise span critical domains including cybersecurity, technology regulation, and the impact of IoT.

Source

DARKReading