PRESS RELEASE

RALEIGH, N.C., Oct. 28, 2024 /PRNewswire-PRWeb/ -- ALL THINGS OPEN 2024 -- After a year-long, global, community design process, the Open Source Definition (OSAID) v.1.0 is available for public use.

The release of version 1.0 was announced today at All Things Open 2024, an industry conference focused on common issues of interest to the worldwide Open Source community. The OSAID offers a standard by which community-led, open and public evaluations will be conducted to validate whether or not an AI system can be deemed Open Source AI. This first stable version of the OSAID is the result of multiple years of research and collaboration, an international roadshow of workshops, and a year-long co-design process led by the Open Source Initiative (OSI), globally recognized by individuals, companies and public institutions as the authority that defines Open Source.

"The co-design process that led to version 1.0 of the Open Source AI Definition was well-developed, thorough, inclusive and fair," said Carlo Piana, OSI board chair. "It adhered to the principles laid out by the board, and the OSI leadership and staff followed our directives faithfully. The board is confident that the process has resulted in a definition that meets the standards of Open Source as defined in the Open Source Definition and the Four Essential Freedoms, and we're energized about how this definition positions OSI to facilitate meaningful and practical Open Source guidance for the entire industry."

"The new definition requires Open Source models to provide enough information about their training data so that a 'skilled person can recreate a substantially equivalent system using the same or similar data,' which goes further than what many proprietary or ostensibly Open Source models do today," said Ayah Bdeir, who leads AI strategy at Mozilla. "This is the starting point to addressing the complexities of how AI training data should be treated, acknowledging the challenges of sharing full datasets while working to make open datasets a more commonplace part of the AI ecosystem. This view of AI training data in Open Source AI may not be a perfect place to be, but insisting on an ideologically pristine kind of gold standard that will not actually be met by any model builder could end up backfiring."

"We welcome OSI's stewardship of the complex process of defining Open Source AI," said Liv Marte Nordhaug, CEO of the Digital Public Goods Alliance (DPGA) secretariat. "The Digital Public Goods Alliance secretariat will build on this foundational work as we update the DPG Standard as it relates to AI as a category of DPGs."

"Transparency is at the core of EleutherAI's non-profit mission. The Open Source AI Definition is a necessary step towards promoting the benefits of Open Source principles in the field of AI," said Stella Biderman, executive director at the EleutherAI Institute. "We believe that this definition supports the needs of independent machine learning researchers and promotes greater transparency among the largest AI developers."

"Arriving at today's OSAID version 1.0 was a difficult journey, filled with new challenges for the OSI community," said OSI Executive Director, Stefano Maffulli. "Despite this delicate process, filled with differing opinions and uncharted technical frontiers—and the occasional heated exchange—the results are aligned with the expectations set out at the start of this two-year process. This is a starting point for a continued effort to engage with the communities to improve the definition over time as we develop with the broader Open Source community the knowledge to read and apply OSAID v.1.0."

The text of the OSAID v.1.0 as well as a partial list of the many global stakeholders who endorse the definition can be found here:

https://opensource.org/ai

About the Open Source Initiative   
Founded in 1998, the Open Source Initiative (OSI) is a non-profit corporation with global scope formed to educate about and advocate for the benefits of Open Source and to build bridges among different constituencies in the Open Source community. It is the steward of the Open Source Definition and the Open Source AI Definition, setting the foundation for the global Open Source ecosystem. Join and support the OSI mission today at https://opensource.org/join.

The Open Source Initiative Announces Open Source AI Definition

PRESS RELEASE

LONDON, Oct. 28, 2024 /PRNewswire/ -- VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 2024 Email Threat Trends Report, shedding light on the evolving cybersecurity landscape. This comprehensive analysis of real-world data reveals the sophisticated strategies and techniques employed by cybercriminals, with a particular persistent focus on the highly lucrative tactic of business email compromise (BEC). VIPRE processed 1.8 billion emails globally, of which 208 million were malicious.

BEC impersonation weaponisation  

In this third quarter of 2024, cybercriminals intensified their efforts to exploit organisational vulnerabilities through employee deception. BEC scams surged, accounting for 58% of phishing attempts. Notably, 89% of these BEC attacks involved impersonation of authority figures, including CEOs, senior executives, and IT staff, underscoring the sophisticated tactics employed by malicious actors.

BEC aims for the manufacturing sector 

The manufacturing sector saw a significant rise in BEC attacks, potentially driven by financial fraud. These incidents increased from just 2% in Q1 to 10% in Q3 this year. This rise may be attributed to the industry's widespread use of mobile sign-ins at various worksites. Employees accessing systems "on the go", often under pressure to meet production deadlines, are more susceptible to phishing attempts.

Subtler tactics are a larger threat

Email threats in Q3 were dominated by scams (34%), commercial spam (30%), and phishing (20%). These email threats overshadowed ransomware and malware combined, which comprised less than 20% of all email attacks. Interestingly, despite their lower prevalence, ransomware and malware continue to receive disproportionate attention from the cybersecurity industry.

Sneakier attachments 

To counter advancing email security solutions, criminals are deploying increasingly more intricate methods to bypass defenses. Attackers are employing sneakier techniques such as disguising malicious attachments as voicemail recordings or critical security updates to lure unsuspecting users into downloading them.

Additionally, Microsoft PDFs and .DOCX files remain the most common forms of malicious attachments. In Q3 2024, 2.18 million emails were detected containing harmful attachments, marking a 30% increase from the previous quarter's 21% attachment-based attacks.

Phishing links and compromised websites

Cybercriminals continue to favour the URL redirection technique, a tactic that typically proves effective at evading security controls. This deceptive ploy utilises a "clean" URL within the body of the email, which then redirects unsuspecting users to a malicious one once inside. In Q3 2024, URL redirection accounted for 52% of such attacks, leading victims to meticulously crafted fraudulent websites designed to appear authentic, and gain trust.

Malspam pendulum swing from malicious links to attachments

When it comes to malspam, there is a pendulum swing from a preference for malicious links to attachments. During Q3, malspam efforts were centered on malicious attachments (64%), while only 36% employed a link. The attachment formats used were predominantly LNK, ZIP, and DOCX. Only a quarter ago, links were the tool of choice by a factor of nearly nine-to-one (86% links to 14%).

The 'Malware Family of the Quarter' goes to Redline

Redline is the top malspam family of Q3 2024, a spot it has maintained since the corresponding quarter in 2023. RedLine is designed to steal sensitive information from web browsers, such as credentials and payment data. Typically distributed via phishing emails or malicious websites, it sends stolen data to a command-and-control server controlled by the attacker. It can completely take over a compromised machine and uses multiple infiltration methods.

"The findings of this report yet again illustrate the sophistication of criminal tactics. BEC email and phishing attacks are becoming more targeted and convincing," Usman Choudhary, CPTO, VIPRE Security Group, says. "Additionally, malware distribution through malicious spam campaigns continues to pose a serious threat to organisations. These findings stress the critical need for robust cybersecurity measures and ongoing employee education to combat these evolving threats, especially as bad actors gear up for the upcoming holiday season – Black Friday, Thanksgiving, Christmas, and New Year."

To read the full report, click here: VIPRE's Email Threat Trends Report: Q3 2024. 

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock vigilance of the cybersecurity landscape.

About VIPRE Security Group

VIPRE Security Group, part of Ziff Davis, Inc., is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With over 25 years of industry expertise, VIPRE is one of the world's largest threat intelligence clouds, delivering exceptional protection against today's most aggressive online threats. Our award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and security awareness training for compliance and risk management. VIPRE solutions deliver easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services operating globally across North America and Europe.

Business Email Compromise (BEC) Impersonation: The Weapon of Choice of Cybercriminals

PRESS RELEASE

NEW YORK, Oct. 28, 2024 /PRNewswire/ -- Casap, a disputes automation and fraud prevention platform, has raised $8.5 million to scale the first AI-powered solution for banks, credit unions and fintechs to intelligently tackle first-party fraud and automate disputes and chargebacks. The recent round was led by Lightspeed Venture Partners with participation from Primary Venture Partners, Commerce Ventures, Curql, Alloy Labs, and notable fintech founders and execs from Chime, Robinhood, Square, Current, Novo, and Alloy. The funding will enable Casap to continue to scale its AI decisioning, helping financial institutions reduce operational costs, curb fraud-related losses, and transform the consumer experience.

"The surge in first-party fraud and dispute volumes are overwhelming financial institutions," said Shanthi Shanmugam, co-founder and CEO of Casap. "Our platform helps banks, credit unions and fintechs meet these challenges head-on with intelligent automation that delivers fast, frictionless dispute resolution at a fraction of today's cost. By empowering institutions to identify fraudulent claims early and resolve legitimate cases swiftly, Casap is transforming what is often a frustrating customer service experience into an opportunity to build consumer loyalty."

Financial institutions are under immense pressure to resolve the 238 million chargebacks that emerge annually, most of which take 45-90 days to resolve. First-party fraud has consistently risen year over year since COVID, with more consumers disputing legitimate charges to avoid payment. This surge, combined with a growing tendency to file disputes directly with payment providers instead of merchants, has led to overwhelming volumes and substantial financial losses. Institutions are forced to hire large teams, navigate complex regulations, and outsource chargebacks yet still struggle to meet consumer expectations — 50% of consumers will switch banks if they are not getting the service they want and expect, leading to long-term attrition and escalating costs.

Casap's AI-powered automations and proprietary "first-party fraud score", similar to an industry-standard FICO score, combine to resolve a dispute end-to-end without human intervention. The platform intelligently analyzes evidence, predicts outcomes, and automates key actions — such as issuing credits, filing chargebacks, and responding to merchants — while using its fraud score to identify suspicious consumers and merchants to proactively reduce disputes.

"Our team was impressed by the deep expertise Shanthi and Saisi brought to what is a cross-industry problem with significant scale. The company's early momentum is a promising indication of the type of compounding technological innovation we look for," says Aaron Frank, Partner at Lightspeed.

Casap's chargeback model, the first of its kind, includes publicly available weights — putting Casap at the forefront of innovation and sets a new standard for transparency in the industry. With built-in regulatory expertise and key integrations, Casap's advanced AI and decisioning capabilities cut resolution times from days to minutes, driving significant cost savings and enhancing operational efficiency for financial institutions.

Casap is already delivering measurable results for customers across the payments ecosystem, from major fintechs and established institutions like Chartway Credit Union to Banking-as-a-Service providers and sponsor banks.

"Before Casap, our team lacked the tools to effectively resolve disputes or file chargebacks, leading to a negative member experience and limited ability to improve the process," said Karin Collier, Director of Card Services at Chartway Credit Union. "Partnering with Casap has revolutionized how we think about disputes. With Casap's built-in regulatory expertise and AI-powered automation, we get to drive fast, accurate dispute outcomes, catch friendly fraud early, achieve higher NPS, all while seeing an immediate positive impact on our bottom line. Casap's customizability helps us adapt quickly to evolving needs, fraud trends, and transforms the way we work across the credit union. With Casap, AI is more than a tool—it's the engine driving our mission to create an unparalleled member experience. We're excited to continue partnering with Casap to transform how we operate across the back-office and set a new benchmark for exceptional member service."

"Choosing Casap as our multi-year partner for disputes and fraud management was an easy decision," continues Collier. "The partnership delivers immediate impact, with 29% cost savings from day one with even greater efficiencies projected just a month out. More importantly, Casap enables us to build trust by offering our members a fast, seamless self-service experience that sets a new standard for dispute resolution."

Casap is committed to making its platform the best-in-class solution for resolving disputes and chargebacks, helping customers achieve results up to four times faster than competitors in the space.

"Consumer trust is the lifeblood of financial institutions," Shanmugam continues. "Casap gives banks, credit unions and fintechs the tools they need to resolve genuine disputes quickly, while curbing the rising costs of fraud. We're not just solving a back-office problem—we're reshaping how institutions build trust and loyalty in the face of fraud."

Before founding Casap, Shanthi Shanmugam and Saisi Peter spent years driving innovation at fintech powerhouses Chime and Robinhood, with a focus on delivering seamless, consumer-first experiences. Their expertise in revolutionizing the way we operate payments has fueled Casap's rapid growth and early momentum.

Casap has also been recognized by industry leaders, winning the NACUSO 2024 Next Big Idea Competition.

About

Casap is an AI-powered disputes automation and fraud prevention platform. With built-in regulatory expertise and network integrations, Casap's intelligent automation identifies fraudulent claims early and delivers fast, frictionless dispute and chargeback resolution at a fraction of today's cost. Growing financial institutions use Casap to scale with a triple shield — back office efficiencies, fraud protection, and consumer delight. Casap is backed by top-tier VCs and notable fintech founders. Learn more at casaphq.com.

Casap Secures $8.5M in Funding

With a lack of cybersecurity awareness training resources for all employees, organizations are more susceptible to being breached or falling short when it comes to preventing threats.

New studies show that cybersecurity executives often fail to prioritize software security training for the entirety of a company, instead only deeming it necessary for a select few — and not always for the right reasons.

Nearly half of cybersecurity leaders who provide these kind of training tools don't consider awareness efforts to be essential within their organizations, according to a study conducted by CMD+CTRL Security and Wakefield Research. In addition to this, half of the leaders who do provide security training do so to build a "security culture," but only 41% say they provide training because of the increased risk from third parties and supply chains.

In "Enhancing Cybersecurity: The Critical Role of Software Training," the research data showed that executives who implement these kinds of trainings are highly motivated by factors such as customer satisfaction, time to market, and financial costs when implementing training resources.

Further, cyber leaders who recognize the need for this kind of software security training don't tend to prioritize customized training solutions, either because they don't consider it important or because they don't have the resources to provide it. Ultimately, this leads to a focus on developer-only training, or broad-based training programs that aren't effective, according to the findings.

With the risks that come with inadequate training, however, it's essential that company executives implement effective resources for all employees, tailored to their roles in an organization, the research concluded: "Employees gain the knowledge and skills necessary to identify vulnerabilities and adhere to best practices, learning about the latest threats and how to mitigate against them. This ultimately leads to fewer cyber breaches and a better resilience in an organization's supply chain."

**About the Author**

Cybersecurity Training Resources Often Limited to Developers

A new variant of the sophisticated attacker tool gives cybercriminals even more control over victim devices to conduct various malicious activities, including fraud and cyber espionage.

Source: Brian Jackson via Alamy Stock Photo

A new variant of a sophisticated malware that helps attackers carry out advanced voice and mobile phishing (aka vishing and mishing) attacks against Android users has evolved with new capabilities that extend their control over compromised devices to commit further malicious activities.

FakeCall, a malware that's been tracked by various research groups since at least 2022, conducts the attacks by tricking victims into calling fraudulent phone numbers controlled by the attacker, and then impersonating a typical conversation with bank employees or other entities aimed at defrauding the user in some way.

FakeCall's capability historically lies inherently in its design for communicating with an attacker-controlled command-and-control (C2) server, enabling it to execute a range of actions aimed at deceiving the end user. In addition to allowing attackers to control a person's phone calls, it also allows them to gain access to various permissions to Android devices for other malicious activity.  

Researchers at Zimperium zLabs now have discovered a new variant of FakeCall that adds novel capabilities — some of which appear to be under development — that give attackers even more capabilities to monitor people's device activity and control the device with even more precision, they revealed in a blog post published today.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

The variant demonstrates attackers coming up with new and strategic ways to create a more seamless integration with Android devices, which can help the malware avoid detection and remain active on a user's device without them knowing, the researchers found.

**FakeCall's Extension of Malicious Capabilities**

Specifically, one of the features allows for the malware to integrate with Android's Accessibility Service to give attackers "significant control over the user interface and the ability to capture information displayed on the screen," according to the post.

The feature demonstrates how attackers can evolve past simple device permissions to abuse an even more complex attack vector, "granting attackers near-total control to intercept calls, access sensitive data, and manipulate the user interface," notes Jason Soroko, senior fellow at Sectigo, a provider of certificate life-cycle management (CLM).

By seamlessly mimicking legitimate interfaces, attackers also are making detection by users "nearly impossible," he says, highlighting a critical need for advanced security solutions capable of detecting this threat.

Other new features extend FakeCall's persistent spyware capabilities, which have existed since it was first discovered and set it apart from other vishing and mishing attacks, which tend to be a one-time engagement. One of these is a Bluetooth receiver that acts as a listener to monitor Bluetooth status and changes, while the other is similar, but it acts as a screen receiver to monitor the state of the device's screen.

Related:French ISP Confirms Cyberattack, Data Breach Affecting 19M

**How a FakeCall Attack Works**

FakeCall was first detailed by researchers at Kaspersky in April 2022 as a banking Trojan with extended capability to intercept calls that users make with their banks, to create a fake customer-service experience for malicious purposes.

The malware also had some spyware capabilities, including a feature to turn on a device's microphone and send recordings from it to an attacker's C2 server; the ability to secretly broadcast audio and video from the phone in real time; and the option to pinpoint device location.

A typical FakeCall attack begins when victims download a malicious APK file (masquerading as a legitimate app) onto an Android mobile device through a phishing attack, which acts as a dropper for FakeCall. When launched, the app prompts the user to set it as the default call handler and, once designated, attackers can manage all incoming and outgoing calls. The malware then displays a custom interface mimicking the native Android dialer, seamlessly integrating its malicious functionality.

Related:Delta Launches $500M Lawsuit Against CrowdStrike

While the primary function of FakeCall is to monitor outgoing calls and transmit info to attackers via a C2 server, cyberattackers also can commit other malicious activities using the malware. These include identity fraud, which can be done by exploiting FakeCall's position as the default call handler. The malware can modify the dialed number, replacing it with a malicious one and thus deceiving users into making fraudulent calls.

Attackers also can use FakeCall's adversary-in-the-middle (AitM) approach to hijack incoming and outgoing calls, to make unauthorized connections with other mobile device users. "In this case, users may be unaware until they remove the app or restart their device," according to the post.

**Defending Against FakeCall Attacks**

As vishing and mishing attacks have become a worldwide epidemic that defrauds users of millions of dollars annually — including even the most tech-savvy individuals — it's imperative that people learn to defend themselves from sophisticated versions of these attacks, experts say.

One way to do this is to scrutinize carefully any Android apps being downloaded or used on devices, and to only acquire apps from trusted app stores, Soroko says.

FakeCall is especially dangerous to enterprises given that mobile these days is a primary tool for doing business. This makes compromise of that device potentially "catastrophic," notes Mika Aalto, co-founder and CEO at Hoxhunt, a human risk management platform.

To avoid this scenario, the most important thing that companies can do, Aalto says, is to "equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing attack."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Vishing, Mishing Go Next-Level With FakeCall Android Malware

Outages are inevitable. Our focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is about keeping bad actors out while maintaining stability and reliability.

Source: Igor Goncharenko via Alamy Stock Photo

COMMENTARY

In an era where digital security is paramount, organizations invest heavily in cybersecurity tools to defend against cyberattacks. However, these same tools — designed to protect — can sometimes be the cause of major disruptions. From botched updates to unforeseen errors in protective software, the very systems meant to safeguard us can lead to widespread outages, with the recent cases of CrowdStrike and Verizon standing out as prime examples. 

**The Fine Line Between Protection and Disruption**

Cybersecurity solutions are essential in our interconnected world, helping businesses and governments protect sensitive data, infrastructure, and user privacy. However, when improperly handled, even the best tools can turn from protectors into sources of failure. 

Known for its strong cybersecurity offerings, CrowdStrike rolled out a threat intelligence update to its Falcon platform in July that inadvertently caused a major global outage, affecting airlines, banks, and hospitals. This incident, which resulted from a software glitch during the delivery of its "Rapid Response Content" threat signatures, left critical services temporarily offline, reminding us that even the most advanced security systems aren't infallible. 

Similarly, in September, Verizon experienced a massive network outage that left millions of customers without mobile service across the US. Although the exact cause of the outage is still under investigation, fears of a cyberattack have been discussed. However, early signs suggest that it could have stemmed from a technical issue or mismanagement during a network upgrade — further highlighting how small oversights in maintaining or updating network infrastructure can have outsized consequences. 

**The Domino Effect: More Than Just an Inconvenience**

When cybersecurity or networking systems fail, the impact often ripples far beyond the initial disruption. Take Verizon's outage as an example: Businesses dependent on the network lost critical communication channels, customer service teams were unable to assist clients, and productivity ground to a halt for countless users. These events illustrate the profound dependency modern society has on digital infrastructure, and when that infrastructure falters, so do economies, health services, and day-to-day life. 

But outages like these also create windows of opportunity for cybercriminals. When networks are down or overwhelmed, attackers may exploit system vulnerabilities or use the chaos as cover for more nefarious activities, such as distributed-denial-of-service (DDoS) attacks, ransomware deployments, or supply chain compromises. Therefore, resilience and proper update protocols are just as important as the defensive capabilities of any cybersecurity tool. 

**Lessons for the Industry**

These high-profile outages, including Verizon's and CrowdStrike's, serve as reminders that robust cybersecurity involves more than just tools — it requires continuous testing, resilience planning, and careful management of system updates. 

Key takeaways for businesses include: 

*   Test updates thoroughly: Even the best security patches can introduce new risks if not properly vetted. 
    

*   Invest in incident response: Prepare for outages or failures by developing comprehensive response plans that prioritize minimizing downtime and ensuring customer communication. 
    

*   Stay vigilant: Disruptions provide opportunities for attackers. Ensure that security monitoring continues even during outages. 
    

**Looking Forward**

As technology evolves, so must our approach to cybersecurity. While outages are inevitable, the focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is not just about keeping bad actors out — it's also about maintaining stability and reliability within the infrastructure itself. 

Cybersecurity tools must balance protection with resilience, ensuring that the systems designed to defend us don't inadvertently cause more harm. 

**About the Author**

Director of Security, Owlet Baby Care

Yvonne Dickinson is currently the Director of Security for a global and publicly traded company. Her depth of expertise resides within application and cloud security, although she is a generalist across the other security domains. Yvonne is extremely passionate about advocating for women in STEM fields and strives to make an impact where she can. Although her official title is Security Director, that job is secondary to her primary role as CMO — Chief Mom Officer — to her family. As a technical leader, she strives to find balance in her work and her home so she can succeed at both her jobs, and she empowers her team to do the same.

When Cybersecurity Tools Backfire

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Source: Tierfotoagentur via Alamy Stock Photo

Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.

Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.

Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.

These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, allowing cyberattackers an array of powers imaginable from a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**CrossBarking Opera Browser Attack**

The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.

Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.

That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.

So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and covered its maliciousness enough to get approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.

Related:When Cybersecurity Tools Backfire

To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.

"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — \[we didn't\] have enough time to check all of the possibilities."

**Security vs. Functionality in Browser APIs**

In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.

Related:Recurring Windows Flaw Could Expose User Credentials

To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.

"The infrastructure of Chromium is \[such that\] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.

He adds: "In this case, again, it wasn't even in their \[app store\]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. \[They have to see\] the entire ecosystem, not only this vulnerability, to keep up with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

Source: tdhster via Shutterstock

All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.

Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

**Variant of Two Previous Vulnerabilities**

The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.

Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I originally found two key,value pairs that could accept file paths," he says.

The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This \[meant\] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).

**Microsoft Will Act 'As Needed'**

What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft \[on\] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."

A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company does not appear to have issued a CVE, or vulnerability identifier, for the new issue yet.

Like the two previous Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting \[an\] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."

Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "\[An\] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, it's more likely than an attacker would try to exploit the flaw in a targeted campaign more so than in a mass exploit.

Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Recurring Windows Flaw Could Expose User Credentials

A professional-grade tool set, appropriately dubbed "CloudScout," is infiltrating cloud apps like Microsoft Outlook and Google Drive, targeting sensitive info for exfiltration.

Source: Design Pics Inc. via Alamy Stock Photo

The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a sleek, professional post-compromise toolset that retrieves data from various cloud services by leveraging stolen Web session cookies.

That's according to researchers at ESET, who uncovered CloudScout while investigating a pair of past breaches in Taiwan (targeting a religious institution and a government entity).

CloudScout is written in .NET, and it's designed to work seamlessly with MgBot, Evasive Panda’s proprietary malware framework. Via a plug-in architecture, MgBot feeds CloudScout previously stolen cookies, which it then uses to access and infiltrate data from the cloud, using the pass-the-cookie technique to hijack authenticated sessions from Web browsers.

ESET researchers observed individual CloudScout modules targeting Google Drive, Gmail, and Outlook, but in all, they believe Evasive Panda has developed modules for attacks on least 10 different cloud apps.  

"These modules are designed to access public cloud services … by hijacking authenticated Web sessions," according to ESET's analysis, released on Oct. 28. "This technique relies on stealing cookies from a Web browser database, then using them in a specific set of Web requests to gain access to cloud services," thus avoiding authentication checks like two-factor authentication (2FA) and IP tracking.

Related:Mobile Apps With Millions of Downloads Expose Cloud Credentials

After authentication, the CloudScout modules use a set of hardcoded Web requests, as well as complex HTML parsers to identify and extract any data of interest from Web responses, such as email folder listings and email messages. Once the data is collected, it's compressed into a .zip archive that can then be exfiltrated by either MgBot or another proprietary backdoor called Nightdoor.

**Chinese APT Hones Cyberespionage Arsenal**

Evasive Panda (aka Bronze Highland, Daggerfly, or StormBamboo) is an advanced persistent threat (APT) that's been operating since at least 2012, focused mainly on cyber espionage against civil society targets.

These include "independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China," ESET researchers noted. "At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea." It has also been seen targeting a handful of victims in Nigeria.

The Chinese APT is known for consistently evolving its cyberattack techniques, but the latest iteration is notable in its sophistication, the researchers wrote.

Related:SoftwareOne Launches Cloud Competency Centre in Malaysia

According to ESET, "The professional design behind the CloudScout framework … demonstrates Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

In the latest attack against ISPs, second-largest French provider Free fell victim to unknown cyberattackers who attempted to sell the compromised data it stole from the company on an underground cybercrime forum.

Source: Timon Schneider via Alamy Stock Photo

Free, a French telecommunications company and the second largest Internet service provider (ISP) in the country, has disclosed a cyberattack it fell a victim to over the weekend. It's the latest in a line of attacks against ISPs and telcos of late.

A threat actor stole information from the company's internal management tool, gathering data on the company's subscribers, and attempted to sell the data on the Dark Web in a cybercrime forum, the ISP confirmed to Agence France-Presse (AFP) on Oct. 26.

The hacker, known as "drussellx," posted a message on the forum, putting two databases stolen from the ISP company up for auction. The databases reportedly contained information on more than 19 million customer accounts, and more than 5 million international bank account details.

The bad actors gained "unauthorized access to some of the personal data associated with the accounts of certain subscribers," according to Free, which has more than 22 million mobile and fixed subscribers. However, it stressed that no passwords, bank-card information, emails, SMSs, or voicemails were compromised, and that its services were not been impacted.

Internet service provider networks are increasingly being targeted by bad actors in attacks to steal data and set up base for new tactics and techniques. Take advanced persistent threat (APT) Salt Typhoon, for example, which has been targeting these networks in the US, likely due to the information they can garner, such as home addresses, billing information, SMSs, and more.

Another APT group, known as Evasive Panda (aka StormBambaoo and DaggerFly), also targets ISPs, using them as a launchpad to exploit software vendor update mechanisms by using DNS poisoning.

Now, in the wake of its own ISP attack, Free reports that it soon will be informing impacted customers via email regarding the breach. It has also filed a criminal complaint and informed France's National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI).

Source

DARKReading