BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company's Remote Support SaaS instances by making use of a compromised API key.
The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged

BeyondTrust Zero-Day Breach Exposed 17 SaaS Customers via Compromised API Key

Now we know exactly how DeepSeek was designed to work, and we may even have a clue toward its highly publicized scandal with OpenAI.

Source: mundissima via Alamy Stock Photo

Researchers have tricked DeepSeek, the Chinese generative AI (GenAI) that debuted earlier this month to a whirlwind of publicity and user adoption, into revealing the instructions that define how it operates.

DeepSeek, the new "it girl" in GenAI, was trained at a fractional cost of existing offerings, and as such has sparked competitive alarm across Silicon Valley. This has led to claims of intellectual property theft from OpenAI, and the loss of billions in market cap for AI chipmaker Nvidia. Naturally, security researchers have begun scrutinizing DeepSeek as well, analyzing if what's under the hood is beneficent or evil, or a mix of both. And analysts at Wallarm just made significant progress on this front by jailbreaking it.

In the process, they revealed its entire system prompt, i.e., a hidden set of instructions, written in plain language, that dictates the behavior and limitations of an AI system. They also may have induced DeepSeek to admit to rumors that it was trained using technology developed by OpenAI.

**DeepSeek's System Prompt**

Wallarm informed DeepSeek about its jailbreak, and DeepSeek has since fixed the issue. For fear that the same tricks might work against other popular large language models (LLMs), however, the researchers have chosen to keep the technical details under wraps.

Related:Code-Scanning Tool's License at Heart of Security Breakup

"It definitely required some coding, but it's not like an exploit where you send a bunch of binary data \[in the form of a\] virus, and then it's hacked," explains Ivan Novikov, CEO of Wallarm. "Essentially, we kind of convinced the model to respond \[to prompts with certain biases\], and because of that, the model breaks some kinds of internal controls."

By breaking its controls, the researchers were able to extract DeepSeek's entire system prompt, word for word. And for a sense of how its character compares to other popular models, it fed that text into OpenAI's GPT-4o and asked it to do a comparison. Overall, GPT-4o claimed to be less restrictive and more creative when it comes to potentially sensitive content.

"OpenAI's prompt allows more critical thinking, open discussion, and nuanced debate while still ensuring user safety," the chatbot claimed, where "DeepSeek’s prompt is likely more rigid, avoids controversial discussions, and emphasizes neutrality to the point of censorship."

While the researchers were poking around in its kishkes, they also came across one other interesting discovery. In its jailbroken state, the model seemed to indicate that it may have received transferred knowledge from OpenAI models. The researchers made note of this finding, but stopped short of labeling it any kind of proof of IP theft.

Related:OAuth Flaw Exposed Millions of Airline Users to Account Takeovers

"\[We were\] not retraining or poisoning its answers — this is what we got from a very plain response after the jailbreak. However, the fact of the jailbreak itself doesn't definitely give us enough of an indication that it's ground truth," Novikov cautions. This subject has been particularly sensitive ever since Jan. 29, when OpenAI — which trained its models on unlicensed, copyrighted data from around the Web — made the aforementioned claim that DeepSeek used OpenAI technology to train its own models without permission.

Source: Wallarm

**DeepSeek's Week to Remember**

DeepSeek has had a whirlwind ride since its worldwide release on Jan. 15. In two weeks on the market, it reached 2 million downloads. Its popularity, capabilities, and low cost of development triggered a conniption in Silicon Valley, and panic on Wall Street. It contributed to a 3.4% drop in the Nasdaq Composite on Jan. 27, led by a $600 billion wipeout in Nvidia stock — the largest single-day decline for any company in market history.

Then, right on cue, given its suddenly high profile, DeepSeek suffered a wave of distributed denial of service (DDoS) traffic. Chinese cybersecurity firm XLab found that the attacks began back on Jan. 3, and originated from thousands of IP addresses spread across the US, Singapore, the Netherlands, Germany, and China itself. 

Related:Spectral Capital Files Quantum Cybersecurity Patent

An anonymous expert told the Global Times when they began that "at first, the attacks were SSDP and NTP reflection amplification attacks. On Tuesday, a large number of HTTP proxy attacks were added. Then early this morning, botnets were observed to have joined the fray. This means that the attacks on DeepSeek have been escalating, with an increasing variety of methods, making defense increasingly difficult and the security challenges faced by DeepSeek more severe."

To stem the tide, the company put a temporary hold on new accounts registered without a Chinese phone number.

On Jan. 28, while fending off cyberattacks, the company released an upgraded Pro version of its AI model. The following day, Wiz researchers discovered a DeepSeek database exposing chat histories, secret keys, application programming interface (API) secrets, and more on the open Web.

Elsewhere on Jan. 31, Enkyrpt AI published findings that reveal deeper, meaningful issues with DeepSeek's outputs. Following its testing, it deemed the Chinese chatbot three times more biased than Claud-3 Opus, four times more toxic than GPT-4o, and 11 times as likely to generate harmful outputs as OpenAI's O1. It's also more inclined than most to generate insecure code, and produce dangerous information pertaining to chemical, biological, radiological, and nuclear agents.

Yet despite its shortcomings, "It's an engineering marvel to me, personally," says Sahil Agarwal, CEO of Enkrypt AI. "I think the fact that it's open source also speaks highly. They want the community to contribute, and be able to utilize these innovations. I think that's why a lot of closed-source model providers are sort of scared."

He adds, too, that "there are other models that are worse than DeepSeek. It's just that DeepSeek is so much in the news, so it has a lot of eyes on it."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

DeepSeek Jailbreak Reveals Its Entire System Prompt

The ABB Cylon FLXeon (BACnet) controller suffers from an unauthenticated remote code execution vulnerability with root privileges. Input passed through the login.js script for the password JSON parameter allows out-of-band command injection.

Title: ABB Cylon FLXeon 9.3.4 (login.js) Unauthenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5907  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 31.01.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon (BACnet) controller suffers from an unauthenticated remote code execution vulnerability with root privileges. Input passed through the login.js script for the password JSON parameter allows out-of-band command injection.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[31.01.2025\] Coordinated public security advisory released.

**PoC**

flxeon.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://library.e.abb.com/public/ABB\_Cylon\_Bulletin\_0546\_FBVi\_FBTi\_FBXi\_CBXi\_Firmware\_v9.3.5.pdf  
\[3\] https://www.cve.org/CVERecord?id=CVE-2024-48841

**Changelog**

\[31.01.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (login.js) Unauthenticated Root Remote Code Execution

The CHC remains operational, but a host of personal data is now in the hands of a "skilled cybercriminal," it said.

Source: Panther Media via Alamy Stock Photo

NEWS BRIEF

Nonprofit healthcare provider Community Health Center (CHC) has begun notifying more than a million patients of a breach that compromised its data.

This is the third healthcare institution to be targeted in the past week. Frederick Health and the New York Blood Center Enterprises were both targeted in separate ransomware attacks that it alerted the public to on Jan. 27 and Jan. 29, respectively. 

It remains unclear who is behind the heists, and whether there is any connection between the attacks.

In a letter to victims from CHC, it reports that it noticed unusual activity on its computer systems on Jan. 2. It then launched an investigation and bolstered its security systems alongside cybersecurity experts. The investigation determined that a "skilled criminal hacker" was able to gain access to its systems and steal data, including some of the personal information of its patients. That includes names, dates of birth, addresses, phone numbers, emails, diagnoses, treatment details, test results, Social Security numbers, and health insurance information.

"Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal's activity did not affect our daily operations," the CHC wrote in its letter. "We believe we stopped the criminal hacker's access within hours, and that there is no current threat to our systems."

"Incidents in this sector underscore the ongoing risks healthcare providers face, with attackers gaining access to sensitive data like names, medical diagnoses, and insurance details," Emily Phelps, director of Cyware, wrote in an emailed statement to Dark Reading. "This incident highlights the urgency of securing healthcare infrastructures — protecting not just patient data, but the broader ecosystem of communication, collaboration, and care delivery."

Though there is currently no sign that the information was misused, the CHC is offering free identity theft protection through IDX including two years of credit and CyberScan monitoring, $1,000,000 insurance reimbursement policy, and assistance recovering stolen identities. 

The letter provides additional information regarding how customers can sign up for IDX protection services, which the CHC urges individuals to take advantage of, even if there is no current sign of foul play regarding their stolen information, as it remains unclear what the threat actor intends to do with the stolen data.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Community Health Center Data Breach Affects 1M Patients

The "Cracked" and "Nulled" Dark Web sites are now offline, along with the Pakistani "Saim Raza" network of underground forums (aka HeartSender).

Source: Britpix via Alamy Stock Photo

The US Department of Justice Department (DoJ) has partnered with international law enforcement to crack down on Dark Web cybercrime forums, with a pair of operations that disrupted underground markets linked to attacks on millions of victims globally. It's unclear what the long-term effects of the efforts will be, however.

In the first action, the DoJ, in coordination with the Dutch National Police, seized 39 domains operated by a Pakistani group known as Saim Raza (aka HeartSender).

According to a DoJ announcement on Jan. 31, Saim Raza has been operating since 2020, slinging phishing kits and fraud tools to the highest bidder across a network of underground sites. The cybercriminals buying the tools are responsible for global business email compromise (BEC) attacks and other nefarious scams, including against victims in the US who were collectively swindled out of $3 million.

"Not only did Saim Raza make these tools widely available on the open Internet, it also trained end users on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise," the agency said in its announcement. "The group also advertised its tools as 'fully undetectable' by antispam software."

Related:7 Tips for Strategically Saying 'No' in Cybersecurity

**"Cracked" & "Nulled" Dark Web Markets Are … Cracked & Nulled**

In a separate action, the DoJ participated in "Operation Talent," a Europol-backed international operation that disrupted the Cracked and Nulled Dark Web marketplaces. Together, the forums have been linked to cybercrimes against at least 17 million US victims.

According to the DoJ, the Cracked marketplace emerged in 2018, boasted 4 million users, made $4 million in revenue, and hosted more than 28 million cybercrime ads over the course of its reign.

Reflective of its name, one service on offer on the Cracked forum gave users a password search tool to find stolen credentials for millions of accounts and services. In one case, a stalker allegedly sextorted and harassed a woman in the Buffalo, NY, area after using the service to break into one of her accounts and access sensitive materials.

The Nulled website domain seizure meanwhile came in tandem with the unsealing of charges against one of its administrators, Lucas Sohn, an Argentinian national living in Spain. Nulled had been around since 2016, had 5 million users, raked in $1 million per year, and listed more than 43 million ads.

Nulled specialized in selling stolen login credentials, stolen identification documents, and hacking tools, according to the DoJ. If convicted, Sohn faces a maximum penalty of five years in prison for conspiracy to traffic in passwords, 10 years in prison for access device fraud, and 15 years in prison for identity fraud.

Related:IT-Harvest Launches HarvestIQ.ai

**Law Enforcement Takedowns: Do They Deter Cybercrime?**

The actions are just the latest in a flurry of efforts by US law enforcement to take down the infrastructure that powers cybercrime.

Just last week for example, the DoJ announced a partial disruption of North Korea's tech worker scam efforts. And in January, it wrapped up an eradication effort against the notorious PlugX malware. Other recent operations have included arresting actors behind the LockBit ransomware gang and teenaged members of Scattered Spider.

However, law-enforcement disruptions can be a game of whack-a-mole, with new threats popping up, or old ones re-emerging or taking a different shape, in the wake of takedowns. For instance, just two weeks after the DoJ shuttered the infamous BreachForums cybercrime forum last May, it sprang back to life with listings for Ticketmaster breach data. Fast forward several months, and the site is back to enjoying high-traffic status, with cybercriminals using it as a go-to for offering data breach information for sale.

Related:MITRE's Latest ATT&CK Simulations Tackle Cloud Defenses

"Arrests can cause actors to move away from a code base or campaigns that were formerly a notable threat," explains Ken Dunham, cyber threat director at Qualys Threat Research Unit. "In other situations, actors adapt, like cockroaches that simply move to another room when you move the couch, when pressure is applied, taking on new codes and tactics to further nefarious means and motives."

It's important to offer a full-court press against the most virulent threats to have even a scintilla of hope to root them out entirely, according to Derek Manky, global vice president of threat intelligence at Fortinet.

"Turning the tide against cybercrime necessitates a culture of collaboration, transparency, and accountability on a larger scale," he explains. "No single organization can effectively stop cybercrime alone. Public-private partnerships can influence the disruption of large-scale cybercrime activities, leading to a safer, more resilient society. Every organization has a place in the chain of disruption against cyberthreats."

Taken on their own though, it's useful to think of the disruption efforts as an important thorn in cybercriminals' sides, at the very least.

"Historically attackers can more easily obtain information and tools than defenders, giving them a perpetual advantage," Evan Dornbush, former National Security Agency (NSA) cybersecurity expert, said in an emailed statement. "Actions like this make it more expensive for cyber criminals to operate, and ultimately this is a good thing. Lesser players who rely on purchasing tools and network access from these two marketplaces won't be able to get started, raising the barrier to entry for their criminal enterprise aspirations."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DoJ Shutters Cybercrime Forums Behind Attacks on 17M Americans

Global law enforcement seizes 12 domains including Sellix, Cracked and Nulled, €300,000 in cash and cryptocurrencies, and multiple…

Global law enforcement seizes 12 domains including Sellix, Cracked and Nulled, €300,000 in cash and cryptocurrencies, and multiple servers in a coordinated raid targeting cybercrime networks.

As reported by Hackread.com on January 29, 2025, a significant international law enforcement operation, dubbed Operation Talent, disrupted two notorious online cybercrime marketplaces, dealing a blow to the facilitators of digital illicit activities.

The operation, involving agencies from the United States, Romania, Australia, France, Germany, Spain, Italy, and Greece, targeted the notorious platforms Cracked and Nulled, which served as central marketplaces for trading stolen credentials, hacking tools, and other cybercrime activities. 

Now, the Justice Department’s press release has confirmed the seizure, highlighting the central role of the FBI in the investigation. Working with international partners, the FBI identified the servers hosting these marketplaces and the individuals operating them. In the case of Nulled, the Justice Department unsealed charges against an administrator, Lucas Sohn, for his alleged involvement in the platform’s operations.

Seizure notice on Nulled.to, Cracked.to, and Sellix.io (Screenshot credit: Hackread.com)

Executed between January 28th and 30th, Operation Talent resulted in arresting of two individuals in Spain, searches of seven properties, and the seizure of seventeen servers, more than fifty electronic devices, and approximately 300,000 euros in cash and cryptocurrencies. Twelve domains associated with Cracked and Nulled were seized, effectively shutting down these platforms.

Furthermore, related services, including Sellix, a financial processing service used by Cracked, and StarkRDP, a hosting service promoted on both platforms and operated by the same individuals, were also taken offline.

The scope of the operation is substantial, with Cracked alone boasting over four million users and listing more than 28 million posts advertising cybercrime tools and stolen information. Nulled, had over five million users and listed over 43 million posts advertising similar illicit goods and services.

Beyond mere discussions and knowledge sharing, Cracked and Nulled facilitated a “cybercrime-as-a-service” model where users could acquire stolen data, malicious software, hacking tools, and various other resources necessary to carry out cyberattacks. Investigators estimate that the criminal proceeds generated through these platforms amounted to at least one million euros.

Cracked reportedly generated approximately $4 million in revenue and impacted at least 17 million victims in the United States, according to the Justice Department. One particularly concerning product advertised on Cracked offered access to “billions of leaked websites,” enabling users to search for stolen login credentials.

The Justice Department highlighted a case in the Western District of New York where this tool was allegedly used for cyberstalking and harassment, demonstrating the real-world harm these marketplaces facilitate.

Operating since 2016, Nulled generated approximately $1 million in yearly revenue, offering stolen login credentials, identification documents, and hacking tools. A disturbing example cited by the Justice Department is a product advertised on Nulled that purportedly contained the names and social security numbers of 500,000 American citizens.

The crackdown on Cracked and Nulled marks a significant victory over cybercriminals. Operation Talent’s collaborative nature demonstrates the fruitfulness of international cooperation in combating cybercrime, and their commitment to holding cybercriminals accountable regardless of their location.

Operation Talent: Two Arrested as Authorities Dismantle Cracked and Nulled

The FBI and authorities in The Netherlands this week seized a number of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname "The Manipulaters," have been the subject of three stories published here since 2015. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party.

The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname “**The Manipulaters**,” have been the subject of three stories published here since 2015. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party.

One of several current Fudtools sites run by the principals of The Manipulators.

On January 29, the FBI and the Dutch national police seized the technical infrastructure for a cybercrime service marketed under the brands **Heartsender**, **Fudpage** and **Fudtools** (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

The Dutch authorities said 39 servers and domains abroad were seized, and that the servers contained millions of records from victims worldwide — including at least 100,000 records pertaining to Dutch citizens.

A statement from the **U.S. Department of Justice** refers to the cybercrime group as **Saim Raza**, after a pseudonym The Manipulaters communally used to promote their spam, malware and phishing services on social media.

“The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages and email extractors often used to build and maintain fraud operations,” the DOJ explained.

The core Manipulaters product is **Heartsender**, a spam delivery service whose homepage openly advertised phishing kits targeting users of various Internet companies, including **Microsoft 365**, **Yahoo**, **AOL**, **Intuit**, **iCloud** and **ID.me**, to name a few.

The government says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.

“Those payments would instead be redirected to a financial account the perpetrators controlled, resulting in significant losses to victims,” the DOJ wrote. “These tools were also used to acquire victim user credentials and utilize those credentials to further these fraudulent schemes. The seizure of these domains is intended to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community.”

Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold via Heartsender. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed and accessible as long as possible. Image: DomainTools.

KrebsOnSecurity first wrote about The Manipulaters in May 2015, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.

We caught up with The Manipulaters again in 2021, with a story that found the core employees had started a web coding company in Lahore called **WeCodeSolutions** — presumably as a way to account for their considerable Heartsender income. That piece examined how WeCodeSolutions employees had all doxed themselves on Facebook by posting pictures from company parties each year featuring a large cake with the words **FudCo** written in icing.

A follow-up story last year about The Manipulaters prompted messages from various WeCodeSolutions employees who pleaded with this publication to remove stories about them. The Saim Raza identity told KrebsOnSecurity they were recently released from jail after being arrested and charged by local police, although they declined to elaborate on the charges.

The Manipulaters never seemed to care much about protecting their own identities, so it’s not surprising that they were unable or unwilling to protect their own customers. In an analysis released last year, **DomainTools.com** found the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees.

Almost every year since their founding, The Manipulaters have posted a picture of a FudCo cake from a company party celebrating its anniversary.

DomainTools also uncovered evidence that the computers used by The Manipulaters were all infected with the same password-stealing malware, and that vast numbers of credentials were stolen from the group and sold online.

“Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement,” DomainTools wrote. “The data table ‘User Feedbacks’ (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain.”

Police in The Netherlands said the investigation into the owners and customers of the service is ongoing.

“The Cybercrime Team is on the trail of a number of buyers of the tools,” the Dutch national police said. “Presumably, these buyers also include Dutch nationals. The investigation into the makers and buyers of this phishing software has not yet been completed with the seizure of the servers and domains.”

U.S. authorities this week also joined law enforcement in Australia, France, Greece, Italy, Romania and Spain in seizing a number of domains for several long-running cybercrime forums and services, including **Cracked** and **Nulled**. According to a statement from the European police agency **Europol**, the two communities attracted more than 10 million users in total.

Other domains seized as part of “**Operation Talent**” included **Sellix**, an e-commerce platform that was frequently used by cybercrime forum members to buy and sell illicit goods and services.

FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang

The deal, expected to close this quarter, will give Tenable One Exposure Management much-needed integration with over 100 third-party security tools and platforms.

Source: Maxiphoto via iStock Photo

Tenable is poised to fill significant gaps in its exposure management platform with its agreement to acquire Vulcan Cyber.

Tenable said it was the first vendor to add exposure management to its vulnerability management platform when it launched the Tenable One Exposure Management Platform in 2022. However, Tenable's exposure management has lacked the ability to share telemetry with IT and security tools from other vendors. This is where Vulcan Cyber's exposure management offering, which can integrate with more than 100 third-party security tools, can make a difference for Tenable.

"This will give organizations the ability to have insights across the attack surface, not just what you point at Tenable but also that third-party data," says Tenable senior VP of products Jason Merrick. "At the end of the day, our focus here is helping organizations move as they're progressing from vulnerability management to exposure management and then gaining that context where they can make better decisions."

**Adding Exposure Management to Vulnerability Management**

Unlike vulnerability management offerings that are designed to discover, assess, prioritize, and mitigate threats in IT assets, exposure management considers an organization's cybersecurity posture and performs risk assessment.

Several Tenable rivals also offer exposure management as part of their product portfolios. For example, CrowdStrike added Exposure Management to its Falcon XDR platform in 2023, and Microsoft recently added exposure management to Microsoft Defender, which notably includes third-party connectors. On the same day Tenable announced its Vulcan Cyber plans, exposure management platform provider CYE acquired Solvo.

Omdia analyst Andrew Braunberg believes Vulcan Cyber will bring needed features to Tenable One that its rivals are now touting.

"While Tenable has been talking about exposure management for as long as anyone, it still often has the feel of an old legacy vulnerability management company," Braunberg says. "Vulcan has always seen exposure management as where the market was headed and has taken an impressively open approach to pulling in asset and exposure data and working to broadly support remediation, orchestration, and automation."

Tenable's Merrick acknowledges that Microsoft's licensing model with its M365 E3 and E5 plans give Microsoft an advantage.

"They can throw a lot of free stuff at this, and there are many organizations that are Microsoft-only shops," he says. "CrowdStrike, too, is growing and expanding. But I also think that this is an opportunity for Tenable to differentiate, to continue being that source of truth, to provide better analytic capability, and to tie these things together. Because at the end of the day, this forces us, from a product standpoint, to continue to innovate and deliver new capabilities."

Organizations are only beginning to expand their focus on vulnerability management to include exposure management, Merrick adds.

"I think we're in the first inning of exposure management," he says. "More and more, organizations are starting to talk about this."

The deal, announced on Wednesday, calls for Tenable to pay $147 million in cash and $3 million in restricted stock to Vulcan Cyber. While Merrick is unable to discuss specific integration plans before the deal closes, which the company anticipates will take place this quarter, the 100-plus connectors to third-party systems were a key impetus for the deal.

"We have always been envisioning being able to ingest third-party data into our exposure management platform like we've done with our vulnerability management solution," he says. "We've already built the data model specifically to accept and bring in third-party data. So we want to be able to go and fast-track that. Once we close, this is going to be the big focus for us in 2025."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Tenable to Acquire Vulcan Cyber to Boost Exposure Management Focus

Nine application security toolmakers band together to fork the popular Semgrep code-scanning project, touching off a controversy over access to features and fairness.

Source: TippaPatt via Shutterstock

A group of nine application security service providers announced they would "fork" the popular code-scanning project Semgrep, creating a new codebase, after a series of moves by the eponymous startup made it more difficult for the firms to use the open source software in their own products.

The companies — Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security — embarked on the initiative after Semgrep announced it had moved some capabilities of its open source engine into the startup's paid version. Dubbed Opengrep, the new project remains under the same license as the Semgrep Community Edition — the Lesser GNU Public License (LGPL) — but will restore advanced features and the ability to export data in JSON and SARIF formats, as well as create an open source database of rules.

The Opengrep initiative is intended to create a neutral open source project that is not owned by a single company and can be improved to suit the needs of enterprise users and the group of companies behind the project, says Varun Badhwar, CEO and co-founder of software supply chain security firm Endor Labs, one of the companies sponsoring Opengrep.

"We are all collectively funding this right now, but once we stabilize the project, our goal is to turn it over to the right community ... we don't want to — as vendors — own this long term," he says. "This is an interim step for us — to create something that is owned by multiple parties and not a single vendor \[that\] can overnight decide to make a change."

The triggering event for the open source split came on Dec. 13, when Semgrep outlined changes it had made to seemingly small — but nevertheless important — features. The company sought to further delineate its Pro version from the open source project by renaming the latter to the "Community Edition," clarifying that the license allowed only internal use of its ruleset and removing the ability of the Community Edition to export certain fields in common output formats, such as JSON and the Static Analysis Results Interchange Format (SARIF).

Essentially, the firm has pursued an open core model, where the core engine is made public using an open source license, but more advanced features are made proprietary.

"I feel that we've clarified what belongs in a Unix-style, open source tool for security practitioners versus what makes sense in a commercial platform," says Luke O'Malley, chief product officer and founder at Semgrep. "Features like platform-focused fingerprinting go beyond CE's core mission. As maintainers, we ask ourselves: Would the majority of the community see this as fair? That principle broadly guides what stays in CE and what is in our commercial offering."

**Freeloading and a Growing Gap**

The creation of the Opengrep project has created a kerfuffle among some application security specialists, with some criticizing the companies for forking, rather than financing, Semgrep's open source core. In many ways, it's part of a playbook where venture-backed companies use an open source project to launch their own products, argued application security specialist Mark Curphey, in a Jan. 29 column.

"\[W\]hy on earth would anyone fork a successful open-source security project with a vibrant community?," he said. "There are a lot of free-loaders in the world of software, companies who build on other peoples hard work, and that don't fairly contribute back to the projects that they are making money off. It's perfectly legal as long as they stay within the license terms, and sadly a fact of life."

He pointed to another application security project — the open source Zed Attack Proxy (ZAP) used for dynamic application security testing (DAST) — which suffered similar commercial issues during its development, struggling to fund the maintainers of the project, even though "over a dozen commercial DAST services" used the open source codebase as the basis of their products. Application security firm Checkmarx ended up hiring all three ZAP maintainers and committed to funding the project, which formed the foundation of its own DAST solution.

In Curphey's mind, Semgrep's efforts have been taken advantage of.

"I think open source funding is incredibly complex, but this doesn't feel right, and it feels hypocritical to me for these companies to be doing this," he told Dark Reading in an interview.

**More Features for Opengrep?**

Endor Labs' Badhwar, however, argues that Opengrep will be a more feature-rich version of the code-scanning engine because Semgrep had slowly created a gap between its professional AppSec Platform and its open source engine — a common practice among companies that create open core technologies.

The creation of the Community Edition and the removal of some "experimental" features that the Opengrep companies considered valuable caused alarm among the commercial vendors who used the Semgrep engine as part of their service offerings, says Badhwar.

"There are several examples where the community tried to contribute things that would close the gaps in the open source version of Semgrep ... that the maintainers of the engine were choosing not to necessarily accept and include," he says. "I think it was becoming very clear ... that Semgrep's biggest competitor was their own open source engine, and so they were trying to create a bigger gap."

Opengrep has already financed two software engineers to work on the project and will discuss a road map during a Feb. 20 meeting.

This tension has played out with other open source projects as well. The open source search engine Elasticsearch, for example, had been developed as an open core project, but Elastic shifted the license in January 2021 to restrict managed service providers from using the software as the basis of their services. The same month, a group of Amazon Web Services engineers created a fork, OpenSearch, to give the community the ability to use an open version.

In Semgrep's case, founder O'Malley argues that the company has an incentive to keep the Community Edition well-maintained and strong, while the Opengrep team has not demonstrated their product will be an improvement. Two parallel projects is never ideal, he says.

"Multiple forks can create confusion, making it harder for individuals to know where to contribute and what’s actively maintained," O'Malley says. "That’s always a risk with fragmentation in open source. Our priority is keeping Semgrep CE strong, well-maintained, and growing. Developers and security engineers relying on it should feel confident that we're committed to its long-term success and a thriving ecosystem."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Code-Scanning Tool's License at Heart of Security Breakup

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing…

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing kits and other tools caused millions in losses and impacted countless victims.

U.S. and Dutch law enforcement have taken down a major Pakistani cybercrime network known as HeartSender, or Saim Raza. The takedown was part of Operation Heart Blocker in which authorities seized multiple domains and servers used by the group including Heartsender(.)com and Botsdetector(.)com.

Visitors to these sites are greeted with the following message: “This domain has been seized in accordance with a seizure warrant issued pursuant to 18 U.S.C. § 1030 in the United States District Court for the Southern District of Texas as part of a coordinated law enforcement operation and action by: The U.S. Department of Justice’s Computer Crime & Intellectual Property Section, the Federal Bureau of Investigation, and the Dutch National Police.”

Screenshot credit: Hackread.com

This takedown closely follows another international law enforcement action dubbed Operation Talent resulting in the seizure of two major online cybercrime-as-a-service marketplaces, Cracked and Nulled.

HeartSender specialized in developing and distributing cybercrime tools, including phishing kits for deceptive emails, credential-stealing software, and resources for large-scale spam campaigns. These tools were sold to other cybercriminals, enabling them to carry out a range of attacks. 

The US Department of Justice states that these tools are estimated to have caused over $3 million in losses to victims.  Furthermore, the seizure of HeartSender’s servers yielded millions of records containing sensitive information belonging to their victims.

HeartSender ran multiple online storefronts and used platforms like YouTube to promote its malicious products. The network specialized in offering a full suite of cybercrime tools, enabling criminals to automate and scale large-scale attacks worldwide. HeartSender also provided access to other compromised resources, such as cPanels, SMTP servers, and WordPress accounts, further expanding the scope of their illicit services.

Screenshot from HeartSender’s store – Credit: Hackread.com

The investigation leading to the takedown uncovered a vast trove of stolen data, including millions of victim records. Among them were around 100,000 login credentials belonging to individuals in the Netherlands, highlighting the widespread reach of HeartSender’s cybercrime operations.

Apart from law enforcement, HeartSender has been on the radar of cybersecurity researchers for years. Independent journalist Brian Krebs previously reported on the group’s operational security shortcomings, including malware infections within their own network and significant security vulnerabilities in their services. These vulnerabilities reportedly exposed customer data and internal operations to unauthorized access. 

Krebs notes that the group was called The Manipulators. Krebs reveals that Saim Raza “for the past decade has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” “FudCo,” etc.” Here FUD stands for Fully Un-Detectable.

The dismantling of HeartSender represents yet another victory in the ongoing fight against cybercrime, disrupting a key source of malicious tools and potentially preventing further harm to countless individuals and organizations.

Tag

#auth