We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.

Audra Streetman, Senior Threat Intelligence Analyst, Splunk

December 9, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The work of cybersecurity defenders continues to evolve. The sheer amount of software and applications within an organization's IT environment has increased the attack surface and, consequently, the number of vulnerabilities. According to the Verizon "2024 Data Breach Investigations Report," "14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year's report."

With vulnerability exploitation increasing, prioritization can be difficult and time-consuming if you don't have a clear plan. The consequences of large-scale incidents, such as Log4j and the MOVEit breach, have had lasting impacts on the cybersecurity world. However, cybersecurity defenders can learn from these experiences.

**Key Considerations for Vulnerability Evaluation**

The first step in vulnerability evaluation mirrors the basics of reading comprehension: understanding the who, what, when, where, and why:

Who: Who is discussing vulnerabilities? Pay attention to peers, industry experts, and government advisories. Know that vulnerability discourse on social media and online forums may include fear-mongering and hyperbole. 

What: After identifying a vulnerability, analyze its exploitability. Determine if it is exploitable over a network or requires local access, or if exploit code is public. 

When: Timing is crucial. Know when the vulnerability was disclosed and if it has been exploited in the wild.

Where: Know where the vulnerability exists in your environment, which can influence the impact of exploitation. Check if it appears in a software bill of materials (SBOM) or a vendor advisory, as this can direct your remediation efforts.

If a patch is available, determine if it will cause downtime and if you are bound by a service-level agreement. If you opt to not patch, or if a patch is not available, research mitigation guidance to minimize risk.

Why: Understand how the vulnerability aligns with recent trends in adversary behavior. Also, Common Vulnerability scores and Exploit Prediction scores can inform prioritization, but should not be relied upon as the only factor when evaluating vulnerabilities.

**Learning From Large-Scale Incidents****MOVEit **

A great way to combat vulnerabilities is to learn from the past. For example, when the MOVEit Transfer vulnerability emerged in 2023, there were early signs pointing to the potential for mass exploitation. The cybercriminal group behind the breach was known to target vulnerabilities in file transfer software for spray-and-pray attacks that relied on data exfiltration without encryption to reach more victims. Ultimately, more than 2,700 organizations and 95.8 million people were impacted by the breach, according to cybersecurity firm Emsisoft, teaching the cybersecurity world three things:

1.  Adversary behavior can influence the likelihood of exploitation. A critical vulnerability in a file transfer appliance carried additional urgency in 2023 because of the strategies employed by cybercriminals. 
    
2.  Zero-day vulnerabilities with low attack complexity are a higher priority. Attacks began days before the MOVEit vulnerability was publicly disclosed and one attack vector allowed data exfiltration directly from the MOVEit application. One caveat here is that not all zero-day vulnerabilities are a high priority; there are other factors to consider, such as attack complexity. 
    
3.  Vulnerabilities with cascading effects on the supply chain are critical priorities. Some organizations were impacted by the breach because their vendor's contractor's subcontractor used MOVEit Transfer.
    

**Log4j**

The 2021 Log4j incident highlights the challenges with identifying vulnerable software components in your environment. This vulnerability was a high priority for several reasons:

1.  It was remotely exploitable.
    
2.  It was publicly disclosed before a fix was available.
    
3.  Exploit code circulated online.
    
4.  Because the Log4j library was popular among Java developers, it was embedded into thousands of software packages and integrated into millions of systems worldwide. 
    

Many organizations struggled to identify where Log4j was present in their environment, as these open source components aren't always readily listed. Accurate asset inventories and widespread SBOM adoption — which is essentially an ingredients list of software components — can go a long way in improving how organizations identify and respond to future vulnerabilities. 

**Knowing the Score With Vulnerabilities**

Cybersecurity defenders have at their disposal a number of vulnerability databases and scoring frameworks, such as the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As organizations mature and refine their vulnerability management program, they can begin to implement additional steps, such as continuous monitoring, automation, and the integration of vulnerability management tools with configuration management databases (CMDBs) to improve detection and remediation.

In the future, we may see software suppliers adopt a secure-by-design philosophy that takes greater ownership of customer security outcomes. This could be influenced by future regulations, heightened liability for security executives, and the loss of customer trust. We may also see new use cases for emerging technologies, like machine learning and artificial intelligence, to help speed up and guide the vulnerability prioritization process, while maintaining a human-in-the-loop approach. In the meantime, we can anticipate a growing number of emerging vulnerabilities, emphasizing the need for an effective prioritization strategy.

**About the Author**

Senior Threat Intelligence Analyst, Splunk

Audra Streetman is an active member of Splunk's global security team and previously contributed to Splunk's SURGe research team. Before arriving at Splunk, Audra worked as a reporter, producer, and news anchor at local TV stations in Indiana, California, Kentucky, and Colorado. Audra produced and co-hosted a podcast called The Security Detail, which examined the cyber threat landscape in different industries. Audra is a member of the GIAC Advisory Board and has several certifications, including GDAT, GCTI, Security+, Linux+, Network+, AWS Cloud Practitioner, and Splunk Enterprise Certified Admin.

Large-Scale Incidents &amp; the Art of Vulnerability Prioritization

Details have emerged about a now-patched security flaw in the DeepSeek artificial intelligence (AI) chatbot that, if successfully exploited, could permit a bad actor to take control of a victim's account by means of a prompt injection attack.
Security researcher Johann Rehberger, who has chronicled many a prompt injection attack targeting various AI tools, found that providing the input "Print

Researchers Uncover Prompt Injection Vulnerabilities in DeepSeek and Claude AI

Operation Destabilise was a major international operation led by the UK's National Crime Agency (NCA) to dismantle two Russian-speaking criminal networks: Smart and TGR. These networks were backbone in laundering billions of dollars for various criminal activities.

****KEY POINTS of THIS STORY****

*   **Operation Destabilise Success**: The UK’s NCA led an international effort that dismantled two major Russian-speaking criminal networks laundering millions of dollars.

*   **Criminal Activities**: The networks funded ransomware attacks, drug trafficking, and Russian espionage, laundering over $2.3 million in ransomware payments.

*   Global Reach: These networks operated in 30 countries, using cryptocurrency and cash-for-crypto methods to fund illicit activities.

*   **Arrests and Seizures**: Authorities arrested 84 individuals, seized £20 million in cash and crypto, and imposed US sanctions on key figures.

*   **Blockchain Analysis**: The operation highlighted the critical role of blockchain tracing in combating cyber and traditional organized crime.

A joint international effort led by the UK’s National Crime Agency (NCA) has successfully disrupted two large-scale Russian-speaking criminal networks involved in laundering millions of dollars in illegal funds.

Dubbed Operation Destabilise, the investigation exposed a network of financial transactions that supported various criminal activities, including ransomware attacks, drug trafficking, and Russian espionage.

Two networks, identified as “Smart” (led by Ekaterina Zhdanova) and “TGR” (led by Rossi, Chirkinyan, and Bradens), were instrumental in facilitating the movement of illegal funds across borders, often using cryptocurrency as a primary tool.

Authorities found that between 2022 and 2023, these networks laundered over $2.3 million (£20 million) in ransomware payments made to the **Ryuk ransomware group,** provided financial support to notorious criminal organizations like the Kinahan crime syndicate known for drug and arms trafficking, and facilitated funding of Russian espionage operations, helping to bypass financial sanctions imposed on Russia.

According to the NCA’s **press release**, the network had a global reach, with operations spanning across 30 countries, including the UK, Russia, the Middle East, and South America. 

Further probing revealed the techniques employed to hide the origin of ill-gotten funds, often involving cash-for-crypto transactions. Criminal gangs used cryptocurrency to reinvest in their illegal business, buying more drugs and firearms without transferring physical money across borders. This financial service allowed these groups to continue their violent activity. 

The operation resulted in the arrest of 84 individuals and the seizure of over £20 million in cash and cryptocurrency. Additionally, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has **imposed sanctions** on four entities and five individuals associated with the TGR network. These sanctions target key figures involved in laundering money for Russian elites and cyber criminals.

The operation was a collaborative effort involving multiple international law enforcement agencies, including the UK Metropolitan Police Service, French police, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Drug Enforcement Agency (DEA), and the Federal Bureau of Investigation (FBI).

“While these organisations have sought to exploit emerging technologies such as cryptocurrency to obscure their activities, the inherent traceability of blockchain has proven invaluable in unravelling their activities that operated on a truly global scale, moving billions of dollars for a range of different threat actors,” the NCA’s head of cyber intelligence, Will Lyne, stated.

This operation has significantly disrupted the activities of various criminal organizations, including ransomware groups, drug traffickers, and Russian intelligence services. It has also exposed the complex ways in which cybercrime and traditional organized crime intersect.

1.  **Russian Court Jails Four REvil Ransomware Gang Members**
2.  **Leading French IT firm Sopra Steria hit by Ryuk ransomware**
3.  **Russian Man Extradited to US over Phobos Ransomware Attacks**
4.  **Dark Web Hydra Market Mastermind Sentenced to Life by Russia**
5.  **Hacker Wanted by FBI in Ransomware Attacks Arrested in Russia**

84 Arrested as Russian Ransomware Laundering Networks Disrupted

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence (AI) library named ultralytics were compromised to deliver a cryptocurrency miner.
The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index (PyPI) repository. A subsequently released version has introduced a security fix that "ensures

Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft Expands Access to Windows Recall AI Feature

The cybersecurity industry faces a growing crisis in attracting and retaining SOC analysts.

Source: Dragos Condrea via Alamy Stock Photo

COMMENTARY

When I began my career, the security operations center (SOC) analyst role seemed like an exciting entry point into a promising career. And for me, it was. However, the job is increasingly perceived as thankless and high-stress, filled with repetitive tasks, high stakes, and limited opportunities for professional growth. 

High turnover and talent shortages are common, so if businesses want to retain skilled analysts and appeal to the next generation of talent, the SOC role needs a serious rebrand. 

**Why SOC Roles Are Losing Their Appeal**

I won't sugarcoat it: The SOC Tier I analyst role is incredibly challenging. In a typical day, analysts receive thousands of alerts, many of which are false positives. 

This constant flood of data leaves analysts struggling to sift through the noise and focus on real threats, a task that demands both accuracy and a clear rationale for every action taken. Dismissing an alert too quickly risks missing a critical event, while escalating a low-risk alert could divert resources away from more urgent priorities. This pressure, coupled with the fear of making mistakes that could affect the team or your own credibility, often leads to burnout. The pressure, the sheer volume of alerts, and the feeling of always being under scrutiny make this role uniquely taxing.

Another significant issue I've encountered is the lack of growth opportunities. With so much time dedicated to the constant alerts, analysts rarely have time to develop new skills. Despite the extensive training and certifications many analysts bring, they're often stuck with monotonous tasks like reviewing phishing emails, limiting exposure to broader infrastructure or skills required for senior roles. 

This lack of growth and evolution leads to disengagement and, eventually, many talented analysts leave the role entirely.

**Leveraging AI and Career Development to Transform SOC Jobs**

The key to transforming the status quo for SOC analysts lies in reimagining these positions to make them more dynamic, rewarding, and sustainable. 

One solution is thoughtfully integrating AI to enhance — not replace — human expertise. By doing so, organizations can:

*   Automatically resolve false positives, allowing SOC analysts to focus on more critical, actionable alerts
    
*   Automate repetitive tasks that can be time consuming, like threat intelligence enrichment, false positive filtering, and alert triage prioritization 
    
*   Provide 24/7 monitoring to alleviate the strain of on-call shifts and cover gaps by allowing AI to investigate and escalate alerts
    
*   Triage the flood of alerts to surface only the most critical and relevant issues, empowering SOC analysts to proactively threat hunt rather than only react to alerts 
    

These applications of AI not only reduce the workload but help prevent human error, which is more likely when analysts are overwhelmed by large volumes of data. 

But AI alone doesn't fix everything. While AI can free up analysts' time by automating many entry-level tasks, businesses must then provide the appropriate structure and growth opportunities to align with these changes. 

To help SOC analysts grow and avoid stagnation, while also providing the necessary support, businesses should do the following:

*   Provide mentorship opportunities after taking steps to ensure senior analysts aren't bogged down with the same repetitive tasks as junior analysts. In many cases I found that no one on the team had bandwidth for anything beyond alert response. 
    
*   Invest in training and upskilling so analysts can perform more sophisticated tasks and advance in their careers rather than becoming pigeonholed in low-level tasks.
    
*   Implement regular evaluations to assess the well-being and development needs of SOC analysts. These evaluations are commonplace in the public sector, but I've rarely encountered them in the corporate world. 
    
*   Foster a culture of continuous improvement throughout the organization, empowering all team members to seek out new skills and opportunities.
    
*   Secure a permanent seat for security in strategic decision-making. SOC teams are often seen as blockers and are typically the last to learn about key business changes. By integrating security early, security teams can influence strategies, ensuring that protocols are built in from the start and reducing future risks.
    

**Investing in Tools, Training, and the Future of SOC Roles**

Budget constraints and organizational inertia often prevent companies from investing in the tools and training needed to make analyst roles more meaningful and sustainable. 

However, the cost of not investing is far greater — high turnover leads to gaps in security coverage, increased vulnerability to cyberattacks, lost institutional knowledge, and longer incident response times. Plus finding, hiring, and training replacements only consumes more time and resources.

The solution lies in rethinking the SOC analyst role — embracing AI to reduce stress and improve efficiency while providing better support and growth opportunities. Forward-thinking businesses that face these challenges head-on will be better equipped with the highly skilled, motivated analysts ready to tackle the threats of the future.

I want to see SOC analysts succeed. These days, I love that I'm able to help SOC analysts as a solutions engineer, working with them to implement and adopt tools to alleviate the stress and alert fatigue that can come from working in a SOC. 

Companies that fail to address these issues risk losing not only their analysts but also their security edge against attackers.

**About the Author**

Solutions Engineer, Intezer

Jessica Belt is solutions engineer at Intezer, a leading provider of AI-powered technology for autonomous security operations. With five years of experience in cybersecurity and 10 years in event coordination, Jessica brings a unique combination of technical expertise and operational excellence. In her current role as a solutions engineer, Jessica leverages her experience as a former security engineer at a security operations center (SOC) to help teams optimize their workflows and enhance their security operations. In her previous roles, Jessica specialized in vulnerability management, threat intelligence, container security, incident response, and identity security.

Why SOC Roles Need to Evolve to Attract a New Generation

SUMMARY A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year,…

****SUMMARY****

*   **Network Access**: Chinese hackers maintained access to a major U.S. company’s network for at least four months, likely stealing sensitive information, including emails.

*   **Techniques Used**: Hackers employed DLL sideloading, exploited Google and Apple software, and used tools like Impacket and FileZilla to move within the network.

*   **Targeted Data**: The attackers focused on Exchange Servers and email data, indicating a strategic intelligence-gathering operation.

*   **Attribution to Daggerfly**: Symantec linked the attack to Chinese state-sponsored groups Daggerfly and Crimson Palace, known for sophisticated cyber-espionage.
*   **Expert Insight**: Cybersecurity expert Stephen Kowski highlights the sophistication and dangers of long-term network breaches and emphasises the need for stronger email security and monitoring.

A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year, according to cybersecurity firm Symantec. The attack believed to be the work of **Chinese hackers**, allowed the attackers to maintain access to the company’s network for at least four months, likely gathering sensitive information.

This follows **October 2024’s report** in which it was revealed that China’s Salt Typhoon hacking group targeted and successfully compromised AT&T, Verizon, and Lumen, compromising wiretap systems used in criminal investigations.

Symantec’s findings indicates the hackers were active from April 11, 2024, until August, though the initial breach may have happened even earlier. During this time, hackers moved through the company’s network, gaining access to multiple computers, including **Exchange Servers**.

This suggests a primary goal of stealing email data for intelligence-gathering purposes. According to Symantec’s **blog post**, hackers employed a mix of legitimate applications and open-source tools to carry out their attacks.

From DLL-sideloading, a technique where malicious code is loaded with legitimate applications, to the exploitation of Google and Apple software were carried out for this purpose. Additionally, threat actors utilized **Impacket**, a Python-based toolkit for network protocol manipulation, and FileZilla, an FTP client, among others.

****Links to Chinese APT Groups****

Although the organization’s name is still unknown, Symantec believes that the group behind the attack is closely linked to the Chinese state-sponsored group **Daggerfly** (Daggerfly (also known as BRONZE HIGHLAND StormCloud, and Evasive Panda) and Crimson Palace.

This claim is based on the group’s repeated use of DLL sideloading in past attacks. Daggerfly is well-known for using this technique. Moreover, one of the malicious files found on a compromised system was textinputhost.dat, which has also been associated with another Chinese group, Crimson Palace. This group recently **made news** for targeting South Asian governments and stealing sensitive military secrets.

**Stephen Kowski**, a cybersecurity expert at SlashNext, told _Hackread.com_ that this attack is part of a worrying trend. Hackers are using increasingly sophisticated methods to gain long-term access to company networks, he said.

“The focus on Exchange servers and email harvesting suggests a strategic intelligence-gathering operation,” Kowski added. He emphasized the need for strong email security and continuous monitoring to detect these kinds of attacks.

1.  **GLASSBRIDGE: Google Blocks Pro-China Fake News Sites**
2.  **China’s insidious surveillance against Uyghurs with Android malware**
3.  **Muddling Meerkat Suspected of Espionage via Great Firewall of China**
4.  **Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage**
5.  **Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff**

Chinese Hackers Breach US Firm, Maintain Network Access for Months

AI-powered tools are making cybersecurity tasks easier to solve, as well as easier for the team to handle.

Security professionals say adding large language model (LLM) and generative artificial intelligence (GenAI) capabilities to security programs improves efficiency in threat detection and increases productivity of analysts, according to Dark Reading's latest research on enterprise security. Efficiency and effectiveness were recurring themes.

In Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity Survey, the top three benefits of using GenAI and LLMs in a cybersecurity program were more efficient threat detection (28%), improved analyst productivity and efficiency (27%), and better threat intelligence analysis (23%).

The promise of AI tools is enhancing the analysts' performance. Almost one-fifth (19%) of respondents said they appreciated how AI helped generate reports faster, while the same number (19%) liked how AI-infused technologies learn and adapt from new information. Fifteen percent felt the pressure lift from AI's ability to analyze security alerts to reduce false positives, while another 15% appreciated how the technology helped them discover and reduce misconfigurations.

Cybersecurity practitioners also saw value in active uses for AI, such as proactive threat hunting (16%), greater user behavior analysis (15%), improved incident response (15%), and a better security posture (11%).

There are also benefits to the business side. LLM tools can optimize resources (13%) to help make an organization's network more efficient and reduce costs (9%). Respondents also see ways GenAI can scale up their operations (12%), as well as improve cybersecurity response by supplementing the skills of the current team (12%). On the budgeting side, LLM use can reduce both the need for additional headcount (11%) and costs of operation (9%).

For more on the impact of AI and ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

LLMs Raise Efficiency, Productivity of Cybersecurity Teams

SUMMARY The machine learning-based threat-hunting system of leading threat intelligence and cybersecurity firm ReversingLabs (RL) recently detected malicious…

****SUMMARY****

*   **Malicious Package Found**: ReversingLabs uncovered _aiocpa_, a Python package targeting crypto wallets via malicious updates.

*   **Unique Attack**: Hackers built trust by publishing a legitimate-looking crypto tool before injecting harmful code.

*   **AI Detection**: ReversingLabs’ _Spectra Assure_ flagged the package using machine learning to detect hidden malicious behaviour.

*   **Action Taken**: PyPI reported, quarantined, and removed the package to stop further harm.

*   **Key Takeaways**: Regular security checks, machine learning tools, and cautious dependency management are vital to combat open-source threats.

The machine learning-based threat-hunting system of leading threat intelligence and cybersecurity firm ReversingLabs (RL) recently detected malicious code in a legitimate-looking package, _“_aiocpa._“_ According to RL’s investigation, shared with Hackread.com, this package was designed to compromise cryptocurrency wallets. 

Through differential analysis of two package versions, RL was able to determine how these attackers carried out their distinctive campaign. The package, a synchronous and asynchronous Crypto Pay API client, has been downloaded 12,100 times.

While probing, researchers identified what makes this campaign unique. Unlike most attacks targeting open-source repositories like npm and PyPI, in this campaign, the threat actors published their own crypto client tool to gradually build trust with a growing user base. Then, they struck. An apparently harmless update to the aiocpa package (version 0.1.13 and later) injected malicious code.

“The malicious actor was observed trying to take over an existing PyPI project named pay, probably to gain access to an established user base, or the attacker estimated that such a package name would attract more victims,” researchers observed.

****How Machine Learning Spotted the Trouble****

RL uses a machine learning-based threat hunting system called Spectra Assure. This system continuously scans open-source packages for suspicious behaviour. In the case of aiocpa, on November 21, 2024, Spectra Assure flagged the updated package due to its resemblance to previously encountered malware.

Further revealed obfuscated code within the aiocpa package with numerous versions published until September 2024. This code was hidden behind layers of encryption and was designed to steal sensitive information like crypto trading tokens. If stolen, this data could be used to drain victims’ cryptocurrency wallets.

Researchers noted in the blog post that application security testing (AST) tools wouldn’t have caught this attack. The malicious code wasn’t present in the referenced GitHub repository, which would typically be reviewed for legitimacy. This is why advanced tools like Spectra Assure are crucial. They analyse code behaviour, allowing for a deeper inspection than traditional methods.

PyPI home page pf the malicious package and the GitHub account behind it (Screenshot credit: RL)

RL reported this malicious package to the Python Package Index (PYPI) for removal, which was later published on their blog on November 25. Researchers at Phylum reported on RL’s discovery, highlighting the uniqueness of the malicious campaign

The incident highlights the evolving nature of open-source software threats making it essential to perform regular security assessments, and consider machine learning-based threat hunting tools for powerful protection. Regular evaluation of third-party code, tools, packages, and extensions is also crucial.

Furthermore, PyPI users should be aware of package name takeover, a serious supply chain infection vector. If a project pay dependency is taken over by a threat actor, a new malicious version could be published to PyPI. The PyPI security team advises users to pin dependencies and versions, using hashes to prevent unwanted updates. 

1.  **ChatGPT Sandbox Flaws Enabling Python Execution**
2.  **PyPI Exploited to Infiltrate Systems Through Python Packages**
3.  **PythonAnywhere** **Cloud Platform Abused to Host Ransomware**
4.  **Qubitstrike Malware Hits Jupyter Notebooks for Cryptojacking**
5.  **VMCONNECT: Malicious PyPI Package Mimicking Python Tools**
6.  **New version of Jupyter infostealer delivered through MSI installer**

Tag

#intel