Emmenhtal Loader uses LOLBAS techniques, deploying malware like Lumma and Amadey through legitimate Windows tools. Its infection chain…

Emmenhtal Loader uses LOLBAS techniques, deploying malware like Lumma and Amadey through legitimate Windows tools. Its infection chain of LNK files and encrypted scripts evades detection.

Cybercriminals are always on the lookout for sneaky ways to bypass detection. One of the ongoing threats that cybersecurity professionals are closely monitoring is the Emmenhtal loader campaign.

Emmenhtal relies on LOLBAS (Living Off the Land Binaries and Scripts) techniques to quietly deliver malware, making it especially hard to detect.

In their research, analysts from ANY.RUN identified multiple malware strains being distributed by Emmenhtal, including Arechclient2, Lumma, Hijackloader, and Amadey—each cleverly disguised through malicious scripts.

Let’s examine this campaign more closely, unpacking Emmenhtal’s execution chain and exploring safe ways to detect its activities before they cause harm.

****What’s Emmenhtal Loader?****

Emmenhtal is a malware loader that surfaced in early 2024, known for its sophisticated methods in deploying various malicious payloads, including information stealers like Lumma and CryptBot. 

It uses LOLBAS techniques, utilizing legitimate Windows tools to avoid detection. Emmenhtal often conceals itself within modified legitimate Windows binaries, embedding malicious scripts that execute in multiple stages to download and run additional malware. 

Its infection chain frequently involves the use of HTA (HTML Application) files and PowerShell scripts, making it challenging for traditional security measures to detect.

You can check what scripts Emmenhtal Loader uses and what they do with the help of tools, such as ANY.RUN’s Script Tracer. 

Malicious scripts traced inside ANY.RUN’s sandbox

****Execution Chain of Emmenhtal Loader****

To examine how the Emmenhtal loader operates, we can explore a real-world malware sample within a secure environment like ANY.RUN’s interactive sandbox. 

In this case, we’ll have a closer look at the sample of Emmenhtal and how it’s executed.

View analysis session

Execution chain of Emmenhtal Loader

1.  **LNK file initiation:**

The attack begins with a malicious LNK file that initiates the **forfiles** command. This file is designed to look harmless, making it more likely to be executed by a user.

We can observe the forfiles.exe process in the interactive sandbox by examining the process tree section on the right side of the screen.

Forfiles inside ANY.RUN’s sandbox

2.  **Forfiles locates HelpPane to execute PowerShell:**

The forfiles command is used to locate the HelpPane executable. This legitimate Windows tool is then employed to launch PowerShell, which initiates the next step in the infection chain.

Forfiles.exe process details inside ANY.RUN’s sandbox

3.  **PowerShell calls Mshta:**

Next, PowerShell runs a command that calls Mshta. The latter is instructed to download a payload from a remote server. This payload is encrypted using the AES encryption algorithm to make it harder to detect and analyze.

4.  **Mshta decrypts and executes payload:**

**Mshta** decrypts and executes the downloaded payload. This payload contains the necessary instructions to proceed with the infection process.

Mshta.exe detected by ANY.RUN sandbox

5.  **PowerShell runs AES-encrypted command:**

PowerShell runs an AES-encrypted command to decrypt the Emmenhtal loader. This command is obfuscated to avoid detection by traditional security measures.

6.  **Emmenhtal Loader launches payload:**

The final PowerShell script is the Emmenhtal loader, which launches a payload (often **Updater.exe**) with a binary file with a generated name as an argument. This step carries out the transition from the loader to the actual malware.

In our example, we deal with Updater.exe as well:

Updater.exe displayed inside the sandbox

7.  **Malware infects the system:**

The malware successfully infects the system, completing the execution chain. At this point, the malware can carry out its intended malicious activities, such as data exfiltration, credential theft, or establishing persistence.

In the research carried out by ANY.RUN, the Emmenhtal Loader used scripts to deliver malware, such as Arechclient2, Lumma, Hijackloader, and Amadey.

****Analyze Threats Safely with ANY.RUN****

The Emmenhtal loader is a tricky malware that’s hard to detect. It uses legitimate Windows tools and encrypted scripts to hide its activities. But with the right tools, you can spot and stop it.

ANY.RUN’s interactive sandbox gives you the ability to analyze the behaviour of Emmenhtal and other advanced malware inside a controlled environment.

Get started today with a 14-day free trial!

1.  A Step-by-Step Guide to How Threat Hunting Works
2.  Analysis of Top Infostealers: Redline, Vidar and Formbook
3.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
4.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats
5.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

Emmenhtal Loader Uses Scripts to Deliver Lumma and Other Malware

Despite having only a scant focus on cybersecurity regulations a decade ago, countries in the Middle East — led by Saudi Arabia and other Gulf nations — have adopted mature frameworks and regulations amid escalating volumes of attacks.

Source: KamilSD via Alamy Stock Photo

The increase in cyber operations, disruptive attacks, and hacktivism in the Middle East has led the region's largest nations to pursue more sophisticated cybersecurity laws and frameworks over the past decade, leading to a dynamic regulatory landscape that companies need to navigate moving forward, according to regional experts.

Efforts to move their nations beyond the traditional petrochemical-based economies to a knowledge-based future have led Middle East nations to invest heavily in digital and cloud technologies over the past two decades. The result: Cyberattacks and cybercriminal operations have increased in the region. In reaction, countries such as Qatar, Saudi Arabia, and Oman all have developed mature regulatory regimes based on international standards, Cisco stated in a recent analysis of Middle East regulatory frameworks.

The goal of the effort is for countries to protect their valuable investments in the future from the dangers highlighted by destructive attacks and geopolitical tensions, says Yuri Kramarz, a principal engineer leading the global Incident response practice at Cisco's Talos threat intelligence group.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larson from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Southeast Asian Cybercrime Profits Fuel Shadow Economy

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

"As various states started to diversify from traditional sources of income to a digital economy, they realized that technology adoption plays a crucial role in their economies as both a source of revenue and employment," he says. "It was not until the late 2000s and early 2010, when attacks became increasingly sophisticated, that countries began to take notice."

Yet, once the cyber danger was identified, the regional governments swung into action, with Saudi Arabia and the United Arab Emirates (UAE) leading the way, according to business consultancy Oliver Wyman. While Middle East nations have made significant strides, they do have to overcome a variety of factors, including uneven enforcement and the migration of talent away from the region, Souheil Moukaddem, global head of cyber risk at Oliver Wyman, stated in a video interview.

Related:Ransomware Gangs Pummel Southeast Asia

"A global problem, \[which is\] particularly exacerbated in the Middle East, \[is\] the shortage of cyber talent," he said. "And what you see really is, as the professionals become more experienced, they tend to migrate to other geographies where the pay is better, and the jobs are better."

**Mideast Plays Catch Up**

In 2014, nations in the Middle East began establishing cybersecurity and data-protection frameworks following a series of critical cybersecurity attacks, such as the Stuxnet attack and the Shamoon wiper. Recent tensions in the Middle East have driven even more advanced hacktivism, denial-of-service attacks, and supply chain compromises, including Israel's cyber-physical attack using exploding pagers.

Cisco's Kramarz points to the Shamoon wiper attacks as an example of the type of threats that have driven the change in perceptions of cybersecurity in the Middle East. Despite its lack of sophistication, the Shamoon wiper virus crashed more than 30,000 workstations at Saudi Arabia's state-owned oil giant, Saudi Aramco.

"As we have seen, the economy of an entire country can be impacted by a cybersecurity attack," he says.

As international tensions in the region have escalated, many countries in the Gulf Cooperative Council (GCC) have developed national cybersecurity strategies using international regulatory frameworks and standards and establishing a minimum set of security controls — especially in critical sectors, says Koroush Tajbakhsh, a director in the cybersecurity practice at FTI Consulting, based in Dubai.

Related:India's Critical Infrastructure Suffers Spike in Cyberattacks

"In the face of increasing cyber warfare, GCC countries have responded by bolstering regional cyber alliances, conducting joint cybersecurity drills, and fostering intelligence-sharing initiatives, though political tensions can complicate cooperation," he says.

**Standardized Approach Pays Off**

Companies that already use standards from the United States' National Institute of Standards and Technology, the European Union's General Data Protection Directive, or the global International Organization for Standardization are already well along in meeting most of the cybersecurity controls required by nations in the Middle East, Cisco's Kramarz says.

"Most country-level standards and frameworks are built on top of these well-known standards," he says. "However, companies must also pay attention to the specific requirements in each country, particularly around data localization, incident reporting, and compliance with sector-specific regulations that might often be only available through regulatory bodies who add additional frameworks on top of existing country-level regulations and laws."

However, enforcement of the regulations can be uneven — often due to a lack of expertise about newly passed laws or a failure to establish offices for data authorities — which poses problems for companies looking to prioritize their efforts. In addition, the lack of enforcement contributes to sometimes spotty responses to data breaches, says FTI Consulting's Tajbakhsh.

"Effectively responding to cybercrime and data breaches is not as much about gaps in local data protection legislation as it is about their effective enforcement," he says. "While laws exist, cross-border enforcement will remain a challenge when looking to prosecute foreign agents or international crime syndicates, as this would require local data offices responsible for enforcing laws locally to reach a level of operational maturity that also includes cross-border data sharing."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Middle East Cybersecurity Efforts Catch Up After Late Start

The November 2024 Patch Tuesday update contains a substantially high percentage of remote code execution (RCE) vulnerabilities (including a critical issue in Windows Kerberos), and two other zero-day bugs that have been previously disclosed and could soon come under attack.

Source: Rix Pix Photography via Shutterstock

Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.

The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains a substantially high percentage of remote code execution (RCE) vulnerabilities, in addition to the usual collection of elevation of privileges flaws, spoofing vulnerabilities, security bypass, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the flaws as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are of likely of high interest to adversaries.

**Microsoft Adopts CSAF Standard**

Along with the November security update, Microsoft also announced its adoption of Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. "CSAF files are meant to be consumed by computers more so than by humans," Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.

"This is a huge win for the security community and a welcome addition to Microsoft’s security pages," said Tyler Reguly, associate director of security R&D at Fortra, via email. "This is a standard that has been adopted by many software vendors and it is great to see that Microsoft is following suit."

**Zero-Day Bugs Under Active Exploit**

One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users, and access applications and data to which they have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Merely selecting or inspecting a file could trigger the vulnerability, Microsoft warned.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

"To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024," Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.

"One thing is certain," according to Narang. "Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes."

The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation of privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.

"In this case, a successful attack could be performed from a low privilege AppContainer," Microsoft said. "The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment."

The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or other advanced persistent threat actor, Narang said.

"An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks," added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. "It is unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they are executing the vulnerability."

**Previously Disclosed but Unexploited Zero-Days**

One of the two already disclosed — but not yet exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.  

Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. "The primary issue lies in how Exchange processes ... headers, enabling attackers to construct emails that falsely appear to be from legitimate sources," Mike Walters, president and co-founder of Action1, wrote in a blog post. "This capability is particularly useful for spear phishing and other forms of email-based deception."

**RCE Security Bugs Have a Big Month**

Nearly 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Most of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.

Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as something that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.

"Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities," Walters added. "This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code."

Bradle pointed to CVE-2024-49050 in Visual Studio Code Python Extension as another RCE in this month's set that merits priority attention. "The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8," he said. "Microsoft has patched the VSCode extension, and updates should be installed immediately."

Immersive Labs' McCarthy also identified multiple other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that enables attacker to gain system level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

The data leak was not actually due to a breach in Amazon's systems but rather that of a third-party vendor; the supply chain incident affected several other clients as well.

Source: Ian Dagnall via Alamy Stock Photo

Amazon has confirmed that its employees' data was exposed on a cybercrime forum due to the now-infamous MOVEit vulnerability.

The vulnerability, tracked as CVE-2023-34362, was discovered last year in the MOVEit file transfer software. The flaw allows hackers to bypass authentication on unpatched systems in order to access files, and it has affected thousands of organizations to date.

An Amazon spokesperson said that Amazon and AWS systems are secure and that its systems have not experienced a security breach. The "security event" actually occurred at a third-party property-management vendor, and several other customers it worked with in addition to Amazon were also affected, the person said. The type of compromised information includes work email addresses, desk phone numbers, and building locations.

"Amazon's recent data breach, traced back to a third-party vendor's use of the MOVEit tool, is another wake-up call for the supply chain's hidden vulnerabilities," Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, wrote in an emailed statement to Dark Reading. "The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third- and even fourth-party vendors. We've identified over 600 MOVEit servers that were likely caught in this 'spray' attack — leaving a vast field of potential targets."

Cybercrime intelligence company Hudson Rock referred to the fallout of the bug as one of the most substantial leaks of corporate information last year; and authors of the "Verizon Data Breach Investigation Report (DBIR)" in February noted that breaches attributable to MOVEit were so numerous that they skewed its statistics for the year.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Amazon Employee Data Compromised in MOVEit Breach

The essays are to focus on the impact that artificial intelligence will have on European policy.

Source: Deco via Alamy Stock Photo

The Munich Security Conference is partnering with the European Cyber Conflict Research Initiative's Binding Hook on the AI-Cybersecurity Essay Prize Competition to explore the intersection of cybersecurity and artificial intelligence (AI).

As cyber threats rapidly evolve, AI is at the forefront, shaping the next generation of cyber defenses and bringing new challenges and opportunities, said Max Smeets, co-director of the European Cyber Conflict Research Initiative (ECCRI) and the European Cyber Conflict Research Incubator, in a statement. Researchers are invited to submit essays on how AI will change cybersecurity, its implications for Europe, and actionable recommendations for policymakers. Essays can reference previously published research, but the content should be reworked to provide new insights.

"Launching this competition is, for me, about opening the door to voices from a range of disciplines - encouraging contributions that speak to both the opportunities and risks AI presents for cybersecurity," Smeets said. "I also hope we will see not just analysis but ideas that policymakers can consider seriously; thoughtful pieces that get at the heart of what AI could mean for cybersecurity policy in Europe."

Essays will be reviewed by a board led by co-chairs Kersti Kaljulaid, former president of Estonia, and Shashank Joshi, defense editor at The Economist. Board members include Heather Adkins, vice president of security engineering and head of office of cybersecurity resilience at Google; Klaus Hommels, founder of Lakestar and chair of the board of directors at the NATO Innovation Fund; Mikko Hyppönen, a security and privacy expert; Maria Markstedter, founder of Azeria Labs; Eva Maydell, member of the European Parliament; and ECCRI's Smeets. Prizes will be awarded for the top five essays, starting at €10,000 (US$10,628) for the top prize and €5,000 (US$5314) for the runner-up. The winning author will also be invited to attend the 2025 Munich Security Conference.

Essays should be 800 to 1,200 words. The deadline for submissions is Jan. 2, 2025. 

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

New Essay Competition Explores AI's Role in Cybersecurity

Adaptive Shield is the third security posture management provider the company has acquired in the last 14 months as identity-based attacks continue to rise.

Source: Artemis Diana via Alamy Stock Photo

CrowdStrike's spending spree for security posture management capabilities continued with a deal to buy Adaptive Shield, an Israeli startup  that specializes in securing organizations' SaaS ecosystems and protecting against identity-based attacks.

Last week's deal calls for CrowdStrike to pay cash and stock for Adaptive Shield; CrowdStrike expects to complete the transaction by the end of January 2025. Press reports estimate the value of the deal at around $300 million.

Founded in 2019, Adaptive Shield is one of many companies in the SaaS security posture management (SSPM) sector; others include AppOmni, DoControl, Obsidian, and Reco. 

Adaptive Shield's platform supports more than 150 SaaS applications including Adobe, Google Workspace, Microsoft 365, Salesforce, Slack, and Zoom. It monitors for misconfigurations and identity threats, and offers a no-code tool for custom SaaS applications called Integration Builder.

**Competitive Impact?**

Omdia senior principal analyst Rik Turner wonders whether the deal will prompt CrowdStrike's competitors like Cisco, Palo Alto Networks, and Sentinal One to follow suit with their own deals. Overall, it's been an active time for acquisitions of cloud and data security posture management (DSPM) startups, he noted. 

Adaptive Shield is CrowdStrike's third security posture management provider in the last 18 months. In October 2023, CrowdStrike bought Bionic, an early provider of application security posture management (ASPM), extending security risk visibility from code development to cloud deployment. 

Earlier this year, CrowdStrike bought Flow Security, another DSPM cloud platform that protects data at rest and in motion. "In contrast, there has been no such buying frenzy with SSPMs. CrowdStrike's acquisition of Adaptive Shield is the first deal of this kind, raising the question of whether it might start a trend among the purchaser’s competitors," Turner note in a recent report.

CrowdStrike emphasizes that the addition of Adaptive Shield will boost the capability of its Falcon platform to protect organizations against identity-based attacks by adding SaaS applications to the mix. 

Once integrated into Falcon, Adaptive Shield's SSPM platform will give organizations visibility into misconfigurations, unnecessary or rogue privileges, and activities undertaken among accounts of on-premises and cloud identity providers as well as SaaS security applications. The addition "provides organizations with granular visibility into their growing cloud environments, enables them to manage and secure their SaaS security posture and their human and non-human identities, and helps them detect and prevent identity-centric, cloud-focused cyberattacks," CrowdStrike president Michael Sentonas explained in a blog post.

CrowdStrike senior product manager for identity Ryan Terry buttressed that message at a company meeting last week in Amsterdam. "Our vision is to unify identity protection across the entire Falcon security platform that includes cloud security," he said. "That will bring ISPM, CIEM, and ITDR together in an integrated way, in one single platform to help you address today's modern identity challenges."

**Keying in on Identity**

SaaS connectors will improve visibility into threat activity and precursors to identity-based attacks, says Forrester Research principal analyst Andras Cser. And he believes adding SSPM to CrowdStrike Falcon will fill a gap in the platform's identity protection module.

"Identity-wise, CrowdStrike claims they have ITDR, but in reality, it's mainly cloud infrastructure entitlement management, addressing how admins have access to policies that drive privileges on things like \[AWS\] S3 buckets and Azure Blobs and things like that," Cser says. "It's not true \[identity and access management\] in the sense of user account provisioning-deprovisioning, federation, token service, and all these other types of things."

The Adaptive Shield SSPM and ITDR platform promises to provide a broad range of protection against such attacks by providing unified, hybrid identity management for SaaS-based apps and on-premises authentication, notably Microsoft's Active Directory.

Adaptive Shield's platform also continuously monitors generative AI-based SaaS applications for configuration shifts and enforces security standards and privileges. And it's designed to prevent data exfiltration and discover unauthorized AI applications. "Beyond identities, it also provides visibility into misconfigurations and other risks affecting SaaS applications so organizations can better manage these issues and detect and respond to threats," Sentonas added.

Identity-Based Attacks Continue to Mount

Vendor focus on identity isn't happening in a vacuum. Threat actors such as Scattered Spider and Cozy Bear (also known as APT29 and Midnight Blizzard) have actively exploited identity through various techniques, including password spraying, phishing, stealing legitimate credentials, and exploiting misconfigurations. 

After managing to get global administrator rights to MGM Resorts' Azure instances last year, Scattered Spider was able to exfiltrate data and disrupt its operations. Earlier this year, Microsoft was among the victims of a password spray attack by Russia-based Midnight Blizzard, compromising its corporate email systems. Overall, CrowdStrike has claimed that 80% of breaches now have an identity component.  

At the RSA Conference earlier in the year, Sentonas and CrowdStrike co-founder and CEO George Kurtz demonstrated how hackers exploit identity provider misconfigurations with phish-able authentication factors to gain access to highly privileged accounts. "They move laterally once they're inside an organization to achieve their outcome," Sentonas said.

**More Identity Features in the Wings**

Ross Penny, a principal technical strategist for CrowdStrike, said the company plans to roll out several tools to bolster CrowdStrike Falcon Identity by February 2025. Among recent and current deliverables include integration with AWS Identity Center, which reports on the "full picture" of risks associated with federated AWS accounts. 

"If you're only looking within AWS because it's federated, you lack a lot of information about it," Penny explained. "The fact that we know where that account lives and originates means you have a much wider variety of risk that you're able to use to calculate those access decisions and detections."

Penny said that CrowdStrike is also readying a policy management API that can be integrated into external workflows. CrowdStrike developed this API because many of its customers also use ServiceNow.

Early next year, CrowdStrike will extend integration with other identity providers, including Okta Universal Directory, Google Workspace, and AWS permission usage analysis. CrowdStrike also plans to add attack path detection across those multiple identity providers in 2025.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, Dr. Max Smeets from ETH Zurich, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Spends to Boost Identity Threat Detection

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon,…

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon, 3M, HP, and Delta, exposing cybersecurity flaws across major firms.

A “Data Vigilante” using the alias Nam3L3ss has leaked millions of employee records from global industry giants, in connection with the widespread **MOVEit vulnerability**. For your information, the MOVEit flaw is a security vulnerability in the MOVEit file transfer software, which many organizations use to share sensitive data.

Nam3L3ss, who denies being a hacker, began leaking the data on Friday, November 8, 2024. So far, sensitive and non-sensitive records from 27 companies, totalling 7,952,414 employee records, have been exposed. This includes 2,861,111 records from Amazon employees, a breach acknowledged by the company.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” Amazon spokesperson Adam Montgomery told Hackread.com. “The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations.”

****Data Analysis****

The Hackread.com research team conducted an in-depth analysis of each file leaked by Nam3L3ss, revealing that the data includes full names, email addresses, phone numbers, office addresses, residential addresses, company names, location coordinates, and more.

****List of Affected Companies and Employee Counts****

    3M: 48,630 employees
    
    HP: 104,119 employees
    
    Delta: 57,317 employees
    
    MetLife: 585,130 employees
    
    Amazon: 2,861,111 employees
    
    McDonald's: 3,295 employees
    
    Lenovo: 45,522 employees
    
    TIAA: 2,464,625 employees
    
    CalSTRS: 422,311 employees
    
    BT: 15,347 employees
    
    URBN: 17,553 employees
    
    Leidos: 52,610 employees
    
    UBS: 20,462 employees
    
    HSBC: 280,693 employees
    
    Firmenich: 13,248 employees
    
    U.S. Bank: 114,076 employees
    
    Canada Post: 69,860 employees
    
    Westinghouse: 18,193 employees
    
    Rush University: 15,853 employees
    
    Omnicom Group: 37,320 employees
    
    Charles Schwab: 49,356 employees
    
    City National Bank: 9,358 employees
    
    Applied Materials: 53,170 employees
    
    Cardinal Health: 407,437 employees
    
    Bristol-Myers Squibb: 37,497 employees
    
    TIAA (additional listing): 23,857 employees
    
    Fidelity Investments: 124,464 employees

List of targeted companies (Screenshot credit: Hackread.com)

****Nam3L3ss’s Manifesto: Motivation and Methodology****

In a post on Breach Forums, Nam3L3ss outlined their “manifesto” to explain who they are and why they’re leaking data. According to the post, they monitor misconfigured and unsecured cloud databases across various services, including AWS Buckets, Azure, Digital Ocean, Google, and FTP and MongoDB servers, to extract and make this data public.

Nam3L3ss also claims to monitor ransomware groups, analyze stolen data, clean it by removing duplicates and irrelevant information, and then release it online. For example, the leaked MetLife employee directory originated from MetLife, a global financial services firm that suffered a ransomware attack in 2023.

Nam3L3ss intro and Manifesto (Screenshot credit: Hackread.com)

The Cl0p ransomware gang exploited MOVEit extensively, targeting hundreds of organizations worldwide. They even **created clear web websites to leak** the stolen data in July 2024.

**Ferhat Dikbiyik**, chief research and intelligence officer at Black Kite, weighed in on the recent Amazon data breach, explaining, that Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities.

“Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities. The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third and even fourth-party vendors,” Ferhat said.

“We’ve identified over 600 MOVEit servers that were likely caught in this “spray” attack—leaving a vast field of potential targets,” he explained. “CL0P ransomware, the group exploiting this flaw, named 270 victims within three months, and the count is still rising.”

“With 200 to 400 organizations speculated to have paid ransoms, the real impact stretches far beyond these numbers. This breach emphasizes that ransomware risk doesn’t stop at your company’s doorstep. In today’s ecosystem, exposure management must extend across the entire supply chain to truly defend against the next big attack.”

****Data Vigilante?****

Although the term Data Vigilante is debatable, Nam3L3ss expresses frustration with companies and government institutions for failing to secure their networks. By leaking this data, they aim to raise awareness about data security and encourage better cybersecurity practices.

****Implications of the Data Leak and Advice to Employees****

Although passwords and financial details weren’t included in the leaked files, the exposure poses significant risks to companies and employees. Threat actors, especially state-sponsored groups like **North Korea’s Lazarus Group**, are known to exploit such data to initiate phishing scams, steal cryptocurrency, and access financial information that could aid their **country’s economy**.

If you work for one of the affected companies, be on the lookout for phishing scams via email, SMS phishing (smishing), and voice phishing (vishing) attempts, as attackers may try to exploit this data for further scams.

1.  Hacker Leaks Thousands of Microsoft and Nokia Employee Details
2.  Hackers Calling Employees to Steal VPN Credentials from US Firms
3.  Hacker Leaks Data of 33K Accenture Employees in 3rd-Party Breach
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore

Data Vigilante Leaks 8 Million Employee Records from Amazon, HP and Others

Marketed on a cybercriminal forum, the $700 tool harvests email addresses from public GitHub profiles, priming cyberattackers for further credential theft, malware delivery, OAuth subversion, supply chain attacks, and other corporate breaches.

Source: Piotr Swat via Alamy Stock Photo

Researchers have uncovered a tool aimed at targeting GitHub users, distributed on a cybercrime forum. It offers bulk developer credential theft and the ability to conduct further malicious activities, including supply chain attacks.

The tool — called GoIssue and potentially linked to a previous GitHub repository extortion campaign called Gitloker — allows potential attackers to extract email addresses from GitHub profiles and to send bulk emails directly to user inboxes, researchers from SlashNext discovered.

"At its core, the tool systematically harvests email addresses from public GitHub profiles, using automated processes and GitHub tokens to collect data based on various criteria — from organization memberships to stargazer lists," SlashNext revealed in a blog post on Nov. 12.

GoIssue is marketed to potential attackers at $700 for a custom build or $3,000 for full source code access. The tool combines bulk email capabilities with sophisticated data collection features, and protects the operator's identity through proxy networks, according to SlashNext. 

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Citrix Issues Patches for Zero-Day Recording Manager Bugs

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

**Developers Have a Target on Their Backs**

Developers increasingly have become a top target for threat actors because they provide the keys to valuable source code that can be used to launch supply chain attacks, reaching numerous victims by merely altering or abusing lines of code. As the leading online repository for source code, GitHub already has been in the crosshairs of numerous malicious campaigns targeting its users.

"The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds," with attackers aiming to "exploit trusted developer environments," observes Jason Soroko, senior fellow at Sectigo, an automated certificate life-cycle management firm.

GoIssue represents an evolution in GitHub-focused attack tools, giving attackers a way to orchestrate large-scale, customized phishing campaigns that can bypass spam filters and target specific developer communities, while attackers maintain the cover of anonymity.

Related:Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

Through these campaigns, attackers can steal developer credentials and use that stolen information in phishing attacks that can steal login credentials, spread malicious payloads to compromise a user's device, or distribute prompts for OAuth app authorization that give attackers access to private repositories and data.

In this way, threat actors can steal and/or poison source code from GitHub projects to launch supply chain and other attacks that can breach corporate networks, the researchers said. "This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community," Soroko observes.

**Cybercrime Link to Gitloker Extortion Campaign?**

When investigating GoIssue, the contact info provided to potential buyers of the tool led SlashNext researchers to a Telegram profile for "cyberluffy," which states that someone called "Cyber D' Luffy" is a member of the Gitloker team. Gitloker is an ongoing campaign uncovered in June that uses GitHub notifications to push malicious OAuth apps aimed at wiping developer repositories for extortion purposes.

Moreover, in a thread advertising GoIssue, the seller even links to high-profile security blogs that detail and validate Gitloker attack efficacy. This seems to suggest that the same attackers selling GoIssue are behind Gitloker, and the tool "could be an extension of the Gitloker campaign or an evolved version of the same tool," according to SlashNext.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

"Both tools share a similar target audience (GitHub users) and leverage email communication to initiate attacks," according to the post. "This overlap in purpose and personnel strongly supports the theory that they are either linked or variations of one another."

No matter who is distributing the tool, it represents a dire warning to developers using GitHub that they need to remain vigilant and not engage with any anomalous email correspondence or messages that seem suspicious, the researchers noted. "This isn’t just spam; it’s a potential entry point to taking over your account or projects," according to SlashNext.

Enterprises with developers in the organization that use GitHub in particular should be especially proactive and adaptive at securing their people, notes Mika Aalto, co-founder and CEO at human risk-management firm Hoxhunt.

"As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters," he says.

Enterprises also should integrate human threat intelligence into the security stack to facilitate accelerated detection and response to suspicious activity, Aalto adds.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

There is some disagreement over whether the remote code execution (RCE) security flaws allow for unauthenticated exploitation or not. Citrix says no, but researchers say the company is downplaying a "good old unauthenticated RCE."

Source: JHVEPhoto via Shutterstock

Very swiftly after their disclosure, Citrix has issued patches for two vulnerabilities in its Citrix Virtual Apps and Desktop technology that allow a remote attacker escalate privileges or execute code of their choice on vulnerable systems.

Citrix has described the remote code execution (RCE) vulnerabilities as something that only a previously authenticated attacker could abuse. However, researchers at watchTowr who discovered the flaws and developed a proof-of-concept exploit (PoC) say it's a point-and-click vulnerability that an unauthenticated attacker can exploit with relative ease.

Citrix is tracking one of the flaws as CVE-2024-8068 and the other as CVE-2024-8069.  

**Citrix Downplaying Threat Severity?**

The flaws affect the thin-client technology's Session Recording Manager component that allows admins to capture, store, and manage recordings of user sessions. They stem from a weakness in how Session Recording Manager deserializes or unpacks data that has been converted into a format that makes it easy to store and transmit, according to the researchers at watchTowr who discovered and reported the issues to Citrix in July.

Citrix initially said it was unable to reproduce the issue but later acknowledged the problem after the security vendor gave them a PoC exploit for the vulnerability.

Related:'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

In an advisory on Nov. 12, the company described CVE-2024-8068 as a privilege escalation vulnerability that allows an authenticated user in the same Windows Active Directory domain as the session recording server to gain NetworkService Account access. CVE-2024-8069, according to Citrix, is a "limited" RCE for attackers with admin level account access on vulnerable systems. "Cloud Software Group strongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon their upgrade schedule permits," the company cautioned.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Even so, Citrix has assigned both vulnerabilities only medium severity scores of 5.1 of 10 on the CVSS vulnerability rating scale. It's an assignment that watchTowr has disputed.

Related:Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

"Citrix is downplaying the severity of this vulnerability as a medium priority when it’s really point-click-full-takeover," says Benjamin Harris, CEO of watchTowr, pointing to the company's exploit code. The combination of the two vulnerabilities allows for a "good old unauthenticated RCE," Harris tells Dark Reading.

"Citrix's Virtual Apps and Desktop offering is a flagship Citrix solution, targeted at \[Fortune 500\] organizations," he notes. "Since we're dealing with a deserialization issue, a bug class that is known for being relatively stable, we \[have\] a high degree of confidence that our exploit will work reliably. There's no tricky heap manipulation or other entropy creeping in."

Many organizations use Citrix’s Virtual Apps and Desktop technology to enable users to access their applications and desktop environments from anywhere and using any device. It gives organizations a way to centrally deploy, update and secure all user apps from a single location making maintenance more efficient, consistent and cost effective. Another benefit that Citrix advertises is increased security from having applications and data on centralized servers rather than on individual endpoint devices. The technology's Session Recording feature — where watchTowr discovered the flaws — enables admins to monitor for anomalous behavior and to maintain a detailed record of user activity for future audit and troubleshooting purposes.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

Demand for such technologies has increased in recent years as more companies have embraced remote and hybrid work models. Research firm MarketsandMarkets estimates the market will reach $1.7 billion in 2028 from around $1.5 billion last year. The broader desktop as a service (DaaS) market itself is expected to hit nearly $19 billion by 2030 from just over $4 billion in 2021.

**Dependence on Known Insecure Technology**

watchTowr discovered the vulnerabilities while scrutinizing Citrix's Virtual Apps and Desktop's architecture for potential security issues. The security vendor's examination showed that Citrix's app uses Microsoft's Message Queuing (MSMQ) service to receive recorded user session files and to store them in a separate storage manager component. In addition, watchTowr found Citrix using a Microsoft technology called BinaryFormatter to deserialize data in the storage manager component when needed. BinaryFormatter is technology that Microsoft itself has urged organizations to stop using as soon as possible because of security weaknesses that are no longer fixable, watchTowr said.

The vulnerabilities that watchTowr discovered involved a combination of an Internet-accessible MSMQ instance in the session recording component of Citrix's Virtual Apps and Desktop technology along with misconfigured permissions related to BinaryFormatter. "This isn't really a bug in the BinaryFormatter itself, nor a bug in MSMQ, but rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary," Harris says. "It's a 'bug' that manifested during the design phase, when Citrix decided which serialization library to use."

Harris says watchTowr reported the vulnerability as a single issue, whereas Citrix appears to have treated it as two separate issues.  

"While it is inarguable that Citrix's use of a BinaryFormatter with untrusted data is a de-facto bug, we don't have enough context to determine if exposing the MSMQ queue via HTTP is a really a bug, caused by a careless oversight, or a carefully calculated effect of some obscure business requirement."

Citrix's technologies are a frequent target for attackers because of the high-level of access the company's technology provides to enterprise applications and data. Many of the reported security flaws recently have impacted the company's NetScaler ADC and NetScaler Gateway remote access platforms.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Citrix Issues Patches for Zero-Day Recording Manager Bugs

The security vulnerability is due to an exposed Microsoft Message Queuing (MSMQ) instance and the use of the insecure BinaryFormatter.

Source: Brian Jackson via Alamy Stock PhotoSource:

\[Ed. note, Nov. 12 at 12:30 p.m. ET: Citrix has now issued patches for the issue and assigned CVE-2024-8068/CVE-2024-8069 for tracking.\]

An unpatched zero-day vulnerability in Citrix’s Session Recording Manager allows unauthenticated remote code execution (RCE, paving the way for data theft, lateral movement, and desktop takeover.

According to watchTowr research out today, the issue (which does not yet have a CVE or CVSS score) resides in Citrix's Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.

"Citrix advertises the feature as being really useful for monitoring (somewhat obviously), but also for compliance and troubleshooting. It can even be set up so that certain actions (like identifying sensitive data) will trigger recording, which helps meet regulatory needs and flag suspicious activities," the watchTowr researchers noted in the report.

The feature logs session recordings via Microsoft Message Queuing (MSMQ), which enables efficient data transfer from individual computers to centralized storage. However, the Citrix implementation uses BinaryFormatter for serialization and deserialization of the information for easier and more accurate transfer and storage. The utility is unfortunately well-known to be insecure.

Related:'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

BinaryFormatter is a .NET class created by Microsoft, which is in the process of deprecating it: "BinaryFormatter is insecure and can't be made secure. Applications should stop using \[it\] as soon as possible, even if they believe the data they're processing to be trustworthy," the computing giant said in August.

On top of the BinaryFormatter issue, Recording Session Manager also involves an exposed MSMQ service that can be reached from any host via HTTP. This, combined with what watchTowr says are misconfigured permissions, paves the way for unauthenticated RCE.

Dark Reading has reached out for comment and planned patching or mitigation information from both watchTowr and Citrix. There is no evidence of in-the-wild exploitation yet, but given Citrix's attractiveness as a cybercrime target, that could soon change.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larson from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Citrix Issues Patches for Zero-Day Recording Manager Bugs

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Tag

#intel