Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing…

Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing geo-restrictions and the impact on innovation and users.

Artificial intelligence tools are being widely integrated with many tools and activities as people begin noticing their benefits. The majority of companies around the world are using AI actively or exploring its use in some form. This means many startups and big corporations are actively testing new forms of AI and applying them to make life easier for everyone often except for Europe (in this article, don’t associate the word with continental Europe, as we discuss the circumstances within the European Union).

Many popular AI tools like OpenAI’s Sora and Meta AI are not available to European users. The main reasons behind their unavailability are due to regulatory frameworks and operational constraints. But does this mean European users are completely left out of using AI tools? Not really.

In this blog, we are going to look at why many new AI tools aren’t available in Europe and some tips to access them. 

****Bypassing The Geo-Restrictions****

AI tools are not available in Europe and the only way to access them is by using a strong proxy or third-party service. It can be quite surprising for people outside Europe to be denied access to popular AI tools since they are available elsewhere. For example, people from around the world, including Europe can use US-based proxies to get access to these platforms and enjoy using AI without any difficulties.

The proxy will act as a middleman between your device and the website and make it look like you are using the AI from the US itself. This not only improves accessibility but also has additional benefits of enhanced connection and improved security. This means businesses or even individuals who travel frequently and still require uninterrupted access to popular AI tools like Sora can use the help of proxies.

****Why Are AI Tools Restricted In Europe?****

Most AI tools are restricted in Europe due to the regulations the continent has, mainly in the form of the General Data Protection Regulation (GDPR). The GDPR ensures that all citizens and users within Europe are protected from unnecessary data tampering and misuse, but it also puts a heavy burden on tech companies. Since an AI platform requires data to be used for machine learning, the GDPR prevents tech companies from processing data in the traditional way which can harm the user’s privacy. This results in a delay in deploying the AI and hence the unavailability.

Take OpenAI’s Sora as an example. It has recently come into the news regarding its unavailability in Europe, and that is mainly due to compliance issues. Sora is a platform that uses advanced immersive AI to create hyper-realistic videos with simple prompts. This can create a revolution in terms of education and digital marketing. However, concerns regarding how the user data is collected, processed, and stored have delayed its deployment.

****What Europe Is Missing Out On****

With these restrictions, Europe is missing out on several advanced AI tools that are popular elsewhere. OpenAI’s Sora comes to mind first since it’s a relatively new AI that is available in most countries as of now and offers some hyper-realistic visuals with real-time prompts. Meta AI is also popular as it offers an entire suite for developers and consumers alike to enhance their social media experience and recommendations.

Some AI models are still available in Europe, like Jasper AI. The platform works similarly to ChatGPT but has more of a creative edge making it perfect for creative tasks like writing or brainstorming. JasperAI was initially unavailable due to GDPR laws, but after three years of continuous negotiations, the platform is now approved under the AI Act. This goes to show that Europe still has the potential to allow AI systems to run for European marketers.

****How AI Restrictions Affect Innovation****

Europe is pretty rigorous about its data regulation laws and user privacy; it’s a good thing to protect users but it also has its negative sides with companies unable to operate as they could. These restrictions can result in technological gaps between regions where businesses in the US can gain a competitive edge to streamline operations and enhance productivity. This not only results in a global challenge but also forces companies within Europe to look at less-productive alternatives.

The unavailability of AI tools in Europe is a pressing issue that is still being negotiated between lawmakers and developers. Even though AI has its share of downsides regarding data use, Europe needs to find a solution that aligns it with the globe in terms of AI. Since many things in our digitized world are connected, the unavailability of the latest technologies in the EU member countries may have an impact on digital nomads too, who choose to work from Europe.

As the EU also has initiatives to attract nomads, it will likely loosen some restrictions in the future, particularly those applicable in the early stages of new technology releases, while keeping user privacy at the forefront.

Top/Featured Image via FreePik

Why Many New AI Tools Aren’t Available In Europe – And How To Access Them

A highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.

Source: Daniren via Alamy Stock Photo

A suspected Russia-nexus threat actor has been executing convincing spear phishing attacks against diplomatic entities in Kazakhstan.

UAC-0063, active since at least 2021, was first documented by Ukraine's Computer Emergency Response Team (CERT-UA) in 2023. With medium confidence, CERT-UA tied it to APT28 (aka Fancy Bear, Forest Blizzard, Strontium, Sofacy), from the General Staff Main Intelligence Directorate (GRU) Military Unit 26165. APT28 is best known for its high-profile attacks against Western governments: the Democratic National Committee (DNC) hack of 2016, campaigns against parliamentary bodies in Germany, Norway, and the Netherlands, and much more.

UAC-0063, specifically, has used cyber operations to collect intelligence from government entities, nongovernmental organizations (NGOs), academic institutions, and energy and defense organizations in Eastern Europe — most notably Ukraine — as well as Central Asia, including Kazakhstan, Kyrgyzstan, Tajikistan, and other countries in the vicinity, including Israel and India.

Its latest ongoing campaign, which, in a blog post, researchers from Sekoia date back to at least 2022, may fold into a broader effort by Vladimir Putin's government to gain strategic insights into, and advantage over, a former Soviet state that has sought to broaden its diplomatic horizons in recent years.

**Phishing Kazakh Diplomats**

On Oct. 16, 2024 — one month after it'd been deployed in the wild — researchers spotted a diplomatic document uploaded to VirusTotal. It appeared to be a legitimate draft of a joint declaration between the chancellor of Germany and heads of Central Asian countries.

"The first step, when you open this document, is that it asks you to enable macros," recalls Amaury Garçon, cyber threat intelligence (CTI) analyst at Sekoia Threat Detection & Research (TDR), adding that the document was obscured by "shapes" at first sight. "Some phishing documents look really ugly or have a bad shape \[at first\] — they prompt the user to enable macros, because if you don't enable macros you can't write text in the document, can't move images, etc.," he notes.

Clicking "enable" would trigger various malicious, unseen commands on a target device. While the user was made privy to the full, unadulterated lure document, in the background their security settings would be downgraded so as to remove the need for future "enable macros" prompts. Next a second, blank document was created and opened by a hidden instance of Microsoft Word. The Visual Basic (VB) code associated with this hidden document — now enabled by default, of course — dropped and executed a malicious HTML application (HTA) containing a backdoor named "HatVibe."

The purpose of HatVibe is to receive and execute code from a remote server. Though Sekoia couldn't identify the payloads associated with this phishing campaign, CERT-UA has previously observed HatVibe downloading and executing a more complex Python backdoor named "CherrySpy."

**What This Means for Kazakhstan and Russia**

Six weeks after researchers spotted the first VirusTotal upload associated with this campaign, on Nov. 27, Putin went on a two-day state visit to the country he deemed Russia's "true ally," Kazakhstan. He and Kazakhstan's president, Kassym-Jomart Tokayev, used the opportunity afforded by the Collective Security Treaty Organization (CSTO) summit to discuss various areas for economic partnership — particularly around the energy sector — and signed agreements over energy, education, and transportation.

"Central Asia is a real point of interest for Russian influence," Maxime Arquillière, senior CTI analyst at Sekoia TDR explains. "We know that Kazakhstan is a close ally, but since the beginning of the Ukraine war, Kazakhstan has distanced itself a little bit from Russia, trying to develop new connections with both Western states and also China."

Kazakhstan's centrality in the Asian continent positions it nicely as a trade bridge between China and Europe, particularly while Ukraine and Russia are consumed by war. And as Sekoia notes in its blog, the country's gradually broadening geopolitical ties are evident in recent agreements with Mongolia and Afghanistan's new Taliban government, and, most notably, its balanced position on the war in Ukraine — supporting Ukraine's right to territorial integrity without outright condemning Russia's invasion.

This latest cyber campaign, then, fits neatly into Russia's broader initiatives with regard to its Central Asian neighbor. Sekoia identified 11 lure documents in all, each one legitimate and likely having originated with Kazakhstan's Ministry of Foreign Affairs, pertaining to diplomatic business between Kazakhstan and potential partner nations.

Exactly how the threat actor obtained these documents is not known. They include, for example:

*   Letters from Kazakhstan's embassies in Afghanistan and Belgium, regarding diplomatic and economic developments.
    
*   A draft of a joint statement between Germany and Central Asian states, following a Sept. 16, 2024, summit in Astana.
    
*   Administrative reports and briefings on the Kazakh president's visits to Mongolia and New York.
    

"It's really coherent with the \[need for\] Russian intelligence to conduct this kind of cyber espionage, to know about the strategic interests between Kazakhstan and European states," Arquillière says.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Russian APT Phishes Kazakh Gov't for Strategic Intel

The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection.
"Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations

Russian Star Blizzard Shifts Tactics to Exploit WhatsApp QR Codes for Credential Harvesting

Part predictive analysis, part intuition, risk and reputation services are imperfect instruments at best — and better than nothing for most organizations and insurers.

Source: MMD Creative via Shutterstock

As companies seek to improve their cybersecurity postures, they are increasingly using a variety of metrics, scoring systems, and reputational rankings to measure their efforts. But in many cases, businesses are asking too much of the various systems that attempt to measure security.

The old saw says that you need to measure something to manage it, but many systems that have flourished — from the Common Vulnerability Scoring System (CVSS) to organizational security posture scoring and ratings for software development projects — are sometimes only successful at expressing measurable risk. Yet corporate boards are turning some security measurements into key performance indicators (KPIs), and some industries — such as insurance firms — are using them to determine risk. Their conclusion: Scoring risk and reputation tools are imperfect but better than nothing.

Part of the reason is that companies look to manage risk, not just improve security, says Bruce Schneier, chief technology officer of Inrupt, a user-focused data management provider, and an adjunct lecturer at the Harvard Kennedy School. Schneier is critical of many attempts to measure security.

"Whenever I've had a company that could do it, I've always tried to build comparative metrics — how am I doing compared to everybody else that does this?" he says. "That does help. People do want to know how they compare to their peers, and that's also good lawsuit protection." They may say, "Yes, this is a problem, but look, everybody else is doing the same thing."

From software and vulnerabilities to corporate security and human risk, efforts to assign scores and reputations to various components of the information technology ecosystem are growing. This week, detection and response platform Sweet Security inked a deal to use the early-stage startup Illustria to offer a package reputation service to detect risky changes to open source software packages. Providers of security posture ratings — such as Bitsight, SecurityScorecard, and UpGuard — have gained a following among cyber insurers, while human-risk management firms, such as Living Security and Mimecast, are increasingly assigning scores to users' cybersecurity awareness.

**Common Vexations of Scoring Security**

CVSS — the standard way to grade potential criticality of software flaws — highlights many of the issues that continue to dog rating and reputation systems. CVSS allows security researchers and software companies to assess the basic severity of vulnerabilities using a 10-point scoring system, but organizations need to evaluate the vulnerabilities' impacts in their own environments. This step that is often overlooked and gives critics significant fodder to attack the approach.

As a result, CVSS garners some praise but also a great deal of criticism. The scoring system is more like grading a high dive rather than tallying a baseball game, wrote Richard Brooks, co-founder and lead software engineer at consulting firm Business Cyber Guardian, in tepid defense of the system that often veered into criticism.

"It's highly subjective and each party needs to decide for themselves if there is risk from a vulnerability, based on their own circumstances and the information known about the vulnerability and its exploitation methods," he stated.

A major problem for any scoring systems is that security is often subjective and frequently amounts to proving a negative — a difficult application of metrics and scoring, says Inrupt's Schneier.

Using scores to fuel checklists can help, he says. Checklists are used in environments where reliability is critical, such as airplanes, hospitals, and spacecraft. To some degree the software security community has pursued this approach, creating lists of vulnerabilities — such as the OWASP Top 10 and the CWE Top 25 lists — that are intended to focus remediation efforts.

"Checklists are a way to turn the unprovable negative into a demonstrable positive," Schneier says. Yet we still have trouble creating metrics for security because "security is fundamentally not about capabilities. It's not about functionality. It's about denying functionality."

**Adoption by the Kings of Metrics (Insurers)**

One group that's hungry for scores and metrics is the insurance industry. Insurers aim to boil down events into data, and security events and cyberattacks are no different. Cyber insurers are increasingly collecting their own data to infer which products have good security and determine what to charge potential policyholders based on their use of those products.

Models that assign companies scores based on their observable cybersecurity posture, for example, can save insurance firms significant money by identifying the worst performers. Using information from Bitsight and internal data, for example, reinsurance firm Gallagher Re identified the bottom 20% of companies, which had a 3.17 times greater likelihood of suffering a loss — an approach that could reduce insurance firm losses by about 16%, the reinsurer stated in a 2024 study. A second study by professional services firm Marsh McLennan and Bitsight found that the lowest-scoring tier of companies were nearly five times more likely to have a cybersecurity incident than the highest-scoring tier.

A scoring system works only if companies are using it to reach their end goals (more security) rather than trying to just increase their scores (compliance), says Stephen Boyer, co-founder and chief technology officer at Bitsight.

"I do think that as long as it's communicating something that drives an action that ends up being risk-reducing, that's good," he says. "If it's a regulatory focus and \[the company\] is doing that to optimize the score and is not actually reducing risk, then it is a wasted effort for everybody."

Unsurprisingly, more regulated industries tend to score higher on organizational ratings. Financial firms, utilities, energy, and healthcare all average a score of 720 or higher, while communications services average a score of a 630 and industrials a score of 690, according to a report on cybersecurity oversight of corporate boards.

**Software Ratings Gain Traction**

As software supply chain worries mount, companies and the open source community are aiming to rate the reputation and development processes of open source projects and assign scores to the components they produce. The OpenSSF Scorecard, for example, conducts a number of automated checks and ranks a project by a numerical score for each area, including whether the project has binary artifacts, whether the branch protection is on, the cadence of commits, and whether the project shows signs of using automated tools and fuzzers. The popular machine-learning library TensorFlow, for example, currently has an overall score of 8.2, with low scores for its Code Review practices and the failure to pin dependencies.

In some ways, we have too much data, and often it's not the right data, says Dylan Thomas, senior director of product and engineering at IT conglomerate OpenText.

"Because there's so much more data, the biggest challenge is understanding that we're using it in an effective way and that we're using the right data to draw the right conclusions, \[so we don't\] misrepresent a particular data point or metric or scoring system," he says. "It's one of the reasons that LLM-based machine-learning algorithms really can provide a lot of value to augment security decision-making \[and\] can synthesize the vast amounts of data into potential patterns that we can actually make sense of."

The Open Source Select service offered by software supply chain security firm Debricked, part of OpenText, uses ratings for the contributors, the popularity, and the security of open source components to summarize their practices using a scale of 1 to 100, assigning a traffic-light color to each component. TensorFlow, for example, received green ratings for its contributors (score: 73) and popularity (score: 84) but only a yellow rating (score: 42) for security.

The ratings are not necessarily a way to detect whether a software component is dangerous but a way to automate the approval and intake process for the proposed use of open source components, speeding up decision-making, Thomas says.

"The benefit is, as a developer, I'm not waiting weeks to work through an open source intake process," he says. "I can quickly get a decision in a subset — and, hopefully, a meaningful subset — of use cases. Either quickly not waste my time going through a long process for a particular component or get green-lit very quickly."

The question that companies should ask when they use metrics is whether those metrics are speeding up decision-making processes, and if not, why not.

"Part of what we need to do is make sure that we are not just measuring for the sake of measuring, but that we're also taking time to measure the measuring stick," Thomas says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Risk, Reputational Scores Enjoy Mixed Success as Security Tools

Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?

European governments wonder if Trump will continue US support of Ukraine and NATO in a conflict with Russia that has partly played out in cyberspace. Fick’s team was instrumental in establishing a process for rapidly delivering cyber-defense aid to Ukraine’s battered government.

“I was in Ukraine right before Christmas, I was in Poland, I was in Estonia, kind of up and down NATO's eastern flank,” he says, adding that he sensed “both a deep desire for the United States to stay engaged and a recognition that European partners are going to need to do their share—which they, by the way, increasingly are doing.”

More broadly, Fick has heard “a strong desire among many allies and partners” for the US to continue going toe to toe with China and Russia in tech and cyber discussions in international bodies like the UN and the Group of 20.

“Without the United States deeply involved, you're going to see the Chinese more deeply involved, you're going to see the Russians more deeply involved,” Fick says. “There's a pretty broad view \[globally\] that the US needs to, for its own interests and for the interests of our allies and partners, stay engaged in multilateral organizations.”

Fick sympathizes with Republicans who consider these multilateral organizations too slow and timid, but he wants Trump’s team to “recognize that the alternative is not diminished influence of these organizations; the alternative is simply that they become playgrounds for our competitors and our adversaries.”

**Celebrating “a Sea Change”**

Looking back on his time as America’s cyber ambassador—which saw him spend a total of more than 200 days traveling the world on nearly 80 trips to visit key US allies and partners—Fick is proud of how his team launched an entirely new bureau inside the State Department, grew it to around 130 employees, and delivered results that he says are transforming digital diplomacy.

One of his biggest accomplishments was the launch of a foreign cyber aid fund that will support programs to deploy security assistance to hack-stricken allies, subsidize new undersea cables, and train foreign diplomats on cyber issues.

The security-assistance project saw an early test in November when Costa Rica faced another major ransomware attack. “We had people on a plane the next morning, Thanksgiving morning, with hands on keyboards alongside Costa Rican partners that night,” Fick says. “That’s amazing. That is a sea change in how we do this, and it’s going to strengthen our hand in providing support to these middle-ground states.”

Fick has also focused on preparing the Foreign Service for the modern world, meeting his goal of training at least one tech-savvy diplomat for every foreign embassy (around 237 total) and successfully lobbying to add digital fluency to the State Department’s criteria for career ambassador positions. He has also helped State counterbalance the Pentagon in White House discussions about foreign tech issues—putting “American diplomacy literally back at the table in the Situation Room on technology topics.”

And then there’s his team’s support for US cyber aid to Ukraine, from security software to satellite communications to cloud migration for vital government data—work that he says offers a template for future public-private foreign-aid partnerships.

**One Final Warning**

Fick has shared his thoughts about China, 5G, AI, deterrence, and other cyber issues with Trump’s transition team, and he says there’s still more to do to keep cyber diplomacy “front and center” at State. But as he prepares to leave government, he has one major piece of advice for the incoming administration.

“It is essential to have a bias for action,” he says. “We end up admiring a problem for too long rather than taking a decisive step to address it … That decisive step may be imperfect, but indecision is a decision, and the world moves on without you.”

Put another way: In an era of rapidly evolving technologies and intensifying geopolitical competition, massive bureaucracies like the State Department sometimes need to be jolted into action.

“The job of the leaders in these big organizations,” Fick says, “is to move the org to change a little bit faster than it would on its own.”

Biden's Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep…

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep up, businesses need to understand that while complex regulations may sound difficult to deal with; cybersecurity threats are the real danger to their credibility and success. Here are six strategies that showcase how the change in financial technology impacts expansion and security.

**1\. **Using Data Analytics for Smarter Security and Personalization****

Fintech companies have access to a treasure trove of user data, making data analytics a key to both innovation and security. Predictive analytics can detect fraud in real time by spotting unusual transaction patterns, while personalization algorithms offer customized financial solutions to users.

Take PayPal, for instance, which uses machine learning to track fraud attempts while ensuring seamless user experiences. By investing in platforms like Tableau or Splunk, companies can not only improve data-driven decisions but also strengthen their cybersecurity protection.

**2\. **Optimizing Customer Journeys Through AI and Automation****

Customer retention in fintech depends on efficient, user-friendly platforms. AI-driven Client Lifecycle Management (CLM) tools not only enhance customer experience but also fortify compliance with data protection laws like GDPR.

For example, automated KYC (Know Your Customer) processes can validate user identities within minutes, reducing conflict while maintaining security. Companies that leverage AI to simplify operations position themselves as leaders in convenience and trust, two critical factors in the digital financial world.

**3\. **Expanding Beyond Payments: Diversification in Fintech Offerings****

Successful fintech companies are moving beyond basic services like payments and lending to offer a wider range of products. Digital wallets, cryptocurrency trading, BNPL (Buy Now, Pay Later) options, and even ESG (Environmental, Social, and Governance)-focused investment tools are becoming standard offerings.

For instance, Square (now Block) transitioned from payment processing to include cash apps, crypto wallets, and merchant solutions. This diversification not only strengthens market positioning but also hedges against disruptions in individual sectors.

**4\. **Automating Security Protocols to Counter Cyber Threats****

While cybersecurity threats grow more sophisticated, automation in fintech security has become a necessity. Tools like automated anomaly detection, real-time threat intelligence, and AI-driven incident response systems ensure swift responses to breaches.

Take Stripe, which integrates advanced monitoring tools to detect and neutralize suspicious activity before it escalates. Automation in security protocols not only protects sensitive financial data but also boosts consumer confidence in the platform.

**5\. **Sustainability in Fintech: Balancing Growth with Responsibility****

The fintech sector is embracing sustainability through green technologies and ethical financial practices. Blockchain-based carbon credit platforms, eco-friendly payment cards, and renewable energy-backed investments are paving the way for a greener future.

Consider Mastercard’s sustainable card program, which uses biodegradable materials and supports reforestation initiatives. By integrating eco-conscious elements, fintech companies are appealing to the growing demographic of socially responsible consumers and investors.

**6\. **Risk Management with Predictive Technologies****

Managing risk (risk management) is critical in fintech, where markets and regulations can change overnight. Predictive technologies like machine learning are revolutionizing risk management by identifying vulnerabilities before they become liabilities.

For example, Robinhood employs real-time analytics to manage liquidity risks and safeguard user assets during volatile market conditions. This approach not only ensures operational stability but also reinforces trust in the brand.

The worlds of technology and finance are changing like never before, with advancements in AI, blockchain, and sustainable solutions building the future of fintech. By using data-driven security, improving operations through automation, and focusing on sustainable practices, companies can remain competitive. For fintech firms, the message is clear: innovate, adapt, and protect your operations, or risk falling behind.

1.  **Cybersecurity, Big Data and Automation Tools**
2.  **Top 9 Compliance Automation Software in 2024**
3.  **Fortifying FinTech: Building Resilient APIs for Security**
4.  **Digital Transformation in Financial Industry: The Role of Fintech**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/Featured Image via Marvin Meyer/Unsplash

6 Strategic Innovations Transforming the Fintech Industry

Seven system recovery programs contained what amounted to a backdoor for injecting any untrusted file into the system startup process.

Source: Ognyan Yosifov via Alamy Stock Photo

A vulnerability in trusted system recovery programs could allow privileged attackers to inject malware directly into the system startup process in Unified Extensible Firmware Interface (UEFI) devices.

Seven real-time recovery products — Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King — all make use of "reloader.efi," the Microsoft-signed Extensible Firmware Interface (EFI) file at issue.

The problem, ESET explains in a new report, is that reloader.efi uses a custom loader that enables the application to load even unsigned binaries during the boot process. In essence, it's a backdoor for sneaking any kind of file into a system's startup, past UEFI Secure Boot. The issue has been assigned CVE-2024-7344, and earned a "medium" 6.5 Common Vulnerability Scoring System (CVSS) rating, as it requires administrator privileges to exploit.

**Backdoor to the UEFI Boot Process**

The standard way to load, prepare, and execute UEFI images in system memory is with the autological LoadImage and StartImage functions. The Microsoft-approved "reloader" application goes its own way, using a custom mechanism that allows it to load any binary, trusted or otherwise, at startup.

"Maybe it's a lack of secure coding awareness," Martin Smolár, malware researcher at ESET, guesses of the developers' motives in implementing the custom loader. "Or maybe it's because they found it convenient to create such a functionality. Because when a developer makes a change \[to a signed program\] they need to send it to Microsoft to get it re-signed. This means that they don't need to every time they create a new update or something like that."

Reloader.efi loads arbitrary binaries from a specific, encrypted file, "cloak.dat." When ESET decrypted cloak.dat, it found that it contained an unsigned executable primarily designed for classroom environments. "Its core function is to provide real-time system recovery, ensuring that students from different classes can work in a teacher-predefined computer environment within shared computer labs," Smolár says, though he adds that the same component might be used in other settings, like public Internet cafes. The larger point is that the unsigned executable is run during the startup process, completely bypassing UEFI Secure Boot checks.

This odd classroom recovery software is perfectly honest, but an attacker could easily swap it out for something worse. If they could just get a hold of administrator privileges on a targeted machine, an attacker could access the EFI system partition (ESP) and substitute their own malicious file in place of cloak.dat. Then all they'd need is a quick system reboot to drop any malicious file they wished into the startup process.

**Why UEFI Bugs Are So Bad**

UEFI is a kind of sacred space — a bridge between firmware and operating system, allowing a machine to boot up in the first place.

Any malware that invades this space will earn a dogged persistence through reboots, by reserving its own spot in the startup process. Security programs have a harder time detecting malware at such a low level of the system. Even more importantly, by loading first, UEFI malware will simply have a head start over those security checks that it aims to avoid. Malware authors take advantage of this order of operations by designing UEFI bootkits that can hook into security protocols, and undermine critical security mechanisms like UEFI Secure Boot or HVCI (Hypervisor-Protected Code Integrity), Windows' technology for blocking unsigned code in the kernel.

To ensure that none of this can happen, the UEFI Boot Manager verifies every boot application binary against two lists: "db," which includes all signed and trusted programs, and "dbx," including all forbidden programs. But when a vulnerable binary is signed by Microsoft, the matter is moot.

Microsoft maintains a list of requirements for signing UEFI binaries, but the process is a bit obscure, Smolár says. "I don't know if it involves only running through this list of requirements, or if there are some other activities involved, like manual binary reviews where they look for not necessarily malicious, but insecure behavior," he says.

Microsoft has previously alluded to UEFI binaries being "approved through manual review." In response to an inquiry from Dark Reading, a Microsoft spokesperson provided the following clarification:

"Our process is designed to meet the evolving standard for analysis of third-party binary code, while ensuring effective scalability across our vast ecosystem. It begins with vetting and analysis with the partner, understanding the components they are requesting to be signed, and aspects of the design and functionality that may require additional security measures. Submissions are run through automated security analysis and are manually reviewed through a rigorous process. As a result, we may require additional security reviews, investigations with the submitting partner, or other mitigations. We remain committed to evolving our vetting process to better the security of our ecosystem as we operate within this ever-changing threat landscape."

ESET first discovered CVE-2024-7344 in July 2024. Since then, all vulnerable applications have been fixed, and Microsoft revoked the old, vulnerable binaries in its Jan. 14, 2025, Patch Tuesday update.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Trusted Apps Sneak a Bug Into the UEFI Boot Process

The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

The FBI says it has removed PlugX malware from thousands of infected computers worldwide.

The move came after suspicion that cybercriminals groups under control of the People’s Republic of China (PRC) used a version of PlugX malware to control, and steal information from victims’ computers.

PlugX has been around since at least 2008 but is under constant development. With the remote access it provides criminals, it is often used to spy on users and plant additional malware on interesting systems.

Among others, the PlugX Remote Access Trojan (RAT) was used in a lasting campaign uncovered last year in which a Chinese group known as “Velvet Ant” used compromised F5 BIG-IP appliances to gain access to networks, managing to stay hidden for years.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented:

> “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.”

After researchers found out that thousands of infected machines reported to one specific IP address, they managed to seize control over the IP address that served as a Command & Control (C2) server.

In close cooperation with the French authorities, the FBI and Justice Department used this IP address to “sinkhole” the botnet. Sinkholing in this context means that the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole.

With control of the sinkhole, a specially configured DNS server can simply route the requests of the bots to a fake C2 server. This provides the controller of the sinkhole with valuable information about the affected systems and an opportunity to send commands to delete the PlugX version from the connecting devices.

FBI special agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office said:

> “The FBI worked to identify thousands of infected US computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”

The FBI says it is notifying those who had the malware deleted from their computers via their internet service providers (ISPs).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 PlugX malware deleted from thousands of systems by FBI 

Evidence suggests that some of the payloads and extensions may date as far back as April 2023.

Source: VS148 via Shutterstock

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns to target multiple extension developers to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023.

"Currently we know about two different campaigns that have been targeting different objectives," says Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider. Extension Total researchers have uncovered several malicious extensions over the past several weeks and have been looking at how they relate to each other.

**A Tale of Two Campaigns**

One campaign created extensions that steal cookies, session tokens, and possibly passwords, and targeted Facebook and OpenAI accounts, Assaraf says. The campaign relied on phishing to target extension developers and a malicious OAUTH application to take over Google Chrome Web Store accounts. Cyberhaven was one of the victims of this campaign.

There is some disagreement among experts over when the first malicious extension associated with this campaign appeared. Assaraf points to the Chrome extension "GPT 4 Summary with OpenAI," which was added to the Google Chrome Web Store in August. John Tuckner, founder of browser-extension management service Secure Annex, believes the "AI Assistant – ChatGPT and Gemini for Chrome" extension, which was uploaded to the Chrome Web Store in May, was the first extension used by this campaign.

"As far as I can tell, that is the first example of this type of code being used, but some of the related domain registrations go back to around Sept. 25, 2023, so this could have been planned for a while," Tuckner says.

Both extensions are no longer on the Chrome Web Store.

Regardless of when this campaign began, the impact has been widespread. Researchers have found 22 extensions related to it so far, affecting 1.46 million users, Assaraf says. Some of these have been removed completely from the Chrome Web Store, and others have been updated to a "safe" version.

The second campaign is aimed at tracking user activity, telemetry, and sites visited, "probably with intention to sell this data," Assaraf says. Its earliest appearance was in April 2023, and researchers have identified 15 extensions thus far as belonging to this campaign.

A Google spokesperson says the company has shut down malicious Chrome Web Store accounts identified as part of this investigation and continues to investigate reports from Extension Total regarding extensions still available in the store.

It's unclear at this time whether one attacker is behind both campaigns, though there is evidence — shared JavaScript payloads injected into unauthorized updates between August 2024 and December 2024 — suggesting "a synchronized campaign," says Bugcrowd founder Casey John Ellis.

"This also suggests centralized control over the hijacked developer accounts and a common threat actor," he says.

At this point, both campaigns appear to be contained; no additional extensions have been discovered, according to Assaraf.

**Extensions as Low-Hanging Fruit for Attackers**

Cyberhaven's internal security team was able to respond to the breach quickly, which helped expose the breadth of the extension poisoning. Many of the affected extensions are hobbyist projects, which means they likely do not have the tools or security support to be regularly monitoring for malware.

Therein lies the dilemma for detecting malicious Chrome extensions in the wild, experts say. It also explains why ensuring that extensions used within a corporate browser are safe is such a tricky scenario for organizations to navigate. While some are managed by companies with dedicated teams to ensure the extensions remain clean, many are maintained by private individuals and, thus, don't have this kind of oversight.

That complicates security within a corporate environment because browsers, like Chrome, grant extensions broad permissions, including access to sensitive user data, cookies, and even the ability to capture credentials and sessions, according to Matt Johansen, security researcher at Vulnerable U.

"Extensions still operate with a significant degree of trust, and once compromised, they can access everything a user can," Johansen says. "They also have less scrutiny to install than traditional desktop software, even in enterprises."

Because of their ability to compromise so many users and have access to so much information by poisoning a browser extension, it's a no-brainer for attackers.

"Controlling an extension gives an adversary a powerful vantage point for all browser activities," concurs Lionel Litty, chief security architect at Menlo Security.

Indeed, poisoning a Chrome extension is "actually a very convenient way for attackers to spread malicious code," Assaraf adds. "You only need to fool one person, one developer, and you get access to hundreds of thousands of machines," he says.

People often forget they've installed browser extensions, yet they continue to run in the background and update automatically, giving attackers wide access to sensitive data, he adds.

**Closing the Browser Security Gap**

Given their reach, why, then, are browsers and their extensions given such little thought when it comes to an organization's security posture? It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries — though that could now change, notes Secure Annex's Tuckner.

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that "drive core business value" and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.

"Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with," he says. "Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Extension Poisoning Campaign Highlights Gaps in Browser Security

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#mac