Managing third-party risk in the SaaS era demands a proactive, data-driven approach beyond checkbox compliance.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTRY

In June 2023, the MOVEit supply chain attack served as a harsh reminder of the vulnerabilities in our software-as-a-service (SaaS) ecosystem. Third-party risk management (TPRM) in today's world of SaaS applications is no longer just about ticking boxes on a checklist. The old methods, with their static questionnaires and outdated ISO 27001 and System and Organization Controls (SOC) — SOC 1, SOC 2, and SOC 3 — reports are simply not efficient anymore. With cyber threats, such as supply chain attacks and third-party integration exploits, becoming more sophisticated, organizations need a dynamic approach to managing SaaS vendors. Embracing automation, real-time visibility, and targeted assessments are crucial steps to stay ahead of potential risks.

Let's explore how organizations that rely heavily on SaaS apps can evolve their TPRM strategies to face modern security challenges head-on.

**The Growing Complexity of SaaS Oversight**

SaaS adoption is growing rapidly, bringing organizations convenience and flexibility. According to B2BSaaS estimates, the SaaS market was valued at $273.5 billion in 2023 and is expected to grow to $1.2 trillion by 2032. However, this growth also comes with an expanded attack surface and more complex data flows. For organizations handling sensitive customer data and navigating strict regulations, these challenges are critical.

Two trends amplify these challenges:

*   Explosion of SaaS apps: Companies use hundreds of SaaS and cloud apps, many introduced without official approval, complicating security oversight. Shadow IT often results in blind spots, making it harder to assess overall security.
    
*   Evolving threat landscape: Attackers increasingly target third-party vendors. Generative AI (GenAI) has further complicated the landscape, enabling attackers to enhance tactics and exploit integration points, misconfigured cloud services, and stolen credentials. The Okta breach of 2023 demonstrated the potential scale of damage from a supply chain attack.
    

These challenges highlight the inadequacy of relying solely on traditional security questionnaires and annual SOC 2 reports. Continuous visibility into vendors' security practices is essential for effective risk management.

**The Problem With Traditional Third-Party Risk Reviews**

Traditional risk reviews involve substantial manual effort and fall short in addressing modern threats:

*   Inefficient manual processes: Manually sending, tracking, and analyzing vendor questionnaires consumes excessive time and energy and delays the resolution of security issues.
    
*   Superficial questions: Generic Yes/No queries (e.g., "Do your developers follow secure coding practices?") fail to assess the effectiveness of vendors' security measures. More specific questions, tied to real-world scenarios, often yield actionable insights.
    
*   Outdated reports: Reports like ISO 27001 and SOC 2 quickly become obsolete in evolving SaaS environments. The emergence of GenAI has further accelerated the pace of change, necessitating updated, dynamic assessments.
    

**Evolving TPRM to Handle Modern SaaS Challenges**

To tackle these issues, organizations must adopt agile, data-centric approaches to vendor security:

1.  Embrace real-time assurance through trust centers. SOC 2 reports are a starting point, but critical vendors should offer ongoing visibility through automated trust centers. Tools like Sprinto, Drata, and Vento provide real-time insights into security controls and compliance, enabling proactive decisions.
    

1.  Make questionnaires smarter. Replace generic questionnaires with tailored assessments that probe deeper. Focus on how controls are implemented and monitored. For example, shift from "Do you secure ABC?" to "How do you secure ABC, and how do you verify its effectiveness?" Questions that examine metrics and outcomes help uncover the true state of security.
    
2.  Address talent gaps and boost technical expertise. Invest in developing skills in cloud security, SaaS configuration, and API management. Training internal teams or partnering with specialized vendors can bridge expertise gaps. The SolarWinds breach of 2020 underscores the need for visibility into supply chain vulnerabilities. Workshops and certifications can enhance team capabilities, keeping them informed of evolving risks.
    
3.  Include shadow IT and "free" tools. Review unpaid apps, open source tools, and browser extensions — often overlooked but risky. Shadow IT tools, while offering productivity, introduce unknown risks. Assessing these apps before they integrate into workflows reduces unexpected exposure. Include them in audits to ensure they meet baseline security standards.
    
4.  Use modern tools, not spreadsheets. Transition from spreadsheets to SaaS security posture management (SSPM) tools, which monitor misconfigurations, excessive permissions, and suspicious activities. AI-powered tools can further analyze vendor responses and highlight inconsistencies. Leveraging these tools saves time and enhances accuracy.
    

**What Can You Do When Revamping Your TPRM Strategy**

Evolving TPRM processes isn't easy. Avoid common pitfalls:

*   Avoid risky inaction: Delaying updates to vendor management increases exposure. Start with small, impactful improvements and scale gradually.
    
*   Avoid overcommitting resources: Implement changes incrementally, prioritizing high-impact areas. This ensures resource efficiency without overwhelming teams.
    
*   Set realistic expectations for AI: Leverage AI where it adds value while recognizing its limitations. AI tools should complement, not replace, human oversight.
    
*   Ensure team alignment: Align team skills with new vendor security goals. Equip teams to manage technical assessments effectively. Feedback loops can ensure continuous improvement and alignment with organizational objectives.
    

**What We Can Take From This**

Managing third-party risk in the SaaS era demands a proactive, data-driven approach. Organizations must go beyond checkbox compliance by leveraging real-time assurance, tailored assessments, and automation. Modernizing TPRM is essential to address the complexities of SaaS security.

While challenging, particularly for smaller organizations, the benefits of preventing breaches and protecting reputations outweigh the costs. Organizations can manage expenses effectively by prioritizing critical vendors and adopting phased changes while enhancing third-party risk management. The commitment to proactive strategies ensures resilience against an ever-evolving threat landscape.

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

The Old Ways of Vendor Risk Management Are No Longer Good Enough

Atomwaffen Division cofounder and alleged Terrorgram Collective member Brandon Russell is facing a potential 20-year sentence for an alleged plot on a Baltimore electrical station. His case is only the beginning.

Brandon Russell, arguably one of the most influential figures in the American neofascist revival of the past decade, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war.

The 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization that was responsible for five homicides and a number of bomb plots before the FBI dismantled it in 2020, Russell was arrested by federal agents in February 2023 along with his girlfriend, Sarah Clendaniel. If convicted of his charges of conspiring to destroy an energy facility, Russell could face 20 years behind bars thanks to a prior conviction and the potential penalty for his current charges.

Russell’s case represents one of the last gasps of the Biden administration’s hard-charging approach to tackling violent far-right extremism that is all but guaranteed to change during US president Donald Trump’s second term in office. It also offers a unique look inside federal law enforcement’s investigation into an insidious accelerationist propaganda network that mixes neo-Nazi ideology with nihilist, Columbine-style violence to inspire mass casualty events in the United States and beyond.

Russell allegedly hatched the plot to black out Baltimore while, according to prosecutors, participating in a noxious, prolific propaganda network hellbent on fomenting violence and chaos. The Terrorgram Collective, which took its name following a massive influx of neo-Nazis to Telegram at the end of the last decade, ran several channels on the messaging​​ app and developed a series of “how-to” domestic terrorism manuals that sought to inspire disaffected young men and women into committing mass casualty events. Terrorgram is currently designated a “tier one” extremism threat by the US Department of Justice.

To date, Terrorgram has released four publications—a blend of ideological motivation, mass-murder worship, neofascist indoctrination, and how-to manuals for chemical weapons attacks, infrastructure sabotage, and ethnic cleansing. Court records indicate there are at least three unreleased Terrorgram Collective compendiums, including “The Saint Encyclopedia” of the far-right mass killers they venerate, including Anders Breivik, Brenton Tarrant, and Timothy McVeigh; and “The List,” a collection of politicians, government officials, business leaders, journalists, activists, and other people deemed legitimate assassination targets.

The screeds appear to have directly inspired a series of ideologically motivated attacks around the world, including a 2022 mass shooting at an LGBTQ bar in Bratislava, Slovakia, successful attacks on power infrastructure in North Carolina and similar failed plots in Baltimore and New Jersey, and a stabbing spree in the Turkish city of Eskisehir. There are currently more than a dozen separate federal prosecutions around the United States that involve people alleged to be core Terrorgram Collective members or individuals allegedly inspired toward violent attacks on infrastructure or civilians.

In one of the Biden administration’s last policy moves against right-wing extremism, on January 13, the State Department formally classified the Terrorgram Collective as a Foreign Terrorist Organization, a listing usually reserved for militant groups that hold territory and have a formal real-world paramilitary structure as opposed to a loose propaganda network that seeks to inspire mass casualty events. While it is not unique—the British Home Office formally proscribed Terrorgram as an extremist organization last May, and Russell’s Atomwaffen Division was banned by the UK, Australia, and Canada—it is likely to be the last such action taken toward neo-Nazi groups by the United States government for the foreseeable future.

The Trump administration appears to be engaged in a wholesale shift away from violent far-right extremism, best illustrated by the unprecedented pardons given to more than 1,500 individuals charged or convicted of crimes during the failed insurrection of January 6, 2021, as well as the reassignment of senior Justice Department attorneys in the National Security Division.

In a set of pretrial hearings and motions over the limits of evidence in Russell’s trial, federal prosecutors convinced US District Court judge James K. Bredar to allow in evidence of Russell’s deep neo-Nazi indoctrination, including background about his founding role in the Atomwaffen Division. Russell’s alleged involvement in the Terrorgram Collective is bolstered by a pendant allegedly recovered by FBI agents in a search of his home after his February 2023 arrest: The necklace is made of swastika-bearing beads that contains a larger golden swastika pendant with “Terrorgram” inscribed along the side.

The court is taking extra precautions as the US attempts to convict Russell. Journalists’ use of phones and laptops in the courtroom is forbidden, and the judge granted some witnesses permission to testify anonymously over fears of retaliation by Russell's compatriots, some of whom have indicated in Terrorgram chats cited in court filings that they have sought to identify informants and agents involved in their cases. Clendaniel, Russell’s girlfriend, pleaded guilty in May and was later sentenced to 18 years in federal prison. It is unclear whether she will be one of the witnesses testifying against Russell.

The prosecution of Russell also offers insight to how American law enforcement and intelligence agencies collaborate with their foreign counterparts to combat the transnational far-right milieu that spawned the Terrorgram Collective.

In an unusual alliance over the past two years, lawyers from the American Civil Liberties Union’s National Security Project weighed in on Russell’s behalf during pretrial motions in an effort to reveal evidence of warrantless surveillance of the fascist figurehead by either the National Security Agency or its counterparts. Although Judge Bredar ultimately denied the ACLU’s efforts on the grounds that the material was classified, the government’s response spoke volumes about the intelligence community’s role in surveilling Russell. American intelligence documents reviewed by WIRED show the Five Eyes alliance of American, Canadian, British, Australian and New Zealander intelligence agencies were keeping tabs on the Terrorgram Collective as far back as 2021.

The presence of Terrorgram Collective members in Croatia, Denmark, Slovakia, South Africa, Canada, and elsewhere overseas, coupled with the State Department’s designation of the propaganda network as a foreign terrorist organization, also point to additional reasons the group would be subjected to the highest level of official surveillance.

Russell was on court supervision when he was picked up for the Baltimore plot nearly two years ago. In 2018, he was convicted on federal charges for possession of homemade hexamethylene triperoxide diamine, a highly unstable compound. He served a little over three years in prison and was released in August 2021. Russell’s arrest, in 2017, on illegal explosives charges, stemmed from a macabre internecine squabble within the Atomwaffen Division and a double homicide at the Tampa, Florida, apartment Russell shared with three other extremist comrades.

_Updated 7:35 am EST, January 29, 2025: Corrected the maximum sentence Russell could receive if convicted._

The Trial at the Tip of the Terrorgram Iceberg

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via…

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via .tgz attachments. All by leveraging PureCrypter and TOR network for stealthy C2.

A malicious campaign, discovered by Cisco Talos in July 2024, targeted users primarily in Poland and Germany through phishing emails containing malicious attachments disguised as.tgz files. These emails impersonate financial institutions and businesses, often with themes like money transfer confirmations or order receipts. They are primarily written in Polish and German and contain compressed.tgz files.

According to Cisco Talos’ research, shared with Hackread.com ahead of its publishing on Tuesday 28, the actor has deployed other payloads as well, including “Agent Tesla, Snake Keylogger and a new undocumented backdoor, which researchers dubbed TorNet. 

Phishing email in Polish and German language (Via: Cisco Talos)

When a user extracts an attachment from a file, a.NET executable file appears, which downloads the next stage of the attack, the PureCrypter malware, from a remote server or within the loader itself (decrypted using the AES algorithm and loaded into the targeted device’s memory). 

The PureCrypter malware is a Windows dynamic-link library obfuscated with Eziriz’s.NET Reactor obfuscator. It contains encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL, and the TorNet backdoor.

PureCrypter employs various evasion techniques, including disconnecting the victim’s machine from the network before dropping payloads, checking for a virtual machine, sandbox environment, or debugger status, and modifying Windows Defender settings. It ensures persistence by creating a scheduled task that runs every few minutes, even on low battery, and adding entries to the Windows registry to ensure the loader runs on startup. 

Moreover, it drops the TorNet backdoor, which is a relatively new .NET backdoor used in this attack to connect to a C2 server over the TOR network for stealthy communication. It anonymizes the communication with the C2 server, making detection harder. After establishing a connection, it sends identifying information and allows attackers to carry out remote code execution by sending arbitrary.NET assemblies to the C2 server, hence, expanding the attack surface substantially.

Attack flow (Via Cisco Talos)

The campaign uses advanced techniques like network disconnections, Tor network exploitation, and multi-stage payloads. The use of the Tor network further hinders tracking/disruption. This campaign highlights the need for continuous caution and network monitoring to address attackers’ growing threat tactics.

1.  **New WarmCookie Malware in Espionage Campaign**
2.  **23% of Tor browser relays found to be stealing Bitcoin**
3.  **Kronos Variant banking trojan spotted using Tor network**
4.  **Fake Tor Browser Installer Spreading Malware Via YouTube**
5.  **BlackByte Ransomware Exploits VMware Flaw in VPN Attacks**

New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack

Globally, security researchers and whistleblowers face increasingly hostile laws and judiciaries that are ready to levy fines and prison sentences.

Source: bestfoto77 via Shutterstock

While disclosure of software vulnerabilities and data breaches has become more accepted over the past three decades, researchers and whistleblowers continue to risk lawsuits and criminal charges depending on the country in which they live.

In April 2022, for example, police in Istanbul arrested independent Turkish journalist İbrahim Haskoloğlu after he revealed details of a breach of government data in Turkey. The country's ruling party has since proposed a law to make the false reporting of a data breach a crime punishable by two to five years in prison — a law that critics say will prevent disclosure of real data breaches.

And in the island nation of Malta, three computer-science students and their lecturer at the University of Malta will be charged in March, two years after they found vulnerabilities in scheduling service FreeHour and notified the company. FreeHour claimed the disclosure appeared to be a ransom demand and reported the students to the police — although, since then the firm has criticized the nation's lack of clear exemptions for researchers.

The students continue to face charges, however.

"I hope that at the end of this case, it results in a better climate for cybersecurity, but I'm genuinely exhausted from this whole situation," Michael Debono, one of the students, stated in a post on Facebook. "It's crazy that I've had to spend almost two years now dealing with the fallout of an incident that should have been resolved over a table in a day with FreeHour and the police."

Turkey and Malta are not the only countries to crack down people who report data breaches and software vulnerabilities. In Poland, a train manufacturer threatened to sue three ethical hackers who circumvented a kill code that the cybersecurity professionals claim disabled trains that had been parked in a third-party repair facility. In China, vulnerability researchers who do not first report software issues to the government risk prison time.

Even in the US, where vulnerability-disclosure issues have been debated for decades, companies and government agencies still occasionally resort to legal attacks rather than civil engagement. In September 2024, the city government of Columbus, Ohio, filed a lawsuit against whistleblower David L. Ross after he disputed the significance of a data breach, claiming that Ross colluded with the ransomware gang behind the breach. Two months later, the city settled the lawsuit.

**Defensive Driving and Disclosure**

Worldwide, vulnerability researchers need to take care when disclosing software security issues. Erring on the side of safety, like defensive driving, should be the default for cybersecurity researchers and whistleblowers, says Trey Ford, chief information security officer at San Francisco-based Bugcrowd, who connects its stable of independent penetration testers with clients.

The October 2022 email that resulted in three students and their lecturer facing charges. Source: Lecturer Luke Collins' site

In the best case, researchers should obtain permission from the targeted organization to conduct research and disclose findings, he says.

"The reality now is: If you see something, and you're not absolutely sure — and don't have receipts and proof — maybe don't say anything, or you risk going to jail," Ford says, pointing out that defensive or vindictive organizations can cause trouble. Any risk can be "further amplified by the misaligned incentives of companies that would prefer not to address an issue. These companies have the power to almost completely silence the reporter."

In addition, working with the organization rather than immediately adopting an adversarial approach can help minimize potential misinformation about what constitutes a breach or vulnerability, says Ilona Cohen, chief legal and policy officer at HackerOne, a hacking-services platform.

Researchers should also always be cognizant of local law, she says.

"Whether a data breach has occurred or a vulnerability is present are not always clear-cut," Cohen says. "It’s not uncommon for countries to have laws against fraudulent misrepresentation, but lawmakers must take care not to target individuals that do not intend to deceive or to cause harm."

**Benign Intent or Hostile Actions**

So far, the researchers and whistleblowers are paying the price of the lack of clarity. Turkish journalist Haskoloğlu, for example, claimed he notified the Turkish government two months before his disclosure, after being contacted by the hackers that the data had been stolen. Last month, he announced he would leave Turkey following escalating death threats.

In December, Newag — the train manufacturer in Poland that allegedly bricked trains not repaired in its workshops — filed a lawsuit against the three hackers who discovered and publicized their workaround for the kill code. While the European Union adopted a right-to-repair law for consumer goods in 2024, it's unclear whether industrial equipment, such as trains and machinery, are covered.

The incidents highlight that organizations are aiming to silence researchers, rather than engage publicly with them, says Dustin Childs, the head of threat awareness and the Zero Day Initiative at Trend Micro, which maintains a third-party bug bounty program.

"It’s a disturbing trend I hope reverses soon," he says. "We need to offer safe harbor to researchers who are willing to report vulnerabilities in a coordinated manner. Unfortunately, this trend is unlikely to change without either litigation or legislation."

Globally, however, legislation appears to be moving in a different direction. In August 2024, the UN General Assembly adopted the Convention Against Cybercrime, which makes it a crime to "access ... an information or communications technology (ICT) system without right" or to intercept data or communications. Digital-rights groups worry that the treaty will lead to more laws that penalize legitimate security research.

While Turkey appears to be the first country since August to pass a more strict cybercrime statue, tougher regulations seem increasingly likely, Childs says.

"Overall, we are currently in a climate where governments favor businesses over individual researchers," he says. "It would not surprise me to see similar measures in other countries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Reporting a Breach or Vuln? Be Sure Your Lawyer's on Call

McAfee Labs uncovers malicious GitHub repositories distributing Lumma Stealer malware disguised as game hacks and cracked software. Learn…

McAfee Labs uncovers malicious GitHub repositories distributing Lumma Stealer malware disguised as game hacks and cracked software. Learn how to protect yourself.

McAfee Labs, the threat research arm of cybersecurity giant McAfee, has recently uncovered a disturbing trend: the exploitation of popular platforms like GitHub to distribute malware. Their research reveals a network of malicious repositories offering seemingly legitimate content such as game hacks, cracked software, and free cryptocurrency tools, all designed to lure unsuspecting users into downloading and executing harmful code.

These repositories, often disguised with professional-looking features like distribution licenses and screenshots, leverage the trust and accessibility of GitHub to deceive users. Attackers strategically target individuals seeking an edge in popular games like Minecraft, Roblox, and Call of Duty, or those looking for free access to premium software like Spotify and Adobe Express.

Attack vector (Via McAfee)

The Lumma Stealer is the primary type of malware being distributed through these repositories. Promises of game hacks, cracked software, or free cryptocurrency tools lure users. Once on the repository, they are instructed to download and execute a file disguised as the promised software.

The downloaded file is typically a variant of the Lumma Stealer malware, which then collects sensitive information, including login credentials, cryptocurrency wallet information, browser history, cookies, and personally identifiable information, and extracts the stolen data to command-and-control servers controlled by the attackers.

“Every week, a new set of repositories with a new malware variant is released, as the older repositories are detected and removed by GitHub. These repositories also include distribution licenses and software screenshots to enhance their appearance of legitimacy,” McAfee’s Aayush Tyagi explained in a blog post.

To further lure users, these repositories often instruct victims to disable their antivirus software, claiming it will interfere with the downloaded program. This crucial step effectively disarms the user’s primary line of defence, allowing the malware to operate undetected and steal sensitive information such as login credentials, cryptocurrency wallet data, and browsing history.

Children and young adults, particularly avid gamers, are prime targets for these attacks. The allure of game hacks, offering advantages like aimbots and speed hacks, and that the package includes an advanced Anti-Ban system to prevent account suspension, are highly appealing, making them more susceptible to falling victim to these deceptive tactics.

Google search shows the malicious GitHub repository and a YouTube video where scammers are using descriptions to spread the repository (Via McAfee)

****McAfee’s Response and Recommendations:****

McAfee Labs is actively mitigating this threat by blocking malicious URLs, detecting and blocking downloaded malware, and providing comprehensive security solutions to protect users. The company recommends enhancing your security posture, such as keeping antivirus and anti-malware software up-to-date and practising cautious online behaviour. Regular system updates with the latest security patches are also crucial.

1.  **Fake League of Legends Download Ads Spread Lumma Stealer**
2.  **Banshee Stealer Hits macOS Users via Fake GitHub Repositories**
3.  **Hackers Use Excel Files to Drop Remcos RAT Variant on Windows**
4.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**
5.  **YouTube Channels Hacked, Drop Lumma Stealer via Cracked Software**

Lumma Stealer Found in Fake Crypto Tools and Game Mods on GitHub

Apple has released a host of security updates for iOS, iPadOS, Mac, Apple Watch, and Apple TV. Update as soon as you can.

Apple has released a host of security updates across many devices, including for a zero-day bug which is being actively exploited in iOS.

Apple said:

> “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.”

Devices affected are those that run:

*   iPhone XS and later
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
*   macOS Sequoia
*   Apple Watch Series 6 and later
*   All models of Apple TV HD and Apple TV 4K

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

**Technical details about the zero-day**

The zero-day vulnerability patched in this update is tracked as CVE-2025-24085. It is described as a use after free (UAF) issue in Apple’s Core Media framework that would allow an attacker to elevate privileges.

The Core Media framework handles multimedia applications like photos, videos, and real-time communication applications. UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, successful exploitation could provide a malicious app with privileges on the affected device that it shouldn’t have.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple users: Update your devices now to patch zero-day vulnerability 

View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: B&R
Equipment: Automation Runtime
Vulnerability: Use of a Broken or Risky Cryptographic Algorithm
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to masquerade as legitimate services on impacted devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
B&R reports that the following products are affected:
B&R Automation Runtime: versions prior to 6.1
B&R mapp View: versions prior to 6.1
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327
A "Use of a Broken or Risky Cryptographic Algorithm" vulnerability in the SSL/TLS component used in B&R Automation Runtime versions <6.1 and B&R mapp View versions <6.1 may be abused by unauthenticated network-based attackers to masquerade as legitimate services on impacted devices.
CVE-2024-8603 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Austria
3.4 RESEARCHER
ABB PSIRT reported this vulnerability to CISA.
4. MITIGATIONS
B&R has identified the following specific workarounds and mitigations users can apply to reduce risk:
All affected products: The problem is corrected in the following product versions: B&R Automation Runtime version 6.1 and B&R mapp View 6.1. B&R recommends that customers apply the update at their earliest convenience if B&R Automation Runtime or B&R mapp View is used to generate self-signed certificates on production machines.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
January 28, 2025: Initial Publication

B&R Automation Runtime

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

New TorNet backdoor seen in widespread campaign

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild.
The vulnerability, tracked as CVE-2025-24085, has been described as a use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges.
"Apple is

Apple Patches Actively Exploited Zero-Day Affecting iPhones, Macs, and More

The Apple iOS 18.3 update fixes 28 other vulnerabilities identified by the tech company, though there is little information on them.

Source: Shahid Jamil via Alamy Stock Photo

NEWS BRIEF

In its latest security update for users, Apple has released a patch for a zero-day vulnerability tracked as CVE-2025-24085 (no CVSS score assigned yet).

The vulnerability, not yet added to the National Vulnerability Database (NVD), can be found in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. As a privileged escalation security flaw, it is located in Apple's Core Media framework. The bug is being actively exploited in the wild.

The Core Media framework, according to Apple, is "the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms." It allows users to process media samples as well as manage queues of media data.

This patch comes in the form of iOS 18.3, which fixes 28 other vulnerabilities as well. Apple has yet to divulge many details about any of the issues that have been patched by this update, likely to prevent attackers from exploiting them before users can apply the necessary fix.

Impacted devices from this bug include:

*   Apple Watch Series 6 and later
    

*   Apple TV HD and Apple TV 4K (all models)
    
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    

Though the tech giant has disclosed that "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2," it has not published any details of the attacks nor attributed its discovery to a researcher.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Tag

#mac