The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

Source: Panther Media via Alamy Stock Photo

COMMENTARY

The Middle East is undergoing a digital transformation that is as rapid as it is remarkable. Tech multinationals are investing big in the region as Dubai, Riyadh, and Abu Dhabi strive to establish themselves as global innovation hubs.   

But this increased digitization comes with an increased risk of cyberattacks — and businesses throughout the Middle East are at risk of being caught with their guard down.

The pace of digital growth in countries throughout the Middle East has far outstripped cybersecurity talent in the region, leaving organizations fatally exposed. While some businesses resort to outsourcing their cybersecurity measures to tech giants and their tools, this hands-off approach is risk-prone.

The Middle East now sits squarely in the firing line. With cyberattacks emboldened by AI, robust cybersecurity defenses are more crucial than ever. Businesses must move away from outsourcing and focus on building strong in-house defenses by investing in tool-based approaches and heavily leveraging in-house hiring, upskilling, and talent retention practices.

**Victims of Their Own Success?**

The commercial success of locations like Dubai, Abu Dhabi, and Saudi Arabia has transformed them into potential hotbeds for cybercrime. Distributed denial-of-service (DDoS) attacks on Middle Eastern countries have risen 75% in the past year, with the UAE and Saudi Arabia taking the brunt of the blow. 

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The UAE alone falls victim to around 50,000 cyberattacks a day. And it comes at a cost: in 2023, cyberattacks cost businesses, organizations, and public bodies more than $8 million per incident.

The uptick in cyberattacks is only exacerbated by changing patterns in the cybercrime landscape. The rise of AI has lowered the barrier to entry for would-be hackers, allowing those with even the most novice skills to carry out a full-scale attack. Meanwhile, the proliferation of cybercrime as a service (CaaS), offering services like DDoS-for-hire, means threat actors now need little more than an intention to launch a cyberattack. In this new era of cybercrime, where there's a will, there's a way.

The current cybersecurity skills gap seen throughout the Middle East is leaving companies exposed and vulnerable to bad actors. Over half the companies in the EMEA region have attributed cybersecurity breaches to a lack of skills and training, while 70% of business leaders believe that skills shortages create a whole host of additional cybersecurity risks for companies to address.

**AI Muddles Outsourced Security Equation**

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Too many businesses attempt to remedy this lack of talent by outsourcing their cybersecurity to third parties. While this might have been effective when countries like the US were the main target for threat actors, that's no longer the case.   

The rise of AI-enhanced cyberattacks presents a new host of threats that businesses outsourcing cybersecurity won't necessarily be able to tackle. Not only has AI made it easier for threat actors to carry out cyberattacks, it's also made the attacks themselves more sophisticated and more malicious.

AI-enhanced malware is stealthier, making it harder to detect a breach of IT infrastructure. Automated phishing attacks enable bad actors to target a larger number of potential victims, while the phishing attacks themselves are highly tailored to their targets.

It is crucial that Middle Eastern businesses — particularly those in the UAE and Saudi Arabia — are on top of their cybersecurity measures. They cannot sit back and outsource cybersecurity with the assumption that the risk is also transferred. Instead, they must take an active approach to their cybersecurity measures by building up a strong in-house cybersecurity team that can identify, respond to, and deal with threats in an effective and timely manner. 

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Bringing cybersecurity in-house mitigates the risks that can crop up when relying on outsourced defenses, such as slow response times. Instead, in-house cybersecurity teams will have their fingers on the pulse of the business's security framework, as well as a thorough understanding of business specifics, enabling them to react quickly to threats.

But to achieve this, businesses must invest heavily in new and pre-existing IT talent to close the Middle East's skills gap — and this should be done with a particular focus on hiring and retention practices.

**Retention Is Tough in Smaller Talent Pool**

Over half of organizations globally say they struggle to recruit candidates with cybersecurity experience. Difficulties in hiring cybersecurity talent are compounded by trouble retaining cybersecurity staff, throwing employers into a vicious cycle of hiring and re-hiring. In the Middle East, where the digital economy is still young, this is of particular concern — the talent pool is finite, and companies cannot afford to lose out on promising employees.   

To combat this, corporations in the Middle East should turn their attention to the fresh talent coming out of universities throughout the Middle East and around the world. By forming partnerships with universities and offering attractive graduate schemes, businesses can tap into dense talent pools brimming with promising cybersecurity talent.

Graduates are eager to learn and willing to mold to the company ethos, making them the ideal choice for corporations looking to build up a dedicated in-house cybersecurity team.

Investing in apprenticeship schemes is another option for companies. Although more hands-on, companies will be able to train candidates from the ground up, ensuring the candidate's skills and knowledge are strongly aligned with the business's cybersecurity needs.

**Learning & Development Must Be Fostered**

Retaining this talent is just as crucial as bringing them on board in the first place.  Alongside the usual retention tactics, such as competitive pay packets and desirable benefits, companies must invest heavily in continuous learning and development (L&D) opportunities throughout the employee's career.  

Poor training — or a lack of training altogether — is a surefire way to lose employees. Conversely, 94% of employees say they would stay longer with an employer that invested in L&D. In a fast-changing, continually developing industry like cybersecurity, L&D is especially vital.

Investing in training sessions and development courses for cybersecurity employees will ensure they're kept up to date with any changes in the threat and security landscape. And, in the process, employees will feel as if the company is giving them opportunities to develop their skills and abilities, rounding them out into highly experienced cybersecurity professionals.

Investing in staff as a cybersecurity tactic shouldn't begin and end with cybersecurity staff. Deploying a company-wide cybersecurity upskilling program is a vital first step — and a simple way of ruling out one of the greatest causes behind cybersecurity breaches: human error. Negligence, a lack of awareness, or simple mistakes can lead to vulnerabilities and breaches, even in the most robust systems. Upskilling is a vital step companies must take to mitigate this risk.

With the rising rate of cyberattacks in the Middle East, corporations cannot afford to sit back and wait until they become the next big victim of a data breach or DDoS attack.

Companies can't rely solely on third-party cybersecurity measures — they must build up comprehensive in-house defenses. Businesses need to act now and double their investments in cybersecurity talent, paying particular mind to up-and-coming graduate talent.

**About the Author**

Founder, PG Advisors Ltd.

Partha Gopalakrishnan is a leading business transformation expert with more than 25 years of experience directing global teams to drive digital growth. He also has his own firm, PG Advisors, which offers board advisory and non-executive director services for prominent analysts and PE Firms. 

Partha has served in executive leadership positions with some of the world’s largest technology firms and global systems Integrators, including 17 years with Infosys, followed by a tenure at Tech Mahindra. He has completed executive education programs at the Stanford University Graduate School of Business and The Wharton School of the University of Pennsylvania.

Cybersecurity Lags in Middle East Business Development

AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.

Source: Anggalih Prasetya via Shutterstock

Most industry analysts expect organizations will accelerate efforts to harness generative artificial intelligence (GenAI) and large language models (LLMs) in a variety of use cases over the next year.

Typical examples include customer support, fraud detection, content creation, data analytics, knowledge management, and, increasingly, software development. A recent survey of 1,700 IT professionals conducted by Centient on behalf of OutSystems had 81% of respondents describing their organizations as currently using GenAI to assist with coding and software development. Nearly three-quarters (74%) plan on building 10 or more apps over the next 12 months using AI-powered development approaches.

While such use cases promise to deliver significant efficiency and productivity gains for organizations, they also introduce new privacy, governance, and security risks. Here are six AI-related security issues that industry experts say IT and security leaders should pay attention to in the next 12 months.

**AI Coding Assistants Will Go Mainstream — and So Will Risks**

Use of AI-based coding assistants, such as GitHub Copilot, Amazon CodeWhisperer, and OpenAI Codex, will go from experimental and early adopter status to mainstream, especially among startup organizations. The touted upsides of such tools include improved developer productivity, automation of repetitive tasks, error reduction, and faster development times. However, as with all new technologies, there are some downsides as well. From a security standpoint these include auto-coding responses like vulnerable code, data exposure, and propagation of insecure coding practices.

"While AI-based code assistants undoubtedly offer strong benefits when it comes to auto-complete, code generation, re-use, and making coding more accessible to a non-engineering audience, it is not without risks," says Derek Holt, CEO of Digital.ai. The biggest is the fact that the AI models are only as good as the code they are trained on. Early users saw coding errors, security anti-patterns, and code sprawl while using AI coding assistants for development, Holt says. "Enterprises users will continue to be required to scan for known vulnerabilities with \[Dynamic Application Security Testing, or DAST; and Static Application Security Testing, or SAST\] and harden code against reverse-engineering attempts to ensure negative impacts are limited and productivity gains are driving expect benefits."

**AI to Accelerate Adoption of xOps Practices**

As more organizations work to embed AI capabilities into their software, expect to see DevSecOps, DataOps, and ModelOps — or the practice of managing and monitoring AI models in production — converge into a broader, all-encompassing xOps management approach, Holt says. The push to AI-enabled software is increasingly blurring the lines between traditional declarative apps that follow predefined rules to achieve specific outcomes, and LLMs and GenAI apps that dynamically generate responses based on patterns learned from training data sets, Holt says. The trend will put new pressures on operations, support, and QA teams, and drive adoption of xOps, he notes.

"xOps is an emerging term that outlines the DevOps requirements when creating applications that leverage in-house or open source models trained on enterprise proprietary data," he says. "This new approach recognizes that when delivering mobile or web applications that leverage AI models, there is a requirement to integrate and synchronize traditional DevSecOps processes with that of DataOps, MLOps, and ModelOps into an integrated end-to-end life cycle." Holt perceives this emerging set of best practices will become hyper-critical for companies to ensure quality, secure, and supportable AI-enhanced applications.

**Shadow AI: A Bigger Security Headache**

The easy availability of a wide and rapidly growing range of GenAI tools has fueled unauthorized use of the technologies at many organizations and spawned a new set of challenges for already overburdened security teams. One example is the rapidly proliferating — and often unmanaged — use of AI chatbots among workers for a variety of purposes. The trend has heightened concerns about the inadvertent exposure of sensitive data at many organizations.

Security teams can expect to see a spike in the unsanctioned use of such tools in the coming year, predicts Nicole Carignan, vice president of strategic cyber AI at Darktrace. "We will see an explosion of tools that use AI and generative AI within enterprises and on devices used by employees," leading to a rise in shadow AI, Carignan says. "If unchecked, this raises serious questions and concerns about data loss prevention as well as compliance concerns as new regulations like the EU AI Act start to take effect," she says. Carignan expects that chief information officers (CIOs) and chief information security officers (CISOs) will come under increasing pressure to implement capabilities for detecting, tracking, and rooting out unsanctioned use of AI tools in their environment.

**AI Will Augment, Not Replace, Human Skills**

AI excels at processing massive volumes of threat data and identifying patterns in that data. But for some time at least, it remains at best an augmentation tool that is adept at handling repetitive tasks and enabling automation of basic threat detection functions. The most successful security programs over the next year will continue to be ones that combine AI's processing power with human creativity, according to Stephen Kowski, field CTO at SlashNext Email Security+.

Many organizations will continue to require human expertise to identify and respond to real-world attacks that evolve beyond the historical patterns that AI systems use. Effective threat hunting will continue to depend on human intuition and skills to spot subtle anomalies and connect seemingly unrelated indicators, he says. "The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses."

AI's ability to rapidly analyze large datasets will heighten the need for cybersecurity workers to sharpen their data analytics skills, adds Julian Davies, vice president of advanced services at Bugcrowd. "The ability to interpret AI-generated insights will be essential for detecting anomalies, predicting threats, and enhancing overall security measures." Prompt engineering skills are going to be increasingly useful as well for organizations seeking to derive maximum value from their AI investments, he adds.

**Attackers Will Leverage AI to Exploit Open Source Vulns**

Venky Raju, field CTO at ColorTokens, expects threat actors will leverage AI tools to exploit vulnerabilities and automatically generate exploit code in open source software. "Even closed source software is not immune, as AI-based fuzzing tools can identify vulnerabilities without access to the original source code. Such zero-day attacks are a significant concern for the cybersecurity community," Raju says.

In a report earlier this year, CrowdStrike pointed to AI-enabled ransomware as an example of how attackers are harnessing AI to hone their malicious capabilities. Attackers could also use AI to research targets, identify system vulnerabilities, encrypt data, and easily adapt and modify ransomware to evade endpoint detection and remediation mechanisms.

**Verification, Human Oversight Will Be Critical**

Organizations will continue to find it hard to fully and implicitly trust AI to do the right thing. A recent survey by Qlik of 4,200 C-suite executives and AI decision-makers showed most respondents overwhelmingly favored the use of AI for a variety of uses. At the same time, 37% described their senior managers as lacking trust in AI, with 42% of mid-level managers expressing the same sentiment. Some 21% reported their customers as distrusting AI as well.

"Trust in AI will remain a complex balance of benefits versus risks, as current research shows that eliminating bias and hallucinations may be counterproductive and impossible," SlashNext's Kowski says. "While industry agreements provide some ethical frameworks, the subjective nature of ethics means different organizations and cultures will continue to interpret and implement AI guidelines differently." The practical approach is to implement robust verification systems and maintain human oversight rather than seeking perfect trustworthiness, he says.

Davies from Bugcrowd says there's already a growing need for professionals who can handle the ethical implications of AI. Their role is to ensure privacy, prevent bias, and maintain transparency in AI-driven decisions. "The ability to test for AI’s unique security and safety use cases is becoming critical," he says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

6 AI-Related Security Trends to Watch in 2025

Palo Alto, Calif., USA, 30th December 2024, CyberNewsWire

**Palo Alto, Calif., USA, December 30th, 2024, CyberNewsWire**

SquareX, an industry-first Browser Detection and Response (BDR) solution, leads the way in browser security. About a week ago, SquareX reported large-scale attacks targeting Chrome Extension developers aimed at taking over the Chrome Extension from the Chrome Store.

On December 25th, 2024, a malicious version of Cyberhaven’s browser extension was published on the Chrome Store that allowed the attacker to hijack authenticated sessions and exfiltrate confidential information. The malicious extension was available for download for more than 30 hours before being removed by Cyberhaven. The data loss prevention company declined to comment on the extent of the impact when approached by the press, but the extension had over 400,000 users on the Chrome Store at the time of the attack.

Unfortunately, the attack took place as SquareX’s researchers had identified a similar attack with a video demonstrating the entire attack pathway just a week before the Cyberhaven breach. The attack begins with a phishing email impersonating Chrome Store containing a supposed violation of the platform’s “Developer Agreement”, urging the receiver to accept the policies to prevent their extension from being removed from Chrome Store. Upon clicking on the policy button, the user gets prompted to connect their Google account to a “Privacy Policy Extension”, which grants the attacker access to edit, update and publish extensions on the developer’s account.

Fig 1. Phishing email targeting extension developers

Fig 2. Fake Privacy Policy Extension requesting access to “edit, update or publish” the developer’s extension

Extensions have become an increasingly popular way for attackers to gain initial access. This is because most organizations have limited purview on what browser extensions their employees are using. Even the most rigorous security teams typically do not monitor subsequent updates once an extension is whitelisted.

SquareX has conducted extensive research and demonstrated at DEFCON 32, how MV3-compliant extensions can be used to steal video stream feeds, add a silent GitHub collaborator, and steal session cookies, among others. Attackers can create a seemingly harmless extension and later convert it into a malicious one post-installation or, as demonstrated in the attack above, deceive the developers behind a trusted extension to gain access to one that already has hundreds of thousands of users. In Cyberhaven’s case, attackers were able to steal company credentials across multiple websites and web apps through the malicious version of the extension.

Given that developer emails are publicly listed on Chrome Store, it is easy for attackers to target thousands of extension developers at once. These emails are typically used for bug reporting. Thus, even support emails listed for extensions from larger companies are usually routed to developers who may not have the level of security awareness required to find suspicion in such an attack. As per SquareX’s attack disclosure and the Cyberhaven breach that occurred within the span of less than two weeks, the company has strong reason to believe that many other browser extension providers are being attacked in the same way. SquareX urges companies and individuals alike to conduct a careful inspection before installing or updating any browser extensions.

Fig 3. Contact details of extension developers are publicly available on Chrome Store

SquareX team understands that it can be non-trivial to evaluate and monitor every single browser extension in the workforce amidst all the competing security priorities, especially when it comes to zero-day attacks. As demonstrated in the video, the fake privacy policy app involved in Cyberhaven’s breach was not even detected by any popular threat feeds.

SquareX’s Browser Detection and Response (BDR) solution takes this complexity off security teams by:

*   Blocking OAuth interactions to unauthorized websites to prevent employees from accidentally giving attackers unauthorized access to your Chrome Store account
*   Blocking and/or flagging any suspicious extension updates containing new, risky permissions
*   Blocking and/or flagging any suspicious extensions with a surge of negative reviews
*   Blocking and/or flagging installations of sideloaded extensions
*   Streamline all requests for extension installations outside the authorized list for quick approval based on company policy 
*   Full visibility on all extensions installed and used by employees across the organization

> SquareX’s founder Vivek Ramachandran warns: “Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work. Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and One Drive and we will only see attackers get more creative in exploiting browser extensions. Companies need to remain vigilant and minimize their supply chain risk without hampering employee productivity by equipping them with the right browser native tools.”

**About SquareX:**

SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real-time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, and enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach

Proactive defenses, cross-sector collaboration, and resilience are key to combating increasingly sophisticated threats.

Source: Artur Szczybylo via Alamy Stock Photo

From the growing sophistication of zero-day exploits to the entrenchment of nation-state and cybercriminal alliances, 2024 delivered more evidence of how quickly the threat landscape continues to evolve. The year reinforced hard truths about the persistence of attackers and the systemic challenges of defense. We look back on some of the events that defined 2024 and the tactical insights that security teams can apply to stay ahead in the ongoing battle in 2025.

**Surging Zero-Day Exploits and Nation-State Collaboration**

Threat researchers continued to see a year-over-year increase of zero days. Recent analysis by Mandiant of 138 vulnerabilities that were disclosed in 2023 found the majority (97) were exploited as zero-days — an increase from 2022. Tom Kellermann, senior vice president of cyber strategy at Contrast Security, expects that number to increase in 2024.

The growth is a direct result of geopolitical tensions, he says. Nation-state actors, particularly China, are exploiting these types of vulnerabilities at unprecedented rates.

"The Chinese specifically have been doing tremendous research into exploiting zero-days and discovering them," Kellermann says. "I think everyone's kind of on their back foot when dealing with this because traditional cybersecurity defenses can't thwart those attacks."

The rise in these kinds of attacks includes a new trend in 2024: collaboration or coordination between nation-states and cybercrime rings, says Stephan Jou, senior director of security analytics at OpenText Cybersecurity.

"In this model, an attack with nation-state characteristics is launched at the same time, or followed closely by, an attack on the same target by an independent for-profit threat actor. Russia, for example, has been seen to collaborate with malware-as-a-service gangs, including Killnet, LokiBot, Gumblar, Pony Loader, and Amadey. China has entered similar relationships with the Storm-0558 and Red Relay cybercrime rings, typically to support its geopolitical agenda in the South China Sea."

Chester Wisniewski, global field CTO at Sophos, says China-sponsored attackers have developed assembly-line zero-day exploits shared through state-mandated disclosure laws. Attackers initially used zero-days in targeted attacks, then escalated them to widespread exploitation to cover their tracks. Proactive patch management and collaboration between vendors and organizations to mitigate threats is critical, he says.

"The real problem is this accumulation of stuff that's not getting patched," Wisniewski says. "We just keep launching more equipment out there onto the Internet. And it's getting more and more polluted, and nobody's responsible for taking care of it."

Jou agrees and says the lesson here is that defense against even sophisticated attacks comes back to the same basics: patch management, endpoint protection, email security, awareness training, and backup and disaster recovery planning.

"By ensuring that these unglamorous but essential best practices are in place, security teams can rob threat actors of many of their favorite tactics to abuse networks and businesses," he says.

**Resiliency Planning Needs More Focus**

Ransomware attacks in 2024 highlighted the fragility of supply chains and business continuity. Ransomware operators are now targeting service providers and supply chain networks, Wisniewski says. A cyberattack on Ahold Delhaize, the parent company of major US supermarket chains, including Stop & Shop, Hannaford, Food Lion, and Giant Food, disrupted services across its network in November, impacting more than 2,000 stores. For several days, customers had issues with online grocery delivery, offline websites, and limited pharmacy services.

Improving business continuity strategies to include modern segmentation tools can help minimize operational disruptions during incidents, Wisniewski says.

"When one part of a supply chain goes down, it impacts thousands of businesses," he says. "This amplifies the economic and operational pressure to comply with attackers' demands. You can't plan never to fail, but you can plan to fail gracefully."

Another headline-making business continuity incident this year was the CrowdStrike outage. In July, the company released a faulty software update that affected approximately 8.5 million devices running the Windows operating system. The glitch triggered widespread system crashes that resulted in multiple disruptions, particularly in the travel industry. Delta Air Lines was forced to cancel thousands of flights due to system disruptions. 

The event dominated news cycles for several days. In its wake, analysts pointed to the critical need for better process adherence and visibility. But Dror Liwer, cofounder of Coro, says it also highlights a need for security leaders to  effectively communicate with diverse stakeholders — whether technical teams, business executives, or external parties — when managing the fallout of a large-scale incident.

**Critical Infrastructure Is a Growing Target**

Attacks on critical infrastructure reached new levels in 2024. In September, the Cybersecurity and Infrastructure Security Agency (CISA) issued a notice that government-run water systems were at risk of attack by nation-states after officials reported a cybersecurity issue at a facility in Arkansas City, Kansas, which was forced to switch to manual operations while the situation was resolved.

Barry Mainz, CEO of Forescout, says cyberattacks are evolving to target critical services, like municipal water authorities and airport landing systems. This year made it clear that attackers are shifting their focus from well-protected facilities to more vulnerable upstream systems, like water supplies and power grids, he says.

"If you just zoom out a bit and look at where the vulnerabilities are, the bad actors are saying, 'Well, it's a lot harder now since people are spending money to secure certain IT functions. We're going to go down the food chain a little bit,'" Mainz says.

One of the key challenges in securing critical infrastructure is the inherent complexity of operational environments. Many industrial systems operate using legacy equipment that was never designed with cybersecurity in mind. In addition, there is often a lack of visibility into connected devices within these environments, which can make detecting threats extremely difficult.

"I think the lesson is we've got to invest in a cybersecurity strategy for not only IT systems but \[operational technology\] systems," Mainz says. "And also we need to think structurally about how we manage those systems because the people that actually manage those OT systems, they're not IT professionals.”

A better approach, he says, involves adopting advanced monitoring and threat detection tools as well as fostering collaboration between IT and OT teams. By breaking down silos and improving communication, organizations can better address the unique security requirements of critical infrastructure. Mainz pointed to the importance of government and private-sector partnerships in bolstering defenses.

**Telecom Can't Be Trusted**

We wrap up 2024 with news that Salt Typhoon, a cyber-espionage group allegedly linked to the Chinese government, has successfully infiltrated telecommunications networks in multiple countries. In the US alone, FBI officials say at least eight major telecom companies, including AT&T, Verizon, and Lumen Technologies, were compromised. The group gained access to sensitive data, such as call logs, unencrypted text messages, and, in some cases, live call audio. The FBI recommended that Americans use encrypted messaging apps, like Signal and WhatsApp, to ensure their communications stay hidden.

The ongoing issues around nation-state attackers and their use of telecom is one of his biggest worries heading into 2025, Kellermann says. He also points to T-Mobile's acquisition of Sprint in 2020, which he says is concerning because "Sprint used to be the classified backbone network of the US government." This means that if there are security vulnerabilities within T-Mobile's infrastructure, they could potentially compromise sensitive government communications or systems that were part of Sprint's legacy network. 

"I think the people are ignoring that and are not paying attention fully," he says.

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

What Security Lessons Did We Learn in 2024?

SUMMARY Two California men have been arrested and charged in what is being called the largest NFT fraud…

****SUMMARY****

*   **Two California men charged in the largest NFT fraud case, stealing $22M via “rug pull” schemes.**

*   **Fraudulent projects included “Vault of Gems” and “Faceless,” promising false features.**

*   **Defendants allegedly intimidated others and hid their involvement in the scams.**

*   **Charges carry penalties of up to 20 years for wire fraud and 5 years for stalking.**

*   **The case highlights the need for caution in the evolving NFT and crypto markets.**

Two California men have been arrested and charged in what is being called the largest **NFT fraud** case to date. Gabriel Hay, 23, of Beverly Hills, and Gavin Mayo, 23, of Thousand Oaks, are accused of running a series of “rug pull” schemes, defrauding investors out of over $22 million in cryptocurrency. The six-count indictment (PDF), unsealed in Los Angeles, details a three-year operation involving multiple fraudulent digital asset projects.

****What is a “Rug Pull”?****

A “**rug pull**” is a type of scam common in the cryptocurrency industry. It involves creators of a new digital asset, such as an NFT, heavily promoting their project and soliciting investments. Once they’ve gathered a substantial sum, they suddenly abandon the project, leaving investors with worthless assets and making off with the funds.

****The Case****

According to the U.S. Department of Justice’s **press release,** from May 2021 to May 2024, Hay and Mayo allegedly orchestrated a string of these scams, using projects with names like “Vault of Gems,” “Dirty Dogs,” “Faceless,” “Sinful Souls,” and “Clout Coin,” among others. They lured investors with elaborate “roadmaps” outlining ambitious plans for their NFTs, promising unique features and future development.

For example, they claimed the “Vault of Gems” project would be the “first NFT project to be pegged to a hard asset.” However, these promises were reportedly hollow. After collecting millions from investors, Hay and Mayo allegedly abandoned each project, leaving investors high and dry.

Vault of Gems NFTs created by Hey, as per the indictment

They also used various ways to hide themselves in the process, they allegedly identified other persons to be the owners, when actually Hay and Mayo were the owners. One project manager had great emotional distress because of the intimidation coming from Hay and Mayo because he exposed them for being behind the Faceless NFT project.

The alleged fraud scheme began to come apart when Homeland Security Investigations (HSI) initiated an investigation. “For three years, Hay and Mayo apparently lied to their investors in order to defraud them out of millions of dollars,” said HSI Executive Associate Director **Katrina W. Berger**, emphasizing the devastating impact of these financial crimes, even without physical violence.

“Whenever a new investment trend occurs, scammers are sure to follow,” added U.S. Attorney Martin Estrada, highlighting the ongoing battle against cryptocurrency fraud.

****Charges and Future****

Hay and Mayo face serious charges, including conspiracy to commit wire fraud, wire fraud, and stalking. Each wire fraud-related count carries a maximum penalty of 20 years in prison, while the stalking count carries a maximum of five years. The final sentence will be determined by a federal judge.

This case is being handled by the National Cryptocurrency Enforcement Team (**NCET**), a specialized unit within the Department of Justice dedicated to combating crimes involving digital assets. The NCET focuses on investigating cryptocurrency exchanges, **mixing services**, and infrastructure providers that facilitate illicit activities. This is very important and is a must due to the growth of illicit use of cryptocurrencies.

****Lesson for Unsuspecting Investors****

This indictment shows the need for staying cautious and informed when investing in NFTs and other digital assets, especially as the market keeps changing. Investors are urged to conduct thorough research and be wary of projects that make promises without clear, actionable plans.

1.  **Police Arrest Suspect in Crypto Millionaire’s Murder**
2.  **What Makes Bitcoin NFTs Different from Other NFTs?**
3.  **Crypto tumbler BestMixer.io seized for money laundering**
4.  **Ukraine Arrests Cryptor Specialist Aiding LockBit Ransomware**
5.  **Hackers Hijacked Official Ferrari Subdomain to Host NFT Scam**
6.  **Lazarus Exploits Chrome 0-Day for Crypto with Fake NFT Game**

Two Californians charged in the largest NFT fraud case to date

From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.

In 2024, we at Dark Reading covered a variety of attacks, exploits, and, of course, vulnerabilities across the board. Here, we recount 10 emerging threats organizations should be prepared for — as detailed by Dr. Jason Clark in "10 Emerging Vulnerabilities Every Enterprise Should Know," a Dark Reading webinar — as they continuously rise and develop in 2025.

**Zero-Day Exploits**

Zero-days and their increase in volume across the cybersecurity landscape is a particularly concerning trend, as there is no patch for these bugs when they're discovered. Attackers are also able to exploit systems using these vulnerabilities undetected, as safeguards have not been put in place by organizations or enterprises yet.

High-profile zero-day vulnerabilities include Log4Shell, tracked as CVE-2021-44228, a critical RCE bug within Log4j's Java Naming and Directory Interface (JNDI). By exploiting the vulnerability, attackers were able to easily take control of vulnerable systems, a considerable threat as Log4j is used in nearly every Java application.

Other vulnerabilities include PrintNightmare and Proxyshell, both remote execution flaws that were exploited quickly and widely, according to Clark.

"The rise in zero-day exploits is partly driven by just more sophisticated threat actors," Clark said in the Dark Reading webinar. "This can include things like nation-states and also using them in targeted attacks."

Chad Graham, cyber incident response team (CIRT) manager at Critical Start, however, believes that advancements with AI will change the landscape in 2025.

"Both attackers and defenders will rely on AI-driven tools to automate the search for hidden software flaws," Graham says. "This shift will likely result in a more dynamic cybersecurity landscape, where continuous innovation and adaptation become the norm."

**Supply Chain Attacks**

Supply chain attacks remain an active threat and tend toward the severe as their impact cascades on to multiple parties: customers, suppliers, and other third parties. Attackers exploit a trusted resource and ultimately gain access to not just one organization, but multiple. These kinds of threats remain concerning as organizations depend more and more on outsourcing services.

The best known example is the SolarWinds breach, which impacted the SolarWinds Orion system, at the hands of a group known as Nobelium. More than 30,000 organizations — including state and federal agencies — used the Orion network management system, resulting in the backdoor malware compromising thousands of data, network, and systems.

Tracked as CVE-2020-10148 with a CVSS score of 9.8, the authentication bypass bug allowed an unauthenticated attacker to execute API commands. The attackers in question were advanced persistent threat (APT) actors who infiltrated into the SolarWinds’ supply chain to insert a backdoor.

"The complexity of modern supply chains makes it challenging to secure all the dependencies," Clark said in the webinar. "This underscores the need for rigorous third-party risk management."

In the year ahead, Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, believes that there will be a sharpened focus on supply chains and third-party risk management.

"The CrowdStrike incident wasn't just a wake-up call — it was a stark reminder that in our interconnected ecosystem, one weak link can trigger a catastrophic chain reaction," Simberkoff says.

**Remote Work Infrastructure Exploits**

Since 2020 and the COVID-19 pandemic, organizations have leaned into remote and hybrid work offerings, increasing the risk of cybersecurity threats and becoming a significant concern. Attackers focus on vulnerabilities that allow users to engage in remote work such as VPNs, remote desktop protocols (RDPs), and phishing attacks through platforms such as Zoom and Microsoft Teams.

There have been several notable incidents in which VPNs and RDPs were leveraged, allowing threat actors to gain access to enterprise systems and networks. In addition, remote workers are often operating from less secure environments, causing an uptick in phishing attacks as the threat actors try to take advantage of these blind spots.

"The shift to remote work has expanded the overall attack surface, Clark said in the webinar. "Remote workers often need more security controls than those that are working \[onsite\], which can lead to significant vulnerabilities."

Recent examples of vulnerabilities remote and hybrid work vulnerabilities include CVE-2024-38199, a remote code execution vulnerability (RCE) in the Windows or Line Printer Deamon (LPD) Service, and CVE-2024-21433, a Windows Print Spooler elevation of privilege vulnerability.

"Remote work infrastructure will continue to be a prime target for cybercriminals in 2025, with an increase in sophisticated attacks on cloud services, VPNs, and collaboration tools," says Stephen Kowski, field CTO at SlashNext Email Security+. "We'll likely see more AI-powered threats designed to bypass traditional security measures, exploiting vulnerabilities in interconnected devices and home networks."

**Exploitation of AI and Machine Learning Systems**

With the rise of AI and its increasing use amid the public, comes widespread risk of exploitation from attackers. Clark noted of adversarial attacks, data poisoning, and model inversion attacks that are at the forefront of emerging threats for AI and machine learning (ML) systems in particular. 

The nature of some ML systems requires feeding a system information for the best results, the system becoming more familiar with the user over time. When attacks target these systems, it can lead to unauthorized access to sensitive data stored and processed within these tools, as well as incorrect predictions or biased decisions.

"AI models will be key areas of exploitation in 2025," says Rom Carmel, co-founder and CEO at Apono. "As AI and machine learning become integral to identity verification systems, attackers will find ways to poison AI models or bypass them."

AI can also simply be manipulated for malicious ends, as seen when an AI deepfake robocall was created to impersonate US President Joe Biden to encourage individuals not to vote in the New Hampshire's Democratic primary, an event that could have had severe consequences on the US electoral process.

"The threat landscape is evolving with the rapid adoption of AI and ML," Clark said in the webinar. "Attackers increasingly focus on these systems to undermine their reliability and exploit vulnerability."

**Cloud Misconfigurations**

As organizations continue to shift their operations to the cloud, it will continue to emerge as a space for threat actors to thrive, often due to the cloud simply not being set up correctly.

Common examples of threats that circulate within the cloud are publicly accessible S3 buckets, misconfigured security groups in AWS, and exposed databases.

"Cloud misconfigurations can have severe impacts related to data breaches, unauthorized access to critical systems, financial loss, and reputational damage," Clark said. He added that the complexity of these environments is going to increase leading to more frequent configuration errors.

In the past, Amazon and Microsoft cloud environments have exposed customer data, such as viewing habits, names, email addresses, email content, and phone numbers. The leaks aren't due to vulnerabilities but misconfigurations ranging from insecure read-and-write permissions to inaccurate access lists and misconfigured policies.

"To successfully prevent cloud breaches in 2025, companies need to focus on three key areas: visibility, access control, and continuous monitoring," says Jason Soroko, senior fellow at Sectigo. "Cloud environments are dynamic, so your security needs to be dynamic too."

**IoT Device Vulnerabilities**

IoT devices are allowing for emerging threats to thrive, being easy targets for threat actors to exploit, whether it be due to weak default passwords, lack of encryption, or insecure firmware.

Common attacks that IoT devices face are data theft, network breaches, and distributed denial-of-service (DDoS) attacks. A recent example emerged in the Common Unix Printing System (CUPS) for managing printers and print jobs. The series of vulnerabilities, tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 could allow bad actors to stage DDoS attacks within seconds for less than 1 cent while using an available cloud platform.

"Just the sheer volume of connected devices really exacerbates the threat," Clark noted in the webinar. "Securing these devices becomes really challenging due to their diversity and often limited processing power for adding security features."

And as the use of IoT, OT, and 5G networks continues to rise, organizations will need cyber threat intelligence (CTI) to extend beyond traditional IT environments, says Callie Guenther, senior manager, cyber threat research at Critical Start. "This expansion, which will continue throughout 2025, will add complexity to CTI, requiring more granular insights and specific intelligence data."

**Cryptographic Weaknesses**

According to Clark, cryptographic weaknesses continue to pose a significant threat because these kinds of vulnerabilities undermine the foundation of secure communication and data protection. These weaknesses often manifest in one of two ways: flaws in encryption algorithms, or how the algorithms are implemented.

"The rising threat is kind of compounded by the fact that as computational capability advances, that previously secure crypto standard now becomes increasingly more vulnerable," Clark said in the webinar.

He recommended regularly updating cryptographic libraries, and enforcing strong encryption protocols to avoid exploitation attempts like man-in-the middle attacks, data integrity issues, and the exposed sensitive information.

Just recently, Acros Security discovered a vulnerability, similar to CVE-2024-38030, that enables an attack in which a vulnerable device is coerced into sending NTLM hashes, which is the cryptographic version of a user's password, to a threat actor.

"We have never before required from \[cloud service providers\] such granular and detailed information on the type of encryption in use, but customers (government and non-government customers alike) will require this level of detail to ensure their encryption standards are being met," says Philip George, executive technical strategist at InfoSec Global Federal.

**API Security Gaps**

More organizations are relying on APIs to connect systems; however, these APIs are at risk when they have flaws in the design or the implementation of the APIs. Attackers are able to breach systems through unauthorized access, allowing them to manipulate certain restricted actions.

A notable example of this is the exposure of user data through Facebook’s API, though these flaws are also abundant in other sectors such as healthcare or financial services. 

Gaps in API security ultimately serve as a launchpad, often for data breaches which can lead to the loss of sensitive information, unauthorized transactions, reputational damage, and significant financial loss.

"The threat is escalating as API is becoming more prevalent, increasing the number of potential attack surfaces," Clark said. "To mitigate these risks, it's essential to secure your API endpoints, enforce robust authentication mechanisms, and regularly update and audit API access."

A Docusign API was recently used in a wide-scale phishing campaign due to its "API-friendly environment," which is beneficial for businesses but also provides a way for bad actors to conduct malicious operations. The flaw could ultimately could have led to instances of fraud, though there are ways for users to avoid and detect such API abuse.

In the coming year, the cyber landscape will continue to evolve, API being in the forefront of these changes.

"We anticipate a rise in sophisticated API attacks using automation, artificial intelligence, and advanced evasion techniques to exploit vulnerabilities and bypass traditional security measures," says Eric Schwake, director of cybersecurity strategy at Salt Security. "One significant risk will stem from the exploitation of API misconfigurations, which often occur due to the fast pace of development and deployment. This situation will challenge organizations to adopt a more proactive and comprehensive approach to API security."

**Ransomware Evolution**

"We could do a whole webinar on ransomware," Clark said in the webinar, which raises the question: Can ransomware even be considered an emerging threat? 

The answer is yes, though ransomware attacks have become one of the most disruptive and costly cyberattacks out there largely due to their rapid evolution.

One of the most notable ransomware attacks occurred on Colonial Pipeline, which shut down its entire operations for the first time, leading to fuel shortages and four states on the East Coast declaring a state of emergency. The ransomware attack prompted action from national security and the executive branch and forced a reevaluation of the nation's critical infrastructure security.

Threat actors know they can win big when demanding ransoms from organizations, such as those in the healthcare sector, which will pay these high prices in order to help patients in need.

"As these attacks are becoming more targeted and, frankly, aggressive, it's crucial to start to implement backup strategies that are robust, strengthen your overall incident response plans, and continuously educate your employees on recognizing and avoiding things like phishing attempts that can often serve as an entry point for ransomware," Clark said in the webinar.

Backups may not always be an option, according to Brandon Williams, chief technology officer at Conversant Group.

"Some threat actors have moved to deleting data as part of their normal motions," he says. "If this gains traction in 2025, organizations will not have a method to recover by simply paying a ransom and hoping to get a working decryption tool. The only method of recovery will be backups; however, data shows that backups do not typically survive these breaches."

**5G Network Vulnerabilities**

5G networks are being rapidly deployed, and with them come threat actors' awareness and exploitation of its vulnerabilities. Attackers are increasingly able to target 5G infrastructure with ease, and these open the door for even bigger threats such as large-scale DDoS attacks, unauthorized data access, and disruption of our critical services.

"As we consider the rising threat, the global rollout of 5G brings an increasing number of connected devices," Clark said in the webinar. "The rising number amplifies their attack risk, particularly given their reliance on cloud-native infrastructures."

At Black Hat 2024 in Las Vegas, seven Penn State University researchers detailed how mobile devices are at risk of data theft and denial of service due to 5G technology vulnerabilities. Threat actors use these resources simply by providing someone with an Internet connection, allowing easy access to spying, phishing, and more. 

"Vulnerabilities such as lack of initial broadcast message authentication, spectrum slicing, silent downgrade, and unsecured DNS paging currently affect 5G networks," says Mayuresh Dani, manager, security research, at Qualys Threat Research Unit. "In the year to come, these will continue affecting 5G networks and vulnerabilities in unsecured base stations will multiply snooping attacks."

Emerging Threats &amp; Vulnerabilities to Prepare for in 2025

KEY SUMMARY POINTS Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of…

****KEY SUMMARY POINTS****

*   **Focus Shift to Nuclear Industry**: The Lazarus Group, linked to North Korea, has shifted its targets to the nuclear industry, marking a potential escalation from its earlier focus on defense, aerospace, and cryptocurrency.

*   **Fake Job Posting Tactics**: Their attacks, observed in January 2024, employ fake job postings (Operation DreamJob) to deliver malicious files disguised as job assessments, gaining access to victims’ systems.

*   **Advanced Malware Techniques**: The group uses sophisticated tools like Ranid Downloader and a novel plugin-based malware, “CookiePlus,” which operates in memory, making it harder for security systems to detect.

*   **Exploitation of Vulnerabilities**: Lazarus continues refining its tactics, exploiting vulnerabilities like Google Chrome zero-day and leveraging innovative malware like “RustyAttr” on macOS.

*   **Call for Caution**: The increasing sophistication and activity of the Lazarus Group underscore the need for heightened cybersecurity measures, particularly in sensitive industries.

Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of the notorious Lazarus hacking group, which, as we know it, has links to the North Korean government.

According to Securelist’s research, the Lazarus Group has shifted its focus to targeting individuals within the nuclear industry lately. This indicates an upcoming escalation in their operations, as they previously concentrated on sectors like defense, aerospace, and cryptocurrency. 

“We observed a similar attack in which the Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related organization over the course of one month,” the report read.   

Malicious files created on the victims’ hosts (Via Secure List)

The attacks observed by Kaspersky occurred in January 2024 and followed the pattern of using fake job postings, a tactic known as the DeathNote campaign or “Operation DreamJob.”

This involves creating fake job postings and enticing potential victims with tempting career opportunities. During the “interview” process, malicious files are subtly introduced, often disguised as legitimate assessment tests.

The attack starts with an initial file disguised as job assessments for prominent companies, which contains a ZIP archive with malicious executables or trojanized legitimate tools like VNC viewers.

Once executed, the trojan prompts the victim to enter an IP address provided by the attackers via separate communication channels like messenger apps. This grants the attackers unauthorized access to the compromised machine, enabling them to move laterally within the network and potentially steal sensitive data or disrupt critical operations.  

An XOR key is generated based on the IP address to decrypt the internal resources of the VNC executable and unzip the data. The unzipped data is then downloaded by Ranid Downloader, which fetches further malicious payloads like MISTPEN, RollMid, LPEClient, Charamel Loader, ServiceChanger, and CookiePlus. The payload type (DLL or shellcode) is determined by a flag within the data structure. The execution results of these plugins are encrypted and sent back to the C2 server.

A key innovation in these recent attacks is the introduction of “CookiePlus,” a novel plugin-based malware. This downloader operates primarily in memory, loading malicious payloads dynamically. This evasive technique makes it harder for traditional security solutions to detect and mitigate the threat.

The development of CookiePlus demonstrates the Lazarus Group’s continuous efforts to refine its tools and evade detection. By introducing new modular malware and adapting their tactics, they aim to maintain a persistent presence within targeted networks and achieve their objectives.

The group has been particularly active lately. In November Group-IB discovered the Lazarus group’s new trojan, “RustyAttr,” which hides malicious code in extended attributes on macOS systems and in October the group exploited a Google Chrome zero-day vulnerability to target cryptocurrency investors with a deceptive NFT game. This calls for continuous vigilance to safeguard your digital assets.

1.  Lazarus Exploits Chrome 0-Day with Fake NFT Game
2.  North Korean Hackers Team Up with Play Ransomware
3.  Lazarus’ Magecart attack steal card data from EU, US sites
4.  Lazarus Hits Blockchain Pros with Fake Video Conferencing
5.  Lazarus hackers suspected of targeting Indian space agency

Lazarus Group Targets Nuclear Industry with CookiePlus Malware

This Tech Tip outlines what enterprise defenders need to do to protect their enterprise environment from the new NTLM vulnerability.

Roy Akerman, VP of Identity Security Strategy, Silverfort

December 20, 2024

4 Min Read

Source: Supapixx via Alamy Stock Photo

A new zero-day vulnerability in NTLM discovered by researchers at 0patch allows attackers to steal NTLM credentials by having a user view a specially crafted malicious file in Windows Explorer — no need for the user to open the file. These password hashes can be used for authentication relay attacks or for dictionary attacks on the password, both for identity takeover.

NTLM refers to a suite of old authentication protocols from Microsoft that provide authentication, integrity, and confidentiality to users. While NTLM was officially deprecated as of June, our research shows that 64% of Active Directory user accounts regularly authenticate with NTLM — evidence that NTLM is still widely used despite its known weaknesses.

The flaw is exploitable even in environments using NTLM v2, making it a significant risk to enterprises that have not yet moved to Kerberos and are still relying on NTLM. Considering Microsoft may not patch this issue for a while, enterprise defenders should take steps to mitigate the vulnerability in their environments. This Tech Tip outlines how dynamic access policies, a few hardening steps, and multifactor authentication (MFA) can help limit attempts to exploit this vulnerability. Upgrading the protocol, where possible, could eliminate the issue completely.

**What Is the NTLM Vulnerability?**

When a user views a malicious file in Windows Explorer — whether by navigating to a shared folder, inserting a USB drive containing the malicious file, or just viewing a file in the Downloads folder that was automatically downloaded from a malicious Web page — an outbound NTLM connection is triggered. This causes Windows to automatically send NTLM hashes of the currently logged-in user to a remote attacker-controlled share.

These NTLM hashes can then be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. Attackers can also potentially use the exposed passwords to access the organization's software-as-a-service (SaaS) environment due to the high rates of synced users.

The issue impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

The fundamental problem with NTLM lies in its outdated protocol design. NTLM transmits password hashes instead of verifying plaintext passwords, making it vulnerable to interception and exploitation. Even with NTLM v2, which uses stronger encryption, the hashes can still be captured and relayed by attackers. NTLM's reliance on weak cryptographic practices and lack of protection against relay attacks are key weaknesses that make it highly exploitable. Moreover, NTLM authentication does not support modern security features, such as MFA, leaving systems open to a variety of credential theft techniques, such as pass-the-hash and hash relaying.

**What Defenders Need to Do**

To mitigate this vulnerability, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP. There are scripts provided by Microsoft to activate EPA manually on Exchange Server 2016. Where possible, update to the latest Windows Server 2025 as it ships with EPA and channel binding enabled by default for both AD CS and LDAP.

Some organizations may still be dependent on NTLM due to legacy systems. Those teams should consider additional authentication layers, such as dynamic risk-based policies, for protecting existing NTLM legacy systems against exploitations.

Harden LDAP configurations. Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.

Check impact on SaaS. If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can use Group Policy to enable the Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.

Using Group Policy to limit or disable NTLM authentication via the Network Security: Restrict NTLM setting will reduce the risk of fallback scenarios where NTLM is unintentionally used.

Monitor SMB traffic. Enabling SMB signing and encryption can help prevent attackers from impersonating legitimate servers and triggering NTLM authentication. Blocking outbound SMB traffic to untrusted networks will also reduce the risk of NTLM credential leakage to rogue servers. Implement network monitoring and alerting for unusual SMB traffic patterns, particularly outbound requests to unknown or untrusted IP addresses.

Leave NTLM behind. NTLM has been deprecated. Administrators should audit NTLM usage to identify which systems still rely on NTLM. Organizations should prioritize transitioning those systems away from NTLM to more modern authentication protocols, such as Kerberos. Once a more modern protocol is in place, implement MFA to add an additional layer of protection.

Taking these steps will help organizations address the fundamental flaws in NTLM and improve their security posture.

**About the Author**

VP of Identity Security Strategy, Silverfort, Silverfort

Roy Akerman is the VP of Identity Security Strategy at Silverfort and former co-founder and CEO of Rezonate. Prior to Rezonate, Roy served as VP of Product and Innovation at Cybereason, responsible for growing 3 new business lines on cloud security, mobile defense, and XDR. Roy is leading product incubations and new business initiatives, fusing the practices of advanced Technology, Psychology, and Business in forming new disruptive products and anti-disciplinary innovation teams. Akerman is blending business and innovation practices acquired in his MIT and business journey with problem-solving and tech approaches based on his Government and Military experience. Roy has 20 years of experience in Cybersecurity, as one of the senior leaders and founders of NISA - the Israeli Equivalent to the NSA/Cyber Command, retired as the chief of global cyber operations. In this role, Roy and his teams ran global counter-cyber defense operations for Israel’s Cyber Defense, built cutting-edge cyber security tech. They established partnerships and alliances with numerous states and business partners.

How to Protect Your Environment From the NTLM Vulnerability

While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.

Source: metamorworks via Shutterstock

With US government agencies and lawmakers reportedly considering a ban on TP-Link's products in the United States, one might think the company would rank high on the list of networking vendors with the most vulnerabilities currently being exploited by cyberattackers.

Not by a long shot.

The Chinese firm, whose products are popular among consumers and small businesses, currently has two security issues gracing the Known Exploited Vulnerabilities (KEV) list curated by the Cybersecurity and Infrastructure Security Agency (CISA), compared with 74 for Cisco Systems, 23 for Ivanti, and 20 for D-Link.

Yet US government officials' concern is less about known vulnerabilities, and more about unknown risks, including its routers' popularity in the United States — where it accounts for about two-thirds of the market — and the degree to which the company is beholden to China's government.

While no researcher has called out a specific backdoor or zero-day vulnerability in TP-Link routers, restricting products from a country that is a political and economic rival is not unreasonable, says Thomas Pace, CEO of extended Internet of Things (IoT) security firm NetRise and a former head of cybersecurity for the US Department of Energy.

"The value to me \[of a ban\] is almost more around economic policy value than pure technical cybersecurity value," he says. "To me, there is value in saying you shouldn't buy these things because of X, Y, and Z reasons \[and to make it\] more difficult for small businesses, or whoever, to get their hands on devices from these companies."

Related:BlackBerry to Sell Cylance to Arctic Wolf

**TP-Link — Not a Vulnerability Stand-Out**

In April 2024, one of two TP-Link vulnerabilities attracted the most vulnerability scanning by threat actors, according to an analysis by cloud and application-security firm F5. The issue, a command injection vulnerability for TP-Link's Archer AX21 router (CVE-2023-1389), allows an unauthenticated attacker to easily compromise a device via a simple POST request.

TP-Link ranks low on the list of networking vendors with known exploited vulnerabilities. Source: Author from CISA data

In another incident, security firm Check Point Software Technologies discovered that TP-Link devices were also compromised with an implant known as Camaro Dragon. The implanted components were discovered in modified TP-Link firmware images, and not the original software shipped by the company, says Itay Cohen, research lead at Check Point Research.

Yet Cohen stresses that the implants were written in a firmware-agnostic manner and not specific to any particular product or vendor.

"It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks," he says. "Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers."

Related:Versa Introduces Integrated Endpoint Data Loss Prevention in SASE Solution

The threat posed by such vulnerabilities and implants are real, but the data from the KEV catalog shows that other manufacturers are just as likely to have their vulnerabilities exploited — and there are more of them. The lesson is that vulnerabilities in embedded devices are not unique to any one manufacturer or country of origin, says Sonu Shankar, chief product officer at Phosphorus Cybersecurity, an extended IoT cybersecurity provider.

"Nation-state actors frequently exploit weaknesses in devices from companies worldwide, including those sold by American manufacturers," he says. "Devices lacking basic security hygiene — such as the use of strong passwords, timely firmware patching, or proper configurations — can become easy targets for cyberattacks."

TP-Link stressed this fact in a statement sent to Dark Reading.

"Many brands of consumer electronics are targeted by hackers, and we support government efforts to hold all producers to the same standard," a company spokesperson said. "We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing US national security risks."

Related:Test Your Cyber Skills With the SANS Holiday Hack Challenge

**China's Government Oversight Is Pervasive**

But those assertions may be minimizing the influence of the Chinese government on the company's operations: Most Western companies do not understand the degree to which Chinese officials monitor China's business sectors — and cybersecurity firms — as a component of government policy and national strategy, NetRise's Pace says.

"It's a totally different business culture," he says. "There is a member of the PRC in every company — that's not even like an opinion, it's just how it is. And if you think they're not there to exert their influence, then you're just an unbelievably naive person, because that's exactly what they do, \[including\] for the purposes of intelligence gathering."

Threat intelligence analysts have flagged the Chinese government national strategy documents and evidence showing their increasing efforts to compromise rival nations' infrastructure — such as the attacks by Volt Typhoon and Salt Typhoon.

"In recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C2 infrastructures, and to gain a foothold in certain targeted networks," Check Point stated in its analysis, but added that the "discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk."

China's networking products are not alone in being targeted by the US government, which also banned the products of antivirus firm Kaspersky because of national security concerns, given that it's a Russian company.

**The Global Cyber Reality of Home Routers: Buyer Beware**

Companies and consumers should do their due diligence, keep their devices up to date with the latest security patches, and consider whether the manufacturer of their critical hardware may have secondary motives, says Phosphorus Cybersecurity's Shankar.

"The vast majority of successful attacks on IoT are enabled by preventable issues like static, unchanged default passwords, or unpatched firmware, leaving systems exposed," he says. "For business operators and consumer end-users, the key takeaway is clear: adopting basic security hygiene is a critical defense against both opportunistic and sophisticated attacks. Don’t leave the front door open."

For companies worried about the origin of their networking devices or the security their supply chain, finding a trusted third party to manage the devices is a reasonable option. In reality, though, almost every device should be monitored and not trusted, says NetRise's Pace.

"It's a crazy world that exists when it comes to device security," he says. "You're accepting this device that you know nothing about — and that you really can't know anything about — unlike Windows \[or another operating system\] ... where you can also install three agents and a firewall in front of it to mitigate the risk of the software."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

US Ban on TP-Link Routers More About Politics Than Exploitation Risk

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Thursday, December 19, 2024 14:02

Welcome to the final Threat Source newsletter of 2024. 

Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not, let me share a story about what didn't quite go as planned in my family last year.  

When  some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens - they work cross platform and "survive" one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn't a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release. 

In the spirit of John McClane : “Now I know what a TV dinner feels like.” 

The kids found the gift "boring" and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a "bad guys win" scenario. (Only John Thor can drive somebody that crazy.) 

I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go "Yippee-ki-yay Mr Falcon" with tech gifts.  

However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We've been highlighting compromised credentials for a long time, as seen in our previous posts \[here\], \[here\], \[here\] and \[here\]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon. 

 Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world's top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using "just" TOTP in a software container is a significant improvement over just a password. 

But it's not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.   

If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA” 

Whichever is your idea of Christmas, then, like Argyle said, "I gotta be here for New Year's!"  

We look forward to seeing you in 2025!   

**The one big thing**

At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024.  Di you know  Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed. 

**Why do I care? **

We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.  

**So now what? **

Maybe you want to check for some CVEs or conduct a network security assessments.   
You can our team’s reports,roundups,spotlights and deep dives on our blog. 

**Top security headlines of the week **

 Blackhat Europe 2024 took place Dec 9-12 in London, UK. Loaded with a lot of interesting Sessions, my favorites are “Vulnerabilities in the eSIM download protocol” and “Over the Air: Compromise of Modern Volkswagen Group Vehicles” both showing how far an attack surface can possibly extend.  

Germany's Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)  

Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool) 

The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.

**Can’t get enough Talos? **

*   The evolution and abuse of proxy networks 
*   Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities 

**Upcoming events where you can find Talos **

  Cisco Live EMEA (February 9-14, 2025) 

Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d    
**VirusTotal:**  
https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8  

**SHA256:**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**VirusTotal:**  
https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**Typical Filename:** VID001.exe    
**Claimed Product:** n/a    
**Detection Name:** Win.Worm.Bitmin-9847045-0 

 **SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86    
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

 **SHA256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**Typical Filename:** VID001.exe   
**Claimed Product:** n/a    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos 

 **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:**  
7bdbd180c081fa63ca94f9c22c457376    
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
**Typical Filename:** IMG001.exe    
**Claimed Product:** N/A     
**Detection Name:** Trojan/Win32.CoinMiner.R174018

Tag

#zero_day