Tag: Cyber Security

  • Cracking the Boardroom Code: Helping CISOs Speak the Language of Business

    Sep 11, 2025 | The Hacker News | Continuous Threat Exposure Management

    CISOs know their field. They understand the threat landscape. They understand how to build a strong and cost-effective security stack. They understand how to staff out their organization. They understand the intricacies of compliance. They understand what it takes to reduce risk. Yet one question comes up again and again in our conversations with these security leaders: how do I make the impact of risk clear to business decision-makers?

    Boards want to hear how risk affects revenue, governance, and growth. They have a limited attention span for lists of vulnerabilities or technical details. When the story gets too technical, even urgent initiatives lose traction and fail to get funded.

    CISOs need to translate technical issues into terms the board understands. Doing so builds trust, garners support and shows how security decisions connect directly to long-term growth. It was the urgent need to bridge the CISO-Board communication gap that led us to create a new paradigm in CISO continuing education: Risk Reporting to the Board for Modern CISOs.

    The Disconnect Between Boards and CISOs

    Boards are increasingly held accountable for cyber risk. SEC rules require public companies to disclose cyber incidents within four business days and to describe board cyber oversight in annual reports. In the EU, NIS2 holds management bodies directly responsible for cybersecurity measures, with penalties up to €10 million or 2% of global turnover.

    Boards track governance, liability, and enterprise value. CISOs present threats, vulnerabilities, and controls. Surveys confirm this gap: Gartner’s 2024 Board of Directors Survey reports that 84% of directors classify cybersecurity as a business risk, yet research finds that only about half of boards rate their understanding as strong enough for effective oversight.

    CISO-Board alignment has never been more important, but the two sides still speak different languages. This challenge surfaced so often in our conversations with security leaders that it led us to a simple conclusion: if so many experienced professionals need this skill, it should be taught.

    Teaching How to Close the Boardroom Gap

    The goal was clear: boards need insights that connect cyber risk to business outcomes. Risk Reporting to the Board for Modern CISOs was built from scratch to help security leaders meet that need.

    The course teaches CISOs how to reframe their message in ways that resonate with directors. It focuses on practical skills: moving beyond vanity metrics to dashboards that answer the “So what?” question, building concise presentations that boards can act on, anticipating and managing difficult questions, and framing budget requests in financial and strategic terms. The course also introduces Continuous Threat Exposure Management as a model for presenting risk in a structured, forward-looking way.

    Each of the five lessons is designed to be practical and easy to apply. Participants leave with methods and templates they can use in their next board meeting. The key areas of focus include:

    • The Board’s View of Risk: What directors focus on and how to frame security as an enabler of safe innovation and competitive advantage.
    • Clear Risk Communication: Moving past vanity metrics by building dashboards that tell a risk story that ties technical findings to business impact.
    • High-Impact Presentations: Creating concise, effective board presentations, aligning with key executives in advance, and handling difficult questions with confidence.
    • Stronger Business Cases: Translating security needs into financial and strategic language. Building requests around risk reduction value, total cost of ownership, and alignment with company objectives.
    • Operationalizing CTEM: Applying the five stages of Continuous Threat Exposure Management to strengthen security posture and structure reporting in a forward-looking way.

    The course is led by Dr. Gerald Auger, whose career spans more than twenty years in both industry and academia. He served as cybersecurity architect for a major medical center and has taught tens of thousands of students through his Simply Cyber platform. His mix of practical and teaching experience makes the course grounded, relevant, and directly useful for CISOs in the boardroom.

    The Bottom Line

    Cybersecurity is at the center of business oversight. Boards expect insight that is clear and actionable, and CISOs need to present risk in terms that connect directly to governance, finance, and strategy. Risk Reporting to the Board for Modern CISOs was designed with these challenges in mind. The course gives security leaders practical tools to translate their expertise into language the board can act on.

    When CISOs build these skills, they move from talking about technical metrics to explaining risk in terms that link to business goals and show how security drives long-term growth. That leads to clearer conversations with directors, steadier support for security programs, and a stronger role for cybersecurity in the company’s overall strategy.

    Note: This article was expertly written by Tobi Trabing, VP Global Sales Engineering at XMCyber.


    Source: thehackernews.com…

  • AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto

    Sep 11, 2025 | Ravie Lakshmanan | Malware / Credential Theft

    Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fileless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts.

    “The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs,” LevelBlue said in a report shared with The Hacker News. “These components included encoded .NET assemblies ultimately unpacking into AsyncRAT while maintaining persistence via a fake ‘Skype Updater’ scheduled task.”

    In the infection chain documented by the cybersecurity company, the threat actors have been found to leverage a ScreenConnect deployment to initiate a remote session and launch a Visual Basic Script payload via hands-on-keyboard activity.

    “We saw trojanized ScreenConnect installers masquerading as financial and other business documents being sent via phishing emails,” Sean Shirley, LevelBlue MDR SOC Analyst, told The Hacker News.

    The script, for its part, is designed to retrieve two external payloads (“logs.ldk” and “logs.ldr”) from an attacker-controlled server by means of a PowerShell script. The first of the two files, “logs.ldk,” is a DLL that’s responsible for writing a secondary Visual Basic Script to disk, using it to establish persistence using a scheduled task by passing it off as “Skype Updater” to evade detection.

    This Visual Basic Script contains the same PowerShell logic observed at the start of the attack. The scheduled task ensures that the payload is automatically executed after every login.

    The PowerShell script, besides loading “logs.ldk” as a .NET assembly, passes “logs.ldr” as input to the loaded assembly, leading to the execution of a binary (“AsyncClient.exe”), which is the AsyncRAT payload with capabilities to log keystrokes, steal browser credentials, fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions in Google Chrome, Brave, Microsoft Edge, Opera, and Mozilla Firefox.
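    As an added example that is not part of the original article or of LevelBlue's report, the Python below audits a scheduled-task export for the persistence pattern described in the preceding paragraphs: a benign-looking task name whose action hands a script in a user-writable path to a script host, or PowerShell launched with encoded, hidden-window or policy-bypass switches. The sample rows are constructed; the column names follow the CSV layout of `schtasks /query /fo CSV /v`, but only a subset of columns is shown, and the task names and patterns are assumptions rather than indicators from the report.

```python
"""Audit scheduled-task actions for script-based persistence of the kind
described above.  Constructed illustration, not LevelBlue's detection logic;
the sample rows, task names and patterns are assumptions."""
import csv
import io
import re

SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta")
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp|AppData|Public)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
EVASIVE_PS = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:nop|noprofile)\b|-(?:ep|executionpolicy)\s+bypass",
    re.IGNORECASE,
)
VENDOR_WORDS = ("skype", "google", "microsoft", "adobe", "chrome", "onedrive", "update")


def assess_task(name, action):
    """Return the reasons a task looks like script-host persistence ([] if none)."""
    a = action.lower()
    host = next((h for h in SCRIPT_HOSTS if h in a), None)
    reasons = []
    if host and USER_WRITABLE.search(action):
        reasons.append(f"{host} runs a script from a user-writable path")
    if ENCODED_PS.search(action):
        reasons.append("encoded PowerShell command")
    if EVASIVE_PS.search(action):
        reasons.append("PowerShell hidden-window / no-profile / policy-bypass switches")
    if host and any(w in name.lower() for w in VENDOR_WORDS):
        reasons.append("vendor-style task name but the action is a script host")
    return reasons


def audit_schtasks_csv(text):
    """Map TaskName -> reasons for every flagged row of a schtasks CSV export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = assess_task(row["TaskName"], row["Task To Run"])
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


# Constructed sample: a few columns in the layout of `schtasks /query /fo CSV /v`.
# The encoded command is a truncated placeholder, not a real payload.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM"
"WS01","\Skype Updater","wscript.exe //B C:\Users\alice\AppData\Roaming\Skype\update.vbs","alice"
"WS01","\Maintenance","powershell.exe -w hidden -ep bypass -enc SQBFAFgA...","alice"
'''

if __name__ == "__main__":
    for task, reasons in audit_schtasks_csv(SAMPLE_CSV).items():
        print(task, "->", "; ".join(reasons))
```

    The two legitimate rows pass because their actions are native executables in system or vendor directories; the check keys on the combination of a script host and a user-writable script path rather than on any particular task name, so a renamed task is still caught.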

    All this collected information is eventually exfiltrated to a command-and-control (C2) server (“3osch20.duckdns[.]org”) over a TCP socket, to which the malware beacons in order to execute payloads and receive post-exploitation commands. The C2 connection settings are either hard-coded or pulled from a remote Pastebin URL.

    “Fileless malware continues to pose a significant challenge to modern cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution,” LevelBlue said. “Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate.”


    Source: thehackernews.com…

  • Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

    Sep 10, 2025 | Ravie Lakshmanan | Cybersecurity / Malware

    An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.

    “This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.

    “The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.”

    The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.

    The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that’s engineered to establish a “resilient foothold” on infected machines.

    The starting point of the multi-stage operation is a payload called EggStremeFuel (“mscorsvc.dll”) that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent.

    EggStremeFuel’s functions are realized by opening an active communication channel with a command-and-control (C2), enabling it to –

    • Get drive information
    • Start cmd.exe and establish communication via pipes
    • Gracefully close all connections and shutdown
    • Read a file from server and save it to disk
    • Read a local file from a given path and transmit its content
    • Send the external IP address by making a request to myexternalip[.]com/raw
    • Dump the in-memory configuration to disk

    Calling EggStremeAgent the “central nervous system” of the framework, Bitdefender said the backdoor works by monitoring new user sessions and injecting a keylogger component dubbed EggStremeKeylogger into each session to harvest keystrokes and other sensitive data. It communicates with a C2 server using the Google Remote Procedure Call (gRPC) protocol.

    It supports an impressive 58 commands that enable a broad range of capabilities to facilitate local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard (“xwizards.dll”).

    “The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain,” Zavadovschi noted.

    “This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline.”

    The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the fileless nature of the framework, causing malicious code to be loaded and executed directly in memory without leaving any traces on disk.

    “This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat,” Bitdefender said.

    “The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection.”


    Source: thehackernews.com…

  • CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems

    Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.

    According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures.

    CHILLYHELL is the name assigned to malware attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022.

    According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.

    The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple back in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware.

    Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS, and enters into a command loop to receive further instructions from its operators.

    To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon. As a backup mechanism, it alters the user’s shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file.

    A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags.

    “If it does not have sufficient permission to update the timestamps by means of a direct system call, it will fall back to using shell commands touch -c -a -t and touch -c -m -t respectively, each with a formatted string representing a date from the past as an argument included at the end of the command,” Jamf researchers Ferdous Saljooki and Maggie Zirnhelt said.
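    As an added example, not code from the article or from Jamf, the Python below implements two triage checks for the behaviours described in the last few paragraphs: a scan of shell profile lines for a backgrounded launch command from a temp directory or a hidden per-user path, and a timestamp check that relies on the fact that `touch -a -t` and `touch -m -t` rewrite atime and mtime but not ctime, which the kernel sets to the current time on any metadata change. The profile content, the path patterns and the gap threshold are constructed assumptions.

```python
"""Triage helpers for the two behaviours described above: shell profile
injection and timestomping.  Constructed illustration, not Jamf's detection
logic; the patterns and threshold are assumptions."""
import os
import re
import tempfile
import time

SHELL_PROFILES = (".zshrc", ".bash_profile", ".profile")

# A launch command appended to a profile: optional nohup, a program under a temp
# directory or a hidden/per-user Library path, run in the background.
SUSPICIOUS_LAUNCH = re.compile(
    r"(?:nohup\s+)?"
    r"(?:/(?:private/)?tmp/|/var/tmp/|(?:\$HOME|~)/(?:\.|Library/))\S+"
    r".*&\s*$"
)


def suspicious_profile_lines(text):
    """Return (line_no, line) for non-comment lines that match SUSPICIOUS_LAUNCH."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and SUSPICIOUS_LAUNCH.search(s):
            hits.append((n, s))
    return hits


def scan_home_profiles(home):
    """Apply the profile check to every shell profile that exists under `home`."""
    findings = {}
    for name in SHELL_PROFILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as f:
                hits = suspicious_profile_lines(f.read())
            if hits:
                findings[path] = hits
    return findings


def timestomp_indicators(path, gap_days=30):
    """Reasons a file's timestamps look manipulated.  touch -t rewrites atime or
    mtime, but the kernel sets ctime to 'now' on any metadata change, so a large
    mtime-to-ctime gap, or an mtime before the file's birth time, deserves a look.
    chmod/chown/rename also bump ctime, so this is triage, not proof."""
    st = os.stat(path)
    reasons = []
    gap = st.st_ctime - st.st_mtime
    if gap > gap_days * 86400:
        reasons.append(f"mtime is {gap / 86400:.0f} days older than ctime")
    birth = getattr(st, "st_birthtime", None)   # macOS/BSD expose creation time
    if birth is not None and st.st_mtime < birth - 1:
        reasons.append("mtime predates file creation")
    return reasons


SAMPLE_ZSHRC = """\
# constructed sample ~/.zshrc
export PATH="$HOME/bin:$PATH"
eval "$(/opt/homebrew/bin/brew shellenv)"
nohup ~/.cache/.updater >/dev/null 2>&1 &
"""


def demo():
    """Constructed run: a fake home with the sample profile, plus a file whose
    mtime is pushed a year back the way `touch -m -t` would."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".zshrc"), "w") as f:
            f.write(SAMPLE_ZSHRC)
        profile_hits = scan_home_profiles(home)
        p = os.path.join(home, "launcher")
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        fresh = timestomp_indicators(p)
        past = time.time() - 365 * 86400
        os.utime(p, (past, past))        # atime and mtime go back; ctime becomes now
        stomped = timestomp_indicators(p)
    return profile_hits, fresh, stomped
```

    The ctime gap alone is a weak signal, since any permission change or rename also refreshes ctime; on macOS the `st_birthtime` comparison is the stronger check, because a file cannot have been modified before it was created.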

    CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address, download a new version of the malware, fetch additional payloads, run a module named ModuleSUBF to enumerate user accounts from “/etc/passwd” and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server.

    “Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible,” Jamf said. “Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape.”

    “Notably, ChillyHell was notarized and serves as an important reminder that not all malicious code comes unsigned.”

    The findings dovetail with the discovery of ZynorRAT, a RAT that uses a Telegram bot called @lraterrorsbot (aka lrat) to commandeer infected Windows and Linux hosts. Evidence shows that the malware was first submitted to VirusTotal on July 8, 2025. It does not share any overlaps with other known malware families.

    Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution –

    • /fs_list, to enumerate directories
    • /fs_get, to exfiltrate files from the host
    • /metrics, to perform system profiling
    • /proc_list, to run the “ps” Linux command
    • /proc_kill, to kill a specific process by passing the PID as input
    • /capture_display, to take screenshots
    • /persist, to establish persistence

    ZynorRAT’s Windows version is near-identical to its Linux counterpart, while still resorting to Linux-based persistence mechanisms. This likely indicates that development of the Windows variant is a work in progress.

    “Its main purpose is to serve as a collection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot,” Sysdig researcher Alessandra Rizzo said. “Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine.”

    Further analysis of screenshots leaked via the Telegram bot has revealed that the payloads are distributed via a file-sharing service known as Dosya.co, and that the malware author may have “infected” their own machines to test out the functionality.

    ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin, given the language used in Telegram chats.

    “Although the malware ecosystem has no shortage of RATs, malware developers are still dedicating their time to creating them from scratch,” Rizzo said. “ZynorRAT’s customization and automated controls underline the evolving sophistication of modern malware, even within their earliest stages.”


    Source: thehackernews.com…

  • Apple iPhone Air and iPhone 17 Feature A19 Chips With Spyware-Resistant Memory Safety

    Sep 10, 2025 | Ravie Lakshmanan | Spyware / Vulnerability

    Apple on Tuesday revealed a new security feature called Memory Integrity Enforcement (MIE) that’s built into its newly introduced iPhone models, including iPhone 17 and iPhone Air.

    MIE, per the tech giant, offers “always-on memory safety protection” across critical attack surfaces such as the kernel and over 70 userland processes without sacrificing device performance, because the A19 and A19 Pro chips were designed with this protection in mind.

    “Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies,” the company noted.

    The effort aims to improve memory safety and to stop bad actors, specifically those deploying mercenary spyware, from weaponizing such flaws in the first place to break into devices as part of highly targeted attacks.

    The technology that underpins MIE is EMTE, an improved version of the Memory Tagging Extension (MTE) specification released by chipmaker Arm in 2019 to flag memory corruption bugs either synchronously or asynchronously.

    It’s worth noting that Google’s Pixel devices already have support for MTE as a developer option starting with Android 13. Similar memory integrity features have also been introduced by Microsoft in Windows 11.

    “The ability of MTE to detect memory corruption exploitation at the first dangerous access is a significant improvement in diagnostic and potential security effectiveness,” Google Project Zero researcher Mark Brand said in October 2023, coinciding with the release of Pixel 8 and Pixel 8 Pro.

    “The availability of MTE on a production handset for the first time is a big step forward, and I think there’s real potential to use this technology to make 0-day harder.”

    Apple said MIE transforms MTE from a “helpful debugging tool” into a groundbreaking new security feature, offering security protection against two common vulnerability classes – buffer overflows and use-after-free bugs – that could result in memory corruption.

    This essentially involves blocking out-of-bounds requests to access adjacent memory that has a different tag, and retagging memory as it gets reused for other purposes after it has been freed and reallocated by the system. As a result, requests to access retagged memory with an older tag (indicating use-after-free scenarios) also get blocked.

    “A key weakness of the original MTE specification is that access to non-tagged memory, such as global variables, is not checked by the hardware,” Apple explained. “This means attackers don’t have to face as many defensive constraints when attempting to control core application configuration and state.”

    “With Enhanced MTE, we instead specify that accessing non-tagged memory from a tagged memory region requires knowing that region’s tag, making it significantly harder for attackers to turn out-of-bounds bugs in dynamic tagged memory into a way to sidestep EMTE by directly modifying non-tagged allocations.”
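    The following Python is an added toy model, not Apple's or Arm's implementation, of the tag-checking behaviour described in the preceding paragraphs: memory is split into 16-byte granules each carrying a 4-bit tag, every pointer carries the tag it was issued with, adjacent allocations always receive different tags, freed memory is retagged before it is reused, and the `emte` switch models the difference between the original MTE rule (non-tagged memory is never checked) and the EMTE rule (accessing non-tagged memory requires that region's tag). The granule size and tag width follow Arm MTE; the allocator, its tag selection and the demo scenarios are assumptions.

```python
"""Toy model of MTE-style memory tagging (constructed illustration; not Apple's
or Arm's code).  Memory is split into 16-byte granules, each with a 4-bit tag;
a load or store faults when the pointer's tag and the granule's tag disagree."""

GRANULE = 16     # bytes per tag granule, as in Arm MTE
UNTAGGED = 0     # tag value modelling non-tagged memory such as globals


class TagFault(Exception):
    """Raised when a pointer's tag does not match the memory it touches."""


class TaggedMemory:
    def __init__(self, heap_granules=8, global_granules=2, emte=True):
        self.emte = emte                  # True: apply the EMTE rule to non-tagged memory
        self.heap_granules = heap_granules
        total = heap_granules + global_granules
        self.mem = bytearray(total * GRANULE)
        self.tags = [UNTAGGED] * total    # the global region stays UNTAGGED
        self.bump = 0                     # next never-allocated heap granule
        self.free_list = []               # (first_granule, count) of freed blocks
        self.next_tag = 1

    def _fresh_tag(self, first, count):
        """Pick a tag that differs from the block's current tag and from both
        neighbours, so an off-by-one into an adjacent block is caught."""
        avoid = {UNTAGGED, self.tags[first]}
        if first > 0:
            avoid.add(self.tags[first - 1])
        if first + count < len(self.tags):
            avoid.add(self.tags[first + count])
        tag = self.next_tag
        while tag in avoid:
            tag = tag % 15 + 1            # cycle through the 15 non-zero 4-bit tags
        self.next_tag = tag % 15 + 1
        return tag

    def malloc(self, size):
        count = -(-size // GRANULE)       # round up to whole granules
        for i, (first, n) in enumerate(self.free_list):
            if n == count:                # reuse a freed block, under a new tag
                del self.free_list[i]
                break
        else:
            first = self.bump
            if first + count > self.heap_granules:
                raise MemoryError("heap exhausted")
            self.bump += count
        tag = self._fresh_tag(first, count)
        for g in range(first, first + count):
            self.tags[g] = tag
        return (first * GRANULE, tag)     # a pointer is (address, tag)

    def free(self, ptr):
        addr, tag = ptr
        first = addr // GRANULE
        count = 0
        while first + count < self.heap_granules and self.tags[first + count] == tag:
            count += 1
        if count == 0:
            raise TagFault("free() with a stale or wrong tag")
        new_tag = self._fresh_tag(first, count)   # retag so stale pointers fault
        for g in range(first, first + count):
            self.tags[g] = new_tag
        self.free_list.append((first, count))

    def _check(self, ptr, offset):
        addr, tag = ptr
        a = addr + offset
        if not 0 <= a < len(self.mem):
            raise IndexError("outside modelled memory")
        mem_tag = self.tags[a // GRANULE]
        if mem_tag == UNTAGGED and not self.emte:
            return a                      # original MTE: non-tagged memory is never checked
        if mem_tag != tag:                # EMTE: the pointer must carry the region's tag
            raise TagFault(f"pointer tag {tag} != memory tag {mem_tag} at {a:#x}")
        return a

    def store(self, ptr, offset, value):
        self.mem[self._check(ptr, offset)] = value

    def load(self, ptr, offset):
        return self.mem[self._check(ptr, offset)]


def faults(fn):
    """True if fn() raises a tag fault."""
    try:
        fn()
        return False
    except TagFault:
        return True


def demo(emte):
    """Replay the bug classes from the text on a two-granule heap that is
    directly followed by one non-tagged global granule."""
    m = TaggedMemory(heap_granules=2, global_granules=1, emte=emte)
    a = m.malloc(16)
    b = m.malloc(16)
    m.store(a, 0, 0x41)
    r = {"in_bounds": m.load(a, 0) == 0x41}
    r["oob_into_neighbour"] = faults(lambda: m.load(a, GRANULE))   # lands in b's granule
    r["oob_into_globals"] = faults(lambda: m.load(b, GRANULE))     # lands in non-tagged memory
    m.free(a)
    r["use_after_free"] = faults(lambda: m.load(a, 0))
    c = m.malloc(16)                      # reuses a's granule under yet another tag
    m.store(c, 0, 0x42)
    r["stale_after_reuse"] = faults(lambda: m.store(a, 0, 0x43))
    r["fresh_ptr_ok"] = m.load(c, 0) == 0x42
    return r
```

    Running `demo(True)` and `demo(False)` shows the one scenario the two rules treat differently: the out-of-bounds read from the last heap block into the non-tagged global granule is silently allowed under the original MTE rule and faults under the EMTE rule, while the neighbour overflow and both use-after-free cases fault under either.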

    Cupertino said it has also developed what it calls Tag Confidentiality Enforcement (TCE) to secure the implementation of memory allocators against side-channel and speculative execution attacks such as TikTag, to which MTE was found susceptible last year. TikTag leaked the MTE tag associated with an arbitrary memory address by exploiting the fact that tag checks produce cache-state differences during speculative execution.

    “The meticulous planning and implementation of Memory Integrity Enforcement made it possible to maintain synchronous tag checking for all the demanding workloads of our platforms, delivering groundbreaking security with minimal performance impact, while remaining completely invisible to users,” it added.


    Source: thehackernews.com…

  • Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

    Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.

    Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3).

    “For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Satnam Narang, senior staff research engineer at Tenable, said. “Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities.”

    The patches are in addition to 12 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of August 2025’s Patch Tuesday update, including a security bypass bug (CVE-2025-53791, CVSS score: 4.7) that has been patched in version 140.0.3485.54 of the browser.

    The vulnerability that has been flagged as publicly known is CVE-2025-55234 (CVSS score: 8.8), a case of privilege escalation in Windows SMB.

    “SMB Server might be susceptible to relay attacks depending on the configuration,” Microsoft said. “An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.”

    The Windows maker said the update enables support for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA, allowing customers to assess their environment and detect any potential device or software incompatibility issues before deploying appropriate hardening measures.

    “The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn’t enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won’t support the recommended hardening options,” Adam Barnett, lead software engineer at Rapid7, said.

    Mike Walters, president and co-founder of Action, said the vulnerability stems from the fact that SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place.

    “This gap opens the door to man-in-the-middle relay attacks, where attackers can capture and forward authentication material to gain unauthorized access,” Walters added. “It can easily become part of a larger campaign, moving from phishing to SMB relay, credential theft, lateral movement, and eventually data exfiltration.”

    The CVE with the highest CVSS score for this month is CVE-2025-54914 (CVSS score: 10.0), a critical flaw impacting Azure Networking that could result in privilege escalation. It requires no customer action, given that it’s a cloud-related vulnerability.

    Two other shortcomings that merit attention include a remote code execution flaw in Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232, CVSS score: 9.8) and an elevation of privilege issue affecting Windows NTLM (CVE-2025-54918, CVSS score: 8.8) that could allow an attacker to gain SYSTEM privileges.

    “From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Kev Breen, senior director of threat research at Immersive, said.

    “The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”

    Lastly, the update also remediates a security flaw (CVE-2024-21907, CVSS score: 7.5) in Newtonsoft.Json, a third-party component used in SQL Server, that could be exploited to trigger a denial-of-service condition, as well as two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911, CVSS score: 7.3, and CVE-2025-54912, CVSS score: 7.8).

    Microsoft’s Hussein Alrubaye has been credited with discovering and reporting both BitLocker flaws. They add to four other vulnerabilities (collectively called BitUnlocker) in the full-disk encryption feature that Microsoft patched in July 2025 –

    • CVE-2025-48003 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation
    • CVE-2025-48800 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting ReAgent.xml Parsing
    • CVE-2025-48804 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing
    • CVE-2025-48818 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing

    Successful exploitation of any of the above four flaws could allow an attacker with physical access to the target to bypass BitLocker protections and gain access to encrypted data.

    “To further enhance the security of BitLocker, we recommend enabling TPM+PIN for pre-boot authentication,” Security Testing and Offensive Research at Microsoft (STORM) researchers Netanel Ben Simon and Alon Leviev said in a report last month. “This significantly reduces the BitLocker attack surfaces by limiting exposure to only the TPM.”

    “To mitigate BitLocker downgrade attacks, we advise enabling the REVISE mitigation. This mechanism enforces secure versioning across critical boot components, preventing downgrades that could reintroduce known vulnerabilities in BitLocker and Secure Boot.”

    The disclosure comes as Purple Team detailed a new lateral movement technique dubbed BitLockMove that involves the remote manipulation of BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific COM objects of BitLocker.

    BitLockMove, developed by security researcher Fabian Mosch, works by initiating a remote connection to the target host through WMI and copying a malicious DLL to the target over SMB. In the next phase, the attacker writes a new registry key that specifies the DLL path, ultimately causing BitLocker to load the copied DLL by hijacking its COM objects.

    “The purpose of the BitLocker COM Hijacking is to execute code under the context of the interactive user on a target host,” Purple Team said. “In the event that the interactive user has excessive privileges (i.e., domain administrator), this could also lead to domain escalation.”

    Software Patches from Other Vendors

    In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —


    Source: thehackernews.com…

  • China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations

    Sep 10, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    The House Select Committee on China has formally issued an advisory warning of an “ongoing” series of highly targeted cyber espionage campaigns linked to the People’s Republic of China (PRC) amid contentious U.S.–China trade talks.

    “These campaigns seek to compromise organizations and individuals involved in U.S.-China trade policy and diplomacy, including U.S. government agencies, U.S. business organizations, D.C. law firms and think tanks, and at least one foreign government,” the committee said.

    The committee noted that suspected threat actors from China impersonated Republican Congressman John Robert Moolenaar in phishing emails sent to trusted counterparts, with the aim of tricking them into opening files and links that would grant the attackers unauthorized access to their systems and sensitive information without their knowledge.

    The end goal of the attacks was to steal valuable data by abusing software and cloud services to cover up traces of their activity, a tactic often adopted by state-sponsored hackers to evade detection.

    “This is another example of China’s offensive cyber operations designed to steal American strategy and leverage it against Congress, the Administration, and the American people,” said Moolenaar, who is also the Chairman of the House Select Committee on the Communist Party of China (CCP). “We will not be intimidated, and we will continue our work to keep America safe.”

    The statement comes days after a report from The Wall Street Journal, which revealed on September 7, 2025, that several trade groups, law firms, and U.S. government agencies received an email message from Moolenaar asking their input on proposed sanctions against China.

    “Your insights are essential,” the contents of the message allegedly read, along with an attachment containing a draft version of the legislation that, when launched, deployed malware to gather sensitive data and gain entrenched access to the targeted organizations.

    The attack is believed to be the work of APT41, a prolific hacking group known for its targeting of diverse sectors and geographies for cyber espionage.

    “China firmly opposes and combats all forms of cyber attacks and cyber crime,” the Chinese embassy in Washington told Reuters in a statement. “We also firmly oppose smearing others without solid evidence.”

    “By impersonating Rep. Moolenaar (R-MI), a known Beijing critic, the attackers created urgency and legitimacy that encouraged fast responses,” Yejin Jang, vice president of government affairs at Abnormal AI, told The Hacker News.

    “Political communication extends beyond official government devices or accounts. Sophisticated adversaries understand this reality and actively exploit it. By masquerading as trusted officials through personal or non-official channels, attackers bypass traditional security controls while amplifying authenticity.”

    The committee also noted that the campaign follows another spear-phishing campaign in January 2025 that targeted its staffers with emails that falsely claimed to be from the North America representative of ZPMC, a Chinese state-owned crane manufacturer.

    The attack used fake file-sharing notifications in an attempt to trick the recipients into clicking on a link that’s designed to steal Microsoft 365 login credentials. The adversaries also exploited developer tools to create hidden pathways and covertly exfiltrated data straight to servers under their control.

    It’s worth noting that the committee, in September 2024, published an investigative report alleging how ZPMC’s dominance in the ship-to-shore (STS) port crane market could “serve as a Trojan horse” and help the CCP and China exploit and manipulate U.S. maritime equipment and technology at their request.

    “Based on the targeting, timing, and methods, and consistent with outside assessments, the Committee believes this activity to be CCP state-backed cyber-espionage aimed at influencing U.S. policy deliberations and negotiation strategies to gain an advantage in trade and foreign policy,” it said.


    Source: thehackernews.com…

  • The Time-Saving Guide for Service Providers: Automating vCISO and Compliance Services

    Introduction

    Managed service providers (MSPs) and managed security service providers (MSSPs) are under increasing pressure to deliver strong cybersecurity outcomes in a landscape marked by rising threats and evolving compliance requirements. At the same time, clients want better protection without managing cybersecurity themselves. Service providers must balance these growing demands with the need to work efficiently, deliver consistent results, and scale their offerings.

    Yet, many service providers still rely on manual processes that slow down delivery, make it harder to maintain consistency across clients, and limit the time teams have to focus on more strategic initiatives. Even experienced service providers can find themselves stretched thin as they try to meet rising client expectations while managing operational complexity.

    In this environment, automation offers an opportunity to work more effectively and deliver greater value. By streamlining repetitive tasks, improving consistency, and freeing up time and resources, automation helps providers expand their services, strengthen client relationships, and grow sustainably.

    We created The Service Provider’s Guide to Automating Cybersecurity and Compliance Management to help providers navigate the transition to automation. Inside, you’ll find a practical overview of current challenges, real-world examples, and guidance for identifying where automation can have the biggest impact.

    The Hidden Costs of Manual Work

    Tasks like risk assessments, policy development, framework mapping, remediation planning, and executive reporting often require 13 to 15 hours of manual work each. This level of effort places mounting pressure on internal teams, extends project timelines, and delays client outcomes, all of which can restrict growth.

    Over time, these inefficiencies quietly erode both profitability and service quality, making it harder to scale and compete effectively.

    Key hidden costs include:

    • Time delays that impact client satisfaction and slow down revenue cycles
    • Inconsistencies across assessments and documentation, undermining trust
    • Talent inefficiency as senior staff handle administrative work instead of strategic tasks
    • Missed revenue opportunities due to limited capacity for upselling or onboarding new clients

    Manual processes also create specific bottlenecks across five critical areas of service delivery:

    1. Onboarding & Assessments – Repetitive, slow, and often inconsistent
    2. Framework Mapping – Labor-intensive and prone to errors
    3. Remediation Management – Hard to scale and standardize
    4. Progress Reporting – Time-consuming and lacks consistency and clarity
    5. Service Customization – Manual adjustments reduce repeatability

    Automation is key to overcoming these barriers and unlocking scalable, high-margin service delivery.

    How Automation Can Help: 5 Key Use Cases

    According to The State of the Virtual CISO 2025 Report, vCISO providers using AI or automation report a 68% average reduction in cybersecurity and compliance workload over the past year.

    AI-powered technologies like Cynomi’s vCISO Platform automate and standardize vCISO workflows end-to-end, cutting manual effort by up to 70%. Here are the key areas where automation can make a measurable impact:

    1. Risk Assessments & Onboarding: Interactive, guided questionnaires and centralized data capture replace emails and interviews, cutting hours from onboarding timelines.
    2. Policy Development: Automated platforms generate client-specific policies mapped to frameworks like NIST and ISO.
    3. Compliance Tracking: Tasks are automatically mapped to frameworks and updated as standards evolve, reducing oversight and error risk.
    4. Remediation Planning: Tasks are prioritized and assigned automatically, allowing teams to track progress and outcomes in a centralized hub.
    5. Progress Reporting: Client-branded progress reports are generated in a few clicks, turning security activity into clear, business-focused insights without the usual delays.
    6. Standardizing Service Delivery: Automation streamlines core tasks like onboarding and compliance management, allowing providers to deliver consistent, high-quality services across clients without reinventing the wheel each time.

    The ROI of Automation

    One of the most effective ways to measure automation’s value is through work hours saved. Tasks that once took over 13 hours can now be completed in just a few, freeing up nearly 10 hours per task to reinvest elsewhere. Multiply that across clients, and the impact on margins and capacity becomes substantial.

    As Steve Bowman, Business Partner at Model Technology Solutions, noted, “When we started, it was four or five months before I’d have somebody doing an assessment on their own. Now it’s down to one month.” This dramatic improvement in ramp-up time underscores the transformative effect automation can have not only on day-to-day operations but also on long-term scalability.

    Here are some examples of time-consuming tasks and the time savings service providers achieve through automating them:

    For more real-world insights into how much time automation can save across key cybersecurity functions, explore The Service Provider’s Guide to Automating Cybersecurity and Compliance Management. It includes practical examples and a straightforward formula to calculate ROI in both hours and dollars, so you can instantly see the measurable benefits automation can bring.

    How to Implement Security and Compliance Automation

    Here’s a practical roadmap for managed service providers aiming to integrate automation into their vCISO or compliance operations.

    1. Assess Current Processes: Start by mapping your existing workflows, including onboarding, assessments, remediation planning, and reporting. Identify manual, repetitive tasks that slow you down or create inconsistencies.
    2. Define Automation Goals: Clarify what you want to achieve through automation, such as reducing task time, increasing capacity, or improving service consistency. Measurable goals help prioritize efforts and guide platform selection.
    3. Select a Deployment Model: Explore three options: build your own tools, use a GRC platform for compliance, or adopt an all-in-one cybersecurity and compliance management platform like Cynomi. Each varies in complexity, scalability, and resource demands.
    4. Pilot Before Scaling: Test your automation strategy with a single client or team to identify strengths, challenges, and integration needs before broader rollout.
    5. Train Teams and Clients: Provide tailored training and maintain open communication to ensure smoother adoption and build confidence in the new platform.
    6. Measure Impact and Optimize: Track key metrics, such as time saved and reporting turnaround. Use these insights to refine processes and maximize ROI.

    Conclusion: Automation Is the New Differentiator

    In today’s cybersecurity landscape, automation through AI has become a strategic necessity. It empowers service providers to streamline operations, deliver consistent value, and scale without increasing overhead. Those who embrace it position themselves to move faster, serve more clients, and elevate their role from technical support to trusted business advisor.

    Whether you’re just starting out or refining your current approach, The Service Provider’s Guide to Automating Cybersecurity and Compliance Management provides practical insights into current challenges, real-world examples, and guidance on what to automate, what to keep manual, and how to choose the right tools to scale effectively.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises

    Sep 10, 2025 · The Hacker News · Malware Analysis / Enterprise Security

    Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN have uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses.

    Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year.

    Why Salty2FA Raises the Stakes for Enterprises

    Salty2FA’s ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.

    Who is Being Targeted?

    ANY.RUN analysts mapped Salty2FA campaigns and found activity spanning multiple regions and industries, with US and EU enterprises most heavily hit.

    Region – Key Targeted Industries
    • United States – Finance, healthcare, government, logistics, energy, IT consulting, education, construction
    • Europe (UK, Germany, Spain, Italy, Greece, Switzerland) – Telecom, chemicals, energy (including solar), industrial manufacturing, real estate, consulting
    • Worldwide / Other – Logistics, IT, metallurgy (India, Canada, France, LATAM)

    When Did Salty2FA Start Hitting Enterprises?

    Based on data from the ANY.RUN Sandbox and TI, Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April. Confirmed campaigns have been active since late July and continue to this day, generating dozens of fresh analysis sessions daily.

    Real-World Case: How Salty2FA Exploits Enterprise Employees

    One recent case analyzed by ANY.RUN shows just how convincing Salty2FA can be in practice. An employee received an email with the subject line “External Review Request: 2025 Payment Correction”, a lure designed to trigger urgency and bypass skepticism.

    When opened in the ANY.RUN sandbox, the attack chain unfolded step by step:

    Malicious email with Salty2FA attack analyzed inside ANY.RUN sandbox

    Stage 1: Email lure

    The email contained a payment correction request disguised as a routine business message.

    Stage 2: Redirect and fake login

    The link led to a Microsoft-branded login page, wrapped in Cloudflare checks to bypass automated filters. In the sandbox, ANY.RUN’s Automated Interactivity handled the verification automatically, exposing the flow without manual clicks and cutting investigation time for analysts.

    Cloudflare verification completed automatically inside ANY.RUN sandbox

    Stage 3: Credential theft

    Employee details entered on the page were harvested and exfiltrated to attacker-controlled servers.

    Fake Microsoft page, ready to steal credentials from victims

    Stage 4: 2FA bypass

    If the account had multi-factor authentication enabled, the phishing page prompted for codes and could intercept push, SMS, or even voice call verification.

    By running the file in the sandbox, SOC teams could see the full execution chain in real time, from the first click to credential theft and 2FA interception. This level of visibility is critical, because static indicators like domains or hashes mutate daily, but behavioral patterns remain consistent. Sandbox analysis gives faster confirmation of threats, reduced analyst workload, and better coverage against evolving PhaaS kits like Salty2FA.

    Stopping Salty2FA: What SOCs Should Do Next

    Salty2FA shows how fast phishing-as-a-service is evolving and why static indicators alone won’t stop it. For SOCs and security leaders, protection means shifting focus to behaviors and response speed:

    • Rely on behavioral detection: Track recurring patterns like domain structures and page logic rather than chasing constantly changing IOCs.
    • Detonate suspicious emails in a sandbox: Full-chain visibility reveals credential theft and 2FA interception attempts in real time.
    • Harden MFA policies: Favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky logins.
    • Train employees on financial lures: Common hooks like “payment correction” or “billing statement” should always raise suspicion.
    • Integrate sandbox results into your stack: Feeding live attack data into SIEM/SOAR speeds detection and reduces manual workload.

    By combining these measures, enterprises can turn Salty2FA from a hidden risk into a known and manageable threat.

    Boost SOC Efficiency with Interactive Sandboxing

    Enterprises worldwide are turning to interactive sandboxes like ANY.RUN to strengthen their defenses against advanced phishing kits such as Salty2FA. The results are measurable:

    • 3× SOC efficiency by combining interactive analysis and automation.
    • Up to 50% faster investigations, cutting time from hours to minutes.
    • 94% of users report faster triage, with clearer IOCs and TTPs for confident decision-making.
    • 30% fewer Tier 1–Tier 2 escalations, as junior analysts gain confidence and senior staff are freed to focus on critical tasks.

    With visibility into 88% of threats in under 60 seconds, enterprises get the speed and clarity they need to stop phishing before it leads to a major breach.

    Try ANY.RUN today: built for enterprise SOCs that need faster investigations, stronger defenses, and measurable results.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • SAP Patches Critical NetWeaver (CVSS Up to 10.0) and High-Severity S/4HANA Flaws

    Sep 10, 2025 · Ravie Lakshmanan · Software Security / Vulnerability

    SAP on Tuesday released security updates to address multiple security flaws, including three critical vulnerabilities in SAP NetWeaver that could result in code execution and arbitrary file upload.

    The vulnerabilities are listed below –

    • CVE-2025-42944 (CVSS score: 10.0) – A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious payload to an open port through the RMI-P4 module, resulting in operating system command execution
    • CVE-2025-42922 (CVSS score: 9.9) – An insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an attacker authenticated as a non-administrative user to upload an arbitrary file
    • CVE-2025-42958 (CVSS score: 9.1) – A missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series that could allow highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities

    “[CVE-2025-42944] allows an unauthenticated attacker to execute arbitrary OS commands by submitting a malicious payload to an open port,” Onapsis said. “A successful exploit can lead to full compromise of the application. As a temporary workaround, customers should add P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port.”
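    The P4 port filtering that Onapsis recommends is configured through an ICM access control list attached to the P4 server port. The fragment below is an added illustration, not configuration from the article, SAP or Onapsis: it assumes instance number 00 (default P4 port 50004), and the ACL path and the permitted network ranges are placeholders to be replaced with the hosts that genuinely need P4 access (the system's own cluster nodes and administration workstations).

```text
# Instance profile entry (added example; instance 00 assumed, so the
# default P4 port is 50004; the ACLFILE path is a placeholder)
icm/server_port_2 = PROT=P4, PORT=50004, ACLFILE=/usr/sap/<SID>/SYS/global/security/data/p4_acl.txt

# Contents of p4_acl.txt (added example). Rules are evaluated top-down,
# so the final deny rejects every host not explicitly permitted.
# application server nodes of this system (placeholder range)
permit 10.0.10.0/24
# administration workstation (placeholder address)
permit 10.0.20.5/32
# everything else, including any Internet-facing source
deny 0.0.0.0/0
```

    The ICM must be restarted for the profile change to take effect, and the filter only limits who can reach the port; it does not remove the deserialization flaw, so the SAP update is still required.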

    Also addressed by SAP is a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1) that could permit an attacker with high privilege access to ABAP reports to delete the content of arbitrary database tables, should the tables not be protected by an authorization group.

    The patches arrive days after SecurityBridge and Pathlock disclosed that a critical security defect in SAP S/4HANA that was fixed by the company last month (CVE-2025-42957, CVSS score: 9.9) has come under active exploitation in the wild.

    While there is no evidence that the newly disclosed issues have been weaponized by bad actors, it’s essential that users move to apply the necessary updates as soon as possible for optimal protection.


    Source: thehackernews.com…