How to Get the Most Out of Cyber Insurance


COMMENTARY

Cybersecurity insurance is the fastest-growing segment of the global insurance market, and there’s a good reason for that. Cybersecurity has become one of the most critical requirements for organizations of all types — from small business to large corporation — as cyber threats remain constant. 

Unsurprisingly, cyber-insurance rates increased substantially from 2018 to 2022. Though overall cyber-insurance premiums began to decrease in 2023, many organizations are still seeing their rates rise.

Costs Are Increasing — for Those Able to Get Insured

The cyber-insurance industry is maturing just as quickly as cyber threats are growing in quantity, scale, and sophistication. As payouts and annual premiums increase, coverage limits are becoming more restrictive.

In a 2023 survey of US organizations, “79% saw insurance costs increase, with 67% facing an increase of 50-100%.” Smaller companies, with fewer than 250 employees, were more likely to be denied coverage than large businesses (28% versus 8%). The primary reason small businesses were rejected was their lack of security protocols.

The good news is that the work you do to strengthen your organization’s overall security posture and identity hygiene is also the work that will satisfy many of the compliance requirements underwriters are looking for — resulting in better security protections and better insurance coverage and premiums.

Tips to Ensure Affordable Cybersecurity Protection

Self-assess: Proactively assess your risk profile and ask yourself the hard questions before the underwriters do. Conduct a thorough self-assessment of your current cybersecurity posture, identifying strengths and weaknesses.

This process has two main benefits: 

  1. It gives you a clear picture of where you stand now. 

  2. It guides you to evaluate policy options that will cover your specific risks.

Don’t underestimate risks: Make sure not to underestimate your company’s or industry’s risks. Everyone is vulnerable to cyberattacks, not just traditional high-risk sectors such as financial services. In recent years, we’ve seen cyber incidents across many verticals, including healthcare, energy, and retail.

Insurance providers categorize rates based on industry-specific risks, comparing you to your peers in the process. Understand your sector’s unique vulnerabilities — even if you haven’t had to worry about them in the past — and be prepared to demonstrate how you’re addressing them.

Know your coverage limits: That leads me to my next piece of advice — understand your coverage limits. Thoroughly review the limits, sublimits, and exclusions in your policy. Pay close attention to what the coverage provides in terms of the full scope of potential losses, including third-party liabilities and regulatory fines. You can often negotiate terms, including specific clauses and deductibles, during the process.

Not all policies are the same. Many insurance providers focus on particular verticals or demographics. They each have different views of risk and leverage a range of data points to make their decisions. Do your research on individual providers to find the best fit for your organization, and regularly review your policy. The threat landscape is always changing, and the coverage you need may evolve along with it. Conduct periodic reviews of your policy well ahead of your renewal date to make sure it still meets your needs.

Understand your requirements: It’s important to pay attention to the compliance requirements. Many policies explicitly call out compliance requirements. Failing to meet these standards can result in having your claims denied. Carefully assess your policy’s requirements to verify that you are fulfilling them.

When engaging with insurance providers, be ready to show your work. Demonstrate the effectiveness of your security controls, particularly those related to identity hygiene. If you’re renewing your policy, show how you’ve matured your approach to cyber-risk since your last assessment. What tangible improvements have you made? What products are you using to automate processes?

Focus on areas that underwriters prioritize, such as privileged access management and credential protection. Quantify your progress by highlighting reductions in accounts with administrative access or new requirements for regular password updates. Providers are looking for year-over-year maturity — moving from ad hoc, manual approaches to clean, consistent, automated, and sustainable hygiene practices. Be sure that you are getting full credit for your hard work.

Conclusion

As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.

Prepare for increasingly rigorous risk assessments from providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.

Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.




Microsoft issues urgent dev warning to update .NET installer link



Microsoft is forcing .NET developers to quickly update their apps and developer pipelines so they do not use ‘azureedge.net’ domains to install .NET components, as the domain will soon be unavailable due to the bankruptcy and imminent shutdown of CDN provider Edgio.

Specifically, the domains “dotnetcli.azureedge.net” and “dotnetbuilds.azureedge.net” will be taken offline in the next few months, which could break the functionality of projects relying on the domains.

This includes developers using .NET installers residing on the affected domains, organizations using GitHub Actions or Azure DevOps with custom pipelines using those domains, Docker and script users with files and code referencing the retired domains, and more.

“We maintain multiple Content Delivery Network (CDN) instances for delivering .NET builds. Some end in azureedge.net. These domains are hosted by edg.io, which will soon cease operations due to bankruptcy. We are required to migrate to a new CDN and will be using new domains going forward,” explains Microsoft.

“It is possible that azureedge.net domains will have downtime in the near-term. We expect that these domains will be permanently retired in the first few months of 2025.”

Microsoft recommends that potentially impacted developers search their code, scripts, and configurations for references to azureedge.net and dotnetcli.blob.core.windows.net and replace them with builds.dotnet.microsoft.com.

During the transition, the new domains will be served by a combination of Edgio, Akamai, and Azure Front Door while Microsoft finalizes its distribution model with other CDN providers.

CI/CD teams need to ensure GitHub Actions (actions/setup-dotnet) and Azure DevOps tasks are updated to versions supporting the new domains, while updates for Azure DevOps Server are expected in early 2025.

Additionally, because new CDN domains are now in use, firewalls and egress allow-lists need to permit traffic to the new locations (builds.dotnet.microsoft.com and ci.dot.net), even where configurations are updated automatically.
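The search-and-replace step above, as an added example in Python (not Microsoft’s tooling and not from the article): it walks a source tree, reports every line that references an azureedge.net host or dotnetcli.blob.core.windows.net, and offers a rewrite to builds.dotnet.microsoft.com. The workflow, Dockerfile and script it scans are constructed for the demo, and the assumption that paths under the new host match the old ones must be checked against Microsoft’s migration guidance before a rewrite is committed.

```python
"""Find references to the retiring .NET CDN hosts in a source tree.

Added example, not Microsoft's tooling. Sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

# Hosts the article says are going away: anything under azureedge.net
# plus the older dotnetcli.blob.core.windows.net storage host.
RETIRED_HOST_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)*azureedge\.net\b|\bdotnetcli\.blob\.core\.windows\.net\b",
    re.IGNORECASE,
)
# Replacement host named in the article. That the URL path under it is the
# same as under the old host is an assumption: verify before rewriting.
NEW_HOST = "builds.dotnet.microsoft.com"

# File types worth scanning; "" covers extensionless files such as Dockerfile.
TEXT_SUFFIXES = {".yml", ".yaml", ".sh", ".ps1", ".cmd", ".json", ".xml",
                 ".props", ".targets", ".csproj", ".md", ".txt", ""}


def find_retired_hosts(text):
    """Return (line_number, host, stripped_line) for each retired-host reference."""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        for m in RETIRED_HOST_RE.finditer(line):
            hits.append((num, m.group(0).lower(), line.strip()))
    return hits


def rewrite_hosts(text):
    """Replace retired hosts with NEW_HOST; returns (new_text, replacements)."""
    return RETIRED_HOST_RE.subn(NEW_HOST, text)


def scan_tree(root):
    """Walk root and map each offending file (relative path) to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = find_retired_hosts(text)
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample repository: two files still on the old CDN, one migrated.
SAMPLE_FILES = {
    ".github/workflows/build.yml": (
        "name: build\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/setup-dotnet@v4\n"
        "      - run: curl -sSL https://dotnetcli.azureedge.net/dotnet/Sdk/8.0.100/"
        "dotnet-sdk-8.0.100-linux-x64.tar.gz -o sdk.tar.gz\n"
    ),
    "Dockerfile": (
        "FROM mcr.microsoft.com/dotnet/sdk:8.0\n"
        "ADD https://dotnetbuilds.azureedge.net/public/nightly.tar.gz /tmp/\n"
    ),
    "scripts/install.sh": (
        "#!/bin/sh\n# already migrated\n"
        "curl -sSL https://builds.dotnet.microsoft.com/dotnet/Sdk/8.0.100/"
        "dotnet-sdk-8.0.100-linux-x64.tar.gz -o sdk.tar.gz\n"
    ),
}


def demo():
    """Write the sample files to a temp dir, scan it, print and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        findings = scan_tree(tmp)
        for rel, hits in sorted(findings.items()):
            for num, host, line in hits:
                print(f"{rel}:{num}: {host} -> {line}")
        return findings


if __name__ == "__main__":
    demo()
```

Run scan_tree against the repository root in CI and fail the job when it returns anything; keep rewrite_hosts as a separate, reviewed step rather than an automatic fix, since the firewall allow-list for the new hosts has to be in place before the rewritten URLs will resolve.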

The tech giant notes that the timing is quite unfortunate, as impacted users are requested to take action during the holidays when most IT teams are understaffed.

When asked why Microsoft can’t simply transfer the domains and continue using them, Rich Lander, Program Manager of .NET at Microsoft, said it was not possible.

“We asked the same question. We were told that this option wasn’t being made available. We don’t have more information on that,” explained Lander.

The answer is confusing as Microsoft’s Scott Hanselman confirmed that Microsoft already obtained ownership of the domains, stating that “no other party will ever have access to use these domains.”

Because Microsoft owns the domains and has ruled out their reuse, the risk of a supply-chain compromise for projects that do not migrate is low. That still does not explain the sudden rush to migrate and the accompanying risk of operational disruption.

If you’re impacted, you can follow the issue more closely and access status updates on this GitHub page.

BleepingComputer contacted Microsoft with questions about this .NET domain migration but has not received a reply at this time.




New HIPAA Rules Mandate 72-Hour Data Restoration and Annual Compliance Audits


Dec 30, 2024 | Ravie Lakshmanan | Cybersecurity / Compliance

The United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has proposed new cybersecurity requirements for healthcare organizations with an aim to safeguard patients’ data against potential cyber attacks.

The proposal, which seeks to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996, is part of a broader initiative to bolster the cybersecurity of critical infrastructure, the OCR said.

The rule is designed to strengthen protections for electronic protected health information (ePHI) by updating the HIPAA Security Rule’s standards to “better address ever-increasing cybersecurity threats to the healthcare sector.”

To that end, the proposal, among other things, requires organizations to review their technology asset inventory and network map, identify potential vulnerabilities that could pose a threat to electronic information systems, and establish procedures to restore certain relevant electronic information systems and data within 72 hours of a loss.


Other notable clauses include carrying out a compliance audit at least once every 12 months, mandating encryption of ePHI at rest and in transit, enforcing the use of multi-factor authentication, deploying anti-malware protection, and removing extraneous software from relevant electronic information systems.

The Notice of Proposed Rulemaking (NPRM) also necessitates that healthcare entities implement network segmentation, set up technical controls for backup and recovery, as well as perform vulnerability scanning at least every six months and penetration testing at least once every 12 months.

The development comes as the healthcare sector continues to be a lucrative target with ransomware attacks, not only posing financial risk but also putting lives at stake by disrupting access to diagnostic equipment and critical systems that contain patient medical records.

“Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks,” Microsoft noted in October 2024. “However, a more significant reason these facilities are at risk is the potential for huge financial payouts.”

“Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner.”

According to data compiled by cybersecurity company Sophos, 67% of healthcare organizations were hit by ransomware in 2024, up from 34% in 2021. The root cause of a majority of these incidents has been traced to exploited vulnerabilities, compromised credentials, and malicious emails.

Furthermore, 53% of healthcare organizations that had data encrypted paid the ransom to restore access. The median ransom payment was at $1.5 million.


The increase in the rate of ransomware attacks against the healthcare entities has also been complemented by longer recovery times, with only 22% of victims fully recovering from an attack in a week or less, a significant drop from 54% in 2022.

“The highly sensitive nature of healthcare information and need for accessibility will always place a bullseye on the healthcare industry from cybercriminals,” Sophos CTO John Shier said. “Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, demonstrated by increasingly longer recovery times.”

Last month, the World Health Organization (WHO), a United Nations agency focused on global public health, characterized the ransomware attacks on hospitals and healthcare systems as “issues of life and death” and called for international cooperation to combat the cyber threat.





Happy 15th Anniversary, KrebsOnSecurity! – Krebs on Security


Image: Shutterstock, Dreamansions.

KrebsOnSecurity.com turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

In case you missed any of them, here’s a recap of 2024’s most-read stories. In January, KrebsOnSecurity told the story of a Canadian man who was falsely charged with larceny and lost his job after becoming the victim of a complex e-commerce scam known as triangulation fraud. This can occur when you buy something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, they purchase the item using stolen payment card data and your shipping address. In this scam, you receive what you ordered, and the only party left to dispute the transaction is the owner of the stolen payment card.

Triangulation fraud. Image: eBay Enterprise.

March featured several investigations into the history of various people-search data broker services. One story exposed how the Belarusian CEO of the privacy and data removal service OneRep had actually founded dozens of people-search services, including many that OneRep was offering to remove people from for a fee. That story quickly prompted Mozilla to terminate its partnership with OneRep, which Mozilla had bundled as a privacy option for Firefox users.

A story digging into the consumer data broker Radaris found its CEO was a fabricated identity, and that the company’s founders were Russian brothers in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites.

Radaris repeatedly threatened to sue KrebsOnSecurity unless that publication was retracted in full, alleging that it was replete with errors both factual and malicious. Instead, we doubled down and published all of the supporting evidence that wasn’t included in the original story, leaving little room for doubt about its conclusions. Fittingly, Radaris now pimps OneRep as a service when consumers request that their personal information be removed from the data broker’s website.

Easily the longest story this year was an investigation into Stark Industries Solutions, a large, mysterious new Internet hosting firm that materialized when Russia invaded Ukraine. That piece revealed how Stark was being used as a global proxy network to conceal the true source of cyberattacks and disinformation campaigns against enemies of Russia.

The homepage of Stark Industries Solutions.

Much of my summer was spent reporting a story about how advertising and marketing firms have created a global free-for-all where anyone can track the daily movements and associations of hundreds of millions of mobile devices, thanks to the ubiquity of mobile location data that is broadly and cheaply available.

Research published in September explored the dark nexus between harm groups and cybercrime communities consumed with perpetrating financial fraud. That analysis found an increasing number of young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

One focus of that story was a Canadian cybercriminal who used the nickname Judische. Identified by Mandiant as one of the most consequential threat actors of 2024, Judische was responsible for a hacking rampage that exposed private information on hundreds of millions of Americans. That story withheld Judische’s real name, but the reporting came in handy in late October when a 25-year-old Canadian man named Connor Riley Moucka was arrested and charged with 20 criminal counts connected to the Snowflake data extortions.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

In November, KrebsOnSecurity published a profile of Judische’s accomplice — a hacker known as Kiberphant0m — detailing how Kiberphant0m had left a trail of clues strongly suggesting that they are or recently were a U.S. Army soldier stationed in South Korea.

My reporting in December was mainly split between two investigations. The first profiled Cryptomus, a dodgy cryptocurrency exchange allegedly based in Canada that has become a major payment processor and sanctions evasion platform for dozens of Russian exchanges and cybercrime services online.

How to Lose a Fortune with Just One Bad Click told the sad tales of two cryptocurrency heist victims who were scammed out of six and seven figures after falling for complex social engineering schemes over the phone. In these attacks, the phishers abused at least four different Google services to trick targets into believing they were speaking with a Google representative, and into giving thieves control over their account with a single click. Look for a story here in early 2025 that will explore the internal operations of these ruthless and ephemeral voice phishing gangs.

Before signing off for 2024, allow me to remind readers that the reporting we’re able to provide here is made possible primarily by the ads you may see at the top of this website. If you currently don’t see any ads when you load this website, please consider enabling an exception in your ad blocker for KrebsOnSecurity.com. There is zero third-party content on this website, apart from the occasional YouTube video embedded as part of a story. More importantly, all of our ads are static images or GIFs that are vetted by me and served in-house directly.

Fundamentally, my work is supported and improved by your readership, tips, encouragement and, yes, criticism. So thank you for that, and keep it coming, please.

Here’s to a happy, healthy, wealthy and wary 2025. Hope to see you all again in the New Year!




LLMs could soon supercharge supply-chain attacks • The Register


Interview Now that criminals have realized there’s no need to train their own LLMs for any nefarious purposes – it’s much cheaper and easier to steal credentials and then jailbreak existing ones – the threat of a large-scale supply chain attack using generative AI becomes more real.

No, we’re not talking about a fully AI-generated attack from the initial access to the business operations shutdown. Technologically, the criminals aren’t there yet. But one thing LLMs are getting very good at is assisting in social engineering campaigns. 

And this is why Crystal Morin, former intelligence analyst for the US Air Force and cybersecurity strategist at Sysdig, anticipates seeing highly successful supply chain attacks in 2025 that originated with an LLM-generated spear phish. 

When it comes to using LLMs, “threat actors are learning and understanding and gaining the lay of the land just the same as we are,” Morin told The Register. “We’re in a footrace right now. It’s machine against machine.”

Sysdig, along with other researchers, in 2024 documented an uptick in criminals using stolen cloud credentials to access LLMs. In May, the container security firm documented attackers targeting Anthropic’s Claude models.

While they could have exploited this access to extract LLM training data, their primary goal in this type of attack appeared to be selling access to other criminals. This left the cloud account owner footing the bill — at the hefty price of $46,000 per day related to LLM consumption costs.

Digging deeper, the researchers discovered that the broader script used in the attack could check credentials for 10 different AI services: AI21 Labs, Anthropic, AWS Bedrock, Azure, ElevenLabs, MakerSuite, Mistral, OpenAI, OpenRouter, and GCP Vertex AI.

We’re in a footrace right now. It’s machine against machine

Later in the year, Sysdig spotted attackers attempting to use stolen credentials to enable LLMs that the victim’s cloud account had not yet turned on.

The threat research team calls any attempt to illegally obtain access to a model “LLMjacking,” and in September reported that these types of attacks were “on the rise, with a 10x increase in LLM requests during the month of July and 2x the amount of unique IP addresses engaging in these attacks over the first half of 2024.”

According to Sysdig, the cost to victims is significant: it can exceed $100,000 per day when the victim organization is using newer models such as Claude 3 Opus.

Plus, victims are forced to pay for people and technology to stop these attacks. There’s also a risk of enterprise LLMs being weaponized, leading to further potential costs.
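The LLMjacking pattern described above (stolen cloud credentials used to invoke or enable models, with a sharp rise in request volume and in the number of source IPs) is something a detection engineer can catch in the cloud provider’s audit log. The following is an added example in Python, not Sysdig’s tooling and not from the article: it parses CloudTrail-style Bedrock events and flags a principal that invokes models from an IP never seen during its baseline, that exceeds ten times its baseline hourly inference rate in any hour, or that calls a model-enablement API at all. The events are constructed for the demo; the enablement event names, the baseline window and the spike factor are assumptions to be tuned per environment.

```python
"""Detect LLMjacking-style abuse from cloud audit events.

Added example, not Sysdig's tooling. Field names follow CloudTrail
(eventTime, eventName, userIdentity.arn, sourceIPAddress,
requestParameters.modelId); all log lines below are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# InvokeModel* are the Bedrock inference calls. The enablement names are an
# assumption for "switching a model on"; adapt them to your provider's log.
INFERENCE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}
ENABLEMENT_EVENTS = {"PutFoundationModelEntitlement", "PutUseCaseForModelAccess"}


def parse_events(lines):
    """Parse one JSON audit event per line into a flat dict."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(raw["eventTime"].replace("Z", "+00:00")),
            "name": raw["eventName"],
            "principal": raw["userIdentity"]["arn"],
            "ip": raw["sourceIPAddress"],
            "model": (raw.get("requestParameters") or {}).get("modelId", ""),
        })
    return events


def detect(events, baseline_end, baseline_hours=24, spike_factor=10):
    """Return sorted (kind, principal, detail) alerts for events after baseline_end.

    Events before baseline_end form the baseline: the source IPs each principal
    normally uses and its average hourly inference rate. After that point, alert on
    a never-seen IP, on an hour with > spike_factor x the baseline rate, and on any
    model-enablement call.
    """
    baseline_ips = defaultdict(set)
    baseline_calls = Counter()
    for e in events:
        if e["time"] < baseline_end:
            baseline_ips[e["principal"]].add(e["ip"])
            if e["name"] in INFERENCE_EVENTS:
                baseline_calls[e["principal"]] += 1

    alerts = set()
    hourly = Counter()
    for e in events:
        if e["time"] < baseline_end:
            continue
        if e["name"] in ENABLEMENT_EVENTS:
            alerts.add(("model_enablement", e["principal"],
                        f"{e['name']} {e['model']} from {e['ip']}"))
        if e["ip"] not in baseline_ips[e["principal"]]:
            alerts.add(("new_source_ip", e["principal"], e["ip"]))
        if e["name"] in INFERENCE_EVENTS:
            hour = e["time"].replace(minute=0, second=0, microsecond=0)
            hourly[(e["principal"], hour)] += 1

    for (principal, hour), n in hourly.items():
        expected = baseline_calls[principal] / baseline_hours
        if n > spike_factor * max(expected, 1.0):  # floor of 1/h avoids div-by-quiet
            alerts.add(("inference_spike", principal,
                        f"{n} calls in hour starting {hour.isoformat()}"))
    return sorted(alerts)


# Constructed demo data: documentation IP ranges, fictitious account and users.
APP = "arn:aws:iam::123456789012:user/app-svc"
DEV = "arn:aws:iam::123456789012:user/dev-notebook"
MODEL = "anthropic.claude-3-opus-20240229-v1:0"
BASELINE_END = datetime(2024, 7, 8, 0, 0, tzinfo=timezone.utc)


def _event(t, name, principal, ip, model=MODEL):
    return json.dumps({
        "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "bedrock.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": principal},
        "sourceIPAddress": ip,
        "requestParameters": {"modelId": model},
    })


def constructed_log():
    """One quiet day, then one hour in which app-svc's leaked key is abused."""
    lines = [_event(BASELINE_END - timedelta(hours=24 - h), "InvokeModel", APP, "203.0.113.10")
             for h in range(24)]  # app-svc: one call per hour from its usual egress IP
    lines.append(_event(BASELINE_END - timedelta(hours=3), "InvokeModel", DEV, "203.0.113.20"))
    attacker_ip = "198.51.100.7"  # new IP, enables the model, then hammers it
    lines.append(_event(BASELINE_END + timedelta(minutes=5),
                        "PutFoundationModelEntitlement", APP, attacker_ip))
    lines += [_event(BASELINE_END + timedelta(minutes=6 + m), "InvokeModel", APP, attacker_ip)
              for m in range(30)]
    lines.append(_event(BASELINE_END + timedelta(minutes=40), "InvokeModel", DEV, "203.0.113.20"))
    return lines


def run_demo():
    alerts = detect(parse_events(constructed_log()), BASELINE_END)
    for kind, principal, detail in alerts:
        print(f"[{kind}] {principal}: {detail}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The three checks are deliberately independent: a leaked key used from the victim’s own egress range still trips the volume rule, and an attacker who paces requests to stay under it still trips the new-IP and enablement rules. In production, feed the same logic from a SIEM query over the provider’s audit trail and alert on the per-principal cost as well, since that is what the victim ends up paying.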

2025: The year of LLM phishing?

In 2025, “the greatest concern is with spear phishing and social engineering,” Morin said. “There’s endless ways to get access to an LLM, and they can use this GenAI to craft unique, tailored messages to the individuals that they’re targeting based on who your employer is, your shopping preferences, the bank that you use, the region that you live in, restaurants and things like that in the area.”

In addition to helping attackers overcome language barriers, this can make messages sent via email or social media messaging apps appear even more convincing because they are expressly crafted for the individual victims. 

“They’re going to send you a message from this restaurant that’s right down the street, or popular in your town, hoping that you’ll click on it,” Morin added. “So that will enable their success quite a bit. That’s how a lot of successful breaches happen. It’s just the person-on-person initial access.”

She pointed to the Change Healthcare ransomware attack – for which, we should make very clear, there is no evidence suggesting it was assisted by an LLM – as an example of one of 2024’s hugely damaging breaches. 

In this case, a ransomware crew locked up Change Healthcare’s systems, disrupting thousands of pharmacies and hospitals across the US and accessing private data belonging to around 100 million people. It took the healthcare payments giant nine months to restore its clearinghouse services following the attack.

It will be a very small, simple portion of the attack chain with potentially massive impact

“Going back to spear phishing: imagine an employee of Change Healthcare receiving an email and clicking on a link,” Morin said. “Now the attacker has access to their credentials, or access to that environment, and the attacker can get in and move laterally.”

When and if we see this type of GenAI assist, “it will be a very small, simple portion of the attack chain with potentially massive impact,” she added.

While startups and established companies are releasing security tools that use AI to detect and block phishing emails, there are some simple steps everyone can take to avoid falling for any type of phishing attempt. “Just be careful what you click,” Morin advised.

Think before you click

Also: pay close attention to the email sender. “It doesn’t matter how good the body of the email might be. Did you look at the email address and it’s some crazy string of characters or some weird address like name@gmail but it says it’s coming from Verizon? That doesn’t make sense,” she added. 

LLMs can also help criminals craft a domain with different alphanumerics based on legitimate, well-known company names, and they can use various prompts to make the sender look more believable. 

Even voice-call phishing will likely become harder to distinguish because of AI used for voice cloning, Morin believes.

“I get, like, five spam calls a day from all over the country and I just ignore them because my phone tells me it’s spam,” she noted.

“But they use voice cloning now, too,” Morin continued. “And most of the time when people answer your phone, especially if you’re driving or something, you’re not actively listening, or you’re multitasking, and you might not catch that this is a voice clone – especially if it sounds like someone that’s familiar, or what they’re saying is believable, and they really do sound like they’re from your bank.”

We saw a preview of this during the run-up to the 2024 US presidential election, when AI-generated robocalls impersonating President Biden urged New Hampshire voters not to participate in the state’s presidential primary.

Since then, the FTC has offered a $25,000 prize to solicit ideas on the best ways to combat AI voice cloning, and the FCC declared AI-generated robocalls illegal.

Morin doesn’t expect this to be a deterrent to criminals. 

“If there’s a will, there’s a way,” she opined. “If it costs money, then they’ll figure out a way to get it for free.” ®




Ukrainian sentenced to five years in jail for work on Raccoon Stealer


Ukrainian national Mark Sokolovsky was sentenced Wednesday to five years in federal prison for his role in operating Raccoon Infostealer malware, which infiltrated millions of computers worldwide to steal personal data.

According to court documents, Sokolovsky, 28, was integral to operations that allowed the leasing of Raccoon Infostealer for $200 per month, payable via cryptocurrency. Users predominantly deployed this malware through phishing schemes to extract data from unsuspecting victims. The stolen data included log-in credentials, financial information, and other personal records, often used for financial crimes or sold on cybercrime forums.

Raccoon Infostealer, a potent tool in the cybercriminal arsenal, was dismantled by international law enforcement, alongside Sokolovsky’s arrest, in March 2022. In October 2022, a grand jury indicted Sokolovsky — also known as “Photix,” “raccoonstealer,” and “black21jack77777” —  for charges including conspiracy to commit fraud, money laundering, and aggravated identity theft. He was extradited from the Netherlands to the U.S. in February. 

Mark Sokolovsky was sentenced Wednesday to five years in federal prison. (Department of Justice)

In a plea deal reached in October, Sokolovsky agreed to forfeit $23,975 and pay restitution of at least $910,844.61. His actions were linked to compromising over 52 million user credentials, which facilitated fraud, identity theft, and ransomware attacks affecting victims worldwide.

U.S. Attorney Jaime Esparza for the Western District of Texas described Sokolovsky as a pivotal figure in an international conspiracy that enabled amateurs to commit significant cybercrimes.  He praised the teamwork of international law enforcement in capturing Sokolovsky and promised to keep working hard to fight cybercrime.

The Raccoon Infostealer had reportedly claimed to cease operations in March 2022 following the death of a developer in the Russian invasion of Ukraine. However, reports suggested a resurgence of the malware by June 2022. 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




Quantum Computing Advances in 2024 Put Security In Spotlight


The quest to create a useful quantum computer reached a significant milestone at the end of 2024 with Google’s announcement of its Willow chip. The chip promises reduced noise and fewer errors as the number of qubits grows — a necessary step to advance toward advanced quantum computing. Despite some debate on when these systems will actually become available, experts still advise making plans and migrating to post-quantum technologies.

The shift from today’s technology, where adding more qubits adds more noise, to a future where increasing the number of qubits exponentially reduces the amount of noise — an achievement known as “threshold scalability” — conquers a major impediment to quantum computers. Creating a 1,000-qubit quantum computer requires foundational advancements beyond today’s noisy intermediate-scale quantum (NISQ) computers to create reliable logical qubits that can be used in easily scaled architectures.

The Google announcement marks “a significant leap forward,” says Karl Holmqvist, founder and CEO at Lastwall, an identity services provider focused on quantum resilience.

“Companies should be starting to get concerned about a usable quantum computer now,” Holmqvist says. “This is not because there is proof of a cryptographically relevant quantum computer yet. It is because there are active campaigns that are currently taking place to capture encrypted data and store it until there is a system that can break our asymmetric encryption.”


The threat posed by quantum computers seems to be becoming more real every day. In addition to Google’s Willow chip announcement, Microsoft announced in November that it had reached a 24-qubit milestone with Atom Computing using lasers, while Japanese researchers from the Riken Quantum Computer Research Center announced a “general-purpose” optical quantum computer.

The future implications could be dire. The Hudson Institute, a free-market think tank, warns that quantum computers pose a systemic cyber-risk to financial systems; it published two papers describing risks of disruption to the US financial system and cryptocurrencies.

Less Than a Decade Away?

Quantum computing is one of those technologies that many have perennially predicted is only a decade away. Currently, the median estimate among experts is that within 15 years, a quantum computer will be able to break RSA-2048 in 24 hours, according to the “Quantum Threat Timeline Report 2024.”

GRI quantum computing survey

While many experts see the possibility of a useful quantum computer in less than a decade — based on three key areas: hardware progression, error correction, and algorithm development — useful quantum computers still have a long way to go before they become possible. For example, while Google’s work on Willow is a major step toward making error correction — mainly a theoretical field before this decade — more achievable in larger quantum computing chips, achieving this step is just the second milestone out of six listed on its quantum computer road map.


In addition, gauging the risk is difficult, with terms such as “threshold scalability” and “quantum supercomputers” muddying the waters, says Rebecca Krauthamer, co-founder and CEO of QuSecure.

“There’s so much complicated vocabulary when it comes to quantum, the thing that people need to look out for is when they start seeing quantum computers beginning to solve problems that they recognize,” Krauthamer says. “So whether it’s improved battery technology, or route optimization for self-driving cars, or optimized portfolio management, or breaking encryption — that’s the time everybody should have already migrated to post-quantum technologies, and not just post-quantum but crypto-agile management of cryptography.”

Yet the lack of significant benefits for the private sector could put a damper on development. The Boston Consulting Group, for example, points out that quantum computing programs have had difficulty converting effort into value.

“Quantum computing today provides no tangible advantage over classical computing in either commercial or scientific applications,” BCG stated in a July analysis. “Though experts agree that there are clear scientific and commercial problems for which quantum solutions will one day far surpass the classical alternative, the newer technology has yet to demonstrate this advantage at scale.”

Experts Still Urge Preparation

In addition, the point at which nation-states could use quantum computers to break encryption could be sooner, increasing the risk for some industries. Quantinuum, for example, accelerated its road map for fully fault-tolerant quantum computing to 2030 and warns that quantum secure solutions will likely be necessary before 2035.

“Given where we stand today, the need to complete migration to PQC [post-quantum computing] to effectively protect sensitive data needs to be prioritized,” says Duncan Jones, head of cybersecurity for Quantinuum.

Quantinuum expects incremental advances in the next few years. That includes improvements in error correction and qubit scaling, continued research into applications such as quantum decryption, and, as a result, greater adoption of PQC technologies, such as post-quantum encryption, quantum key distribution, and quantum random number generation (QRNG), says the company’s Jones.

“Organizations implementing quantum-safe strategies today should focus on PQC migration while ensuring their cryptographic foundations are as strong as possible through the use of QRNGs,” he says. “This approach provides immediate security benefits while preparing for future quantum-safe technologies.”

Google acknowledges that while its error correction breakthrough is significant, there is a difference between theory and practice.

“We still have a long way to go before we reach our goal of building a large-scale, fault-tolerant quantum computer,” two members of the Google Quantum AI team stated in a blog post. “The engineering challenge ahead of us is immense.”


Hackers steal ZAGG customers’ credit cards in third-party breach

ZAGG Inc. is informing customers that their credit card data has been exposed to unauthorized individuals after hackers compromised a third-party application provided by the company’s e-commerce provider, BigCommerce.

ZAGG is a consumer electronics accessories maker known for its mobile accessories, such as screen protectors, phone cases, keyboards, and power banks. The Utah-based company has an annual revenue of $600 million.

According to the letter sent to impacted individuals, the attacker breached the FreshClicks app provided by BigCommerce and injected malicious code that stole shoppers’ card details.

“We learned that an unknown actor injected into the FreshClick app malicious code that was designed to scrape credit card data entered as part of the checkout process for certain ZAGG.com customer transactions between October 26, 2024 and November 7, 2024.” – ZAGG

BigCommerce is an Austin-based software-as-a-service (SaaS) e-commerce platform provider that serves a diverse range of businesses, from small enterprises to large corporations, across various industries and regions.

FreshClick is a third-party app that helps create applications and responsive websites for the BigCommerce platform. It is designed to enhance the functionality of electronic stores and improve customer experience.

Although FreshClick isn’t developed directly by BigCommerce, it is offered through the platform’s app marketplace, which is a curated space for merchants to find and install add-ons for their shops.

In a statement for BleepingComputer, BigCommerce emphasized that its systems were not breached or compromised. Using internal tools, BigCommerce discovered that the FreshClicks App had been hacked and uninstalled it from its customers’ stores.

“Using our internal tools and in communication with the partner, we verified the third-party FreshClicks App was compromised. Acting in the best interest of our customers and their shoppers, we immediately uninstalled the app in their stores, which removed any compromised APIs and malicious code” – BigCommerce

As a result of this data breach, the attacker stole names, addresses, and payment card data belonging to shoppers at zagg.com between October 26 and November 7, 2024.

In response to this incident, ZAGG implemented remediation measures, notified federal law enforcement and regulators, and arranged for impacted individuals to receive a free-of-charge, 12-month credit monitoring service through Experian.

Letter recipients were also advised to monitor financial account activity closely, place fraud alerts, and consider placing a credit freeze.

ZAGG has not disclosed yet how many customers were impacted by this security breach.

BigCommerce’s store currently lists six add-ons created by FreshClick, which collectively have 178 reviews. However, the compromised plugin may have been temporarily removed.


Over 80% of Targets Found in Russia


Dec 27, 2024 | Ravie Lakshmanan | Cyber Attack / Data Theft

The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting “several dozen users” in 2024.

“Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code,” Kaspersky researcher Oleg Kupreev said in an analysis published this week.

More than 80% of the targets were located in Russia. A lesser number of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

Also referred to as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas is an unattributed threat activity cluster that has been active since 2014. In December 2022, the group was linked to cyber attacks aimed at Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower.


Then exactly a year later, Russian cybersecurity company F.A.C.C.T. revealed that various entities in the country were targeted by spear-phishing attacks that exploited an old Microsoft Office Equation Editor flaw (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload responsible for downloading an unknown next-stage VBS malware.

Kaspersky’s latest report reveals that these components are part of what it calls VBShower, which is then used to download and install PowerShower as well as VBCloud.

The starting point of the attack chain is a phishing email that contains a booby-trapped Microsoft Office document that, when opened, downloads a malicious template formatted as an RTF file from a remote server. It then abuses CVE-2018-0802, another flaw in the Equation Editor, to fetch and run an HTML Application (HTA) file hosted on the same server.

“The exploit downloads the HTA file via the RTF template and runs it,” Kupreev said. “It leverages the alternate data streams (NTFS ADS) feature to extract and create several files at %APPDATA%\Roaming\Microsoft\Windows\. These files make up the VBShower backdoor.”

This includes a launcher, which acts as a loader by extracting and running the backdoor module in memory. The other VB Script is a cleaner that takes care of erasing the contents of all files inside the “\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\” folder, in addition to those within itself and the launcher, thereby covering up evidence of the malicious activity.

The VBShower backdoor is designed to retrieve more VBS payloads from the command-and-control (C2) server; these payloads come with capabilities to reboot the system; gather information about files in various folders, names of running processes, and scheduler tasks; and install PowerShower and VBCloud.
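The drop pattern described above (an HTA writing NTFS alternate data streams and VBS files under the profile's Microsoft\Windows folder, a cleaner wiping Content.Word, and a logon-triggered task) can be turned into a simple hunt over endpoint telemetry. The detection logic below is an added example, not Kaspersky's code: it runs over constructed Sysmon-style records (field names follow Sysmon Event IDs 1, 11, 15 and 23; paths, user name and task name are invented), and it assumes the cleaner and the scheduled task run under wscript.exe, which the article does not state.

```python
import re

# Expanded form of the %APPDATA%\Microsoft\Windows\ drop directory named in
# the write-up; one path component after it, so subfolders are not matched.
VBSHOWER_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\[^\\]+$", re.I)
# Folder the cleaner module wipes, per the article.
CONTENT_WORD = re.compile(r"\\Temporary Internet Files\\Content\.Word\\", re.I)


def flag_event(ev):
    """Return a reason string if the event matches the VBShower chain, else None."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "")
    cmd = ev.get("CommandLine", "").lower()
    if eid == 15 and VBSHOWER_DIR.search(target):
        # Event 15 = FileCreateStreamHash: an ADS written under the drop dir
        return f"ADS written under VBShower drop dir by {image}: {target}"
    if eid == 11 and image.endswith("mshta.exe") and target.lower().endswith(".vbs"):
        # Event 11 = FileCreate: the HTA host dropping a script to disk
        return f"mshta.exe wrote a VBS file: {target}"
    if eid == 23 and image.endswith("wscript.exe") and CONTENT_WORD.search(target):
        # Event 23 = FileDelete: assumed cleaner erasing the template cache
        return f"script host deleted Word template cache entry: {target}"
    if eid == 1 and image.endswith("schtasks.exe") and "/sc onlogon" in cmd and "wscript" in cmd:
        # Event 1 = ProcessCreate: assumed logon task that launches VBCloud
        return f"logon-triggered task running a script host: {cmd}"
    return None


def scan(events):
    """Return the reasons for every flagged event, in input order."""
    return [r for r in (flag_event(e) for e in events) if r]


# Constructed sample telemetry (not real logs); the last record is benign.
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\launcher.vbs:data"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\cleaner.vbs"},
    {"EventID": 23, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS1.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "wscript.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\cloud.vbs"'},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
]

if __name__ == "__main__":
    for reason in scan(SAMPLE_EVENTS):
        print(reason)
```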

PowerShower is analogous to VBShower in functionality, the chief difference being that it downloads and executes next-stage PowerShell scripts from the C2 server. It’s also equipped to serve as a downloader for ZIP archive files.

As many as seven PowerShell payloads have been observed by Kaspersky. Each of them carries out a distinct task as follows –

  • Get a list of local groups and their members on remote computers via Active Directory Service Interfaces (ADSI)
  • Conduct dictionary attacks on user accounts
  • Unpack the ZIP archive downloaded by PowerShower and execute a PowerShell script contained within it in order to carry out a Kerberoasting attack, which is a post-exploitation technique for obtaining credentials for Active Directory accounts
  • Get a list of administrator groups
  • Get a list of domain controllers
  • Get information about files inside the ProgramData folder
  • Get the account policy and password policy settings on the local computer

VBCloud also functions a lot like VBShower, but utilizes a public cloud storage service for C2 communications. It gets triggered by a scheduled task every time a victim user logs into the system.

The malware is equipped to harvest information about disks (drive letter, drive type, media type, size, and free space), system metadata, files and documents matching extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, and files related to the Telegram messaging app.

“PowerShower probes the local network and facilitates further infiltration, while VBCloud collects information about the system and steals files,” Kupreev said. “The infection chain consists of several stages and ultimately aims to steal data from victims’ devices.”


How LockBit and ALPHV’s takedowns fueled RansomHub’s rise • The Register


RansomHub, the ransomware collective that emerged earlier this year, quickly gained momentum, outpacing its criminal colleagues and hitting its victims especially hard. The group named and shamed hundreds of organizations on its leak site, while demanding exorbitant payments across various industries.

The group, a suspected Knight rebrand, first appeared in February and quickly picked up out-of-work affiliates from LockBit following that crew’s law enforcement takedown around the same time. RansomHub also eagerly filled the void left by ALPHV/BlackCat after that group’s widely reported exit scam in March – bragging about recruiting affiliates from both defunct groups via TOX and cyber crime forums.

By August, just six months after setting up shop, RansomHub had claimed 210 victims and drawn the attention of the FBI, CISA, and other government agencies gunning for cyber criminals. Its victims allegedly include auction house Christie’s, Frontier Communications, US pharmacy chain Rite Aid, Planned Parenthood, and Delaware public libraries, among many others.

Its brand of malware has since become the encryptor of choice for Scattered Spider and other sophisticated criminals, and the gang posted a record-high 98 victims on its leak site in November. 

But, as other prolific digital thieves – including Scattered Spider – have learned, a string of high-profile attacks paints a very large target on the group and its affiliates. While it’s much more difficult to apprehend ransomware crooks who are given safe harbor by Russian prosecutors, even cyber criminals take holidays – and sometimes, the cops are waiting to make arrests during those moments.

‘Most active and significant’ ransomware threat

“I don’t want to put RansomHub up on a pedestal. They are an opportunistic group,” Michael McPherson, SVP of Security Operations at ReliaQuest, told The Register. “But they were smart to make this landgrab when they did. It will be interesting to see how long they can keep this run going.”

During its brief tenure, the Russia-linked group has made a name for itself as “the current most active and significant threat in ransomware activity,” according to an October 30 report from ReliaQuest, which called the gang the most dominant ransomware group during the third quarter of 2024.

“It’s an interesting group that did have a meteoric rise and almost seems to come out of nowhere,” conceded McPherson, a former FBI special agent. “There was an obvious effort for RansomHub to gain affiliates. They’re very, I would say, generous in their model and advertising a 90–10 split.”

This means the affiliates who pull off the attack may keep 90 percent of the extortion payment while the ransomware operators receive 10 percent. An 80–20 or 70–30 split is more common among these crime crews, so the higher payout makes it easier for the new kids on the block to attract more workers.


“These affiliates will go where the money is, and if somebody pays more, it would be silly not to go there,” McPherson opined, adding that this business model “would feed RansomHub’s ability to go out and hit so many victims at once by having a large affiliate base.”

Additionally, RansomHub’s operators on their dark web sites like to tout transparency with their affiliates – likely an effort to build trust with fellow criminals, following ALPHV’s alleged exit scam.

“There’s marketing involved,” McPherson observed. “They are reaching out to affiliates, trying to be more of a partner with them. They’re trying to evolve and take advantage of the cyber criminal landscape to grab market share. That’s what they want.”

Crew ‘moved fast and filled a void’

Still, the group’s tactics are not unique, he noted. The group employs repurposed Knight code and double-extortion methods – which are used by most ransomware gangs today.

This involves first breaking into their victims’ network and stealing valuable files, and then encrypting the data on the network, while also extorting the orgs for massive sums of money on dark web leak sites.

“Their actual tactics are not unique, but their ability to move fast and fill a void is what makes them so noteworthy at this moment in time,” McPherson told us. “Or maybe they’re just trying to run as hard and fast as they can, because they know they’re protected where they are.”

ZeroFox analysts have also tracked RansomHub’s rise this year, and reported the group accounted for about 2 percent of all attacks in Q1, 5.1 percent in Q2, 14.2 percent in Q3, and about 20 percent in Q4.


“The greatest threat in early 2025 will very likely emanate from RansomHub,” the security firm declared [PDF] in a December 12 report that also called RansomHub “the most prominent R&DE [ransomware and data exfiltration] outfit” of 2024.

“RansomHub’s attack tempo has been on a consistent upward trajectory, accounting for approximately 20 percent of all R&DE incidents in Q4 2024,” according to the report. 

“While it is almost certain that this will plateau, there is a likely chance that the collective will continue to attract experienced affiliates and remain the most dangerous R&DE threat,” it noted.

“The way they’re conducting business, and the pace at which they’re exposing and publishing victims, is quite common with new ransomware groups,” ZeroFox VP of Intelligence Adam Darrah told The Register. “It is likely RansomHub is made up of individuals affiliated with other now-defunct or waning-in-their-influence ransomware collectives. It is not uncommon for a newer shakedown mafia to come in and to make a splash.”

The US presidential election this year also likely added to the increased attacks, added Darrah, a former CIA political analyst. 

“In the run up to a major US election, they [were] taking advantage of a community of defenders, both inside and outside the government, who are already on edge about cyber-based attacks,” he said. “Ransomware groups that have any kind of official or unofficial affiliation with a nation-state intelligence service know that publishing such a high number of victims at an increased pace, at such an alarming rate, takes away time, attention, and resources from other defensive operations.”

It’s important to note that the number of listed victims doesn’t directly equate to attacks. Victims that pay the ransom demand – or come to some sort of agreement with the criminals – may not ever see their org’s names on the criminals’ leak sites.

“When they get on a radar this quickly, that also catches the attention of very capable good guys around the world,” Darrah said. “So there’s a reason the life cycle of some of these groups is not long.”

ZeroFox’s report warns that other ransomware gangs such as Meow, Play Ransomware, and Hunters International are “very likely” to emerge as serious threats in early 2025. While it’s unknown how long RansomHub can keep up its run, one thing is clear: there’s no shortage of collectives waiting to take its place at the top of the charts. ®
