The global firmware threat nobody’s tracking • The Register


Opinion One of the charms of coding is that malice can be indistinguishable from incompetence. Last week’s Who, Me? story about financial transfer test software running amok is a case in point.

The hapless dev left code running overnight that should have moved a single cent in and out of his test account. Instead, it machine-gunned $100 transfers in for hours. It tripped internal security but the temporarily rich kid had told his boss about it and could thus talk his way clear.

What if the bank-raiding routine hadn’t been detected? Our hero would have come in to find a huge cash stash sitting there, a highly tempting proof of concept perhaps. Not coming clean would be malicious, but the code’s the same whether he ‘fessed up or not.

This is exactly the quandary US authorities are pondering as they consider banning products by Chinese consumer networking company TP-Link. These are very popular because the hardware is good and reliable, but mostly because they are remarkably cheap. So cheap, in fact, that the company is suspected of dumping, selling at under cost to take market share. The main reason for suspicion, though, is the routers’ firmware. It’s outstandingly prone to vulnerabilities, ridden with things like buffer overflows, to the point that mere incompetence seems an insufficient explanation.

This sounds like a conspiracy theory because the evidence is ambiguous. Line up the circumstantial evidence and it’s at least plausible. If TP-Link does have a corporate fondness for crap coders, how come the features visible to owners in everyday use work well, while invisible vulnerabilities are so common? Chinese law compels all domestic companies to cooperate with state security in secret. There is already evidence of widespread Chinese infiltration of communication infrastructure with Salt Typhoon. Motive, opportunity, ability, and history: where does the balance of probabilities lie?

It would be possible to prove TP-Link products were uniquely vulnerable by statistical analysis, comparing them to competitive products from other vendors. At that point, it doesn’t really matter what the reason is, they could be taken off the market because of consumer safety worries. That wouldn’t do much good, given the huge installed base, and the uniquely attractive environment infrastructure offers to the bad guys. It’s invisible to end users, hard to monitor, hard to update, and once something’s installed and working, it is highly disruptive to rip it out.

A great/awful example of this is the recently disclosed Iranian-linked attack on US and Israeli energy and IoT devices, part of a family of attacks that have targeted a wide range of devices from a wide range of manufacturers. Whoever created the IOCONTROL malware is highly competent and inventive, but at first glance it seems unlikely that the firmware of the target devices would contain deliberately vulnerable Iranian-sourced code. Iran has no international IT infrastructure makers to manipulate, being locked away behind sanctions. This need not stop it. Nor anyone else.

Industrial espionage is exceptionally hard to spot until the stolen secrets come to light. Likewise, industrial sabotage can be equally hard to trace. When that industry is firmware, and the malicious actor has no intention of using the information in detectable ways, this is even more so. Given how valuable zero days are to attackers, how much easier would they be to exploit if you put them there yourself?

You don’t even need to embed a star player in your target company, just someone competent enough to send copies of the code under development back to the malware creators, and get their changes back into the tree.

Do all those IoT, industrial control, and router companies have the ability to spot highly disguised vulnerabilities slipped in by malicious experts? They’re not very good at spotting incompetent errors, given the many alerts the industry generates.

Catching corrupt coders is always going to be hard, unless their own opsec is bad. It’s also most embarrassing to go public when you do. Even in security services and the military, where employees are routinely screened and counter-espionage is a specialty, the job is still very difficult. It’s not as if ideology or animus are needed to tempt someone into sin: cash and flattery do the job just as well.

It’s not a case of whether this is happening. The opportunities are too great, the risk too small, and the outlays too modest to resist. The question is how to find it, given that nobody seems to be looking. A company responsible for a vulnerability has the responsibility to fix it, but not to track down how it came to be and who was involved. There is no agency tracking and correlating this information, not unless national security is directly involved.

This just in: it is. We just don’t really believe it. Until we do, there’s an entire industry-wide meta-vulnerability going completely unchecked. Better believe it. ®




Chinese cyber center points finger at U.S. over alleged cyberattacks to steal trade secrets


China’s national cyber incident response center accused the U.S. government of launching cyberattacks against two Chinese tech companies in a bid to steal trade secrets.

In a notice Wednesday, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) said a suspected U.S. intelligence agency was behind the attacks, and that CNCERT had “handled” them, according to a Google translation.

The U.S. government has long accused China of cyber espionage to steal trade secrets from domestic companies, and China’s allegations about U.S. cyberattacks arrive in the midst of a very public campaign by U.S. government officials blaming China for a major attack on telecommunications carriers.

CNCERT said one of the attacks dates back to August of this year, against “a certain advanced material design and research unit.” The suspected attackers exploited a vulnerability in a document management system to infiltrate the software upgrade management server the company used, then installed Trojans on more than 270 of the company’s hosts, CNCERT said.

The other attack dates to May of last year, against a “large-scale high-tech enterprise” in China’s “smart energy and digital information industry,” according to CNCERT. The center’s analysis determined that the attackers exploited Microsoft Exchange vulnerabilities to get into the company’s mail server, then implanted backdoors and took control of devices at the company and its subsidiaries.

China has, in recent years, stepped up its charges about U.S. cyberattacks. The report did not name a specific U.S. government office or entity responsible for the attacks.

The Chinese Communist Party-owned newspaper China Daily published an infographic this year detailing allegations that the United States is the leading source of cyberattacks against China over the past five years, citing CNCERT in part.

Republican lawmakers, as well as a top official in the incoming second Trump administration, have said recently in response to the Salt Typhoon telecommunications breaches that the United States has been too timid about going on offense against China.

CNCERT describes itself as a non-governmental non-profit cybersecurity technical center. China Daily said it is led by the Ministry of Industry and Information Technology.

Spokespeople for the National Security Agency and U.S. Cyber Command did not immediately respond to requests for comment Thursday.


Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.



LockBit Ransomware Developer Arrested in Israel


NEWS BRIEF

A newly unsealed criminal complaint by US law enforcement shows they have been working to dismantle the LockBit ransomware-as-a-service group for several years, including a previously undisclosed arrest of one of the operation’s lead developers in Israel last August.

Rostislav Panev, a 51-year-old with dual Russian-Israeli citizenship, is facing extradition to the US to face charges along with two others accused of similarly working for LockBit, not just to develop the ransomware itself but also tools used by affiliates. For his part, Panev is accused of working on LockBit ransomware from its beginnings in 2019, eventually creating one of the most prolific ransomware operations in the world, according to the Justice Department’s statement about the arrest.

According to the Justice Department, at the time of his arrest Panev had admin credentials for LockBit’s Dark Web online repository holding the ransomware’s source code, as well as the source code for an affiliate tool called “StealBit” used to exfiltrate stolen data. His laptop also held the access credentials for the LockBit control panel used by affiliates. The Justice Department’s statement adds that Panev confessed to his role in the LockBit ransomware operation.

“The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” Attorney General Merrick Garland said in a statement about the arrests. “Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks.”




Malicious Rspack, Vant packages published using stolen NPM tokens


Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.

The supply chain attack, spotted by both Sonatype and Socket researchers, deployed the XMRig cryptocurrency miner on compromised systems for mining the hard-to-trace Monero privacy cryptocurrency.

Additionally, Sonatype discovered that all three npm packages fell victim to the identical compromise on the same day, affecting multiple versions.

Rspack is a high-performance JavaScript bundler written in Rust, used in building and bundling JavaScript projects.

The two packages that were compromised are its core component and the command line interface (CLI) tool, downloaded 394,000 and 145,000 times weekly, respectively, on npm.

Vant is a lightweight, customizable Vue.js UI library tailored for building mobile web applications, providing pre-designed, reusable UI components. It is also relatively popular, garnering 46,000 weekly downloads on npm.

Cryptomining activity

The malicious code is hidden inside the ‘support.js’ file on @rspack/core, and in the ‘config.js’ file in ‘@rspack/cli,’ and fetches its configuration and command-and-control (C2) instructions from an external server.

The malware leverages npm’s postinstall script to execute automatically upon package installation.

Fetching the miner from an external address (Source: Sonatype)

Once it’s running, it retrieves the geographic location and network details of the victim’s system.

“This call accesses the geolocation API at http://ipinfo.io/json, potentially gathering IP addresses, geographic location, and other network details about the victim’s system,” explains Socket.

“Such reconnaissance is often used to tailor attacks based on the user’s location or network profile.”

The XMRig binary is downloaded from a GitHub repository, and for the compromised Vant package, it is renamed to ‘/tmp/vant_helper’ to conceal its purpose and blend into the filesystem.

The cryptomining activity uses execution parameters that limit CPU usage to 75% of the available processor threads, which strikes a good balance between cryptomining performance and evasion.

Sonatype’s Ax Sharma says that the following Monero address was found in the compromised Rspack packages:


475NBZygwEajj4YP2Bdu7yg6XnaphiFjxTFPkvzg5xAjLGPSakE68nyGavn8r1BYqB44xTEyKQhueeqAyGy8RaYc73URL1j

Response to compromise

Both Rspack and Vant confirmed that their NPM accounts were compromised, releasing new, cleaned versions of their packages and apologizing to the community for failing to safeguard the supply chain.

“On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue,” explained the Rspack developers.

“This release is to fix a security issue. We found that one of our team members’ npm token was stolen and used to release multiple versions with security vulnerabilities. We have taken measures to fix it and re-released the latest version,” posted the Vant developer.

The compromised Rspack version to avoid is 1.1.7, which contains the malicious crypto mining code.

Users are advised to upgrade to v1.1.8 or later. The version before the malicious one, v1.1.6, is also safe, but the latest release has implemented additional security measures.

Regarding Vant, multiple compromised versions should be avoided. These are: 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, and 4.9.14.

Users are advised to upgrade to Vant v4.9.15 or newer, which is a safe re-release of the latest version of the software.

This incident follows other recent supply chain compromises, like those on LottieFiles, which targeted people’s cryptocurrency assets, and Ultralytics, which hijacked users’ hardware resources for cryptomining.




Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware


The Lazarus Group, an infamous threat actor linked to the Democratic People’s Republic of Korea (DPRK), has been observed leveraging a “complex infection chain” targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024.

The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are part of a long-running cyber espionage campaign known as Operation Dream Job, which is also tracked as NukeSped by cybersecurity company Kaspersky. It has been active since at least 2020, when it was exposed by ClearSky.

These activities often involve targeting developers and employees in various companies, including defense, aerospace, cryptocurrency, and other global sectors, with lucrative job opportunities that ultimately lead to the deployment of malware on their machines.

“Lazarus is interested in carrying out supply chain attacks as part of the DeathNote campaign, but this is mostly limited to two methods: the first is by sending a malicious document or trojanized PDF viewer that displays the tailored job descriptions to the target,” the Russian firm said in an exhaustive analysis.

“The second is by distributing trojanized remote access tools such as VNC or PuTTY to convince the targets to connect to a specific server for a skills assessment.”


The latest set of attacks documented by Kaspersky involves the second method, with the adversary making use of a completely revamped infection chain delivering a trojanized VNC utility under the pretext of conducting a skills assessment for IT positions at prominent aerospace and defense companies.

It’s worth noting that Lazarus Group’s use of rogue versions of VNC apps to target nuclear engineers was previously highlighted by the company in October 2023 in its APT trends report for Q3 2023.

“Lazarus delivered the first archive file to at least two people within the same organization (we’ll call them Host A and Host B),” researchers Vasily Berdnikov and Sojun Ryu said. “After a month, they attempted more intensive attacks against the first target.”

The VNC apps, a trojanized version of TightVNC called “AmazonVNC.exe,” are believed to have been distributed in the form of both ISO images and ZIP files. In other cases, a legitimate version of UltraVNC was used to sideload a malicious DLL packed within the ZIP archive.

The DLL (“vnclang.dll”) serves as a loader for a backdoor dubbed MISTPEN, which was uncovered by Google-owned Mandiant in September 2024. It’s tracking the activity cluster under the moniker UNC2970. MISTPEN, for its part, has been found to deliver two additional payloads codenamed RollMid and a new variant of LPEClient.

Kaspersky said it also observed the CookieTime malware being deployed on Host A, although the exact method that was used to facilitate it remains unknown. First discovered by the company in September and November 2020, CookieTime is so named for its use of encoded cookie values in HTTP requests to fetch instructions from a command-and-control (C2) server.


Further investigation of the attack chain has revealed that the threat actor moved laterally from Host A to another machine (Host C), where CookieTime was again used to drop various payloads between February and June 2024, as follows:

  • LPEClient, a malware that comes fitted with capabilities to profile compromised hosts
  • ServiceChanger, a malware that stops a targeted legitimate service so that, when the service’s executable restarts, it side-loads a rogue DLL embedded within the malware
  • Charamel Loader, a loader malware that decrypts and loads internal resources like CookieTime, CookiePlus, and ForestTiger
  • CookiePlus, a new plugin-based malicious program that’s loaded by both ServiceChanger and Charamel Loader

“The difference between each CookiePlus loaded by Charamel Loader and by ServiceChanger is the way it is executed. The former runs as a DLL alone and includes the C2 information in its resources section,” the researchers pointed out.

“The latter fetches what is stored in a separate external file like msado.inc, meaning that CookiePlus has the capability to get a C2 list from both an internal resource and an external file. Otherwise, the behavior is the same.”

CookiePlus gets its name from the fact that it was disguised as an open-source Notepad++ plugin called ComparePlus when it was detected in the wild for the first time. In the attacks targeting the nuclear-related entity, it has been found to be based on another project named DirectX-Wrappers.

The malware serves as a downloader to retrieve a Base64-encoded, RSA-encrypted payload from the C2 server, which is then decoded and deciphered to execute three different shellcodes or a DLL. The shellcodes are equipped with features to collect system information and make the main CookiePlus module sleep for a certain number of minutes.


It’s suspected that CookiePlus is a successor to MISTPEN owing to behavioral overlaps between the two malware families, including the aspect that both have disguised themselves as Notepad++ plugins.

“Throughout its history, the Lazarus group has used only a small number of modular malware frameworks such as Mata and Gopuram Loader,” Kaspersky said. “The fact that they do introduce new modular malware, such as CookiePlus, suggests that the group is constantly working to improve their arsenal and infection chains to evade detection by security products.”

The findings come as blockchain intelligence firm Chainalysis revealed that threat actors affiliated with North Korea have stolen $1.34 billion across 47 cryptocurrency hacks in 2024, up from $660.50 million in 2023. This included the May 2024 breach of Japanese cryptocurrency exchange, DMM Bitcoin, which suffered a loss of $305 million at the time.

“Unfortunately, it appears that the DPRK’s crypto attacks are becoming more frequent,” the company said. “Notably, attacks between $50 and $100 million, and those above $100 million occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits.”





Don’t expect massive M&A changes under Trump, say experts • The Register


Analysis When Donald Trump takes office for his second term on January 20, many expect sweeping changes across the board. But among tech players, when it comes to mergers and acquisitions, those hoping for looser regulations might be disappointed. 

Under the Biden administration, the perception of heightened regulatory scrutiny and antitrust enforcement has fueled dissatisfaction among the tech elite. Even some who supported Vice President Kamala Harris’s failed presidential bid wanted Chair Lina Khan out of the FTC.

“There’s been a lot of reporting done that the current FTC is, for lack of a better term, more aggressive in finding objections to proposed transactions that historically would not have faced the same degree of scrutiny,” Andrew Luh, partner and chair of M&A practice at Silicon Valley law firm Gunderson Dettmer told The Register in an interview. 

“There are a lot of high profile examples in the news about deals that are being challenged,” Luh added, referring to high-profile deals like Microsoft’s acquisition of Activision-Blizzard and other top-tier cases that Khan’s FTC has fought. “If you’re just using those types of [cases], the fact that some of those companies appear to be less favored under the current enforcement regime would have some chilling effect.”

Despite those high-profile antitrust cases, Luh said the pace hasn’t slowed down that much. 

“We, as a firm, will work on about 150 a year and we’re not a huge firm by any means,” Luh said. “So the aggregate tech M&A deal stats are still massive, even if you silo off [the most scrutinized deals].” 

There’s data to support that when it comes to large-scale deals. S&P Global put out a report on the M&A outlook under the second Trump administration shortly after the election that suggested, contrary to the perception of the Biden administration as a trust-busting, anti-acquisition administration, the total number of tech, media, and telecom (TMT) acquisitions valued over $500 million has actually been higher under Biden than Trump’s first term. 

As of the end of October 2024, there have been 235 $500M+ TMT M&As under Biden, and just 223 during Trump’s four years in office. Even with the added scrutiny, the median number of days it took to complete those M&As only rose by a single day under Biden – 77 days for the average deal compared to 76 under Trump.

Beyond that, PricewaterhouseCoopers (PwC) deals partner Lori Bistis told us, any years following the COVID-19 pandemic are going to look slow compared to the immediate aftermath of 2020.

Both 2021 and 2022 saw a huge rise in M&A activity in the tech sector and outside of it, Bistis and Luh noted. 

“You went from a level of dealmaking that was unprecedented to more normal numbers,” Bistis said. “If you look at it based on the last three or four years, dealmaking in 2023 was down in tech.” 

Bistis pointed to new merger guidelines issued by the Department of Justice and FTC in late 2023, as well as upcoming changes to premerger notification rules, set to take effect on February 10, as factors contributing to a slowdown in deal activity this year.

“There’s more effort that has to go into what you produce for the government and the regulatory agencies to get a deal done,” Bistis said. “Overall from a regulatory standpoint, there’s a lot more review going on.” 

Economic factors are at play, too

Bistis and Luh both mentioned that a slowdown in post-COVID M&A activity isn’t solely on the FTC and DoJ – there’s economics at work, too. 

“You’ll always see a slowdown in dealmaking during an election year just because that equates to uncertainty,” Bistis noted. High interest rates and geopolitical tensions are playing a role, she said. 

Those factors have led companies to explore alternatives to traditional M&A, which still involve significant dealmaking but often face fewer regulatory hurdles, Bistis noted. Divestitures and joint ventures are both hot right now, thanks in large part to economic challenges in the tech sector. 

“Historically for big tech, there hasn’t been much of a focus on divestitures, but I think we’ve seen that a bit more,” Bistis said. 


This is evident in the numerous layoffs, closures, and spinoffs we’ve seen in recent years. 

“If you think about the last couple of years, it’s been about a lot of restructuring in tech,” Bistis said – and that means “efficiency,” she noted. “Part of [restructuring] is usually looking at some non-core assets that maybe you can extract some value out of them sooner if you sell.” 

Khan’s legacy: Tougher M&As, Trump or not

Bistis said she expects the trend of divestitures and joint ventures to continue as Biden-era regulations come onto the books that make M&As a bigger hassle, and undoing those rules won’t be as easy as issuing an executive order.

As mentioned above, the new changes to the Hart-Scott-Rodino (HSR) premerger notification rules and forms are going to make it even more cumbersome to get an acquisition past the authorities.

According to FTC chair Khan, the new HSR forms require companies to report a lot of additional information. Submissions will need to include information on entities and individuals involved in deals who will have the ability to influence post-acquisition decision making, supply relationships that may undermine competition or rivals’ access to key products or services, information about products and services still under development that are not yet generating revenue, and details of certain prior acquisitions closed by both firms in the past five years, to help regulators assess whether the transaction is part of an anticompetitive roll-up scheme.

The HSR updates and 2023 merger guidelines were both passed by the Commission on unanimous votes of 5-0 and 3-0, respectively. While the 2023 guidelines were voted on before Republican commissioners joined the Biden-era FTC, the new HSR rules were okayed by Democrats and Republicans alike – including Trump’s pick to head the FTC, Andrew Ferguson. 

While noting the new HSR rule “is not perfect, nor is it the rule I would have written if the decision were mine alone” in his concurring statement, Ferguson nonetheless voted to ratify it. 

“The additional information sought in the Final Rule is ‘necessary and appropriate,'” Ferguson opined. “Its benefits are many, and, by comparison, the added burdens are reasonable.”

Additionally, an FTC spokesperson pointed out to The Register that the new HSR rules haven’t resulted in a single lawsuit yet. This could suggest that companies have largely acquiesced to the new requirements.

The Trump transition team didn’t respond to questions for this story.

Cautious optimism among transition chaos

As we’ve noted in several stories covering the potential policies of the incoming Trump administration, there’s a lot of uncertainty swirling around Trump’s plans for his second term that’s led to the tech industry hitting the brakes on big changes. Things are largely the same in the M&A world right now. 


Both Luh and Bistis said their clients have been operating under a “wait and see” mindset, with Luh in particular saying that most businesses are just trying to wrap up year-end matters rather than thinking about 2025 acquisition plans. 

Bistis, on the other hand, said that the people she’s been speaking with are excited that the M&A process might become a little simpler: Even if the paperwork isn’t going away, regulators might take a more hands-off approach. 

“I think as compared to the regulatory trends we’ve seen over the last several years, I think it’s a cautious optimism,” Bistis said. “The benchmark over the last four years was pretty tough.” 

That said, anyone in the tech space who’s preparing to get the deal motor running come Trump’s inauguration would do well to get their house in order, Bistis told us, pointing to a number of suggestions PwC publishes for TMT firms.

“Focus on collecting the data now that you need to respond to said regulatory increases,” Bistis suggested. “You never want to be the hold up.”

“There’s a lot to be done – especially with these new HSR requirements coming out,” the PwC advisor said – and those rules are unlikely to vanish before Trump takes office. “The more [you] can get ahead of that, if you’re preparing to do an M&A, the better.” ®




Israeli court to hear U.S. extradition request for alleged LockBit developer


An Israeli court is set to deliberate a significant extradition case involving Rostislav Panev, an Israeli citizen alleged to be involved with the notorious LockBit ransomware gang.

According to Israeli news outlet Ynet, a U.S. extradition request was made public Thursday claiming that between 2019 and 2024, Panev served as a software developer for LockBit. During this period, LockBit is alleged to have executed cyberattacks impacting roughly 2,500 victims globally, including U.S. governmental and health care organizations.

The U.S. Department of Justice places LockBit among the most detrimental ransomware groups in operation, responsible for financial losses exceeding $500 million. Moreover, the group purportedly harbored connections with Evil Corp., an erstwhile Russian-based cybercrime syndicate sanctioned by the U.S. government in 2019 for its role in distributing malware and enabling a range of cybercriminal activity.

Documents disclosed in conjunction with the extradition request reveal that Panev was arrested at his Israeli home in August. He is suspected of developing software that placed ransom notes on compromised systems. For his work, he has allegedly made $230,000, largely via cryptocurrency. Law enforcement agencies discovered digital wallets tied to these payments, along with ransom templates, during searches at Panev’s residence.

Panev’s lawyer, Sharon Nahari, told Ynet that Panev was neither aware of nor complicit in the alleged schemes.

The extradition proceedings were instigated by the State Attorney’s Office after Israel’s Minister of Justice signed off on a formal request from the U.S. According to Ynet, the U.S. kept the extradition order sealed, fearing that it might tip off other LockBit affiliates and allow them to escape to Russia.

International law enforcement has been aggressively pursuing those behind LockBit, starting in February with the public unveiling of “Operation Cronos,” the name of the organized international effort led by the U.K.’s National Crime Agency. British authorities seized the website LockBit used to post targets and share data from victims that refused to pay ransom, and used it as the platform to disseminate news about the operation and information about the nearly 200 affiliates working with LockBit at the time. That made the takedown both a traditional law enforcement disruption and a psychological operation designed to undermine LockBit’s support in the cybercrime community.

In October, law enforcement agencies announced additional arrests, seizures and sanctions targeting LockBit ransomware infrastructure, and 16 people were either arrested, sanctioned or both by the U.S. or U.K. 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


How to Protect Your Environment from the NTLM Vulnerability

A new zero-day vulnerability in NTLM discovered by researchers at 0patch allows attackers to steal NTLM credentials by having a user view a specially crafted malicious file in Windows Explorer — no need for the user to open the file. These password hashes can be used for authentication relay attacks or for dictionary attacks on the password, both for identity takeover.

NTLM refers to a suite of old authentication protocols from Microsoft that provide authentication, integrity, and confidentiality to users. While NTLM was officially deprecated as of June, our research shows that 64% of Active Directory user accounts regularly authenticate with NTLM — evidence that NTLM is still widely used despite its known weaknesses.

The flaw is exploitable even in environments using NTLM v2, making it a significant risk to enterprises that have not yet moved to Kerberos and are still relying on NTLM. Considering Microsoft may not patch this issue for a while, enterprise defenders should take steps to mitigate the vulnerability in their environments. This Tech Tip outlines how dynamic access policies, a few hardening steps, and multifactor authentication (MFA) can help limit attempts to exploit this vulnerability. Upgrading the protocol, where possible, could eliminate the issue completely.

What Is the NTLM Vulnerability?

When a user views a malicious file in Windows Explorer — whether by navigating to a shared folder, inserting a USB drive containing the malicious file, or just viewing a file in the Downloads folder that was automatically downloaded from a malicious Web page — an outbound NTLM connection is triggered. This causes Windows to automatically send NTLM hashes of the currently logged-in user to a remote attacker-controlled share.

These NTLM hashes can then be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. Attackers can also potentially use the exposed passwords to access the organization’s software-as-a-service (SaaS) environment due to the high rates of synced users.

The issue impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

The fundamental problem with NTLM lies in its outdated protocol design. NTLM transmits password hashes instead of verifying plaintext passwords, making it vulnerable to interception and exploitation. Even with NTLM v2, which uses stronger encryption, the hashes can still be captured and relayed by attackers. NTLM’s reliance on weak cryptographic practices and lack of protection against relay attacks are key weaknesses that make it highly exploitable. Moreover, NTLM authentication does not support modern security features, such as MFA, leaving systems open to a variety of credential theft techniques, such as pass-the-hash and hash relaying.

What Defenders Need to Do

To mitigate this vulnerability, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP. There are scripts provided by Microsoft to activate EPA manually on Exchange Server 2016. Where possible, update to the latest Windows Server 2025 as it ships with EPA and channel binding enabled by default for both AD CS and LDAP.

Some organizations may still be dependent on NTLM due to legacy systems. Those teams should consider additional authentication layers, such as dynamic risk-based policies, to protect the remaining NTLM-dependent systems against exploitation.

Harden LDAP configurations. Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.

Check impact on SaaS. If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can use Group Policy to enable the Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.

Using Group Policy to limit or disable NTLM authentication via the Network Security: Restrict NTLM setting will reduce the risk of fallback scenarios where NTLM is unintentionally used.

Monitor SMB traffic. Enabling SMB signing and encryption can help prevent attackers from impersonating legitimate servers and triggering NTLM authentication. Blocking outbound SMB traffic to untrusted networks will also reduce the risk of NTLM credential leakage to rogue servers. Implement network monitoring and alerting for unusual SMB traffic patterns, particularly outbound requests to unknown or untrusted IP addresses.

Leave NTLM behind. NTLM has been deprecated. Administrators should audit NTLM usage to identify which systems still rely on NTLM. Organizations should prioritize transitioning those systems away from NTLM to more modern authentication protocols, such as Kerberos. Once a more modern protocol is in place, implement MFA to add an additional layer of protection.
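The steps above (audit incoming and outgoing NTLM, enforce LDAP channel binding and signing, require SMB signing, block outbound SMB to untrusted networks) can be checked on a single Windows host with the following script. It is an added example, not code from the article, from 0patch or from Microsoft. It reads the registry values behind the Group Policy settings named above (AuditReceivingNTLMTraffic and RestrictSendingNTLMTraffic under Lsa\MSV1_0; LdapEnforceChannelBinding and LDAPServerIntegrity under NTDS\Parameters), the SMB signing and encryption state, and whether an outbound SMB block rule exists, and it summarises outbound NTLM audit events (event ID 8001 in the Microsoft-Windows-NTLM/Operational log) so you can see which processes authenticate to which remote servers before deciding what to block. By default it only reports; `-Enforce` applies the hardened values. The script and firewall rule names, the use of the firewall’s `Internet` address keyword to stand in for “untrusted networks”, and the regular expressions over the 8001 message text are assumptions; run it elevated, and on domain controllers test LDAP signing and channel binding against legacy clients before enforcing them.

```powershell
<#
 Added example, not code from the article or its author. Audit-first check of the
 NTLM, LDAP and SMB settings discussed in the text on one Windows host. Run elevated.
 Default mode only reports; pass -Enforce to apply the hardened values.
#>
[CmdletBinding()]
param(
    [switch]$Enforce,           # apply the desired values instead of only reporting
    [int]$LookBackHours = 24    # window for the outbound-NTLM log summary
)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
# DomainRole 4/5 = backup/primary domain controller; LDAP settings only matter there.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# Registry values behind the Group Policy settings named in the article.
$desired = @(
    @{ Path = $lsa;  Name = 'AuditReceivingNTLMTraffic'; Value = 2; DcOnly = $false
       Why  = 'Restrict NTLM: Audit Incoming NTLM Traffic = enable auditing for all accounts' }
    @{ Path = $lsa;  Name = 'RestrictSendingNTLMTraffic'; Value = 1; DcOnly = $false
       Why  = 'Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit all (event 8001)' }
    @{ Path = $ntds; Name = 'LdapEnforceChannelBinding'; Value = 2; DcOnly = $true
       Why  = 'LDAP channel binding = Always' }
    @{ Path = $ntds; Name = 'LDAPServerIntegrity';        Value = 2; DcOnly = $true
       Why  = 'LDAP server signing = Require signing' }
)

foreach ($s in $desired) {
    if ($s.DcOnly -and -not $isDc) { continue }
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $shown   = if ($null -eq $current) { 'unset' } else { $current }
    $state   = if ($current -eq $s.Value) { 'OK' } else { 'DIFFERS' }
    '{0,-8} {1,-28} current={2} desired={3}  ({4})' -f $state, $s.Name, $shown, $s.Value, $s.Why
    if ($Enforce -and $state -ne 'OK') {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

# SMB signing on both sides and server-side encryption ("Monitor SMB traffic" step).
# Caveat: EncryptData=$true rejects clients that cannot negotiate SMB 3 encryption.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
'SMB client RequireSecuritySignature = {0}' -f $client.RequireSecuritySignature
'SMB server RequireSecuritySignature = {0}, EncryptData = {1}' -f $server.RequireSecuritySignature, $server.EncryptData
if ($Enforce) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Force
}

# Outbound SMB (TCP 445) to addresses outside the local subnet/intranet, so a crafted
# file that points at a share on the Internet cannot trigger the leak. "Internet" is the
# firewall's own address keyword for "not intranet"; replace it with your trusted ranges
# if your network layout differs. The rule name is an assumption.
$ruleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
'Outbound SMB block rule present = {0}' -f [bool]$rule
if ($Enforce -and -not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block | Out-Null
}

# Summarise outbound NTLM audit events (ID 8001) so you can see which processes
# authenticate to which remote servers. Assumption: the message text contains
# "Target server: <name>" and "Name of client process: <path>" lines.
function Get-OutboundNtlmSummary {
    param([int]$Hours)
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Target  = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '?' }
            Process = if ($_.Message -match 'Name of client process:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        }
    } | Group-Object Target, Process | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Target';  e = { $_.Group[0].Target } },
            @{ n = 'Process'; e = { $_.Group[0].Process } }
}

"Outbound NTLM targets in the last $LookBackHours h (empty until the outgoing audit policy has been active):"
Get-OutboundNtlmSummary -Hours $LookBackHours | Format-Table -AutoSize
```

Run it once without `-Enforce` and keep the 8001 summary for a few days: remote servers that appear only for well-known line-of-business hosts are candidates for an explicit allow list, while targets outside your address space are exactly the connections the outbound block rule is meant to stop.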

Taking these steps will help organizations address the fundamental flaws in NTLM and improve their security posture.


Google Chrome uses AI to analyze pages in new scam detection feature

Google is using artificial intelligence to power a new Chrome scam protection feature that analyzes brands and the intent of pages as you browse the web.

As spotted by Leo on X, a new flag in Chrome Canary enables a feature called “Client Side Detection Brand and Intent for Scam Detection” that uses an LLM, or Large Language Model, to analyze web pages on your device.

“Enables on device LLM output on pages to inquire for brand and intent of the page,” reads the Google Chrome flag’s description.

Chrome’s AI-powered scam detection feature. Source: BleepingComputer

This feature is believed to help the scam detection service detect the brand and purpose (intent) of a webpage, making it easier to identify potential scams. It works on Mac, Windows, and Linux.

It’s unclear how the feature works, but it could issue warnings when you visit an obvious scam website.

For example, if you visit a fake Microsoft tech support page claiming your computer is infected and urging you to call a number, Chrome’s AI could analyze the promoted brand or language used on the page. If it detects scam tactics like fake urgency or suspicious domains, it could display a warning alerting you to avoid interacting with the page or sharing personal information.

This new tool is being tested in Chrome Canary and could be related to Chrome’s built-in Enhanced Protection feature, which now also uses artificial intelligence.

Google says the updated Enhanced Protection feature uses AI to provide real-time protection against dangerous sites, downloads, and extensions.

Before October, Enhanced Protection didn’t use AI. It was described as “proactive protection,” but it has since been updated to “AI-powered protection.”

Google is likely using pre-trained data to understand web content and warn users about scams or dangerous sites.

The company is still testing these AI-powered security and privacy features in Chrome, and it’s unclear when more details will be shared.


LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages

A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024.

Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a statement. Based on fund transfers to a cryptocurrency wallet owned by Panev, he allegedly earned approximately $230,000 between June 2022 and February 2024.

“Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit co-conspirators to wreak havoc and cause billions of dollars in damage around the world,” U.S. Attorney Philip R. Sellinger said.

LockBit, which was one of the most prolific ransomware groups, had its infrastructure seized in February 2024 as part of an international law enforcement operation called Cronos. It gained notoriety for targeting more than 2,500 entities in at least 120 countries around the world, including 1,800 in the U.S. alone.

Victims of LockBit’s attacks ranged from individuals and small businesses to multinational corporations, and included hospitals, schools, nonprofit organizations, critical infrastructure, government, and law enforcement agencies. The RaaS is believed to have netted the group at least $500 million in illicit profits.

Court documents show that Panev’s computer, analyzed following his arrest, held administrator credentials for an online repository hosted on the dark web that contained source code for multiple versions of the LockBit builder, which affiliates used to create custom builds of the ransomware.

Also discovered were access credentials for the LockBit control panel and a tool called StealBit, which allowed the affiliate actors to exfiltrate sensitive data from compromised hosts prior to initiating the encryption process.

Panev, besides writing and maintaining the LockBit malware code as well as offering technical guidance to the e-crime group, is also accused of exchanging direct messages with Dmitry Yuryevich Khoroshev, the primary administrator who also went by online alias LockBitSupp, discussing development work related to the builder and control panel.

“In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work,” the DoJ said.

“Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network.”

With the latest arrest, a total of seven LockBit members, including Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, and Mikhail Pavlovich Matveev, have been charged in the U.S.

Despite these operational setbacks, the LockBit operators appear to be plotting a comeback, with a new version LockBit 4.0 scheduled for release in February 2025. However, it remains to be seen if the extortion gang can successfully stage a return in light of the ongoing wave of takedowns and charges.

Second Netwalker Ransomware Affiliate Gets 20 Years in Prison

The development comes as Daniel Christian Hulea, a 30-year-old Romanian affiliate of the NetWalker ransomware operation, was sentenced to 20 years in prison and ordered to forfeit $21,500,000 and his interests in an Indonesian company and a luxury resort property that was financed with ill-gotten proceeds from the attacks.

Hulea previously pleaded guilty in the U.S. to charges of computer fraud conspiracy and wire fraud conspiracy back in June 2024. He was arrested in Romania on July 11, 2023, and subsequently extradited to the U.S.

“As part of his plea agreement, Hulea admitted to using NetWalker to obtain approximately 1,595 bitcoin in ransom payments for himself and a co-conspirator, valued at approximately $21,500,000 at the time of the payments,” the DoJ said.

The NetWalker ransomware operation particularly singled out the healthcare sector during the height of the COVID-19 pandemic. It was dismantled online in January 2021 when U.S. and Bulgarian authorities seized the dark web sites used by the group. In October 2022, a Canadian affiliate, Sebastien Vachon-Desjardins, was sentenced to 20 years in prison.

Raccoon Stealer Developer Sentenced to 5 Years in Prison

In related law enforcement news, the DoJ also announced the sentencing of Mark Sokolovsky, a Ukrainian national accused of being the primary developer of the Raccoon Stealer malware, to 60 months in federal prison for one count of conspiracy to commit computer intrusion.

The 28-year-old conspired to offer the Raccoon infostealer as a malware-as-a-service (MaaS) to other criminal actors for $200 a month, who then deployed the malware on victims’ systems using various ruses such as email phishing in order to steal sensitive data. The harvested information was used to commit financial crimes or sold to others on underground forums.

Sokolovsky, who was extradited from the Netherlands in February 2024, pleaded guilty to the crime in early October and agreed to forfeit $23,975 and pay at least $910,844.61 in restitution.

“Mark Sokolovsky was a key player in an international criminal conspiracy that victimized countless individuals by administering malware which made it cheaper and easier for even amateurs to commit complex cybercrimes,” said U.S. Attorney Jaime Esparza for the Western District of Texas.

The U.S. Federal Bureau of Investigation (FBI) has set up a website where users can check whether their email address shows up in the data stolen by the Raccoon stealer malware. The MaaS operation was taken offline in March 2022 concurrent with Sokolovsky’s arrest by Dutch authorities.

NYC Man Gets Nearly 6 Years in Prison for Credit Card Trafficking and Money Laundering

The latest actions also follow the sentencing of a 32-year-old New York City man, Vitalii Antonenko, to time served plus days for his involvement in a criminal scheme that infiltrated systems with SQL injection attacks in order to steal credit card and personal information and offer the data for sale on online criminal marketplaces.

“Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control,” the DoJ noted in May 2020. “The conspiracy’s victims included a hospitality business and non-profit scientific research institution, both located in eastern Massachusetts.”

Antonenko was arrested in March 2019 on his return to the U.S. from Ukraine carrying “computers and other digital media that held hundreds of thousands of stolen payment card numbers.”

In September 2024, he pleaded guilty to one count of conspiracy to gain unauthorized access to computer networks and to traffic in unauthorized access devices, and one count of money laundering conspiracy.
