Third-party attacks emerged as a significant driver of material financial losses from cyber incidents in 2024, according to cyber risk management firm Resilience.

Third-party risks made up 31% of all client insurance claims and 23% of material losses last year. This marks a significant change from 2023, when no third-party claims led to material losses for Resilience clients.

“This shift underscores the growing vulnerabilities created by interconnected systems and reliance on external vendors in 2023,” the firm wrote in a report dated February 27.

Ransomware the Biggest Cause of Losses

Ransomware attacks targeting vendors made up 42% of the third-party claims, with losses from these incidents rising four-fold compared to 2023. The attack on automotive software firm CDK, which impacted thousands of car dealerships across the US and Canada, is an example of a ransomware attack on a vendor that financially impacts customers.

Vendor security failings, including the CrowdStrike global outage in July 2024, made up 4% of all material claims. Not all the claims arising from this incident have been fully developed, Resilience noted.

The company said that this trend is driving insurance companies to adjust their underwriting practices regarding third-party risk.

Overall, ransomware held its position as the top cause of material losses for businesses from 2023 to 2024. First-party ransomware incidents made up 44% of client ‘s material claims, while ransomware targeting vendors contributed to 18% of such claims.

Altogether, 62% of claims with losses were related to ransomware.

Despite these figures, the researchers noted that there are indications that ransomware frequency may be declining in broader markets.

“This is likely due to threat actors focusing on larger, high-profile organizations that yield bigger payouts, as opposed to the previous “spray and prey” approach,” they said.

Phishing Claims Fall Significantly

Phishing-related cyber incidents made up 9% of incurred claims in 2024, representing a 55% fall compared to 2023.

The researchers believe this trend is a reflection of improvements in phishing defenses and the shift towards third-party attacks.

There was a marked increase in transfer fraud claims, making up 18% of claims in 2024 compared to 14% in 2023.

Transfer fraud is where a scammer tricks a person into transferring them money using psychological manipulation. Resilience said it has observed scammers’ use of AI to scale such social engineering campaigns, resulting in increased susceptibility and higher success rates.

“As transfer fraud continues to grow, organizations must strengthen internal controls, educate employees on fraud prevention, and implement more robust verification processes for financial transactions,” the firm commented.

A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International.

“The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite,” the international non-governmental organization said, adding the traces of the exploit were discovered in a separate case in mid-2024.

The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. A patch for the flaw was addressed in the Linux kernel in December 2024. It was subsequently addressed in Android earlier this month.

It’s believed that CVE-2024-53104 was combined with two other flaws – CVE-2024-53197 and CVE-2024-50302 – both of which have been resolved in the Linux kernel. They are yet to be included in an Android Security Bulletin.

• CVE-2024-53197 (CVSS score: N/A) – An out-of-bounds access vulnerability for Extigy and Mbox devices
• CVE-2024-50302 (CVSS score: 5.5) – A use of an uninitialized resource vulnerability that could be used to leak kernel memory

“The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone’s lock screen and gain privileged access on the device,” Amnesty said.

“This case highlights how real-world attackers are exploiting Android’s USB attack surface, taking advantage of the broad range of legacy USB kernel drivers supported in the Linux kernel.”

The activist, who has been given the name “Vedran” to protect their privacy, was taken to a police station and his phone confiscated on December 25, 2024, after he attended a student protest in Belgrade.

Amnesty’s analysis found that the exploit was used to unlock his Samsung Galaxy A32 and that the authorities attempted to install an unknown Android application. While the exact nature of the Android app remains unclear, the modus operandi is consistent with that of prior NoviSpy spyware infections reported in mid-December 2024.

Earlier this week, Cellebrite said its tools are not designed to facilitate any type of offensive cyber activity and that it works actively to curtail the misuse of its technology.

The Israeli company also said it will no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.”

A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country’s National Taxation Bureau.

The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that have leveraged malicious game-related applications.

“The sender claimed that the malicious file attached was a list of enterprises scheduled for tax inspection and asked the receiver to forward the information to their company’s treasurer,” security researcher Pei Han Liao said in a report shared with The Hacker News.

The attachment mimics an official document from the Ministry of Finance, urging the recipient to download the list of enterprises scheduled for tax inspection.

But in reality, the list is a ZIP file containing a malicious DLL (“lastbld2Base.dll”) that lays the groundwork for the next attack stage, leading to the execution of shellcode that’s responsible for downloading a Winos 4.0 module from a remote server (“206.238.221[.]60”) for gathering sensitive data.

The component, described as a login module, is capable of taking screenshots, logging keystrokes, altering clipboard content, monitoring connected USB devices, running shellcode, and permitting the execution of sensitive actions (e.g., cmd.exe) when security prompts from Kingsoft Security and Huorong are displayed.

Fortinet said it also observed a second attack chain that downloads an online module that can capture screenshots of WeChat and online banks.

It’s worth noting that the intrusion set distributing the Winos 4.0 malware has been assigned the monikers Void Arachne and Silver Fox, with the malware also overlapping with another remote access trojan tracked as ValleyRAT.

“They are both derived from the same source: Gh0st RAT, which was developed in China and open-sourced in 2008,” Daniel dos Santos, Head of Security Research at Forescout’s Vedere Labs, told The Hacker News.

“Winos and ValleyRAT are variations of Gh0st RAT attributed to Silver Fox by different researchers at different points in time. Winos was a name commonly used in 2023 and 2024 while now ValleyRAT is more commonly used. The tool is constantly evolving, and it has both local Trojan/RAT capabilities as well as a command-and-control server.”

ValleyRAT, first identified in early 2023, has been recently observed using fake Chrome sites as a conduit to infect Chinese-speaking users. Similar drive-by download schemes have also been employed to deliver Gh0st RAT.

Furthermore, Winos 4.0 attack chains have incorporated what’s called a CleverSoar installer that’s executed by means of an MSI installer package distributed as fake software or gaming-related applications. Also dropped alongside Winos 4.0 via CleverSoar is the open-source Nidhogg rootkit.

“The CleverSoar installer […] checks the user’s language settings to verify if they are set to Chinese or Vietnamese,” Rapid7 noted in late November 2024. “If the language is not recognized, the installer terminates, effectively preventing infection. This behavior strongly suggests that the threat actor is primarily targeting victims in these regions.”

The disclosure comes as the Silver Fox APT has been linked to a new campaign that leverages trojanized versions of Philips DICOM viewers to deploy ValleyRAT, which is then used to drop a keylogger, and a cryptocurrency miner on victim computers. Notably, the attacks have been found to use a vulnerable version of the TrueSight driver to disable antivirus software.

“This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain,” Forescout said.

It’s become almost a cliché to say that cybercriminals are remarkably quick to latch onto the latest trends and technologies and exploit them for their own nefarious gains. The buzz around DeepSeek and its state-of-the-art AI models is no exception. In fact, the past few days have provided a stark reminder that while the tech world is evolving at a breakneck speed, the tactics of online scammers often remain strikingly familiar.

Since the R1 reasoning model of the little-known Chinese startup took the world by storm last week, security researchers have spotted a number of fraudulent attempts to capitalize on its meteoric rise to popularity. Alongside this, DeepSeek has faced intense scrutiny over its privacy and security practices, bringing to light several risks surrounding (not necessarily only DeepSeek’s) AI models.

Here’s a rundown of how fraudsters use DeepSeek’s popularity as a lure for scams and malware, as well as a short recap of some of the key privacy and security issues that have also thrown the spotlight on the company in the past few days.

Scams and malware

One example comes from a user on X who posted some details about a website that mimics the official one and urges visitors to download what poses as DeepSeek’s AI model. Instead, however, clicking it triggers the download of a malicious executable that ESET products detect as Win32/Packed.NSIS.A. 

While the website largely “looks the part”, a keen eye will spot at least one more giveaway beside the URL itself: unlike the “Start now” button on the official website, the fake one says “Download Now”. (DeepSeek has launched mobile apps for both iOS and Android with great success, but you can also use it directly in your desktop browser without needing to download anything.) To further bolster the ploy’s chances of success, the malware is digitally signed by “K.MY TRADING TRANSPORT COMPANY LIMITED”.

Others have also spotted a number of newly-created lookalike domains that aim to trick people into thinking that they have landed on the real thing, but are instead to part them from their data or hard-earned money, including by touting (non-existent) DeepSeek pre-IPO shares.

Another risk has to do with bogus DeepSeek crypto tokens that have surged on multiple blockchain networks, with some reaching market capitalizations of millions of dollars in short order. The company made it clear on X earlier in January that it has not issued any cryptocurrency.

Privacy and security concerns surrounding DeepSeek

Right on the heels of its rapid ascent, DeepSeek said it had itself been the target of “a large-scale cyberattack” that caused it to suspend new user signups.

Meanwhile, cloud cybersecurity company Wiz has found a database belonging to DeepSeek that inadvertently exposed API keys, system logs, user chat prompts and other sensitive information to the open internet. DeepSeek has since locked down the database.

Cybersecurity firms KELA and Palo Alto Networks have found that DeepSeek’s AI models are susceptible to so-called evil jailbreak attacks and their security guardrails can be subverted to generate malicious outputs, including ransomware, as well as fabricate content such as detailed instructions for creating toxins and explosives.

Much like has been the case with TikTok and other Chinese online services, DeepSeek’s data collection practices also garnered scrutiny almost immediately, including from regulatory authorities in the United States, Ireland, Italy and France.

Precautions

Whether it’s a viral new app, a juggernaut social media platform, or an AI tool, cybercriminals are highly adept at weaving thee latest fads and trends into their ploys, ultimately making the ruses more enticing and harder to spot.

To protect yourself from DeepSeek-themed scams, keep your eyes peeled for any email or social media messages that attempt to piggyback off its popularity and push you to click on suspicious links.

Indeed, as AI tools can be harnessed to create highly convincing phishing campaigns and other social engineering attacks, be skeptical of messages that arrive out of the blue, particularly if they offer something too good to be true such as investment opportunities or create a sense of urgency. You’re better off contacting the company or person mentioned in the messages directly via verified channels and navigating to the official website by typing it into your web browser.

Strengthen your online accounts with two-factor authentication (2FA) wherever possible so that it’s far harder for cybercriminals to access your accounts even if they obtain your credentials. Make sure to also use multilayered security software across all your devices that can go a long way towards keeping you safe.

More broadly, when interacting with DeepSeek or, indeed, any other AI model, be mindful of the data you’re entering into it, including names, email addresses and sensitive personal preferences. The same goes for corporate and other sensitive data; the US Navy, for example, has already banned use of DeepSeek among its ranks.

Vulnerability exploitation has long been a popular tactic for threat actors. But it’s becoming increasingly so – a fact that should alarm every network defender. Observed cases of vulnerability exploitation resulting in data breaches surged three-fold annually in 2023, according to one estimate. And attacks targeting security loopholes remain one of the top three ways threat actors start ransomware attacks.

As the number of CVEs continues to hit new record highs, organizations are struggling to cope. They need a more consistent, automated and risk-based approach to mitigating vulnerability-related threats.

Bug overload

Software vulnerabilities are inevitable. As long as humans create computer code, human error will creep in to the process, resulting in the bugs that bad actors have become so expert at exploiting. Yet doing so at speed and scale opens a door to not just ransomware and data theft, but sophisticated state-aligned espionage operations, destructive attacks and more.

Unfortunately, the number of CVEs being published each year is stubbornly high, thanks to several factors:

• New software development and continuous integration lead to increased complexity and frequent updates, expanding potential entry points for attackers and sometimes introducing new vulnerabilities. At the same time, companies adopt new tools that often rely on third-party components, open-source libraries and other dependencies that may contain undiscovered vulnerabilities.
• Speed is often prioritized over security, meaning software is being developed without adequate code checks. This allows bugs to creep into production code – sometimes coming from the open source components used by developers.
• Ethical researchers are upping their efforts, thanks in part to a proliferation of bug bounty programs run by organizations as diverse as the Pentagon and Meta. These are responsibly disclosed and patched by the vendors in question, but if customers don’t apply these patches, they’ll be exposed to exploits
• Commercial spyware vendors operate in a legal grey area, selling malware and exploits for their clients – often autocratic governments – to spy on their enemies. The UK’s National Cyber Security Centre (NCSC) estimates that the commercial “cyber-intrusion sector” doubles every ten years
• The cybercrime supply chain is increasingly professionalized, with initial access brokers (IABs) focusing exclusively on breaching victim organizations – often via vulnerability exploitation. One report from 2023 recorded a 45% increase in IABs on cybercrime forums, and a doubling of dark web IAB ads in 2022 versus the previous 12 months

What types of vulnerability are making waves?

The story of the vulnerability landscape is one of both change and continuity. Many of the usual suspects appear in MITRE’s top 25 list of the most common and dangerous software flaws seen between June 2023 and June 2024. They include commonly-seen vulnerability categories like cross-site scripting, SQL injection, use after free, out-of-bounds read, code injection and cross-site request forgery (CSRF). These should be familiar to most cyber-defenders, and may therefore require less effort to mitigate, either through improved hardening/protection of systems and/or enhanced DevSecOps practices.

However, other trends are perhaps even more concerning. The US Cybersecurity and Infrastructure Security Agency (CISA) claims in its list of 2023 Top Routinely Exploited Vulnerabilities that a majority of these flaws were initially exploited as a zero-day. This means, at the time of exploitation, there were no patches available, and organizations have to rely on other mechanisms to keep them safe or to minimize the impact. Elsewhere, bugs with low complexity and which require little or no user interaction are also often favored. An example is the zero-click exploits offered by commercial spyware vendors to deploy their malware.

Explore how ESET Vulnerability and Patch Management inside the ESET PROTECT platform provides a pathway to swift remediation, helping keep both disruption and costs down to a minimum.

Another trend is of targeting perimeter-based products with vulnerability exploitation. The National Cyber Security Centre (NCSC) has warned of an uptick in such attacks, often involving zero-day exploits targeting file transfer applications, firewalls, VPNs and mobile device management (MDM) offerings. It says:

“Attackers have realised that the majority of perimeter-exposed products aren’t ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software. Furthermore, these products typically don’t have decent logging (or can be easily forensically investigated), making perfect footholds in a network where every client device is likely to be running high-end detective capabilities.”

Making things worse

As if that weren’t enough to concern network defenders, their efforts are complicated further by:

• The sheer speed of vulnerability exploitation. Google Cloud research estimates an average time-to-exploit of just five days in 2023, down from a previous figure of 32 days
• The complexity of today’s enterprise IT and OT/IoT systems, which span hybrid and multi-cloud environments with often-siloed legacy technology
• Poor quality vendor patches and confusing communications, which leads defenders to duplicate effort and means they’re often unable to effectively gauge their risk exposure
• A NIST NVD backlog which has left many organizations without a critical source of up-to-date information on the latest CVEs

According to a Verizon analysis of CISA’s Known Exploited Vulnerabilities (KEV) catalog:

• At 30 days 85% of vulnerabilities went unremediated
• At 55 days, 50% of vulnerabilities went unremediated
• At 60 days 47% of vulnerabilities went unremediated

Time to patch

The truth is that there are simply too many CVEs published each month, across too many systems, for enterprise IT and security teams to patch them all. The focus should therefore be on prioritizing effectively according to risk appetite and severity. Consider the following features for any vulnerability and patch management solution:

• Automated scanning of enterprise environments for known CVEs
• Vulnerability prioritization based on severity
• Detailed reporting to identify vulnerable software and assets, relevant CVEs and patches etc
• Flexibility to select specific assets for patching according to enterprise needs
• Automated or manual patching options

For zero-day threats, consider advanced threat detection which automatically unpacks and scans possible exploits, executing in a cloud-based sandbox to check whether it’s malicious or not. Machine learning algorithms can be applied to the code to identify novel threats with a high degree of accuracy in minutes, automatically blocking them and providing a status of each sample.

Other tactics could include microsegmentation of networks, zero trust network access, network monitoring (for unusual behavior), and strong cybersecurity awareness programs.

As threat actors adopt AI tools of their own in ever-greater numbers, it will become easier for them to scan for vulnerable assets that are exposed to internet-facing attacks. In time, they may even be able to use GenAI to help find zero-day vulnerabilities. The best defense is to stay informed and keep a regular dialog going with your trusted security partners.