CyberWire Daily - Cats and RATS are all the rage.
Episode Date: January 29, 2025Hackers linked to China and Iran are using AI to enhance cyberattacks. An AI-powered messaging tool for Slack and Discord is reportedly leaking user data. British engineering giant Smiths Group suffer...s a cyberattack. Rockwell Automation details critical and high-severity vulnerabilities. Researchers warn of new side-channel vulnerabilities in Apple CPUs. The Hellcat ransomware gang looks to humiliate its victims. SparkRAT targets macOS users and government entities. Flashpoint looks at FleshStealer malware. Cybercriminals leverage trust in government websites. Our guest is Ivan Novikov, CEO at Wallarm, sharing insights on the recent United States ruling that bars certain Chinese and Russian connected car tech from being imported into the US. QR code shenanigans. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest is Ivan Novikov, CEO at Wallarm, sharing insights on the recent United States ruling that bars certain Chinese and Russian connected car tech from being imported into the US and its impact. Selected Reading Chinese and Iranian Hackers Are Using U.S. AI Products to Bolster Cyberattacks (Wall Street Journal) Update: Cybercriminals still not fully on board the AI train (yet) (Sophos) Unprotected AI service streams private Slack messages for 30 bucks a month (Cybernews) Engineering giant Smiths Group discloses security breach (Bleeping Computer) Rockwell Patches Critical, High-Severity Vulnerabilities in Several Products (SecurityWeek) New Apple CPU side-channel attacks steal data from browsers (Bleeping Computer) SLAP (Predictors Fail) Meow-ware gang: the cyber cats who humiliate their prey (Cybernews) Hackers Attacking Windows, macOS, and Linux systems With SparkRAT (GB Hackers) Unmasking FleshStealer: A New Infostealer Threat in 2025 (Flashpoint) Threat Actors Exploit Government Websites for Phishing (Infosecurity Magazine) Christian Walther: "@gvy_dvpont Got me thinking… c…"  (Mastodon) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com delete me dot com slash n two k and use promo code and two k at checkout the only way to
get twenty percent off is to go to join delete me dot com slash n two k and enter code and
two k at checkout that's join delete me dot com slash n two k code and two k. Hackers linked to China and Iran are using AI to enhance cyber attacks.
An AI-powered messaging tool for Slack and Discord is reportedly leaking user data.
British engineering giant Smith's Group suffers a cyber attack.
Rockwell Automation details critical and high severity vulnerabilities.
Researchers warn of new side channel vulnerabilities in Apple CPUs.
The Hellcat Ransomware gang looks to humiliate its victims.
Spark Rat targets Mac OS users and government entities.
Flashpoint looks at flesh stealer malware. Cyber criminals leverage trust in government websites. Our guest is Ivan
Novikov, CEO at Wallarm, sharing insights on the recent US ruling that bars certain
Chinese and Russian connected car tech from being imported into the US. And QR
code shenanigans. It's Wednesday, January 29th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Wednesday and thank you for joining us here today.
The Wall Street Journal, in an exclusive, says hackers linked to China, Iran, and other
foreign governments are using AI, including Google's Gemini chatbot, to
enhance cyber attacks. These groups leverage AI for tasks like writing
malicious code, identifying vulnerabilities, and researching targets.
While Western officials have long warned about AI's misuse, Google's new findings
provide concrete examples of adversaries utilizing generative AI.
Chinese and Iranian hacking groups are the most active users of Gemini, treating it as
a research tool rather than a game-changing cyber weapon.
North Korean hackers use AI for job application cover letters, aiding espionage efforts, while
Russian groups use it sparingly for coding tasks.
In contrast, researchers at Sophos conclude cybercriminals on underground forums remain
largely skeptical about generative AI, with little evidence of its use in developing new
exploits or malware.
While some actors discuss ambitious AI applications, these remain theoretical. The primary concern is AI's potential misuse
for automating tasks like spamming, mass mailing,
and data analysis rather than creating novel threats.
Many cyber criminals see AI as overhyped
and unsuitable for complex operations.
For now, most are taking a wait and see approach,
assessing how AI
could integrate into their workflows over time. Meanwhile, China's deep-seek
AI with open source code raises concerns about unregulated misuse. US intelligence
officials warn that AI is becoming a crucial factor in global cyber and
military strategies. Google urges tighter export controls and faster AI adoption in U.S. defense to maintain its
technological edge.
StructChat, an AI-powered messaging tool for Slack and Discord, claims to prioritize privacy.
However, researchers at CyberNews found an exposed Apache Kafka broker instance
streaming user data without security measures. Despite multiple disclosure attempts, the
leak remains open as of yesterday, posing a severe risk to users. The leak includes
sensitive Slack data such as usernames, emails, conversations, team details, and internal
URLs. In just one hour, data from over 1,000 users across 200 companies was exposed. This
information could be exploited for phishing, identity theft, or corporate espionage. Struct
Chat, which uses OpenAI's chat GPT for summaries, has not responded to inquiries.
British engineering giant Smiths Group is working to restore systems following a cyber
attack that led to unauthorized access. The company quickly isolated affected systems
and activated business continuity plans. Smiths is collaborating with cybersecurity experts
to assess the impact and comply with regulations. While the exact nature of the attack remains
unclear, it may involve ransomware as taking systems offline is a common
response. No ransomware group has claimed responsibility. The company with 15,000
employees worldwide promises updates as needed.
Rockwell Automation has released six security advisories detailing critical and high severity
vulnerabilities in its products.
In the Factory Talk software, critical flaws in View Machine Edition and high severity
issues in View Site Edition could allow remote and local attackers to execute commands or access
system configurations.
Other vulnerabilities include a critical SQLite flaw in Data Mosaics Private Cloud, a denial
of service issue in the ICE-2 controller, and credential exposure in PowerFlex 755.
While there's no evidence of active exploitation, CISA has issued advisories urging organizations
to apply patches to protect industrial automation systems from potential threats.
Security researchers from the Georgia Institute of Technology and Ruhr University, Bochum,
have discovered new side-channel vulnerabilities in modern Apple processors that could leak sensitive
information from web browsers.
Named FLOP and SLAP, these attacks exploit flaws in speculative execution, the same underlying
issue behind Spectre and Meltdown.
The attacks target M2 or A15 and newer Apple CPUs, which predict memory addresses and data values to speed
up processing. However, mispredictions can expose sensitive information, potentially
allowing attackers to bypass browser sandboxes and steal data in Safari and Chrome via malicious
JavaScript or WebAssembly code. The researchers disclosed SLAP in March of last year and FLOP in September.
Apple acknowledged the flaws and pledged to address them, but no fixes have been released.
The company stated that it does not see an immediate risk to users, though researchers
warn of real-world security implications.
The Hellcat Ransomware Gang, emerging in 2024, employs a ransomware-as-a-service model but
stands out for its humiliating tactics against victims.
According to Cato researchers, Hellcat uses psychological pressure alongside standard
double extortion, threatening to leak stolen data if ransoms aren't paid. Notable attacks
include Schneider Electric, where hackers demanded $125,000 in baguettes
instead of cash. They also leaked 40 gigabytes of sensitive data. Other
targets include a US university, a French energy company, and an Iraqi city
government. Hellcat prioritizes public embarrassment over financial gain, selling access to compromised
systems cheaply rather than demanding large ransoms.
Their approach signals a potential evolution in cyber extortion, blending traditional financial
motives with psychological warfare to pressure victims. Moving from cats to rats, researchers from Hunt.io have uncovered new SparkRat operations,
exposing its persistent use in cyberespionage against macOS users and government entities.
Originally released on GitHub in 2022, SparkRat is a cross-platform remote access trojan targeting Windows, macOS, and
Linux.
Linked to North Korean cyber campaigns, SparkRat has been distributed via fake meeting platforms
and gaming sites.
Researchers from Hunt and Kato Networks identified C2 servers in Korea and Singapore using port
8000 for communication.
An Android APK linked to SparkRat further extends its attack surface.
Analysts recommend monitoring HTTP headers, JSON error messages, and network traffic for
detection.
Hunt, Cato Networks, and other cybersecurity researchers continue investigating SparkRat's evolving
infrastructure and tactics to mitigate this growing threat.
Researchers at Flashpoint look at FleshStealer, a credential-stealing malware that first emerged
in September of last year.
Written in C-sharp, it uses encryption to evade detection and terminates itself if debugging is detected.
It also avoids execution in virtual machine environments, preventing forensic analysis.
FleshStealer targets Chromium and Mozilla-based browsers, extracting credentials, crypto wallet
data and 2FA extensions from over 70 sources.
It can reset Google Cook cookies for further exploitation.
The malware is lightweight and offers 24-7 support for cybercriminals, with logs decrypted
directly on its web-based control panel.
For nearly two years, cybercriminals have been quietly exploiting vulnerabilities in
government websites, using their trusted.gov domains to launch
phishing campaigns.
According to Kofence Intelligence, attackers have turned these sites into weapons, leveraging
them to host credential phishing pages, act as command and control servers, and redirect
unsuspecting users to malicious destinations.
A particularly insidious tactic is the abuse of open redirects, where a compromised government
site unknowingly forwards visitors to phishing links.
Victims, seeing a trusted government address, click without hesitation, only to land on
pages designed to steal their credentials.
The United States, Brazil, and Colombia have been among the hardest hit, with U.S. government
domains accounting for 9 percent of total cases.
In most instances, these domains were exploited to bypass email security gateways like Microsoft
ATP, Proofpoint, and Mimecast, ensuring phishing emails reached inboxes undetected.
What's most alarming is how deliberate this campaign appears.
Instead of opportunistically attacking any vulnerable site, cyber criminals first
design their phishing campaigns and then seek out compromised government domains
to give their attacks credibility.
Their strategy is methodical, their execution precise. Coming up after the break, my conversation with Ivan Novikov, CEO at Wallarm, we're
discussing the recent US ruling that bars Chinese and Russian connected car tech, and
QR code shenanigans. Stay with us.
Cyber threats are evolving every second and staying ahead is more than just a
challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely.
Visit threatlocker.com today to see how a default deny approach can keep your company
safe and compliant.
Do you know the status of your compliance controls right now?
Like right now?
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to Ivan Novikov is CEO at Wallarm.
I recently caught up with him to discuss a recent US ruling that bars certain Chinese
and Russian connected car tech.
Ultimately, what do we have now, right, at the market as there is plenty of Chinese car
makers, right, the automobile vehicle makers already are ready to kind of like fulfill
the market by a lot of new cars, right, they're cheaper and in many cases even more convenient for customers, specifically to count latest
features such as the amount of electronics they have and so on. And that's, I think, what
they want to do is to kind of prevent American customers against using these cars in the future,
because they might be very inexpensive and also kind of like rich by features.
Why? Because ultimately, there is plenty of cars that exist in the market already connected.
And connected cars means not only sending your current location, but also in many cases send some parts,
if not all the video stream from some cameras or leaders
or different other electronic components
that built in a car, including microphones and so on.
So cars are full of electronics and this parts
and components connected to the cloud.
So they want to protect privacy at personal level, right?
And also kind of government privacy, because if it's plenty of cars, they can literally
film everything around, right?
And you don't even know what could be filmed outside of the car.
I guess what they want to do is to kind of improve security level very proactively before
American market kind of like fulfilled by these Chinese cars.
What sort of components are we talking about here?
Sure, I mean it's not a secret, right? Many of these electronic components such as chips, right, produced in China or Taiwan,
which is, you know, very unclear region is it for now.
So, and then that's specifically an interesting part of those and
definitely these components, software and hardware components, as you can see
in this notice, in this requirement, right, they split hardware and software a little bit separately
and they can kind of like push software a little bit faster than hardware. Hardware is not that easy to replace because many of American car vendors and car makers
using this Chinese hardware.
All right.
We're mainly talking about pretty much everything that connects cars.
Definitely the chips itself, right? And less about AI components,
because many of them produced by Intel and Nvidia,
they're based in states, right?
But all this component that basically make this car
connect to the cloud, to the main servers,
that's what I'm talking about.
So built-in embedded systems servers, that's what I'm talking about.
So built-in embedded systems and built-in computers and definitely all the lidars and
cameras, all of this.
This rule was put in by the Commerce Department, of course, under the previous administration.
Do we suspect that this rule will hold with the Trump administration coming
into office?
This is a little bit kind of like unclear, but is it for me, this question is definitely
kind of rely on the main point that they have to make.
The main point is like, who will enforce this, right?
Ultimately, it should be the Department of Transportation, right,
who actually apply these rules and make this as, you know, in any form such as recall, right,
if you already own the car or kind of like, you know, some restriction for dealership to sell such
cars. And this is what we will see. So I really think that this may stay in any form, but most interesting how
the Department of Transportation will act on this and which new kind of rules, right,
or guidances or, you know, commands in that sense will be issued by the Department of Transportation.
I know you and your colleagues at Wallarm work with automakers.
You're looking at the potential vulnerabilities of components and the software and so on.
When you look at the big cyber risks when it comes to cars, what are some of the things
that you think folks should know about?
Yeah, you're right.
We're doing a lot of research and working with car makers and automotive
companies all over the world. Our main idea is to help them to secure their APIs. Basically,
the data layer used to connect cars and clouds, right? Or servers somewhere in the internet
to basically connect cars to the internet. And then what I have to say, first of all,
all the cars are vulnerable.
Some of them more, some of them less, but there is absolutely no vendor that can claim
that, hey guys, we're 100% secure.
All of them vulnerable.
There are a few things that I have to point that we call this kind of attack surface means,
which attacks and how and where attackers can do to compromise very specific cars or vendor in general.
So just a few things to mention.
First of all, there's definitely all the APIs related to dealerships and management,
such as technical station and so on.
They should be connected. And for attackers, it's kind of a lot of benefits
to hack them and hack many cars altogether, right?
Or rather than target very specific cars
such as mine and yours and others, right?
One by one, it's less productive for them.
The other thing overall, the data centers and clouds
that used to serve the data came from cars, right?
Imagine you have plenty of cars,
which is hundreds of times a minute connected to the cloud,
but you better to try to hack the cloud
rather than go after each car,
which could be everywhere, right?
The clouds itself and a dealership is the first thing
and then clouds of this automakers.
However, they definitely protect that much better
than many other IT components and systems
because automotive cars already recognize this risk
a while ago and they invest in this security.
And the third point, I guess,
overall communication protocols,
it could be a direct link between
your car and the cloud.
It could be some indirect links such as your Bluetooth that you can activate in the car
and some other guy can connect.
But this attacks a little bit more targeted.
And I really think that it's more about the more targeted internal system to break this,
to break them and steal your car,
rather than compromise your car during the driving.
However, dealerships and cloud providers,
and clouds like IT systems for built
to serve these connected cars,
definitely kind of number one,
number two priorities for attackers.
That's Ivan Novikov from Wallarm.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific
apps not the entire network, continuously verifying every request based on identity
and context, simplifying security management with AI-powered automation, and detecting threats
using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Hit pause on whatever you're listening to
and hit play on your next adventure.
Stay two nights and get a $50 Best Western gift card.
Life's the trip.
Make the most of it at Best Western.
Visit bestwestern.com for complete terms and conditions.
And finally, there's a popular optical illusion that features the faces of Albert Einstein
and Marilyn Monroe superimposed over one another.
Depending on how far away you are from the image, you see either Albert or Marilyn, and
if you vary your distance, the two faces seemingly morph back and forth.
The illusion takes advantage of the way our visual systems interpret contrast and sharpness
and how our brains prefer to lock in to the familiar.
Curious researchers wondered if the same effect could be applied to QR codes.
In a post on Mastodon, Guy Dupont experimented with using lenticular lenses on QR codes
to activate one of two different URLs, depending on the angle the code was
viewed at.
Christian Wathor took it to the next level, creating a version with no lens required,
taking advantage of the previously mentioned peculiarities of perceived contrast and sharpness.
Spoiler alert!
It works!
Depending on the distance your camera is from the QR code, you will be directed to one of two unrelated URLs.
Needless to say, this opens up a whole new world of possibilities for QR code shenanigans.
We'll have a link in the show notes. See for yourself. It's fun, and not just a little bit unnerving.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with Original Music and Sound Design by Elliot Peltsman.
Our executive producer is Jennifer Ibane.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kielpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. you