CyberWire Daily - FamousSparrow’s sneaky resurgence.
Episode Date: March 27, 2025

China’s FamousSparrow is back. A misconfigured Amazon S3 bucket exposes data from an Australian fintech firm. Researchers uncover a sophisticated Linux-based backdoor targeting industrial systems. Infiltrating the BlackLock Ransomware group’s infrastructure. Solar inverters in the security spotlight. Credential stuffing gets automated. CISA updates the Known Exploited Vulnerabilities catalog. The UK’s NCA warns of online groups involved in sadistic cybercrime and real-world violence. Authorities arrest a dozen individuals linked to the now-defunct Ghost encrypted communication platform. Our guest is Tal Skverer, Research Team Lead from Astrix, discussing the OWASP NHI Top 10 framework. Remembering our friend Matt Stephenson.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined by Tal Skverer, Research Team Lead from Astrix, who is discussing the OWASP NHI Top 10 framework and how teams can use these as they implement NHIs into their systems.
Selected Reading
Chinese Spy Group FamousSparrow Back with a Vengeance, Targets US (Infosecurity Magazine)
Aussie Fintech Vroom Exposes Thousands of Records After AWS Misconfiguration (HackRead)
New Sophisticated Linux Backdoor Targets OT Systems via 0-Day RCE Exploit (GB Hackers)
Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor's Infrastructure (Resecurity)
Dozens of solar inverter flaws could be exploited to attack power grids (Bleeping Computer)
Threat Actors Using Powerful Cybercriminal Weapon 'Atlantis AIO' to Automate Credential Stuffing Attacks (Cyber Security News)
CISA Adds Sitecore CMS Code Execution Vulnerability to List of Known Exploited Vulnerabilities (Cyber Security News)
NCA Warns of Sadistic Online “Com” Networks (Infosecurity Magazine)
12 Cybercriminals Arrested Following Takedown of Ghost Communication Platform (Cyber Security News)
Matt Stephenson remembrance (LinkedIn)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting-edge solutions. Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at Vanguardjobs.com.
China's FamousSparrow is back. A misconfigured Amazon S3 bucket exposes data from an Australian fintech firm. Researchers uncover a sophisticated Linux-based backdoor targeting industrial systems. Infiltrating the BlackLock ransomware group's infrastructure. Solar inverters in the security spotlight. Credential stuffing gets automated. CISA updates the Known Exploited Vulnerabilities catalog. The UK's NCA warns of online groups involved in sadistic cybercrime and real-world violence. Authorities arrest a dozen individuals linked to the now-defunct Ghost encrypted communication platform. Our guest is Tal Skverer, research team lead from Astrix, discussing the OWASP NHI Top 10 framework. And remembering our friend, Matt Stephenson.

It's Thursday, March 27th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today. It is great to have you with us.
The China-linked hacking group FamousSparrow has resurfaced after years of apparent inactivity, targeting organizations in the US, Mexico, and Honduras, according to a March 26 report from ESET. Once known for exploiting the ProxyLogon flaw and focusing on hotels, the group has broadened its scope to include governments, research institutions, and law firms. The group used upgraded versions of its signature SparrowDoor backdoor and, for the first time, deployed the ShadowPad backdoor, often associated with other Chinese APTs. Although Microsoft previously suggested FamousSparrow is part of a larger cluster, including GhostEmperor and Salt Typhoon, ESET maintains it is a distinct group with limited overlap. The recent campaign began in June of last year through web shells on outdated Windows Server and Exchange systems. The toolset combined custom malware and shared resources tied to other Chinese-aligned threat actors, showing a renewed and evolving cyberespionage capability.
Cybersecurity researcher Jeremiah Fowler uncovered a major data exposure involving Australian fintech firm Vroom by YouX, formerly DriveIQ. A misconfigured Amazon S3 bucket left 27,000 sensitive records, including driver's licenses, medical records, bank details, and partial credit card numbers, publicly accessible without password protection or encryption. Fowler also found evidence of a MongoDB instance holding 3.2 million documents, raising additional security concerns. Vroom, an AI-powered vehicle financing platform, quickly secured the exposed data and pledged a post-incident review. The records dated from 2022 through 2025, highlighting ongoing risks in data handling. Fowler stressed the potential for fraud, including identity theft and social engineering, and urged fintech firms to adopt stronger security measures. He emphasized end-to-end encryption, regular audits, and data minimization as key defenses.
Researchers at Qi'anxin XLab uncovered OrpaCrab, a sophisticated Linux-based backdoor targeting ORPAK industrial systems tied to fuel services. Discovered in January 2024, the malware uses the MQTT protocol for covert command and control, blending in with legitimate traffic. It persists via startup scripts and encrypts configuration data. It also uses DNS over HTTPS to evade detection. Linked to the CyberAv3ngers hacking group, OrpaCrab may have compromised Gasboy fuel systems, posing risks to payment terminals and customer data.
Earlier this month, cybersecurity firm Resecurity identified a critical vulnerability in the data leak site of BlackLock ransomware, a ransomware-as-a-service group active since March 2024. The flaw allowed Resecurity's HUNTER team to infiltrate BlackLock's infrastructure, gathering intelligence on their operations, network configurations, and storage methods, including the use of MEGA accounts for exfiltrated data. The breach revealed that BlackLock had compromised at least 46 organizations across various sectors globally. Subsequent events in early 2025 suggest that rival ransomware group DragonForce may have exploited similar vulnerabilities, leading to the defacement and shutdown of BlackLock's data leak site and associated projects. These developments underscore the dynamic and volatile nature of cybercriminal enterprises.
Researchers at Forescout's Vedere Labs uncovered 46 critical vulnerabilities in solar inverters from Sungrow, Growatt, and SMA, three of the world's top manufacturers. These flaws could allow attackers to remotely execute code, hijack devices via cloud platforms, and even disrupt power grids by altering inverter output. One vulnerability in SMA's Sunny Portal allows remote code execution through malicious file uploads. Growatt inverters are particularly exposed due to easily exploitable APIs, while Sungrow's architecture involves multiple vulnerabilities across components, including stack overflows and hard-coded credentials. Exploiting these could let attackers control fleets of inverters, potentially destabilizing grid operations by coordinating power surges or drops. Beyond grid disruption, attackers could compromise user privacy, hijack smart devices, or launch ransomware attacks. All vendors have reportedly issued patches. The findings highlight the urgent need for stronger security in renewable energy infrastructure and the potential consequences of compromised smart energy systems.
Credential stuffing, a long-standing cyber threat, has become more dangerous with the rise of Atlantis AIO, an advanced automation tool. This software allows attackers to test millions of stolen credentials rapidly across cloud platforms and email services, requiring minimal expertise. Its modular design evades detection through rotating proxies and distributed login attempts. Abnormal Security reports that since early 2025, Atlantis AIO has gained popularity in underground forums, enabling both novice and advanced attackers to carry out large-scale account compromises, data theft, and fraud.
CISA has added two critical Sitecore CMS vulnerabilities to its Known Exploited Vulnerabilities catalog due to confirmed active exploitation. The first allows unauthenticated remote code execution via a deserialization flaw in the Sitecore.Security.AntiCsrf module, while the second requires authentication but uses the same attack vector. Both impact Sitecore versions up to 9.1.0. CISA has mandated that federal agencies patch affected systems by April 16. Organizations should apply available fixes or implement temporary access restrictions immediately.
The UK's National Crime Agency, the NCA, has issued a stark warning about the rise of "Com" networks, online groups of sadistic, predominantly teen boys involved in cybercrime and real-world violence. These loosely organized groups use social media and messaging platforms to share extremist, violent, and child abuse content while engaging in crimes like phishing, SIM-swapping, ransomware, and fraud. The NCA's latest National Strategic Assessment highlights a six-fold increase in reported threats between 2022 and 2024, with thousands of offenders and victims in the UK and beyond. These networks often groom young girls, coercing them into self-harm or abuse. While foreign actors, particularly from Russia, still dominate the cybercrime landscape, the rise in homegrown youth involvement is alarming. Offenders seek profit, status, and notoriety. Recent convictions illustrate the danger, and the NCA stresses these groups aren't hidden on the dark web. They thrive in mainstream digital spaces frequented by young users daily.
Yesterday, Irish and Spanish authorities arrested 12 individuals linked to a high-risk criminal network using the now-defunct Ghost encrypted communication platform. Ghost, dismantled in September 2024 during a Europol-led international operation, was used by organized crime groups to coordinate drug shipments between Spain and Ireland. Despite attempts to evade detection, investigators traced Ghost user accounts to the suspects, who smuggled cocaine and marijuana using vehicles with hidden compartments and cloned license plates. Ghost, launched in 2015, offered ultra-secure messaging through modified smartphones with layered encryption and self-destruct features. The platform's takedown previously resulted in 52 global arrests, including its alleged administrator. Europol continues to support ongoing investigations, and further arrests are expected as digital evidence from the platform is analyzed.
Coming up after the break, my conversation with Tal Skverer, research team lead from Astrix. We're discussing the OWASP NHI Top 10 framework. And remembering our friend, Matt Stephenson. Stay with us.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game-changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe, now at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Are you frustrated with cyber risk scores backed by mysterious data, zero context, and cloudy reasoning? Typical cyber ratings are ineffective, and the true risk story is begging to be told. It's time to cut the BS. BlackKite believes in seeing the full picture with more than a score, one where companies have complete clarity in their third-party cyber risk using reliable quantitative data. Make better decisions. Reduce your uncertainty. Trust BlackKite.
Tal Skverer is a research team lead from Astrix. I recently caught up with him to discuss the OWASP NHI Top 10 framework.
OWASP really is a very well-known organization in helping developers write secure code and write secure applications. And they're most well-known for the famous Top 10 web application security risks. But since they made this and got really famous, and everybody's been using this framework for a while now, you have all these automated processes and tools that help you mitigate the risks that they work on in this original project. They actually started to host multiple projects, top 10 projects like mobile security and API security, and even recently, with the rise of LLMs and AI agents, they actually have the LLM top 10 risks. Basically, each of those projects is taking one big subject that is really relevant for a lot of developers and tackling this area from the web application security lens. And ever since the rise of the non-human identity category in the past year or so, it only seemed natural to also look at the NHI problem from the development perspective and the application perspective. So that totally prompted our initial communication with OWASP and suggesting this new top 10 project focusing on non-human identities.
Well, I'm an old-school guy, so when I hear the phrase non-human identities, I want to think about R2-D2, C-3PO, and maybe ELIZA, but that's not what we're talking about here. What exactly is entailed with non-human identities?
Right. So non-human identities, let me think of a good way to answer it, because I can both speak on the essence of non-human identities from the development perspective, which the project focused on, but just in general, when you consider non-human identities in an organization, it's basically every time you have an identity, a credential, basically any access to the organization that is required by some automated process that doesn't need to have a human involved. And that really ranges across a lot of different kinds of access into an organization. It could mean a third-party application to boost your business and help your salespeople improve their CRM experience, for instance, all the way to your development folks who will use non-human identities for their CI/CD, the automatic deployments, et cetera, and also ending up in your cloud environments. Now today, everybody is using cloud services, and within those cloud services, you need a lot of non-human identities to facilitate the access of different kinds of applications, of services that are hosted on your cloud environments. And all those kinds of identities basically fall into the category of non-human. We kind of cheated in this name because we simply say anything that is not human. But really it's a very large amount of identities. Current estimations place non-human identities at a ratio of about 1 to 20 to 1 to 50, depending on the environment, in favor of the non-humans. So really, there has been an explosion in this kind of identities.
Well, give us an idea of one of the common risks here with non-human identities and what the potential mitigation could be.
Sure, so we'll go into the number one, right? Straight to the top. After we'd been ranking the risks themselves, what ended up being in the top position, some people that were on the project were surprised by this becoming the number one and others weren't. It depends on how much time you have spent looking at problems with non-human identities. So the first, the number one risk, is improper offboarding, which, just as a background or a description of this risk, means that you created a non-human identity, so there's an identity being used somewhere in your organization, and then this non-human is no longer needed, it's not used, and maybe the owner of this non-human has left the organization, but the identity that was created for some kind of service was not off-boarded from the organization. Either it was completely forgotten about and nobody really tried to off-board it, or maybe it's actually been off-boarded improperly. So someone tried to off-board it, but didn't do it fully and still left some access to this non-human. This was the number one risk that was eventually ranked at the first position.

Just as an example, to make it more meaningful to anyone who's going to listen to this and wonder how it looks in real life: consider that you have a service account on your Kubernetes cluster. You created one to test some new service, a new feature, and you kind of forgot about it. And it's still there. It still has access to your cluster. The cluster is still up. But the Kubernetes service account itself is now supposed to be off-boarded, but it's still there. It still has access. And anyone getting access to your pod that contains this service account now has access to your entire cluster. So this is just one example.

Another very common example that we see: we see employees creating personal access tokens or different kinds of credentials during their work for work-related reasons, and then those employees leave the organization and this token stays somewhere within your organization, maybe facilitating some automated process. But it wasn't properly off-boarded when the person who created it left the organization, which is something that's supposed to happen because they might still have access to it. Maybe they saved the token on the local machine at home. Due to this improper off-boarding, your organization might be exposed to needless risk because now a non-employee may have access to your internal processes.
And when it comes to mitigation, so I'm actually going over the official website, these are actually the exact sections that we have for each risk. We have the description, we have example scenarios, and then we have the how-to-prevent section, or the mitigation section, which practitioners can use to mitigate the specific risk. So for improper off-boarding, first we have the necessity to have an off-boarding process, an official off-boarding process, that basically reviews all non-human identities that are associated with someone that is going to depart the organization.

So let me give some knowledge from the non-human identity world. There are basically two types of non-human identities when it comes to off-boarding. The first type is non-human identities that will be automatically disabled or removed once the employee is off-boarded, once the human identity of the employee is off-boarded. Those kinds of non-human identities are things like personal access tokens or OAuth apps that usually, we like to say, get disabled once the user, the human user, is disabled or off-boarded during this process. And the other type is the type of non-human identity that is not going to be off-boarded once the human user is disabled. And both can have a different impact on the organization. So the first one, from a risk perspective, is not an issue, but it may break one of your core systems once this human user leaves the organization. And thus we see a lot of times where human users are still being kept alive to avoid breaking some important service, because there is some non-human identity associated with the human user and the organization is afraid to break something critical. The second type is actually the riskier one, in which you have to apply a proper off-boarding process to detect all those non-human identities that the employee got exposed to during their work time. And once they leave the organization, you have to create new identities. So you have to create this process. And one way you can do it is actually to automate the off-boarding steps that you have in your HR system or your human management system. Every time that an employee is going to leave the organization, all the non-human identities that you see this employee as the owner of must, as part of the offboarding process, maybe be sent to the manager to handle the rotation of. And this is the main way to mitigate this risk.
That's Tal Skverer, research team lead from Astrix.

Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95 percent of fixes don't reduce real risk. Why? Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High-impact threats slip through and surface in production, costing 10 times more to fix. Ox Security helps you focus on the 5% of issues that truly matter before they reach the cloud. Find out what risks deserve your attention in 2025. Download the Application Security Benchmark from Ox Security.
And finally, the cybersecurity community has lost a true original. Matt Stephenson has passed away. Always the boldest dresser in the room, the man with a bow tie, the bright suit, the perfectly curated sneakers. And though he's gone, his impact remains vivid in the hearts and minds of everyone lucky enough to orbit his world.

To me, Matt was more than a colleague or a professional voice. He was the voice: charismatic, quick-witted, endlessly curious, and instantly magnetic. He had a rare gift, the ability to make every interaction feel like a reunion with an old friend, whether you were meeting him for the first time or the hundredth. His energy was larger than life, and yet it was never about him. It was about connection, finding common ground in music, comics, sports, tech, sneakers, or whatever topic would light up a stranger's face. Even in the most professional spaces, Matt brought levity and humanity. His presence made cybersecurity feel a little less intimidating, a little more approachable, and a whole lot more fun.

He was a storyteller, a traveler, a collector, a showman, and, from the stories shared by those closest to him, a fiercely loyal friend. He lived widely and openly, chasing memories across continents, from late-night karaoke to early-morning flights, from deep conversations to laugh-until-you-cry moments in bars with bad music and questionable food. He officiated weddings. He got lost in London. He made the ordinary feel epic.

In the end, Matt was surrounded by the people he loved, wrapped in music, stories, and shared memories, a fitting send-off for someone who lived his life as a celebration. The cybersecurity world is quieter today without Matt's booming voice, his trademark style, and his unshakable warmth. But the echo of his laugh, the weight of his kindness, and the stories he left behind will carry on in every room he once lit up. Rest well, Matt Stephenson. You were unforgettable.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.