CyberWire Daily - New sandbox escape looks awfully familiar.
Episode Date: March 28, 2025

Mozilla patches Firefox flaw similar to actively exploited Chrome vulnerability. Russia-based RedCurl gang deploys ransomware for the first time. Ukraine's railway operator recovers from cyberattack. ...India cracks down on Google's billing monopoly. Morphing Meerkat's phishing kit abuses DNS mail exchange records. 300,000 attacks in three weeks. Our guest is Chris Wysopal, Founder and Chief Security Evangelist of Veracode, who sits down with Dave to discuss the increase in the average fix time for security flaws. And Liz Stokes joins with another Fun Fact Friday.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Chris Wysopal, Founder and Chief Security Evangelist of Veracode, discussing the increase in the average fix time for security flaws and the percent of organizations that carry critical security debt for longer than a year.

Selected Reading
After Chrome patches zero-day used to target Russians, Firefox splats similar bug (The Register)
Microsoft fixes Remote Desktop issues caused by Windows updates (Bleeping Computer)
Firefox fixes flaw similar to Chrome zero-day used against Russian organizations (The Record)
RedCurl's Ransomware Debut: A Technical Deep Dive (Bitdefender)
Ukraine's state railway restores online ticket sales after major cyberattack (The Record)
Google App Store Billing Policy Anti-Competitive, India Court Rules (Bloomberg)
Morphing Meerkat PhaaS Platform Spoofs 100+ Brands (Infosecurity Magazine)
Fresh Grandoreiro Banking Trojan Campaigns Target Latin America, Europe (SecurityWeek)
Malware distributed via fake DeepSeek ads on Google (SC Media)
GorillaBot Attacks Windows Devices With 300,000+ Attack Commands Across 100+ Countries (Cyber Security News)

Share your feedback.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity,
or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas
drive change. With career growth opportunities and a focus on work-life balance, you'll have
the flexibility to thrive both professionally and personally. Explore open cybersecurity
and technology roles today
at Vanguardjobs.com.
Mozilla patches Firefox flaw,
similar to actively exploited Chrome vulnerability.
Russia-based RedCurl gang deploys ransomware for the first time.
Ukraine's railway operator recovers from cyberattack.
India cracks down on Google's billing monopoly.
Morphing Meerkat's phishing kit abuses DNS mail exchange records.
300,000 attacks in three weeks.
Our guest is Chris Wysopal, founder and chief security evangelist of Veracode, who sits
down with Dave to discuss the increase in the average fix time for security flaws.
And Liz Stokes joins us with another Fun Fact Friday. Today is Friday, March 28, 2025.
I'm Maria Varmazis in for Dave Bittner, and this is your CyberWire Intel Briefing. Happy Friday everybody, let's get into it.
Mozilla has issued a patch for a critical Firefox vulnerability that could allow attackers
to perform sandbox escapes on Windows, The Register reports.
The flaw is similar to an actively exploited vulnerability patched by Google in the Chrome
browser earlier this week.
The Chrome vulnerability, which Kaspersky says was being exploited to target Russian
entities and individuals, enabled attackers to bypass the browser's sandbox protections
as soon as the victim clicked on a phishing link.
Mozilla stated: "Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern
in our interprocess communication code.
Attackers were able to confuse the parent process into leaking handles into unprivileged
child processes, leading to a sandbox escape."
Bitdefender says the Russia-based threat actor RedCurl, which has been conducting data theft
since 2018,
has launched its first ransomware campaign. RedCurl is a mysterious group whose motivations
are unclear. The threat actor seems to be financially motivated, but there's no evidence
that it extorts its victims after stealing their data. Bitdefender hypothesizes that RedCurl is
either a mercenary hacker group conducting corporate espionage or that it conducts extortion negotiations
discreetly. The researchers note that the former hypothesis "could potentially explain their current interest in ransomware that targets
infrastructure rather than endpoint computers. In a mercenary model, ransomware could serve as a diversion, masking the true objective,
which is a targeted data exfiltration operation."
In this recent campaign,
the group deployed a new strain of ransomware dubbed
QWCrypt targeting only hypervisors.
Bitdefender explains that this focused targeting
can be interpreted as an attempt to inflict maximum damage
with minimum effort.
By encrypting the virtual machines hosted on the hypervisors,
making them unbootable, RedCurl effectively disables the entire
virtualized infrastructure, impacting all hosted services.
Interestingly, they deliberately excluded specific VMs that acted as
network gateways, demonstrating their familiarity with the network implementation.
Ukraine's state railway operator, Ukrzaliznytsia, has restored online ticket sales following
a cyberattack earlier this week, according to The Record.
The incident didn't affect train schedules, but online services were disrupted for several
days.
The company hasn't shared details on the attack, but said no sensitive information was compromised.
Ukraine's Ministry of Justice assisted in the recovery.
Passengers who purchased paper tickets during the cyber attack
will be offered free tea on board.
How nice.
In a significant ruling, an Indian appeals court has upheld
the Competition Commission of India's determination
that Google's App Store billing policies are anticompetitive
and detrimental to developers.
This decision mandates that Google must permit alternative billing systems for in-app purchases on its platform,
challenging its current practices.
The ruling aligns with increasing global scrutiny over Google's dominance in the App Marketplace
and its imposition of restrictive billing practices.
This ruling illustrates the mounting regulatory challenges that Google faces worldwide
regarding its App Store operations.
Infoblox has published a report on a phishing kit
that uses DNS mail exchange or MX records
to dynamically serve phishing pages
that spoof over 100 brands.
MX records specify which mail server is responsible
for receiving incoming emails sent to a domain.
In this case, the phishing kit uses MX records to identify the victim's email service provider
and dynamically serve fake login pages.
The kit is designed to harvest email user login credentials and is currently able to
impersonate 114 brands.
The threat actor behind this activity, dubbed Morphing Meerkat,
has been peddling its phishing as a service platform
since at least January 2020.
The Grandoreiro banking Trojan has resurfaced
in a new phishing campaign targeting users
in Latin America and Europe.
Active since at least 2016,
Grandoreiro initially focused on Brazil, but expanded
to Mexico, Portugal, and Spain around 2020. Despite law enforcement efforts in 2021 and
2024, including the arrest of several operators, the Trojan persists. And by early 2024, it
targeted over 1,500 banking applications across more than 60 countries, impersonating government entities from Argentina,
Mexico, and South Africa.
Later that year, its scope widened to 1,700 banks
and 276 cryptocurrency wallets,
extending into Asia and establishing it
as a global financial threat.
Recent campaigns involve phishing emails
masquerading as tax agency communications,
particularly in Argentina, Mexico, and Spain.
These emails utilize legitimate hosting services like Contabo and OVHcloud,
directing victims to download malicious files from platforms such as MediaFire.
Once executed, the malware steals credentials, searches for Bitcoin wallet directories,
and connects to a command and control server.
To mitigate risks, users should exercise caution with unsolicited emails,
especially those claiming to be from tax authorities,
and employ robust cybersecurity tools to detect and prevent such threats.
Threat actors are exploiting the growing popularity of the Chinese artificial intelligence platform DeepSeek
by distributing malware through counterfeit sponsored ads on Google.
Users searching for DeepSeek encounter malicious advertisements that redirect them to convincingly crafted fake websites.
These sites then prompt users to download a file which, when executed, deploys a Microsoft Intermediate Language-based Trojan identified
as malware.ai.1323738514.
This malware poses significant security risks, including unauthorized access and data theft.
Security experts advise users to exercise caution by avoiding sponsored search results,
verifying website URLs before downloading software,
and considering the use of ad blockers to minimize exposure to such threats.
This campaign coincides with increasing scrutiny of DeepSeek,
leading to bans in regions like Texas over data privacy concerns.
GorillaBot, which is a sophisticated botnet built upon the Mirai framework,
has executed over 300,000 attack commands across more than 100 countries within a three-week period.
Discovered by the NSFocus global threat hunting team,
GorillaBot targets industries including telecommunications, finance, and education.
It infects devices by exploiting vulnerabilities in Internet of Things systems and poorly secured endpoints, converting them into instruments for distributed denial of service attacks
and other malicious activities.
The malware employs advanced encryption and anti-debugging techniques, such as a custom
XTEA-like cipher for securing command and control communications and mechanisms to detect virtualized
analysis environments, making detection and analysis challenging.
To mitigate the risk posed by GorillaBot, organizations are advised to regularly patch vulnerabilities in IoT devices,
deploy advanced intrusion detection systems capable of identifying encrypted communications, and
utilize real-time malware behavior analysis tools.
Stick around. After the break, Dave Bittner chats with Chris Wysopal, founder and chief
security evangelist at Veracode, about why the average time to fix security flaws is
on the rise. Plus, our very own producer, Liz Stokes,
has a fun fact about passwords that you don't want to miss.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from
hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been
done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when
you go to joindeleteme.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout.
That's joindeleteme.com slash N2K, code N2K.
Are you frustrated with cyber risk scores backed by mysterious data, zero context and cloudy reasoning?
Typical cyber ratings are ineffective and the true risk story is begging to be told.
It's time to cut the BS.
BlackKite believes in seeing the full picture with more than a score, one where companies
have complete clarity in their third-party cyber risk using reliable quantitative
data.
Make better decisions.
Reduce your uncertainty.
Trust BlackKite.
Our very own Dave Bittner recently caught up with Chris Wysopal, founder and chief
security evangelist at Veracode.
They explored the growing delays in security flaw remediation and the surprising percentage
of organizations that carry critical security debt for over a year.
Here's their conversation.
You know, Veracode is a SaaS provider, so we have access to a lot of the data from our customers as
they build software, test their software, remediate their software.
So by anonymizing their data and basically analyzing it, we get a great visibility into
how people are building software and how secure it is.
One of the things that caught my eye in the report is the focus on the average fix time
for security flaws.
Can you describe that for us?
First of all, let's explain what we're talking about when we say average fix time.
Yeah. So when someone builds
some software and they write some code,
they typically then will do a security test on that code.
So a lot of this is automated,
so it's just part of the building process,
building the software, you test it,
and you find a vulnerability in the software.
You don't always fix it right away.
You could fix it right away,
but more often than not,
you have other things that are more pressing
than fixing a security bug.
You're trying to finish your feature.
You're trying to get another feature done.
So people just essentially put it on the backlog.
They sit, they record it, they write it down,
they put it in a ticketing system,
and they say, I'll get to this later.
And so the time between when the vulnerability was found and when the vulnerability is fixed
is what we call fix time.
And the trend for that time has been headed in the wrong direction it would seem?
Yeah, it's really kind of, it's interesting.
It's something that is a little bit unexpected. And we've been doing this for 15 years.
And back in 2010, the average, and this is the average,
obviously some things are fixed much quicker and some things are fixed much later,
but the average was 59 days.
Then we looked at our data from 2020, just five years ago.
It was 171 days. So quite a jump, right?
It pretty much almost tripled there.
And you'd think, well, how much worse can it get?
And then in the last five years,
it's gone from 171 days to 252.
So it's increased significantly again.
So this is something that we're kind of trying
to piece apart, like what are some people doing right and what
are some people doing wrong that's causing it to take so long to fix vulnerabilities?
So, yeah, let's unpack that together. I mean, what do you suppose is behind these numbers?
Yeah, so I really think that software is getting more complex to maintain. And when things go wrong,
it's getting more difficult to fix them.
And some of the reasons are,
cloud-based apps are just very complicated.
People are using lots of different technologies.
They're using containers,
they're using something called microservices,
which is basically building a whole bunch of small programs.
They're using serverless architectures,
which is the code is running in the cloud computers,
your cloud provider's environment.
And all these different ways of writing code
gets stitched together to form an app
that you might think of,
hey, I'm logging into my banking app,
or I'm using Netflix.
Well, behind those things that you see on the surface with the UI, there's dozens and
perhaps hundreds of little pieces of code that are all working together.
When a vulnerability is found in one of those pieces of code, you got to hunt down like
who's going to fix it?
When are we going to fix it?
Is it going to change some things about the system?
The more fragmented software gets,
the more difficult it is to fix.
The other big reason we're seeing this is,
there's a lot of open source being used,
which means a development team pulls down
an open source package that some open source developers wrote.
They don't know them. It was published on a package repository,
and they're just using it.
Well, when a vulnerability is discovered in that package,
it oftentimes is not easy to just pull down a new package
and say, hey, I just want the fixed one.
Just give me the fixed one, because you build up
all these different dependencies with other packages
you're using.
So the way we're building software
is essentially getting more complicated
and there's more dependencies that need to be fixed
in order to actually remediate a vulnerability.
Well, I mean, all vulnerabilities are not created equal.
So do you have any sense for the kinds of things
that are being put off here?
Well, that's really one of the other really
interesting findings is, as a cybersecurity professional,
I think in the impact or the risk of a vulnerability.
Is it going to just maybe put out some wrong data,
like give the wrong answer?
Or is it going to crash my system, or is it
going to let an attacker steal all of my data?
These are all the different impacts of different kinds of vulnerabilities.
And so as security professionals, we really rank them from high severity to low severity.
We say, hey, fix the high severity ones first.
One of the interesting things we found was developers don't, they don't think this way.
Even if something is marked a high severity vulnerability, they might go and fix a medium
severity vulnerability first because it's more convenient for them. It might be easier to fix.
It might be in the code that they're working on. So, you know, something that might be right in
front of them today, hey, I'll go and fix that one. So we find that the vulnerabilities aren't often fixed
in order of risk.
And sometimes the high risk vulnerabilities
are put off longer than the low risk vulnerabilities.
So this is something that I think some education
can help developers prioritize better.
One of the other things that the report pointed out
was this notion of critical security debt,
the debt that's been open for longer than a year.
And you all found that a high number of organizations are carrying this kind of debt.
Yes, yes.
We found that 70% or 75% of organizations have this kind of debt, and it was 70% last year.
So it's getting worse.
Now the flip side of this is 25% of our customers have found a way to fix all their vulnerabilities
within a year.
So it's possible to do this.
And we kind of split them apart, and we called them industry leaders and industry laggards to try to tease apart.
There are companies that are able to build secure software and they're staying on top of it.
It's getting harder to remediate the code, but they're staying on top of it.
And then there are other organizations that are not doing that.
So we see a big difference.
You know, it's sort of the security haves and the have nots.
We see across our customers, there's lessons to be learned from the leaders, and maybe
the lagging organizations can take some of those lessons.
Are there any commonalities here?
I mean, the folks who are finding success and taking care of these things early,
anything that they share with the folks
who are doing that along with them?
Yeah, one of the challenges is older software.
Older software that's been around for 10, 15 years
or is just larger, it's been worked on
by maybe hundreds of developers instead of a few developers,
it becomes more difficult to manage that software
and it becomes harder to fix the vulnerabilities,
especially when they're third party vulnerabilities
coming in from open source packages.
To some degree, no one wants to touch anything
unless they absolutely have to.
So we find that those larger applications,
people end up actually carrying more risk and they accept that security debt.
Whereas smaller applications that are maybe just a few years old, teams are able to keep up.
So I think this is one of those lessons that maybe we should be breaking software into smaller components that are easier to manage.
What are the take homes for you in terms of this year's state of software security report?
What do you hope people take away from it?
Yeah, I think one thing people should realize is remediation capacity, like how much effort
you're going to put towards it is a choice.
It isn't something, it's something that your product management and your engineering team
can decide on and you can manage the level of risk, but you have to decide on how much
capacity are you going to put towards fixing vulnerabilities and how are you going to make
a trade off between say new features and fixing bugs?
And that's an important thing for every company to think about.
Security that doesn't, unfortunately, it does sort of just happen, but it doesn't have to
be that way.
You can be more planful about it.
The other thing is we're starting to see the usage of AI, generative AI,
and products like Copilot to write code.
And that allows developers to write code a lot faster.
But what we found is it doesn't necessarily
make that code any more secure.
It actually is about as secure as an average developer
would write the code.
And that's because that's how it's
learned to write code is from other developers' code that's
been published.
But the challenge is AI writes code faster, right?
So it can create more vulnerabilities faster.
So I think this is one of the more dangerous times.
And we're going to be watching this for our next
State of Software Security Report next year,
kind of a dangerous time for software development
when we're kind of charging ahead using these
AI code generation tools because they increase productivity.
They'll just write more software faster.
But we haven't really got grips on how are we going to maintain
the same level of security?
Who's going to fix all these bugs?
And are we ready for that faster code writing and faster vulnerability generation?
So this is something I'll be looking forward over the next year, making sure that we have
a solution for this.
That's a really an interesting inflection point.
And I suppose the flippant answer would be, well, it's AI all the way down, right, Chris?
Yeah, every problem solved by AI, we just use AI.
Every problem created by AI, we use AI to solve.
What could possibly go wrong?
There will be more AI fixing code, and we just have to make sure it's fixing the code
correctly.
That's right. So that's the challenge going forward.
That was Chris Wysopal, founder and chief security evangelist at Veracode.
If you enjoyed the discussion, make sure to tune in daily for more expert insights on the latest industry trends.
Is your AppSec program actually reducing risk?
Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why?
Traditional tools use generic prioritization and lack the ability to
filter real threats from noise. High-impact threats slip through and
surface in production, costing 10 times more to fix.
OX Security helps you focus on the 5% of issues that truly matter before they reach the cloud.
Find out what risks deserve your attention in 2025.
Download the Application Security Benchmark from OX Security.
Hey there, I'm Liz Stokes, and welcome to Fun Fact Friday, where each week I bring you a fascinating tidbit from the worlds of cybersecurity and space, whether it's quirky or mind-blowing
or just plain fun.
This week, we're going to be diving into something that we all use but may not always
think about.
Passwords.
It's definitely the perfect way to kick off your weekend with something interesting.
So, sit back, relax, and I hope you enjoy this week's Fun Fact about passwords.
And who knows, maybe you'll learn something new too.
Welcome to Fun Fact Friday, your one stop shop for the quirkiest tidbits of wisdom.
I'm your host Liz Stokes here at N2K CyberWire.
Today we're taking a step back in time, 1961 to be exact.
While NASA astronauts were gearing up to land on the moon, over at MIT, a man named Fernando Corbató
was busy creating the world's first digital password system. With his Compatible Time-Sharing
System, users could log in, manage their own files, and feel super high-tech while doing it.
Now, the first ever password is lost to history, but let's be honest, odds are it was something like password123.
So next time you're updating your password, remember you're part of a legacy.
Just maybe aim for something a little stronger next time.
See you soon.
That was our one and only Liz Stokes with Fun Fact Friday.
And if you enjoyed that and want to hear more of her fascinating facts, head on over to
our N2K YouTube page for a treasure trove of fun and interesting tidbits.
And that's the CyberWire.
For a link to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to join us for an all-new Research Saturday, where Dave sits down with Jon Williams,
vulnerability researcher from Bishop Fox, as they discuss research on tearing down
SonicWall, decrypting SonicOSX firmware.
That's Research Saturday, check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams, while making your teams smarter.
Learn how at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher,
and I'm Maria Varmazis in for Dave Bittner.
Thanks for listening.
Have a great weekend.
Cyber threats are evolving every second, and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit threatlocker.com today
to see how a default deny approach
can keep your company safe and compliant.