CyberWire Daily - Open-source, open season.

Episode Date: June 25, 2025

Cybercriminals target financial institutions across Africa using open-source tools. Threat actors are using a technique called Authenticode stuffing to abuse ConnectWise remote access software. A fake version of SonicWall's NetExtender VPN app steals users' credentials. CISA and the NSA publish a guide urging the adoption of Memory Safe Languages. Researchers identify multiple security vulnerabilities affecting Brother printers. Fake AI-themed websites spread malware. Researchers track a sharp rise in signup fraud. A new Common Good Cyber Fund has been launched to support nonprofits that provide essential cybersecurity services. Tim Starks from CyberScoop joins us to discuss calls for a federal cyberinsurance backstop. A Moscow court says 'nyet' to more jail time for cyber crooks.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are again joined by Tim Starks, Senior Reporter from CyberScoop. Tim discusses his recent piece on "Federal cyber insurance backstop should be tied to expiring terrorism insurance law, report recommends."

Selected Reading
Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector (Unit 42)
Hackers Abuse ConnectWise to Hide Malware (SecurityWeek)
Fake SonicWall VPN app steals user credentials (The Register)
CISA Publishes Guide to Address Memory Safety Vulnerabilities in Modern Software Development (GB Hackers)
New Vulnerabilities Expose Millions of Brother Printers to Hacking (SecurityWeek)
Black Hat SEO Poisoning Search Engine Results For AI (ThreatLabz)
Half of Customer Signups Are Now Fraudulent (Infosecurity Magazine)
Common Good Cyber Fund Launched to Support Non-Profit Security Efforts (Infosecurity Magazine)
Russia releases REvil members after convictions for payment card fraud (The Record)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:00:40 day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:01:05 Just go to joindeleteme.com slash n2k and use promo code n2k at checkout. That's joindeleteme.com slash n2k, code n2k. Cybercriminals target financial institutions across Africa using open-source tools. Threat actors are using a technique called Authenticode stuffing to abuse ConnectWise remote access software. A fake version of SonicWall's NetExtender VPN app steals users' credentials. CISA and the NSA publish a guide urging the adoption of memory-safe languages. Researchers identify multiple security vulnerabilities affecting Brother printers. Fake AI-themed websites spread malware.
Starting point is 00:02:04 Researchers track a sharp rise in sign-up fraud. A new Common Good Cyber Fund has been launched to support nonprofits that provide essential cybersecurity services. Tim Starks from CyberScoop joins us to discuss calls for a federal cyber insurance backstop, and a Moscow court says 'nyet' to more jail time for cyber crooks. It's Wednesday, June 25th, 2025. I'm Dave Bittner,
Starting point is 00:02:37 and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. Research from Palo Alto Networks Unit 42 reveals that cybercriminals, tracked as CL-CRI-1014, are targeting financial institutions across Africa using open-source tools in a consistent attack playbook. These actors likely act as initial access brokers selling access on the dark web. Tools like PoshC2, Chisel, and ClassroomSpy, normally used for penetration testing and remote administration, are repurposed to move laterally, maintain persistence, and exfiltrate data.
Starting point is 00:03:32 The attackers disguise these tools using forged signatures and names resembling legitimate software. Notably, they've shifted from using MeshAgent to ClassroomSpy, which enables full remote control and monitoring. They also employ tunneling via Chisel and tailor implants to each environment. The attackers use PowerShell scripts, stolen credentials, and proxy setups to evade detection and maintain access. This campaign highlights growing threats to Africa's financial sector from actors leveraging free tools with professional-level precision.
Starting point is 00:04:10 Threat actors are abusing ConnectWise remote access software by injecting malicious code using a technique called Authenticode stuffing, according to G DATA. This method hides malware inside the software's certificate table without breaking its digital signature, allowing the altered application to pass security checks. The attackers exploit a ConnectWise workaround that stores config data in the certificate table, intended for customizing installers, by stuffing it with malicious payloads instead. In a campaign dubbed EvilConwi, modified ConnectWise clients are disguised as tools like AI image converters. These versions even fake Windows updates and hide installation indicators to avoid detection. Since March of this year, G DATA has seen a spike in such attacks. ConnectWise revoked the compromised signatures after being alerted, but the issue raises
Starting point is 00:05:09 concerns about exploitable trust in signed software. Threat actors are distributing a fake version of SonicWall's NetExtender VPN app to steal users' credentials. SonicWall and Microsoft discovered that attackers were using a modified NetExtender installer signed with a fake certificate and hosted on spoofed download sites. Users who downloaded the fake app unknowingly installed malware that captured VPN credentials, usernames, passwords, and domain info and sent them to a remote server. The attackers altered two files in the installer to bypass certificate validation and enable
Starting point is 00:05:51 data exfiltration. While the malicious sites and certificate were taken down, the ease of setting up new domains poses an ongoing risk. Users are advised to download software only from trusted sources like official vendor websites to avoid falling victim to similar credential-stealing campaigns. CISA and the NSA have released a guide urging the adoption of memory-safe languages to reduce software vulnerabilities. Memory-related bugs such as buffer overflows and use-after-free
Starting point is 00:06:25 errors account for up to 75% of CVEs in major platforms. The report highlights high-profile cases like Heartbleed and BadAlloc to stress the risks these flaws pose. Memory-safe languages such as Rust, Java, Go, and Python offer built-in protections like bounds checking and automated memory management, helping prevent entire classes of security issues. The guide recommends starting with memory-safe languages in new projects and high-risk components rather than rewriting all existing code. It also addresses transition challenges such as performance trade-offs and training needs.
Starting point is 00:07:08 Overall, the report promotes MSL adoption as a critical step toward more secure software development practices. Researchers at Rapid7 have identified eight security vulnerabilities affecting 689 Brother printer, scanner, and label maker models, as well as devices from Fujifilm, Ricoh, Konica Minolta, and Toshiba. Millions of home and enterprise printers are potentially exposed. The most
Starting point is 00:07:37 critical flaw lets attackers bypass authentication by generating a default admin password using the device's serial number. This can be combined with another flaw to extract that serial number. Six of the vulnerabilities can be exploited without authentication and could lead to denial of service attacks, unauthorized configuration changes, or data exposure. Brother patched most flaws but cannot fully fix one that's in existing firmware. A workaround is available and future devices will be manufactured differently. Other vendors have also issued advisories addressing the risks.
Starting point is 00:08:18 Zscaler ThreatLabz researchers have uncovered a malware campaign using fake AI-themed websites. Attackers are exploiting interest in tools like ChatGPT and Luma AI by using black hat SEO to push malicious sites to the top of search engine results. These sites deploy JavaScript to collect browser data, perform fingerprinting, and redirect users through several layers to deliver malware. The malware includes Vidar Stealer, Lumma Stealer, and LegionLoader. These payloads are often hidden in large, deceptive installer files and use tricks like antivirus checks, DLL sideloading, and process hollowing to evade detection.
Starting point is 00:09:03 The infrastructure is hosted through trusted platforms like AWS CloudFront, making the campaign harder to detect. Users are urged to download AI tools only from verified vendor websites to avoid infection. Okta's 2025 Customer Identity Trends Report reveals bots were behind 46% of customer registration attempts in 2024, marking a sharp rise in sign-up fraud. Okta attributes this increase to AI-driven attack workflows, which are reshaping trust
Starting point is 00:09:38 in digital identities. Retail and e-commerce sectors were most affected, followed by financial services and utilities. Attackers exploit sign-up processes to claim rewards, locate existing accounts, and execute resource-draining attacks. While users care about identity protection, many abandon sign-ups due to complex forms. Okta recommends defense strategies such as DDoS mitigation, bot filtering, CAPTCHA escalation, IP blocking, and web application firewall rules. The company also advocates for passkey adoption to reduce friction while maintaining security. A new Common Good
Starting point is 00:10:22 Cyber Fund has been launched to support nonprofits that provide essential cybersecurity services for public benefit. Backed by the UK and Canadian governments and endorsed by all G7 leaders, the fund aims to strengthen the resilience and sustainability of civil society groups working to counter threats like transnational repression. Managed by the Internet Society with strategic input from an expert advisory board, the fund will assist organizations that secure core digital infrastructure and provide cybersecurity aid to high-risk communities.
Starting point is 00:11:00 This includes tools, training, and rapid response services. The initiative is led by Common Good Cyber, a coalition of seven nonprofit groups, including the Global Cyber Alliance and the CyberPeace Institute. These organizations emphasize the importance of protecting journalists, human rights groups, and other vulnerable communities from cyber-enabled threats. Application and funding details will be announced soon, marking a significant step in securing the broader digital ecosystem. Coming up after the break, Tim Starks from CyberScoop joins us to discuss calls for a federal cyber insurance backstop. And a Moscow court says 'nyet' to more jail time for cyber crooks.
Starting point is 00:11:52 Stick around. And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how
Starting point is 00:12:31 ThreatLocker can help you lock down your environment at www.threatlocker.com. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
Starting point is 00:13:17 It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious
It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop.
Starting point is 00:14:11 Tim, welcome back. Howdy, Dave. I'm doing well, thanks. A couple of your recent articles that I want to touch on here today while we're together. The first one you recently published, this is about the SEC withdrawing some cyber rules for investment companies. Can you unpack this one for us? Yeah, so the SEC has been a little bit of a hub of controversial regulatory activity on the cybersecurity front. This is not the most controversial thing they've done, but it is something that the industry did not love.
Starting point is 00:14:43 Essentially, investment advisors, investment companies that are in that advice business, they were required to notify of major incidents within a certain time to the SEC to publicly disclose them after a certain period of time and also to develop some written rules for their security procedures and their risks. So this was in a slate of things that the SEC revoked on one day. They got rid of a lot of regulations that were from the Biden administration. This was one of them. Well, and I suppose not terribly surprising given President Trump's desire to roll back regulations and
Starting point is 00:15:26 I suppose indeed anything from his predecessor to boot. Yeah. No, yeah. It's got both strikes against it for Trump, right? I think certainly industry demand mattered. I think the fact that these rules had not yet gone into place yet was something that made it easy to do this. These rules have actually been promulgating since 2022.
Starting point is 00:15:50 2022, that's the word to use for it. We've actually been around for a while and I think there have been some people who have subsequently the article that I wrote, been kind of speculating that, look, maybe the SEC itself wasn't even sure about these rules because they had chances to enact it. And if you're the Biden administration or someone who is an SEC commissioner who is aligned with Democrats, you might think we better get this out before the next election. That way we can make sure that it's harder to roll back.
Starting point is 00:16:21 In this case, they did not do that. So there might've been some internal doubt about whether these were wise or whether they were wisely constructed. Yeah, that's interesting. So the other of your articles I want to talk about here, this one is about federal cyber insurance being a backstop. And some folks are saying it should be tied to an expiring terrorism insurance law. What's going on here, Tim? Yeah, so the Foundation for Defense of Democracies published a proposal on this, essentially, from Nick Leiserson. If your listeners don't know who that is, he's a longtime Hill aide working on cyber. He was at the Office of the National Cyber Director. He put together a very comprehensive policy proposal for the idea of having a federal backstop for cyber insurance service good insurance. The idea
Starting point is 00:17:08 is to, first off, there's a lot there's a lot of pieces, it's a 26-page memo. But one of the key things is he says we need to maybe act on this soon if we're going to have a chance to do it at all. And the thing to do is to attach it to the Terrorism Risk Insurance Act, which is expiring in 2027. But because of the way insurance contracts are written, they probably will, Congress will probably act on it if they do it at all by the end of 2026.
Starting point is 00:17:32 So this is an opportunity. It's a fairly, it's not entirely identical to how terrorism risk insurance works, but it's similar in the sort of reinsurance mechanism that it has. I have feelings about this Tim. Yeah. Let me share why.
Starting point is 00:17:47 What do you mean? Well, for years now, our listeners will know for years now I have asked experts the question when it comes to cyber insurance, will cyber insurance go the way of flood insurance? Right? Which is that, flood insurance is so risky that it doesn't, it makes no sense for private organizations to offer it.
Starting point is 00:18:10 So you can only get flood insurance from the federal government. It is not terribly good insurance. It is expensive, but it's all that there is. And I have wondered for years if cyber was going to go that way because of the potential for these huge liabilities. I read your article here and I wonder is that what we're seeing play out here? Is a federal backstop for cyber analogous to the type of thing we saw with flood insurance where for private organizations, this kind of insurance is kind of a
Starting point is 00:18:43 sucker bet. Yeah, it's an interesting question. I think, you know, we've had a little more time to deal with floods in this world than we have with cyber. So I think the cyber insurance market is interesting in the sense that it was growing rather rapidly. It is not growing that rapidly right now compared to the past. And there have been a lot of exclusions written into policies. The big one, of course, is that a foreign government sort of act of war kind of attack and some of these attacks would fall under that aren't covered by most of these policies or any of them that I know of actually.
Starting point is 00:19:20 So the market is maybe stagnant is the right word to use for it. The idea that Nick had for this is that the federal backstop would make it less stagnant. There's a sort of a rolling mechanism of how this works that if there is a federal backstop that reduces what's called tail risks, the sort of like events that you can anticipate, that will lead to some competition in the insurance industry, that will lead to lower premiums and that will lead to more things being covered than normal because people can offer more products because they're less worried about the risk.
Starting point is 00:19:50 So, you know, insurance is such a fascinating concept about the way it supposedly redistributes risk. The idea is that this would help with that, even if the backstop is never invoked. That's the idea. Whether it works that way or not, I cannot answer yet. Well, and these are pie in the sky ideas, right? I mean, this is, yeah, yeah. One thing that caught my eye here was the recommendation
Starting point is 00:20:14 to have a cap on total liability. That's significant. It is, yeah. I mean, there's also, you know, the idea that one of the things that I always found fascinating about this was, and I kind of just talked about it a little bit, when I was talking to Nick, I was like, you only want it to cover things that are already covered.
Starting point is 00:20:31 If exclusions are a problem, doesn't that hurt? And it goes back to that point of like, well, if risk is reduced, then insurance becomes cheaper, they offer more products. So at this point, it's pretty theoretical about how this would work. I mean, one of the other things that's fascinating about this is that we just don't have the data like we do about what kinds of things stop cyber attacks. And it's, you know, it's one of those like, oh, if you have multifactor authentication, do you know that you stopped an attack?
Starting point is 00:20:58 Can you make that directive a link in the way that you can with other kinds of things in the insurance world where you know that X will lead to better protection for Y. So one of the things this proposal helps to do is to come up with a way to have third parties or even the government accept anonymized data. The idea being, okay, nobody wants to share this stuff publicly. Will they share it with their insurer if it's required as part of participation of their box up? That's another kind of like, you know, it's in that pie in the sky world, right?
Starting point is 00:21:27 Would that work? It's just hard to really tell what the way cyber works because we just don't, in order to have the data, we need to pass something like this maybe. Right. Know whether that will ever, ever can be something that we can do. It also makes me wonder, you know, living in a world where the adversaries do their homework and often know how much cyber insurance an organization has to inform their ask for a ransomware demand. You know, what happens if everybody has X number of dollars in federal backup? How does that change the marketplace?
Starting point is 00:22:01 Yeah, there's always been that ongoing question of, you know, is in a roundabout way, cyber insurance responsible for or has it contributed to the rise in ransomware attacks? Because if you know that the company will pay because it has insurance, why not attack them? These mysteries are confounding, Dave. They're confounding. Well, it's a good thing we have folks like you to help us understand them. So you said 2027 is when this terrorism legislation is up for renewal so that perhaps this could
Starting point is 00:22:35 be attached on that sort of a timeline? Yeah. And I think, you know, it's hard to, with the way Congress works these days, it's hard to imagine anything like this getting standalone attention. So that's part of the reason why the idea of attaching it to something else is out there. Since for Nick is that 2025 is the year to start doing this, to start having hearings on it, to start writing legislation. The foundation for the FDD is going to produce draft legislation in the style of the Cyberspace Solarium Commission.
Starting point is 00:23:05 You'll recall they did that and that helps get things through. So the idea is if you can present something to lawmakers like here's something tangible, we've done some of the work for you. That would be a way to get this kickstarted because we also know that 2026 is an election year. So that makes it harder to get stuff done too. Yeah, absolutely. All right.
Starting point is 00:23:24 Well, Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for taking the time for us. Thank you, Dave. Today's cyber attacks move fast. Your team needs to move faster. That's why Cloud Range is redefining cyber readiness with real-world AI-driven cyber range simulations. Join CEO Debbie Gordon as she shares how organizations are replacing outdated tabletop exercises with live-fire training that builds confidence and sharpens response in real time. It's not just training, it's transformation.
Starting point is 00:24:12 Listen now and make sure your team is prepared for the threats ahead. And finally, in a move that might make Kafka do a double-take, a Russian court handed four REvil gang members five-year sentences for trafficking stolen credit card data, then promptly let them walk free. The reason? They had already served their time in pretrial limbo. The convicted cyber crooks avoided additional jail time, but did part ways with a pair of luxury cars and nearly $1.2 million in seized assets. Their crimes weren't tied to REvil's infamous ransomware rampage, but rather old-school
Starting point is 00:25:04 carding fraud, mostly targeting Americans. The arrests came in 2022, shortly after a Biden-Putin chat where the US President gently suggested Russia do something about its thriving hacker scene. The crackdown didn't last long, soon overshadowed by tanks rolling into Ukraine, and whispers that Russia might be outsourcing cyber ops to the very crooks it briefly jailed. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We are conducting our annual audience survey to learn more about our listeners.
Starting point is 00:26:01 We're collecting your insights through August 31st of this year. There's a link in the show notes, please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner.
Starting point is 00:26:23 Thanks for listening. We'll see you back here tomorrow. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com slash purple-knight. That's semperis.com slash purple-knight.
