CyberWire Daily - Ransom demands and medical data for sale.
Episode Date: March 31, 2025

A cyberattack targeting Oracle Health compromises patient data. The DOJ nabs over $8 million tied to romance scams. Trend Micro examines a China-linked APT group conducting cyber-espionage. A new Android banking trojan called Crocodilus has emerged. North Korea's Lazarus Group targets job seekers in the crypto industry. CISA IDs a new malware variant targeting Ivanti Connect Secure appliances. Maria Varmazis, host of N2K's T-Minus Space Daily show, chats with Jake Braun, former White House Principal Deputy National Cyber Director and chairman of DEF CON Franklin. They discuss designating space as critical infrastructure. Nulling out your pizza payment.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Maria Varmazis, host of N2K's T-Minus Space Daily show, sits down with Jake Braun, former White House Principal Deputy National Cyber Director and chairman of DEF CON Franklin, and they discuss designating space as critical infrastructure and share an overview of its attack surface.

Selected Reading
Oracle Health breach compromises patient data at US hospitals (Bleeping Computer)
Oracle Warns Health Customers of Patient Data Breach (Bloomberg)
Critical Condition: Legacy Medical Devices Remain Easy Targets for Ransomware (SecurityWeek)
U.S. seized $8.2 million in crypto linked to 'Romance Baiting' scams (Bleeping Computer)
DOJ Seizes USD 8.2M Tied to Pig Butchering Scheme (TRM Labs)
Earth Alux Hackers Employ VARGIET Malware to Attack Organizations (Cyber Security News)
'Crocodilus' Android Banking Trojan Allows Device Takeover, Data Theft (SecurityWeek)
ClickFake Interview – Lazarus Hackers Exploit Windows and macOS Users Fake Job Campaign (Cyber Security News)
CISA Analyzes Malware Used in Ivanti Zero-Day Attacks (SecurityWeek)
How A Null Character Was Used to Bypass Payments (System Weakness on Medium)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity,
or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas
drive change. With career growth opportunities and a focus on work-life balance, you'll have
the flexibility to thrive both professionally and personally. Explore open cybersecurity
and technology roles today at Vanguardjobs.com.
A cyber attack targeting Oracle Health compromises patient data.
The DOJ nabs over $8 million tied to romance scams.
Trend Micro examines a China-linked APT group conducting cyber espionage.
A new Android banking Trojan called Crocodilus has emerged.
North Korea's Lazarus Group targets job seekers in the crypto industry.
CISA IDs a new malware variant targeting Ivanti Connect Secure appliances.
Maria Varmazis, host of N2K's T-Minus Space Daily show, chats with Jake Braun, former White House Principal Deputy National Cyber Director and Chairman of DEF CON Franklin.
They discuss designating space as critical infrastructure, and nulling out your pizza payment.
It's Monday, March 31, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
Happy Monday.
It is great to have you with us.
A cyber attack targeting Oracle Health, formerly Cerner, compromised patient data from legacy
servers not yet migrated to Oracle Cloud.
The breach, discovered on February 20, affected multiple US hospitals and healthcare providers.
A threat actor reportedly used stolen credentials to access and exfiltrate patient records from
these outdated systems.
Oracle Health privately informed affected customers but has not publicly acknowledged
the breach.
The attacker, using the alias Andrew, is demanding millions in cryptocurrency and has launched
public websites to pressure victims.
Oracle's response has drawn criticism for its lack of transparency and formal documentation.
Although Oracle is offering support tools, it's leaving HIPAA notifications to hospitals.
Healthcare remains a top target for ransomware due to its large under-secured attack surface and critical need for operational continuity.
Patching medical devices is slow, often delayed over a year due to FDA regulations and outdated systems.
Claroty's Team82 analyzed over 2.25 million IoMT and 647,000 OT devices across 351 healthcare organizations.
They found that 99% are vulnerable to known exploits and 20% of hospital systems with these vulnerabilities are also insecurely connected to the Internet.
Using a triage method based on exploit presence, ransomware links, and insecure connectivity, researchers identified the most at-risk devices.
For OT, only 0.3% of devices met all three risk criteria.
For IoMT, about 1%.
Claroty has published a five-step process to identify and remediate these threats.
The U.S. Department of Justice has seized over $8.2 million in USDT
tied to romance baiting scams, also known as pig butchering.
In these scams, victims are manipulated into investing on fake platforms
that appear to offer high returns.
Once large sums are invested, victims are blocked from withdrawing funds and ultimately
discover the platforms are fraudulent.
The FBI traced laundering patterns linked to these scams, enabling civil forfeiture under wire fraud and money laundering laws.
Tether froze and reissued the stolen funds to law enforcement-controlled wallets.
The seizure could help compensate victims, including 38 individuals with losses over
$5.2 million.
The scam operation is believed connected to human trafficking rings in Southeast Asia.
Authorities stress vigilance when approached with guaranteed return investments.
Researchers at Trend Micro take a closer look at Earth Alux, a China-linked APT group which has been conducting cyberespionage operations since mid-2023.
Initially targeting the Asia-Pacific region before expanding into Latin America, the group focuses on government, tech, telecom, and retail sectors, exploiting exposed servers to implant web shells like Godzilla.
Their primary backdoor, VARGIET, allows persistent access, data theft, and stealthy operations using multiple communication channels, including Microsoft Outlook via Graph API.
A unique technique involves injecting malicious code into mspaint.exe processes, enabling fileless attacks.
This method uses Windows APIs to avoid detection while performing reconnaissance and exfiltrating data to attacker-controlled cloud storage.
Earth Alux's use of sophisticated stealthy malware and long-term infiltration tactics highlights the growing cyber threat to critical industries in targeted regions.
A new Android banking trojan called Crocodilus has emerged with advanced capabilities for remote device takeover, keylogging, and stealing credentials, according to ThreatFabric.
Targeting users in Spain and Turkey, it bypasses Android 13+ security using a custom dropper and gains full control through accessibility services.
Once permissions are granted, Crocodilus connects to its command and control server, runs silently in the background, and uses overlays to steal login data.
It also logs accessibility events to capture text inputs and even reads one-time passwords from Google Authenticator.
The malware can mute sound, display black screens to hide activity, and deploy social engineering tricks like fake wallet backup prompts to steal crypto keys.
Though linked to the actor Sybra, evidence suggests a new, likely Turkish-speaking developer is behind it.
North Korea's Lazarus Group is back with a new cyber campaign, ClickFake Interview, targeting job seekers in the crypto industry.
Using fake interview websites built with React.js, attackers trick victims into downloading malware during staged recruitment processes.
These sites deploy GolangGhost, a cross-platform backdoor that enables remote control, data theft, and credential exfiltration on Windows and macOS.
The campaign expands on the earlier Contagious Interview tactic and now focuses on centralized finance platforms like Coinbase and Bybit.
It also targets non-technical roles, exploiting their lower cybersecurity awareness.
Malware like FrostyFerret and scripts in VBS or Bash help establish persistence and avoid detection.
This campaign highlights Lazarus's continued evolution and its strategic pivot to support North Korea's financial and military goals through crypto heists.
CISA has identified a new malware variant named Resurge targeting Ivanti Connect Secure appliances via an already patched vulnerability.
This flaw, exploited since December and flagged in January, allowed threat actors to gain access to critical infrastructure.
Upon analyzing compromised systems, CISA discovered Resurge alongside another variant, SPAWNSLOTH, an open-source shell script bundled with BusyBox tools.
Resurge shares traits with SPAWNCHIMERA, such as reboot persistence, but adds new functions like web shell deployment, file manipulation, and integrity check tampering.
It can also embed itself into Ivanti's boot disk and manipulate the core boot image.
CISA advises full factory resets, along with widespread credential and password resets, to mitigate the threat.
Coming up after the break, Maria Varmazis sits down with Jake Braun, former White House Principal Deputy National Cyber Director.
They discuss designating space as critical infrastructure and nulling out your pizza payment. Stay with us.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers. I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when
you go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K at checkout.
Are you frustrated with cyber risk scores,
backed by mysterious data,
zero context and cloudy reasoning?
Typical cyber ratings are ineffective
and the true risk story is begging to be told.
It's time to cut the BS.
Black kite believes in seeing the full picture with more than a score, one where companies
have complete clarity in their third party cyber risk using reliable quantitative data.
Make better decisions.
Reduce your uncertainty.
Trust BlackKite.
Jake Braun is former White House Principal Deputy National Cyber Director and Chairman of DEF CON Franklin.
He recently sat down with my N2K colleague, Maria Varmazis, host of N2K's T-Minus Space Daily podcast, to discuss designating space as critical infrastructure.
My name is Jake Braun.
I am currently the executive director of the Cyber Policy Initiative at
the University of Chicago, but maybe more relevant for this conversation. I was most
recently as of about six months ago, eight months ago, the acting principal deputy national
cyber director in the White House, which essentially means I was the COO of this new cyber office
they set up in the White House that was actually created in the Trump administration, but it
was so new they hadn't hired any people into the office until Biden.
And the first employee I think was hired in 21, and by the time I left, we were up to
about 100 people. So running a startup is interesting.
Running a startup in government is particularly unique.
And then running a startup in the White House
is something that I have a lot of scars from,
but I would have never given up for the world.
Wow. Yeah, so I want to hear more about that.
Not the scars. It's up to you, obviously.
But the work that you were doing in the White House,
please tell me a bit more about the efforts that you were working on.
Sure. So Congress created this office essentially because
while there's a bunch of offices around the federal government that do cyber,
there wasn't one that was at a level,
meaning White House level,
that could kind of compel other agencies
to implement government-wide policies
and programs in cyber.
And so this group in Congress,
the Cyberspace Solarium Commission created this.
And our first task that was assigned to us by the president was to write or really update
the national cyber strategy, which the first one was written in Bush, the second term of
W Bush.
And then it's been updated.
We did the fourth iteration of it.
So our office rewrote or updated the national cyber strategy.
And then I was brought in to oversee implementation
across the federal government of that strategy.
And space was a key component of it,
as well as a whole host of other things,
including AI and mundane things like workforce
and sexy things like cyber crime and cartels and stuff
like that.
But it ran the gamut.
Yeah, and given what I often focus on, I'm clearly biased.
I really want to hear more about the space side of things.
Because as I mentioned before we started recording, I have a number of conversations with people
in various parts of the space industry
where we talk about space as critical infrastructure,
what that means and what that would affect.
And I don't think this is a very well understood thing.
So I'd love to hear a bit more about your thoughts on that
and sort of why the effort to get space designated
as critical infrastructure is so important?
Sure. So, actually our role in that conversation, the role of my office in the White House, the Office of the National Cyber Director,
was actually not kind of a foregone conclusion. Initially, the Space Council and the National Security Council were going to work to decide how things should unfold
as it relates to space as critical infrastructure and kind of key recommendations on security
of space infrastructure and so on.
However, we kind of rose our hand as kind of the new kid on the block and said, hey,
you know, cyber is kind of a key component of all this.
We should really be at the table.
And after some hemming and hawing
and typical government turf battles and everything else,
folks agreed that not having the cyber office involved
in this conversation was a big missed opportunity.
And so over time, you know, we made a strong push,
as did others, to designate space as critical
infrastructure officially.
I know that there's been some disagreement on that designation, but I think in practice,
people have largely come to agree that space is critical infrastructure, regardless of
its formal designation by the
government as such.
That's a really good point.
I think you're right that I think unofficially a lot of people are thinking of it that way.
Would there be a really super big material difference if it was more officially designated?
I mean, I know there is, but how big a difference would that really make at this point?
Well, part of the reason I think the space industry
was somewhat less excited about it
was that it can, doesn't always,
but can come with increased regulations
and scrutiny from government,
which of course industry generally doesn't like
for obvious reasons.
That being said, also more resources often come with it.
So there's, the government will often
fund the way it does with other industries.
Information sharing groups to share threat intelligence.
They'll often fund CISA and other entities, folks that will go out and do free cybersecurity assessments.
CISA does this and a whole host of entities like state and local governments in the energy sector and water and so on, other parts of critical infrastructure.
And so those types of resources would be available.
Generally, we try not to subsidize major corporations who have the financial wherewithal to do it themselves.
Like, you know, CISA is not out there doing free cyber assessments for JP Morgan or Bank of America, which are also critical infrastructure, designated formally as such.
But, you know, you could certainly envision that being applicable to many of the smaller companies in space.
Absolutely.
Yeah, I think some of the tenor of the conversations I've had also have been, we're fine.
We're good.
We've got this.
But my question is often the follow-up, do you actually have it?
Are you actually fine?
Is the nature of the threat really fully understood?
I'm not an expert here.
I don't know. I often wonder though, do people quite understand
what threats look like in the realm of space?
Is it even all that special and all that different
from the threats that we see terrestrially?
I'm just so curious your thoughts on sort of the nature
of what's going on in the space domain.
So first off, just to answer your question, absolutely not.
They don't got it.
And that's not their fault.
No one does.
I mean, if you've got a nation state actor after you, just remember Stuxnet.
Stuxnet was US and Israeli attacks on the Iranian nuclear program. The Iranians put their centrifuges in concrete vaults in the
desert, buried underground, zero connection to the internet or anything
else. And we were still able to hack into those centrifuges and shut them down and
make them break in a whole bunch of creative ways and so on and so forth. And
so if somebody can get into your infrastructure that's not connected to the internet, that's
buried underground in the desert in a concrete vault, then they absolutely, a nation state
of similar capability like China or Russia or Iran or whoever, could get into your satellite,
which by definition is connected
to networks all over the planet.
And by the way, in fact, I'll give you an example.
So in my current capacity at the University of Chicago, we've partnered with DEF CON,
the largest and longest running hacker conference in the world, to put out an annual report
on the top findings at DEF CON.
One of those findings this year was around space.
And since this is a little bit more technical than I am,
I'm just going to kind of read it off to you.
So a group of hackers figured out that they could reverse engineer efforts to exploit VSAT satellite modems from Earth.
And they focused on the Newtec MDM2200 from iDirect.
So as far as they could tell, this was the first successful demonstration of a signal injection attack on a VSAT modem using software-defined radios from Earth.
I mean, they're spending hundreds or single-digit thousands of dollars just messing around.
Now, granted, these are brilliant people,
so they're messing around.
It's a lot more advanced than most people's messing around.
But nonetheless, if they can do it on a shoestring budget,
imagine what China, Russia, Iran, or some other bad actor
could do when they have millions or billions of dollars
to throw at it.
And considering that,
China itself has said that we're gonna be a war over Taiwan
in 2027, which hopefully none of us,
hopefully that doesn't happen,
and hopefully that's all bluster and everything.
But as we know from the Ukraine war,
the first shot across the bow was against satellites.
And we would presume the first shot fired
in a war with China would be in space at our satellite infrastructure.
If I'm a space company, large or small, I'm sure if I'm a large company, I have a good,
I would hope a good understanding of some of the things that I would need to do. But
I mean, no company can deal with this alone.
I mean, nobody can deal with it in a vacuum.
Collaboration is key. Threat information sharing is key.
What needs to be done?
I mean, I know there are some efforts underway.
I'm thinking of the Space ISAC is one of them in terms of sharing threat intel
in the space industry and the space domain.
If there's something going on, if there's a threat that's,
if something is underway, how do people in the space domain share that information
with each other in a meaningful way?
Right.
So, first off, you know, your initial point is the exact right one.
Join the Space ISAC.
If you're, even if you're a small company, I forget exactly what their fee structure
is like, but usually the little guys and gals get a joint for free or very reduced rate, and it's worth it.
Secondly, particularly if you're a startup and you don't have a CISO, hire a CISO.
And look, that's important not just for your security, but it's also important for your
valuations and so on.
I mean, a lot of these folks in China and elsewhere will look at what companies
most recently got major investments from private equity firms or venture capital firms or whoever
else and then those will be the ones they target. In fact, we found several years ago
at Homeland Security or Homeland Security found several years ago that attacks from
China on IP were directly correlated to press releases of $20 million of investment or more.
And so, yeah, like we could see that within weeks or whatever after press release saying they got $20 million in investment,
they were getting hacked and their IP was getting, you know, pulled out the back door.
So it's not just that you should do this for the good of the security of our space infrastructure,
it's also for the good of the security of your company's IP.
So number one, join the space ISAC.
Number two, if you don't have a CISO, hire a CISO.
And then number three, if you have a CISO, they're going to know most of the things that
you need to, the basics that you need to do. A huge challenge in cyber that often prohibits folks
from hiring cyber staff is how expensive they are.
And if you want somebody with a master's or even a bachelor's
in computer science or with a focus on cyber,
they're incredibly expensive.
However, if you've already got a CISO, you probably
don't need people at that level. And one of the things we really pushed for in the national cyber
strategy was for companies to think about how they could bring on folks and do that are maybe not
super duper cyber experts with a PhD in cyber or whatever, but somebody who they can do on the job
training. There's a lot of certifications,
online classes and so on,
where you could plus up your cyber workforce,
meaning you could do more cybersecurity
if you were to bring on people
who maybe have less qualifications
from a degree perspective,
but could quickly gain the hands-on knowledge
they would need from working with your CISO, taking some
online classes, getting a certification here or there, or, by the way, attending DEF CON,
who we partner with on the Hacker's Almanac.
I encourage everybody to Google and read because it's a fun read.
Well, Jake, I've learned a ton from you, and I really appreciate you taking the time.
So thank you for joining me today.
And of course, be sure to check out the T minus space daily podcast, wherever you
get your favorite podcasts.
Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real
risk.
Why?
Traditional tools use generic prioritization and lack the ability to filter
real threats from noise. High impact threats slip through and surface in production, costing
ten times more to fix.
OxSecurity helps you focus on the 5% of issues that truly matter before they reach the cloud.
Find out what risks deserve your attention in 2025.
Download the Application Security Benchmark from OxSecurity.

And finally, our five-finger discount desk tells us about Diogo Govea, a Portuguese software developer and cyber sleuth who uncovered a sneaky flaw in a local food delivery app.
The bug? A sneaky little null character in the payment mode parameter.
Turns out this unassuming character can tell the system to ignore everything that comes after it, like your actual bank balance.
Diogo found that by slipping a null character into a payment request, he could order food without having the system actually check to see if you had any available cash.
The system just nodded and said, yeah, that sounds legit.
The loophole let users sidestep payment checks, potentially costing businesses big.
Diogo's step-by-step exploit shows just how easy it was to game the system using tools like Burp Suite.
His advice? Sanitize inputs, validate parameters, enforce strict data types, and maybe don't trust strings at face value, especially when food is involved.
Because no one should be able to order pizza with Monopoly money.

And that's the CyberWire.
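Input handling of the kind that advice calls for (sanitize inputs, validate parameters, enforce strict data types), as an added example that is not part of the podcast or of the original write-up. The allowlist, the request shape and every helper name are constructed; the point it shows is that a loose prefix-style check lets a value carrying a NUL byte through, while an exact allowlist match that rejects control characters stops it at the edge instead of leaving a later component to truncate the string on its own.

```python
"""Strict validation for a payment-mode parameter.

Added example, not code from the podcast or from the original write-up. The
request format, the allowlist and the helper names are all constructed.
"""
import re
import unicodedata
from decimal import Decimal, InvalidOperation

ALLOWED_PAYMENT_MODES = frozenset({"card", "wallet", "cash_on_delivery"})

# Only plain lower-case identifiers are ever legitimate here: no NUL byte, no
# other control characters, no whitespace, nothing outside ASCII.
_MODE_PATTERN = re.compile(r"\A[a-z_]{1,32}\Z")


class InvalidRequest(ValueError):
    """Raised for any request field that does not match the expected shape."""


def lenient_is_allowed(mode: str) -> bool:
    """A loose check of the kind that lets junk through: it only asks whether
    the value *begins* with an allowed mode, so "wallet\\x00..." passes.
    Shown for contrast only; do not use."""
    return any(mode.startswith(allowed) for allowed in ALLOWED_PAYMENT_MODES)


def validate_payment_mode(raw) -> str:
    """Return the canonical mode or raise InvalidRequest.

    The allowlist comparison is an exact match on the whole string, so anything
    appended after a NUL byte (or any other control character) is rejected
    outright rather than silently ignored by some later component.
    """
    if not isinstance(raw, str):
        raise InvalidRequest("payment_mode must be a string")
    if "\x00" in raw:
        raise InvalidRequest("payment_mode contains a NUL byte")
    if any(unicodedata.category(ch).startswith("C") for ch in raw):
        raise InvalidRequest("payment_mode contains a control character")
    if not _MODE_PATTERN.match(raw):
        raise InvalidRequest("payment_mode has an unexpected shape")
    if raw not in ALLOWED_PAYMENT_MODES:
        raise InvalidRequest("payment_mode is not an allowed value")
    return raw


def validate_amount(raw) -> Decimal:
    """Parse the order total as an exact decimal, rejecting anything that is
    not a plain non-negative number with at most two decimal places."""
    if not isinstance(raw, str) or not re.fullmatch(r"\d{1,7}(\.\d{1,2})?", raw):
        raise InvalidRequest("amount has an unexpected shape")
    try:
        return Decimal(raw)
    except InvalidOperation as exc:
        raise InvalidRequest("amount is not a number") from exc


def parse_checkout(params: dict) -> dict:
    """Validate a checkout request and return only the fields we understood.
    Unknown keys are dropped rather than passed through to payment code."""
    return {
        "payment_mode": validate_payment_mode(params.get("payment_mode")),
        "amount": validate_amount(params.get("amount")),
    }


def is_accepted(params: dict) -> bool:
    """True if the whole request passes strict validation."""
    try:
        parse_checkout(params)
        return True
    except InvalidRequest:
        return False


# Constructed sample requests: one clean, one carrying a NUL byte.
GOOD_REQUEST = {"payment_mode": "wallet", "amount": "18.50"}
BAD_REQUEST = {"payment_mode": "wallet\x00ignored", "amount": "18.50"}

if __name__ == "__main__":
    print("lenient check accepts tampered value:", lenient_is_allowed(BAD_REQUEST["payment_mode"]))
    print("strict check accepts tampered value:", is_accepted(BAD_REQUEST))
    print("strict check accepts clean value:", is_accepted(GOOD_REQUEST))
```

The design choice worth noting is that the validator never tries to "clean" the value by stripping the NUL byte and continuing; a request whose payment mode needs repairing is a request that should fail, and failing closed at the boundary means no downstream parser, database driver or native library gets a chance to interpret the string differently from the check that admitted it.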
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit threatlocker.com today to see how a default deny approach
can keep your company safe and compliant.