CyberWire Daily - Remote hijacking at your fingertips.
Episode Date: March 19, 2025
A critical vulnerability could let attackers hijack and potentially disable vulnerable servers. Europol warns of a “shadow alliance” between state-backed threat actors and cybercriminals. Sekoia examines ClearFake. A critical PHP vulnerability is under active exploitation. A sophisticated scareware phishing campaign has shifted its focus to macOS users. Phishing as a service attacks are on the rise. A new jailbreak technique bypasses security controls in popular LLMs. Microsoft has uncovered StilachiRAT. CISA confirms active exploitation of a critical Fortinet vulnerability. On our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the ISACA® Certified Information Security Manager® (CISM®) exam. AI coding assistants get all judgy.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CertByte Segment
Welcome to CertByte! On this bi-weekly segment hosted by Chris Hare, a content developer and project management specialist at N2K, we share practice questions from N2K’s suite of industry-leading certification resources. This week, Chris is joined by Troy McMillan to break down a question targeting the ISACA® Certified Information Security Manager® (CISM®) exam. Today’s question comes from N2K’s ISACA® Certified Information Security Manager® (CISM®) Practice Test. The CISM exam helps to affirm your ability to assess risks, implement effective governance, proactively respond to incidents and is the preferred credential for IT managers, according to ISACA. To learn more about this and other related topics under this objective, please refer to the following resource: CISM Review Manual, 15th Edition, 1.0, Information Security Governance, Introduction. Have a question that you’d like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K’s full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify. Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers. Additional source: https://www.isaca.org/credentialing/cism#1
Selected Reading
- Critical AMI MegaRAC bug can let attackers hijack, brick servers (BleepingComputer)
- Europol Warns of “Shadow Alliance” Between States and Criminals (Infosecurity Magazine)
- ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery (Sekoia.io Blog)
- PHP RCE Vulnerability Actively Exploited in Wild to Attack Windows-based Systems (Cyber Security News)
- Scareware Combined With Phishing in Attacks Targeting macOS Users (SecurityWeek)
- Sneaky 2FA Joins Tycoon 2FA and EvilProxy in 2025 Phishing Surge (Infosecurity Magazine)
- New Jailbreak Technique Bypasses DeepSeek, Copilot, and ChatGPT to Generate Chrome Malware (GBHackers)
- Microsoft Warns of New StilachiRAT Malware (SecurityWeek)
- Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns (Infosecurity Magazine)
- AI coding assistant Cursor reportedly tells a 'vibe coder' to write his own damn code (TechCrunch)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a brief message from our sponsor, DropZone AI.
Is your SOC drowning in alerts, with legitimate threats sitting in queues for hours or even days?
The latest SANS SOC Survey Report reveals alert fatigue and limited automation are SOC teams' greatest barriers.
DropZone AI, recognized by Gartner as a Cool Vendor, directly addresses these challenges through autonomous recursive reasoning investigations, quickly eliminating false positives, enriching context and enabling analysts to prioritize real incidents faster.
Take control of your alerts and investigations with DropZone AI.
A critical vulnerability could let attackers hijack and potentially disable vulnerable servers.
Europol warns of a shadow alliance between state-backed threat actors and cybercriminals.
Sekoia examines ClearFake.
A critical PHP vulnerability is under active exploitation.
A sophisticated scareware phishing campaign has shifted its focus to Mac OS users.
Phishing as a service attacks are on the rise.
A new jailbreak technique bypasses security controls in popular LLMs.
Microsoft has uncovered StilachiRAT.
CISA confirms active exploitation of a critical Fortinet vulnerability.
On our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the ISACA Certified Information Security Manager exam.
And AI coding assistants get all judgy.
It's Wednesday, March 19, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
A critical vulnerability in American Megatrends International's MegaRAC Baseboard Management Controller, that's AMI's BMC software, could let attackers hijack and potentially disable vulnerable servers.
MegaRAC BMC, used by major server vendors like HPE, ASUS, and ASRock, enables remote system management.
The flaw allows remote attackers to take full control of affected servers, deploy malware, corrupt firmware, or even cause physical damage.
Security firm Eclypsium discovered the flaw while analyzing patches for a previous vulnerability.
Over 1,000 exposed servers were found online, and more devices may be affected.
While no exploits have been detected in the wild, researchers warn that creating one is easy.
Admins are urged to apply patches released on March 11
and monitor for suspicious activity,
as patching is complex and requires downtime.
The latest report from Europol warns
of a growing shadow alliance
between state-backed threat actors and cybercriminals,
with AI amplifying their impact.
The EU Serious and Organized Crime Threat Assessment 2025 highlights how groups, especially
from Russia, use cybercrime to destabilize Europe while maintaining deniability.
These hybrid threats involve ransomware, data theft, and AI-driven disinformation campaigns.
AI is making attacks more scalable and harder to detect,
enabling deepfake-powered social engineering, automated fraud,
and AI-driven cyberattacks.
Europol warns that future AI advancements could
lead to fully autonomous criminal networks.
Experts stress the need for defensive AI tools
to counteract these evolving threats.
Criminals don't need perfect AI to succeed, just good enough to bypass security and deceive users.
Europol urges governments and businesses to stay ahead in this digital arms race.
An interesting blog post from Sekoia examines ClearFake, a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads.
A recent variant has expanded its reach by exploiting Web3 technologies, targeting users
involved in cryptocurrency, decentralized finance, and NFTs.
This campaign employs fake Google Meet pages that prompt users
to fix non-existent technical issues, leading them to execute malicious code.
Windows users are tricked into running scripts that download infostealers like StealC and Rhadamanthys, while macOS users receive the AMOS stealer.
The operation is linked to the cybercriminal groups Slavic Nation Empire and ScamQuerteo, both active in the Russian-speaking cybercrime ecosystem.
These groups use sophisticated social engineering tactics and share infrastructure to maximize their reach.
A critical PHP vulnerability is being actively exploited to compromise Windows-based systems,
according to Bitdefender Labs.
The flaw, which affects PHP installations running in CGI mode, allows attackers to execute arbitrary
code by manipulating character encoding conversions.
Since June of last year, attackers have used it to deploy cryptocurrency miners like XMRig and remote access tools such as Quasar RAT.
Most attacks target systems in Taiwan, Hong Kong, and Brazil, with some in Japan and India.
Attackers use living-off-the-land techniques to evade detection, sometimes even modifying
firewall rules to block competitors in a crypto-jacking rivalry.
The PHP team has released patches urging immediate updates.
Organizations should switch to more secure architectures, restrict PowerShell access,
and enhance monitoring.
With ransomware groups eyeing this vulnerability, proactive threat detection is essential to
prevent severe attacks.
A sophisticated scareware phishing campaign has shifted its focus from Windows to macOS users, according to Israeli cybersecurity firm LayerX.
Previously, the attackers tricked Windows users into believing their systems were locked
due to a security breach.
Victims were lured into entering their credentials on phishing pages hosted on Microsoft's Windows.net
platform, allowing attackers to bypass security checks.
However, new anti-scareware features in Chrome, Firefox, and Edge led to a 90% drop in Windows
targeted attacks. Within two weeks, the attackers adapted, modifying their tactics to target macOS users, particularly
those using Safari.
The phishing pages remained nearly identical but were adjusted to appear legitimate for
Apple users.
By exploiting domain typos and compromised sites, the attackers redirected victims to fake login pages.
LayerX warns that this evolving campaign is a significant threat to enterprises, as compromised corporate accounts could lead to widespread data exposure.
Barracuda has detected over a million phishing-as-a-service attacks in 2025, with platforms like Tycoon 2FA, EvilProxy, and the newly emerging Sneaky 2FA leading the surge.
Tycoon 2FA dominates, accounting for 89% of attacks, while EvilProxy holds 8% and Sneaky 2FA just 3%.
Sneaky 2FA, operated by the cybercrime group Sneaky Log, bypasses two-factor authentication and uses Telegram bots for adversary-in-the-middle attacks, primarily targeting Microsoft 365 users.
Attackers leverage Microsoft's AutoGrab function to pre-fill phishing pages with victims'
credentials. Meanwhile, Tycoon 2FA has upgraded its evasion tactics, using encryption and obfuscation
techniques to hide malicious activity.
EvilProxy remains a major threat due to its accessibility, allowing less skilled attackers to run phishing campaigns.
Barracuda warns users to watch for suspicious URLs and unexpected MFA prompts as these attacks
continue to evolve and evade detection.
A researcher from Cato CTRL has discovered a new jailbreak technique, Immersive World, that bypasses security controls in ChatGPT, Copilot, and DeepSeek, enabling AI-generated malware creation.
This exploit tricked AI models into writing malware to steal Chrome credentials without
requiring prior coding experience.
The discovery highlights the rise of zero-knowledge cybercriminals, where AI lowers the technical
barrier for launching attacks. As AI adoption grows in finance, healthcare, and technology,
security risks like data breaches, misinformation, and automated malware generation are escalating.
Experts warn that traditional security strategies may no longer be sufficient.
The Immersive World jailbreak serves as a stark reminder of AI's dual-use nature, both as a tool for innovation and a weapon for cybercrime.
Microsoft has uncovered StilachiRAT, a stealthy and persistent remote-access trojan designed to steal sensitive data from compromised systems.
First detected in November of last year, the malware is not yet widely distributed, but Microsoft warns it can spread through trojanized software, malicious sites, and phishing emails.
StilachiRAT profiles infected systems, steals credentials from Chrome, monitors cryptocurrency wallets, and tracks clipboard content for valuable data.
It can also spy on RDP sessions, allowing lateral movement within networks.
To evade detection, it clears event logs, checks for analysis tools, and obfuscates Windows API calls.
The malware maintains persistence through watchdog threads and Windows services, making it difficult to remove.
Microsoft has not attributed StilachiRAT to any known threat actor, but stresses the need for vigilance as it poses a serious risk to organizations and individuals alike.
CISA has confirmed active exploitation of a critical Fortinet vulnerability in ransomware attacks.
The flaw, affecting FortiOS and FortiProxy, allows attackers to gain super admin privileges via crafted proxy requests.
Linked to the Mora_001 ransomware group, it has been exploited to deploy a new strain called SuperBlack.
Additionally, CISA flagged a supply chain vulnerability in the tj-actions/changed-files GitHub Action, which impacted over 23,000 organizations.
Attackers modified the code, exposing CI/CD secrets in GitHub Actions logs.
Organizations are urged to patch Fortinet devices and ensure they're using a secure version of the GitHub Action to prevent further exploitation.
Coming up after the break on our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the ISACA Certified Information Security Manager exam, and AI coding assistants get all judgy.
Stay with us.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's sponsored jobs helps you stand out and hire fast. Your post jumps
to the top of search results so the right candidates see it first. And it works. Sponsored
jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love
about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts, you only pay for
results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire.
Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Indeed.com/cyberwire. Terms and conditions apply.
Hiring? Indeed is all you need.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a dynamic
and collaborative environment where your ideas drive change.
With career growth opportunities and a focus on work-life balance, you'll have the flexibility
to thrive both professionally and personally.
Explore open cybersecurity and technology roles today at vanguardjobs.com.
In the latest edition of our ongoing CertByte segment, Chris Hare is joined by Troy McMillan. They break down a question targeting the ISACA Certified Information Security Manager exam.
Hi everyone, it's Chris.
I'm a content developer and project management specialist here at N2K Networks.
Today's question targets the ISACA Certified Information Security Manager, CISM, exam, which was last updated in June 2022.
This exam helps to affirm your ability to assess risks, implement effective governance,
proactively respond to incidents, and is the preferred credential for IT managers, according
to ISACA.
I've enlisted Troy as our new guest host today.
He's a specialist in all things Cisco, ISACA, and EC Council.
Welcome, Troy.
How are you today?
I'm doing great, Chris.
Thanks for having me.
Of course.
And before we get into it, be sure to stick around
after our question for our special study bit for this test,
as well as for the latest news on upcoming N2K practice tests.
OK, we're going to be turning the tables.
And Troy, you're going to be asking me today's question.
Troy, go ahead and give my brain a stretch.
OK, Chris, here's your question.
It's multiple choice, but only one answer is correct.
In the absence of an information security strategy,
how should an information security manager start developing it?
Your choices are A, the manager can make decisions based on the business case.
B, the manager can refer to industry standards.
C, the manager develops the security policies.
Or D, the manager should refer to the information security governance framework.
All right, so before I answer Troy, I understand this is under the information
security governance objective and the Establish and
or Maintain an Information Security Governance Framework to
Guide Activities that Support the Information Security
Strategy sub-objective, correct?
That is correct.
Okay, and I have to select only one answer.
But before I talk through my reasoning, I think it would be
good to know from you, Troy,
if you can quickly define what an Information Security Manager role entails, given this is the audience for the cert.
Well, the Information Security Manager's main role is to develop the Information Security Strategy, which is a high-level plan that is used to guide all of their security efforts
used to protect the organizational assets.
All right, so that is good context.
And so as a person going for this certification,
I would be looking at these choices from that lens.
That said, knowing this will help me better inform my deductive reasoning strategy.
So let's give this a shot.
For choice A, I'm sure a business case would be one of the elements that the information
security strategy would be based on.
But if we're talking about having no strategy at all, I would guess that would not be enough
to start creating it.
Moving on to B, referring to industry standards.
That may be true, but that seems too general.
Now C, asking the manager to develop the security policies.
That seems to disregard the point of the question,
basically neutralizing it,
so I will discard that one as well.
Finally, option D, referring to
the information security governance framework. It doesn't specify which framework, but it sounds more specific
than the other options. And in the absence of any other intellectual
advantage, I'm going to choose this option. D, the manager should refer to the
information security governance framework. Am I right?
Good try, Chris, but unfortunately, that's incorrect.
The correct answer is B, the manager can refer to industry standards.
And the reason is because, in the absence of a security strategy, it's unlikely that the business case or the policies and a governance framework are developed yet; those are probably not then developed.
So understanding this item is understanding the order that things are done.
So by looking at the standards that ISACA publishes, which are sort of best practices
for doing this, you would find a framework that you would use to develop your information
security strategy.
Okay, that makes a lot of sense.
Now Troy, how does the CISM differ from ISC2's CISSP, or Certified Information Systems Security Professional, certification?
Who should take one versus the other?
Well, there's a lot of confusion surrounding that. The main difference between these two exams
is that the CISSP is both technical and managerial.
So you'll get high level items that
are from a managerial standpoint,
but you will also get questions that
are very technical in nature. Whereas the CISM exam is pretty much manager oriented.
So the difference is one is technical and managerial, the CISM is mostly managerial.
Okay, great information and question Troy.
Last question for you.
This exam has not been updated in three years.
Do you know if another update is due soon?
Well, they haven't been exactly upfront about that, but they say that they do their exams
every four to five years.
So considering when it was last updated, I would expect an update in 2026 or 2027.
Now it's time to discuss the study bit for this test.
What do you have first, Troy?
Okay. My study tip is going to go back to
the question that you asked me about the difference between CISSP and CISM.
On this exam, think managerial.
So if you're looking at an item and some of the answer options are technical in nature,
and the others are somewhat managerial or high-level,
probably the managerial option is going to be the better one to select.
So think like a manager, high-level.
Awesome tip. As we wrap up today's episode,
are there any upcoming practice tests you'd like to promote here?
Yes, we just released the CompTIA Tech+,
the AWS Certified AI Practitioner,
and the Azure AI Engineer Associate Practice Test.
We'll also have more coming up for CompTIA,
Microsoft, and Oracle in the next month.
Thanks so much for being here with me today, Troy.
Thank you for having me.
And thank you for joining me for this week's CertByte.
If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte@n2k.com.
That's C-E-R-T-B-Y-T-E at n number 2k.com.
If you'd like to learn more about N2K's practice tests,
visit our website at n2k.com forward slash certify.
For sources and citations for this question,
please check out our show notes.
Happy certifying. Be sure to check out N2K's ISACA Certified Information Security Manager practice test.
We'll have a link to that in our show notes.
Tired of investigation tools that only do one thing at a time?
Spending more time juggling contracts with data vendors than actually investigating?
Maltego changes that for good.
Get one investigation platform, one bill to pay, and all the data you need in one place.
It comes with curated data and a full suite of tools to handle any digital investigation.
Connect the dots so fast cybercriminals won't even have time to google what Maltego is.
See the platform in action at maltego.com.
And finally, as companies rush to replace humans with AI, coding assistant Cursor might
have just revealed what workplace bots will be like.
A little snarky, and a lot judgmental.
One user learned the hard way when Cursor flat out refused to generate code for him.
You should develop the logic yourself, it scolded, insisting he actually learned to code
instead of relying on AI. So naturally, he did what any frustrated dev would do. He filed a bug
report, which quickly went viral. Speculation swirled. Did Cursor hit a hard coding limit,
or had it absorbed the grumpy spirit of Stack Overflow?
Hacker News users joked that the AI might have trained on the notoriously sarcastic programming forum.
If AI agents inherit human snark, maybe the real future of work is just arguing with robots. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast. Your feedback
ensures we deliver the insights that keep you a step ahead in the rapidly changing world of
cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers.
I finally have peace of mind, knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports
so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.