CyberWire Daily - The invisible force fueling cyber chaos.
Episode Date: April 3, 2025

A joint advisory labels Fast Flux a national security threat. Europol shuts down a major international CSAM platform. Oracle verifies a data breach. A new attack targets Apache Tomcat servers. The Hunters International group pivots away from ransomware. Hackers target Juniper routers using default credentials. A controversy erupts over a critical CrushFTP vulnerability. Johannes Ullrich, Dean of Research at SANS Technology Institute, unpacks Next.js. Abracadabra, alakazam — poof! Your credentials are gone.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Johannes Ullrich, Dean of Research at SANS Technology Institute, is discussing Next.js and how similar problems have led to vulnerabilities recently.

Selected Reading
Fast Flux: A National Security Threat (CISA)
Don't cut CISA personnel, House panel leaders say, as they plan legislation giving the agency more to do (CyberScoop)
CSAM platform Kidflix shut down by international operation (The Record)
AI Image Site GenNomis Exposed 47GB of Underage Deepfakes (Hackread)
Oracle tells clients of second recent hack, log-in data stolen, Bloomberg News reports (Reuters)
Hackers Exploiting Apache Tomcat Vulnerability to Steal SSH Credentials & Gain Server Control (Cyber Security News)
Hunters International Ransomware Gang Rebranding, Shifting Focus (SecurityWeek)
Hackers Actively Scanning for Juniper's Smart Router With Default Password (Cyber Security News)
Details Emerge on CVE Controversy Around Exploited CrushFTP Vulnerability (SecurityWeek)
New Malware Attacking Magic Enthusiasts to Steal Login Credentials (Cyber Security News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity,
or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas
drive change. With career growth opportunities and a focus on work-life balance, you'll have
the flexibility to thrive both professionally and personally. Explore open cybersecurity
and technology roles today at VanguardJobs.com.
A joint advisory labels Fast Flux a national security threat.
Europol shuts down a major international CSAM platform.
Oracle verifies a data breach.
A new attack targets Apache Tomcat servers.
The Hunters International group pivots away from ransomware.
Hackers target Juniper routers using default credentials.
A controversy erupts over a critical CrushFTP vulnerability. Our guest
is Johannes Ullrich, Dean of Research at the SANS Technology Institute. He unpacks Next.js.
And abracadabra, alakazam, your credentials are gone. It's Thursday, April 3rd, 2025. Thanks for joining us here today.
It is great to have you with us.
Fast Flux is a technique used by cybercriminals and nation-state actors to evade detection
by rapidly rotating DNS records and IP addresses linked
to malicious domains.
This tactic supports resilient command and control infrastructure and enables persistent
malicious activity such as ransomware, phishing, and botnets.
Variants include single flux, rotating IPs, and double flux, changing DNS servers too, often supported by bulletproof
hosting services.
A joint advisory from the NSA, CISA, FBI, and international partners warns of Fast Flux
as a national security threat and urges ISPs and cybersecurity providers, especially protective
DNS services, to develop
detection and mitigation capabilities. Recommended strategies include DNS
analysis, anomaly detection, IP blocking, sinkholing, and threat intelligence
sharing. Distinguishing malicious fast flux from legitimate services like CDNs
remains a challenge.
Organizations are encouraged to verify PDNS protections, train staff on phishing, and
participate in collaborative defense efforts to reduce exposure to fast-flux-enabled cyber
threats.
Meanwhile, speaking of CISA, House cybersecurity leaders criticized Trump-era cuts to CISA, urging expanded responsibilities
instead. Representative Andrew Garbarino wants CISA central to U.S. cyber efforts, including
reauthorizing the 2015 cyber info sharing law and extending a key grant program. He
criticized cuts that harmed operations and signaled support for nominee
Sean Plankey. Representative Eric Swalwell slammed chaotic firings as inefficient and
backs legislation to formalize the Joint Cyber Defense Collaborative. Both aim to shield
CISA from political attacks and ensure strong congressional support moving forward.
Europol announced the takedown of Kidflix, a major dark web child sexual abuse material
platform calling it the largest child exploitation operation in its history.
The multi-year effort led to 79 arrests so far, with 1,393 suspects identified and 39 children rescued.
Over 39 countries participated in the investigation.
Offenders used cryptocurrency to access the site, which hosted up to 91,000 videos, many
previously unknown to law enforcement.
German and Dutch authorities seized servers containing 72,000 videos.
Users could earn access tokens by tagging content.
Europol emphasized the real-world harm behind the platform's operations, rejecting attempts
to frame the case as a purely cyber issue.
The platform had 1.8 million users, with over three new videos uploaded every hour.
The investigation remains ongoing.
Elsewhere, a major data leak at GenNomis, an AI image generation platform by South Korea's
AI-NOMIS, exposed 47.8 gigabytes of sensitive data, including over 93,000 images, some appearing to depict
underage individuals in explicit content.
Discovered by researcher Jeremiah Fowler, the unsecured database also contained deep
fakes of celebrities as children and user command logs.
The platform, now offline, allowed face-swapping and nude image generation.
The incident raises alarm over AI misuse in creating non-consensual, explicit content
especially involving minors, prompting urgent calls for stricter safeguards and developer
accountability.
Oracle has informed customers of a data breach involving stolen login credentials from a
legacy system, Bloomberg reports.
The breach, now under investigation by the FBI and CrowdStrike, is separate from another
incident Oracle disclosed last month.
The attacker reportedly tried to extort the company and began selling the stolen data
online.
Though Oracle claims the compromised
system hasn't been used in eight years, some stolen credentials date back to 2024,
raising concerns about lingering risks. Oracle has not publicly commented.
A new attack, dubbed Tomcat Campaign 25, is targeting Apache Tomcat servers with sophisticated encrypted malware
designed for both Windows and Linux.
Hackers use brute force methods to exploit weak credentials, quickly compromise servers,
and deploy Java-based web shells for persistent access.
The malware steals SSH keys, enables lateral movement, and hijacks resources for crypto
mining.
Notably, it hides payloads in fake 404 error pages and mimics kernel processes to evade
detection.
Researchers suggest links to Chinese-speaking actors, though attribution remains uncertain.
Hunters International, a ransomware-as-a-service group believed to be a rebrand of the defunct
Hive gang, is shifting to exfiltration-only attacks, according to threat firm Group-IB.
Active since late 2023, Hunters has targeted around 300 organizations, mostly in North
America, with sectors like real estate, health care, and energy most affected.
The group offers affiliates tools to steal data, set ransoms, and communicate with victims,
keeping 80% of payments.
Recently, Hunters stopped using ransom notes, instead contacting executives directly to
pressure payment.
Their affiliate panel includes storage software to manage and transmit stolen data.
On January 1st of this year, Hunters launched a new project called World Leaks, aiming to
abandon file encryption entirely, though it was paused due to infrastructure issues. Group-IB
predicts other ransomware groups may follow suit, automating data theft and focusing purely
on exfiltration to reduce risk and increase profitability.
SANS has reported a sharp rise in targeted scans exploiting default credentials in Juniper
Networks' Session Smart Router platform.
From March 23rd through the 28th, around 3,000 unique IPs attempted logins using default
credentials. The campaign, likely linked to the Mirai botnet, aimed to compromise unpatched
or improperly secured SSR devices for use in DDoS attacks. This surge followed Juniper's
recent patch for a critical authentication bypass flaw. The activity
dropped off abruptly, indicating a coordinated, automated effort.
A controversy has erupted over a critical CrushFTP vulnerability, now tracked with
two CVEs. The flaw, disclosed on March 21st, allows remote attackers to bypass authentication
and gain admin access.
While patches and workarounds were quickly released, a delay in issuing a CVE prompted
VulnCheck to assign one independently, without contacting CrushFTP or original discloser
Outpost24, who had requested a CVE via MITRE on March 13. This led to confusion
as the security industry began referencing VulnCheck's CVE. Exploitation began shortly after
disclosure, with the Shadowserver Foundation observing widespread attacks. Initially,
1,800 internet-exposed instances were vulnerable.
Over 500 remain unpatched in the U.S. as of April 2.
CrushFTP criticized firms for accelerating exploitation by sharing details too soon.
Attackers' goals remain unclear, but the flaw could enable data theft or deeper intrusions. Outpost24 is awaiting MITRE's decision on the official CVE designation.
Coming up after the break, Johannes Ullrich, Dean of Research at the SANS Technology Institute, joins us to unpack Next.js.
And abracadabra, alakazam, and poof! Your credentials are gone. Stay with us.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly
what's been done.
Take control of your data and keep your
private life private by signing up for DeleteMe. Now at a special discount for our listeners,
today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code
n2k at checkout. The only way to get 20% off is to go to
joindeleteme.com slash N2K
and enter code N2K at checkout.
That's joindeleteme.com slash N2K, code N2K.
Are you frustrated with cyber risk scores backed by mysterious data, zero context and
cloudy reasoning?
Typical cyber ratings are ineffective and the true risk story is begging to be told.
It's time to cut the BS.
BlackKite believes in seeing the full picture with more than a score. One where companies have complete clarity in their third-party cyber risk
using reliable quantitative data.
Make better decisions. Reduce your uncertainty.
Trust BlackKite.
And I am pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the SANS ISC
Stormcast podcast.
Johannes, it's always great to have you back.
Yeah, it's great to be back.
I want to talk to you about something that you've been looking into lately.
This is Next.js.
There's some stuff to unpack here.
Unpack it for me, please.
Yeah.
So of course, this was the big vulnerability here, that authentication bypass, but it's
really a symptom of sort of a group of vulnerabilities
that I see we keep getting more and more of.
And it's not really just individual software that's the problem here.
Like it manifests itself in software like Next.js.
It's a little bit more about how we architect some of these web applications.
Well, for folks who aren't familiar with it, can you explain to us what Next.js is
and how it plays into this?
Yeah, so Next.js is a framework that makes it easy
to create fancy web applications, to put it simple.
The JS stands for JavaScript.
It's sort of around that entire Node.js idea,
where you're creating code in JavaScript,
not just in the browser, but also on the back end.
And Next.js provides you a bunch of functionality
so you don't have to code the same thing over and over again.
That's sort of what these frameworks are doing.
They make it easy to create complex web applications.
So that all sounds good.
What's the issue here?
Yeah, sometimes things are maybe a little bit too easy.
Or appear to be too easy.
So what's happening here is with these modern web applications
that traditionally when you talk about a web application,
you think about your browser sending a request to a server,
the server runs a magic code and creates a response.
That's not really what's happening in a modern web application. Instead of one server and one
big piece of code creating the response, you have many web services that are essentially
running on their own web server. Sometimes, of course, the fancy serverless part comes in here.
And each one of these web services does one little thing.
So what was a problem here was that one component
in your web application that's implemented with Next.js
may take care of authorization.
And then you have a proxy that looks at the request that says,
oh you want to go to the admin page Dave, so I'll send you to my authorization server. It checks if
it's really you Dave, and then if you're an admin then you can go on to do whatever admins are doing.
The problem here was that because of the complexity of these systems, there's always
a chance that you end up with loops. So your request being authenticated, it's being passed
on to the next step to the admin API. And then for whatever reason, some bug or whatever,
the admin API sends it back to the authorization
service.
It could sort of go back and forth forever.
So Next.js said, we have a solution for you here.
Whenever it goes through a component, let's just add the name of that component to a special
header.
Now the service knows, okay, this already went through the authorization service.
I don't have to send it back there again.
But those headers, they can be created by the user and rule number one in web applications,
users are always evil.
They're out there to get you.
And so can I make a t-shirt that says that?
Sure.
So basically now the user just tells, hey, my request already went through the authorization
server so trust me, it's me, it's Dave and let me do whatever Dave wants to do.
So that was the problem here that you have these headers that are being added by these
middle boxes, and these headers are then implicitly trusted by other components.
And they really don't have a good way to figure out if these headers are authentic, if they
were actually added by the authorization server, or if they were added by a user or some completely
different process.
Like I said, this is sort of a repeating pattern that I keep seeing, not just with Next.js,
but with a lot of different software.
So is this a fundamental flaw in the way these things are designed?
Yes, it's somewhat these very complex systems that probably the people who develop them no longer
quite understand in some ways.
And really sometimes overlook some of these bypass methods, like how someone could bypass
them to front ends.
I think recently one of the famous ones, and I like the best because I think was outright
funny in a weird web application security way was
Palo Alto. They actually added a header, X-PAN-AUTHCHECK: off. So you could just tell them,
hey, don't bother actually checking the authentication of this particular request because I tell
you so.
Wow.
What could possibly go wrong? But the intent here was that the request was supposed to go through other components that basically add or remove that header depending on where the request is going to. Some requests don't need authentication. So let's just turn it off for those requests. And that's sort of how this happens.
And of course, all of this gets really complex.
There are so many headers.
There are so many ways how proxies manipulate headers, how they remove them, add them, and
that is really hard to get.
And like I said, as the users are evil, developers are actually usually nice people.
They're really nice. And if you leave them in the cubicle and don't touch them. But they
believe in standards, they believe in software actually complying with these standards. And
that also often doesn't happen. And that then leads to some of these bypasses.
I see.
Well, is this a fixable issue?
Is this a configuration problem or are we best avoiding these sorts of things?
Well, I think it's fixable if you really look at the system overall and really get back
to basics.
Every request needs to be authenticated, access controlled, input validated.
Put something in the request that actually can be authenticated, like digital signatures.
We have JWTs, these JSON web tokens that provide some of that. Again, if you implement them
correctly, that's always the big caveat here. And they're not always easy to implement correctly,
but there are solutions.
The solutions are complex, but learn how to use them.
Yeah.
Well, that's always the trick, isn't it?
It keeps folks like you in business.
Yeah.
All right, Johannes Ullrich, thanks so much for joining us.
Thank you.
Is your AppSec program actually reducing risk?
Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk.
Why?
Traditional tools use generic prioritization and lack the ability to filter real threats
from noise.
High impact threats slip through and surface in production, costing 10 times more to fix.
OX Security helps you focus on the 5% of issues that truly matter before they reach the
cloud. Find out what risks deserve your attention in 2025. Download the application security
benchmark from OX Security.
And finally, our Prestidigitation Desk tells us a new cyber trick has hit the magic world. And no, it's not an illusion.
Meet Abracadabra Stealer, the malware campaign targeting magicians, magic shop owners, and dedicated
wand wielders worldwide.
This cyber heist starts with emails promising exclusive trick tutorials or never-before-seen
Houdini footage.
It's a trap.
Open the attachment and poof, your login credentials vanish faster than a coin behind an ear.
Kaspersky researchers uncovered this act after magicians reported account breaches and disappearing
proprietary tricks.
Turns out the malware uses coded JavaScript and a touch of villainy to swipe browser data,
log keystrokes, and snap screenshots during logins. It even hides like a stagehand, disguised as an Adobe update in your system registry.
About 1,200 victims, mostly premium users and trick developers, have been hit since early
this year.
So if your magic act suddenly appears for sale on a sketchy forum, you've probably
been abracadabra'd.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music
and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpie is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and
securely. Visit threatlocker.com today to see how a default-deny approach can
keep your company safe and compliant.