CyberWire Daily - When fake fixes hide real attacks.
Episode Date: April 21, 2025Adversary nations are using ClickFix in cyber espionage campaigns. Japan’s Financial Services Agency issues an urgent warning after hundreds of millions in unauthorized trades. The critical Erlang/O...TP’s SSH vulnerability now has public exploits. A flawed rollout of a new Microsoft Entra app triggers widespread account lockouts. The alleged operator of SmokeLoader malware faces federal hacking charges. A new scam blends social engineering, malware, and NFC tech to drain bank accounts. GSA employees may have been oversharing sensitive documents. Yoni Shohet, Co-Founder and CEO of Valence Security, who cautions financial organizations of coming Chinese open source AI. Crosswalks in the crosshairs of satirical hacking. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We are joined by Yoni Shohet, Co-Founder and CEO of Valence Security, discussing how the onslaught of more open source AI tools coming out of China will be difficult to manage for companies especially those in the financial sector. Selected Reading North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks (Hackread) Countries Shore Up Their Digital Defenses as Global Tensions Raise the Threat of Cyberwarfare (SecurityWeek) Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts (The Record) Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (Bleeping Computer) Widespread Microsoft Entra lockouts tied to new security feature rollout (Bleeping Computer) Alleged SmokeLoader malware operator facing federal charges in Vermont (The Record) New payment-card scam involves a phone call, some malware and a personal tap (The Record) Sensitive files, including White House floor plans, shared with thousands (The Washington Post) Hacking US crosswalks to talk like Zuck is as easy as 1234 (The Register) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire. Adversary nations are using click-fix in cyber-espionage campaigns. Japan's financial services agency
issues an urgent warning after hundreds of millions in unauthorized trades. The critical
Erlang OTP SSH vulnerability now has public exploits.
A flawed rollout of a new Microsoft Entra app triggers widespread account lockouts.
The alleged operator of a smoke loader malware faces federal hacking charges.
A new scam blends social engineering, malware, and NFC tech to drain bank accounts.
GSA employees may have been over sharing sensitive documents, our guest
is Yoni Shohet, co-founder and CEO of Valence Security, who cautions financial organizations
of coming Chinese open source AI, and crosswalks in the crosshairs of satirical hacking. It's Monday, April 21st, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us.
Happy Monday.
It's great to have you with us.
Government-backed hackers from North Korea, Iran, and Russia are now using a technique
called ClickFix in cyber-espionage campaigns, according to Proofpoint.
This method tricks users into running malicious commands by displaying fake error messages
or security alerts.
Victims believe they're fixing a problem, but instead activate malware.
North Korea's TA-427 used ClickFix in early 2025 to target think tanks via fake meeting
invites. Iran's TA-450 deployed it in late 2024 against Middle Eastern financial and government sectors
through bogus Microsoft email updates.
Russian group TA-422 and UNK Remote Rogue also used it in phishing campaigns.
While not replacing all attack methods, ClickFix is being used to streamline
infection steps. Proofpoint notes that Chinese hackers haven't used ClickFix yet, but its growing
use signals a rising trend among state-backed groups. In spring of 2024, Russian-linked hackers
breached water plants in rural Texas, including in Muleshoe,
triggering system malfunctions.
While no ransom was demanded, the attack highlighted critical infrastructure vulnerabilities, an
urgent concern for cybersecurity professionals.
These incidents weren't isolated.
Experts say they represent a growing trend, state-backed actors probing US systems
to test digital defenses. Similar threats include China's Volt Typhoon and Salt Typhoon
campaigns, which targeted telecom networks and government communications for long-term
espionage. Despite this rising threat landscape, the U.S. has weakened cyber defenses under the
Trump administration, firing NSA leadership, cutting election security budgets, and slashing
cybersecurity staff.
Some say the cybersecurity workforce gap remains a pressing issue with over half a million
professionals needed, while others are skeptical that the so-called gap even exists.
Either way, as global tensions escalate and adversaries cooperate digitally, cyber professionals
must prepare for more complex, persistent, and politically motivated attacks.
Japan's Financial Services Agency has issued an urgent warning after hackers conducted over $665
million in unauthorized trades via compromised brokerage accounts.
Using phishing sites posing as legitimate firms, attackers stole customer credentials
to access and manipulate accounts, often selling Japanese stocks to purchase Chinese ones,
which remain in the victims' accounts.
At least 12 security firms, including Nomura and Rakuten, reported over 1,400 fraudulent
trades and over 3,300 illegal access attempts.
Brokerages will cover customer losses.
Japan links rising threats to China-backed cyber attacks.
The critical vulnerability in Erlang OTP's SSH daemon now has public exploits, putting thousands of systems at risk.
The flaw allows unauthenticated remote code execution and affects all devices using the daemon. Although patched in recent versions, many systems, especially
in telecom and database infrastructure, remain unpatched. Proof-of-concept exploits were
recently shared on GitHub and Pastebin, raising the risk of mass exploitation. Security experts
urge immediate updates as attackers are expected to begin scanning and exploiting vulnerable systems.
A flawed rollout of Microsoft's Entra ID's new Mace Credential Revocation app has triggered
widespread false positive alerts and account lockouts across organizations.
Admins reported that up to one-third of accounts were locked due to supposed leaked credentials,
though the
passwords were unique and protected by MFA.
No signs of compromise were found, and breach checks showed no matches.
The issue appears tied to Mace's sudden deployment.
Microsoft has yet to officially confirm the cause. Nicholas Moses, also known as Scrub Lord, is facing federal
hacking charges in Vermont for allegedly operating the smoke loader
malware, stealing personal data from over 65,000 victims worldwide. Prosecutors say
Moses used the malware to harvest passwords and sensitive information from infected devices between
January 2022 and May 2023, maintaining a command server in the Netherlands.
He allegedly sold stolen credentials for $1 to $5 each and claimed to have over half a
million logs.
Smokeloader, a malware strain active since 2011, is popular among Russian cybercriminals
for its modular design and ability to perform various attacks.
Moses's case follows Europol's Operation Endgame, which recently targeted major malware
droppers, including Smoke Loader.
Authorities continue to investigate and arrest individuals linked to the botnet's distribution
and resale operations.
A new scam blending social engineering, malware, and NFC tech is targeting Android users and
their payment cards, researchers at Cleefy report.
Dubbed SupercardX, the malware tricks victims via fake bank fraud alerts, urging them to
call a number where scammers then collect pins and convince users to remove card limits.
Victims are later prompted to place their card near their infected device.
The malware then uses NFC to silently capture card data, enabling instant theft outside traditional bank fraud
channels.
Supercard X is linked to a malware-as-a-service model operated by Chinese-speaking developers
but used by different groups globally.
Unlike past scams targeting specific banks, this campaign targets any debit or credit
card. Authorities warn such NFC-based fraud is growing
and may appear in more regions soon.
Internal records reviewed by The Washington Post reveal
that General Services Administration employees
under both the Biden and Trump administrations
improperly shared sensitive files,
including White House blueprints and
vendor banking details, with over 11,000 federal workers.
The documents, stored in a Google Drive folder, included at least nine files marked Controlled
Unclassified Information, which, while not classified, still require protection.
Some files allowed editing access.
The oversharing, ongoing since 2021, triggered a cybersecurity investigation last week.
The breach included sensitive plans for the White House's East and West wings and details
for a proposed blast door.
Though not necessarily classified, experts say such data should be tightly secured.
The GSA has annual security training and scanning tools, but the incident highlights systemic weaknesses in document handling across administrations.
Coming up after the break, my conversation with Yoni Shohek, co-founder and CEO of Valence Security who cautions financial organizations of coming Chinese open source AI and crosswalks
in the crosshairs of satirical hacking.
Stay with us.
What's the common denominator in security incidents? Escalations and lateral movement.
When a privileged account is compromised,
attackers can seize control of critical assets. With bad directory hygiene and years of technical
debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders
to detect. This poses risk in active directory, intraID, and Hybrid configurations. Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams
while reducing risk with Bloodhound Enterprise, powered by SpectorOps.
Head to spectorops.io today to learn more.
SpectorOps. See your attack paths the way adversaries do.
Do you know the status of your compliance controls right now?
Like right now?
We know that real-time visibility is critical for security, but when
it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the
gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Yoni Shohet is co-founder and CEO of Valence Security. I recently got together with him to discuss financial organizations being wary of coming
Chinese open source AI.
So I think there's two layers here of concerns in areas that most people are focusing on.
The first is the fact that it's coming from China, and the second is the fact that it's
open source.
I think the best way that most people can probably understand today is the fact that
just looking at DeepSeek as the latest example that really hit the headlines.
But it's eventually tools that are encouraging users or adopters of the open source capabilities to
leverage open source models that
include a wide variety of open source capabilities
from the code or to algorithms to the data itself,
that is the core aspect in most AI models.
And the fact that it's open source, meaning that everybody has access to see exactly the
source code and the source elements in an open source fashion, which is atypical to
how most AI models were released until recently.
Even in the name, OpenAI is not open source, so a lot of the chat-tube capabilities and
others are closed source, meaning
that you have limited transparency in terms of how the logic in the backend operates.
So in your estimation, what are the specific risks here?
Yeah, so I think the main thing that concerns a lot of people is really the fact that it's
Chinese in terms of the infrastructure and the people behind these
types of open source models, which means that it's governed by the Chinese government regulations,
not by more of a western society in terms of how the data is treated in terms of privacy
and potential security concerns, and also in terms of privacy and potential security concerns,
and also in terms of their obligations and requirements
to disclose some of this data to potential government,
the data that you feed to the AI models
to the potential government,
which I think is the first order of most of the risks
and concerns that we see today within the industry
is eventually, am I giving away my data to the Chinese government
by leveraging these tools basically?
And I think the second aspect is really the fact
that these tools are open source.
There's pros and cons of fact that it's open source AI tools.
Obviously it can lead to better collaboration
and to more inputs from the broader industry in terms of what
you can do with these tools or how you can make them applicable. But also, these types
of open source AI tools are typically also less focused on enterprise-grade capabilities,
ensuring proper security, reducing chances of vulnerabilities or patching potential vulnerabilities in the
logics that they implement and how they handle the data.
And also the fact that specifically some of these models have open source, also the data
models themselves then also could potentially the data that I'm feeding to a prompt or to
a tool eventually get open sourced itself because it's going to be leveraged for potential
learning of these AI models which are very data hungry as we all know.
So help me understand here, I mean the models being open source, would they typically be
running locally or will they be running remotely?
So it could be either or. Eventually you could download it and
run it locally and own the infrastructure that it's running, but also
you can just log in to DeepSeq's prompt and work with the chat directly, which I
think also leads to other concerns because there could be a lot of
variations that are based on very high quality models and data,
and they can market it in different ways
that would make it look very legitimate,
but you don't have precisely a good understanding
of who's behind these capabilities and tools
because we're making them more accessible
for potentially malicious or adversary organizations to leverage high quality AI models and data
to build commercial tools that will look
if they're powered by DeepSeek or try
to build credibility based on a well-known brand name,
even though they're not precisely the same people
behind these original tools,
even if you can question their credibility regardless.
I know one of the concerns that you've expressed is the use of these tools within
financial services institutions. What is the specific risk there?
Yeah, so I think the main concerns from what we've seen, and this is probably
when we look at what we do at Valence as a fast security company and we highlighted for some of our customers that option of deep seek within the organization
is just the unknown and how employees are.
Sharing data because again is as good as the data to feed it and if you're trying to use an AI model or an AI application
to get your job done, you most likely
need to tell it something about your work
or about the nature of what you're doing
or even specific information that could be sensitive.
Eventually, when you feed this data to an AI model
that nobody has vetted and nobody's trusting,
these AI models can pop up and become the hottest trend
and make the headlines. And everybody's curious to see,
oh, is this going to be better than Chach-GPT or Gemini,
one of the other tools that I'm already leveraging,
then potentially there could be misuse of data that could lead
to either exposure of that data because it will become
open source or because it's not going to be protected
capabilities or the right standards that the organization has.
Or in case of these specifically Chinese tools,
it could eventually end up in the hands
of the Chinese government,
at least what we've seen in terms of customers,
pretty concerned in terms of their risk there.
Yeah.
So what are your recommendations then?
I mean, for the folks who are tasked
with protecting their organizations, how should they approach this reality?
Yeah, what we've seen being very effective over the past couple of years with the
rise of AI in general is that first of all you can't really stop it. So I think
most organizations are past the point of saying I'm not gonna let anybody adopt
AI and we're gonna use just the traditional tools because if you block it
and not aggressively, eventually,
employees will just find a workaround.
What we've seen successful organizations implement is
basically identify the approved and sanctioned capabilities
and tools that they want to use for
the different business requirements,
whether if it's prompt questions, data analysis, recording analysis,
transcriptions, whatever the purpose that the business is raising that they need,
the specific tools, code analysis or code improvements that we see today is also a hot topic.
And make sure that these sanction capabilities are highly accessible, and that people in the organization know how to use them
and how to adopt them when they need.
And then instead of saying when a new tool comes out,
saying, hey, this is not approved, don't use it.
If the message is, hey, we have these alternatives
that we already approved,
this is not something you can use,
but we want to redirect you to something else
that could get the same purpose done,
but it's already approved and governed and sanctioned,
and therefore we have less concerns
from a security perspective around it,
or it's more controlled in terms of the risk
when we accepted it.
And focusing on how to do something rather than
how not to do something has been proven to be very effective
and especially with the adoption of innovative tools by business users and big admins.
That's Joni Shohet from Valence Security. Secure access is crucial for U.S. public sector missions, ensuring that only authorized users
can access certain systems, networks, or data.
Are your defenses ready? Cisco's Security Service Edge delivers comprehensive protection for your network and users.
Experience the power of Zero Trust and secure your workforce wherever they are.
Elevate your security strategy by visiting cisco.com slash go.sse.
That's c-i-s-c-o dot com slash g-o slash s-s-e. And finally, our malicious jaywalking desk tells us that crosswalk buttons in cities like Seattle
and Silicon Valley have been hijacked to play AI-generated voices of tech billionaires like
Jeff Bezos, Elon Musk, and Mark Zuckerberg.
Instead of the usual robotic walk or wait, pedestrians were greeted with Bezos promoting
Amazon Prime or joking about billionaires
moving to Florida if taxed.
Classic parody wrapped in high-tech mischief.
The culprit?
A mix of social commentary and shoddy security.
The devices, made by crosswalk hardware giant Polara, are managed via a Bluetooth-enabled
app called the Polara Field Service app.
It was publicly available and protected only by the worst password in tech history, 1234.
Pranksters easily reprogram the devices to play custom AI-generated audio.
While some call it harmless fun, the stunt raises serious issues. Visually impaired pedestrians depend on those audio cues to cross safely.
Swapping them for tech tycoon impersonations isn't just a laugh, it's a hazard.
It also highlights the risks of default credentials in critical infrastructure.
The app has since been pulled from app stores, but archived versions remain,
meaning this could happen again. The municipal crews now face the tedious task of manually
updating credentials on thousands of devices, one intersection at a time.
So let this be a friendly PSA. Customizable crosswalk audio? Great.
Billionaire bedtime banter at intersections?
Not so much.
And for the love of pedestrians, change your default passwords. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity. If you like our show, please share a rating and review in your favorite
podcast app. Please also fill out the survey and the show notes or send an email to cyberwire
at n2k.com.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed
by Trey Hester with original music
and sound design by Elliot Peltsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting
your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home
networks and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.