A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, June 17, 2025. I'm Rich Stroffolino.
Beware of SMS 2FA middleman. An anonymous whistleblower provided Bloomberg Businessweek and Lighthouse Reports with auto-generated login codes related to roughly 1 million SMS messages with two-factor authentication codes sent in June 2023. All these messages passed through the Swiss company Fink Telecom Services, which cybersecurity researchers have previously found worked with government and private surveillance contractors to track user locations and spy on phones. Fink Telecom is one of the many intermediaries that process SMS factors for other platforms. Fink CEO Andreas Fink told Bloomberg that legal restrictions prevent them from seeing message content and that it no longer works in surveillance. Fink generally operates as a subcontractor for other SMS processors, so the platforms sending the codes have no direct business relationship or oversight of them.
B
Police seize Archetype Market. Archetype Market has been online since May 2020, selling a high volume of illicit drugs for over 3,200 registered vendors with over 250 million euros in cryptocurrency transactions. As part of a joint action by Europol between June 11 and 13, Operation Deep Sentinel disrupted the marketplace. Investigators in the Netherlands disrupted infrastructure. A 30-year-old German national suspected of being an admin was arrested in Spain, and a suspected moderator and several alleged vendors were arrested in Germany and Sweden. The Archetype site now displays a message warning that the domain has been seized.
B
Zoomcar hack impacts 8.4 million users. The India-based car sharing company Zoomcar informed the U.S. Securities and Exchange Commission that it learned an unauthorized party accessed its systems. On June 9, an investigation found that a threat actor accessed a limited dataset with personal information on 8.4 million users, including names, phone numbers and car registration numbers. Zoomcar said their data represented a subset of users across India, Indonesia, East India, Egypt and Vietnam. No group claimed credit for the breach. Zoomcar told the SEC the incident did not cause a material disruption to operations.
B
Wiz acquisition faces antitrust scrutiny. Bloomberg sources say the U.S. Department of Justice opened an antitrust investigation into Google's planned $32 billion acquisition of Wiz. That deal was announced back in March. The investigation is in its early stages and could stretch on for months. A block on the deal wouldn't just deny Google adding a strong cloud security portfolio to its pocket. It also carries a $3.2 billion breakup fee. The DOJ also investigated Google's 2022 acquisition of Mandiant but eventually cleared the deal.
And now, thanks to our episode sponsor, Adaptive Security, OpenAI's first cybersecurity investment. As deepfake scams and GenAI phishing evolve, Adaptive equips security teams with AI-powered phishing simulations featuring realistic personalized deepfakes and engaging security awareness training. Their new AI content creator turns threat intel and policy updates into interactive multilingual training instantly. Trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI, Adaptive helps you stay ahead of AI-driven threats. Learn more at adaptivesecurity.com. That's adaptivesecurity.com.
SEC backs off on investment cybersecurity regulations. In 2022, the SEC proposed new rules for investment companies and advisors requiring them to create policies to address cybersecurity risk and provide reporting on cyber incidents and risk to the commission that occurred over the last two years. These new regulations already faced a rocky response, with the SEC eventually reopening the public comment period in 20. In a new notice, the SEC said it would withdraw these pending rules and, if it pursued similar regulations, it would issue new proposed rules.
B
Deerstealer makes the case for subscription malware. Researchers at East Sentinel recently documented a new campaign showing the rapid development of the Deerstealer subscription-based infostealer. The attackers initially use a phishing page to prompt a PowerShell command that launches an attack chain to execute hijack loaders and then eventually deploy Deerstealer. The initial installation uses a signed binary from Comodo, which loads a manipulated DLL to inject the infostealer into a legitimate process. The researchers found that Deerstealer is evolving quickly, adding macOS support, multi-client targeting and, at higher pricing tiers, re-encryption, payload signing and further customization. The basic subscription still supports extracting data from over 50 browsers, includes a hidden VNC for remote access, and can target crypto credentials by monitoring clipboards and messaging apps.
Hackers compromise email of Russian researcher. On LinkedIn, Keir Giles, a prominent British researcher on Russia, disclosed that several of his email accounts were compromised by threat actors impersonating the U.S. State Department. Analysis of the emails by SecureWorks and Mandiant found it likely the campaign was operated by the Russian state-sponsored group known as Iron Frontier. Giles warned contacts to proceed with caution on any unexpected emails received from him recently. This isn't his first experience with these types of attacks. Last year, threat actors tied to Russia's intelligence services impersonated academic researchers in an attempt to compromise his email.
B
NIST publishes new ZTA guidance. This new guidance is meant to serve as a foundational starting point for organizations building their own zero trust architecture, although it cautions that all of these need to be custom built for a given context. NIST includes 19 examples of zero trust architectures built by organizations using commercial off-the-shelf tools and technologies. The guidance is meant to augment NIST's previous conceptual-level ZTA documentation, which it released back in 2020. It emphasizes a phased deployment that starts by identifying and cataloging assets, building out access policies and eventually achieving continuous monitoring and improvement.
Compliance doesn't equal security, but that doesn't mean it can't be part of the equation. Instead of dismissing compliance as mere security theater, how can we use what we have to do to augment our security efforts? That's one of the subjects we'll be tackling on this week's episode of the CISO Series podcast. Look for the episode "We Checked the Yes Box for Cybersecurity. What Else Do We Have to Do?" wherever you get your podcasts. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting from the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – Episode Summary
Hosted by CISO Series
Release Date: June 17, 2025
In the latest episode of Cyber Security Headlines by CISO Series, host Rich Stroffolino delves into the most pressing cybersecurity issues of the day. From sophisticated 2FA attacks to major data breaches and regulatory challenges, this episode provides a comprehensive overview of the evolving threat landscape. Below is a detailed summary of the key topics discussed.
The episode opens with a concerning revelation about the vulnerability of SMS-based two-factor authentication (2FA). An anonymous whistleblower supplied Bloomberg Businessweek and Lighthouse Reports with auto-generated login codes related to approximately 1.1 million SMS messages containing 2FA codes sent in June 2023.
Key Points:
This development highlights the critical need for organizations to re-evaluate their authentication methods and explore more secure alternatives beyond SMS-based 2FA.
In a significant crackdown on illicit online activities, Europol announced the seizure of Archetype Market, a notorious darknet marketplace for illicit drugs. Operational since May 2020, Archetype Market hosted over 3,200 registered vendors and facilitated transactions exceeding 250 million Euros in cryptocurrency.
Operation Deep Sentinel:
This operation underscores the ongoing efforts by international law enforcement to dismantle cybercriminal infrastructures and disrupt illegal marketplaces.
Zoomcar, the India-based car-sharing company, reported a significant data breach affecting 8.4 million users across India, Indonesia, East India, Egypt, and Vietnam. The breach was disclosed to the U.S. Securities and Exchange Commission (SEC) after an unauthorized party accessed Zoomcar’s systems on June 9.
Details of the Breach:
This incident highlights the persistent risks associated with data security in the automotive sharing sector and the importance of robust cybersecurity measures to protect user information.
Bloomberg sources revealed that the U.S. Department of Justice (DOJ) has initiated an antitrust investigation into Google's planned $32 billion acquisition of Wiz, a cloud security firm. The deal, announced in March, is now under close examination to assess its potential impact on market competition.
Implications:
The outcome of this investigation will have significant ramifications for Google’s expansion in the cybersecurity sector and broader antitrust regulatory practices.
The U.S. Securities and Exchange Commission (SEC) has decided to withdraw its proposed cybersecurity regulations for investment companies and advisors, which were initially introduced in 2022. These regulations required entities to develop policies addressing cybersecurity risks and to report cyber incidents and risk factors to the SEC.
Highlights:
This decision reflects the complex balance regulators must achieve between enforcing security standards and accommodating industry concerns.
Researchers at East Sentinel have documented a new malware campaign involving Deerstealer, a subscription-based Information Stealer (InfoStealer). This malware is rapidly evolving, incorporating features such as macOS support, multi-client targeting, and advanced encryption techniques.
Technical Overview:
The sophistication and adaptability of Deerstealer pose a significant threat to both individuals and organizations, underscoring the necessity for advanced threat detection and response strategies.
Keir Giles, a prominent British researcher specializing in Russian cybersecurity threats, disclosed that his email accounts were compromised through LinkedIn. The breach involved threat actors impersonating the U.S. State Department.
Findings:
This case highlights the persistent threat posed by state-sponsored actors targeting high-profile researchers and the importance of vigilance in digital communications.
The National Institute of Standards and Technology (NIST) has released updated guidance on Zero Trust Architecture (ZTA), aiming to provide a foundational framework for organizations developing their own zero trust models.
Key Features:
This updated guidance serves as a critical resource for organizations striving to implement robust zero trust security measures tailored to their specific contexts.
Conclusion
In this episode, Rich Stroffolino provides a thorough overview of the latest developments in cybersecurity, emphasizing the dynamic nature of threats and the continuous need for adaptive security strategies. From the exploitation of SMS 2FA systems to significant data breaches and evolving malware threats, the discussions underscore the imperative for organizations to stay ahead in the cybersecurity landscape. Additionally, regulatory changes and updates, such as those from the SEC and NIST, highlight the interplay between compliance and security in shaping robust defense mechanisms.
For those seeking to understand the current cybersecurity environment, this episode offers invaluable insights into the challenges and responses shaping the field.