
Sean Kelly
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Thursday, April 10, 2025. I'm Sean Kelly.

U.S. Comptroller suffers major incident. On Tuesday, the U.S. Treasury Department's Office of the Comptroller of the Currency characterized their recent email system breach as a major incident. In late February, Microsoft alerted officials to the incident, which abused an OCC email administrator account. The initial investigation found no evidence of impact on the financial sector and concluded that only a limited number of email accounts were affected. However, new reports from Bloomberg and Microsoft indicate that 103 email accounts with emails totaling 150,000 were compromised and contained highly sensitive financial information. The attack commenced in May of last year, nine months prior to its discovery. It remains unclear who is behind the attack.

Oracle confirms obsolete servers hacked. In an ongoing saga we've been covering here on Cybersecurity Headlines, Oracle has finally confirmed via email notifications to customers that hackers leaked credentials stolen from its servers. The notification said, quote, Oracle would like to state unequivocally that the Oracle Cloud, also known as Oracle Cloud Infrastructure or OCI, has not experienced a security breach, end quote. The hacker was able to access usernames and passwords from two obsolete servers that were never part of OCI, Oracle said. Because the passwords were hashed, the hacker was unable to access any customer environments or data. Researcher Kevin Beaumont said that Oracle's denials of a breach of Oracle Cloud is wordplay, since the breached servers were part of Oracle's older cloud services environment, which it rebranded as Oracle Classic.
Police seize Smoke Loader malware servers and detain customers. In a press release on Wednesday, Europol announced that its ongoing Operation Endgame has tracked down and seized Smoke Loader botnet servers and detained at least five suspected customers, according to investigators. The Smoke Loader pay-per-install botnet service was run by a threat actor called Superstar. A database seized during the operation allowed officials to track down the cybercriminals by linking them to their online aliases. Europol has yet to release details about the suspects and said that some of them are cooperating and have allowed them to examine digital evidence on their personal devices. Europol has set up a dedicated website to share the latest news related to the investigation.

CenterStack zero-day exploited to breach file sharing servers. Since last month, hackers have been exploiting a vulnerability in Gladinet's CenterStack secure file sharing software. CenterStack is an enterprise file sharing and access platform that turns on-premise file servers into secure, cloud-like file systems. CenterStack is used by thousands of businesses globally and is popular among managed service providers who host file services for their clients. The issue stems from an improperly protected and hard-coded machine key in the CenterStack portal configuration. If the attacker knows the key, they can craft a malicious payload that the server will trust and execute. Gladinet recommends customers upgrade to the latest patched version or manually rotate their machine key as soon as possible.

And now we'd like to give a huge thanks to our sponsor, Nudge Security. Trying to squeeze a few more line items into your security budget? Nudge Security can help. It's the only solution for SaaS security and governance that can discover up to two years of historical SaaS spend along with usage insights, so you can uncover wasted spend and redeploy those dollars elsewhere.
Start a free trial at nudgesecurity.com SaaS spend. That's n-u-d-g-e security.com SaaS spend.

Phishing kits now vet victims in real time. Threat actors have been spotted employing a new evasion tactic called precision-validated phishing. This new technique uses real-time email validation, through either validation service API calls or JavaScript code, to ensure phishing content is shown only to pre-verified, high-value targets. If an invalid target is identified, they are either presented with an error message or directed to benign sites. Email security firm Cofense said this new tactic is blocking visibility for researchers who typically enter fake or controlled email addresses to map the credential theft campaign. Ultimately, this reduces detection rates and prolongs the lifespan of phishing operations.

Hackers target bugs in EC2 sites to steal AWS credentials. F5 Labs has observed hackers exploiting server-side request forgery, or SSRF, vulnerabilities in websites hosted on AWS Elastic Cloud Compute instances. The attackers are using credentials extracted from EC2 metadata to escalate their privileges and access S3 buckets and other AWS services. The attacks are targeting instances running on AWS's older metadata service, IMDS version 1 that allows anyone with access to retrieve the metadata. The system has been superseded by IMDS version 2, which requires session token authentication to protect websites. F5 researchers said the malicious activity spiked between March 13th and 25th, and behavioral patterns strongly suggest that it was carried out by a single threat actor.

Ransomware attacks hit all-time high as payouts dwindle. On Wednesday, BlackFog issued its State of Ransomware Q1 2025 report. The report revealed that March set a new high with over 100 ransomware attacks publicly disclosed, an increase of 81% compared to March of last year.
The record-breaking month contributed to the first quarter of this year also being a record breaker, with 278 disclosed ransomware attacks. Data exfiltration played a major part in this surge, with 95% of all publicly disclosed attacks involving some form of data leak. A report from Chainalysis back in February suggests the increased intensity of ransomware activity may be due to profits plummeting. Payouts decreased by 33% to $818 million last year from a record-breaking $1.25 billion in 2023.

Lovable AI found most vulnerable to vibe scamming. Lovable is a generative AI-powered platform that enables creation of full-stack web applications using text-based prompts. Guardio Labs found Lovable to be the most susceptible to jailbreak attacks, allowing novice and aspiring cyber crooks to set up lookalike credential harvesting pages. This technique was dubbed vibe scamming, after the AI-dependent programming technique called vibe coding, Guardio Labs said. Quote, from pixel-perfect scam pages to live hosting, evasion techniques, and even admin dashboards to track stolen data, Lovable didn't just participate, it performed. No guardrails, no hesitation, end quote, Guardio said. Lovable not only produces convincing login pages mimicking real Microsoft sign-in pages, but also auto-deploys the page on a URL hosted on its own subdomain and redirects to Office.com after stealing credentials. The rising popularity of such AI tools will likely significantly reduce the barriers to entry for attackers.

And that does it for today's Cybersecurity Headlines. But remember to check out our latest episode of Security You Should Know. If your organization is struggling with managing compliance and risk, then you need to hear what Hyperproof is doing in the GRC space. Head over to cisoseries.com for a quick 15-minute episode that answers the questions you need to know about their solutions. Or look for Security You Should Know wherever you get your podcasts.
Thank you for listening to the podcast that brings you more of the top cyber news headlines and more cowbell. I'm Sean Kelly. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines - Episode Summary
Hosted by Sean Kelly, CISO Series
Episode Date: April 10, 2025
Sean Kelly opens the episode with a major security incident at the U.S. Department of the Treasury's Office of the Comptroller of the Currency (OCC). On Tuesday the OCC characterized the breach of its email system as a major incident; Microsoft had alerted officials to it in late February.
Incident Details: The attackers abused an OCC email administrator account. The initial investigation found only a limited number of affected accounts and no impact on the financial sector, but later reporting from Bloomberg and Microsoft puts the count at 103 email accounts and roughly 150,000 emails, including highly sensitive financial information. The intrusion began in May 2024, nine months before it was discovered.
Unresolved Questions: The identity of the attackers remains unknown, and the nine months of undetected access raise concerns about what sensitive financial information was exposed.
Quote:
Sean Kelly noted, “The initial investigation found no evidence of impact on the financial sector and concluded that only a limited number of email accounts were affected” [02:30].
Oracle has addressed, via email notifications to customers, a security incident involving two obsolete servers. Sean Kelly details the company's statement and the technical claims behind it.
Incident Overview: Oracle confirmed that hackers leaked credentials stolen from two obsolete servers, while stating unequivocally that Oracle Cloud (Oracle Cloud Infrastructure, OCI) was not breached. According to Oracle, the servers were never part of OCI, the stolen passwords were hashed, and the attacker could not reach customer environments or data.
Expert Insights: Security researcher Kevin Beaumont called the denial wordplay: the compromised servers belonged to Oracle's older cloud services environment, which the company rebranded as Oracle Classic.
Quote:
Sean Kelly relayed Beaumont's objection: “Oracle's denials of a breach of Oracle Cloud is wordplay, since the breached servers were part of Oracle's older cloud services environment” [05:15].
Europol announced significant progress in combating the Smoke Loader botnet through Operation Endgame.
Key Actions: Investigators tracked down and seized Smoke Loader botnet servers and detained at least five suspected customers of the service.
Operational Insights: Smoke Loader was sold as a pay-per-install botnet service run by a threat actor known as Superstar. A database seized during the operation let officials link customers to their online aliases. Europol has not released details about the suspects but said some are cooperating and have allowed examination of digital evidence on their personal devices.
Public Communication: A dedicated Europol website has been established to provide updates on the investigation.
Quote:
Sean Kelly reported, “The Smoke Loader pay-per-install botnet service was run by a threat actor called Superstar” [08:45].
A zero-day vulnerability in Gladinet's CenterStack secure file sharing platform has been exploited since last month, affecting numerous businesses globally.
Vulnerability Details: CenterStack turns on-premise file servers into cloud-like file systems and is widely used by managed service providers hosting file services for their clients. The flaw is an improperly protected, hard-coded machine key in the CenterStack portal configuration; an attacker who knows the key can craft a payload the server will trust and execute.
Recommendations: Gladinet advises upgrading to the latest patched version or manually rotating the machine key as soon as possible.
Quote:
Sean Kelly emphasized, “If the attacker knows the key, they can craft a malicious payload that the server will trust and execute” [12:10].
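The mechanism behind this class of bug is a signing key that is supposed to be secret per deployment but ships identically in every install. The following is an added illustration, not CenterStack's or Gladinet's code and not the ASP.NET machineKey/ViewState format: a constructed "signed server state" envelope (base64 JSON plus an HMAC-SHA256 tag) with a constructed hard-coded key, showing that anyone holding the key can mint state the server accepts, and that rotating to a random per-deployment key invalidates those forgeries.

```python
"""Why a hard-coded signing key makes server-side state forgeable, and what
rotating the key does about it.

Added example, not CenterStack's or Gladinet's code, and not the ASP.NET
machineKey/ViewState format. The envelope (base64 JSON payload + HMAC-SHA256
tag) and the key value are constructed stand-ins for any "server state signed
with a configured key" scheme.
"""
import base64
import hashlib
import hmac
import json
import secrets

# The weak configuration: one key baked into every installation's config.
# Constructed value; anyone who has seen a single install knows it.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class StateSigner:
    """Signs and verifies opaque state blobs that round-trip through clients."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, state: dict) -> str:
        payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return f"{payload.decode()}.{tag}"

    def verify_and_load(self, blob: str) -> dict:
        payload, _, tag = blob.rpartition(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        # Constant-time compare; the tag is the only thing standing between
        # "client-supplied bytes" and "trusted state".
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad signature")
        return json.loads(base64.urlsafe_b64decode(payload))

    def rotate(self) -> None:
        """Replace the shared key with a per-deployment random one."""
        self.key = secrets.token_bytes(32)


def attacker_forge(known_key: bytes, state: dict) -> str:
    """The signature proves possession of the key, nothing more: whoever has
    the key can mint state the server will accept as its own."""
    return StateSigner(known_key).sign(state)


def scenario() -> tuple:
    """Returns (is_admin as the server sees it before rotation, verdict after)."""
    server = StateSigner(HARDCODED_KEY)
    forged = attacker_forge(HARDCODED_KEY, {"user": "attacker", "is_admin": True})
    before = server.verify_and_load(forged)    # accepted: the key is public knowledge
    server.rotate()
    try:
        server.verify_and_load(forged)
        after = "accepted"
    except ValueError:
        after = "rejected"                     # old forgeries die with the old key
    return before["is_admin"], after


if __name__ == "__main__":
    print(scenario())
```

In the case the episode describes, the accepted payload is fed to a deserializer, so "accepted" means the server executes attacker-chosen code rather than merely honouring a spoofed flag. Rotation invalidates every outstanding signed blob, so expect user sessions to reset, and the new key must be generated per deployment rather than copied back into a shared configuration template, or the fix only moves the problem.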
Threat actors have developed a sophisticated phishing technique known as Precision Validated Phishing, complicating detection efforts.
Technique Overview: The phishing kit validates the visitor's email address in real time, through a validation service API call or JavaScript in the page, and shows the credential-theft content only to pre-verified, high-value targets. Anyone else sees an error message or is redirected to a benign site.
Impact on Security Research: Email security firm Cofense notes that researchers typically submit fake or controlled email addresses to map a credential-theft campaign; the real-time check denies them that visibility, which lowers detection rates and prolongs the life of phishing operations.
Quote:
Sean Kelly explained, “This new technique is blocking visibility for researchers who typically enter fake or controlled email addresses to map the credential theft campaign” [15:50].
Attackers are exploiting server-side request forgery (SSRF) vulnerabilities in websites hosted on AWS Elastic Compute Cloud (EC2) instances to steal AWS credentials.
Attack Details: An SSRF bug lets the attacker make the web server request the EC2 instance metadata service on the attacker's behalf. On instances still running IMDSv1, any request that reaches the service is answered, so the attacker retrieves the instance role's credentials and uses them to escalate privileges and access S3 buckets and other AWS services. IMDSv2, which superseded it, requires a session token.
Attack Patterns: F5 Labs saw the activity spike between March 13th and 25th, and the behavioral patterns strongly suggest a single threat actor.
Quote:
Sean Kelly noted, “The attacks are targeting instances running on AWS's older metadata service, IMDS version 1 that allows anyone with access to retrieve the metadata” [19:20].
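To make the IMDSv1 versus IMDSv2 distinction concrete, here is an added example that is not code from the episode or from F5 Labs. It runs a simplified mock of the instance metadata service on localhost (the role name and credential values are constructed), points a GET-only SSRF-style fetch at the credential path, and shows that the same request leaks credentials under v1 and is refused under v2, while a client that performs the documented PUT-for-token handshake still succeeds.

```python
"""Why an SSRF that only controls a URL reaches IMDSv1 but not IMDSv2.

Added example, not code from the episode or from F5 Labs. It runs a mock of
the EC2 instance metadata service on localhost; the role name and credential
values are constructed. The token endpoint, header names and status codes
follow the documented IMDSv2 behaviour, but this is a simplified stand-in.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE = "web-role"                      # constructed instance-profile role name
CRED_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE}"
FAKE_CREDS = {                         # constructed; never real keys
    "AccessKeyId": "AKIAEXAMPLE",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
}


class FakeIMDS(BaseHTTPRequestHandler):
    mode = "v1"        # "v1": token optional; "v2": token required
    tokens = set()     # issued IMDSv2 session tokens

    def log_message(self, *args):      # silence request logging
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # IMDSv2 session token: a PUT with a TTL header. A typical SSRF
        # cannot choose the method or add headers, so it never gets here.
        if self.path == "/latest/api/token" and \
                "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            token = secrets.token_urlsafe(16)
            self.tokens.add(token)
            self._send(200, token)
        else:
            self._send(400, "bad request")

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        if self.mode == "v2" and token not in self.tokens:
            self._send(401, "unauthorized")    # token-less read refused
            return
        if self.path == CRED_PATH:
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404, "not found")


def start_imds(mode):
    FakeIMDS.mode = mode
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def ssrf_fetch(url):
    """Stand-in for the vulnerable web handler: it fetches whatever URL it is
    given as a plain GET, which is exactly the attacker's capability."""
    try:
        with urllib.request.urlopen(url, timeout=3) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def imdsv2_fetch(base, path):
    """Legitimate client: PUT for a session token, then GET with it."""
    req = urllib.request.Request(
        base + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(req, timeout=3) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + path,
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=3) as r:
        return r.status, r.read().decode()


def ssrf_against(mode):
    """HTTP status the SSRF gets when pointed at the credential path."""
    srv, base = start_imds(mode)
    try:
        return ssrf_fetch(base + CRED_PATH)[0]
    finally:
        srv.shutdown()
        srv.server_close()


def legit_v2_read():
    srv, base = start_imds("v2")
    try:
        return imdsv2_fetch(base, CRED_PATH)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("SSRF vs IMDSv1:", ssrf_against("v1"))   # 200: credentials leak
    print("SSRF vs IMDSv2:", ssrf_against("v2"))   # 401: token required
    print("Legit IMDSv2 client:", legit_v2_read()[0])
```

The defense holds only as long as the SSRF primitive is a GET without header control; a bug that lets the attacker pick the method and add headers would complete the token handshake too, so enforcing IMDSv2 is a mitigation, not a substitute for fixing the SSRF. On a real instance the switch is `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required`; the IMDSv2 PUT response hop limit (default 1) additionally stops a relayed request from a container or proxy from receiving the token.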
The ransomware landscape is evolving, with attacks increasing even as ransomware payouts decline.
Statistical Insights: BlackFog's State of Ransomware Q1 2025 report counts over 100 publicly disclosed ransomware attacks in March, up 81% from March 2024, and 278 for the quarter, both records. 95% of the disclosed attacks involved some form of data exfiltration.
Economic Factors: A Chainalysis report from February put 2024 ransomware payouts at $818 million, down 33% from the record $1.25 billion in 2023, and suggested that the rising volume of attacks may be a response to shrinking profits.
Quote:
Sean Kelly highlighted, “Data exfiltration played a major part in this surge, with 95% of all publicly disclosed attacks involving some form of data leak” [22:05].
Lovable, a generative AI-powered platform for creating web applications, has been identified as highly susceptible to a new scamming technique dubbed Vibe Scamming.
Vulnerability Details: Guardio Labs found Lovable to be the most susceptible to jailbreak attacks that produce lookalike credential-harvesting pages. The output went beyond pixel-perfect scam pages to live hosting, evasion techniques and admin dashboards for tracking stolen data.
Security Flaws: Guardio Labs criticized Lovable for lacking guardrails, stating, “Lovable didn't just participate, it performed. No guardrails, no hesitation” [25:40]. The absence of any refusal lets novice attackers build and deploy fraudulent pages quickly, lowering the barriers for cybercriminals.
Broader Implications: The rise of AI tools like Lovable may significantly lower the entry barriers for attackers, potentially increasing the frequency and sophistication of such scams.
Quote:
Sean Kelly reported, “Lovable not only produces convincing login pages mimicking real Microsoft sign in pages, but also auto deploys the page on a URL hosted on its own subdomain and redirects to Office.com after stealing credentials” [28:30].
In this episode of Cyber Security Headlines, Sean Kelly ran through several security incidents and emerging threats from April 2025: breaches at a federal financial regulator and a major cloud vendor, a botnet takedown, an exploited file sharing zero-day, phishing kits that vet their victims, credential theft through EC2 metadata, record ransomware volumes, and an AI app builder that produces scam pages on request.
For more detailed stories behind these headlines, visit CISOseries.com.