
CISO Series Host
From the CISO series. It's Cybersecurity Headlines.
Sean Kelly
These are the cybersecurity headlines for Thursday, April 24, 2025. I'm Sean Kelly.

Blue Shield of California shared private health data of millions with Google
Health insurer Blue Shield of California confirmed Wednesday that it shared patient private health information with Google since 2021. Blue Shield said it used Google Analytics to track how customers used its websites, but a misconfiguration caused personal information to be collected as well, including member account numbers, claim service dates and providers, patient names and patients' financial responsibility. The insurer said the data sharing stopped in January and it's now notifying 4.7 million affected individuals.

The FBI issues its 2024 IC3 report
Yesterday, the FBI issued the 25th installment of its annual Internet Crime Complaint Center report. The report revealed that IC3 recorded a new high for reported losses last year, reaching an astounding $16.6 billion. IC3 also received over 850,000 complaints, up 33% from 2023. Cyber-enabled fraud accounted for a staggering $13.7 billion of those losses and accounted for 40% of IC3's overall complaint volume. People over age 60 suffered the most significant financial losses, coming in at over 4.8 billion dol… 3% increase from 2023. To end on a positive note, the FBI said last year cyber fraud-related arrests increased 700% to 215 through 11 joint operations with other local law enforcement agencies.

Ex-Army sergeant jailed for selling military secrets
On Wednesday, 25-year-old former U.S. Army intelligence analyst Sergeant Corbin Schultz was sentenced for selling classified military information to a foreign national. Authorities said Schultz sent at least 92 sensitive documents to a foreign conspirator likely connected with the Chinese government over a period of less than two years. In exchange for $42,000, Schultz supplied the conspirator with details on U.S. military exercises in South Korea and the Philippines and also provided details relevant to Taiwan's defenses. Additionally, Schultz supplied his contact with helicopter and fighter aircraft manuals along with tactical combat playbooks. Schultz received a sentence of seven years in prison, after which he will be required to complete three years of supervised release.

Nintendo is pursuing perpetrator behind major Pokemon leak
Nintendo has requested a California court to force Discord to provide the identity of the person behind last year's massive Pokemon data breach. Nintendo alleges that in October of last year, a Discord user called Game Freakout leaked confidential materials not released to the public, including next-gen Pokemon titles, builds of older games and loads of concept art and lore documents. Nintendo provided a partially redacted screenshot of the Discord server called Freak Leak, in which Game Freakout posted a file and told users to enjoy. Nintendo is seeking the name, address, phone number and email address of the leaker. While subpoenas do not always equate to lawsuits, Nintendo has taken Pokemon game leakers to court in the past.

And now we'd like to thank today's episode sponsor, Dropzone AI.
Security analysts need practical experience to build investigation skills, but getting expert guidance for every alert is impossible. That's why Dropzone AI created Coach, a free Chrome extension that serves as an AI security mentor for SOC analysts at any level. Coach reads alerts across all major security platforms, explains their contexts, provides alternative hypotheses, and guides analysts through industry-standard investigation methodologies. Unlike our AI SOC analyst product, Coach doesn't do the work for you. It teaches you how to think through investigations yourself. It supplements human mentoring with always-available guidance that respects your data with zero retention. Develop your security team's skills with Dropzone AI Coach. That's Dropzone Coach.

Mandiant report details DPRK threat clusters
A report from Mandiant detailed the activities of multiple threat clusters based in the Democratic People's Republic of Korea, or DPRK. Mandiant said the threat clusters are targeting organizations and individuals in the web3 and cryptocurrency space using a variety of social engineering attacks. These tactics include posing as investors from reputable companies on Telegram, using job-related lures to trick developers into running malware-laced projects and conducting large-scale phishing campaigns. Mandiant highlighted that in 2023, North Korean threat actor UNC3782 conducted phishing operations against Tron users and successfully transferred more than $137 million worth of assets in a single day. Mandiant said the threat actors, quote, "use their privileged access to steal data and enable cyber attacks in addition to generating revenue for North Korea," end quote.

Japan warns of unauthorized stock trading via stolen credentials
Japan's Financial Services Agency, or FSA, is warning that attackers are using stolen customer login IDs and passwords harvested from fake financial securities phishing sites. Fraudulent transactions were initially reported in February by two security firms. Now six security firms have reported a total of 3,312 instances of unauthorized access resulting in nearly 1,500 fraudulent transactions to date. The FSA said, quote, "In most cases the fraudsters gain unauthorized access to victims' accounts, sell the stocks, etc., in the account and then use the proceeds to buy Chinese stocks," end quote. The FSA recommends e-traders look out for fake e-trading advertisements and take precautions including avoiding opening links in emails or texts, proactively bookmarking legitimate trading sites, using multi-factor authentication and enabling account transaction notifications.

Ransomware groups test new business models to increase profits
According to research published by SecureWorks on Wednesday, ransomware-as-a-service schemes are launching new business models to attract affiliates. For example, Dragonforce, which launched as a traditional ransomware-as-a-service scheme back in August of 2023, rebranded itself as a cartel last month and has shifted to a distributed model that allows affiliates to use its infrastructure to create their own brands and deploy their own malware. Meanwhile, Anubis offers three monetization schemes for its customers, from traditional encryption attacks to data extortion attacks, as well as simple access monetization. Anubis also includes various options and tactics for increasing pressure on victims to pay, including naming them on social media, SecureWorks said. These examples highlight how the ransomware ecosystem is evolving, they added. Quote, "Understanding how these groups are operating, tooling and monetizing is crucial in deploying the right defenses to secure people and business," end quote.

Ripple NPM supply chain attack hunts for private keys
Security firm Aikido discovered that a sophisticated attack was carried out Monday evening and involved installing backdoors on five versions of the Ripple Ledger official NPM package. The package, called xrpl, allows devs to build apps using the crypto ledger's features such as a wallet, key management, payment channels and escrow. Weekly downloads for the popular NPM package hit a high of more than 186,000 in April. The vulnerability has been assigned a critical CVE, though the CVE is lacking in details, only indicating the flaw exists and is connected to the XRPL supply chain attack. Users of affected versions should assume they are compromised and rotate their private keys as soon as possible.

And that does it for today's cybersecurity headlines. But why does AppSec feel like it's being left behind in cybersecurity? We have a lot of tooling, but the process for securing apps remains labor-intensive and often ineffective. Are we waiting for the right tools or just the incentives to improve the process? That's what we'll be discussing on this week's episode of Defense in Depth. Look for "Why are we still struggling to fix application security?" wherever you get your podcasts. And if you're heading to RSA next week, drop in for our live recording of the CISO Series Podcast at BSides San Francisco on Sunday, April 27th. And then on Monday, April 28th, we'll be hosting a Cyber Strikes and Security Insights Happy Hour at Lucky Strike Bowling Alley in San Francisco. Just head over to our events page at cisoseries.com for details. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly.
CISO Series Host
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headline.
Host: Sean Kelly
Podcast: CISO Series – Cyber Security Headlines
Release Date: April 24, 2025
Sean Kelly runs through the day's top information security stories: a large health-data exposure, the FBI's annual cybercrime statistics, an espionage sentencing, a game-industry leak subpoena, DPRK crypto-targeting activity, credential-driven stock fraud in Japan, shifting ransomware business models, and an npm supply chain compromise.
Timestamp: [00:06]
Blue Shield of California, a major health insurer, disclosed a significant data breach affecting 4.7 million individuals. The breach occurred due to a misconfiguration in Google Analytics, which inadvertently collected sensitive patient information such as account numbers, claim service dates, provider details, patient names, and financial responsibilities.
Quote:
"We used Google Analytics to track how customers used our websites, but a misconfiguration caused personal information to be collected as well." — Sean Kelly
Blue Shield announced that the data sharing was halted in January 2025 and is currently in the process of notifying the affected members.
Timestamp: [02:15]
The FBI released the 25th annual Internet Crime Complaint Center (IC3) report, revealing a record-breaking $16.6 billion in reported losses for 2024. The report highlighted over 850,000 complaints, marking a 33% increase from the previous year. Cyber-enabled fraud constituted $13.7 billion of these losses, accounting for 40% of the total complaint volume.
Key Insights:
People over age 60 suffered the largest financial losses, at more than $4.8 billion.
Cyber fraud-related arrests rose 700% to 215, through 11 joint operations with other local law enforcement agencies.
Quote:
"Cyber fraud-related arrests increased 700% to 215 through 11 joint operations with other local law enforcement agencies." — Sean Kelly
Timestamp: [04:30]
Sergeant Corbin Schultz, a 25-year-old former U.S. Army intelligence analyst, was sentenced to seven years in prison for selling classified military information to a foreign national, likely linked to the Chinese government. Over less than two years, Schultz provided 92 sensitive documents in exchange for $42,000, detailing U.S. military exercises in South Korea and the Philippines, Taiwan’s defenses, helicopter and fighter aircraft manuals, and tactical combat playbooks.
Quote:
"He supplied the conspirator with details on US military exercises and provided information crucial to Taiwan's defenses." — Sean Kelly
Post-incarceration, Schultz will undergo three years of supervised release.
Timestamp: [06:45]
Nintendo is actively pursuing the individual responsible for last year’s significant Pokemon data breach. The company has sought a California court’s intervention to compel Discord to reveal the identity of a user known as "Game Freakout." This user allegedly leaked unreleased Pokemon titles, game builds, concept art, and lore documents via the Discord server "Freak Leak."
Quote:
"Nintendo is seeking the name, address, phone number, and email address of the leaker to hold them accountable." — Sean Kelly
Historically, Nintendo has taken legal action against those involved in leaking game information.
Timestamp: [08:10]
Mandiant published a detailed report on threat clusters originating from the Democratic People's Republic of Korea (DPRK). These clusters are targeting the web3 and cryptocurrency sectors through sophisticated social engineering tactics, including posing as reputable investors on Telegram, enticing developers with job-related lures to deploy malware-laden projects, and executing large-scale phishing campaigns.
Key Highlight: In 2023, the North Korean threat actor UNC3782 successfully executed phishing operations against Tron users, transferring over $137 million in a single day.
Quote:
"These threat actors use privileged access to steal data and enable cyber attacks, generating revenue for North Korea." — Sean Kelly
Timestamp: [09:50]
Japan’s Financial Services Agency (FSA) has issued a warning regarding the surge in unauthorized stock trading facilitated by stolen credentials. Attackers are exploiting fake financial securities phishing sites to harvest login IDs and passwords, leading to fraudulent transactions. To date, 3,312 instances of unauthorized access have been reported, resulting in nearly 1,500 fraudulent transactions.
Recommendations from FSA:
Watch for fake e-trading advertisements.
Avoid opening links in emails or text messages.
Proactively bookmark legitimate trading sites rather than following links.
Use multi-factor authentication.
Enable account transaction notifications.
Quote:
"In most cases, the fraudsters gain unauthorized access to victims' accounts, sell the stocks, and use the proceeds to buy Chinese stocks." — Sean Kelly
Timestamp: [11:20]
Research by SecureWorks reveals that ransomware-as-a-service (RaaS) schemes are evolving their business models to enhance profitability and attract affiliates. Notable developments include:
Dragonforce: Originally a traditional RaaS launched in August 2023, it recently rebranded as a cartel, adopting a distributed model that empowers affiliates to create their own brands and deploy unique malware.
Anubis: Offers diversified monetization strategies, including encryption attacks, data extortion, and access monetization. Anubis also employs tactics like naming victims on social media to pressure them into paying.
Quote:
"Understanding how these groups are operating, tooling, and monetizing is crucial in deploying the right defenses to secure people and businesses." — Sean Kelly
These shifts underscore the dynamic nature of the ransomware ecosystem and the necessity for adaptive defense mechanisms.
Timestamp: [13:05]
Security firm Aikido uncovered a sophisticated supply chain attack targeting the Ripple Ledger’s official NPM package, "xrpl." The attack involved embedding backdoors into five versions of the package, which boasts weekly downloads exceeding 186,000. The vulnerability has been assigned a critical CVE, signaling a severe security flaw.
Recommendation:
Users of the affected versions should assume their systems are compromised and take immediate action to rotate their private keys.
Quote:
"The vulnerability has been assigned a critical CVE, indicating a direct threat to the integrity of the XRPL package." — Sean Kelly
Sean Kelly effectively navigates the complex terrain of cybersecurity, shedding light on critical incidents and emerging threats. From significant data breaches and state-sponsored espionage to evolving ransomware tactics and supply chain vulnerabilities, the episode underscores the multifaceted challenges faced by cybersecurity professionals today.
For more detailed stories, listeners are encouraged to visit CISOseries.com.
This summary encapsulates the key discussions and insights from the April 24, 2025 episode of "Cyber Security Headlines." For the complete podcast and additional details, refer to the official CISO Series platform.