Cyberthreat sharing law renewal, APTs love ClickFix, GoDaddy mutes Zoom

Cyber Security Headlines - Episode Release: April 18, 2025

Hosted by: CISO Series
Episode Topics: Cyberthreat Sharing Law Renewal, APTs Love ClickFix, GoDaddy Mutes Zoom
Source: CISOseries.com

1. Bipartisan Push for Renewal of Cyber Threat Information Sharing Law

Overview:
In a significant move to bolster national cybersecurity, Senators Gary Peters (Michigan) and Mike Rounds (South Dakota) have introduced a bill aiming to renew the Cybersecurity Information Sharing Act of 2015 for another decade.

Key Points:

• Expiration of Original Law: The 2015 legislation is set to expire in September 2025.
• Purpose of the Law: Encourages businesses to share information about ongoing cybersecurity threats with the federal government.
• Support and Impact:
  • Hailed by federal agencies and cybersecurity experts as pivotal for protecting personal information.
  • Facilitates collaboration between the government and private sector to prevent data breaches and cyberattacks from both cybercriminals and foreign adversaries.

Notable Quote:
At [00:07], Steve Prentiss states, “The original law, named the Cybersecurity Information Sharing Act of 2015, expires in September of this year. It was hailed by federal agencies and cybersecurity experts as key to protecting personal information and ensuring that both the federal government and companies can take collaborative steps to prevent data breaches or attacks from cybercriminals and foreign adversaries.”

2. ClickFix: A Preferred Tool for State-Sponsored Hackers

Overview:
The ClickFix technique has emerged as a favored method among state-sponsored hacking groups, enhancing their ability to infiltrate systems by deceiving users into compromising their own machines.

Key Points:

• Methodology:
  • Users are tricked into performing tasks such as correcting a supposed Windows glitch, completing fake CAPTCHA verifications, or registering their devices.
• Adoption by APT Groups:
  • Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have deployed ClickFix from late 2024 through early 2025.
• Escalation of Use:
  • Transition from a tool used by regular cybercriminals to a weapon preferred by sophisticated APTs (Advanced Persistent Threats).

Notable Quote:
At [00:38], Steve Prentiss explains, “ClickFix has become prevalent in recent months, and Proofpoint is now stating that multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been deploying it over the three-month period from late 2024 through the beginning of 2025. This represents an escalation of sorts from simply being a tool for regular cybercrime groups.”

3. GoDaddy’s DNS Error Causes Zoom Outage

Overview:
A significant outage affected Zoom, causing the platform to be muted for approximately 90 minutes due to a DNS (Domain Name System) issue managed by GoDaddy.

Key Points:

• Incident Details:
  • Occurred on a Wednesday, severely impacting Zoom meeting functionalities.
• Technical Cause:
  • Cisco's ThousandEyes Observability Group identified a DNS problem where top-level domain name servers lacked records for Zoom US.
• Resolution:
  • The outage was caused by a server block from GoDaddy Registry, resulting from a miscommunication between Zoom's domain registrar, MARC Monitor, and GoDaddy Registry.
  • Users experienced disruption until service was restored and were required to flush their DNS caches via command line.

Notable Quote:
At [04:12], Steve Prentiss notes, “Users who had been online at the time of the outage had to use command line skills to flush their DNS caches. An official report states that the domain zoom.us was not available due to a server block by GoDaddy Registry. This block was the result of a communication error between Zoom's domain registrar MARC Monitor and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down the Zoom US domain.”

4. Critical Erlang OTP SSH Vulnerability Exposes Devices

Overview:
A severe vulnerability has been identified in the Erlang OTP SSH library, posing significant risks for devices relying on it for secure communications.

Key Points:

• Vulnerability Details:
  • Rated with a CVSS score of 10, indicating critical severity.
  • Allows attackers to send connection protocol messages before authentication, potentially granting unauthorized access.
• Affected Systems:
  • All SSH servers utilizing the Erlang OTP SSH library are at risk.
  • Particularly dangerous for systems used in remote access scenarios.
• Research and Alerts:
  • Discovered by researchers at Breuer University Bochum, Germany.
  • Tracked with a specific CVE number for reference and remediation.

Notable Quote:
At [05:25], Steve Prentiss states, “According to a team of researchers from Breuer University Bochum in Germany, the entire SSH implementation is affected by a critical vulnerability for which they calculated a CVSS score of 10. The flaw is related to the SSH protocol message handling, which allows an attacker to send connection protocol messages prior to authentication.”

5. SonicWall Alerts on Actively Exploited Vulnerability

Overview:
SonicWall has issued a warning regarding an SMA 100 Series vulnerability that, despite being patched in 2021, is now being actively exploited by threat actors.

Key Points:

• Vulnerability Characteristics:
  • Authenticated arbitrary command execution flaw.
  • Initially assigned a medium severity rating (CVSS score of 5.5) and overlooked due to the requirement of authentication.
• Current Threat:
  • The vulnerability is now being exploited in the wild, prompting SonicWall to elevate its severity to a CVSS score of 7.2 (high severity).
• Implications:
  • Highlights the risks of medium-severity vulnerabilities being weaponized over time.

Notable Quote:
At [06:15], Steve Prentiss remarks, “The vulnerability went largely unnoticed, likely because it was assigned a medium severity rating, a CVSS score of 5.5, and also due to its exploitation requiring authentication. It now turns out that the flaw has been exploited in the wild, forcing SonicWall to assign a new CVSS score of 7.2, making it high severity.”

6. Mustang Panda Enhances Attack Capabilities

Overview:
The Chinese espionage-focused APT group, Mustang Panda, has upgraded its toolkit, deploying new backdoors and tools to enhance its attack strategies.

Key Points:

• Advanced Techniques:
  • Utilizes DLL sideloading to execute malicious payloads, thus evading detection.
  • Deploys tools as libraries within archives containing vulnerable executables to load them.
• Target Scope:
  • Focuses on government and military entities, NGOs, and minority groups across East Asia and Europe.
• Impact:
  • Increased sophistication in attacks poses greater threats to targeted organizations.

Notable Quote:
At [07:05], Steve Prentiss comments, “The APT Mustang Panda is relying on DLL sideloading to execute its malicious payloads and evade detection, deploying all tools as libraries within archives that also contain a vulnerable executable to load them. The group is known for targeting government and military entities as well as NGOs and minority groups, mainly in East Asia but also in Europe.”

7. Fortinet Devices Compromised by Simlink Backdoor

Overview:
Over 16,000 Fortinet devices exposed to the internet have been compromised by a new Simlink backdoor, allowing unauthorized read-only access to sensitive files.

Key Points:

• Nature of the Backdoor:
  • Facilitates persistent read-only remote access to files in the root file system of compromised devices.
• Discovery and Response:
  • Fortinet identified the persistence mechanism and released an updated AV IPS signature and firmware updates to detect and remove the Simlink backdoor.
• Preventative Measures:
  • Users are urged to update their firmware and apply the latest security signatures to mitigate risks.

Notable Quote:
At [07:45], Steve Prentiss states, “More than 16,000 Internet-exposed Fortinet devices have been detected as compromised with a new Simlink backdoor that allows read-only access to sensitive files on previously compromised devices. Fortinet has released an updated AV IPS signature to detect and remove the Simlink, and the latest version of its firmware has also been updated to detect and remove the backdoor.”

8. Microsoft Office 2016 and 2019 Reach End of Support

Overview:
Microsoft is announcing the end of extended support for Office 2016 and 2019, urging users to upgrade to newer versions to maintain security and compliance.

Key Points:

• Support Timeline:
  • Extended support ends on October 14, 2025.
  • No further updates, security fixes, or technical support will be available post this date.
• Risks of Continued Use:
  • Potential security compliance risks, system incompatibilities, and other operational issues.
• Recommendation:
  • Users are encouraged to transition to supported versions to ensure ongoing protection and functionality.

Notable Quote:
At [08:10], Steve Prentiss warns, “Using unsupported software could lead to potential security compliance risks, system incompatibilities, and other issues. Microsoft is reminding customers that these two products will reach the end of extended support six months from now, on October 14th.”

Conclusion

This episode of Cyber Security Headlines by CISO Series delves into critical updates and emerging threats within the cybersecurity landscape. From legislative renewals and sophisticated hacking techniques to vulnerabilities in widely-used software and services, the episode underscores the dynamic and ever-evolving nature of cyber threats. Professionals are advised to stay informed and proactive in implementing security measures to safeguard their organizations.

For detailed stories and in-depth analysis, visit CISOseries.com.

Note:
Advertisements, introductory segments, and promotional content have been omitted to focus solely on the substantive cybersecurity discussions.