
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, February 17, 2025. I'm Steve Prentice.

Hackers steal emails in device code phishing attacks
A threat actor thought to be allied with Russia is using a technique called device code phishing to target organizations in government, NGOs, IT, defence, telecommunications, health and energy sectors in Europe, North America, Africa and the Middle East. Microsoft is tracking the group under the name Storm-2372. Device code phishing involves getting access to devices that require a login code but which do not have a keyboard or browser, such as smart TVs and some IoT devices. Threat actors access these codes through social engineering.

Anti-TOAD feature seeks to prevent in-call sideloading attacks
A new security feature for Android phones seeks to help device owners not change sensitive settings on their phones while unknowingly communicating with a scammer. This happens when a user is convinced to turn on settings within their phone to install apps and allow accessibility access for unknown parties. This feature is currently live in Android 16 beta 2, released earlier this week, and this is to counter a scamming process called Telephone-Oriented Attack Delivery, in which cybercriminals distribute dropper apps using SMS messages and phone calls to trick victims into installing malware such as Vultur.

Chinese hackers breach more US telecoms via unpatched Cisco routers
According to Recorded Future's Insikt Group, hackers from China's Salt Typhoon group continue to target telecoms worldwide and have breached more US telecommunications providers via unpatched Cisco IOS XE network devices. In this campaign they are exploiting a privilege escalation vulnerability and a web UI command injection vulnerability. This has already resulted in network breaches at multiple telecommunications providers in the US, South Africa, Italy and Thailand. The vulnerabilities have CVE numbers viewable in the show notes to this episode, and this is not the same exploit as was reported a month ago, which involved end-of-life Cisco routers and a different Chinese threat group, Volt Typhoon.

Thanks to today's episode sponsor, Scrut Automation
Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Their best-in-class features like process automation, AI and over 75 native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit scrut.io to schedule a demo or learn more. That is scrut.io.

PPL Electric Utilities in Pennsylvania blames MOVEit breach at vendor for exposed customer data
The Allentown-based utility company says basic customer data stolen from one of its vendors in 2023 was recently exposed online, but the incident did not affect its core systems. This was due to the MOVEit breach, and the data which was stolen was basic PII with no banking, credit card, Social Security or account password information, and it was published online in December of 2024. The company, which serves customers in Pennsylvania, Kentucky and Rhode Island, also emphasizes that the breach was completely unrelated to PPL's systems and critical infrastructure.

CISA adds vulnerabilities from Apple iOS and iPadOS, Mitel SIP Phone and SimpleHelp to its KEV catalog
These additions to CISA's Known Exploited Vulnerabilities catalog this past week focus on the Apple iOS and iPadOS incorrect authorization USB vulnerability that we reported on last week. It also focuses on a Mitel SIP conference phones argument injection vulnerability and a vulnerability affecting the remote support application SimpleHelp that we also reported on on February 7. These vulnerabilities must be addressed by federal agencies by the end of the first week of March. The CVE numbers for each are available in the show notes to this episode.

Lazarus Group deploys Marstech1 JavaScript implant in targeted developer attacks
The North Korea-linked threat actor is now believed to be connected to a previously undocumented JavaScript implant named Marstech1, the number one, used in targeted attacks against developers. The active operation involved malware delivered via an open source repository hosted on GitHub, with a profile named SuccessFriend. This profile, which was active since July 2024, is no longer accessible on GitHub. The implant itself was designed to collect system information and could be embedded within websites and npm packages, posing a supply chain risk. The malware seems to have emerged in late December 2024 and has to date amassed 233 confirmed victims across the US, Europe and Asia.

The IRS to buy Nvidia supercomputers for improved IRSing
According to nonprofit news outlet The Intercept, quoted in Slashdot, the IRS is ready to purchase an Nvidia SuperPod AI supercomputer to enhance its machine learning capabilities for tasks such as fraud detection and taxpayer behavior analysis. This is part of the Elon Musk-led DOGE program, "addressing a broader push to replace federal bureaucracy with machine learning software," according to a previously unreported February 5 acquisition document. The setup will combine 31 separate Nvidia servers, each containing eight of the company's flagship Blackwell processors, designed to train and operate artificial intelligence models that power tools like ChatGPT. The hardware has not yet been purchased and installed, nor is a price listed, but SuperPod systems reportedly start at $7 million. The setup described in the contract materials notes that it will include a substantial memory upgrade from Nvidia.

It's an ongoing conundrum for cybersecurity professionals. Should your security program be stitched together from hand-picked best-of-breed components, or should you rely on the foresight of a larger organization's one-stop-shop platform? Platform companies may have done all the legwork for you, but do they have everything you need? We asked our community of experts for some insight on the platformization versus best-of-breed debate, and their wisdom is now available for you to read in our latest crowdsourced report, entitled 31 Myths and Realities around Platformization versus Best of Breed. You can find it and comment on it on the homepage of CISOseries.com. Just look for the unicorn, the one driving the sports car. I'm Steve Prentice, reporting for the CISO Series.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Device Code Attacks, Anti-TOAD Solutions, Telecom Breaches, and More
Hosted by CISO Series
Episode Overview: In the February 17, 2025 episode of Cyber Security Headlines by CISO Series, host Steve Prentice covers a range of pressing cybersecurity issues affecting sectors worldwide. From a new phishing technique and a new Android protection to breaches in the telecommunications and utility sectors, this episode gives an overview of the current threat landscape and the responses being put in place to counter it.
Timestamp: 00:06
Steve Prentice opens the episode with a wave of phishing attacks by a threat actor Microsoft tracks as Storm-2372, believed to have ties to Russia. The attacks target organizations across government, NGOs, IT, defense, telecommunications, health, and energy sectors in Europe, North America, Africa, and the Middle East.
“Threat actors access these codes through social engineering,” Prentice explains. The technique abuses the device code login flow, which exists for devices that require a login but lack a keyboard or browser, such as smart TVs and IoT devices.
In device code phishing it is the attacker, not the victim, who starts the sign-in: the attacker requests a device code from the identity provider and then persuades the victim, for example with a fake meeting invitation, to enter that code on the legitimate sign-in page. Because the victim authenticates on the real site, the tokens for the victim's account are issued to the attacker's client, which is how mailboxes end up being read. The practical controls are to block or tightly scope the device code flow in Conditional Access and to alert on sign-ins that use the device code protocol, particularly from locations the user has never signed in from.
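The exchange described above, stepped through in code. This is an editor's illustration added to this summary, not code from the podcast or from Microsoft's report: it models a toy OAuth 2.0 device authorization grant (RFC 8628) identity provider in memory, plays the attacker and the victim against it, and then shows the two controls mentioned, a tenant-level switch that disallows the flow and a log check for device-code sign-ins whose polling client is not where the user approved from. The client ID, user, endpoint and IP addresses are assumptions for the example.

```python
"""Added example: why device code phishing hands the attacker a token, and two controls.

Editor's illustration, not code from the podcast or from Microsoft. It models an OAuth 2.0
device authorization grant (RFC 8628) identity provider in memory so the exchange can be
stepped through offline; all names, client IDs and IP addresses below are assumed.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingGrant:
    device_code: str
    user_code: str
    client_id: str
    requester_ip: str            # where the client that asked for the code polls from
    expires_at: float
    user: str | None = None      # set once a signed-in human approves the user_code
    approver_ip: str | None = None


class ToyIdentityProvider:
    """Minimal IdP with the three legs of RFC 8628 plus a tenant policy switch."""

    def __init__(self, allow_device_code_flow: bool = True):
        # Stands in for a Conditional Access rule that blocks the device code flow.
        self.allow_device_code_flow = allow_device_code_flow
        self.pending: dict[str, PendingGrant] = {}
        self.by_user_code: dict[str, PendingGrant] = {}
        self.sign_in_log: list[dict] = []

    # Leg 1: a client asks for a device_code/user_code pair. In the attack, the attacker does this.
    def device_authorization(self, client_id: str, requester_ip: str) -> dict:
        grant = PendingGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8)),
            client_id=client_id, requester_ip=requester_ip,
            expires_at=time.time() + 900,   # codes are short-lived, so the lure must be timely
        )
        self.pending[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://login.example/device"}

    # Leg 2: a signed-in human types the user_code on the genuine verification page.
    def approve_user_code(self, user_code: str, user: str, approver_ip: str) -> bool:
        grant = self.by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return False
        grant.user, grant.approver_ip = user, approver_ip
        return True

    # Leg 3: the client polls /token. The token goes to whoever holds device_code, not to the approver.
    def token(self, device_code: str, client_id: str) -> dict:
        grant = self.pending.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if grant.user is None:
            return {"error": "authorization_pending"}
        entry = {"user": grant.user, "authenticationProtocol": "deviceCode",
                 "clientIp": grant.requester_ip, "approverIp": grant.approver_ip}
        if not self.allow_device_code_flow:
            self.sign_in_log.append({**entry, "result": "blocked_by_policy"})
            return {"error": "access_denied"}
        self.sign_in_log.append({**entry, "result": "success"})
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def suspicious_device_code_sign_ins(log: list[dict]) -> list[dict]:
    """Detection: device-code sign-ins where the polling client is not where the user approved from."""
    return [e for e in log
            if e["authenticationProtocol"] == "deviceCode" and e["clientIp"] != e["approverIp"]]


def simulate_phish(allow_device_code_flow: bool) -> dict:
    """Walk the attack end to end; identities and IPs are constructed for the example."""
    idp = ToyIdentityProvider(allow_device_code_flow)
    attacker_ip, victim_ip = "203.0.113.7", "198.51.100.42"
    # Attacker starts the flow and gets a user_code to embed in the lure (e.g. a fake meeting invite).
    codes = idp.device_authorization(client_id="mail-client", requester_ip=attacker_ip)
    if idp.token(codes["device_code"], "mail-client") != {"error": "authorization_pending"}:
        raise RuntimeError("token must not be issued before the user approves the code")
    # Victim follows the lure and enters the code on the legitimate site with their real credentials.
    idp.approve_user_code(codes["user_code"], user="alice@example.org", approver_ip=victim_ip)
    # The attacker's next poll now returns Alice's token, unless the tenant disallows the flow.
    result = idp.token(codes["device_code"], "mail-client")
    return {"attacker_got_token": "access_token" in result,
            "alerts": suspicious_device_code_sign_ins(idp.sign_in_log)}


if __name__ == "__main__":
    print(simulate_phish(allow_device_code_flow=True))    # attacker_got_token: True, one alert
    print(simulate_phish(allow_device_code_flow=False))   # attacker_got_token: False, one alert
```

Nothing in the flow is broken: the victim typed a genuine code into the genuine site, so no credential or MFA prompt looks wrong to them. That is why the control has to be on the identity provider side (disallow or scope the grant, and hunt for device-code sign-ins from unexpected client locations) rather than in user training alone.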
Timestamp: 02:15
Turning to mobile security, Prentice introduces a new feature in Android 16 beta 2 designed to thwart Telephone-Oriented Attack Delivery (TOAD) scams. In these scams a caller talks the victim into changing sensitive phone settings, namely allowing app installs from unknown sources and granting accessibility access to unknown parties, so that a dropper can install malware.
“A new security feature for Android phones seeks to help device owners not change sensitive settings on their phones while unknowingly communicating with a scammer,” Prentice notes, adding that the feature is live in Android 16 beta 2, released earlier that week.
The anti-TOAD feature blocks those settings changes while a call is in progress, cutting off the path by which banking malware such as Vultur is pushed onto phones through deceptive SMS messages and phone calls.
Timestamp: 03:45
A significant concern discussed is the continued targeting of telecommunications providers by Salt Typhoon, a Chinese state-linked group. According to Recorded Future's Insikt Group, the campaign breaks into unpatched Cisco IOS XE network devices by chaining a privilege escalation vulnerability with a web UI command injection vulnerability; the CVE numbers are in the episode show notes.
“This has already resulted in network breaches at multiple telecommunications providers in the US, South Africa, Italy, and Thailand,” Prentice reports, emphasizing the global reach and persistent nature of these intrusions.
This is a different campaign from the one reported a month earlier, which involved end-of-life Cisco routers and another Chinese group, Volt Typhoon.
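The exploited path in this campaign runs through the IOS XE web UI, so the first question for an operator is whether that web UI is reachable from untrusted networks at all. The script below is an editor's example added to this summary, not code from the podcast, Recorded Future or Cisco: it audits a running-config for the `ip http server` / `ip http secure-server` commands and for an `ip http access-class` restriction, and compares an exposed configuration with a hardened one. The hostname, addresses and ACL name are constructed for the example; patching to a fixed release remains the actual fix, the ACL only shrinks the attack surface while that happens.

```python
"""Added example: audit an IOS XE running-config for web UI exposure.

Editor's illustration, not code from the podcast, Recorded Future or Cisco. Both sample
configurations are constructed for the example; hostnames, addresses and the ACL name are assumed.
"""
import re

# Constructed sample: web UI enabled over HTTP and HTTPS with no source restriction at all.
EXPOSED_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http authentication local
interface GigabitEthernet0/0/0
 description UPLINK-ISP
 ip address 192.0.2.10 255.255.255.0
"""

# Constructed sample: plaintext HTTP off, HTTPS only reachable from the management network.
HARDENED_CONFIG = """\
hostname edge-rtr-1
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.255.255
 deny   any
"""

# Matches both the newer "ip http access-class ipv4 NAME" and the older "ip http access-class 10" form.
ACCESS_CLASS_RE = re.compile(r"ip http access-class (?:ipv4 )?(\S+)")


def audit_web_ui(config: str) -> dict:
    """Return which HTTP services are enabled, any access-class, and the resulting findings."""
    lines = [line.strip() for line in config.splitlines()]
    # Exact matches, so "no ip http server" is correctly read as the service being off.
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    access_class = None
    for line in lines:
        m = ACCESS_CLASS_RE.fullmatch(line)
        if m:
            access_class = m.group(1)
            break
    findings = []
    if http:
        findings.append("plaintext HTTP server enabled")
    if (http or https) and access_class is None:
        findings.append("web UI reachable from any source (no ip http access-class)")
    return {
        "http": http,
        "https": https,
        "access_class": access_class,
        "web_ui_exposed": (http or https) and access_class is None,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_ui(cfg))
```

Run it against the output of `show running-config` collected from each device; any device reporting `web_ui_exposed` is both unpatched-risk and directly reachable, and belongs at the top of the patch queue.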
Timestamp: 04:30
Prentice addresses a disclosure from PPL Electric Utilities in Pennsylvania, where customer data taken from one of its vendors in the 2023 MOVEit breach was published online in December 2024. The stolen data was basic personally identifiable information, with no banking, credit card, Social Security or account password details.
“The company emphasizes that the breach was completely unrelated to PPL's systems and critical infrastructure,” Prentice clarifies; the utility, which serves customers in Pennsylvania, Kentucky and Rhode Island, says its core systems were not affected.
The incident is a reminder that a vendor compromise can surface as a customer-facing disclosure more than a year later, and that third-party data handling belongs in a utility's risk register alongside its own systems.
Timestamp: 05:15
The Cybersecurity and Infrastructure Security Agency (CISA) has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: an incorrect authorization issue in Apple iOS and iPadOS involving USB access, an argument injection vulnerability in Mitel SIP conference phones, and a vulnerability in the remote support application SimpleHelp. The CVE numbers are in the episode show notes.
“These vulnerabilities must be addressed by federal agencies by the end of the first week of March,” Prentice states, urging immediate action to secure systems against potential exploits.
The Apple and SimpleHelp issues had already been covered on the show, the latter on February 7, so the KEV listing confirms in-the-wild exploitation rather than announcing anything new.
Timestamp: 06:00
Prentice then reports that the Lazarus Group, linked to North Korea, has been tied to a previously undocumented JavaScript implant named Marstech1. The malware was delivered to developers from an open source repository hosted under a GitHub profile named SuccessFriend, active since July 2024 and since taken down.
“The implant itself was designed to collect system information and could be embedded within websites and NPM packages, posing a supply chain risk,” explains Prentice.
Since emerging in late December 2024, Marstech1 has reached 233 confirmed victims across the US, Europe, and Asia, a reminder that code pulled from a stranger's repository or an unfamiliar npm package is an execution vector into the developer's machine and anything it can reach.
Timestamp: 06:45
Shifting to government spending, Prentice discusses the Internal Revenue Service's plan to purchase an Nvidia SuperPod AI supercomputer, intended to expand the IRS's machine learning capabilities for tasks such as fraud detection and taxpayer behavior analysis. The report comes from The Intercept, citing a previously unreported February 5 acquisition document.
“The setup will combine 31 separate Nvidia servers, each containing eight of the company's flagship Blackwell processors designed to train and operate artificial intelligence models that power tools like ChatGPT,” Prentice details.
The purchase is described as part of the Elon Musk-led DOGE program's broader push to replace federal bureaucracy with machine learning software. The hardware has not yet been bought or installed and no price is listed, though SuperPod systems reportedly start at $7 million.
Timestamp: 07:15
Concluding the episode, Prentice touches on the ongoing debate within cybersecurity over platformization versus best-of-breed security programs. Platformization means relying on one vendor's comprehensive, all-in-one platform, while best of breed means selecting specialized, top-tier products for each security need and integrating them yourself.
“Should your security program be stitched together from hand-picked Best of Breed components, or should you rely on the foresight of a larger organization's one-stop-shop platform?” he poses.
To provide deeper insights, CISO Series has released a crowdsourced report titled "31 Myths and Realities around Platformization versus Best of Breed", available on their website. This report consolidates expert opinions to aid organizations in making informed decisions about their security infrastructure strategies.
Conclusion: The February 17, 2025 episode of Cyber Security Headlines by CISO Series offers a thorough examination of current cybersecurity challenges and advancements. From novel phishing methods and proactive security features to significant breaches and strategic governmental investments in AI, the episode underscores the dynamic and multifaceted nature of the cybersecurity landscape. For detailed stories and ongoing updates, listeners are encouraged to visit CISOseries.com.