Device code attacks, phone TOAD solution, more telecoms breached - Cybersecurity Headlines

Summary

Cyber Security Headlines: Device Code Attacks, Anti-TOAD Solutions, Telecom Breaches, and More

Hosted by CISO Series

Episode Overview: In the February 17, 2025 episode of Cyber Security Headlines by CISO Series, host Steve Prentiss delves into a range of pressing cybersecurity issues affecting various sectors globally. From sophisticated phishing tactics and innovative security features to significant breaches in telecommunications and utility sectors, this episode provides a comprehensive overview of the current threat landscape and the responses being implemented to counter these challenges.

1. Device Code Phishing Attacks by Storm237

Timestamp: 00:06

Steve Prentiss opens the episode by discussing a new wave of phishing attacks orchestrated by a threat actor group known as Storm237, believed to have ties with Russia. These attacks target organizations across government, NGOs, IT, defense, telecommunications, health, and energy sectors in Europe, North America, Africa, and the Middle East.

“Threat actors access these codes through social engineering,” Prentiss explains, highlighting the sophisticated methods used to compromise devices that require login codes but lack traditional input methods like keyboards or browsers, such as smart TVs and IoT devices.

This technique, termed device code phishing, involves tricking users into divulging their device-specific login codes, thereby granting unauthorized access to sensitive systems and data.

2. Android’s Anti-TOAD Feature to Counter Call Sideloading Attacks

Timestamp: 02:15

Addressing mobile security, Prentiss introduces a newly released security feature in Android 16 beta 2, designed to thwart Telephone Oriented Attack Delivery (TOAD) scams. These scams manipulate users into altering sensitive phone settings to install malicious applications and grant accessibility permissions to unknown entities.

“This feature is currently live in Android 16 beta 2, released earlier this week, and aims to prevent users from unknowingly communicating with scammers,” Prentiss notes.

The Anti-TOAD feature enhances user protection by restricting unauthorized changes to device settings, thereby mitigating the risk of malware installations like Vultr, which are commonly distributed through deceptive SMS messages and phone calls.

3. SALT Typhoon Group Exploits Unpatched Cisco Routers in Telecom Breaches

Timestamp: 03:45

A significant security concern discussed is the continued targeting of telecommunications providers by SALT Typhoon, a Chinese hacker group. Utilizing previously unpatched vulnerabilities in Cisco iOS XE network devices, the group exploits both privilege escalation and web UI command injection vulnerabilities.

“This has already resulted in network breaches at multiple telecommunications providers in the US, South Africa, Italy, and Thailand,” Prentiss reports, emphasizing the global reach and persistent nature of these cyber intrusions.

These breaches differ from earlier exploits involving end-of-life Cisco routers and another group, Vault Typhoon, underscoring the evolving tactics of cyber adversaries in the telecom sector.

4. PPL Electric Utilities’ Data Exposure via MoveIt Vendor Breach

Timestamp: 04:30

Prentiss addresses a breach incident involving PPL Electric Utilities in Pennsylvania, where customer data was exposed due to a compromise at one of their vendors. The breach, stemming from the MoveIt platform, involved the theft of basic Personally Identifiable Information (PII), including names and contact details.

“The company emphasizes that the breach was completely unrelated to PPL's systems and critical infrastructure,” Prentiss clarifies, reassuring that no core systems were impacted and that sensitive information such as banking or Social Security numbers remained secure.

The incident highlights the importance of vendor security and the potential ripple effects of third-party breaches on utility providers and their customers.

5. CISA Adds New Vulnerabilities to Its KEV Catalog

Timestamp: 05:15

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include critical vulnerabilities in Apple iOS and iPadOS, Mitel SIP Conference Phones, and the remote support application SimpleHelp. These additions require federal agencies to mitigate the identified vulnerabilities by the first week of March.

“These vulnerabilities must be addressed by federal agencies by the end of the first week of March,” Prentiss states, urging immediate action to secure systems against potential exploits.

The inclusion of these vulnerabilities underscores the ongoing efforts to bolster federal cybersecurity defenses against emerging threats.

6. Lazarus Group’s Deployment of Marstech1 JavaScript Implant

Timestamp: 06:00

In a concerning development, Prentiss reveals that the Lazarus Group, linked to North Korea, has deployed a new JavaScript implant named Marstech1. This implant targets developers by injecting malware through compromised open-source repositories on platforms like GitHub.

“The implant itself was designed to collect system information and could be embedded within websites and NPM packages, posing a supply chain risk,” explains Prentiss.

Since its emergence in December 2024, Marstech1 has affected 233 confirmed victims across the US, Europe, and Asia, highlighting the sophistication and reach of state-sponsored cyber threats targeting the developer community.

7. IRS Plans to Acquire Nvidia SuperPod AI Supercomputers

Timestamp: 06:45

Shifting focus to governmental advancements, Prentiss discusses the Internal Revenue Service (IRS)'s plans to purchase Nvidia SuperPod AI supercomputers. These supercomputers are intended to enhance the IRS's machine learning capabilities for tasks such as fraud detection and taxpayer behavior analysis.

“This setup will combine 31 separate Nvidia servers, each containing eight of the company's flagship Blackwell processors designed to train and operate artificial intelligence models that power tools like ChatGPT,” Prentiss details.

Part of the broader DOGE program, led by Elon Musk, this initiative represents a significant investment in replacing traditional federal bureaucracy with advanced machine learning solutions, aiming to streamline operations and improve efficiency in tax-related processes.

8. Platformization vs. Best of Breed in Security Programs

Timestamp: 07:15

Concluding the episode, Prentiss touches on the ongoing debate within cybersecurity regarding the adoption of platformization versus Best of Breed solutions for security programs. Platformization involves utilizing comprehensive, all-in-one security platforms, while Best of Breed emphasizes selecting specialized, top-tier solutions for specific security needs.

“Should your security program be stitched together from hand-picked Best of Breed components, or should you rely on the foresight of a larger organization's one-stop-shop platform?” he poses.

To provide deeper insights, CISO Series has released a crowdsourced report titled "31 Myths and Realities around Platformization versus Best of Breed", available on their website. This report consolidates expert opinions to aid organizations in making informed decisions about their security infrastructure strategies.

Conclusion: The February 17, 2025 episode of Cyber Security Headlines by CISO Series offers a thorough examination of current cybersecurity challenges and advancements. From novel phishing methods and proactive security features to significant breaches and strategic governmental investments in AI, the episode underscores the dynamic and multifaceted nature of the cybersecurity landscape. For detailed stories and ongoing updates, listeners are encouraged to visit CISOseries.com.

Transcript

A (0:00)

From the CISO series. It's Cybersecurity Headlines.

B (0:06)

These are the cybersecurity headlines for Monday, February 17, 2025. I'm Steve Prentiss. Hackers steal emails in device code Phishing attacks A threat actor thought to be allied with Russia is using a technique called device code phishing to target organizations in government, NGOs, IT, defence, telecommunications, health and energy sectors in Europe, North America, Africa and the Middle East. Microsoft is tracking the group under the name Storm237. Device code phishing involves getting access to devices that require a login code but which do not have a keyboard or browser, such as smart TVs and some IoT devices. Threat actors access these codes through social engineering. Anti Toad feature seeks to prevent in call sideloading attacks A new security feature for Android phones seeks to help device owners not change sensitive settings on their phones while unknowingly communicating with a scammer. This happens when a user is convinced to turn on settings within their phone to install apps and allow accessibility access for unknown parties. This feature is currently live in Android 16 beta 2, released earlier this week, and this is to counter a scamming process called Telephone Oriented Attack Delivery, in which cybercriminals distribute dropper apps using SMS messages and phone calls to trick victims into installing malware such as Vultr. Chinese hackers breach more US telecoms via unpatched Cisco routers According to recorded futures Insect Group hackers from China's SALT Typhoon group continue to target telecoms worldwide and have breached more US telecommunications providers via unpatched Cisco iOS XE network devices. In this campaign they are exploiting a privilege escalation vulnerability and a web UI command injection vulnerability. This has already resulted in network breaches at multiple telecommunications providers in the us, South Africa, Italy and Thailand. The vulnerabilities have CVE numbers viewable in the show notes to this episode and this is not the same exploit as was reported a month ago, which involved end of life Cisco routers and a different Chinese threat group, Vault Typhoon, thanks to today's episode sponsor Scrut Automation Scrut Automation allows compliance and risk teams of any size to establish enterprise grade security programs. Their best in class features like process automation, AI and over 75 native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit Scrut IO to schedule a demo or learn more. That is Scrut IO PPL Electric Utilities in Pennsylvania blames MoveIt breach at vendor for exposed customer data. The Allentown based utility company says basic customer data stolen from one of its vendors in 2023 was recently exposed online, but the incident did not its core systems. This was due to the MoveIt breach and the data which was stolen was basic PII with no banking, credit card, Social Security or account password information and it was published online in December of 2024. The company, which serves customers in Pennsylvania, Kentucky and Rhode island, also emphasizes that the breach was completely unrelated to PPL's systems and critical infrastructure. CISA adds vulnerabilities from Apple iOS and iPadOS Mitel SIP Phone and SimpleHelp to its kev catalog. These additions to CISA's known exploited vulnerabilities catalog this past week focus on the Apple iOS and iPadOS Incorrect authorization USB vulnerability that we reported on last week. It also focuses on a Mitel SIP conference Phones argument injection vulnerability and a vulnerability affecting the remote support application Simple Help that we also reported on on February 7. These vulnerabilities must be addressed by federal agencies by the end of the first week of March. The CVE numbers for each are available in the show notes to this episode. Lazarus group deploys Marstech 1 JavaScript implant in targeted developer attacks the North Korea linked threat actor is now believed to be connected to a previously undocumented JavaScript implant named Marstech1, the number one used in targeted attacks against developers. The active operation involved malware delivered via an open source repository hosted on GitHub, with a profile named Success Friend. This profile, which was active since July 2024, is no longer accessible on GitHub. The implant itself was designed to collect system information and could be embedded within websites and NPM packages, posing a supply chain risk. The malware seems to have emerged in late December 2024 and has to date amassed 233 confirmed victims across the US, Europe and Asia. The IRS to buy Nvidia supercomputers for improved IRSing, according to nonprofit news outlet the Intercept, quoted in Slashdot. The IRS is ready to purchase an Nvidia SuperPod AI supercomputer to enhance its machine learning capabilities for tasks such as fraud detection and taxpayer behavior analysis. This is part of the Elon Musk led DOGE program addressing a broader push to replace federal bureaucracy with machine learning software. End quote according to a previously unreported February 5 acquisition document. The setup will combine 31 separate Nvidia servers, each containing eight of the company's flagship Blackwell processors designed to train and operate artificial intelligence models that power tools like ChatGPT. The hardware has not yet been purchased and installed, nor is a price listed, but SuperPod systems reportedly start at $7 million. The setup described in the contract materials notes that it will include a substantial memory upgrade from Nvidia. It's an ongoing conundrum for cybersecurity professionals. Should your security program be stitched together from hand picked Best of Breed components, or should you rely on the foresight of a larger organization's one stop shop platform? Platform companies may have done all the legwork for you, but do they have everything you need? We asked our community of experts for some insight on the platformization versus Best of breed debate and their wisdom is now available for you to read in our latest crowdsourced report entitled 31 Myths and Realities around Platformization versus Best of Breed. You can find it and comment on it on the homepage of Sisoseries.com just look for the unicorn, the one driving the sports car. I'm Steve Prentiss reporting for the CISO series.