Transcript
Steve Prentice (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, March 31, 2025. I'm Steve Prentice.

FBI warns of increase in free online document converter scams

The agency's Denver field office says it is seeing an increase in scams involving free online document converter tools, which ultimately either deliver malware, including ransomware, to users' computers or facilitate identity theft. They explain that these fake file converters and download tools may indeed do the job as advertised, such as converting a Word document to a PDF, but at quite a cost. The agency further warns consumers to be cautious with downloads and to report suspected incidents to ic3.gov.

RESURGE malware exploits Ivanti flaw

CISA is warning of a new malware called RESURGE that is targeting a now-patched security flaw in Ivanti Connect Secure appliances. Seemingly derived from the SPAWNCHIMERA malware variant, the file is capable of surviving reboots and contains the capabilities of a rootkit, dropper, backdoor, bootkit, proxy and tunneler. The vulnerability that it exploits is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure and ZTA gateways that could result in remote code execution. This flaw was patched by Ivanti in January of this year.

BlackLock hackers exposed through leak site vulnerability

The ransomware group BlackLock, once known as Eldorado, has been infiltrated by threat hunters from Resecurity, who have uncovered crucial information about how the group operates. The threat hunters said they found a security vulnerability in the group's data leak site, which "made it possible to extract configuration files and credentials as well as the history of commands executed on the server." "This misconfiguration led researchers to clearnet IP addresses related to their network infrastructure behind Tor hidden services." It is being described as one of the biggest operational security failures of BlackLock ransomware.

Oracle Health breach compromises patient data at US hospitals

This breach is apparently unrelated to the Oracle Cloud federated SSO login breach that we have been covering in recent days. This one, at Oracle Health, impacts multiple US healthcare organizations and hospitals and involves a threat actor who stole patient data from legacy servers. According to Bleeping Computer, "Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, Bleeping Computer has confirmed that patient data was stolen in the attack." "Oracle Health used to be known as Cerner (C-E-R-N-E-R) and is a healthcare software-as-a-service company offering electronic health records and business operations systems to hospitals and healthcare organizations. After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud."

Huge thanks to our sponsor, Qualys. Overwhelmed by noise in your cybersecurity processes? Cut through the clutter with Qualys Enterprise TruRisk Management. Quantify your cyber risk in clear financial terms and focus on what matters most. Actionable insights help you prioritize critical threats, streamline remediation and accelerate risk reduction while effectively communicating impact to stakeholders. Empower your cybersecurity strategy with tools that drive faster, smarter and more efficient risk management. Your secure future starts today with Qualys Enterprise TruRisk Management. Visit qualys.com/etm for more information. That is Q-U-A-L-Y-S.

Hackers target Taiwan with malware-laden fake messaging apps

The malware in question is named PJobRAT and was being delivered through malicious instant messaging apps named SangaalLite and CChat, which had been designed to resemble legitimate platforms. This is according to a report published Thursday by cybersecurity firm Sophos. They state the apps were available for download on multiple WordPress sites, which have since been taken offline. PJobRAT is an Android remote access trojan that gives attackers greater control over infected devices, allowing them to steal data from various applications, and even includes disabling battery optimization to ensure they run continuously in the background. The campaign seems to have come to an end, since no recent activity has been observed.

Microsoft removes Windows 11 account bypass

According to Bleeping Computer, Microsoft has removed the bypassnro.cmd script from Windows 11 preview builds, which allowed users to bypass the requirement to use a Microsoft account when installing the operating system. Having been introduced in the latest Windows 11 Insider Dev Preview build, this means the change will likely be coming to production builds. The change basically forces all users to have a Microsoft account whether they want one or not.

Sam's Club investigates alleged Clop ransomware attack

The Walmart-owned membership warehouse club chain has been listed as one of the victims of a software exploit and breach that occurred in December. The Clop ransomware gang has not leaked any data allegedly stolen from the club, but has accused the club of ignoring security. The ransomware group leaked files from Rackspace Technology and listed around 170 companies that were allegedly hacked via zero-day vulnerabilities in the Cleo file transfer software.

Morphing Meerkat pops up with easy email spoofing

Morphing Meerkat is the name of a newly discovered phishing-as-a-service operation that uses the DNS over HTTPS protocol to evade detection. It also leverages DNS mail exchange (MX) records to identify victims' email providers and to dynamically serve spoofed login pages for more than 114 email brands. As a phishing-as-a-service platform, it provides a complete toolkit for launching effective, scalable and evasive phishing attacks that require minimal technical knowledge. It can deliver this to service providers that include Gmail, Outlook and Yahoo in multiple languages, including English, Spanish, Russian and even Chinese, and can even spoof sender names and addresses.

If you haven't checked it out yet, be sure to give a listen to our brand new show, entitled Security You Should Know. Each episode features a security vendor talking with two security experts, answering the questions we all want to know about new solutions. This week we're highlighting Pentera and what they are doing to help you prioritize security gaps. Look for the show at cisoseries.com. I'm Steve Prentice, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
