Transcript
CISO Series Host (0:00)
From the CISO series. It's Cybersecurity Headlines.
Rich Stroffolino (0:07)
These are the cybersecurity headlines for Wednesday, March 26, 2025. I'm Rich Stroffolino.

EncryptHub linked to Microsoft Management Console exploit
Earlier this year, researchers at Trend Micro discovered that attackers could leverage a vulnerability in the Microsoft Management Console to circumvent file reputation protection and ultimately execute code. Trend Micro now links the exploitation of this flaw to the threat actor EncryptHub, also known as LARVA-208. In this attack, the threat actor manipulates MSC files and the Multilingual User Interface path to download and execute malicious payloads, maintain persistence, and steal sensitive data from infected systems, according to Trend Micro researcher Aliakbar Zahravi, who warns that the campaign shows signs of active development. Researchers also found earlier versions of this attack dating back to April 2024. Microsoft patched the vulnerability earlier this month.

Security Copilot gets AI agents
Microsoft will release previews of new Security Copilot agents next month, the first significant capabilities added to the service since it launched. Microsoft claims these agents can be used to automate specific workflows across threat protection, identity management, data security and IT operations that previously required a human analyst, reducing the volume of repetitive tasks. One example is a phishing triage agent. These agents will integrate across Defender XDR, Purview, Intune and Entra. Microsoft said it will demonstrate more new security offerings at its Microsoft Secure conference on April 9.

A call for more PETs in government
A new report from New America's Open Technology Institute think tank calls for the government to prioritize the use of privacy-enhancing technologies, or PETs, to prevent unauthorized access to sensitive government data. These include more table-stakes tools like encryption, but the report also calls for the use of synthetic data to prevent access to authentic personal information, as well as differential privacy and secure multiparty computation. The report also calls for incentivizing more PET vendor investment by procuring this tech with long-term contracts. The report acknowledges the need for data sharing in the government, but says a privacy-first approach to data sharing can remove some of the inherent risk.

Raspberry Robin C2 domains uncovered
The Russian-linked threat actor Raspberry Robin first emerged in 2019, serving as an initial access broker for various forms of malware including Bumblebee, Dridex, IcedID, LockBit, SocGholish and TrueBot. Researchers at Silent Push recently discovered one IP address being used to relay data across compromised QNAP NAS devices, which they were then able to track to over 180 unique C2 domains. These domains were extremely short, and Raspberry Robin rapidly rotated them with a fast-flux technique to make takedowns more challenging. The majority of the domains were registered with the Bulgarian company CloudDNS.

And now, thanks to today's episode sponsor, ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Even Troy Hunt gets phished
Security researchers, they're just like us. Have I Been Pwned founder Troy Hunt published a blog post detailing how a sneaky phish managed to export his Mailchimp account. Hunt received a legitimate-looking email purportedly from Mailchimp, advising that his sending privileges were restricted and offering a button to review his account. Hunt entered his credentials and a one-time password, almost immediately receiving a genuine email from Mailchimp that his subscriber list was exported. That list included about 16,000 emails to Hunt's personal blog, including those who had been unsubscribed, which Hunt didn't realize Mailchimp still kept. Hunt said the only red flag he could have caught was when 1Password was not autofilling his credentials because he was on a different domain. He also attributed the attack's success to fatigue from jet lag. If anyone needs a good example of how to fully disclose a security incident, please check out Troy's blog in our show notes.

Android malware uses .NET MAUI for evasion
Researchers at McAfee discovered an Android malware campaign using Microsoft's cross-platform .NET MAUI framework to obscure activity. That's because rather than storing code in DEX format, which Android security tools are designed to scan, MAUI allows apps to be built in C# and store files in binary blobs. With this approach, malware can stay undetected for a long time on a device. The researchers also found multiple variants with this technique, indicating it's becoming more popular. McAfee reported several Android APKs using this approach across fake banking, communication, dating and social media apps. Google Play Protect can detect these APKs, so the researchers think they're mostly targeted at China and other markets without access to the Play Store.

The AI mitigation limitation
A new report from the U.S. National Institute of Standards and Technology, we know it as good old NIST, urged the cybersecurity community to develop improved mitigation strategies for adversarial machine learning systems. These include manipulating training data, adversarial inputs to impact system performance, and training data exfiltration from models. NIST noted a so-called open research problem: systems that are optimized for accuracy tend to underperform against adversarial attacks. The report recommends organizations accept tradeoffs between these priorities as part of a mitigation strategy. NIST also pointed to the continued struggle to detect adversarial attacks underway on AI systems, due to the high cost of applying formal verification methods to these models as well as an overall lack of reliable benchmarks.

Browser-in-the-browser attack hits Counter-Strike 2 players
Security researchers discovered a new phishing campaign targeting Counter-Strike 2 players on Steam. The threat actor poses as Ukrainian esports team NAVI, using YouTube and other promotional channels to steer potential victims to phishing sites with the lure of free in-game rewards. Claiming the gift requires logging into Steam, and the threat actor uses a browser-in-the-browser technique to show a fake login popup. From there, the threat actors attempt to take over Steam accounts and sell them on illicit markets.

Remember to subscribe to the CISO Series on YouTube. We host our Week in Review show there every Friday at 3:30pm Eastern, giving you some CISO perspective on the news of the week, and we also post original content, demos and clips from our other podcasts. Just search for CISO Series on YouTube to subscribe, or look for the link at cisoseries.com. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
