
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, March 25, 2025. I'm Lauren Verno.

More than 300 cybercriminals arrested in Africa
An international crackdown on cyber scams, dubbed Operation Red Card, literally led to over 300 arrests across seven African countries, targeting criminals behind mobile banking, investment and messaging app fraud. Authorities uncovered cross-border networks that defrauded over 5,000 victims, with Nigeria alone arresting 130 suspects, including 113 foreign nationals. In South Africa, 40 individuals were caught running a SIM box fraud operation, while in Zambia, hackers using malicious links to steal banking data were taken down. Overall, the investigation led to the seizure of 26 vehicles, 16 houses, 39 plots of land and 685 devices.

23andMe bankruptcy puts millions of DNA records at risk
23andMe filed for bankruptcy on Monday, and many are asking the question: what's going to happen to all that personal information now? Some have raised major concerns that its vast database of genetic data could be sold off to the highest bidder. While the company insists privacy protections will remain intact, court documents make it clear that all assets, including customer DNA records, are on the table. California's attorney general issued a release ahead of the announcement urging users to delete their data immediately, warning that, unlike passwords, genetic information is permanent. Instructions on how to delete that data can be found in today's show notes.

Ukraine's State Railway partially down after attack
A massive cyber attack on Ukraine's state railway has disrupted online ticket sales, forcing passengers into long lines at ticket booths, but not affecting train schedules. The company called the attack systematic and multilayered, and is working with Ukraine's security services to restore systems while testing for vulnerabilities. Officials have not attributed the attack to a specific group yet, and they are unsure when every system will be back up and operational.

China-linked APT hidden in telecom network for years
China-linked APT group Weaver Ant spent over four years inside an Asian telecom provider's network, using compromised Zyxel routers to hide traffic and infrastructure. Researchers at Sygnia uncovered the intrusion, which relied on web shell tunneling, linking multiple web shells like China Chopper and the custom-built INMemory. To move laterally and maintain persistence, the group exfiltrated credentials, access logs and network configurations, while evading detection through encryption, SMB lateral movement and disabling security logs.

Thanks to today's episode sponsor, ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R.

NIST struggles to keep up
The National Institute of Standards and Technology, or NIST, is struggling to clear a growing backlog of CVEs in the National Vulnerability Database, with a 32% increase in submissions last year exacerbating the issue. Despite maintaining processing rates, the backlog continues to grow, and NIST anticipates even higher submission volumes in 2025. The delays are impacting organizations' ability to access timely vulnerability data, creating a gap between reported issues and actionable intelligence, despite efforts in increasing staff.

New ransomware group makes quick impact
A new ransomware-as-a-service launched just earlier this month, VanHelsing RaaS, has already caused significant damage. Within just two weeks, the group compromised three victims, with ransoms reported as high as $500,000. The service offers affiliates 80% of ransom payments, with a $5,000 deposit required for new users, and targets multiple platforms, including Windows, Linux and ESXi. Despite its advanced features, the ransomware has some developmental flaws, like mismatched file extensions, and the group has one rule: to not encrypt systems in the Commonwealth of Independent States, or CIS, countries, which is common for criminal groups tied to Russia.

Next.js flaw allows attackers to bypass security checks
A critical vulnerability has been discovered in the Next.js framework, allowing attackers to bypass authorization checks by sending requests with a specific header. With more than 9 million weekly downloads, Next.js is a popular React framework on npm. The flaw impacts all versions prior to 15 and 12.3.5, and affects self-hosted instances using next start with output: standalone. Users are urged to upgrade immediately, and those unable to patch should block requests containing the x-middleware-subrequest header to prevent exploitation.

Snowflake attack suspect to stand trial in US
Canadian citizen Connor Moucka has agreed to extradition to the US to face 20 federal charges for his alleged role in the massive Snowflake attacks that compromised data from 165 companies. Prosecutors say Moucka, along with his co-conspirators, extorted victims for $2.5 million, and are linked to The Com, a cyber network involved in extortion and violence. The official timeline, though, for Moucka's extradition remains unclear at this point.

We often fall back on severity when evaluating cybersecurity incidents. Severity has its place in analyzing an incident after the fact, but does it help the situation when dealing with one? That's one of the topics we're getting into on the latest episode of the CISO Series Podcast. Look for the episode "The security incident has been upgraded from ouch to boing" wherever you get your podcasts. I'm Lauren Verno, reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Host: Lauren Verno
Podcast: CISO Series
Episode Title: Hundreds of Cyber Criminals Arrested, 23andMe Data, Ukraine Railway Partially Taken Down
Timestamp: [00:06]
Lauren Verno kicks off the episode with a significant development in the fight against cybercrime in Africa. An international operation named Operation Red Card led to the arrest of over 300 cybercriminals across seven African countries. This extensive crackdown targeted individuals involved in mobile banking fraud, investment scams, and messaging app fraud.
The operation was not just about arrests; it resulted in the seizure of 26 vehicles, 16 houses, 39 plots of land, and 685 devices. Verno emphasizes the scale and coordination of the operation, highlighting it as a significant victory against cybercrime in the region.
Timestamp: [02:30]
A surprising turn of events unfolded as 23andMe, the renowned genetic testing company, filed for bankruptcy on Monday. This development has sparked widespread concern over the fate of millions of personal DNA records held by the company.
Verno outlines the potential risks, noting that there are fears the extensive genetic database might be "sold off to the highest bidder". Although 23andMe maintains that privacy protections will remain intact, court documents make clear that all company assets, including customer DNA records, are on the table in the bankruptcy.
Adding urgency to the situation, California's Attorney General issued a stern warning, advising users to "delete their data immediately". Verno quotes the AG:
"Unlike passwords, genetic information is permanent."
[02:45]
Instructions for data deletion are provided in the show notes, highlighting the critical need for individuals to safeguard their genetic information amidst the company's financial turmoil.
Timestamp: [04:00]
Ukraine's State Railway faced a massive cyber attack that primarily disrupted online ticket sales, resulting in long queues at physical ticket booths. Fortunately, the attack did not affect train schedules, ensuring that transportation services continued without interruption.
The railway company described the attack as "systematic and multilayered", indicating a sophisticated breach. They are collaborating closely with Ukraine's security services to restore systems and conduct thorough vulnerability testing. However, officials have yet to attribute the attack to any specific group and remain uncertain about the complete restoration timeline.
Timestamp: [05:30]
Researchers at Sygnia uncovered a prolonged intrusion by the China-linked APT group Weaver Ant, which had infiltrated an Asian telecom provider's network for over four years. Utilizing compromised Zyxel routers, the group effectively hid its traffic and infrastructure within the network.
Key tactics employed by Weaver Ant, as described in the episode, included web shell tunneling that chained multiple web shells (China Chopper and the custom-built INMemory), exfiltration of credentials, access logs and network configurations, and evasion through encryption, SMB lateral movement and the disabling of security logs.
Verno explains that the group's ability to maintain persistence over such an extended period underscores the sophistication and dangers posed by state-sponsored cyber threats.
Timestamp: [06:15]
The National Institute of Standards and Technology (NIST) is grappling with a growing backlog of Common Vulnerabilities and Exposures (CVE) submissions to the National Vulnerability Database. Last year saw a 32% increase in CVE submissions, exacerbating the backlog despite NIST's efforts to maintain processing rates and increase staff.
Verno highlights the implication of this backlog: the delays leave organizations unable to access timely vulnerability data, opening a gap between reported issues and actionable intelligence.
NIST anticipates that submission volumes will continue to rise in 2025, posing ongoing challenges for the agency in keeping up with the demand.
Timestamp: [06:50]
A new ransomware-as-a-service group named VanHelsing RaaS has quickly made its mark in the cybercrime landscape. Launched earlier this month, the group compromised three victims within two weeks, demanding ransoms as high as $500,000.
Key features of VanHelsing RaaS noted in the episode: affiliates keep 80% of ransom payments, new users must put down a $5,000 deposit, and the ransomware targets multiple platforms, including Windows, Linux and ESXi.
Despite its advanced capabilities, the ransomware exhibits developmental flaws, such as mismatched file extensions. Additionally, the group adheres to a rule of not encrypting systems in the Commonwealth of Independent States (CIS), a common practice among groups with ties to Russia.
Timestamp: [07:30]
A critical vulnerability has been detected in the Next.js framework, a popular React framework with over 9 million weekly downloads on npm. This flaw allows attackers to bypass authorization checks by sending requests with a specific header.
Details of the vulnerability, as reported in the episode: the bypass is triggered by the x-middleware-subrequest header, the flaw affects versions prior to the patched releases named in the episode (15 and 12.3.5), and the exposed deployments are self-hosted instances running next start with output: standalone.
Verno urges developers and organizations to upgrade immediately to secure their applications. For those unable to patch promptly, blocking inbound requests containing the x-middleware-subrequest header is recommended as a temporary mitigation.
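The interim mitigation above, as an added example: this is not code from the CISO Series page or from the Next.js project, but a small Node.js front-door check that refuses any inbound request carrying the x-middleware-subrequest header before it reaches a self-hosted Next.js application. The function names (hasBlockedHeader, triage, createGuard) and the sample requests are our own constructions for illustration.

```javascript
// Added example, not code from the CISO Series page or the Next.js project.
// Implements the interim mitigation the episode describes: reject any inbound
// request that carries the x-middleware-subrequest header before it reaches a
// self-hosted Next.js app. Names below (triage, createGuard, ...) are our own.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive. Node's IncomingMessage lowercases
// them in req.headers already, but a raw header map from another source (a
// load-balancer hook, a test fixture) may not, so normalise before matching.
function hasBlockedHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Decide what to do with a request. Only the header's presence matters: the
// episode's advice is to block on the header regardless of its value, since a
// legitimate client has no reason to send it from the public internet.
function triage(req) {
  if (hasBlockedHeader(req.headers)) {
    return { action: 'reject', status: 403, reason: `${BLOCKED_HEADER} present` };
  }
  return { action: 'forward' };
}

// Wrap an upstream handler (for example the request handler of a Next.js
// custom server, or a proxy function) so rejected requests never reach it.
// Returns the triage decision so callers can log or count rejections.
function createGuard(upstream) {
  return function guardedHandler(req, res) {
    const decision = triage(req);
    if (decision.action === 'reject') {
      res.writeHead(decision.status, { 'content-type': 'text/plain' });
      res.end('Forbidden\n');
      return decision;
    }
    upstream(req, res);
    return decision;
  };
}

// Constructed sample requests for demonstration; these are not captured traffic.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/dashboard', headers: { host: 'app.example' } },
  { method: 'GET', url: '/dashboard',
    headers: { host: 'app.example', 'x-middleware-subrequest': 'middleware' } },
  { method: 'GET', url: '/dashboard',
    headers: { host: 'app.example', 'X-Middleware-Subrequest': 'src/middleware' } },
];

// Run triage over the samples and return one decision per request.
function demo() {
  return SAMPLE_REQUESTS.map((req) => ({ url: req.url, ...triage(req) }));
}

for (const result of demo()) {
  console.log(result);
}
```

To deploy, pass your existing request handler to createGuard and hand the returned function to http.createServer; the same rule (drop the request if the header name is present, whatever its value, matched case-insensitively) can equally be expressed at the reverse proxy or WAF in front of the application. The check only narrows exposure; upgrading to a patched Next.js release remains the actual fix.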
Timestamp: [08:15]
Connor Moucka, a Canadian citizen, has agreed to extradition to the US to face 20 federal charges related to the Snowflake attacks. These attacks compromised data from 165 companies, with prosecutors alleging that Moucka and his co-conspirators extorted victims for a total of $2.5 million.
Moucka is linked to The Com, a cyber network known for its involvement in extortion and violence. The official timeline for his extradition, however, remains unclear at this point.
Timestamp: [08:35]
In her closing remarks, Lauren Verno poses a thought-provoking question about the reliance on severity when evaluating cybersecurity incidents. While severity is useful for post-incident analysis, she questions whether it helps while an incident is actually being handled. The topic is explored further on the latest episode of the CISO Series Podcast, titled "The security incident has been upgraded from ouch to boing."
Verno encourages listeners to stay informed by accessing full stories behind the headlines at CISOseries.com.
Lauren Verno on Data Privacy:
"Unlike passwords, genetic information is permanent."
[02:45]
On Severity in Cybersecurity:
"We often fall back on severity when evaluating cybersecurity incidents. Severity has its place in analyzing an incident after the fact, but does it help the situation when dealing with one?"
[08:35]
Stay updated with the latest in cybersecurity by tuning into the Cyber Security Headlines on the CISO Series podcast.