Cyber Security Headlines - March 25, 2025
Host: Lauren Verno
Podcast: CISO Series
Episode Title: Hundreds of Cyber Criminals Arrested, 23andMe Data, Ukraine Railway Partially Taken Down
1. Operation Red Card: Massive Crackdown in Africa
Timestamp: [00:06]
Lauren Verno kicks off the episode with a significant development in the fight against cybercrime in Africa. An international operation named Operation Red Card led to the arrest of over 300 cybercriminals across seven African countries. This extensive crackdown targeted individuals involved in mobile banking fraud, investment scams, and messaging app fraud.
- Nigeria was a major hotspot, with 130 suspects apprehended, including 113 foreign nationals.
- In South Africa, authorities dismantled a SIM box fraud operation, arresting 40 individuals.
- Zambia saw the shutdown of hacker activities involving malicious links aimed at stealing banking data.
The operation was not just about arrests; it resulted in the seizure of 26 vehicles, 16 houses, 39 plots of land, and 685 devices. Verno emphasizes the scale and coordination of the operation, highlighting it as a significant victory against cybercrime in the region.
2. 23andMe Bankruptcy Raises Data Privacy Concerns
Timestamp: [02:30]
A surprising turn of events unfolded as 23andMe, the renowned genetic testing company, filed for bankruptcy on Monday. This development has sparked widespread concern over the fate of millions of personal DNA records held by the company.
Verno outlines the potential risks, noting that there are fears the extensive genetic database might be "sold off to the highest bidder". Although 23andMe maintains that privacy protections will remain intact, court documents reveal that all company assets, including customer DNA records, are now subject to liquidation.
Adding urgency to the situation, California's Attorney General issued a stern warning, advising users to "delete their data immediately". Verno quotes the AG [02:45]:
"Unlike passwords, genetic information is permanent."
Instructions for data deletion are provided in the show notes, highlighting the critical need for individuals to safeguard their genetic information amidst the company's financial turmoil.
3. Cyber Attack Disrupts Ukraine's State Railway Operations
Timestamp: [04:00]
Ukraine's State Railway faced a massive cyber attack that primarily disrupted online ticket sales, resulting in long queues at physical ticket booths. Fortunately, the attack did not affect train schedules, ensuring that transportation services continued without interruption.
The railway company described the attack as "systematic and multilayered", indicating a sophisticated breach. They are collaborating closely with Ukraine's security services to restore systems and conduct thorough vulnerability testing. However, officials have yet to attribute the attack to any specific group and remain uncertain about the complete restoration timeline.
4. China-Linked APT Group Weaver Ant's Stealthy Infiltration
Timestamp: [05:30]
Researchers uncovered a prolonged intrusion by the China-linked APT group Weaver Ant, which had infiltrated an Asian telecom provider's network for over four years. Using compromised Zyxel routers, the group effectively hid its traffic and infrastructure within the network.
Key tactics employed by Weaver Ant included:
- Web shell tunneling to disguise malicious activities.
- Exfiltration of credentials, access logs, and network configurations.
- Encryption, SMB lateral movement, and disabling of security logs to evade detection.
Verno explains that the group's ability to maintain persistence over such an extended period underscores the sophistication and dangers posed by state-sponsored cyber threats.
5. NIST's Growing Backlog of CVEs
Timestamp: [06:15]
The National Institute of Standards and Technology (NIST) is grappling with a growing backlog of Common Vulnerabilities and Exposures (CVEs) submissions. Last year saw a 32% increase in CVE submissions, exacerbating the backlog despite NIST's efforts to maintain processing rates.
Verno highlights the implications of this backlog:
- Organizations face challenges in accessing timely vulnerability data.
- There is a widening gap between reported issues and actionable intelligence, which can impede effective cybersecurity measures.
NIST anticipates that submission volumes will continue to rise in 2025, posing ongoing challenges for the agency in keeping up with the demand.
6. Emergence of the VanHelsing Ransomware-as-a-Service Group
Timestamp: [06:50]
A new ransomware-as-a-service group named VanHelsing has quickly made its mark in the cybercrime landscape. Launched just two weeks ago, the group has already compromised three victims, demanding ransoms as high as $500,000.
Key features of VanHelsing:
- Affiliate Model: Offers affiliates 80% of ransom payments.
- Entry Barrier: Requires a $5,000 deposit for new users.
- Target Platforms: Windows, Linux, and ESXi.
Despite its advanced capabilities, the ransomware exhibits developmental flaws, such as mismatched file extensions. Additionally, the group adheres to a rule of not encrypting systems in the Commonwealth of Independent States (CIS), a common practice among groups with ties to Russia.
7. Critical Vulnerability in the Next.js Framework
Timestamp: [07:30]
A critical vulnerability has been detected in Next.js, a popular React framework with over 9 million weekly downloads on npm. This flaw allows attackers to bypass authorization checks by sending requests with a specific header.
Details of the vulnerability:
- Affected Versions: All versions prior to 15 and 12.3.5.
- Impact: Affects self-hosted instances using next start with output.
Verno urges developers and organizations to upgrade immediately to secure their applications. For those unable to patch promptly, blocking requests containing the x-middleware-subrequest header is recommended as a temporary mitigation.
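The interim mitigation above, blocking inbound requests that carry the header, as an added example for an edge proxy or gateway (not code from the episode or from the Next.js project; the function names, the decision object shape and the JSON-lines log format are assumptions):

```javascript
// Added example: edge-side guard for the temporary mitigation described above.
// Only the header name comes from the episode; everything else is assumed.

const BLOCKED_HEADER = "x-middleware-subrequest";

// True when the request headers include the blocked header. HTTP header
// names are case-insensitive, so normalise before comparing.
function shouldBlock(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Decide what the edge should do with a request: forward it to the
// Next.js origin or reject it with 403. Returns a plain object so the
// logic can be wired into any proxy framework (hypothetical shape).
function decide(req) {
  if (shouldBlock(req.headers || {})) {
    return { action: "reject", status: 403, reason: "blocked header" };
  }
  return { action: "forward", status: null, reason: null };
}

// Scan JSON-lines access log entries (one object per line, as a proxy
// might emit them) and return the entries that carried the header, so
// attempts made before the block was in place can be reviewed.
function findSuspiciousLogLines(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (entry.headers && shouldBlock(entry.headers)) {
      hits.push({ ts: entry.ts, ip: entry.ip, path: entry.path });
    }
  }
  return hits;
}

// Constructed sample log (not real traffic; documentation IP range).
const SAMPLE_LOG = [
  '{"ts":"2025-03-25T10:00:01Z","ip":"203.0.113.5","path":"/dashboard","headers":{"user-agent":"x"}}',
  '{"ts":"2025-03-25T10:00:02Z","ip":"203.0.113.9","path":"/admin","headers":{"X-Middleware-Subrequest":"x"}}',
].join("\n");
```

Blocking at the edge only buys time; the fix is the upgrade the episode urges, since the header is the only signal this guard relies on.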
8. Extradition of Snowflake Attack Suspect Connor Moucka
Timestamp: [08:15]
Connor Moucka, a Canadian citizen, has agreed to extradition to the US to face 20 federal charges related to the Snowflake attacks. These attacks compromised data from 165 companies, with prosecutors alleging that Moucka and his co-conspirators extorted victims for a total of $2.5 million.
Moucka is linked to The Com, a cybercrime network known for its involvement in extortion and violence. However, the official timeline for his extradition remains unclear at this point.
Conclusion: Re-evaluating Severity in Cybersecurity Incidents
Timestamp: [08:35]
In the closing remarks, Lauren Verno poses a thought-provoking question about the reliance on severity when evaluating cybersecurity incidents. While severity is useful for post-incident analysis, she questions its effectiveness in real-time incident management. This topic is explored further in the latest episode's discussion, titled "The security incident has been upgraded from ouch to boing."
Verno encourages listeners to stay informed by accessing full stories behind the headlines at CISOseries.com.
Notable Quotes:
- Lauren Verno on data privacy [02:45]: "Unlike passwords, genetic information is permanent."
- On severity in cybersecurity [08:35]: "We often fall back on severity when evaluating cybersecurity incidents. Severity has its place in analyzing an incident after the fact, but does it help the situation when dealing with one?"
Stay updated with the latest in cybersecurity by tuning into the Cyber Security Headlines on the CISO Series podcast.
