Transcript
Steve Prentiss (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, March 28, 2025. I'm Steve Prentiss.
150,000 sites compromised by JavaScript injection. According to researchers at website security company c/side, that is spelled lowercase c, forward slash, and then S-I-D-E, this campaign infiltrates legitimate websites with malicious JavaScript using an iframe injection to display a full-screen overlay in a visitor's browser using CSS. This takes the human browsers to sites promoting Chinese gambling platforms. This current campaign largely targets infected WordPress sites, but the researchers state the technique demonstrates how threat actors continually adapt, increasing their sophistication.
Vulnerabilities found in numerous solar power systems. Researchers at cybersecurity firm Forescout are warning of dozens of vulnerabilities in solar power system products from Sungrow, Growatt, i.e. G-R-O-W-A-T-T, and SMA. The researchers say some of these flaws can pose a serious threat to electrical grids. The flaws exist within components, such as one that connects a solar power system to the Internet, another in a cloud service where data is sent for monitoring and control, and a mobile application that enables the user to interact with the cloud service. Some of these flaws will allow an attacker to upload files to enable arbitrary code execution on the cloud platform server, steal information or vandalize the power grid itself.
T-Mobile pays $33 million in SIM swap lawsuit. The law firm Greenberg Glusker has secured a $33 million arbitration award against T-Mobile over a SIM swap attack that led to a massive cryptocurrency theft. The case involved an investor whose phone number was hijacked on February 21, 2020, leading to the theft of Bitcoin valued at $38 million. T-Mobile revealed that the incident occurred after a threat actor accessed T-Mobile's systems and abused them for SIM swapping.
The law firm argued that T-Mobile's security failures enabled the breach, potentially through a system backdoor, and that T-Mobile attempted to keep details of its security failures sealed.
NHS software supplier gets discount on fine for good behavior. This story follows up on an event from August 2022 in which the LockBit ransomware gang attacked Advanced Health and Care Ltd., an IT company that provides service to the UK's National Health Service, along with other healthcare organisations in the country. The fine of just over 3 million pounds being levied on the company by the UK's Data Protection Branch, called the Information Commissioner's Office, is just half of what was originally proposed, the ICO said. Advanced Health and Care Ltd. settled for the reduced fine after acknowledging the watchdog's decision, agreeing to pay up without appealing, playing nicely with the NHS and other regulatory bodies following the attack, as well as taking other steps to mitigate related risk. End quote.
Thanks to today's episode sponsor, ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and to start your free trial, visit threatlocker.com. That is just like the words threat locker dot com.
Defects in Kubernetes component put 40% of cloud environments at risk. This number, 40%, is described by researchers at Wiz as being due to five recently discovered vulnerabilities, one regarded critical with a CVSS score of 9.8, in the Ingress NGINX controller for Kubernetes, spelled N-G-I-N-X. The researchers state that they aren't aware of any active exploitation, but the risk for publicly exposed and unpatched Ingress NGINX controllers is extremely high, end quote.
Stephen Fewer, principal security researcher at Rapid7, stated separately: with exploit code for this vulnerability starting to be published online, Kubernetes administrators should remediate publicly exposed instances on an urgent basis. He added, successful exploitation could allow attackers to access cluster-wide secrets, including passwords or tokens, or completely take over a cluster.
The top three Microsoft Office exploits to watch for. The Hacker News is out with its summary of the most popular Microsoft Office exploits, and they are, in brief, phishing using email attachments that now include fake CAPTCHA, Cloudflare and other prove-you-are-a-human steps, as well as QR codes. The second is Microsoft Equation Editor, which still exists on many machines and which is a zero-click exploit embedded in Microsoft Word files. Thirdly, another Microsoft Word zero-click, Follina, F-O-L-L-I-N-A, which abuses the Microsoft Support Diagnostic Tool and special URLs embedded in Office documents to execute remote code. More details on these and tips on how to mitigate them are available in the Hacker News article, a link to which is available in the show notes.
Windows Server 2025 updates cause Remote Desktop freezes. Microsoft has acknowledged a known issue causing Remote Desktop freezes on Windows Server 2025 after installing security updates since February 2025's Patch Tuesday. Users experience unresponsive mouse and keyboard input shortly after connecting, requiring reconnection. This issue also affected Windows 11 24H2, but was resolved with its February 25 update. Microsoft has yet to release a fix for Windows Server 2025, but plans to address it in the future.
Mozilla warns Windows users of critical Firefox sandbox escape flaw. Mozilla has released a new version of Firefox, 136.0.4, to patch a critical security flaw that allows attackers to escape the browser's sandbox on Windows. The issue affects standard and extended support releases.
While details are limited, the flaw is similar to a Chrome zero-day recently patched by Google. Mozilla noted attackers exploited a related vulnerability in the wild, allowing them to confuse processes and leak handles, leading to a sandbox escape. Other operating systems are unaffected.
As usual, we've got a busy Friday of live streams today. It starts at 1pm with Super Cyber Friday, where the topic will be Hacking Fragmented IAM: an hour of critical thinking of how to simplify the confusion on identity management, governance and security. Then at 3:30pm Eastern, we have our Week in Review show. Jonathan Waldrop, CISO of the Weather Company, will be our guest, providing his expert commentary on the news of the week. To join us for both, head on over to the events page at cisoseries.com. I'm Steve Prentiss, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
