
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, February 12, 2025. I'm Rich Stroffelino.

LockBit host sanctioned
Australia, the UK and the US announced joint financial sanctions against the Russia-based hosting provider Zserver over allegations that it provided essential infrastructure to the LockBit ransomware operation. The countries have also sanctioned two Russian nationals working as Zserver administrators for their role in directing LockBit transactions and supporting their attacks. According to the U.S. Office of Foreign Assets Control, these sanctions stem from a raid on a LockBit affiliate back in 2022, where Canadian authorities discovered a laptop running a VM operating a LockBit control panel off of a Zserver subleased IP address.

A peek at DeepSeek's weak security
According to researchers at AppSOC, DeepSeek's R1 large language model failed various security tests for business applications, largely due to a lack of comprehensive guardrails. They found that R1 could not prevent users from creating malware 93% of the time. That was the failure rate. They also could jailbreak away from system safeguards 91% of the time. The model showed stronger scores when it came to leaking training data, failing in 1.4% of attempts. But overall, the researchers found it extremely easy to cause the model to hallucinate and generate toxic or harmful content.

Sandworm targeting Ukraine with Trojanized KMS
Researchers at EclecticIQ found signs that since late 2023, the Russian cyber espionage group Sandworm began using fake Windows updates and Trojanized versions of Microsoft Key Management Service activators to target victims. In Ukraine, there is evidence of seven malware campaigns using these similar lures. The attack starts by attracting victims to a typo-squatted domain to get the DCRat Trojan on their machine. From there, it presents a fake Windows activation interface, disables Windows Defender, and delivers a further payload.
This approach appears effective due to the prominent use of pirated software in Ukraine, even in the government sector.

SonicWall flaw allows for VPN hijacks
On January 7, SonicWall warned about a firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled, urging admins to apply mitigations immediately. Researcher Bishop Fox announced that he developed a proof of concept for the flaw on January 22 and has now released full technical details. The flaw allowed for sending a crafted session cookie to an SSL VPN authentication endpoint. This appears associated with an active VPN session and triggers improper validation while logging the victim out of the session. This was only released after SonicWall made patches available.

And now, thanks to today's episode sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That's V-A-N-T-A dot com slash headlines.

Ransomware gangs find quantity has a quality all its own
According to the Huntress 2025 Cyber Threat Report, ransomware attacks last year showed a trend in moving away from higher-profile targets, instead focusing on speed of attacks at a higher volume. The average time to ransom across all groups was just under 17 hours, but sophisticated groups like RansomHub and Akira showed much faster times of around six hours. Ironically, the group Rapid had the slowest time to ransom at 43 hours.
Overall, RansomHub, Lynx and Akira ransomware groups accounted for 54% of observed attacks. Additionally, 71% of ransomware incidents saw attackers exfiltrate data prior to deploying ransomware.

Intel patched 374 vulnerabilities in 2024
According to Intel's product security report, 72% of these vulnerabilities were found in software: things like drivers, utilities and SDKs. Firmware fixes accounted for 21%, including 30 UEFI patches, with the remaining patches in hardware across processors, SGX and side-channel issues. The company attributed 96% of the discovered vulnerabilities to its proactive product security assurances. Intel issued bug bounties on 53% of these vulnerabilities, with UEFI flaws drawing the most money, although Intel does not share specific amounts.

Google Tag Manager used to deploy card skimmers
Just when you thought it was safe to go shopping, a handful of sites were discovered to be using what looked to be a typical Google Tag Manager and Google Analytics script for store analytics, but it also included a containerized backdoor that allowed for persistent access. According to researchers at Sucuri, this was used to collect payment information during the checkout process. It's unclear what vector is being used to get the script onto the sites.

Apple making a deal to bring AI to China
Virtually any Western company looking to launch a software service in China has to make a deal with local partners to assuage regulators. Apple is no exception. The Information's sources say Apple partnered with Alibaba to submit its Apple Intelligence features to the Cyberspace Administration of China, the country's Internet and cybersecurity regulator. Apple already announced plans to launch Apple Intelligence in China as part of iOS 18.4 in April, but it wasn't clear how they had cleared regulatory hurdles. The company also reportedly looked into doing deals with Baidu and DeepSeek.
Remember, if you want more video content from the CISO Series, subscribe to the CISO Series YouTube channel. We're always posting original content, interviews, demos and, of course, our Week in Review show, every Friday at 3:30pm Eastern. You can join me and our vibrant chat room with one of our CISO guests and get their perspective on the news of the week. Reporting for the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines - Episode Summary Hosted by CISO Series | Release Date: February 12, 2025
The February 12, 2025 episode of Cyber Security Headlines by CISO Series delves into significant developments in the information security landscape. Host Rich Stroffelino navigates through a series of critical topics, providing insightful analysis and expert commentary. This summary captures the key discussions, insights, and conclusions presented during the episode.
The episode opens with a significant development in the fight against ransomware. Australia, the UK, and the US have collaboratively imposed financial sanctions on Zserver, a Russia-based hosting provider accused of supporting the LockBit ransomware operations. Additionally, two Russian nationals employed as Zserver administrators have been sanctioned for their roles in facilitating LockBit’s malicious activities.
Notable Quote:
"These sanctions stem from a raid on a LockBit affiliate back in 2022, where Canadian authorities discovered a laptop running a VM operating a LockBit control panel off of a Zserver subleased IP address."
— Rich Stroffelino [00:07]
This coordinated effort underscores the international commitment to dismantling ransomware infrastructure and holds key actors accountable for cybercrimes.
The podcast shifts focus to the vulnerabilities in artificial intelligence applications, specifically DeepSeek's R1 large language model. Researchers at Appsoc have identified alarming security deficiencies, highlighting that the R1 model failed security tests for business applications with a 93% failure rate in preventing malware creation. Furthermore, the model was susceptible to jailbreaks 91% of the time, allowing users to bypass system safeguards.
Notable Quote:
"The model showed stronger scores when it came to leaking training data, failing in only 1.4% of attempts. But overall, the researchers found it extremely easy to cause the model to hallucinate and generate toxic or harmful content."
— Rich Stroffelino [00:42]
These findings raise critical concerns about the deployment of AI systems in sensitive environments and the necessity for robust security measures.
Another focal point is the Sandworm group, a Russian cyber espionage entity. Since late 2023, Sandworm has been deploying fake Windows updates and Trojanized Microsoft Key Management Service (KMS) activators to infiltrate Ukrainian systems. In Ukraine, evidence points to seven distinct malware campaigns using these deceptive lures.
Notable Quote:
"The attack starts by attracting victims to a typo-squatted domain to get the DCRat Trojan on their machine. From there, it presents a fake Windows activation interface, disables Windows Defender, and delivers a further payload."
— Rich Stroffelino [02:00]
The effectiveness of these tactics is partly attributed to the widespread use of pirated software in Ukraine, including within government sectors, highlighting the ongoing challenges in cybersecurity defense.
The discussion then moves to a critical vulnerability in SonicWall firewalls. On January 7, SonicWall warned customers that the flaw was susceptible to exploitation on devices with SSL VPN or SSH management enabled and urged them to apply mitigations immediately. Researchers at Bishop Fox developed a proof of concept on January 22 and have since published full technical details, showing how a crafted session cookie sent to an SSL VPN authentication endpoint could be tied to an active VPN session and trigger improper validation.
Notable Quote:
"The flaw allowed for sending a crafted session cookie to an SSL VPN authentication endpoint. This appears associated with an active VPN session and triggers improper validation while logging the victim out of the session."
— Rich Stroffelino [03:20]
Bishop Fox withheld the details until SonicWall had made patches available. The vulnerability underscores the need for prompt patching and close management of remote-access services to prevent session hijacks and unauthorized access.
The episode highlights findings from the Huntress 2025 Cyber Threat Report, which observes a shift in ransomware strategies. Rather than targeting high-profile entities, ransomware gangs are increasingly focusing on rapid, high-volume attacks. The average time to ransom across all groups was just under 17 hours, with sophisticated groups like RansomHub and Akira reducing this to approximately six hours.
Notable Quote:
"Ironically, the group Rapid had the slowest time to ransom at 43 hours. Overall, RansomHub, Lynx, and Akira ransomware groups accounted for 54% of observed attacks."
— Rich Stroffelino [04:10]
Additionally, a significant 71% of ransomware incidents involved data exfiltration prior to the deployment of ransomware, underscoring the dual threat of data theft and encryption.
Intel's security work is discussed through its 2024 product security report. The company patched a total of 374 vulnerabilities, with 72% in software components such as drivers, utilities and SDKs. Firmware fixes accounted for 21%, including 30 UEFI patches, while the remaining patches addressed hardware issues across processors, SGX and side channels.
Notable Quote:
"Intel attributed 96% of the discovered vulnerabilities to its proactive product security assurances. Intel issued bug bounties on 53% of these vulnerabilities, with UEFI flaws drawing the most money."
— Rich Stroffelino [04:50]
This proactive stance illustrates Intel's dedication to maintaining robust security standards across its product lines.
The podcast addresses a deceptive tactic involving Google Tag Manager (GTM). Researchers at Sucuri uncovered that several websites were compromised with scripts appearing to be standard GTM and Google Analytics for store analytics. However, these scripts contained containerized backdoors enabling persistent access and the collection of payment information during the checkout process.
Notable Quote:
"Just when you thought it was safe to go shopping, a handful of sites were discovered to be using what looked to be a typical Google Tag Manager and Google Analytics script for store analytics, but it also included a containerized backdoor that allowed for persistent access."
— Rich Stroffelino [05:20]
The exact vector used to inject these malicious scripts remains unclear, which leaves site owners without a single point to harden and makes auditing every tag and script loaded at checkout the practical defense.
Concluding the episode, the discussion turns to Apple's efforts to introduce AI services in China. To comply with stringent Chinese regulations, Apple has partnered with Alibaba to submit its Apple Intelligence features to the Cyberspace Administration of China—the nation's primary internet and cybersecurity regulator. This partnership is pivotal for Apple’s planned launch of Apple Intelligence in China, scheduled as part of iOS 18.4 in April.
Notable Quote:
"Apple partnered with Alibaba to submit its Apple Intelligence features to the Cyberspace Administration of China, the country's Internet and cybersecurity regulator."
— Rich Stroffelino [05:50]
Moreover, Apple reportedly explored potential deals with Baidu and DeepSeek before settling on Alibaba as the local partner for clearing regulatory hurdles.
In this episode of Cyber Security Headlines, Rich Stroffelino provides a comprehensive overview of pressing cybersecurity issues, from international sanctions on ransomware facilitators to vulnerabilities in AI models and software infrastructures. The discussions emphasize the evolving tactics of cybercriminals and the continuous efforts of organizations and governments to bolster defenses against sophisticated threats. For more in-depth analyses and daily cybersecurity updates, listeners are encouraged to visit CISOseries.com.